Ledger - TryHackMe
Nmap Enumeration
The service set Nmap returned is the one a Domain Controller exposes, so that is what we are dealing with.
Ports 80 and 443 were also checked, but nothing useful came out of the web side.
User Enumeration
It took me some time to retrieve the full list of users from the Domain Controller. The raw output also had to be cleaned into a plain one-username-per-line file before it could be fed to the enumeration tools.
AS-REP roasting (users with Kerberos pre-authentication disabled): I obtained 5 hashes from 5 different users in total. Unfortunately, none of them cracked.
Recent research has shown that an AS-REP-roastable account can be used to Kerberoast without knowing any password: an AS-REQ sent on behalf of an account that does not require pre-authentication can name a target SPN instead of krbtgt, and the KDC answers with a ticket encrypted with that service account's key, which can then be cracked offline (impacket's GetUserSPNs.py implements this with -no-preauth). So I gave it a chance, using 'SHELLEY_BEARD', one of the users without pre-authentication identified earlier. For some reason, the resulting hash would not crack either. LET'S MOVE ON.
LDAP Enumeration
Dumping everything LDAP will give us: CN (common name of users and groups), DN (distinguished name), sAMAccountName (logon name), objectClass, and the description attribute, where administrators sometimes leave notes that should never be there.
This took me a while and the dump was huge, but buried in it was a candidate password.
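Both the user-list cleanup above and the LDAP dump call for the same piece of tooling: a parser that turns raw ldapsearch (LDIF) output into a clean spray list and flags description fields that look like they hold a credential. The block below is an added example, not code from the writeup; SAMPLE_LDIF is constructed (fake users, fake description text), while the attribute names are the real Active Directory ones enumerated above.

```python
"""Parse an ldapsearch LDIF dump into a clean username list and flag
description fields that look like they hold credentials.

Added example, not part of the original writeup. SAMPLE_LDIF is
constructed (fake users, fake description text); the attribute names
are the real AD ones the writeup enumerated."""
import base64
import re

# Constructed sample. It deliberately includes a base64 attribute ("::")
# and a folded continuation line (leading space); a naive grep misses both.
SAMPLE_LDIF = """\
dn: CN=JANE_DOE,OU=Staff,DC=example,DC=local
objectClass: user
sAMAccountName: JANE_DOE
description: Finance team

dn: CN=JOHN_ROE,OU=Staff,DC=example,DC=local
objectClass: user
sAMAccountName: JOHN_ROE
description:: UmVzZXQgcGFzc3dvcmQgdG8gV2ludGVyMjAyNCE=

dn: CN=svc_backup,OU=Service,DC=example,DC=local
objectClass: user
sAMAccountName: svc_backup
description: Backup service account, initial pwd:
  Backup!2023

dn: CN=Domain Admins,CN=Users,DC=example,DC=local
objectClass: group
sAMAccountName: Domain Admins
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry.

    Handles RFC 2849 line folding (a continuation line starts with one
    space) and base64 values (attribute followed by '::')."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):       # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries

def user_accounts(entries):
    """Deduplicated, sorted logon names of user objects: the list to spray.
    Computer objects are also objectClass user, so names ending in '$' are dropped."""
    names = {e["sAMAccountName"][0] for e in entries
             if "user" in e.get("objectClass", []) and "sAMAccountName" in e
             and not e["sAMAccountName"][0].endswith("$")}
    return sorted(names)

# Words that typically accompany a credential left in a description field.
PASSWORD_HINT = re.compile(r"(?i)\b(pass\w*|pwd|cred\w*|secret\w*|reset)\b")

def description_leads(entries):
    """(sAMAccountName, description) pairs worth trying as a spray password."""
    leads = []
    for e in entries:
        for desc in e.get("description", []):
            if PASSWORD_HINT.search(desc) and "sAMAccountName" in e:
                leads.append((e["sAMAccountName"][0], desc))
    return leads

if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    print("users:", user_accounts(found))
    for name, desc in description_leads(found):
        print(f"{name}: {desc}")
```

Feed the real dump in place of SAMPLE_LDIF (for example `ldapsearch -x -H ldap://<dc> -b '<base DN>' '(objectClass=user)' sAMAccountName description > dump.ldif`) and the same two functions give you the cleaned spray list and the description strings to try as passwords. The base64 and line-folding handling matters in practice: ldapsearch base64-encodes any description with leading spaces or non-ASCII text, and folds long ones, so a plain `grep -i pass` silently misses exactly the entries that are most interesting.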
Password-Spraying
Spraying that password across the cleaned user list matched 2 accounts: IVY_WILLIS and SUSANNA_MCKNIGHT.
Bloodhound Enumeration
SUSANNA_MCKNIGHT is a member of Remote Management Users, which is what makes an interactive session possible.
RDP connection with xfreerdp, and the first flag.
Some User Enumeration
A quick 'whoami /all' revealed that SUSANNA_MCKNIGHT also belongs to the 'Certificate Service DCOM Access' group, the group that is allowed to reach the CA's enrollment interface over DCOM. Let's abuse it.
Privilege Escalation using certipy-ad Tool
Certificate Name Flag: EnrolleeSuppliesSubject (ESC1)
Vulnerability: ESC1
EnrolleeSuppliesSubject means the requester, not Active Directory, decides the subject of the certificate, including an arbitrary Subject Alternative Name. On its own that is harmless; it becomes ESC1 when the same template also carries a client-authentication EKU, needs no manager approval or authorized signature, and can be enrolled by low-privileged users. With all of that in place we can request a certificate carrying the UPN of any account and then authenticate as that account via PKINIT, a Domain Administrator included. We tried Administrator first and couldn't get a shell with it. Fortunately, there were more users in the admin group; one of them was BRADLEY_ORTIZ.
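To make the ESC1 conditions concrete, the block below evaluates certificate templates from their LDAP attributes the way certipy's `find -vulnerable` does. It is an added example, not certipy's code: the attribute names and flag values are the real AD ones, but the TEMPLATES dict is constructed, and "enrollment_rights" and "enabled" stand in for what certipy derives from the template's nTSecurityDescriptor and the CA's certificateTemplates list (the low-privileged principal names are assumptions too).

```python
"""Check certificate templates for the ESC1 conditions certipy looks for.

Added example, not certipy's code. The TEMPLATES dict is constructed:
attribute names are the real AD ones, values are illustrative, and
"enrollment_rights"/"enabled" stand in for what certipy derives from the
template's nTSecurityDescriptor and the CA's certificateTemplates list."""

# msPKI-Certificate-Name-Flag: requester supplies the subject / SAN
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag: CA certificate manager approval required
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs with which a certificate can log a user on (PKINIT / Schannel).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Principals that mean "any domain user can enroll" (assumed names).
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}

def allows_authentication(ekus):
    """No EKU at all means 'all purposes', which also covers client auth."""
    return not ekus or bool(AUTH_EKUS & set(ekus))

def esc1_missing_conditions(template, low_priv=LOW_PRIV_PRINCIPALS):
    """List the ESC1 preconditions this template does NOT meet (empty == ESC1)."""
    missing = []
    if not template.get("enabled", False):
        missing.append("template not published on any CA")
    if not template.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        missing.append("ENROLLEE_SUPPLIES_SUBJECT not set")
    if not allows_authentication(template.get("pKIExtendedKeyUsage", [])):
        missing.append("no client-authentication EKU")
    if template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
        missing.append("manager approval required")
    if template.get("msPKI-RA-Signature", 0) > 0:
        missing.append("authorized signature required")
    if not set(template.get("enrollment_rights", [])) & set(low_priv):
        missing.append("no low-privileged principal can enroll")
    return missing

def is_esc1(template, low_priv=LOW_PRIV_PRINCIPALS):
    return not esc1_missing_conditions(template, low_priv)

def vulnerable_templates(templates, low_priv=LOW_PRIV_PRINCIPALS):
    return sorted(name for name, t in templates.items() if is_esc1(t, low_priv))

# Constructed templates: one ESC1, two that look close but are not.
TEMPLATES = {
    "VulnTemplate": {
        "enabled": True,
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enrollment_rights": ["Domain Users", "Domain Admins"],
    },
    # Stock "User" template: the subject is built from AD, so bit 0 is clear.
    "User": {
        "enabled": True,
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0x29,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"],
        "enrollment_rights": ["Domain Users"],
    },
    # Stock "WebServer": requester supplies the subject, but only the Server
    # Authentication EKU is present and only admins may enroll.
    "WebServer": {
        "enabled": True,
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
        "enrollment_rights": ["Domain Admins"],
    },
}

if __name__ == "__main__":
    for name, tmpl in TEMPLATES.items():
        gaps = esc1_missing_conditions(tmpl)
        print(f"{name}: {'ESC1' if not gaps else 'not ESC1: ' + '; '.join(gaps)}")
```

The point of listing the unmet conditions rather than returning a bare yes/no is triage: a template with EnrolleeSuppliesSubject but only a Server Authentication EKU (the WebServer case) gives you a certificate you cannot log on with, and a template that low-privileged users cannot enroll in is a finding for the report, not a path for this account. Only a template with an empty list is worth a `certipy req` with a `-upn` for the target account.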
Authenticating with the certificate: certipy's auth step performs PKINIT with the forged certificate, obtains a Ticket Granting Ticket for the user and recovers the account's NT hash from it.
Getting the root flag.