Hack the Box – Hard Boxes

It should be noted that no usernames, hashes or passwords will be included within this guide. If you are going to follow along you will need to do the work as well.

Introduction

Blackfield is a hard Windows box from Hack the Box that models how a real-world domain controller might be set up. The trick to doing this box properly is thorough enumeration and using the correct tool for each job. In this post I go over every tool I used and highlight some of the pitfalls I hit along the way.

As with every box, I began with an AutoRecon scan. Because this is a Windows box the scan takes much longer and produces a lot more output to work through.

After the scan completed I found two key items. In the smbmap-list-contents output a profiles$ share is listed, which gives a list of user profile folders and therefore candidate usernames. Under the LDAP output I could see BLACKFIELD.local:[email protected]. I would also recommend adding a DNS or hosts entry for the domain that points at the Blackfield IP, since name resolution matters for several of the tools used later.

I took the list of profile folders and cleaned it up into a solid list of users, which I saved as a file named users. Most of the profiles were created within minutes of each other, so the timestamp and attribute columns were uniform and a find/replace was enough to strip them.
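
The cleanup step above can be scripted instead of done by hand. The following is an added example (not code from the original post) that parses the row format `smbclient`'s `ls` command prints, keeps only directory entries, drops `.`/`..` and duplicates, and writes the result in the one-name-per-line shape GetNPUsers.py's `-usersfile` expects. The listing embedded in it is constructed sample output with placeholder names, not the real profiles$ content.

```python
import re

# Constructed sample of `smbclient //<host>/profiles$ -N -c ls` output.
# The names are placeholders, not accounts from the box.
SAMPLE_LISTING = """\
  .                                   D        0  Wed Jun  3 12:47:12 2020
  ..                                  D        0  Wed Jun  3 12:47:12 2020
  jdoe                                D        0  Wed Jun  3 12:47:11 2020
  asmith                              D        0  Wed Jun  3 12:47:11 2020
  desktop.ini                         A      282  Wed Jun  3 12:47:11 2020
  svc_example                         D        0  Wed Jun  3 12:47:12 2020

\t\t7846143 blocks of size 4096. 3859349 blocks available
"""

# One `ls` row: name, attribute letters (D = directory, A = archive, H = hidden, ...),
# size in bytes, modification time. The name group is lazy so names with spaces parse.
ROW_RE = re.compile(
    r"^\s*(?P<name>.+?)\s+(?P<attr>[ADHSRN]*)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s*$"
)


def parse_profile_names(listing: str, skip=(".", "..")) -> list[str]:
    """Directory names from an smbclient listing, in listing order, without duplicates."""
    names, seen = [], set()
    for line in listing.splitlines():
        m = ROW_RE.match(line)
        if not m or "D" not in m.group("attr"):
            continue  # skips the size summary line and plain files such as desktop.ini
        name = m.group("name")
        if name not in skip and name not in seen:
            seen.add(name)
            names.append(name)
    return names


def write_users_file(names: list[str], path: str = "users") -> None:
    """Write one name per line, the shape GetNPUsers.py -usersfile expects."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(names) + "\n")


if __name__ == "__main__":
    users = parse_profile_names(SAMPLE_LISTING)
    write_users_file(users)
    print(f"{len(users)} candidate users written to ./users")
```

Feed it the real listing by piping `smbclient ... -c ls` output into a file and passing that file's contents to `parse_profile_names`; the profile folder names are the sAMAccountNames you want, and anything that is not a directory is noise.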

Using the newly created users file, I ran Impacket's GetNPUsers.py to check each account for Kerberos pre-authentication being disabled (AS-REP roasting). A great article on all things Kerberos is available here.

Two users came back, which I noted down.

Cracking/Additional Enumeration

One of the two users had pre-authentication disabled, so GetNPUsers.py returned an AS-REP hash for that account, which I proceeded to crack with john. One thing to note: using the tool's output-file option in the GetNPUsers.py command was important, because copying the hash directly from my terminal caused john to fail on it. This caused a lot of headaches. If a program has an output option, use it whenever possible.
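
The copy-from-terminal failure above is usually the hash being mangled on the way: colour escape codes, trailing whitespace, or the long line being hard-wrapped by the terminal. As an added example (not from the original post), the following cleans a raw terminal capture back into whole hashes and checks each one against the shape Impacket emits (`$krb5asrep$23$user@REALM:checksum$edata` for hashcat, the same without the `23$` for john). The capture it runs on is constructed, with placeholder user names and dummy hex.

```python
import re

ANSI_RE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")   # CSI colour/cursor sequences
HEX_RE = re.compile(r"[0-9a-fA-F]+")
# Impacket's hashcat format carries the etype (23); its john format omits it.
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?:23\$)?(?P<user>[^@$:]+)@(?P<realm>[^:$]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)


def extract_asrep_hashes(capture: str) -> list[str]:
    """Recover AS-REP hashes from a raw terminal capture.

    Escape codes are stripped, each line is trimmed, and a line made only of hex
    digits is treated as the continuation of a hash the terminal hard-wrapped.
    """
    hashes, current = [], None
    for raw in ANSI_RE.sub("", capture).splitlines():
        line = raw.strip()
        if line.startswith("$krb5asrep$"):
            if current:
                hashes.append(current)
            current = line
        elif current and HEX_RE.fullmatch(line):
            current += line
        else:
            if current:
                hashes.append(current)
            current = None
    if current:
        hashes.append(current)
    return hashes


def check_asrep_hash(h: str) -> tuple[bool, str]:
    """Sanity-check one hash before handing it to john/hashcat."""
    m = ASREP_RE.match(h)
    if not m:
        return False, "does not match $krb5asrep$[23$]user@REALM:checksum$edata"
    edata = m.group("edata")
    if len(edata) % 2:
        return False, "encrypted part has an odd number of hex digits (truncated?)"
    if len(edata) < 64:
        return False, "encrypted part is too short to be an AS-REP enc-part"
    return True, f"ok: {m.group('user')}@{m.group('realm')}"


# Constructed capture: dummy checksum/edata, placeholder account names.
CHECKSUM = "0f" * 16          # 32 hex digits
EDATA = "ab" * 120            # 240 hex digits
GOOD_HASH = f"$krb5asrep$23$jdoe@EXAMPLE.LOCAL:{CHECKSUM}${EDATA}"
SAMPLE_CAPTURE = (
    "\x1b[1m[*] Getting TGT for jdoe\x1b[0m\n"
    + GOOD_HASH[:120] + "   \n"            # terminal wrapped the line, trailing spaces
    + GOOD_HASH[120:] + "\n"
    + "[-] User asmith doesn't have UF_DONT_REQUIRE_PREAUTH set\n"
    + f"$krb5asrep$23$svc_example@EXAMPLE.LOCAL:{CHECKSUM[:30]}$zz\n"   # mangled
)

if __name__ == "__main__":
    for h in extract_asrep_hashes(SAMPLE_CAPTURE):
        print(check_asrep_hash(h))
```

The check is deliberately structural only; it cannot tell you the hash is crackable, just that it is intact. Writing with `-outputfile` avoids the whole problem, which is the real lesson.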

The user with the TGT hash cracked

Having credentials for one user, I checked my access to SMB shares with CrackMapExec, which returned STATUS_ACCESS_DENIED. Using rpcclient along with this guide, I found that my current user had the right to change the password of the second user. I also found that a password policy was in place requiring a complex password.

RPCClient shows password complex policy.

After using rpcclient to set the second user's password to one that satisfied the policy, I used CrackMapExec again to list the shares I now had access to. The second user had access to a share called forensic, which let me keep traversing.
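
When you reset another account's password, the new value has to pass the domain policy or the call fails. The following added example (not from the original post) parses the `getdompwinfo` output rpcclient prints and checks a candidate password the way Windows' "must meet complexity requirements" rule does: minimum length, not containing the sAMAccountName or any 3+ character token of the display name, and at least three character classes. The policy output and account names in it are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample of `rpcclient -c getdompwinfo` output (values are not from the box).
SAMPLE_GETDOMPWINFO = """\
min_password_length: 7
password_properties: 0x00000001
\tDOMAIN_PASSWORD_COMPLEX
"""

DOMAIN_PASSWORD_COMPLEX = 0x1   # bit in SAMR DOMAIN_PASSWORD_INFORMATION.PasswordProperties


@dataclass
class PasswordPolicy:
    min_length: int
    complexity_required: bool


def parse_getdompwinfo(output: str) -> PasswordPolicy:
    """Pull minimum length and the complexity bit out of rpcclient's getdompwinfo output."""
    min_len = int(re.search(r"min_password_length:\s*(\d+)", output).group(1))
    props = int(re.search(r"password_properties:\s*(0x[0-9a-fA-F]+)", output).group(1), 16)
    return PasswordPolicy(min_len, bool(props & DOMAIN_PASSWORD_COMPLEX))


# Display-name token delimiters used by the Windows complexity check.
_TOKEN_SPLIT = re.compile(r"[,.\-_ #\t]+")


def meets_policy(password: str, sam_account_name: str, display_name: str,
                 policy: PasswordPolicy) -> tuple[bool, list[str]]:
    """Return (ok, reasons) for a candidate password under the given policy."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.complexity_required:
        lower = password.lower()
        if sam_account_name and sam_account_name.lower() in lower:
            problems.append("contains the sAMAccountName")
        for tok in _TOKEN_SPLIT.split(display_name or ""):
            if len(tok) >= 3 and tok.lower() in lower:
                problems.append(f"contains display-name token {tok!r}")
        classes = [
            any(c.isupper() for c in password),
            any(c.islower() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),
            # Unicode letters with no upper/lower case count as a fifth class.
            any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
        ]
        if sum(classes) < 3:
            problems.append("fewer than three character classes")
    return not problems, problems


if __name__ == "__main__":
    policy = parse_getdompwinfo(SAMPLE_GETDOMPWINFO)
    for cand in ("Passw0rd!", "password", "Jdoe2020!"):
        print(cand, meets_policy(cand, "jdoe", "John Doe", policy))
```

Run the candidate through this before the password change rather than after; a rejected change still shows up in the DC's event log, so fewer attempts is also quieter.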

Finding the forensic directory.

First I used smbclient to browse the folders and look around. I found a ZIP file containing an LSASS memory dump. Since I did not have a Windows machine on the attacking side, I used mount to mount the share and grab the file, then ran mimikatz against the dump on my main machine to pull the cached credentials out of it.

Running mimikatz on Windows.

Evil-WinRM

With the NT hash recovered from the dump, I went back to my attack box and used Evil-WinRM's pass-the-hash option to log in to the box as that user.

Capping the user flag using Evil-WinRM.

Once the connection was established I captured the user flag. I then moved to C:\Windows\Temp, created a folder to work from, and uploaded WinPEAS.bat to run its checks. One thing that stood out in the results was SeBackupPrivilege, which I had also noticed in my initial whoami /priv.
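
SeBackupPrivilege is easy to skim past in a long `whoami /priv` listing. As an added example (not from the original post), the following parses that output and flags the privileges that are worth a second look, with a one-line reason for each. The "Disabled" state is included deliberately: it only means the privilege is not currently enabled in the token, and the token holder can enable it. The listing it runs on is constructed.

```python
import re

# Constructed `whoami /priv` output, not taken from the box.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

# Privileges whose presence in a token (Enabled or Disabled) matters, and why.
INTERESTING = {
    "SeBackupPrivilege": "read any file regardless of ACL: registry hives, ntds.dit via a shadow copy",
    "SeRestorePrivilege": "write any file regardless of ACL: service binaries, registry keys",
    "SeImpersonatePrivilege": "impersonate tokens: potato-family escalation to SYSTEM",
    "SeAssignPrimaryTokenPrivilege": "assign primary tokens: potato-family escalation to SYSTEM",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeTakeOwnershipPrivilege": "take ownership of any object, then grant yourself access",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeManageVolumePrivilege": "raw access to volumes",
    "SeTcbPrivilege": "act as part of the operating system",
}

ROW_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(output: str) -> dict[str, str]:
    """Map privilege name -> state for every row of `whoami /priv`."""
    privs = {}
    for line in output.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def flag_privileges(output: str) -> dict[str, tuple[str, str]]:
    """Return only the privileges from INTERESTING, as name -> (state, reason)."""
    return {
        name: (state, INTERESTING[name])
        for name, state in parse_whoami_priv(output).items()
        if name in INTERESTING
    }


if __name__ == "__main__":
    for name, (state, why) in flag_privileges(SAMPLE_WHOAMI_PRIV).items():
        print(f"{name:32} {state:9} {why}")
```

Save the `whoami /priv` output to a file on the attack box (Evil-WinRM's download command works) and run the script over it; the same table is also useful from the defensive side when reviewing which groups a service account was placed in.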

I also tried Seatbelt.exe and other compiled executables through Evil-WinRM's -e (executables folder) option but could not get them to run successfully.

Noticing the SeBackupPrivilege.

SeBackupPrivilege Escalation

I had seen the SeBackupPrivilege escalation method before. I would recommend the GitHub repo referenced below for more information.

I then followed the guide linked here, which I had saved previously. Because I was in a PowerShell session inside Evil-WinRM, I used the /s flag to load the commands from a script file, privesc.txt, rather than typing them interactively.

After that I sat back and waited for the downloads to complete. I then ran Impacket's secretsdump.py against the copied ntds.dit (together with the SYSTEM hive, which it needs to decrypt the database) to get the hash of the Administrator account.

Reading and decrypting the hashes from ntds.dit

I then used Evil-WinRM (the hero of today) with the Administrator hash to log in as Administrator.

Rooting Blackfield from HTB. That account should have really been dealt with earlier :(.

Recommended Viewing

This was a really great box and I learned a lot. I would also recommend checking out the IppSec video below; it covers another Hack the Box machine, Forest, and he uses similar tools and the same mindset to root it.

Published On: October 3rd, 2020 / Categories: HTB, Technology