Blackfield
https://app.hackthebox.com/machines/255
Nmap
Add "10.10.10.192 blackfield.local" to /etc/hosts.
Starting out we hit kerberos on port 88 against a large username list. Pulling the known account name of Support@blackfield.local.
With no further user accounts discovered we can check null credentials against SMB with smbmap
.
We have some non default shares. The profiles$
share is of interest as we have READ ONLY access to the share.
Using the smbclient command below, we can recursively download all files and folders in the share.
None of the directories contain any files it seems. We do however, have folders named after potential users. Utilizing this information we can print the direct list to file.
Against kerbrute we can check for which users exists.
We now have a confirmed user list:
Where the user support has "Do not require pre-authentication" enabled in Active Directory. With this, we can potentially pull the kerberos hash with Impacket's GetNPUsers.py
.
Reading the output file we see our confirmed hash for the support user.
Which, can be cracked wsith John
against the rockyou.txt password list.
Revealing the users password.
Credentials:
Checking with crackmapexec
shows the credentials are valid.
However, at the point we do not have code execution over SMB. We are not a member of "Remote Management Users" and RDP is not running.
What we can utilize however, is bloodhound
to pull domain informaiton externally using Bloodhound.py.
GitHub: https://github.com/fox-it/BloodHound.py
After uploading the results to bloodhound we then further investigate our currently owned user support. Looking at the node information we see we have deriative permissions on the "ForceChangePassword" attribute over the user Audit2020.
We can force a password change externally with rpcclient as shown below.
After the password change we can confirm the credentials with crackmapexec
.
From our previous findings we know that a forensic SMB share exists. The user audit2020 has access to the share.
Looking inside the memory_analysis folder, the most interest standout file would be lsass.dmp. Hopefully we can pull some user hashes or password from this.
lsass.dmp
is dump file format. The best dedicated tool for this is likely pypykatz
.
Github: https://github.com/skelsec/pypykatz
Install
The following syntax can be used to analysis the lsass.dmp
file.
As shown above we can see the NT hash for the account svc_backup.
As we know from earlier enumeration, this user is a member of the "Remote Management Users" group. As such, we can use Evil-WinRM
to login with the account hash.
We know this account is already a member of the "Back Operators" group. Let's double check we have the "SeBackupPrivilege" privilege assigned to us so, we can perform privilege escalation.
This privilege grants us the ability to create backups of files on the system. Knowing this, a high value file would be the ntds.dit
file which is a database of hashes for domain objects / users. As the ntds.dit file is in constant use we will be unable to create a backup using normal methods as the system will lock the file.
What we can do instead is create a Distributed Shell File (DSH). This file will contain the appropriate commands for us to run the diskshadow utility against the C: drive and ultimately, the ntds.dit file.
I have previously covered this technique before as linked below.
First created a file called viper.dsh
on the attacking machine. Then insert the following contents:
Once completed use the command unix2dos
to convert the file to DOS format.
Then on the target system create a directory called 'temp' in c:\temp.
After this upload the viper.dsh
file.
From here run the following commands:
From here we need to extract the SYSTEM hive which will be required for extracting the hashes with Impacket later.
From here we can use the download command to download the ntds.dit
and system
hive file.
Now, over on the attacking system we can use Impacket's secretsdump.py
to extract the domain account hashes.
With the administrators NTLM hash we can log into the Domain Controller with Evil-WinRM
.
Last updated