BlackField – Hack The Box writeup

Blackfield is very well built AD machine. This machine will give the oppurtunity to learn about many different services used in AD.

Let’s start with nmap scan

After this i tried enumerating with enum4linux and smbclient.

Smbclient is a tool used to access SMB resources on a server, much like an FTP client is used to access files. It offers a simple command-line interface that is trivial to use if you’re at all familiar with FTP.

I tried to access each shares and got many usernames from profiles$ share

I copied entire list to a text file and trimmed it using cut

https://www.geeksforgeeks.org/cut-command-linux-examples/

cut -b 3-15 user.txt > brute.txt

I stored the timmed

user list to brute.txt

Using the obtained usernames I tried to obtain the TGT (Ticket Granding Ticket). This can be done using GetNPUsers python tool from impackets

python3 GetNPUsers.py blackfield.local/ -dc-ip 10.10.10.192 -usersfile brute.txt -no-pass

After some seconds the below hash showed up.

This hash belongs to support. Also I noted that audit2020 and svc_backup doesnt have a UF-DONT_REQUIRE_PREAUTH set

Using John and wordlist rockyou.txt I tied to break the hash

user: support

password: 00^BlackKnight

With these credentials I tried access the restricted shares using smbclient. But that was not working. Later I tried access using RPC client

The rpcclient is a utility initially developed to test MS-RPC functionality in Samba itself. We can use rpcclient to open an authenticated SMB session to a target machine

I was also able to list about 35 previleges using rpcclient and I was unable to get a way to exploit it.

Later I tried change passwords of svc_backup and audit2020. The below link will help you to learn how to reset paswword

https://malicious.link/post/2017/reset-ad-user-password-with-linux/

Looks like I was able to set the password of audit2020 to Derick123

I tried the same credential to access through smbclient and I was able to see forensic share contents

inside memory_analysis directory, I was able to see different zip files

When I saw lsass I recalled the blog which mentioned the purpose lsass. It is present in the system32 file and it can possibly help in obtaining user hashes using mimicatz.

So I downloaded lsaas.zip

On my windows machine I downloaded mimcatz and also this lsass.zip file and feed the lsass.DMP to mimicatz

I was able to find NTLM hash for svc_backup from this,

I tried evil-winrm tool to access the machine with username svc_backup and hash value 9658d1d1dcd9250115e2205d9f48400d

We got the user!!!

So next process is to get the root. I started by listing the the previlages and groups of svc_manager by whoami /all command

Among this SetBackupPrivilege and seRestore Privilege seem to give me a poterntial path to root.

For this I tried downloading NTSD.DIT, but failed.

The Ntds.dit file may contain the password hashes for all users in the domain

https://hackinparis.com/data/slides/2019/talks/HIP2019-Andrea_Pierini-Whoami_Priv_Show_Me_Your_Privileges_And_I_Will_Lead_You_To_System.pdf

I uploaded disk_shadow.txt to tmp folder on svc_manger

The content of disk_shadow.txt was

Then I ran the below command

Then I uploaded and imported SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll modules so that I can copy and get ndts file

https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug

I downloaded both ndts.dit and system file genrated to my local machine

Then using secretsdump.py from impackets i got the hash for administrator.

python3 secretsdump.py -ntds ntds.dit -system system -hashes lmhash:nthash LOCAL -output nt-hash

With this hash we can login as administrator using evil-winrm

We have rooted the machine.

Just let me know if you have any doubts

If you found this write-up useful, you can respect me on HTB

https://www.hackthebox.eu/home/users/profile/240146

You can connect me on

LinkedIn: Derick N

Twitter: Derick N