BabyTwo - Hack The Box
Enumeration
Nmap
The initial Nmap scan showed the standard Domain Controller port set, so the target was treated as a DC from the start.
SMB Null
An SMB null session was allowed and it revealed several accessible shares.
One of them, homes, contained a folder per user, which gave a first set of usernames. I noted them and also dropped a desktop.ini generated with the ntlm_theft tool into each user's folder, then started Responder to catch any NTLM authentication triggered when a user browses their folder.
To extend the user list I also ran RID brute forcing over the null session and added those users as well.
Another share, apps, contained a .lnk file.
I analysed it with the lnk-parse tool; the only useful piece of information was the location of the startup scripts.
Brute Forcing
I then sprayed SMB with the generated user list, using each username as its own password, and found two valid credentials.
More SMB Enumeration
The user Carl.Moore had READ access to the SYSVOL share, which holds the startup scripts.
I first reviewed the login.vbs script; it contained nothing useful on its own.
Later I found that, although nxc reported only READ access, I could write into the scripts folder. nxc decides WRITE by trying to create a directory at the share root, so a writable subfolder such as scripts can hide behind a READ verdict; always attempt a test upload into the folder you actually care about. I added a reverse shell to login.vbs and uploaded it back into the scripts folder. When the logon script next ran I received a reverse PowerShell session in a netcat listener and read the user flag.
Privilege Escalation
BloodHound
Carl.Moore's credentials also worked over LDAP, so I collected domain data with bloodhound-python using them.
WriteDACL over GPOADM
The BloodHound data showed that the user my reverse shell was running as (Amellia) had WriteDacl over the GPOAdm user.
I first modified GPOAdm's ACL to grant Amellia GenericAll over the object, then reset GPOAdm's password. A password reset is the noisiest way to take over the account, so note both the ACL change and the reset for the report and revert them afterwards.
GenericAll over GPO
GPOAdm had GenericAll over the Default Domain Policy GPO, which is linked at the domain level and therefore applies to the DC itself.
This can be abused with pyGPOAbuse or SharpGPOAbuse, which push an immediate scheduled task through the GPO to add a new user to the local Administrators group.
I used pyGPOAbuse with its default options, which create a user john with the password 'H4x00r123..' and add it to the local Administrators group. The task only runs once Group Policy refreshes; on a DC that happens every 5 minutes by default, or it can be forced with gpupdate /force from an existing shell on the DC.
I then opened an RDP session as the new user with xfreerdp3.
And got the root flag.
Pwned
Pwned it baby :)