
🐈Baby

Easy machine

Enumeration

Nmap


Ldapsearch


Domain = baby.vl

I now have a lot of results that can be useful to analyse

About users (& a password inside the description of a user ⚠️):
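
From the defender's side, a password left in a user's description attribute is something you can audit for. The script below is an added example, not part of the original write-up: it parses an LDIF export (the format ldapsearch prints) and flags free-text attributes that look like they hold credentials, redacting the secret in the report. The sample entries, the keyword list and the checked attribute names (description, info, comment) are assumptions.

```python
import base64
import re

# Words that usually precede a secret left in a free-text field (assumed list).
HINT = re.compile(r"(?i)\b(pass(word|wd)?|pwd|cred(ential)?s?)\b")

def parse_ldif(text):
    """Yield one dict per LDIF entry: lowercased attribute -> list of values."""
    unfolded = re.sub(r"\r?\n ", "", text.strip())      # undo RFC 2849 line folding
    for block in re.split(r"\r?\n\s*\r?\n", unfolded):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            b64 = rest.startswith(":")                  # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:]).decode("utf-8", "replace") if b64 else rest.strip()
            entry.setdefault(name.lower(), []).append(value)
        if entry:
            yield entry

def audit(text, fields=("description", "info", "comment")):
    """Return (account, field, redacted preview) for each suspicious value."""
    findings = []
    for entry in parse_ldif(text):
        account = (entry.get("samaccountname") or entry.get("dn") or ["?"])[0]
        for field in fields:
            for value in entry.get(field, []):
                if (m := HINT.search(value)):   # keep text up to the keyword only
                    findings.append((account, field, value[:m.end()] + " [REDACTED]"))
    return findings

# Constructed sample export (not output from the machine in this write-up).
SAMPLE = """\
dn: CN=Alice Example,OU=dev,DC=example,DC=test
sAMAccountName: Alice.Example
description: Set initial password to Const
 ructed-Pw-1!

dn: CN=Bob Example,OU=it,DC=example,DC=test
sAMAccountName: Bob.Example
description: Helpdesk team lead

dn: CN=Carol Example,OU=it,DC=example,DC=test
sAMAccountName: Carol.Example
info:: VGVtcCBwd2Q6IENvbnN0cnVjdGVkMg==
"""

for account, field, preview in audit(SAMPLE):
    print(f"{account}: {field} -> {preview}")
```

Any account the audit flags should have the attribute cleaned and its password rotated, since directory attributes like description are typically readable by every authenticated user.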

SMB

Access denied as guest

We will try with our new creds: Teresa.Bell:**********

RPC

Trying to enumerate domain users, but I’m getting access denied

Also trying with my new creds, but not successful

Kerbrute

After trying password spraying across all the users, I found the real creds:

Compromised user = Caroline.Robinson@baby.vl:**********

Crackmapexec

We need to change the password to connect to this user

We can use smbpasswd

We now have: 'Caroline.Robinson':'Makito123!'

Domain Enumeration

Doing some domain enumeration with Bloodhound & PowerShell


We can confirm that the user Caroline.Robinson can back up files, so we can get the SAM & SYSTEM files to possibly crack or pass the Admin hash

Hashes

But we can do nothing with the Admin hash because it’s a local admin so we can’t use this account to connect to the DC

We also need the ntds.dit

After following the blog, I can log in with the hash with Evil-WinRM and get the root flag

PWNED 🏆
