
Today we walk step by step through Baby2 from Vulnlab, a medium-difficulty Active Directory Windows machine.

We began enumeration with a full-port nmap scan of the target, 10.10.87.212. The scan revealed several open ports and services, including domain, kerberos-sec, msrpc, netbios-ssn, ldap, and others.

Further enumeration showed that the machine was running Windows Server 2022 Build 20348 x64 with the domain name baby2.vl. The homes share contained empty directories for several users, including Amelia.Griffiths, Carl.Moore and Harry.Shaw.

After discovering a logon script for the user Amelia.Griffiths, we modified it to include a reverse shell payload that executes when the user logs in. This gave us access to the machine as Amelia.Griffiths.
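The weakness abused here is a logon script that a low-privileged principal can modify. The following audit script is an added example, not part of the original writeup; it assumes the RSAT ActiveDirectory module is available and that each user's scriptPath is relative to the domain NETLOGON share, and it reports every logon script that an untrusted principal can write to.

```powershell
# Added example (not from the original writeup): report logon scripts that
# non-privileged principals can modify. Assumes RSAT ActiveDirectory and that
# scriptPath values are relative to \\<domain>\NETLOGON.
Import-Module ActiveDirectory

$Dom          = Get-ADDomain
$NetlogonRoot = "\\$($Dom.DNSRoot)\NETLOGON"

# Principals that are expected to be able to edit logon scripts.
$Trusted = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
    "$($Dom.NetBIOSName)\Domain Admins",
    "$($Dom.NetBIOSName)\Enterprise Admins"
)

# Rights that let a principal change a script's contents or its ACL.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $R::WriteData -bor $R::AppendData -bor $R::Delete -bor
             $R::ChangePermissions -bor $R::TakeOwnership

function Find-WritableLogonScript {
    # Every user that has a logon script assigned.
    $users = Get-ADUser -Filter 'scriptPath -like "*"' -Properties scriptPath
    foreach ($u in $users) {
        $path = Join-Path $NetlogonRoot $u.scriptPath
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "$($u.SamAccountName): script '$path' not found"
            continue
        }
        $acl = Get-Acl -LiteralPath $path
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($Trusted -contains $id) { continue }
            # Only report ACEs that carry at least one write-class right.
            if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                User      = $u.SamAccountName
                Script    = $path
                Principal = $id
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Find-WritableLogonScript | Format-Table -AutoSize
```

Any row in the output is a script that a non-administrative identity can rewrite before the assigned user's next logon; the same check is worth running against any other share that hosts logon or startup scripts.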

We then escalated privileges through ACL and GPO abuse. By granting Amelia.Griffiths write permissions over the GPOADM group, which holds GenericAll access to the Group Policies, we were able to force a password change for the GPOADM user and take full control of that account.

Using pyGpoAbuse, we scheduled a task that adds the GPOADM user to the local administrators group, giving us administrative privileges on the machine. Once the group policy update had applied, we were able to log in as GPOADM and retrieve the root flag.

In conclusion, we successfully hacked Baby2 from Vulnlab using a combination of enumeration, exploitation of ACL & GPO Abuse, and privilege escalation techniques. This demonstrates the importance of thorough enumeration and understanding of Active Directory environments in cybersecurity. Thank you for following along with our hacking journey!