Blackfield – HTB

Blackfield is a hard-difficulty Windows machine where attackers exploit Windows and Active Directory misconfigurations. Through anonymous SMB access, attackers enumerate users, identify those vulnerable to AS-REP Roasting, and gain further access to sensitive data. The attack chain involves stealing password hashes and abusing user permissions, culminating in full control of the domain through various techniques. Affected: Windows machines, Active Directory networks.

Key points:

  • Initial enumeration reveals an SMB share with anonymous access.
  • Identified a user with Kerberos pre-authentication disabled, allowing AS-REP Roasting.
  • Retrieved hash from the AS-REP response and recovered the plaintext password.
  • Gained access to another SMB share containing forensic artifacts.
  • Dumped Active Directory database and extracted domain administrator hash.
  • Used tools including Kerbrute and BloodHound for user enumeration and privilege-escalation path discovery.
  • Used techniques like DCSync and AS-REP Roasting to compromise domain security mechanisms.
  • Identified vulnerabilities in the system using Windows Exploit Suggester.
  • Accessed and analyzed critical files such as LSASS dump, NTDS.dit, and systeminfo.txt.
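The two Kerberos steps in the list above (user enumeration with Kerbrute, then AS-REP Roasting of an account with pre-authentication disabled) leave a recognisable footprint in the domain controller's Security log, and a defender can hunt for both with the same data. The following is an added example written for this summary, not code from the original write-up: it parses constructed, flattened Event ID 4768 (TGT requested) records and flags successful TGT issuance with PreAuthType 0 and an RC4 ticket (0x17), which is the classic AS-REP roast signature, plus source addresses that generate repeated 0x6 (client principal unknown) failures, which is what a username sweep looks like. The usernames, the attacker address 10.10.14.5 and the threshold are assumptions for the sample.

```python
"""Hunt for AS-REP Roasting and Kerberos user enumeration in 4768 events.

Detection logic (defender side):
  * AS-REP roast: a 4768 with Status 0x0, PreAuthType 0 (no pre-auth) and
    TicketEncryptionType 0x17 (RC4). Modern clients negotiate AES (0x12/0x11),
    so an RC4 AS-REP handed out without pre-authentication is the ticket an
    attacker takes offline to crack.
  * User enumeration: many 4768 failures with Status 0x6
    (KDC_ERR_C_PRINCIPAL_UNKNOWN) from one source address, the pattern a
    Kerbrute-style username sweep produces.
Mitigation is to re-enable "Require Kerberos preauthentication" on the
account and to disable RC4 so that any remaining AS-REP is AES-encrypted.
"""
from collections import Counter

# Constructed sample (not real log output from the machine). Each line is one
# Security event flattened to key=value pairs using the 4768/4769 field names.
# svc_legacy and the 10.10.14.5 source address are invented for this example.
SAMPLE_LOG = """\
EventID=4768 TargetUserName=alice TargetDomainName=BLACKFIELD.LOCAL PreAuthType=2 TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.129.229.20
EventID=4768 TargetUserName=nosuchuser1 TargetDomainName=BLACKFIELD.LOCAL PreAuthType=0 TicketEncryptionType=0xffffffff Status=0x6 IpAddress=::ffff:10.10.14.5
EventID=4768 TargetUserName=nosuchuser2 TargetDomainName=BLACKFIELD.LOCAL PreAuthType=0 TicketEncryptionType=0xffffffff Status=0x6 IpAddress=::ffff:10.10.14.5
EventID=4768 TargetUserName=nosuchuser3 TargetDomainName=BLACKFIELD.LOCAL PreAuthType=0 TicketEncryptionType=0xffffffff Status=0x6 IpAddress=::ffff:10.10.14.5
EventID=4768 TargetUserName=svc_legacy TargetDomainName=BLACKFIELD.LOCAL PreAuthType=0 TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.10.14.5
EventID=4769 TargetUserName=svc_legacy TargetDomainName=BLACKFIELD.LOCAL TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.10.14.5
"""


def parse_events(text):
    """Turn flattened key=value log lines into a list of dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        events.append(fields)
    return events


def asrep_roast_candidates(events):
    """Return (user, source) pairs for successful RC4 AS-REPs issued without pre-auth."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "4768":
            continue
        if (ev.get("Status") == "0x0"
                and ev.get("PreAuthType") == "0"
                and ev.get("TicketEncryptionType") == "0x17"):
            hits.append((ev["TargetUserName"], ev.get("IpAddress", "?")))
    return hits


def kerberos_enum_sources(events, threshold=3):
    """Return {source: failure_count} for sources with >= threshold unknown-principal failures."""
    failures = Counter(
        ev.get("IpAddress", "?")
        for ev in events
        if ev.get("EventID") == "4768" and ev.get("Status") == "0x6"
    )
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, src in asrep_roast_candidates(evs):
        print(f"AS-REP roast candidate: {user} requested from {src}")
    for src, n in kerberos_enum_sources(evs).items():
        print(f"possible username sweep: {n} unknown-principal failures from {src}")
```

On a real domain controller the same fields come from the Security log (Get-WinEvent or a SIEM export); the thresholds and the RC4 check should be tuned to what the environment legitimately uses, since a single old appliance that still requests RC4 will otherwise drown the signal.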

MITRE Techniques:

  • Account Discovery (T1087): Used tools like BloodHound to enumerate accounts and permissions.
  • Kerberoasting (T1098): Extracted service ticket hashes for users with SPNs.
  • AS-REP Roasting (T1208): Identified vulnerable accounts and extracted AS-REP hashes.
  • Credential Dumping (T1003): Retrieved NTLM hashes from the LSASS process dump and NTDS.dit.
  • Permission Groups Discovery (T1069): Explored group memberships and permissions using LDAP queries.
  • Remote File Copy (T1105): Used tools like Robocopy to copy sensitive files across the network.
  • Service Account Discovery (T1087.002): Enumerated service accounts with specific roles in Active Directory.
  • Exploitation for Credential Access (T1212): Used extracted hashes for Pass-the-Hash attacks.
  • Data Encrypted (T1022): Analyzed encrypted files to identify security gaps.

Indicators of Compromise:

  • [Domain] blackfield.local
  • [IP Address] 10.129.229.17
  • [Kerberos Hash] [email protected]: (hash value not preserved on this page)
  • [NT Hash] 7f1e4ff8c6a8e6b6fcae2d9c0572cd62 (Administrator)
  • [NT Hash] 9658d1d1dcd9250115e2205d9f48400d (svc_backup)

Full Story: https://medium.com/@eggsec6/blackfield-htb-2ce77152f1a2