Official Blackfield Discussion

Can somebody explain why out of the three users in the database, only one gives us TGT keys?

Edit: I think I figured it out

Evil-WinRM PS C:\Users\Administrator\Desktop> whoami
blackfield\administrator

Whew right in time! Really glad I did this box before it retired, it was a great experience with kerb and AD.

@LMAY75 said:

> Evil-WinRM PS C:\Users\Administrator\Desktop> whoami
> blackfield\administrator
>
> Whew right in time! Really glad I did this box before it retired, it was a great experience with kerb and AD.

Nice work.

Interesting that it is retiring just after 117 days…
Cache is 145 days…

Confusing, would have thought cache would go first…

@acidbat said:

> Nice work.
>
> Interesting that it is retiring just after 117 days…
> Cache is 145 days…
>
> Confusing, would have thought cache would go first…

Me too, especially since I thought there was a medium Windows box all queued up on the Submissions page.

Seems odd they would get rid of a box with a near-perfect 5-star rating, but who knows lol

@LMAY75 said:

> Me too, especially since I thought there was a medium Windows box all queued up on the Submissions page.
>
> Seems odd they would get rid of a box with a near-perfect 5-star rating, but who knows lol

It's a mystery :neutral:

At least it's another Windows machine :slight_smile:

@acidbat said:

> It's a mystery :neutral:
>
> At least it's another Windows machine :slight_smile:

It does seem a bit of an odd approach, and there isn’t the level of consistency there used to be, where the oldest one or two were always the ones replaced.

I used to think it was the box with the largest number of root/user owns, but that isn’t true either.

Interestingly:
The last 5 releases have been: 1 x insane, 2 x hard, 1 x medium, 1 x easy. For people who aren’t yet ready to jump to the hard ones, there aren’t many new boxes at the moment (and we could argue all day about how hard the medium/easy ones really are).

tl;dr - this was a very fun box and a great one for people to learn some solid Windows techniques.

@TazWake said:

> Interestingly:
> The last 5 releases have been: 1 x insane, 2 x hard, 1 x medium, 1 x easy. For people who aren’t yet ready to jump to the hard ones, there aren’t many new boxes at the moment (and we could argue all day about how hard the medium/easy ones really are).

That is interesting - I found this Hard box easy-ish compared to other medium boxes, but it is all about skills and mindset I guess, so I agree with you on that (argue all day about how easy an easy machine is, etc.).

> tl;dr - this was a very fun box and a great one for people to learn some solid Windows techniques.

Agree on that mate, it was super fun :slight_smile:

@acidbat said:

> That is interesting - I found this Hard box easy-ish compared to other medium boxes, but it is all about skills and mindset I guess, so I agree with you on that (argue all day about how easy an easy machine is, etc.).
>
> Agree on that mate, it was super fun :slight_smile:

Well, the next one looks to be rated at the borderline-insane level, so we’ll see how that goes.

great box, learned some nice tricks

Out of curiosity did anyone try ZeroLogon on this box?

Saw IppSec make mention of it in his write up and was curious if anyone had tried it.

@LMAY75 said:

> Out of curiosity did anyone try ZeroLogon on this box?
>
> Saw IppSec make mention of it in his write up and was curious if anyone had tried it.

Not yet, but I am going down that path of Multimaster and this box now :slight_smile:

Hey guys, did anybody try creating a silver ticket with the DC01$ machine hash from the LSASS dump? Not even IppSec mentioned trying this; he completely ignored the machine hash, and I'm seeing 0 mention of it in all the writeups I'm seeing online.

@SW4gb3JkZXIgdG said:

> Hey guys, did anybody try creating a silver ticket with the DC01$ machine hash from the LSASS dump? Not even IppSec mentioned trying this; he completely ignored the machine hash, and I'm seeing 0 mention of it in all the writeups I'm seeing online.

If I remember correctly the hash has been changed since the LSASS dump, so it's not the right one. Forget about silver though; with the DC01 you can run golden ticket attacks.

@LMAY75 said:

> If I remember correctly the hash has been changed since the LSASS dump, so it's not the right one. Forget about silver though; with the DC01 you can run golden ticket attacks.

Ah ok, so you tried it then? Being expired may make sense if it were old; I believe the default policy is to reset every 30 days. Either that or the author intentionally changed the hash. Technically, to create golden tickets you need the hash of the KRBTGT account, not the DC (though you can DCSync with the DC's hash to get the krbtgt hash).

@SW4gb3JkZXIgdG said:

> Ah ok, so you tried it then? Being expired may make sense if it were old; I believe the default policy is to reset every 30 days. Either that or the author intentionally changed the hash. Technically, to create golden tickets you need the hash of the KRBTGT account, not the DC (though you can DCSync with the DC's hash to get the krbtgt hash).

Ah, my bad, you are right.

I think IppSec mentioned the DC hash being expired in his video. I didn’t try any ticket attacks.
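The exchange above turns on two key ages: a machine account such as DC01$ rotates its password on a 30-day default, so a hash lifted from an old LSASS dump goes stale on its own, while the krbtgt key never rotates unless an administrator resets it. The following is an added example (not code from the thread or from the box) that reports both ages from a domain-joined host with the ActiveDirectory module; the 180-day krbtgt threshold is an assumed operational target, not a Microsoft default.

```powershell
# Added example: report password age of DC machine accounts and krbtgt.
# Assumes the ActiveDirectory module is available on a domain-joined host.
# The 30-day machine threshold mirrors the Netlogon MaximumPasswordAge default;
# the 180-day krbtgt threshold is an assumption to adjust for your environment.
function Get-KerberosKeyAgeReport {
    param(
        [int] $MachineMaxAgeDays = 30,
        [int] $KrbtgtMaxAgeDays  = 180
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $now = Get-Date

    # One row per domain controller computer account (e.g. DC01$).
    $rows = @(foreach ($dc in Get-ADDomainController -Filter *) {
        $acct = Get-ADComputer -Identity $dc.Name -Properties PasswordLastSet
        $age  = [int]($now - $acct.PasswordLastSet).TotalDays
        [pscustomobject]@{
            Account         = $acct.SamAccountName
            Kind            = 'DomainController'
            PasswordLastSet = $acct.PasswordLastSet
            AgeDays         = $age
            Stale           = $age -gt $MachineMaxAgeDays
        }
    })

    # krbtgt only changes when someone resets it, so its age is the one to watch.
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $kage   = [int]($now - $krbtgt.PasswordLastSet).TotalDays
    $rows += [pscustomobject]@{
        Account         = $krbtgt.SamAccountName
        Kind            = 'krbtgt'
        PasswordLastSet = $krbtgt.PasswordLastSet
        AgeDays         = $kage
        Stale           = $kage -gt $KrbtgtMaxAgeDays
    }
    $rows
}

Get-KerberosKeyAgeReport | Format-Table -AutoSize
```

A DC row flagged Stale means the machine account has not rotated on schedule, which is worth investigating on its own; a krbtgt row flagged Stale means any golden ticket forged from a past compromise would still validate, which is the reason the account is reset twice in sequence after an incident.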

I believe this box is somehow broken, in that the svc_backup user can now just robocopy root.txt out without any restriction from EFS. I reset the machine multiple times and am still able to reproduce this behavior.

Alternatively, we can just set permissions on the root.txt file with a PowerShell script.

$root = "C:\Users\Administrator\Desktop\root.txt"
Get-Acl $root


    Directory: C:\Users\Administrator\Desktop


Path     Owner                  Access
----     -----                  ------
root.txt BUILTIN\Administrators BLACKFIELD\Administrator Allow  FullControl...

$acl = Get-Acl $root
# Build an Allow ACE granting svc_backup FullControl, add it to the DACL and write it back
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("blackfield.local\svc_backup","FullControl","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $root

Get-Acl $root


    Directory: C:\Users\Administrator\Desktop


Path     Owner                  Access
----     -----                  ------
root.txt BUILTIN\Administrators BLACKFIELD\svc_backup Allow  FullControl...

hmmm…

By digging into the root cause, I found that the EFS encryption is not enabled for root.txt.

*Evil-WinRM* PS C:\Users\Administrator\desktop> cipher /c root.txt

 Listing C:\Users\Administrator\desktop\
 New files added to this directory will not be encrypted.

U root.txt

One writeup mentioned that the original machine has root.txt encrypted with EFS.

*Evil-WinRM* PS C:\Users\Administrator\desktop> cipher /c root.txt

 Listing C:\Users\Administrator\desktop\
 New files added to this directory will not be encrypted.

E root.txt
  Compatibility Level:
    Windows Vista/Server 2008
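The post above checks two things by hand: the ACL on root.txt and the EFS flag that cipher /c reports as E or U. The relevant point for anyone defending a file like this is that SeBackupPrivilege lets robocopy /b read past the DACL, so EFS is the only one of the two controls that actually stops a Backup Operators member. Here is an added example (not code from the thread or from the box) that turns that audit into one function; the path and the expected-principal list are assumptions to adjust.

```powershell
# Added example: audit a sensitive file for EFS state, unexpected Allow ACEs,
# and who holds backup rights. $Path and $ExpectedPrincipals are assumptions.
function Get-SensitiveFileReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $ExpectedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    $item = Get-Item -LiteralPath $Path
    # The Encrypted attribute is what 'cipher /c' prints as 'E' (vs 'U').
    $isEfs = ($item.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
    $acl   = Get-Acl -LiteralPath $Path

    # Allow ACEs for any principal outside the expected set.
    $unexpected = @(foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($ExpectedPrincipals -notcontains $id) {
            [pscustomobject]@{
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    })

    # Members of Backup Operators hold SeBackupPrivilege and can read the file
    # with 'robocopy /b' regardless of the DACL. On a DC the group is a domain
    # group (AD module); on a member server it is a local group.
    $backupOps = @()
    try {
        if (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue) {
            $backupOps = @(Get-ADGroupMember -Identity 'Backup Operators' |
                           Select-Object -ExpandProperty SamAccountName)
        } else {
            $backupOps = @(Get-LocalGroupMember -Group 'Backup Operators' -ErrorAction Stop |
                           Select-Object -ExpandProperty Name)
        }
    } catch { }

    [pscustomobject]@{
        Path                = $item.FullName
        Owner               = $acl.Owner
        EfsEncrypted        = $isEfs
        UnexpectedAllowAces = $unexpected
        BackupOperators     = $backupOps
        ReadableViaBackup   = (-not $isEfs) -and ($backupOps.Count -gt 0)
    }
}

Get-SensitiveFileReport -Path 'C:\Users\Administrator\Desktop\root.txt' | Format-List
```

On the box as described in the post, the report would show EfsEncrypted false and svc_backup in BackupOperators, so ReadableViaBackup is true even though the DACL lists only Administrators; on the original build, EfsEncrypted true is what closed that path.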

@longcatth said:

> I believe this box is somehow broken, in that the svc_backup user can now just robocopy root.txt out without any restriction from EFS. I reset the machine multiple times and am still able to reproduce this behavior.
>
> By digging into the root cause, I found that the EFS encryption is not enabled for root.txt.
>
> One writeup mentioned that the original machine has root.txt encrypted with EFS.
>
> HTB: Blackfield | 0xdf hacks stuff

Something worth reporting to the HTB crew (Jira) about.
They are not usually on the forum.

Hey guys

Just rooted the box. According to the write-up, performing the copy through special permissions should not be possible on root.txt. However, when I performed the copy, I got root.txt & no***.txt. So the whole part with the WB***** was not necessary at all.

Is something wrong with the box, or is it okay that it works like that?

Hi, obtaining a foothold via WinRM is not possible - I believe the box is broken even after a reset. Can anyone confirm? Cheers

I have the same problem