TryHackMe-THROWBACK-DC01(10.200.34.117)
I used SSH to log on to the domain controller with the JeffersD credentials recovered earlier.
We are only a normal domain user on this machine, so we need to escalate our privileges. The quickest way to map escalation paths in AD is BloodHound, so we reuse the SharpHound collection (the loot) we gathered from WS-01 and load it into BloodHound.
Running the built-in query "Find Principals with DCSync Rights" shows which accounts can replicate the directory.
Looking through the Documents folder of jeffersd we find a notice.
It contains the password of a backup account, and BloodHound already told us that this backup account has DCSync rights.
DCSync is a late-stage kill-chain technique: an attacker with replication rights (GetChanges and GetChangesAll on the domain object) impersonates a Domain Controller and asks a real DC to replicate account data, including password hashes, over the MS-DRSR (DRSUAPI) protocol. No file is read from disk and nothing has to run on the DC itself.
With the backup account's credentials, secretsdump.py (Impacket) performs the DCSync and dumps the NT hash of every domain account, the same secrets that live in NTDS.dit, without ever touching the file.
Now we have a long list of user hashes, but which one do we target? We want the highest privilege for the least cracking effort, so on the DC we run net localgroup to see which groups exist and who is in them (on a domain controller the "local" Administrators group is the domain's built-in Administrators group).
We can see there is an Administrators group, and MercerH is a member of it.
So MercerH's hash is the one worth cracking.
To crack it we run hashcat in NTLM mode (-m 1000) with a wordlist and a rule file, so that simple mutations such as appended digits and capitalised first letters are tried without a huge dictionary.
With the cracked password we simply SSH into the DC again from our current session, this time as MercerH:
ssh MercerH@localhost
And we are now a privileged user on the domain controller.
THROWBACK.local\MercerH:pikapikachu7
JeffersD:Throwback2020
Going back to BloodHound we can see that the THROWBACK.LOCAL domain is trusted by CORPORATE.LOCAL, which is the next target.