RazorBlack (THM)

TryHackMe RazorBlack Write-Up

topics: Active Directory, encrypted files, SMB password change, dumping domain hashes, nested credentials, Windows Privilege Escalation (SeBackupPrivilege), Post-exploitation

  1. Enumeration

  2. Local Privilege Escalation

  3. System Privilege Escalation

tools: impacket, secretsdump, evil-winrm, smbclient, john, zip2john, powershell, GetNPUsers, awk, kerbrute, msfconsole

Enumeration

Initial nmap and autorecon scans:

The initial scans show a standard Windows Server inside an Active Directory environment: the open DNS, Kerberos, MSRPC and SMB ports are the usual signature of a domain-joined Windows server.

A quick glance at the autorecon output indicates that SMB and MSRPC require credentials to enumerate. Anonymous login succeeded, but the anonymous account lacked the permissions needed to list SMB shares.

Following this, I moved on to enumerate NFS on port 111; the autorecon scans show a publicly accessible share named /users.

NFS

The /users share contains two files, a spreadsheet and a text file.

We can list the export with showmount -e raz0rblack.thm, then mount the share to access and download the files.

The text file contains Stephen's flag, while the spreadsheet lists usernames for the domain.

From the /users share we have obtained a list of usernames as well as a confirmed admin account, which should be the top priority to compromise.

We need to verify which of these usernames are still valid, given the notes regarding inactive accounts.

Kerberos

Using kerbrute enables us to verify which usernames are valid within the domain.

AS-REP Roasting

We can use impacket-GetNPUsers to determine whether any of the three valid users has Kerberos pre-authentication disabled; for such a user the KDC returns an AS-REP encrypted with the user's password hash, which can be cracked offline to recover the password.

Running: impacket-GetNPUsers raz0rblack.thm/ -no-pass -usersfile validUsers.txt

The user twilliams is vulnerable to this attack; cracking the hash with john returns the credentials twilliams:roastpotatoes.

Now that we have valid credentials, we can enumerate SMB and MSRPC via authenticated means.

SMB (Credentialed)

Listing the shares of raz0rblack.thm returns one unique share, trash.

An interactive session with these credentials does not have read permission on it, so this could be a rabbit hole. We can test whether the password was reused among the three valid users.

Spraying the password can be done many different ways; I had issues with crackmapexec (ldap3), so I used msfconsole to spray the SMB credentials.

The password roastpotatoes is also in use by sbradley; attempting to establish an interactive session as that user returned the following:

sbradley requires a password change, and we can use smbpasswd to change it as that user. This account might have read/write access to the unique SMB share.

Following the password change, we can see the user has read access to the unique share, which contains a chat log and a zip file.

Analyzing the chat log and zip file reveals a conversation between users on the domain, indicating that the zip file is password protected and contains the NTDS.dit and SYSTEM hive files needed to extract the domain user hashes.

Encrypted Zip File & Dumping Hashes

We can use zip2john to extract the password hash and crack it with john:

zip2john zipFile > zipHash

john cracked the password, allowing us to dump the NTLM hashes of every user on the domain with secretsdump.

Enumeration Results

Local Privilege Escalation

We have the hashes of all domain users, but none has yet been matched to the admin lvetrova. We can spray the hashes with msfconsole to confirm which one belongs to the AD admin and then establish an evil-winrm session via pass-the-hash.

The msfconsole smb_login module requires hashes in the LMHASH:NTHASH format.

Based on the format of the systemHash.txt file, we can use grep and awk to print only the hashes to a text file.

Use cat to print the file and grep to keep only the strings between ":" and ":::", which in this case still includes the RID.

To remove the RID en masse, I used a text editor's Ctrl+H to add spaces before and after the colons so awk wouldn't read each line as one giant column. I then used awk to print the wanted range of columns and removed the spaces around the colons again in the new file.

awk '{print $3, $4, $5}' rawHash.txt > rawHash2.txt

Once the hashes are formatted as LM:NT, set the SMBUser, RHOSTS and PASS_FILE options to spray for the lvetrova admin hash.

Once the spray confirms the correct NTLM hash, we can use evil-winrm to establish an initial foothold:

evil-winrm -u lvetrova -H <adminHash> --ip raz0rblack.thm

The room asks for this admin's flag, which appears to be hidden within an .xml file on the machine.

Searching for "powershell password within XML file" leads to this solution, which extracts the admin flag: Import-Clixml rebuilds the PSCredential object stored in the file, and GetNetworkCredential() returns its password in clear text.

$secretPW = Import-Clixml -Path lvetrova.xml
$secretPW.GetNetworkCredential().password

Xyan1d3 Hash

Next we're instructed to retrieve xyan1d3's hash; this is presumably the actual administrator of this server.

We can start with the impacket GetUserSPNs module, using lvetrova's credentials, to request a TGS for the account's SPN and crack the resulting ticket hash offline with john.

After cracking the hash, we can log in via evil-winrm.
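Each of the three Kerberos steps used so far (kerbrute user validation, AS-REP roasting of twilliams, and the TGS request for xyan1d3) leaves a distinct trace in the domain controller's 4768/4769 security events. As an added example from the defender's side (not part of the write-up), the following Python classifies such events: a burst of KDC_ERR_C_PRINCIPAL_UNKNOWN failures from one source, a TGT issued without pre-authentication and with RC4 encryption, and an RC4 service ticket for a user account with an SPN. The events are constructed and flattened to key=value fields; user names follow the write-up, while the client IP and the DC name are made up.

```python
"""Classify DC Kerberos events (4768/4769) into the traces left by user enumeration, AS-REP roasting and Kerberoasting."""
from collections import Counter

RC4_HMAC = "0x17"          # TicketEncryptionType: RC4-HMAC, the type roasting tools request for offline cracking
NO_PREAUTH = "0"           # 4768 PreAuthType 0: logon without Kerberos pre-authentication
UNKNOWN_PRINCIPAL = "0x6"  # 4768 Status KDC_ERR_C_PRINCIPAL_UNKNOWN: the requested account does not exist

# Constructed sample events flattened to key=value fields; user names follow the write-up, the IP is made up.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=jdoe ServiceName=krbtgt PreAuthType=- TicketEncryptionType=- Status=0x6 IpAddress=10.10.10.99",
    "EventID=4768 TargetUserName=asmith ServiceName=krbtgt PreAuthType=- TicketEncryptionType=- Status=0x6 IpAddress=10.10.10.99",
    "EventID=4768 TargetUserName=bjones ServiceName=krbtgt PreAuthType=- TicketEncryptionType=- Status=0x6 IpAddress=10.10.10.99",
    "EventID=4768 TargetUserName=twilliams ServiceName=krbtgt PreAuthType=0 TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.10.99",
    "EventID=4768 TargetUserName=lvetrova ServiceName=krbtgt PreAuthType=2 TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.10.99",
    "EventID=4769 TargetUserName=lvetrova@RAZ0RBLACK.THM ServiceName=xyan1d3 TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.10.99",
    "EventID=4769 TargetUserName=lvetrova@RAZ0RBLACK.THM ServiceName=DC01$ TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.10.99",
]

def parse_event(line):
    """Split one flattened event into a field dict."""
    return dict(field.split("=", 1) for field in line.split())

def classify(ev):
    """Return a finding label for one event, or None when it looks like ordinary Kerberos traffic."""
    eid, enc, svc = ev.get("EventID"), ev.get("TicketEncryptionType"), ev.get("ServiceName", "")
    if eid == "4768" and ev.get("Status") == UNKNOWN_PRINCIPAL:
        return "unknown-user-probe"          # one nonexistent name; many from one source = enumeration
    if eid == "4768" and ev.get("PreAuthType") == NO_PREAUTH and enc == RC4_HMAC:
        return "asrep-roast"                 # TGT issued without pre-auth, RC4: what GetNPUsers collects
    if eid == "4769" and enc == RC4_HMAC and svc != "krbtgt" and not svc.endswith("$"):
        return "kerberoast"                  # RC4 service ticket for a user account with an SPN
    return None

def analyse(lines, probe_threshold=3):
    """Return (findings, sources): findings are (label, target, service) tuples,
    sources are client IPs with at least probe_threshold unknown-user probes."""
    findings, probes = [], Counter()
    for line in lines:
        ev = parse_event(line)
        label = classify(ev)
        if label == "unknown-user-probe":
            probes[ev.get("IpAddress", "?")] += 1
        elif label:
            findings.append((label, ev.get("TargetUserName"), ev.get("ServiceName")))
    sources = [ip for ip, n in probes.items() if n >= probe_threshold]
    return findings, sources
```

Legitimate clients for a pre-auth-disabled account also log PreAuthType 0, so the RC4 condition is what separates tooling from normal traffic; tune probe_threshold to the domain's baseline of typos.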

Administrator Privilege Escalation

A few of xyan1d3's privileges stand out; however, I still wanted to use some PowerShell privilege escalation modules to check for any obvious attack vectors.

Double-checking xyan1d3's permissions shows three unique privileges, most notably SeBackupPrivilege.

This privilege stands out because xyan1d3 is also a member of the Backup Operators group, which is no mere coincidence.

SeBackupPrivilege lets us use diskshadow.exe to take a shadow copy of the entire volume, including the NTDS.dit and SYSTEM hive files, from which all domain hashes can be extracted. We need to target NTDS.dit and the SYSTEM key from the registry.

First we use diskshadow's script mode: create a script file with the commands below to take the shadow copy and expose it as a drive, from which we can copy out the SAM or NTDS.dit files for a pass-the-hash shell. The trailing X on each line is deliberate: diskshadow drops the last character of each line when it reads a script file.

set verbose onX
set metadata C:\Temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backupX

Transfer the file and run diskshadow.exe /s c:\temp\disk.txt

Verify the backup was written to the E: drive by listing the contents of the NTDS directory.

Next we need to save the SYSTEM registry hive, as it holds the boot key needed to decrypt the NTDS file: reg save hklm\system c:\temp\system.bak

Because the ACL on ntds.dit does not grant xyan1d3 read access, a normal copy is denied; these .dll files provide a copy cmdlet that opens the file with backup semantics instead. Transfer them to the target machine

And run Copy-FileSeBackupPrivilege e:\windows\ntds\ntds.dit c:\temp\ntds.dit

After NTDS.dit was copied to the temp folder, we need to transfer both files to Kali. We know from the AV that common file transfer methods such as SMB and nc.exe are blocked, so we download them with evil-winrm's download command, which requires the full path.

Once the file sizes match on the attacking machine, we can extract the NTLM hashes offline from ntds.dit and the SYSTEM hive with secretsdump

and establish an administrator shell with evil-winrm via pass-the-hash.
