HackTheBox-BlackField

ARZ101
8 min read, Jan 1, 2022

Hello everyone, in this post I will be sharing my writeup for HTB BlackField, a hard Active Directory box. Starting off with enumeration, we see that the SMB service is running, and listing shares reveals one we can access whose folders are potential usernames. Only 3 of these turn out to be valid users, and the support user has pre-authentication disabled, which lets us perform AS-REP roasting, obtain that user's hash and crack it. This does not give us a shell yet, since the account is limited to SMB, but with it we can run BloodHound to gather information about the AD, which shows that we can change the Audit2020 user's password through rpcclient. With that account we can access the Forensic share, which contains lsass.zip, a gold mine for us: from this dump file we get the svc_backup hash, and using pass the hash we can get a shell through WinRM. That account is in the Backup Operators group, which lets us take a shadow copy of the C drive containing NTDS.dit and save the SYSTEM key from the registry hive, so that we can retrieve the password hashes using secretsdump.py.

NMAP

PORT      STATE SERVICE       VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-01 02:43:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
49676/tcp open msrpc Microsoft Windows RPC
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

The nmap scan and the LDAP banner make it pretty clear that this is an Active Directory box, and the only ports we can start from are LDAP, SMB and RPC.

Running enum4linux to check null authentication against SMB, LDAP and RPC, to gather information about the domain and see whether we are allowed to list usernames.

This shows that we don't have access to anything, so moving on to trying smbclient.

PORT 139/445 (SMB)

I tried the forensic share, but we weren't allowed to access it, being unauthorized.

But from the profiles$ share, which we can access, we get a huge list of usernames.

Foothold

Here I had a difficulty: I can't just use mget * here because all these folders are empty, and I wasn't going to write these usernames into a file manually, which would take ages. So I went through the list, and there were 3 accounts that caught my attention.

I then made a list of these users to see which usernames are valid.

To verify that these accounts are valid, we can use kerbrute with the userenum option.

/opt/kerbrute/kerbrute_linux_amd64 userenum -d BLACKFIELD.local users.txt --dc 10.10.10.192

The neat feature of this tool is that it also tells us which accounts have pre-authentication disabled, meaning we can perform AS-REP roasting against them, which gives us a hash.

This can also be done with impacket's GetNPUsers script.

python3 /opt/impacket/examples/GetNPUsers.py -no-pass -dc-ip 10.10.10.192 -usersfile users.txt BLACKFIELD/abc

Using hashcat we can crack the hash

Now that we have an account, we can check if we have access to WinRM.

It seems that we are limited to SMB with this account.

The NETLOGON share is empty when we access it, so there wasn't anything interesting in the SMB shares. But since we now have a valid account, we can use it with enum4linux to see if we are able to list usernames.

I thought of running the Python BloodHound ingestor to gather information about the AD.

python3 /opt/Python-Bloodhound/bloodhound.py -d BLACKFIELD.local -u 'support' -p '#00^BlackKnight' -c all -ns 10.10.10.192

Privilege Escalation (Audit2020)

On running some of the pre-built queries in the BloodHound GUI, I didn't find any path I could use to escalate privileges.

But then I checked what the support user has rights over under outbound object control.

This means that we can change audit2020's password (as long as the new one meets the password policy), and we can do this through rpcclient.

Now, as audit2020, we have access to the Forensic share.

I had to download these files one by one because, for some reason, mget * didn't work. They only contained information about domain groups and users, nothing we could do anything with.

But there was another directory named memory_analysis.

It contained lsass.zip. If you don't know what LSASS (Local Security Authority Subsystem Service) is, it's the process that holds in memory the hashes of the users currently logged on to the machine, and its memory can only be dumped with higher privileges, such as being an Administrator.

Privilege Escalation (svc_backup)

After getting this file onto our local machine we can use pypykatz, a mimikatz implementation in Python. It can be installed by simply cloning the GitHub repo https://github.com/skelsec/pypykatz and running python3 setup.py install.

After unzipping lsass.zip we get the lsass.DMP file, which we can pass to pypykatz.

/usr/local/bin/pypykatz lsa minidump lsass.DMP

By analyzing the dump of the lsass process memory we get svc_backup's NT hash, which we can use to pass the hash, either to get a shell or to access SMB shares.

We can also get the Administrator's hash.

But this didn't work; maybe the password was changed after the dump was taken.

Using evil-winrm we can get a shell through WinRM.

Now, to see which groups this account is in, we can run net user svc_backup.

Privilege Escalation (Administrator)

We can abuse this privilege: having the right to take backups means we can copy any file we want, which leads us to copying the NTDS.dit file, located at C:\Windows\NTDS\NTDS.dit on the domain controller, which is our target machine.

We use the SeBackupPrivilege DLL files, which can be found in this GitHub repo:

https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug

After downloading them onto the target machine, import those two DLL files.

But the issue with copying NTDS.dit is that it is constantly in use by Windows processes.

To get around this we need to create a shadow copy of the C drive and then copy NTDS.dit from it. To do that we create a text file that defines which drive we want to make a shadow copy of:

set context persistent nowriters
set metadata C:\temp\metdata.cab
set verbose on
add volume C: alias uwu
create
expose %uwu% f:

Since the line endings can sometimes cause an issue on Windows, run the file through unix2dos to make it compatible.

Before running this, make sure to create the folder on the C drive (mkdir temp), and then run the script with diskshadow.

Switching to the f: drive we can see the contents of the C: drive.

Using the SeBackupPrivilege cmdlets we can copy ntds.dit to the current directory and then download it to our local machine.

Here I faced another issue, this time with evil-winrm: version 3.3 has problems downloading files, and it either hangs showing no progress or fails with a path error.

I downloaded version 3.2 and used it to download the file:

https://github.com/Hackplayers/evil-winrm/releases/tag/v3.2

Next we need the SYSTEM hive from the registry.

Now we just need to use impacket's secretsdump.py to read the hashes from the ntds file.
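As an added example (not from the original writeup), the following Python sketches how a defender would spot the three steps of this chain in Windows Security events: the AS-REP roast of support, the rpcclient password reset of audit2020, and the diskshadow run used to reach NTDS.dit. The event field names are the standard Security log EventData names; the admin allow-list and the sample events are constructed for the example.

```python
# Added example, not part of the original writeup: rule-based detection for the
# three steps of this chain (AS-REP roasting, delegated password reset,
# diskshadow-based NTDS.dit copy) over constructed Windows Security events.
# Field names are the EventData element names from the Security log XML.
from typing import Dict, List, Set

Event = Dict[str, str]

# Accounts expected to reset other users' passwords (constructed, site-specific).
PASSWORD_ADMINS: Set[str] = {"Administrator", "helpdesk-svc"}
RC4_HMAC = "0x17"  # etype 23, the crackable AS-REP type GetNPUsers asks for

def detect(ev: Event, password_admins: Set[str] = PASSWORD_ADMINS) -> List[str]:
    """Return zero or more alert tags for a single event."""
    alerts: List[str] = []
    eid = ev.get("EventID")
    if eid == "4768":
        # TGT issued with no pre-auth (DONT_REQ_PREAUTH) and an RC4 reply: AS-REP roast artefact.
        if ev.get("PreAuthType") == "0" and ev.get("TicketEncryptionType") == RC4_HMAC:
            alerts.append(f"asrep-roast:{ev.get('TargetUserName')}")
    elif eid == "4724":
        # Another account's password reset by a non-admin, as support did to audit2020.
        subj, tgt = ev.get("SubjectUserName", ""), ev.get("TargetUserName", "")
        if subj and subj != tgt and subj not in password_admins:
            alerts.append(f"delegated-reset:{subj}->{tgt}")
    elif eid == "4688":
        # diskshadow launched with a script file (needs command-line auditing on).
        proc = ev.get("NewProcessName", "").lower()
        args = ev.get("CommandLine", "").lower().split()
        if proc.endswith("diskshadow.exe") and ("/s" in args or "-s" in args):
            alerts.append(f"diskshadow-script:{ev.get('SubjectUserName')}")
    return alerts

def scan(events: List[Event]) -> List[str]:
    """Run every rule over a list of events and collect the alert tags."""
    return [tag for ev in events for tag in detect(ev)]

# Constructed sample events modelled on this writeup; not real log data.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "4768", "TargetUserName": "support",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": "4768", "TargetUserName": "audit2020",  # benign: pre-auth used
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"EventID": "4724", "SubjectUserName": "support", "TargetUserName": "audit2020"},
    {"EventID": "4688", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow /s C:\temp\vss.txt"},
]
```

Running scan(SAMPLE_EVENTS) yields one tag per malicious step and nothing for the benign TGT request; in a real deployment the 4688 rule only fires if command-line logging is enabled in the audit policy.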
