
Blackfield: When Operational Accounts Become Domain Keys

A system autopsy of HackTheBox Blackfield — examining how a misconfigured SMB share, disabled Kerberos pre-authentication, an overpermissive ACL, and a backup service account combined to expose every credential in a domain controller.

active-directory as-rep-roasting sebackupprivilege bloodhound ntds-extraction windows hard hackthebox

Blackfield System Context

Blackfield is a Windows domain controller running Active Directory for the domain. The exposed attack surface on initial scan: DNS (53), Kerberos (88), LDAP (389), SMB (445), and WinRM (5985) — a standard DC footprint with nothing obviously wrong from the outside.

The failure chain is entirely internal. No CVEs, no unpatched services. Every step of the compromise exploits a configuration decision that an administrator made deliberately at some point, for a legitimate reason, and never revisited.

Attack surface identified:

---

Failure 1 — The profiles$ share treated usernames as non-sensitive

SMB enumeration with guest access reveals a readable share: profiles$. The share contains no files. What it does contain is a folder for every user account in the domain —…
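The two conditions that open this chain (a share readable without a real domain identity, and accounts that skip Kerberos pre-authentication) are both things a domain controller can audit about itself. The script below is an added defender-side check, not code from the original autopsy or from HackTheBox. It assumes it is run on the DC with the SmbShare and ActiveDirectory (RSAT) modules available; the list of low-trust principal names it treats as "guest-equivalent" is an assumption chosen to match the default Windows account names.

```powershell
# Added audit script (not part of the original article). Run on the domain controller.
# Flags: (1) non-administrative SMB shares readable by guest-equivalent principals,
#        (2) whether the Guest account is enabled, and
#        (3) user accounts with Kerberos pre-authentication disabled.
Import-Module SmbShare
Import-Module ActiveDirectory

# Assumption: these principal names represent access without a real domain identity.
$lowTrustPrincipals = @('Everyone', 'NT AUTHORITY\ANONYMOUS LOGON', 'BUILTIN\Guests', 'Guest')

function Get-GuestReadableShare {
    # Every non-special share (skips ADMIN$, C$, IPC$) whose ACL grants a low-trust principal Allow access.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and ($lowTrustPrincipals -contains $_.AccountName) } |
            ForEach-Object {
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Principal = $_.AccountName
                    Right     = $_.AccessRight
                    # Directory names are the data such a share leaks; on profiles$ they were usernames.
                    TopLevelDirs = (Get-ChildItem -LiteralPath $share.Path -Directory -ErrorAction SilentlyContinue).Count
                }
            }
    }
}

function Get-GuestAccountState {
    # The built-in Guest account is disabled by default; an enabled Guest widens every "Guests" ACE.
    Get-ADUser -Identity 'Guest' -Properties Enabled | Select-Object SamAccountName, Enabled
}

function Get-PreAuthDisabledAccount {
    # DoesNotRequirePreAuth corresponds to the UF_DONT_REQUIRE_PREAUTH bit (0x400000) in userAccountControl.
    # Any enabled account here can have an AS-REP requested for it without a password, so it is an offline-cracking target.
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties DoesNotRequirePreAuth, LastLogonDate |
        Select-Object SamAccountName, Enabled, LastLogonDate
}

Write-Host '== Shares readable by guest-equivalent principals =='
Get-GuestReadableShare | Format-Table -AutoSize

Write-Host '== Guest account =='
Get-GuestAccountState | Format-Table -AutoSize

Write-Host '== Accounts with Kerberos pre-authentication disabled =='
Get-PreAuthDisabledAccount | Format-Table -AutoSize
```

Each finding maps to a one-line fix: remove the offending ACE with Revoke-SmbShareAccess -Name profiles$ -AccountName Everyone (and re-grant to the specific group that needs it), keep Guest disabled with Disable-ADAccount -Identity Guest, and re-enable pre-authentication with Set-ADAccountControl -Identity <account> -DoesNotRequirePreAuth $false. The folder-count column is there to make the point of Failure 1 concrete: a share that "contains no files" can still disclose the full user list.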