🔴 Blackfield

Enumeration

IP

We have a Windows DC with domain BLACKFIELD.local

Enumerating SMB we find two custom shares

We don't have permission to read the forensics share

In the profiles$ share there are a lot of users

We can copy all the users and make a list

3 users are correct, and the support account is AS-REP roastable

The TGT that kerbrute gives is not suitable for hashcat, so we need to use GetNPUsers

And we got a password
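On the DC, the username list check and the AS-REP request for support show up as Security event 4768 records. The following is an added example, not part of the original writeup, that flags both patterns. The events are constructed, and the threshold, the addresses and every user name except support and audit2020 are assumptions.

```python
from collections import defaultdict

ENUM_THRESHOLD = 3  # assumed tuning value: distinct unknown names per source


def ev(user, status, preauth, etype, ip):
    """Build one constructed 4768 record using the event's real field names."""
    return {"EventID": 4768, "TargetUserName": user, "Status": status,
            "PreAuthType": preauth, "TicketEncryptionType": etype,
            "IpAddress": ip}


# Constructed sample data: values are made up for this example.
SAMPLE_EVENTS = [
    ev("jsmith", "0x6", "-", "0xffffffff", "::ffff:10.0.0.50"),
    ev("mbrown", "0x6", "-", "0xffffffff", "::ffff:10.0.0.50"),
    ev("tlee", "0x6", "-", "0xffffffff", "::ffff:10.0.0.50"),
    ev("akhan", "0x6", "-", "0xffffffff", "::ffff:10.0.0.7"),  # one typo
    ev("audit2020", "0x0", "2", "0x12", "::ffff:10.0.0.21"),   # normal logon
    ev("support", "0x0", "0", "0x17", "::ffff:10.0.0.50"),     # no pre-auth
]


def detect(events, enum_threshold=ENUM_THRESHOLD):
    """Return (enumeration_sources, no_preauth_requests) from 4768 records."""
    unknown = defaultdict(set)   # source IP -> names the KDC did not know
    no_preauth = []              # TGTs issued without pre-authentication
    for e in events:
        if e.get("EventID") != 4768:
            continue
        user = e.get("TargetUserName", "")
        src = e.get("IpAddress", "").replace("::ffff:", "")
        status = e.get("Status", "").lower()
        if status == "0x6":  # KDC_ERR_C_PRINCIPAL_UNKNOWN
            unknown[src].add(user.lower())
        elif status == "0x0" and e.get("PreAuthType") == "0":
            # Pre-auth type 0 means the account has pre-authentication
            # disabled; RC4 (0x17) replies are the cheapest to crack offline.
            rc4 = e.get("TicketEncryptionType", "").lower() == "0x17"
            no_preauth.append({"user": user, "source": src, "rc4": rc4})
    enum_sources = {s: sorted(u) for s, u in unknown.items()
                    if len(u) >= enum_threshold}
    return enum_sources, no_preauth


if __name__ == "__main__":
    sources, requests = detect(SAMPLE_EVENTS)
    print("possible user enumeration:", sources)
    print("TGTs issued without pre-auth:", requests)
```

Any account that appears in the second list should either have Kerberos pre-authentication re-enabled or carry a long random password.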

Lateral movement

With BloodHound we find a svc_backup account that is a Backup Operator

And the support account can force a password change on audit2020

Now we can read the forensic share

Privilege escalation

We find an LSASS dump inside the share

The hashes of the DC machine account and Administrator do not work, but the svc_backup one is correct

Now with these privileges we can copy the SYSTEM, SECURITY and SAM hives from the DC

Now we can parse the hives and DCSync the DC using the machine account hash
