Hack the Box – Hard Boxes
It should be noted that no passwords will be included within this guide. If you are going to follow along you will need to do the work as well.
Blackfield is a hard Windows-based box from Hack the Box and follows a real-world example of how a domain controller might be set up. The trick to doing this box properly is doing proper enumeration and using the correct tools for the job. In this post, I am going to go over every tool and highlight some of the pitfalls I experienced along the way.
As with every box, I began by running an AutoRecon scan; as this is a Windows box the scan takes much longer and provides a lot more information to work through:
After the scan completed I was able to find two key items: within profiles$ share is available giving a list of users. Under LDAP I am able to see BLACKFIELD.local:[email protected]. I would recommend, if you are able to do research outside of your attack box, pointing your DNS entries to the Blackfield IP, as it might help with name resolution.
I took the list of user profiles and cleaned it up to give me a solid list of users, which I saved as users. The majority of the users were created within minutes of each other, so a find/replace on the file was easy.
Using the newly created users file I began running GetNPUsers.py. A great article is available for all things Kerberos related here.
Two users came back, which I noted down.
One of the two users found provided me with a TGT hash, which I proceeded to crack with john. The one thing to note is that using the outfile in the command above was important, as copying the hash directly from my command prompt caused john to fail. This caused a lot of headaches. If a program has an output option, it is best to use it whenever possible.
The user with the TGT hash cracked
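As a defender-side counterpart to the GetNPUsers.py step above: an added example (not from the original post) that flags AS-REP roasting in Windows Security Event 4768 records, which record PreAuthType 0 and RC4 encryption (0x17) when a TGT is issued to an account that does not require Kerberos pre-authentication. The event lines, account names and IP addresses are constructed samples.

```python
"""Detect AS-REP roasting from Windows Security Event 4768 (TGT requested).

A successful 4768 with PreAuthType=0 (no pre-authentication) and
TicketEncryptionType=0x17 (RC4-HMAC) is the footprint that tools such as
GetNPUsers.py leave on a domain controller. Several such events for
different accounts from one source IP in a short window is the classic
pattern. All records below are constructed samples, not real logs.
"""
from collections import defaultdict

# Constructed sample events, exported as key=value pairs the way a SIEM might emit them.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=svc-backup PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0",
    "EventID=4768 TargetUserName=support PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0",
    "EventID=4768 TargetUserName=jdoe PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.10.50 Status=0x0",
    "EventID=4769 TargetUserName=jdoe ServiceName=cifs/dc01 IpAddress=10.10.10.50 Status=0x0",
    # Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN): a guessed account that does not exist.
    "EventID=4768 TargetUserName=nobody PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x6",
]


def parse_event(line):
    """Turn one 'key=value key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_asrep_roast_candidate(ev):
    """True for a successful TGT issued without pre-auth using RC4."""
    return (
        ev.get("EventID") == "4768"
        and ev.get("PreAuthType") == "0"
        and ev.get("TicketEncryptionType") == "0x17"
        and ev.get("Status") == "0x0"
    )


def detect_asrep_roasting(lines, min_accounts=2):
    """Map source IP -> sorted accounts roasted from it, for IPs hitting min_accounts or more."""
    by_source = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_asrep_roast_candidate(ev):
            by_source[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(users) for ip, users in by_source.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    for ip, users in detect_asrep_roasting(SAMPLE_EVENTS).items():
        print(f"possible AS-REP roasting from {ip}: {', '.join(users)}")
```

The accompanying hardening check is to audit accounts with the DONT_REQ_PREAUTH flag set in userAccountControl and remove it wherever it is not strictly needed.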
Having the credentials for one of the users, I proceeded to look at my access to SMB shares using CrackMapExec, which returned STATUS_ACCESS_DENIED. I used RPCClient along with this guide to find out that my current user could change the password of the second user. I also found out a password policy was in place requiring a complex password.
RPCClient shows the password complexity policy.
After setting the password of the second user found earlier, I used CrackMapExec to view the shares I had access to. The second user has access to a share called forensic, allowing me to continue traversing.
Finding the forensic directory.
First I used smbclient to navigate the folders and look around. I saw an LSASS ZIP file and, as I did not have a Windows machine available, I used mount to mount the share, grab the file, and use mimikatz on my main machine to crack the passwords.
Running mimikatz on Windows.
After getting the needed information I went back onto my attacking box and used the hash found in Evil-WinRM to log in to the box.
Capping the user flag using Evil-WinRM.
Once the connection to the box was established I capped the user flag. I proceeded to enter the C:/Windows/Temp directory and create a folder to work from. I then uploaded WinPEAS.bat to run checks. One thing that stood out during the scan was SeBackupPrivilege, which I also saw during my initial
I tried using Seatbelt.exe and other compiled exes utilizing the -e flag, but was unable to get them to run successfully.
Noticing the SeBackupPrivilege.
I have seen the SeBackupPrivilege escalation method before. I would recommend viewing the GitHub repo below for more information.
I then followed this guide here, which I had saved previously. As I was in Evil-WinRM, I used the /s flag to load the commands via
After that, I sat back and waited for the downloads to complete. I then used secretsdump.py from Impacket to get the hash of the Administrator account.
Reading and decrypting the hashes from ntds.dit
I then used Evil-WinRM (the hero of today) to log into the Administrator account.
Rooted. That account should have really been dealt with earlier :(.
This was a really great box and I learned a lot. I would recommend checking out the IppSec video below. It is another box on Hack the Box called Forest, and he uses similar tools and the same mindset to root the box.