Fusion Corp (GetNPUsers + rpcclient + SeBackupPrivilege privesc)
Room: Fusion Corp
Difficulty: Hard
Overview: In this room we will take advantage of different services on a Windows machine, abusing Kerberos pre-authentication to enumerate users, dumping and cracking hashes with the help of impacket tools and John the Ripper, and finally escalating privileges by exploiting the SeBackupPrivilege permission.
Like always, we start our enumeration by running "nmap" to scan for all open ports on the target system:
nmap -sV -sC -p- fusioncorp.thm -oN nmap.txt
-sV - Probe open ports to determine service/version info
-sC - Scan using the default set of scripts
-p- - Scan all ports
-oN - Save the output of the scan to a file
Normally Active Directory Windows machines have a lot of open ports, which at times can be intimidating, but we follow the basics.
We will explore the HTTP web server first:
Since there was no useful information on the website, we can search for hidden directories with "gobuster":
gobuster dir --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --url http://fusioncorp.thm -x .txt,.cgi,.php,.log,.bak,.xxx,.old
dir - Use directory/file enumeration mode
--wordlist - Path to the wordlist
--url - The target URL under which to look for hidden directories
-x - Search for files with the specified extensions
We have found an interesting file in the /backup directory which contains a list of employees and their usernames:
Content of "employees.ods":
With this information we can create a username wordlist and use "kerbrute", an enumeration tool that brute-forces and enumerates valid users by abusing Kerberos pre-authentication responses.
There is a valid username [email protected]. Now we will use the "impacket" tool "GetNPUsers.py" to request the AS-REP hash of accounts that do not require Kerberos pre-authentication (AS-REP roasting), in this case the account [email protected].
We got the hash. It is not the plaintext password, so we need to crack it with "John the Ripper", "hashcat" or another tool of your choice.
Success: we have "lparker"'s credentials. Connect with "evil-winrm" and we can start some reconnaissance of the machine:
We found the "jmurphy" and "Administrator" accounts, and also the first flag of the room.
Now we are going to query the user jmurphy with "rpcclient":
In the description field, in plaintext, we found the password for "jmurphy".
Let's log in again with "evil-winrm", this time with the new user's credentials:
Found the second flag:
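The two weaknesses used above (an account with Kerberos pre-authentication disabled, which is what GetNPUsers.py targets, and a password left in a user's description attribute) are both visible in the directory itself. The following audit is an added example, not code from the room or from impacket: it runs over a constructed user export and assumes the userAccountControl bit values documented by Microsoft and a simple credential-word pattern.

```python
import re

# userAccountControl bits (Microsoft documented values)
NORMAL_ACCOUNT = 0x0200
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000  # 4194304: Kerberos pre-authentication not required

# Constructed sample user export (not data from the room); fields mirror the
# sAMAccountName / userAccountControl / description attributes.
SAMPLE_USERS = [
    {"sam": "lparker", "uac": NORMAL_ACCOUNT | DONT_REQ_PREAUTH, "description": ""},
    {"sam": "jmurphy", "uac": NORMAL_ACCOUNT,
     "description": "Temp password: Welcome123 (constructed)"},
    {"sam": "svc_old", "uac": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH,
     "description": "legacy"},
    {"sam": "abrown", "uac": NORMAL_ACCOUNT, "description": "Finance team"},
]

# Credential-looking words in free-text attributes; tune for your directory.
CRED_PATTERN = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?)\b", re.IGNORECASE)


def asrep_roastable(users):
    """Enabled accounts with DONT_REQ_PREAUTH set: exactly what GetNPUsers.py asks for."""
    return sorted(
        u["sam"] for u in users
        if (u["uac"] & DONT_REQ_PREAUTH) and not (u["uac"] & ACCOUNTDISABLE)
    )


def password_in_description(users):
    """Accounts whose description attribute looks like it carries a secret."""
    return sorted(u["sam"] for u in users if CRED_PATTERN.search(u["description"]))


def audit(users):
    """Both checks in one report, keyed by finding name."""
    return {
        "asrep_roastable": asrep_roastable(users),
        "password_in_description": password_in_description(users),
    }


if __name__ == "__main__":
    for finding, accounts in audit(SAMPLE_USERS).items():
        print(f"{finding}: {', '.join(accounts) or 'none'}")
```

Disabled accounts are skipped because the KDC will not issue an AS-REP for them; the fix for a flagged account is to clear the "Do not require Kerberos preauthentication" option and to move any secret out of the description.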
Now, to privesc in order to get the last flag, we can check the privileges of our user (whoami /priv):
We have some privileges that we can exploit, and one of them is "SeBackupPrivilege".
As we can see, the contents of the "Administrator" user's directory can be listed, but we cannot read or execute files such as the last "flag.txt" file.
This useful GitHub repository from "giuliano108" shows us how to take advantage of SeBackupPrivilege. It allows the user to access directories/files that they do not own or do not have permission to read.
So with "evil-winrm" we can upload the two ".dll" files from the GitHub repository to the target machine:
Like in a "meterpreter" shell, we can use the "download" and "upload" commands to transfer files between the target and the attacker machine.
Now, after importing the two modules, we use the command "Copy-FileSeBackupPrivilege", which makes a copy of the "flag.txt" file into our directory by abusing "SeBackupPrivilege":
Now read the last flag!
We have all the flags but let's explore and see if we can escalate our privileges further.
My first attempt to privesc to user "Administrator" failed, because I got an invalid "administrator" hash. Let me show:
With user "jmurphy" we can save the "sam" and "system" files into a directory that we can access by doing:
Now just download the files to your attacker machine:
With the tool "pypykatz" we can extract the hashes from the "sam" file:
As we can see below, the login with the "Administrator" hash failed for whatever reason. Maybe because the "sam" file was from the Windows machine itself and not the Domain Controller.
After reading more on how to privesc this machine through "SeBackupPrivilege", I found a very useful article on the hackingarticles website.
To get all the hashes of the Domain Controller we need the "ntds.dit" and "system" files from the target machine.
To get the "ntds.dit" file we need to use shadow copy functionality, because "ntds.dit" is always in use by the system, which prevents us from making a direct copy of it.
So we can create a custom "Distributed Shell File" (.dsh) with the commands necessary to make a shadow copy of the Windows drive, from which we can then extract the "ntds.dit" file:
Use "unix2dos" to convert the encoding and line endings of the dsh file to be Windows compatible.
Running "evil-winrm" with the "jmurphy" user, I created a /temp folder in his home directory and uploaded the "hashdump.dsh":
To run the commands inside "hashdump.dsh" we use "diskshadow":
Now, to make the actual copy of "ntds.dit", we use "robocopy" on the new drive letter that we just created:
Getting the "system" file is easier; we just need to use:
We have all the files that we need to extract the hashes; we just need to download them to our attacker machine:
On our attacker machine we can use the "impacket secretsdump" tool to extract all the hashes inside "ntds.dit":
We have a valid "Administrator" hash to use with "evil-winrm":
Success!
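Both privilege escalations above leave the same traces on the Domain Controller: a logon that is granted SeBackupPrivilege (Security event 4672) for an account that is not a backup operator, followed by a scripted diskshadow run and a robocopy in backup mode aimed at ntds.dit (process creation, event 4688). The detector below is an added example, not part of the room or of any vendor tooling; it runs over a constructed, simplified log extract (EventID|SubjectUserName|detail) and assumes a site-specific allowlist of accounts expected to hold the privilege.

```python
import re

# Constructed Security-log extract, not a real log from the room.
# 4672 detail = privilege list at logon; 4688 detail = command line.
SAMPLE_EVENTS = r"""
4672|jmurphy|SeBackupPrivilege,SeRestorePrivilege,SeShutdownPrivilege
4688|jmurphy|diskshadow.exe /s C:\temp\hashdump.dsh
4688|jmurphy|robocopy /b E:\Windows\NTDS C:\temp ntds.dit
4672|Administrator|SeBackupPrivilege,SeDebugPrivilege
4688|jmurphy|notepad.exe C:\temp\notes.txt
4688|abrown|robocopy /mir C:\share D:\backup
"""

# Assumption: accounts for which SeBackupPrivilege at logon is expected.
EXPECTED_BACKUP_HOLDERS = {"Administrator", "SYSTEM", "backupsvc"}


def parse(text):
    """Turn the pipe-delimited extract into event dicts."""
    events = []
    for line in text.strip().splitlines():
        event_id, user, detail = line.split("|", 2)
        events.append({"id": int(event_id), "user": user, "detail": detail})
    return events


def detect(events):
    """Return (user, reason) alerts for the SeBackupPrivilege abuse chain."""
    alerts = []
    for e in events:
        if e["id"] == 4672:
            privs = e["detail"].split(",")
            if "SeBackupPrivilege" in privs and e["user"] not in EXPECTED_BACKUP_HOLDERS:
                alerts.append((e["user"], "SeBackupPrivilege granted at logon outside allowlist"))
        elif e["id"] == 4688:
            cmd = e["detail"].lower()
            if cmd.startswith("diskshadow") and re.search(r"\s/s\b", cmd):
                alerts.append((e["user"], "scripted diskshadow run (shadow copy script)"))
            elif "robocopy" in cmd and re.search(r"\s/b\b", cmd) and "ntds.dit" in cmd:
                alerts.append((e["user"], "ntds.dit copied with robocopy backup mode (/b)"))
    return alerts


if __name__ == "__main__":
    for user, reason in detect(parse(SAMPLE_EVENTS)):
        print(f"ALERT {user}: {reason}")
```

Command-line logging for 4688 must be enabled for the second and third rules to fire; the first rule alone already catches the jmurphy logon, and membership of the Backup Operators group is the setting to review when it does.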