RazorBlack (THM)
TryHackMe – RazorBlack Write-Up
topics: Active Directory, encrypted files, SMB password change, dumping domain hashes, nested credentials, Windows Privilege Escalation (SeBackupPrivilege), Post-exploitation
Enumeration
Local Privilege Escalation
System Privilege Escalation
tools: impacket, secretsdump, evil-winrm, smbclient, john, zip2john, powershell, GetNPUsers, awk, kerbrute, msfconsole
Enumeration
Initial nmap and autorecon scans:
From the initial scans, it appears this is a standard Windows server within an Active Directory environment. The common ports of DNS, Kerberos, MSRPC, and SMB signal this machine is a Windows Server.
A quick glance at the autorecon scans indicates that SMB and MSRPC require credentials to enumerate. Anonymous login succeeded, but we did not have the permissions needed to list SMB shares.
Following this, I moved on to enumerating NFS on port 111; the autorecon scans show a publicly accessible share titled /users.
NFS
The /users share contains two files, a spreadsheet and a text file.
Listing the exports with showmount -e raz0rblack.thm confirms the share, which we can then mount to download the files.
The text file contains Stephen's flag, while the spreadsheet lists usernames for the domain.
Using the /users share, we have obtained a list of usernames as well as a confirmed admin account, which should be the top priority to compromise.
We need to verify which of these usernames are still valid, given the notes regarding inactive accounts.
Kerberos
Using kerbrute enables us to verify which usernames are valid within the domain.
AS-REP Roasting
We can use impacket-GetNPUsers to determine whether any of the three valid users has Kerberos pre-authentication disabled; for such an account the KDC returns an AS-REP whose encrypted part can be cracked offline to recover the user's password.
Running: impacket-GetNPUsers raz0rblack.thm/ -no-pass -usersfile validUsers.txt
The user twilliams is vulnerable to this attack; cracking the hash with john returns the credentials twilliams:roastpotatoes.
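From the defender's side, the step above leaves a distinctive trace in Windows Security event 4768. The following script (an added example, not part of the original write-up) runs two checks over constructed 4768 records: a TGT issued with PreAuthType 0 and RC4 (0x17) encryption marks a roastable account, and a burst of KDC_ERR_PREAUTH_REQUIRED (0x19) results from one source across several accounts marks a GetNPUsers-style sweep over a user list.

```python
"""Spot AS-REP roasting in Windows Security event 4768 (Kerberos TGT request).

Constructed sample events, not logs from the room. The fix on the domain side
is to clear "Do not require Kerberos preauthentication" on the account and
prefer AES ticket encryption over RC4.
"""
from collections import defaultdict

# Constructed 4768 records: one normal AES logon, then a sweep from 10.10.14.9.
# Failed requests carry PreAuthType "-" and TicketEncryptionType 0xffffffff.
SAMPLE_4768 = [
    {"TargetUserName": "lvetrova", "IpAddress": "10.10.14.5", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "twilliams", "IpAddress": "10.10.14.9", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "sbradley", "IpAddress": "10.10.14.9", "PreAuthType": "-",
     "TicketEncryptionType": "0xffffffff", "Status": "0x19"},
    {"TargetUserName": "lvetrova", "IpAddress": "10.10.14.9", "PreAuthType": "-",
     "TicketEncryptionType": "0xffffffff", "Status": "0x19"},
    {"TargetUserName": "xyan1d3", "IpAddress": "10.10.14.9", "PreAuthType": "-",
     "TicketEncryptionType": "0xffffffff", "Status": "0x19"},
]


def roastable_accounts(events):
    """Accounts handed a TGT with no pre-authentication and RC4 encryption."""
    return sorted({
        e["TargetUserName"] for e in events
        if e["Status"].lower() == "0x0"
        and e["PreAuthType"] == "0"
        and e["TicketEncryptionType"].lower() == "0x17"
    })


def sweep_sources(events, min_accounts=3):
    """Source IPs that hit KDC_ERR_PREAUTH_REQUIRED for >= min_accounts users."""
    seen = defaultdict(set)
    for e in events:
        if e["Status"].lower() == "0x19":
            seen[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(users) for ip, users in seen.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    print("roastable:", roastable_accounts(SAMPLE_4768))
    print("sweeps:", sweep_sources(SAMPLE_4768))
```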
Now that we have valid credentials, we can enumerate SMB and MSRPC via authenticated means.
SMB (Credentialed)
Listing the shares of raz0rblack.thm returns one unique trash share.
An interactive session with these credentials does not have read permission on it, so this could be a rabbit hole. We can test whether the password was reused among the three valid users.
Password spraying can be done many different ways; I had issues with crackmapexec (ldap3), so I used msfconsole to spray the password against SMB.
The password roastpotatoes is also in use by sbradley; attempting to establish an interactive session returned the following compromising information:
sbradley's account requires a password change, so we can use smbpasswd to set a new password as that user. This user might have read/write access to the unique SMB share.
Following the password change, we can see the user has read access to the unique share, which contains a chat log and a zip file.
Analyzing the chat and zip files reveals a conversation between users on the domain, which suggests that the zip file is password protected and contains the NTDS.dit and system.hive files needed to extract the domain user hashes.
Encrypted Zip File & Dumping Hashes
We can use zip2john to extract the password hash and brute-force the password:
zip2john zipFile > zipHash
john successfully cracked the password, allowing us to dump the NTLM hashes of every user on the domain with secretsdump.
Enumeration Results
Local Privilege Escalation
We have the hashes of all domain users, yet none of them was confirmed to be the admin lvetrova's hash. We can use a hash spraying attack with msfconsole to confirm the AD admin's hash and establish an evil-winrm session via pass the hash.
The msfconsole smb_login module requires that hashes be formatted as LMHASH:NTHASH.
Based on the format of the systemHash.txt file, we can use grep and awk to print only the hashes to a text file.
Use cat to print the file and grep to filter only the strings between ":" and ":::", which in this case still include the RID.
To remove the RID en masse, I used a text editor with Ctrl+H to add spaces before and after the colons so that awk would not read each line as one giant column. Following this, I used awk to print the needed range of columns, then removed the spaces around the colons again in the new file.
awk '{print $3, $4, $5}' rawHash.txt > rawHash2.txt
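The find-and-replace plus awk dance above can be replaced by parsing the secretsdump line format directly. This added example (not from the write-up) splits DOMAIN\user:RID:LMHASH:NTHASH::: lines into fields, emits the LM:NT pairs, and also does what a defender would do with the same dump: report accounts that share an NT hash, i.e. a reused password like the one found earlier. The dump fragment and NT values are constructed placeholders.

```python
"""Parse secretsdump.py NTDS output into LM:NT pairs and audit for shared NT hashes.

Hash lines look like DOMAIN\\user:RID:LMHASH:NTHASH:::; banner lines and the
Kerberos-key lines secretsdump prints afterwards are skipped by the regex.
"""
import re
from collections import defaultdict

# Constructed dump fragment: the LM value is the well-known empty-LM constant,
# the NT values are placeholder hex, and the machine account name is invented.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
raz0rblack.thm\\lvetrova:1001:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
raz0rblack.thm\\twilliams:1002:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
raz0rblack.thm\\sbradley:1003:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
SERVER01$:1000:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
raz0rblack.thm\\lvetrova:aes256-cts-hmac-sha1-96:0123abcd
[*] Cleaning up...
"""

HASH_LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^\\:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_dump(text):
    """Return one dict per hash line; anything not matching the format is dropped."""
    records = []
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rid"] = int(rec["rid"])
            records.append(rec)
    return records


def lm_nt_pairs(records):
    """The LMHASH:NTHASH form the msfconsole smb_login module expects, one per line."""
    return [f"{r['lm']}:{r['nt']}" for r in records]


def shared_nt(records):
    """NT hashes used by more than one account, i.e. reused passwords."""
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"].lower()].append(r["user"])
    return {nt: sorted(users) for nt, users in by_nt.items() if len(users) > 1}


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print("\n".join(lm_nt_pairs(recs)))
    print("reused:", shared_nt(recs))
```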
Once the hashes are formatted as LM:NT, set the SMBUser, RHOSTS, and PASS_FILE options to spray for the lvetrova admin hash.
Following the brute-force attack to confirm the proper NTLM hash, we can use evil-winrm to establish an initial foothold:
evil-winrm -u lvetrova -H <adminHash> --ip raz0rblack.thm
The room asks for this admin's flag, which appears to be hidden within an .xml file on the machine.
Searching for "powershell password within XML file" leads to this solution, which extracts the admin flag.
Xyan1d3 Hash
Next we're instructed to retrieve xyan1d3's hash, presumably the actual administrator of this server.
We can start by using the GetUserSPNs impacket module with lvetrova's credentials to request a service ticket (TGS) for the account and crack its hash with john to recover the password.
Following the successful crack of the hash, we can log in via evil-winrm.
Administrator Privilege Escalation
A few of xyan1d3's privileges stand out; however, I still wanted to run some PowerShell privilege escalation scripts to check for any obvious attack vectors.
Double-checking the permissions of xyan1d3 reveals three unique privileges, most notably SeBackupPrivilege.
This privilege stands out because xyan1d3 is also a member of the Backup Operators group, which is no mere coincidence.
SeBackupPrivilege lets us use diskshadow.exe to make a shadow copy of the entire filesystem, including NTDS.dit and the SYSTEM hive, from which every domain hash, including the administrator's, can be extracted. We need to target NTDS.dit and the system key from the registry.
First we need to use script mode: create a script file with diskshadow commands that creates the shadow copy in one pass, exposing the SAM or NTDS.dit files, which we can then extract for a pass-the-hash shell.
Transfer the file and run diskshadow.exe /s c:\temp\disk.txt
Verify the backup was written to the E: drive by listing the contents of the NTDS directory.
Next we need to copy the SYSTEM registry hive, as it contains the key needed to decrypt the NTDS file: reg save hklm\system c:\temp\system.bak
In order to copy the ntds.dit file, we can use these .dll files: transfer them to the target machine and run Copy-FileSeBackupPrivilege e:\windows\ntds\ntds.dit c:\temp\ntds.dit
After NTDS.dit has been copied to the temp folder, we need to transfer both files to Kali. We know from the AV that common file transfer methods such as SMB and nc.exe are blocked, so we download with evil-winrm, which requires the full path.
Once we verify the file size once more on the attacker, we can finally extract the NTLM hashes using secretsdump.
And establish an administrator shell with evil-winrm.
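Every step of the chain above is visible to a defender with process-creation auditing enabled. This added example (not part of the write-up) correlates constructed Security events, 4672 special-privilege assignment and 4688 process creation, to flag a session that holds SeBackupPrivilege and then runs diskshadow in script mode, saves a registry hive, and touches ntds.dit; the sample events replay the commands used on this box.

```python
"""Flag the SeBackupPrivilege -> diskshadow -> hive copy chain in Windows
Security events (4672 special privileges, 4688 process creation).

Constructed sample events, not logs from the room; field names follow the
Windows Security event schema. Mitigation is to keep Backup Operators empty
and alert on any use of SeBackupPrivilege outside scheduled backup jobs.
"""
import re
from collections import defaultdict

# Constructed events replaying the steps described in the write-up
SAMPLE_EVENTS = [
    {"EventID": 4672, "SubjectUserName": "xyan1d3",
     "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege"},
    {"EventID": 4688, "SubjectUserName": "xyan1d3",
     "NewProcessName": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow.exe /s c:\temp\disk.txt"},
    {"EventID": 4688, "SubjectUserName": "xyan1d3",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\system c:\temp\system.bak"},
    {"EventID": 4688, "SubjectUserName": "xyan1d3",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"Copy-FileSeBackupPrivilege e:\windows\ntds\ntds.dit c:\temp\ntds.dit"},
    {"EventID": 4688, "SubjectUserName": "lvetrova",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

# Each rule: (finding name, regex applied to the lower-cased command line)
PROCESS_RULES = [
    ("diskshadow script mode", re.compile(r"diskshadow(\.exe)?\s+/s\b")),
    ("registry hive save", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(system|sam|security)\b")),
    ("ntds.dit access", re.compile(r"ntds\.dit")),
]


def analyse(events):
    """Return {user: sorted list of distinct chain indicators seen for that user}."""
    findings = defaultdict(set)
    for ev in events:
        user = ev["SubjectUserName"]
        if ev["EventID"] == 4672 and "SeBackupPrivilege" in ev.get("PrivilegeList", ""):
            findings[user].add("SeBackupPrivilege granted at logon")
        elif ev["EventID"] == 4688:
            cmd = ev.get("CommandLine", "").lower()
            for name, rx in PROCESS_RULES:
                if rx.search(cmd):
                    findings[user].add(name)
    return {u: sorted(f) for u, f in findings.items()}


def suspicious_users(events, minimum=3):
    """Users with at least `minimum` distinct indicators; one hit alone is noise."""
    return sorted(u for u, f in analyse(events).items() if len(f) >= minimum)


if __name__ == "__main__":
    for user, hits in analyse(SAMPLE_EVENTS).items():
        print(user, hits)
    print("suspicious:", suspicious_users(SAMPLE_EVENTS))
```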