Blackfield is a Windows Active Directory machine rated as hard by Hack The Box. The box contains several interesting vulnerabilities and security misconfigurations. As usual, we began enumeration with a basic nmap scan and noticed that SMB null sessions were enabled. We then discovered an account with Kerberos pre-authentication disabled, performed AS-REP Roasting, and cracked the obtained hash. With the recovered password, we were able to enumerate the users in the AD using rpcclient.
Moving laterally, we used BloodHound and noticed that one user could change another user's password, which can be done with rpcclient. After changing that user's password, we accessed a shared folder where we found an interesting file: a memory dump. Using mimikatz, we extracted the NTLM hash of the backup user from the dumped lsass memory. While enumerating further for a privilege escalation vector, we discovered that the current user belonged to the Backup Operators group and had the SeBackupPrivilege enabled. With that privilege, we were able to copy the ntds.dit file and the SYSTEM hive.
Lastly, we used Impacket's secretsdump to extract the administrator hash from ntds.dit with the help of the SYSTEM hive. After obtaining the administrator hash, we logged in as administrator and collected the root flag. So, without spoiling it further, let's exploit it step by step.
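The AS-REP Roasting step above works only because an account has the "Do not require Kerberos preauthentication" flag set in its `userAccountControl` attribute. The following is an added audit example, not code from the writeup or from Hack The Box: it decodes `userAccountControl` bit flags and lists the enabled accounts a defender should fix by re-enabling pre-authentication. The flag constants are the documented Microsoft values; the `AdUser` class and the sample user records are constructed for the example.

```python
# Added example (not part of the original writeup): audit userAccountControl
# values and report enabled accounts that do not require Kerberos
# pre-authentication, the condition that makes an account AS-REP roastable.

from dataclasses import dataclass

# Documented userAccountControl bit flags (subset relevant to this audit).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}


@dataclass
class AdUser:
    """Minimal stand-in for an LDAP user record (constructed for the example)."""
    sam_account_name: str
    user_account_control: int


def decode_uac(uac: int) -> list[str]:
    """Return the names of the known flags set in a userAccountControl value,
    ordered by ascending bit value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if uac & bit]


def find_asrep_roastable(users: list[AdUser]) -> list[str]:
    """Return sAMAccountNames of enabled accounts with pre-authentication
    disabled. Disabled accounts are excluded: the KDC rejects them anyway,
    but they should still be cleaned up as hygiene."""
    return [
        u.sam_account_name
        for u in users
        if u.user_account_control & DONT_REQ_PREAUTH
        and not u.user_account_control & ACCOUNTDISABLE
    ]


# Constructed sample data, not the Blackfield domain's real accounts.
SAMPLE_USERS = [
    # normal account, password never expires, pre-auth NOT required -> finding
    AdUser("svc_legacy", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH),
    # normal account with pre-auth required -> fine
    AdUser("jdoe", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),
    # pre-auth not required, but the account is disabled -> not reported
    AdUser("old_svc", NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE),
]


if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(f"{user.sam_account_name}: {', '.join(decode_uac(user.user_account_control))}")
    print("AS-REP roastable (enabled, no pre-auth):", find_asrep_roastable(SAMPLE_USERS))
```

In a real domain the `userAccountControl` integers would come from an LDAP query (or from `Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}` on a domain-joined host); the remediation for each reported account is to clear the flag and, if the account was exposed, rotate its password.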