VulnLab: Baby

Ryan Yager, published in System Weakness, May 5, 2023

Today we are going to take a look at the VulnLab machine Baby. If you do not have access to VulnLab, here is an article explaining how to set up an account:

Let's start off as usual with a RustScan:

Looks like we have a Domain Controller. Whenever I see something like this, I always try ldapdomaindump, ldapsearch, rpc and smbclient. However, the first thing we need is the domain name. We can find this with crackmapexec by supplying any username and password we like:

Now that we have a domain name, let's see if ldapsearch works:

We get information back, so now we know that we can bind anonymously. From here we can save the ldapsearch output to a file and look at the sAMAccountNames, and also whether there is a description anywhere:

Now that we have usernames and a default password, let's put those users in a file and use crackmapexec to see whose password it is (the IP address changed because I took too long):

We can see that the user must change her password. However, since we know her old password, we can change it for her:

There we go, we have now changed her password to P@ssw0rd! (note: the machine has a script running to change the password back. This means that you may have to run this multiple times while working on the machine).

Also, if the script runs, you have to pick a different password, because your “old” password is one of the last 10 used:

Logging in as her with evil-winrm, we can see her permissions, and they are dangerous:

With Backup Operators privileges there are many things we can do, such as copying the SAM and SYSTEM hives out of HKLM:

Now we can use the download function of evil-winrm to bring the SAM and SYSTEM hives back to our Kali machine:

Now do the same thing with SYSTEM, and you will have both back on your Kali machine (note: SYSTEM will take a minute to download).

From here, we can dump the hashes from them with Impacket's secretsdump:

Lastly, pass the NT hash and get into the machine as Administrator:
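The chain above rests on two things a defender can audit for directly: a password left in a user's LDAP description (the ldapsearch step) and an ordinary account sitting in Backup Operators (the evil-winrm step). The following is an added example, not code from the original post, that parses ldapsearch-style LDIF output and flags both; the LDIF sample, the group list and the keyword pattern are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed LDIF sample in the shape ldapsearch prints; accounts and values are made up.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Staff,DC=example,DC=local
sAMAccountName: jane.doe
description: Set initial password to Welcome123! on
  first login
memberOf: CN=Backup Operators,CN=Builtin,DC=example,DC=local

dn: CN=John Roe,OU=Staff,DC=example,DC=local
sAMAccountName: john.roe
description: Helpdesk analyst
memberOf: CN=Domain Users,CN=Users,DC=example,DC=local

dn: CN=svc backup,OU=Service,DC=example,DC=local
sAMAccountName: svc_backup
memberOf: CN=Backup Operators,CN=Builtin,DC=example,DC=local
"""

# Assumed keyword pattern and list of groups that grant hive-backup or admin rights.
PASSWORD_HINT = re.compile(r"\b(pass(word|wd)?|pwd|credential)\b", re.IGNORECASE)
SENSITIVE_GROUPS = {"Backup Operators", "Administrators", "Domain Admins"}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into entries; each entry maps attribute -> list of values.
    Blank lines separate entries; a leading space continues the previous value."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr:          # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        line = raw.rstrip()
        if not line:                                   # entry boundary
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, value = line.split(":", 1)
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit(entries: List[Dict[str, List[str]]]) -> List[Tuple[str, str]]:
    """Return (sAMAccountName, finding) pairs for leaked-looking descriptions
    and membership of sensitive groups."""
    findings = []
    for entry in entries:
        sam = entry.get("sAMAccountName", ["?"])[0]
        for desc in entry.get("description", []):
            if PASSWORD_HINT.search(desc):
                findings.append((sam, "password-like text in description"))
        for group_dn in entry.get("memberOf", []):
            cn = group_dn.split(",")[0]
            cn = cn[3:] if cn.startswith("CN=") else cn
            if cn in SENSITIVE_GROUPS:
                findings.append((sam, f"member of {cn}"))
    return findings


if __name__ == "__main__":
    for sam, finding in audit(parse_ldif(SAMPLE_LDIF)):
        print(f"{sam}: {finding}")
```

Pointing the same parser at a real `ldapsearch -LLL` export turns the attacker's enumeration step into a routine audit of the directory.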

Hopefully you liked the walkthrough and learned something along the way, have a good one.

If you want to see more hacking follow on twitch / youtube:
