Blackfield is a very well built AD machine. It gives you the opportunity to learn about many different services used in AD.
Let's start with an nmap scan.
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-24-1024x483.png)
After this I tried enumerating with enum4linux and smbclient.
Smbclient is a tool used to access SMB resources on a server, much like an FTP client is used to access files. It offers a simple command-line interface that is trivial to use if you’re at all familiar with FTP.
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-26.png)
I tried to access each share and got many usernames from the profiles$ share.
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-27.png)
I copied the entire list to a text file and trimmed it using cut:
https://www.geeksforgeeks.org/cut-command-linux-examples/
```bash
cut -b 3-15 user.txt > brute.txt
```
I stored the trimmed user list in brute.txt.
Using the obtained usernames I tried to obtain the TGT (Ticket Granting Ticket). This can be done using the GetNPUsers python tool from impacket:
```bash
python3 GetNPUsers.py blackfield.local/ -dc-ip 10.10.10.192 -usersfile brute.txt -no-pass
```
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-28-1024x345.png)
After a few seconds the hash below showed up.
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-29-1024x208.png)
This hash belongs to support. I also noted that audit2020 and svc_backup do not have UF_DONT_REQUIRE_PREAUTH set.
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-32.png)
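The difference between support and the other two accounts is a single bit of the userAccountControl attribute, UF_DONT_REQUIRE_PREAUTH. The Python script below is an added example, not part of the original write-up: it decodes that bit field from a constructed ldapsearch-style export and lists every enabled account that would answer GetNPUsers, which is the audit a domain admin can run to find such accounts first. The account names, DNs and flag values in SAMPLE_LDIF are constructed for the example; the bit values themselves are the documented userAccountControl flags.

```python
"""Audit userAccountControl flags from an LDAP export (constructed sample).

Added example, not part of the original write-up. Accounts with the
DONT_REQ_PREAUTH bit set answer an AS-REQ without pre-authentication, so the
AS-REP they return can be cracked offline; this script finds them.
"""

# Subset of the documented userAccountControl bits.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x0002

# Constructed ldapsearch-style output. Names, DNs and values are made up for
# this example; the flag combinations mirror the three accounts discussed
# above plus one disabled account to show the edge case.
SAMPLE_LDIF = """\
dn: CN=support,CN=Users,DC=example,DC=local
sAMAccountName: support
userAccountControl: 4260352

dn: CN=audit2020,CN=Users,DC=example,DC=local
sAMAccountName: audit2020
userAccountControl: 66048

dn: CN=svc_backup,CN=Users,DC=example,DC=local
sAMAccountName: svc_backup
userAccountControl: 66048

dn: CN=old_vendor,CN=Users,DC=example,DC=local
sAMAccountName: old_vendor
userAccountControl: 4194818
"""


def parse_ldif(text):
    """Return a list of (sAMAccountName, userAccountControl) per entry.

    Entries are separated by blank lines; attribute names are matched
    case-insensitively, as LDAP attribute names are."""
    accounts = []
    name = uac = None
    for line in text.splitlines() + [""]:
        if not line.strip():
            if name is not None and uac is not None:
                accounts.append((name, uac))
            name = uac = None
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key == "samaccountname":
            name = value.strip()
        elif key == "useraccountcontrol":
            uac = int(value.strip())
    return accounts


def decode_uac(value):
    """Translate a userAccountControl integer into its flag names, low bit first."""
    return [flag for bit, flag in sorted(UAC_FLAGS.items()) if value & bit]


def find_asrep_roastable(accounts, include_disabled=False):
    """Names of accounts that do not require Kerberos pre-authentication.

    A disabled account cannot obtain a TGT, so it is skipped unless the
    caller asks for it; it still deserves cleanup before someone re-enables it."""
    hits = []
    for name, uac in accounts:
        if not uac & DONT_REQ_PREAUTH:
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(name)
    return hits


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for name, uac in parsed:
        print(f"{name:12} {uac:>8}  {', '.join(decode_uac(uac))}")
    print("pre-auth not required:", find_asrep_roastable(parsed))
```

Against a real domain the same parser works on `ldapsearch -LLL ... sAMAccountName userAccountControl` output; the fix for each hit is to clear the bit (uncheck "Do not require Kerberos preauthentication" on the account) unless a documented legacy client depends on it.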
Using John and the rockyou.txt wordlist I tried to crack the hash.
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-30-1024x197.png)
user: support
password: 00^BlackKnight
With these credentials I tried to access the restricted shares using smbclient, but that did not work. Later I tried access using rpcclient.
The rpcclient utility was initially developed to test MS-RPC functionality in Samba itself. We can use rpcclient to open an authenticated SMB session to a target machine.
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-31.png)
I was also able to list about 35 privileges using rpcclient, but I could not find a way to exploit them.
Later I tried to change the passwords of svc_backup and audit2020. The link below explains how to reset a password:
https://malicious.link/post/2017/reset-ad-user-password-with-linux/
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-33-1024x114.png)
It looks like I was able to set the password of audit2020 to Derick123.
I tried the same credentials to access the shares through smbclient and I was able to see the forensic share contents.
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-34.png)
Inside the memory_analysis directory I saw several zip files.
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-35.png)
When I saw lsass I recalled a blog post that explained the purpose of lsass. It lives in system32, and a dump of it can help in obtaining user hashes using mimikatz.
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-36.png)
So I downloaded lsass.zip.
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-37.png)
On my Windows machine I downloaded mimikatz along with this lsass.zip file and fed lsass.DMP to mimikatz.
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-38.png)
I was able to find the NTLM hash for svc_backup from this.
I tried the evil-winrm tool to access the machine with the username svc_backup and the hash value 9658d1d1dcd9250115e2205d9f48400d.
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-39.png)
We got the user!!!
So the next step is to get root. I started by listing the privileges and groups of svc_backup with the whoami /all command.
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-40.png)
Among these, SeBackupPrivilege and SeRestorePrivilege seemed to give me a potential path to root.
For this I tried downloading NTDS.DIT, but failed.
The Ntds.dit file may contain the password hashes for all users in the domain.
I uploaded disk_shadow.txt to the tmp folder on the machine using the svc_backup session.
The content of disk_shadow.txt was:
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-43.png)
Then I ran the command below:
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-41-1024x616.png)
Then I uploaded and imported the SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll modules so that I could copy and retrieve the ntds file:
https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-44.png)
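Two of the steps in this write-up leave clear traces in the Windows Security log: the password reset of audit2020 over rpcclient is recorded on the domain controller as event 4724, and exercising SeBackupPrivilege through diskshadow shows up as event 4673 (sensitive privilege use, when that audit category is on) and event 4688 (process creation). The Python script below is an added example, not code from the original post or from the SeBackupPrivilege project: it runs three rules over constructed events whose fields mirror those event IDs. The allowlists and the sample account and process names are assumptions for the example that a real environment would tune.

```python
"""Detection pass over constructed Windows Security events.

Added example, not from the original write-up. SAMPLE_EVENTS is made up to
resemble the EventData of three real event IDs: 4724 (an attempt was made to
reset an account's password), 4673 (a privileged service was called) and
4688 (a new process has been created). Every allowlist below is an assumption.
"""

# Accounts expected to reset other users' passwords (assumed for the example).
PASSWORD_RESET_ALLOWLIST = {"helpdesk01", "administrator"}
# Backup software expected to use SeBackupPrivilege (assumed path, lowercase).
BACKUP_PROCESS_ALLOWLIST = {r"c:\program files\backupagent\agent.exe"}
# Built-in tools that read locked files and volumes through backup semantics.
WATCHED_PROCESSES = {"diskshadow.exe"}

# Constructed events; names and paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 4724, "SubjectUserName": "helpdesk01", "TargetUserName": "jdoe"},
    {"EventID": 4724, "SubjectUserName": "support", "TargetUserName": "audit2020"},
    {"EventID": 4673, "SubjectUserName": "svc_backup",
     "PrivilegeList": "SeBackupPrivilege",
     "ProcessName": r"C:\Windows\System32\diskshadow.exe"},
    {"EventID": 4673, "SubjectUserName": "svc_agent",
     "PrivilegeList": "SeBackupPrivilege",
     "ProcessName": r"C:\Program Files\BackupAgent\agent.exe"},
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": "diskshadow.exe /s C:\\tmp\\disk_shadow.txt"},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]


def check_event(ev):
    """Return (rule_name, detail) when an event matches a rule, else None."""
    eid = ev.get("EventID")
    subject = ev.get("SubjectUserName", "").lower()
    if eid == 4724:
        # A reset of someone else's password by an account that is not
        # expected to do so (the rpcclient setuserinfo2 path above).
        target = ev.get("TargetUserName", "").lower()
        if subject not in PASSWORD_RESET_ALLOWLIST and target != subject:
            return ("unexpected_password_reset",
                    f"{subject} reset the password of {target}")
    elif eid == 4673 and "sebackupprivilege" in ev.get("PrivilegeList", "").lower():
        # SeBackupPrivilege exercised by something other than the backup agent.
        proc = ev.get("ProcessName", "").lower()
        if proc not in BACKUP_PROCESS_ALLOWLIST:
            return ("sebackupprivilege_outside_backup_software",
                    f"{subject} via {proc}")
    elif eid == 4688:
        # diskshadow launched interactively; its command line shows the script.
        proc = ev.get("NewProcessName", "").lower()
        if proc.rsplit("\\", 1)[-1] in WATCHED_PROCESSES:
            return ("backup_tool_launched",
                    f"{subject}: {ev.get('CommandLine', '')}")
    return None


def run_detections(events):
    """Apply check_event to every event and keep the hits, in log order."""
    return [hit for hit in (check_event(e) for e in events) if hit]


if __name__ == "__main__":
    for rule, detail in run_detections(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The 4724 rule is the one most worth keeping: the account that reset audit2020 here was support, a plain user that had just been compromised, and a reset of one user's password by another non-helpdesk user is rare enough in most domains to page on. The 4673 rule needs "Audit Sensitive Privilege Use" enabled on the host, and 4688 needs command-line logging turned on for the CommandLine field to be present.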
I downloaded both the ntds.dit and the system file that were generated to my local machine.
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-45.png)
Then using secretsdump.py from impacket I got the hash for administrator:
```bash
python3 secretsdump.py -ntds ntds.dit -system system -hashes lmhash:nthash LOCAL -output nt-hash
```
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-48.png)
With this hash we can log in as administrator using evil-winrm.
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-46.png)
We have rooted the machine.
Just let me know if you have any doubts.
If you found this write-up useful, you can respect me on HTB:
![](https://ehackify.com/blog/wp-content/uploads/2020/08/image-16.png)
https://www.hackthebox.eu/home/users/profile/240146
You can connect with me on:
LinkedIn: Derick N
Twitter: Derick N