HackTheBox - Blackfield

00:00 - Intro 01:00 - Start of nmap 03:00 - Enumerating fileshares with SMBClient and CrackMapExec, highlighting some picky syntax 06:15 - Mounting the profiles$ directory so we can build a username list 09:00 - Using Kerbrute to enumerate valid usernames 13:40 - Running GetNPUsers to perform an ASREP Roast 17:50 - Checking what we can do with the Support User from the ASREP Roast 20:45 - Running the python Bloodhound ingestor from Linux 27:55 - Bloodhound ran, playing around with the data, eventually seeing support can reset audit2020's password 32:20 - Setting an Windows users (Audit2020) password from linux using RPCClient 36:45 - Audit2020 has access to the forensic share which has a memory dump of lsass, running pypykatz to extract credentials 42:20 - Using Evil-WinRM to access the box as SVC_Backup and discovering the backup privilege 43:30 - Failing to get WBADMIN to send a backup file to impacket 47:30 - Creating a NTFS Block Device/Partition but does not fix our impacket issues 49:45 - Editing samba to create a windows fileshare from linux. Purposefully don't point it to our NTFS Disk so you can see the errors. 54:54 - Pointing samba to our NTFS Directory, to show it works much better 55:50 - Running wbadmin to create a backup to our fileshare and include ntds.dit 57:00 - Running wbadmin to restore a ntds.dit out of our backup and creating a backup of the SYSTEM Registry hive 1:02:00 - Using secretsdump to extract credentials out of the Active Directory database (ntds.dit) and show the history flag 1:04:20 - Showing you can't grab the flag as SYSTEM user due to EFS (Encrypted File System). Using WMIExec to get a shell as the actual user 1:12:30 - Using Mimikatz to restore the password of Audit2020, so it's like we were never there.