HTB - Blackfield
Overview
Short description to include any strange things to be dealt with
Useful Skills and Tools
Useful thing 1
description with generic example
Useful thing 2
description with generic example
Enumeration
Nmap scan
I started my enumeration with an nmap scan of 10.10.10.192. The options I regularly use are: -p-, which is a shortcut which tells nmap to scan all ports, -sC is the equivalent to --script=default and runs a collection of nmap enumeration scripts against the target, -sV does a service scan, and -oA <name> saves the output with a filename of <name>.
At first my scan wouldn't go through until I added the -Pn flag to stop nmap from sending ICMP probes. After that it proceeded normally.
Since port 445 (SMB) is open I tried to enumerate open shares by using anonymous login
with crackmapexec was unable to get any shares without a username, but I'm not sure if you can do anonymous login with this program so I tried with the standard smbclient as well
with smbclient got a list of shares!
I was able to login to the forensic share anonymously but was not allowed to do much
Trying again with the profiles$ share yielded a lot more information! I took all of the these usernames and added them to a list.
I tried using Metasploit's auxiliary(gather/kerberos_enumusers) Kerberos user enumeration tool, however I just got an error for each user saying [*] 10.10.10.193:88 - Wrong DOMAIN Name? Check DOMAIN and retry...
After trying numerous commands, I was able to at least verify that blackfield was indeed the correct domain name.
since the module in msfconsole didn't I decided to try the python-based Impacket script GetNPUsers.py which does the same type of check to see if any users have UF_DONT_REQUIRE_PREAUTH turned off.
I found three users that had this turned off, and one even had the password hash attached! Time to fire up hashcat.
After searching for the correct hash type I fired up hashcat and very quickly cracked the password using the rockyou.txt wordlist. The password for support was #00^BlackKnight
Initial Foothold
Road to User
The user support could view the same shares as I could see anonymously. Next I tried to see if this user could get any more information from them.
I connected to each of the three shares: profiles$ still had the same empty user directories, NETLOGON was completely empty, while SYSVOL only had a few files, none of which contained anything useful.
I ran ldapsearch next to see if I could get any more information than before, and a mountain of data returned. (I also made the mistake of not sending the output to a file the first time and my screen exploded). Unfortunately, there was nothing new or useful in all of that the output (besides a slew of anonymous sounding usernames such as blackfield123456, etc.)
With so many users to go off and no way to directly tell what rights I had with the user support I loaded bloodhound up to see if it could sniff me a path forward. The python version of bloodhound allows it to be run against a remote host with credentials, and outputs a few .json files that I imported into the main program.
Bloodhound reported 342 (!) users on this domain.
Most of them were named generically BLACKFIELD123456, however there were a few that stuck out. I set these as my targets and began looking for ways to link them. Since I already had the credentials for support I marked that user as 'owned' and proceeded to see what I could do with its access.
Since support has the ForceChangePassword privilege over the user audit2020 I looked up how to change a user's password via SMB and found: https://www.dark-hamster.com/operating-system/linux/ubuntu/reset-samba-user-password-via-command-line/
Unfortunately this did not work, so I did some searching to see if there was another way to do it remotely. I found a shady looking site that explained what I was looking for using RPC at https://malicious.link/post/2017/reset-ad-user-password-with-linux/ (it was mixed in the middle of a bunch of those scam/malware .it sites so I was a bit leery at first.)
This site showed that using rpcclient with the syntax rpcclient $> setuserinfo2 adminuser 23 'ASDqwe123' you could change a user's password without knowing the current one. It linked to a MSDN site which explained why to use 23 for the property. https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/6b0dff90-5ac0-429a-93aa-150334adabf6?redirectedfrom=MSDN
3 pictures
I also tried doing it the 'easy' way with the one-liner from the bottom of the blog post and successfully changed it with the net command. I'll definitely have to remember that I can use net commands from Linux in the future!
now that I had a usable password for another user I set out to see what I could get into. I was unable to use WinRM or get anything further from rpcclient, so I went back to enumerating the open SMB shares.
ran mimikatz - python edition (pypykatz) on the lssas.DMP file, then pulled out the usernames, passwords, and hashes
I tried cracking the NTLM hashes with hashcat but even using all of the various rules and some basic mangles I was unsiccessful. Luckily since this is Windows domain I can try to do a pass-the-hash attack instead.
It didn't take long to find a valid combination. The password (hash) for svc_backup was 9658d1d1dcd9250115e2205d9f48400d. Luckily for me, this user is in the Windows Remote Management group, and port 5985 for WinRM was open. I tried using evil-winRM and was logged in with a shell.
Further enumeration
Finding user creds
Immediately after logging in I knew I had a privilege escalation path. Either of SeBackupPrivilege or SeRestorePrivilege can be abused for privilege escalation, but its nicer having both!
User.txt
Path to Power (Gaining Administrator Access)
Enumeration as User svc_backup
svc_backupSo much for the easy way to get the flag. with the SeBackupPrivilege I should have the ability to backup any file, but it looked like there was something limiting it. I did get a file notes.txt
So the "audit report" (root.txt) is encrypted. That would explain why it cannot be copied directly. I guess I have to privesc to the Administrator user first in order to decrypt it. Searching for SeBackupPrivilege led me to https://hackinparis.com/data/slides/2019/talks/HIP2019-Andrea_Pierini-Whoami_Priv_Show_Me_Your_Privileges_And_I_Will_Lead_You_To_System.pdf
Members of “Backup Operators” can logon locally on a Domain Controller and backup the NTDS.DIT, for ex. with: “wbadmin.exe” or “diskshadow.exe”
will try wbadmin.exe to backup files and try to backup to local share rather than trying to exfil later
created a samba share using impacket to copy over my loot https://pentestlab.blog/tag/diskshadow/
Unfortunately it wont' back up to a drive that is not formatted with NTFS, and wont backup to the same drive letter.
It took a bit of research and troubleshooting, but I found a workaround, in the form of using the network path for the local drive instead of the drive letter. Now I just had to restore my backup to a location I controlled and exfiltrate the file. I would also have to exfil the SYSTEM hive as well.
First I had to get the version identifier of the backup. It seemed like there was already a backup that had been made to 10.10.14.4\blackfieldA\ on 9/21/2020.
Next I saved each of the registry hives and downloaded all of the files. Unfortunately the SECURITY hive would not save, but I didn't really need it for getting the password hashes. Luckily exfiltrating files is very easy to do in an Evil-WinRM shell!
Getting a shell
Using Impacket's secretsdump.py I was able to dump the password hashes for all of the domain users (including the 300+ Blackfield123456 users!)
Root.txt
After collecting the flag, I went to verify the reason that I was unable to back up root.txt.
Using the cipher.exe command I was indeed able to see that the file was encrypted. The PowerShell script watcher.ps1 that I had seen earlier in the Administrator's documents folder when I logged in was the reason.
The script watcher.ps1 is the reason that root.txt was encrypted
Thanks to aas for something interesting or useful about this machine.
If you like this content and would like to see more, please consider buying me a coffee!
Last updated
Was this helpful?