
Hack The Box - Blackfield Walkthrough

Overview

Item Details
Platform Hack The Box
Machine Blackfield
Environment Active Directory
Difficulty Hard
OS Windows
Created By aas
Release Date 06 June 2020
Pwn Date 21 December 2025



Blackfield is an Active Directory machine. The following hints outline the path to completing it.
- smbclient for enumerating users.
- Kerberoasting attack for getting the support account hash.
- Crack the hash using hashcat.
- AD relationship enumeration using bloodhound-python.
- Change the password of audit2020 using the ForceChangePassword permission held by support.
- pypykatz for dumping the NT hash of svc_backup from the lsass dump.
- WinRM shell as svc_backup for the user flag.
- Exploiting user privileges for privilege escalation.
- diskshadow for getting the ntds.dit and SYSTEM files.
- Dump the administrator hash and capture the root flag.

Try to connect the hints and pwn the machine. If you get stuck, feel free to go through the write-up.


Initial Enumeration

First we can enumerate open ports and services using Nmap.

nmap -sV -T4 -p- -A <target-ip> -oN <result.txt>

Nmap Scan

There are 8 open ports on the target. Our first target is the SMB port (445). Let's list the SMB shares using the smbclient tool.

smbclient -L \\\\<target-ip>

SMB Shares

We have access to the "profiles$" share, and from its directory listing I was able to collect a list of usernames.

smbclient \\\\<target-ip>\\profiles$

Profiles$ share

Usernames collected

Accessing SUPPORT account

So, without authentication we were able to obtain a list of usernames. Now we can use these users for the roasting attack: GetNPUsers.py requests AS-REP ticket hashes for any listed account that has Kerberos pre-authentication disabled.

GetNPUsers.py -request 'BLACKFIELD.local/' -usersfile <usernames.txt> -no-pass -dc-ip <target-ip> -format hashcat

Kerberoast Ticket Enumeration

Got a kerberoast ticket

Here we got the hash of "support". Now we can use hashcat to crack it.

Hash Cracked

Successfully cracked the hash.

support : #00^BlackKnight
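As an added example (not part of the original write-up), the defender's view of this step: the account attribute that makes GetNPUsers.py succeed is the DONT_REQ_PREAUTH bit of userAccountControl, and the resulting AS-REP shows up in Security log event 4768 with pre-authentication type 0. The account records, the 4768 records and the IP addresses below are constructed for the example.

```python
# Added example, not from the write-up: find accounts that GetNPUsers.py could
# roast (enabled, Kerberos pre-authentication disabled) and flag the matching
# AS-REQ activity in Security log event 4768.
DONT_REQ_PREAUTH = 0x400000   # documented userAccountControl bit UF_DONT_REQUIRE_PREAUTH
ACCOUNTDISABLE = 0x0002

# Constructed sample records shaped like userAccountControl query results;
# the values are made up for this example.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "support",    "userAccountControl": 0x410200},  # NORMAL_ACCOUNT|DONT_EXPIRE_PASSWD|DONT_REQ_PREAUTH
    {"sAMAccountName": "audit2020",  "userAccountControl": 0x10200},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200},
    {"sAMAccountName": "oldsvc",     "userAccountControl": 0x400202},  # bit set, but account disabled
]

# Constructed 4768 (Kerberos TGT requested) records. PreAuthType 0 means the
# KDC answered without pre-authentication; 0x17 is RC4, the etype GetNPUsers.py
# asks for so the hash cracks as $krb5asrep$23$.
SAMPLE_4768 = [
    {"TargetUserName": "support",    "PreAuthType": 0, "TicketEncryptionType": 0x17, "IpAddress": "10.10.14.5"},
    {"TargetUserName": "audit2020",  "PreAuthType": 2, "TicketEncryptionType": 0x12, "IpAddress": "10.10.10.20"},
    {"TargetUserName": "svc_backup", "PreAuthType": 2, "TicketEncryptionType": 0x12, "IpAddress": "10.10.10.20"},
]

def asrep_roastable(accounts):
    """Names of enabled accounts with the pre-auth-not-required bit set."""
    return sorted(
        a["sAMAccountName"] for a in accounts
        if a["userAccountControl"] & DONT_REQ_PREAUTH
        and not a["userAccountControl"] & ACCOUNTDISABLE
    )

def suspicious_asrep(events):
    """4768 events that handed out an RC4-encrypted AS-REP with no pre-auth."""
    return [
        (e["TargetUserName"], e["IpAddress"]) for e in events
        if e["PreAuthType"] == 0 and e["TicketEncryptionType"] == 0x17
    ]

if __name__ == "__main__":
    print("roastable:", asrep_roastable(SAMPLE_ACCOUNTS))
    print("suspicious 4768:", suspicious_asrep(SAMPLE_4768))
```

Clearing the bit on the support account (or disabling RC4 for it) removes the hash GetNPUsers.py obtained here; the 4768 filter is what a SIEM rule for this step looks like.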

We don't have WinRM access with this credential, and the SMB shares and kerberoasting gave nothing further. But we can use this credential with bloodhound-python for AD relationship enumeration.

sudo bloodhound-python -d BLACKFIELD.local -u support -p '#00^BlackKnight' -ns <target-ip> -c all --zip

Enumeration through bloodhound-python

Taking over AUDIT2020

Now we can use the BloodHound UI to view the AD structure. It helps us choose an attack path.

Bloodhound UI - Attack Path

From this you can see that SUPPORT has ForceChangePassword over AUDIT2020. This is our attack path. If you check, "audit2020" also appears in the username list we collected earlier.

Valid User Confirmed

Now let's use rpcclient to change the password of audit2020 with the credential of support.

Password change of user

You can see that the audit2020 user has access to the SMB shares.

crackmapexec smb <target-ip> -u audit2020 -p <password>

Checking SMB access of the new user

So now we have the audit2020 user as well. Let's explore the SMB shares with this user's credential.

smbclient \\\\<target-ip>\\forensic -U BLACKFIELD.local/audit2020%<newpassword>

SMB Share - Forensic

Capturing User Flag

If you explore the share folders you can see the lsass.zip file. Download and unzip it on our system.

Listing Files

Unzipping LSASS File

Now we can dump the credentials from the lsass dump using the pypykatz tool.

Reference:
https://github.com/skelsec/pypykatz
https://en.hackndo.com/remote-lsass-dump-passwords/#linux--windows

Found NT hash of svc_backup

Now let's check where we can use this credential.

# Checking for SMB access
crackmapexec smb <target-ip> -u svc_backup -H '<NT-Hash>'

# Checking for WinRM access
crackmapexec winrm <target-ip> -u svc_backup -H '<NT-Hash>'

Accessibility check using crackmapexec

We successfully got a credential for WinRM shell access. Let's use evil-winrm to access the shell.

evil-winrm -i <target-ip> -u 'svc_backup' -H '<NT-Hash>'

User Flag Captured

We successfully captured the user flag from the svc_backup account.

Capturing Root Flag

Check the user's privileges.

whoami /priv

User privileges

Here we can see interesting privileges assigned to the user. Our target is SeBackupPrivilege.

The goal is to obtain the ntds.dit file (the core database of Active Directory). Even though it is present at C:\Windows\NTDS\ntds.dit, it is held open by the running directory service and can't be copied directly. So we use the Volume Shadow Copy Service (VSS) to create a point-in-time snapshot of the C: volume, then read ntds.dit from the snapshot.

For that we can use DiskShadow. DiskShadow.exe is a Microsoft-signed tool built into Windows Server that automates VSS operations using a script file.

Reference:
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/

First we'll create a diskshadow script.

DiskShadow script created

Now upload it to the target machine and execute it with diskshadow.

diskshadow /s <diskshadowScript>

Executing diskshadow script

Using diskshadow we exposed a shadow copy of the volume. Now copy the ntds.dit file from it and download it to our machine.

Reference:
https://pentestlab.blog/tag/diskshadow/

Copying ntds.dit file into a temporary folder

Downloading ntds.dit file into our machine

Our next target is the SYSTEM hive. It holds the key needed to decrypt the password hashes in the Active Directory NTDS.dit database.

System Hive File Download

Now we can use secretsdump.py to dump the hash of administrator from the files we've collected.

secretsdump.py -ntds ntds.dit -system system.hive LOCAL | grep Admin

Dumping hash from ntds.dit file
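The two privilege steps above, the ForceChangePassword reset of audit2020 and the SeBackupPrivilege/diskshadow route to ntds.dit, each leave a Security log trail: 4724 (password reset attempt), 4672 (special privileges assigned at logon) and 4688 (process creation with command line). As an added example, not from the write-up, here is a small detector run over constructed event lines; the flattened key=value log shape, the allowlist and the file paths in the sample are assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events, flattened to one key=value line each for this
# example; they are not real Blackfield logs.
SAMPLE_EVENTS = r'''
4724 Subject=BLACKFIELD\support Target=audit2020
4672 Subject=BLACKFIELD\svc_backup Privileges=SeBackupPrivilege,SeRestorePrivilege
4688 Subject=BLACKFIELD\svc_backup NewProcess=C:\Windows\System32\diskshadow.exe CommandLine="diskshadow /s C:\Temp\vss.txt"
4688 Subject=BLACKFIELD\svc_backup NewProcess=C:\Windows\System32\cmd.exe CommandLine="cmd /c copy E:\Windows\NTDS\ntds.dit C:\Temp\ntds.dit"
4672 Subject=BLACKFIELD\Administrator Privileges=SeBackupPrivilege,SeDebugPrivilege
4688 Subject=BLACKFIELD\Administrator NewProcess=C:\Windows\System32\notepad.exe CommandLine="notepad"
'''

# Accounts expected to reset passwords or hold backup rights (assumption).
ALLOWLIST = {"administrator"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split '<id> key=value ...' into a dict; quoted values may contain spaces."""
    event_id, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["EventID"] = int(event_id)
    fields["User"] = fields.get("Subject", "").rsplit("\\", 1)[-1].lower()
    return fields

def detect(log_text):
    """Return (event_id, user, reason) for events matching the chain above."""
    hits = []
    for line in filter(None, log_text.splitlines()):
        e = parse_event(line)
        if e["User"] in ALLOWLIST:
            continue
        if e["EventID"] == 4724:
            hits.append((4724, e["User"], f"reset password of {e['Target']}"))
        elif e["EventID"] == 4672 and "SeBackupPrivilege" in e["Privileges"].split(","):
            hits.append((4672, e["User"], "logon with SeBackupPrivilege"))
        elif e["EventID"] == 4688:
            exe = PureWindowsPath(e["NewProcess"]).name.lower()
            cmd = e.get("CommandLine", "").lower()
            if exe == "diskshadow.exe" and "/s" in cmd:
                hits.append((4688, e["User"], "diskshadow run with a script file"))
            elif "ntds.dit" in cmd:
                hits.append((4688, e["User"], "command line references ntds.dit"))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(*hit)
```

Event 4688 only carries the command line when "Include command line in process creation events" is enabled in audit policy; without it the diskshadow and ntds.dit rules have nothing to match.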

Let's use the hash we found to access the administrator shell over WinRM.

evil-winrm -i <target-ip> -u Administrator -H <hash>

Root Flag Captured

We captured the root flag and successfully pwned Blackfield.

Machine Completed

Thanks for reading ✨.