Baby
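An nmap scan shows that the target is a Windows domain controller. LDAP enumeration yields a default password, which is used in a password-spraying attack to gain user access. After a foothold with evil-winrm, SeBackupPrivilege is used to extract system files and decrypt the Administrator hash, and the root flag is finally obtained. 2025-10-6 07:3:38 Author: infosecwriteups.com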

Hack The Box: Machine

Andrew Paul


© Hack The Box

Details

Release Date: September 18th, 2025
OS: Windows
Difficulty: Easy
Created by: xct
Link: https://app.hackthebox.com/machines/Baby
Soundtrack: AM I THE DRAMA — Cardi B

Summary

We begin by discovering that the machine is a Domain Controller through a standard nmap scan. Enumerating the LDAP service, we find a default password carelessly left in a user's description field. We then use this password in a password spraying attack to gain access to another user's account. After being forced to change the password upon login, we gain a foothold with evil-winrm. For privilege escalation, we leverage the SeBackupPrivilege to create a shadow copy of the system drive, allowing us to exfiltrate the ntds.dit and SYSTEM files. Finally, we use impacket-secretsdump to extract the Administrator's NTLM hash from these files and use it to log in as the Administrator, capturing the root flag.
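
Seen from the defender's side, the finding that starts this chain (a default password left in a user's description field) can be audited for in a directory export. The following is an added example, not part of the original write-up: it parses an LDIF export and flags accounts whose free-text attributes mention a credential. The sample entries, the keyword list and the function names are constructed for illustration.

```python
import base64
import re

# Constructed sample LDIF export (made-up accounts, not data from the write-up).
_B64 = base64.b64encode(b"pwd=Example-Pass2!").decode()
SAMPLE_LDIF = f"""\
dn: CN=Alice Example,OU=dev,DC=example,DC=test
sAMAccountName: alice.example
description: Set initial password to Example-Pass1! at first
  logon

dn: CN=Bob Example,OU=it,DC=example,DC=test
sAMAccountName: bob.example
description: Helpdesk technician, building 2

dn: CN=Carol Example,OU=it,DC=example,DC=test
sAMAccountName: carol.example
description:: {_B64}
"""

# Assumed keyword list; tune it to local naming habits and languages.
KEYWORDS = re.compile(r"(?i)\b(pass(word|wd)?|pwd|cred(ential)?s?|secret)\b")

def parse_entries(ldif):
    """Yield one dict per LDIF entry: unfold lines, decode 'attr:: base64' values."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # RFC 2849: continuation = newline + 1 space
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # double colon marks a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        yield entry

def audit(ldif, attrs=("description", "info", "comment")):
    """Return (account, attribute) pairs to review; values are not echoed back."""
    findings = []
    for entry in parse_entries(ldif):
        who = (entry.get("samaccountname") or entry.get("dn") or ["?"])[0]
        for attr in attrs:
            if any(KEYWORDS.search(v) for v in entry.get(attr, [])):
                findings.append((who, attr))
    return findings

if __name__ == "__main__":
    for account, attr in audit(SAMPLE_LDIF):
        print(f"review {attr} of {account}")
```

The report names the account and attribute only, so the audit output does not become a second copy of the leaked secret.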

Reconnaissance

Nmap

nmap -T4 -Pn -sCV -p- -oN nmap-full 10.129.140.68

Output

Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-05 19:33 UTC
Nmap…

Article source: https://infosecwriteups.com/baby-dfc2547dc387?source=rss----7b722bfd1b8d---4