Exploiting Active Directory

https://tryhackme.com/room/exploitingad

Task 1 - Deploy machine

Attacker Machine: 10.250.11.15

🎯 Target IP: 10.211.11.20 | 10.211.11.10

Download VPN

Go to https://tryhackme.com/access to download the network VPN configuration (select Networks and the room name), not the classic VPN file used for normal machines.

Start the VPN in a dedicated shell: sudo openvpn devangelist-Jr-Pentester-AD-v01.ovpn

Create a directory on the Desktop named after the machine, and inside it another directory to store the materials and outputs produced while working through the room.

su
echo "10.211.11.10 ad.thm" >> /etc/hosts

mkdir -p thm/AD/AD_Enum
cd thm/AD/AD_Enum
mkdir {nmap,content,exploits,scripts}
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts

Task 2 -

Host Discovery

Running route or ip route shows another subnet in our routing table: 10.211.11.0/24

We start by sending ICMP echo requests to determine which hosts are live, using fping, which can ping an entire subnet:

fping -agq 10.211.11.0/24
# -a: shows systems that are alive.
# -g: generates a target list from a supplied IP netmask.
# -q: quiet mode, doesn't show per-probe results or ICMP error messages.
10.211.11.1
10.211.11.10
10.211.11.20
10.211.11.250

Alternatively, the same can be done with sudo nmap -sn 10.211.11.0/24

Excluding the gateway 10.211.11.1, we save the other IPs into a file called hosts.txt.

Once we've discovered live hosts, we must identify which one is the Domain Controller (DC) to determine which critical AD-related services are being used and can be exploited. These are some common Active Directory ports and protocols:

Port | Protocol           | What it Means
-----|--------------------|-----------------------------------------------
88   | Kerberos           | Potential for Kerberos-based enumeration
135  | MS-RPC             | Potential for RPC enumeration (null sessions)
139  | SMB/NetBIOS        | Legacy SMB access
389  | LDAP               | LDAP queries to AD
445  | SMB                | Modern SMB access, critical for enumeration
464  | Kerberos (kpasswd) | Password-related Kerberos service

We can run a service version scan with these specific ports to help identify the DC:

sudo nmap -p 88,135,139,389,445 -sV -sC -iL hosts.txt -oN port_scan
  • -sV: Enables version detection. Nmap tries to determine the version of the services running on the open ports.

  • -sC: Runs Nmap Scripting Engine (NSE) scripts in the default category.

  • -iL: Tells Nmap to read the list of target hosts from the file hosts.txt. Each line in this file should contain a single IP address or hostname.

  • -oN: Saves the result in normal (human-readable) format to a text file called port_scan.
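Once port_scan exists, picking the DC out of it by hand is easy for two hosts but tedious for a full subnet. The following is an added example (not part of the room or its tooling) that parses nmap's -oN output, keeps only open ports per host, flags hosts serving both Kerberos (88) and LDAP (389) as DC candidates, and pulls the domain name that -sV prints in the AD LDAP banner. The scan text embedded below is constructed to look like the room's hosts, not a real capture.

```python
import re

# From the table above: Kerberos (88) and LDAP (389) are only served by a DC,
# while RPC/SMB (135, 139, 445) are open on ordinary Windows members too.
DC_ONLY_PORTS = {88, 389}
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\w+)\s+(\S+)(?:\s+(.*))?$")
DOMAIN_RE = re.compile(r"Domain:\s*([^,\s)]+)")

# Constructed sample in nmap -oN format; not a real capture of the room's hosts.
SAMPLE_SCAN = """\
Nmap scan report for 10.211.11.10
PORT    STATE SERVICE      VERSION
88/tcp  open  kerberos-sec Microsoft Windows Kerberos
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: ad.thm, Site: Default-First-Site-Name)
445/tcp open  microsoft-ds?

Nmap scan report for 10.211.11.20
PORT    STATE  SERVICE      VERSION
88/tcp  closed kerberos-sec
135/tcp open   msrpc        Microsoft Windows RPC
139/tcp open   netbios-ssn  Microsoft Windows netbios-ssn
389/tcp closed ldap
445/tcp open   microsoft-ds?
"""

def parse_open_ports(nmap_output: str) -> dict:
    """Map each host in -oN output to {open port: service/version text}."""
    hosts, current = {}, None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {}
            continue
        m = PORT_RE.match(line)
        if m and current is not None and m.group(2) == "open":
            hosts[current][int(m.group(1))] = (m.group(4) or m.group(3)).strip()
    return hosts

def likely_domain_controllers(hosts: dict) -> list:
    """Hosts exposing both Kerberos and LDAP are the DC candidates."""
    return sorted(h for h, ports in hosts.items() if DC_ONLY_PORTS.issubset(ports))

def ad_domain(ports: dict):
    """Domain name that -sV prints in the AD LDAP banner, or None."""
    m = DOMAIN_RE.search(ports.get(389, ""))
    return m.group(1) if m else None
```

Run it against the real file with parse_open_ports(open("nmap/port_scan").read()); the domain it reports is the value to map in /etc/hosts, as done in Task 1.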

2.1 -

2.2 -

Task 3 -

🚩 Flag 1

Task 4 -

Task 5 -

5.2 -

5.3 -