TryHackMe 

Attacktive Directory 
Penetration Test Report | Attacking AD Domain 
 

Table of Contents 

Introduction ……………………………………………………………………………………………… 1-2 

Enumeration …………………………………………………………………………………………….. 2-5 

Exploitation ………………………………………………………………………………………………. 5-10 

Introduction 

With over 96% of the corporate world running on Windows, it is absolutely critical to 
understand the largest attack surface in the world. Security research firm, Okta, estimates 
that of those vast majority of businesses powered by Windows, 95% of them use Active 
Directory to manage users and policies1. This is why it is absolutely critical in understanding 
the weaknesses and methods used to undermine Windows Active Directory based 
businesses. In this module, the goal is to exploit a mock corporate network simulating a 
real Active Directory infrastructure. This is a blackbox style penetration test where the only 
information known about the target is the use of AD. In this report on the simulation, 
different techniques of exploiting Windows Active Directory protocols are shown such as: 

1
https://www.okta.com/businesses-at-work/2017-01 
 

 
 
 
Kerberoasting, ASREProasting, SMB enumeration, NTLM hashing, Passing the Hash, etc. 
Additionally, all solutions to these exploits are of my own work. All explicit flags will be 
blurred or covered to prevent flag sharing on behalf of TryHackMe. All important aspects of 
each process will be described in a step by step fashion and all critical information from 
each step will be highlighted in the screenshots below. Any inquiries about the methods or 
procedures used (or to simply contact me) can be sent to: j​ [email protected]  

Enumeration 
To begin my enumeration phases I always begin with an nmap scan, even when working 
with Windows machines. The open ports can be seen in the results below: 

Table of open ports and services: 

PORT  SERVICE  NOTES 

53  DNS  Standard dns 

80  HTTP  May have web server 

88  Kerberos  Indicative of AD on machine 

135  MSRPC  RPC is open 

 
2 
 
 

139  NetBIOS  ------ 

389  LDAP  Indicative of AD on machine 

445  Microsoft-ds  ------ 

464  ------  ------ 

593  NCAN_HTTP  ------ 

636  Tcp wrapper  ------ 

3268  LDAP  Indicative of AD on machine 

3389  wb-server  ------ 

From this point, I got a good idea of what is on the machine, we know there is an AD 
because of open LDAP and Kerberos. Additionally, I also received confirmation from the 
version on the LDAP that there is in fact AD running and the domain is “spookysec.local” 

Since further enumerating this machine will only paint the picture clearer as to how to 
establish access and how we want to attack this machine, I used another enumeration tool 
but this time it is specifically geared towards Windows. I used the tool enum4linux to see if 
any users or shares could be gained without credentials: 

 
3 
 
 

While the shares or users could not be gained this way, the name of the Workgroup for the 
domain was gained- “THM-AD” 

User and Share Enumeration 

Knowing that the machienthat we are attacking has Kerberos open, we can utilize a 
technique called Kerberoasting to gain an idea of what users are on this domain controller. 
At a high level, in Kerberoasting we are asking the domain controller if there is a TGT for a 
specific username and if there is the DC will respond with a TGT for that user. Once we 
have the TGT for a user we can request a Service Ticket which contains a password hash. 
This hash can be taken and cracked offline and then we are able to gain access to an 
account without authenticating to a service. This technique is used in the tool Kerbrute, 
and the results of this are below: 

 
4 
 
 

There is a lot of information that this tool turned over- first and most importantly, kerbrute 
notified me that the svc-admin account did not have pre-authentication required so it 
dumped the password hash for me to crack offline. This gives us admin access to the 
environment. Secondly, the backup account for the environment was also enumerated 
which could potentially be alarming.  

Exploitation 
 

Password Cracking 

Now that the password ASREP hash for the service admin account has been enumerated 
via Kerbrute, I took it over to HashCat to crack it. The cracking results in the password being 
revealed as “management2005”, which shows organizations that weak passwords on admin 
accounts can be a critical vulnerability- this weak password only took me roughly 20 
minutes to crack! 

 
5 
 
 

Gaining Access to Users and Shares 

Now that I have the logon information for the service admin account, I moved to trying to 
connect to the available shares on the domain. To see what shares are available shares 
there were I used smbclient: 

 
6 
 
 

All of these shares are standard and expected to be seen here besides the backup share. I 
first tried connecting to the ADMIN$ and C$ shares but I did not have access to. This lead 
me to try and connect to the backup share since it was the abnormal share in this list which 
was done with:  

This successfully connected and as seen above once the directory contents were listed 
there was a file containing backup credentials which I was able to download to my own 
machine. The contents of the backup credentials are as follows: 

This looked like base64 encoding to me so I used CyberChef to decode the contents: 

 
7 
 
 

This appears to be the backup user’s credentials on the domain- now we have credentials 
to two users on the DC. Since the last account did not have admin privileges, I tried this new 
backup account for the same privileges but was not able to get a shell. However, since it is a 
backup account, we now have access to the history the of DC which includes stored 
passwords.  

Now that I was able to get access the backup account, that consequently has access to all of 
the stored passwords on the domain controller, I want to dump all of the stored NTLM 
hashes that I can get ahold of. To do this part of the impacket kit, secretsdump, is used: 

 
8 
 
 

The output of secretsdump provided me with lots of valuable information, there are Golden 
tickets in this as well as NTLM hashes that I can use to gain access to other accounts. 
Circled in blue is the NTLM hash of the local admin account on the DC. I was able to bypass 
cracking the hash for this account by passing the hash. This can be done because I knew 
that the hash I have is the hash for the correct password, so to gain access all I have to do is 
pass the hash. To do this another tool from impacket was used called psexec which can be 
seen below: 

As seen above, psexec was able to pass the hash to the DC, Authenticate to the ADMIN$ 
share with write privileges, and then upload a malicious file that enabled it to launch a shell 
on the system as the authority\system (admin). This DC has now been completely 
compromised with admin access to everything.  

 
9 
 
 

Flags 
*** All flags can be found on the respective users Desktop. The flags provided here are solely for 
proof of completion and are covered to prevent flag sharing. *** 

Administrator (root) flag: 

Backup account flag: 

 
10 
 
 

Service Admin account: 

 
11 
 
 

  

 
12