Official Blackfield Discussion

Big ups to @TazWake on the assist! Finally got user after getting my ■■■ kicked by the initial foothold. Root shouldn’t be too hard.

Did you guys try downloading a file from the box? I tried getting a 17mb dump over SMB but it keeps failing. Any tips would be appreciated.

@Purp1eW0lf said:

This is one of the best HTB machines I have ever done. I’m really grateful to the box creator for the effort they clearly put in. I’d appreciate any feedback on my writeup for this box: GitHub - Purp1eW0lf/HackTheBoxWriteups: Writeups for the machines on ethical hacking site Hack the Box

I wanted to offer some hints that maybe haven’t been said on this forum yet, or need to be reiterated:

User 1 to user 2

  • There’s a username that stands out, and correlates with an SMB share description.
  • RPC is what you want, but the syntax needs a google.

User 2 to User 3

  • Need to take the Kat for a walk but you’re on Linux? There’s a specialised tool for this very purpose.
  • If you’ve done proper LDAP enum, and paid attention to a high port, you should know whose user creds you’re looking for.

User 3 to Root

  • I found that Tobor knew what they were talking about more. But Tobor can’t spell for ■■■■, so double check their spelling mistakes
  • For some reason, you’re going to need to add one space-bar space at the end of every line for that script. I have no clue why, but just go to the end of each line and hit space.

All the hints anyone should need are here.

Finally rooted the machine, the Box was pretty interesting and well made. Learned a lot from the machine.

Read @Purp1eW0lf’s hint, it has everything you need.
Thanks @zdko and @Purp1eW0lf for the nudges.

PM if you need help

@blacViking said:

Finally rooted the machine, the Box was pretty interesting and well made. Learned a lot from the machine.

Read @Purp1eW0lf’s hint, it has everything you need.
Thanks @zdko and @Purp1eW0lf for the nudges.

PM if you need help

You are welcome bro, always.

Thanks @zdko for the nudge, I have now finally owned the box by reading the n***.dit file. I’m now trying another RCE way. I got NT Authority\system now, but can’t read root.txt. I checked the permissions: system has full control of the file, and I even changed the ownership of the file to system, but I still can’t read the content of root.txt and got an “access denied” error message. Can anyone give me a nudge on how to proceed?

Finally changed the password of administrator and wmiexec in as administrator and was able to read root.txt. But it felt a bit cumbersome. Please tell me if anyone knows a better way. I still don’t understand what trick in Windows prevents the system account from reading root.txt even though it’s the owner of the file.

@jimmyzhang said:

Finally changed the password of administrator and wmiexec in as administrator and was able to read root.txt. But it felt a bit cumbersome. Please tell me if anyone knows a better way. I still don’t understand what trick in Windows prevents the system account from reading root.txt even though it’s the owner of the file.

You don’t need to change the password. You can extract what you need to access the system.

NTFS File Encryption is a good thing to look into. There is a note which hints at this.

@TazWake Many thanks, now I’m clear. Spoiler, do you know why?

@jimmyzhang said:

@TazWake Many thanks, now I’m clear. Spoiler, do you know why?

I think I might, but it’s a discussion that will either need to be in DM or after the box has retired.

Rooted!

Very interesting box, didn’t have the chance to play with these tokens before.

DM for nudges.

I’ve got a hash for what I believe is “User 1” and I’ve had the tool generate output files in formats for both common tools for dealing with hashes. Typically when I run these tools super obscure options aren’t necessary. Is anyone willing to point me in the direction of some better command-line options or lists? I’ve run through several lists with standard options and no joy. Most people don’t seem to be having huge issues here so I’m guessing that I just don’t have the right list.

@wilywizard said:

I’ve got a hash for what I believe is “User 1” and I’ve had the tool generate output files in formats for both common tools for dealing with hashes. Typically when I run these tools super obscure options aren’t necessary. Is anyone willing to point me in the direction of some better command-line options or lists? I’ve run through several lists with standard options and no joy. Most people don’t seem to be having huge issues here so I’m guessing that I just don’t have the right list.

So a lot of it depends on which is “User 1” to you - it could be one of 3 accounts as far as I can see.

The first is a crackable hash with the default settings.

@TazWake said:

@wilywizard said:

I’ve got a hash for what I believe is “User 1” and I’ve had the tool generate output files in formats for both common tools for dealing with hashes. Typically when I run these tools super obscure options aren’t necessary. Is anyone willing to point me in the direction of some better command-line options or lists? I’ve run through several lists with standard options and no joy. Most people don’t seem to be having huge issues here so I’m guessing that I just don’t have the right list.

So a lot of it depends on which is “User 1” to you - it could be one of 3 accounts as far as I can see.

The first is a crackable hash with the default settings.

Thanks, that helped me figure out the issue.

Apparently there are multiple variants of r***y**.txt out there and mine was incomplete.
If you’re not getting results using it then look for a different version.

One of the best HTB boxes. Totally real world like with tons to learn. Thanks @TazWake for the nudge and @aas for the box. Cheers

WTF is wrong with root.txt on this box??

EDIT: ok, 2 resets needed…

To whoever is trying to view the content of root.txt at the final step and getting an access denied error: if you are using an Impacket tool, then try another one.
I did and it worked!

I am enjoying this box. It feels real.

Got usernames, working on getting some hashes.

Edit:

Just got user. AD boxes are always very interesting.

Based on the name of the account I’m in, I have an idea of what my next move is.

I have 2 user accounts. I am working on my third account. I have a hash but I can’t crack it. Can someone send me a PM to discuss?

@marvin7408 said:
I have 2 user accounts. I am working on my third account. I have a hash but I can’t crack it. Can someone send me a PM to discuss?

There’s more to be done with hashes than just cracking them.