HackTheBox - Blackfield

Video description: HackTheBox - Blackfield

00:00 - Intro
01:00 - Start of nmap
03:00 - Enumerating fileshares with SMBClient and CrackMapExec, highlighting some picky syntax
06:15 - Mounting the profiles$ directory so we can build a username list
09:00 - Using Kerbrute to enumerate valid usernames
13:40 - Running GetNPUsers to perform an ASREP Roast
17:50 - Checking what we can do with the Support User from the ASREP Roast
20:45 - Running the python Bloodhound ingestor from Linux
27:55 - Bloodhound ran, playing around with the data, eventually seeing support can reset audit2020's password
32:20 - Setting a Windows user's (Audit2020) password from Linux using RPCClient
36:45 - Audit2020 has access to the forensic share which has a memory dump of lsass, running pypykatz to extract credentials
42:20 - Using Evil-WinRM to access the box as SVC_Backup and discovering the backup privilege
43:30 - Failing to get WBADMIN to send a backup file to impacket
47:30 - Creating an NTFS block device/partition, which does not fix our impacket issues
49:45 - Editing samba to create a windows fileshare from linux. Purposefully don't point it to our NTFS Disk so you can see the errors.
54:54 - Pointing samba to our NTFS Directory, to show it works much better
55:50 - Running wbadmin to create a backup to our fileshare and include ntds.dit
57:00 - Running wbadmin to restore a ntds.dit out of our backup and creating a backup of the SYSTEM Registry hive
1:02:00 - Using secretsdump to extract credentials out of the Active Directory database (ntds.dit) and show the history flag
1:04:20 - Showing you can't grab the flag as SYSTEM user due to EFS (Encrypted File System). Using WMIExec to get a shell as the actual user
1:12:30 - Using Mimikatz to restore the password of Audit2020, so it's like we were never there.
