cubeBaby

Reconnaissance

As always, we start off by performing our regular TCP scan using nmap

nmap --privileged -p- --open -Pn -n --min-rate 5000 -sS -sCV -vvv -oN scan 10.129.8.92
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-10-24 07:15:55Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
52764/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
52765/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
52774/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
55156/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows

We can tell we are facing a DC (Domain Controller) from the combination of open ports: 53/TCP (DNS), 88/TCP (Kerberos) and 389/TCP (LDAP).

We can already see the domain name using netexec, so we add it to our /etc/hosts file.
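As an added example (not part of the original writeup), a small parser for nmap's -oN output that applies the same reasoning: Kerberos plus LDAP on one host marks a domain controller, the LDAP banner carries the AD domain, and the remaining open ports tell a defender which remote entry points (SMB, RDP, WinRM) are exposed on that DC. The sample scan is constructed from the lines above.

```python
import re

# Constructed sample in nmap's -oN format, following the shape of the scan above.
SAMPLE_SCAN = """\
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-10-24 07:15:55Z)
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows
"""

PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s+"
    r"(?P<reason>\S+(?:\s+ttl\s+\d+)?)\s*(?P<version>.*)$")
DOMAIN_RE = re.compile(r"Domain:\s*([^,)\s]+)")
HOST_RE = re.compile(r"Host:\s*([^;\s]+)")

DC_PORTS = {88, 389}          # Kerberos + LDAP together mark a domain controller
REMOTE_ACCESS = {445: "SMB", 3389: "RDP", 5985: "WinRM"}   # entry points for valid credentials

def parse_scan(text):
    """Return one dict per open-port line; the header and 'Service Info' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group("state") == "open":
            rows.append({"port": int(m.group("port")), "service": m.group("service"),
                         "version": m.group("version")})
    return rows

def summarize(text):
    """Classify the host: DC or not, advertised AD domain, NetBIOS host name, exposed entry points."""
    rows = parse_scan(text)
    ports = {r["port"] for r in rows}
    domain = None
    for r in rows:
        m = DOMAIN_RE.search(r["version"])
        if m:
            # nmap renders the advertised name as "baby.vl0."; the trailing "0." is a display
            # artifact, the DNS name is baby.vl
            domain = m.group(1)[:-2] if m.group(1).endswith("0.") else m.group(1)
            break
    host = HOST_RE.search(text)
    return {"is_dc": DC_PORTS <= ports, "domain": domain,
            "host": host.group(1) if host else None,
            "remote_access": [REMOTE_ACCESS[p] for p in sorted(ports) if p in REMOTE_ACCESS]}

print(summarize(SAMPLE_SCAN))
```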

Let's start off by enumerating DNS using dig

We can also see the fully qualified domain name of the DC.

Now let's enumerate SMB on the target machine using a NULL Session in netexec

We see here that our access is blocked on SMB, so let's try LDAP using netexec again.

We successfully enumerated some users on the DC and a potential credential: Teresa.Bell:BabyStart123!

Password Spraying

Since we found a bunch of users and a password, it is only natural to perform a password spraying attack against every user we found. Let's use netexec again to do this, this time targeting the SMB service.

Here we see a different status for the Caroline.Robinson account: STATUS_PASSWORD_MUST_CHANGE

We can abuse this using smbpasswd, changing the targeted user's password to a new password of our choosing; in this case we will use BabyStarted123!, for example:
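From the defender's side, the spray above leaves a distinctive trace on the DC: one source address failing logons (event 4625) for many different accounts within seconds, with the Caroline.Robinson attempt carrying sub-status 0xC0000224 (STATUS_PASSWORD_MUST_CHANGE) instead of a bad-password code. This added detection example is not part of the original writeup; the event lines and the 10.10.14.5 / 10.129.8.50 addresses are constructed, and the simplified "time,event_id,source_ip,target_user,sub_status" layout is an assumption standing in for an exported event log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# 4625 sub-status meaning "password expired, the logon would succeed after a change":
PASSWORD_MUST_CHANGE = "0xC0000224"

# Constructed sample: 4625 events as "time,event_id,source_ip,target_user,sub_status".
# One source walks many accounts with one password inside seconds; one account answers 0xC0000224.
SAMPLE_EVENTS = """\
2025-10-24T07:20:01,4625,10.10.14.5,user01,0xC000006A
2025-10-24T07:20:01,4625,10.10.14.5,user02,0xC000006A
2025-10-24T07:20:02,4625,10.10.14.5,user03,0xC000006A
2025-10-24T07:20:02,4625,10.10.14.5,user04,0xC0000072
2025-10-24T07:20:03,4625,10.10.14.5,Caroline.Robinson,0xC0000224
2025-10-24T07:20:03,4625,10.10.14.5,user05,0xC000006A
2025-10-24T07:35:10,4625,10.129.8.50,helpdesk01,0xC000006A
"""

def parse_events(text):
    rows = []
    for line in text.strip().splitlines():
        ts, event_id, src, user, sub = line.split(",")
        rows.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                     "src": src, "user": user, "sub": sub})
    return rows

def detect_spray(events, min_accounts=5, window=timedelta(minutes=5)):
    """Flag each source IP that fails logons for >= min_accounts distinct users inside `window`.
    A mistyped password hits one account repeatedly; a spray hits many accounts once each."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):           # sliding window anchored at each event
            in_win = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            accounts = sorted({e["user"] for e in in_win})
            if len(accounts) >= min_accounts:
                findings[src] = {
                    "accounts": accounts,
                    # accounts whose password is expired but otherwise valid: reset these first
                    "must_change": sorted({e["user"] for e in in_win if e["sub"] == PASSWORD_MUST_CHANGE}),
                }
                break
    return findings

print(detect_spray(parse_events(SAMPLE_EVENTS)))
```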

Now we can check whether this user has any remote connection privilege; we will check WinRM, which is listening on TCP 5985.

Success! Now we can get a foothold on the machine.

Foothold

Let's use the evil-winrm tool to get our foothold on the DC.

Before using BloodHound to escalate our privileges, let's do some basic enumeration to see our current user's privileges.

And we have a dangerous privilege: SeBackupPrivilege. With it we can make a copy of SAM, SYSTEM and NTDS, sensitive databases that contain password hashes.

Abusing SeBackupPrivilege

First, let's copy the SAM and SYSTEM hives into our C:\Temp folder using reg. These registry hives contain:

  • SAM hive: the Security Account Manager database, which holds the local user hashes

  • SYSTEM hive: holds the boot key needed to decrypt the SAM database

Now for NTDS.dit: this is the Active Directory database file that contains all domain user hashes, but it is constantly locked by the LSASS process. We need to use the Volume Shadow Copy Service (VSS) to create a snapshot while the file is in use.

First, let's create a script on our attacker machine which we can then pass to diskshadow to make the backup of the NTDS.

Save this into a script.txt file

What this script does:

  • Creates a shadow copy (snapshot) of the C: drive

  • Exposes it as E: drive temporarily

  • Uses backup context to bypass file locks

Then upload it to the DC

Why this works with SeBackupPrivilege:

  • Shadow copies allow reading locked files

  • Backup mode in robocopy uses SeBackupPrivilege to bypass ACLs

  • We get a clean copy of NTDS.dit without stopping AD service

Then let's use robocopy to copy the file into our C:\Temp folder

And there we have our three files that we will use to dump the hashes:
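Each step of this chain (reg saving the SAM/SYSTEM hives, diskshadow running a script, robocopy copying ntds.dit in backup mode) is a separate process-creation event (4688) on the DC, and the logon that performed them carried SeBackupPrivilege in its 4672 event. This added detection example is not from the original writeup: it correlates those events and escalates severity when the same account hits all three steps. The sample events are constructed and their "time,event_id,user,process,command_line" layout is an assumption; the 4672 privilege list is stored in the last column for simplicity.

```python
import re
from collections import defaultdict

# Process-creation (4688) patterns for each step of the technique above; matched case-insensitively.
RULES = [
    ("reg_hive_save", r"\breg(\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b"),
    ("diskshadow_script", r"\bdiskshadow(\.exe)?\s+.*/s\b"),
    ("robocopy_backup_ntds", r"\brobocopy(\.exe)?\s+.*/b\b.*\bntds\.dit\b"),
]
BACKUP_PRIV = "SeBackupPrivilege"

# Constructed sample: "time,event_id,user,process,command_line" for 4672 (special privileges
# assigned to a new logon) and 4688 (process creation), mirroring the chain above.
SAMPLE_EVENTS = """\
2025-10-24T07:40:00,4672,BABY\\Caroline.Robinson,-,SeBackupPrivilege SeRestorePrivilege
2025-10-24T07:41:10,4688,BABY\\Caroline.Robinson,C:\\Windows\\System32\\reg.exe,reg save HKLM\\SAM C:\\Temp\\sam
2025-10-24T07:41:12,4688,BABY\\Caroline.Robinson,C:\\Windows\\System32\\reg.exe,reg save HKLM\\SYSTEM C:\\Temp\\system
2025-10-24T07:42:30,4688,BABY\\Caroline.Robinson,C:\\Windows\\System32\\diskshadow.exe,diskshadow /s C:\\Temp\\script.txt
2025-10-24T07:43:05,4688,BABY\\Caroline.Robinson,C:\\Windows\\System32\\Robocopy.exe,robocopy /b E:\\Windows\\NTDS C:\\Temp ntds.dit
2025-10-24T07:50:00,4688,BABY\\svc_backup,C:\\Windows\\System32\\wbadmin.exe,wbadmin start backup -backupTarget:F:
"""

def parse_events(text):
    rows = []
    for line in text.strip().splitlines():
        ts, eid, user, proc, cmd = line.split(",", 4)
        rows.append({"time": ts, "event_id": int(eid), "user": user, "proc": proc, "cmd": cmd})
    return rows

def detect_backup_abuse(events):
    """Return (findings, chains). A finding is (time, user, rule, severity); severity is 'high'
    when that user's logon carried SeBackupPrivilege. chains lists users that hit every rule,
    i.e. the complete hive save + shadow copy + backup-mode copy sequence."""
    backup_users = {e["user"] for e in events
                    if e["event_id"] == 4672 and BACKUP_PRIV in e["cmd"]}
    findings, rules_by_user = [], defaultdict(set)
    for e in events:
        if e["event_id"] != 4688:
            continue
        for name, pattern in RULES:
            if re.search(pattern, e["cmd"], re.IGNORECASE):
                sev = "high" if e["user"] in backup_users else "medium"
                findings.append((e["time"], e["user"], name, sev))
                rules_by_user[e["user"]].add(name)
    chains = sorted(u for u, hit in rules_by_user.items() if len(hit) == len(RULES))
    return findings, chains

print(detect_backup_abuse(parse_events(SAMPLE_EVENTS)))
```

A legitimate backup job (the wbadmin line) trips none of the rules, while the same three steps run by an account outside a backup window stand out as a single chain.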

Dumping hashes

Let's download the three files to the attacker machine using evil-winrm's download command so we can use impacket-secretsdump to dump all the hashes.

We know the second one is the domain Administrator's hash, so we will use it to pass-the-hash (PtH) with evil-winrm to the DC, this time as the Administrator user.

Conclusion

This attack chain demonstrates a classic Active Directory privilege escalation:

  1. Initial Access: Password spray → Password reset → WinRM access

  2. Privilege Discovery: Backup Operators group membership with SeBackupPrivilege

  3. Credential Extraction: Shadow copy technique to dump NTDS.dit

  4. Domain Compromise: Extract domain Administrator's hash for full domain control

The takeaway is that Backup Operators group membership is highly dangerous in Active Directory environments, as it allows attackers to extract the entire domain credential database through volume shadow copies, ultimately leading to complete domain compromise.
