Blackfield - Hack The Box
Enumeration
Nmap
The Nmap scan revealed open ports for SMB, LDAP, and Kerberos, which likely indicates that the target is a Domain Controller.
SMB
An anonymous (null) SMB session was permitted against the profiles$ share, and its contents revealed multiple usernames.
Kerbrute and AS-REP Roasting
Using the extracted usernames, I performed Kerberos user enumeration with Kerbrute. Only three users were valid, and one of them had Kerberos pre-authentication disabled, allowing me to perform an AS-REP Roasting attack and obtain that user's AS-REP hash.
I then used Hashcat to crack the AS-REP hash and successfully retrieved the user's plaintext password.
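From the defender's side, the two Kerberos steps above leave distinct traces on the domain controller: a burst of TGT requests for names that do not exist (user enumeration) and a successful TGT request with no pre-authentication that returns an RC4 ticket (AS-REP roasting). The following script is an added example, not code from the writeup; it audits a userAccountControl export for accounts that do not require pre-authentication and runs both detections over constructed sample records modelled on Windows Security event 4768, using simplified field names that you would map to your SIEM's schema.

```python
"""Audit and detection for the Kerberos enumeration / AS-REP roasting stage.

Added example, not part of the original writeup. All records are constructed.
"""
from collections import defaultdict

DONT_REQ_PREAUTH = 0x400000        # userAccountControl flag: pre-auth not required
ACCOUNTDISABLE = 0x2               # userAccountControl flag: account disabled
ETYPE_RC4_HMAC = 0x17              # ticket encryption type requested by roasting tools
STATUS_PRINCIPAL_UNKNOWN = 0x6     # KDC_ERR_C_PRINCIPAL_UNKNOWN: no such user

# Constructed sample: sAMAccountName -> userAccountControl, as an LDAP audit
# of the domain would return them.
SAMPLE_ACCOUNTS = {
    "alice": 0x200,
    "svc_backup": 0x200 | DONT_REQ_PREAUTH,
    "bob": 0x200 | ACCOUNTDISABLE,
    "svc_legacy": 0x200 | ACCOUNTDISABLE | DONT_REQ_PREAUTH,
}

# Constructed sample of event 4768 records: one normal logon, one successful
# no-pre-auth request for an RC4 ticket, then a burst of unknown-user failures
# from the same source.
SAMPLE_4768 = [
    {"TargetUserName": "alice", "IpAddress": "10.0.0.21",
     "PreAuthType": 2, "TicketEncryptionType": 0x12, "Status": 0x0},
    {"TargetUserName": "svc_backup", "IpAddress": "10.0.0.99",
     "PreAuthType": 0, "TicketEncryptionType": ETYPE_RC4_HMAC, "Status": 0x0},
] + [
    {"TargetUserName": name, "IpAddress": "10.0.0.99",
     "PreAuthType": 0, "TicketEncryptionType": ETYPE_RC4_HMAC,
     "Status": STATUS_PRINCIPAL_UNKNOWN}
    for name in ("jsmith", "admin2", "backupadmin", "helpdesk", "printer")
]


def accounts_without_preauth(accounts, include_disabled=False):
    """Audit: enabled accounts the KDC will hand an AS-REP to without pre-auth.

    Disabled accounts are skipped by default; pass include_disabled=True to
    list them too, since re-enabling one silently re-exposes it.
    """
    hits = []
    for name, uac in accounts.items():
        if not uac & DONT_REQ_PREAUTH:
            continue
        if (uac & ACCOUNTDISABLE) and not include_disabled:
            continue
        hits.append(name)
    return sorted(hits)


def asrep_roast_events(events):
    """Detection: successful TGT requests with pre-auth type 0 and an RC4 ticket."""
    return [
        (e["TargetUserName"], e["IpAddress"])
        for e in events
        if e["Status"] == 0x0
        and e["PreAuthType"] == 0
        and e["TicketEncryptionType"] == ETYPE_RC4_HMAC
    ]


def user_enumeration_sources(events, threshold=5):
    """Detection: source IPs that asked for >= threshold distinct unknown principals."""
    unknown = defaultdict(set)
    for e in events:
        if e["Status"] == STATUS_PRINCIPAL_UNKNOWN:
            unknown[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: len(names) for ip, names in unknown.items() if len(names) >= threshold}


if __name__ == "__main__":
    print("exposed accounts:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    print("roasting events:", asrep_roast_events(SAMPLE_4768))
    print("enumeration sources:", user_enumeration_sources(SAMPLE_4768))
```

The audit is the cheap fix: every name it returns should either have pre-authentication re-enabled or hold a long random password, because the AS-REP hash of an RC4 ticket is exactly what the Hashcat step above cracks. The RC4 condition in the detection matters in practice: a client that legitimately has pre-auth disabled would normally negotiate AES, so a type-0 request that specifically yields etype 0x17 is the roasting signature rather than ordinary noise.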
Exploitation
ForceChangePassword
Using the obtained credentials, I collected Active Directory data with BloodHound-python, since the account did not grant a remote shell on the target. Analysis in BloodHound revealed that the user had the ForceChangePassword permission over the audit2020 account, which allowed me to reset its password without knowing the original one.
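ForceChangePassword is an access control entry on the target user object, so it can be found before an attacker does and, when it is exercised, it produces a password reset event on the domain controller. The script below is an added example, not code from the writeup. It takes a constructed ACE export (trustee, target, access mask, object-type GUID) and lists who holds the right on an account beyond an assumed allow-list, then runs the same allow-list over constructed records modelled on Security event 4724 (an attempt was made to reset an account's password), with simplified field names. The GUIDs and mask constants are the real Active Directory values; the account names are made up.

```python
"""Audit and detection for the ForceChangePassword step.

Added example, not part of the original writeup. Inputs are constructed.
"""
# Extended-right GUIDs from the AD schema.
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"        # User-Change-Password (needs old password)
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # access-mask bit covering extended rights
GENERIC_ALL = 0xF01FF

# Constructed ACE export for the audit2020 user object.
SAMPLE_ACES = [
    {"trustee": "DOMAIN\\support", "target": "audit2020",
     "mask": ADS_RIGHT_DS_CONTROL_ACCESS, "object_type": FORCE_CHANGE_PASSWORD},
    {"trustee": "DOMAIN\\Domain Admins", "target": "audit2020",
     "mask": GENERIC_ALL, "object_type": ""},
    {"trustee": "DOMAIN\\svc_web", "target": "audit2020",
     "mask": ADS_RIGHT_DS_CONTROL_ACCESS, "object_type": CHANGE_PASSWORD},
    {"trustee": "DOMAIN\\svc_web", "target": "audit2020",
     "mask": ADS_RIGHT_DS_CONTROL_ACCESS, "object_type": ""},  # all extended rights
]

# Principals that are expected to be able to reset passwords (assumed allow-list).
EXPECTED_RESETTERS = {"DOMAIN\\Domain Admins", "DOMAIN\\helpdesk1"}

# Constructed records modelled on Security event 4724.
SAMPLE_4724 = [
    {"SubjectUserName": "helpdesk1", "SubjectDomainName": "DOMAIN", "TargetUserName": "jdoe"},
    {"SubjectUserName": "support", "SubjectDomainName": "DOMAIN", "TargetUserName": "audit2020"},
]


def grants_force_change_password(ace):
    """True if this ACE lets the trustee reset the target's password.

    GenericAll implies every right; otherwise the control-access bit must be
    set and the object type must be the specific GUID or empty (all extended
    rights). User-Change-Password is not enough: it still requires the old one.
    """
    if ace["mask"] & GENERIC_ALL == GENERIC_ALL:
        return True
    if ace["mask"] & ADS_RIGHT_DS_CONTROL_ACCESS:
        return ace["object_type"] in ("", FORCE_CHANGE_PASSWORD)
    return False


def unexpected_force_change_grants(aces, expected):
    """Audit: (trustee, target) pairs holding the right outside the allow-list."""
    hits = {
        (a["trustee"], a["target"])
        for a in aces
        if grants_force_change_password(a) and a["trustee"] not in expected
    }
    return sorted(hits)


def unexpected_password_resets(events, expected):
    """Detection: 4724 resets performed by a subject outside the allow-list."""
    hits = []
    for e in events:
        subject = f"{e['SubjectDomainName']}\\{e['SubjectUserName']}"
        if subject not in expected:
            hits.append((subject, e["TargetUserName"]))
    return hits


if __name__ == "__main__":
    print("unexpected grants:", unexpected_force_change_grants(SAMPLE_ACES, EXPECTED_RESETTERS))
    print("unexpected resets:", unexpected_password_resets(SAMPLE_4724, EXPECTED_RESETTERS))
```

The audit catches the two ways the right usually hides: the explicit User-Force-Change-Password GUID and a blanket control-access ACE with an empty object type, which BloodHound also reports as ForceChangePassword. Note that 4724 records a reset by a third party; a user changing their own password with the old one in hand is 4723, so the two should not be collapsed into one alert.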
SMB Again
The audit2020 user had access to another share containing an lsass.dmp file. I downloaded the dump and extracted from it the NTLM hash of a user who held PSRemoting privileges.
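A process memory dump left on a file share is a data-hygiene failure that can be found with a scan of share contents. The script below is an added example, not code from the writeup: it walks a directory tree (point it at a mounted share) and flags files by credential-bearing names such as lsass.dmp or the registry hive names, and independently by the MDMP magic bytes that start every Windows minidump, so a dump that has been renamed is still caught. The sample tree it builds is constructed for the demonstration.

```python
"""Share hygiene scan for credential-bearing files such as LSASS dumps.

Added example, not part of the original writeup. The sample tree is constructed.
"""
import os
import tempfile

MINIDUMP_MAGIC = b"MDMP"   # first four bytes of every Windows minidump file
# Exact file names that should never sit on a general-purpose share
# (hive names are matched without extension, as the files are written).
SUSPECT_NAMES = {"lsass.dmp", "ntds.dit", "sam", "system", "security"}
SUSPECT_SUFFIXES = (".dmp",)


def classify(path):
    """Return a reason string if the file looks like credential material, else None."""
    name = os.path.basename(path).lower()
    if name in SUSPECT_NAMES:
        return f"known credential file name: {name}"
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(MINIDUMP_MAGIC))
    except OSError:
        return None  # unreadable files are skipped, not reported
    if head == MINIDUMP_MAGIC:
        return "minidump header (possible process memory dump)"
    if name.endswith(SUSPECT_SUFFIXES):
        return "dump file extension"
    return None


def scan_share(root):
    """Walk root and return sorted (relative path, reason) pairs for flagged files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            reason = classify(full)
            if reason:
                hits.append((os.path.relpath(full, root), reason))
    return sorted(hits)


def build_sample_tree():
    """Constructed share contents: an obvious dump, a renamed dump, benign files."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "forensics"))
    with open(os.path.join(root, "forensics", "lsass.dmp"), "wb") as fh:
        fh.write(MINIDUMP_MAGIC + b"\x00" * 16)
    with open(os.path.join(root, "forensics", "notes.bin"), "wb") as fh:
        fh.write(MINIDUMP_MAGIC + b"\x00" * 16)   # a renamed minidump
    with open(os.path.join(root, "report.txt"), "w") as fh:
        fh.write("quarterly audit notes\n")
    return root


def scan_sample():
    """Run the scan over the constructed tree, returning paths with forward slashes."""
    return [(p.replace(os.sep, "/"), r) for p, r in scan_share(build_sample_tree())]


if __name__ == "__main__":
    for path, reason in scan_sample():
        print(f"{path}: {reason}")
```

The magic-byte check is what gives the scan its value: an attacker, or a careless administrator, can rename lsass.dmp to anything, but the minidump header stays. Matching the bare hive names will produce some false positives on a busy share, which is the right trade-off for files that hold domain credentials.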
Got The User
Using the extracted hash, I established a WinRM session and obtained the user flag.
Privilege Escalation
First Way
The compromised user held the SeBackupPrivilege right, so I followed the technique outlined in the k4sth4/SeBackupPrivilege repository to dump the ntds.dit and SYSTEM hive files.
I then used secretsdump.py to extract NTLM hashes from the dumped ntds.dit and SYSTEM files.
Second Way
As an alternative method, I applied the same SeBackupPrivilege technique to obtain the SECURITY, SYSTEM, and SAM hive files, and used secretsdump.py again to extract local account hashes.
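Both privilege escalation routes rest on one fact: an interactive logon that carries SeBackupPrivilege can read ntds.dit and the registry hives regardless of their ACLs. Windows records the privileges granted to a logon in Security event 4672 (special privileges assigned to new logon), so a logon to a domain controller holding SeBackupPrivilege from any account outside the set that is expected to hold it is the alert for both the first and the second way. The script below is an added example, not code from the writeup; the records are constructed samples with simplified field names, and the allow-list and domain controller names are assumptions.

```python
"""Detection for SeBackupPrivilege logons on domain controllers.

Added example, not part of the original writeup. Records are constructed.
"""
# Privileges that let a logon read ntds.dit and the SAM/SECURITY/SYSTEM hives
# (or otherwise bypass file and process ACLs).
SENSITIVE_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege", "SeDebugPrivilege"}

# Accounts expected to log on to a DC with backup rights (assumed allow-list).
EXPECTED_HOLDERS = {"DOMAIN\\backupsvc"}
DOMAIN_CONTROLLERS = {"DC01"}

# Constructed records modelled on Security event 4672. In the real event the
# PrivilegeList field is newline separated; whitespace splitting handles both.
SAMPLE_4672 = [
    {"SubjectUserName": "backupsvc", "SubjectDomainName": "DOMAIN", "Computer": "DC01",
     "PrivilegeList": "SeBackupPrivilege\nSeRestorePrivilege"},
    {"SubjectUserName": "svc_web", "SubjectDomainName": "DOMAIN", "Computer": "DC01",
     "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege SeChangeNotifyPrivilege"},
    {"SubjectUserName": "jdoe", "SubjectDomainName": "DOMAIN", "Computer": "DC01",
     "PrivilegeList": "SeChangeNotifyPrivilege"},
    {"SubjectUserName": "jdoe", "SubjectDomainName": "DOMAIN", "Computer": "WS07",
     "PrivilegeList": "SeBackupPrivilege"},
]

# Constructed group membership export for the hardening check.
SAMPLE_GROUPS = {
    "Backup Operators": ["DOMAIN\\backupsvc", "DOMAIN\\svc_web"],
    "Server Operators": [],
}


def sensitive_privilege_logons(events, expected, hosts=None):
    """Detection: logons granted a sensitive privilege by a non-allow-listed account.

    hosts restricts the check to the named computers (the DCs); None means all.
    Returns (account, computer, sorted sensitive privileges) in event order.
    """
    hits = []
    for e in events:
        if hosts is not None and e["Computer"] not in hosts:
            continue
        account = f"{e['SubjectDomainName']}\\{e['SubjectUserName']}"
        if account in expected:
            continue
        privs = sorted(set(e["PrivilegeList"].split()) & SENSITIVE_PRIVS)
        if privs:
            hits.append((account, e["Computer"], privs))
    return hits


def unexpected_backup_group_members(groups, expected):
    """Hardening check: members of the groups that confer SeBackupPrivilege on a DC."""
    granting = ("Backup Operators", "Server Operators")
    return sorted(
        (group, member)
        for group in granting
        for member in groups.get(group, [])
        if member not in expected
    )


if __name__ == "__main__":
    print("DC logons:", sensitive_privilege_logons(SAMPLE_4672, EXPECTED_HOLDERS, DOMAIN_CONTROLLERS))
    print("all hosts:", sensitive_privilege_logons(SAMPLE_4672, EXPECTED_HOLDERS))
    print("group members:", unexpected_backup_group_members(SAMPLE_GROUPS, EXPECTED_HOLDERS))
```

Scoping the logon check to domain controllers keeps the alert volume low while still covering the exact condition both escalation paths need, since the hashes in ntds.dit are only reachable there; the all-hosts variant is useful for workstation triage. The group check closes the gap upstream: SeBackupPrivilege on a DC normally arrives through Backup Operators or Server Operators membership, so any member outside the allow-list is a finding before a logon ever happens.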
Pwned
At this point, the machine was fully compromised.