Blackfield is a hard Windows-based box from Hack the Box and follows a real-world example of how a domain controller might be setup. The trick to doing this box properly is to do proper enumeration and using the correct tools for the job. In this post, I am going to go over every tool and highlight some of the pitfalls I experienced along the way.

With every scan I began by running an AutoRecon scan; as this is a Windows box the scan will take much longer and provide a lot more information for consumption:

After the scan completed I was able to find two key items: within smbmap-list-contents a profiles$ share is available giving a list of users. Under the LDAP I am able to see BLACKFIELD.local:[email protected]. I would recommend if you are able to do research outside of your attack box to point your DNS entries to the Blackfield IP as it might help with DNS.

I took the list of user-profiles and cleaned it up to give me a solid list of users which I saved as users. The majority of the users were created within minutes apart so find/replacing the file was easy.

Using the newly created users file I began running GetNPUsers.py. A great article is available for all things Kerberos related here.

Two users came back which I noted down.

One of the two users found provided me with a TGT which I proceeded to crack with john. The one thing to note is doing the outfile in the command above was important as copying the hash directly from my command prompt caused john to fail. This caused a lot of headaches. If a program has an output command it is best to use it whenever possible.

The user with the TGT hash cracked

Having the credentials for one of the users I proceeded to look at my access to SMB shares using CrackMapExec in which I got STATUS_ACCESS_DENIED. I used RPCClient along with this guide to find out that my current user could change the password of the second user. I also found out a password policy was in place requiring a complex password.

RPCClient shows password complex policy.

After setting the second users password found earlier I used CrackMapExec to view shares I had access too. The second user has access to a share called forensic allowing me to continue traverse.

Finding the forensic directory.

First I used smbclient to navigate the folders to look around. I saw a LSASS ZIP file and do not have a Windows machine available so I used mount to mount the share to grab the file and use mimikatz on my main machine to crack the passwords.

Running mimikatz on Windows.

After getting the needed information I went back onto my attacking box and used the hash found in Evil-WinRM to login to the box.

Capping the user flag using Evil-WinRM.

Once the connection to the box was established I capped the user flag. I proceeded to enter the C:/Windows/Temp directory and create a folder to work from. I then uploaded WinPEAS.bat to run checks. One thing that stood out during the scan was SeBackupPrivilege which I also saw during my initial whoami /priv.

Noticing the SeBackupPrivilege.

I have seen the SeBackupPrivilege escalation method before. I would recommend viewing the Github repo below for more information.

I then followed this guide here which I had saved previously. As I was in Powershell within Evil-WinRM I use the /s flag to load the commands via privesc.txt.

After that, I sat back and waited for the downloads to complete. I then used secretsdump.py by Impacket to get the hash of the Administrator account.

Reading and decrypting the hashes from ntds.dit

I then used Evil-WinRM (the hero of today) to log into the Administrator account.

Rooted. That account should have really been dealt with earlier :(.

This was a really great box and I learned a lot. I would recommend checking out the IPPSec video below. It is another box on Hack the Box called Forrest and he uses similar tools/mindset to root the box.