Hutch
PG Practice Hutch writeup
Nmap
Starting off by looking at LDAP, running the LDAP-related nmap scripts to enumerate the service.
Looking through the results we do not have much interesting information, but we do have the naming context of hutch.offsec for the DC.
Having this information we can run ldapsearch with the naming context included to enumerate users and grep for sAMAccountName.
We now have the following user list:
Running the same LDAP command as above except this time grepping for the description we see the following:
We have a password in the last line, which correlates with the last user in the entry list, fmcsorley, giving the combined credentials fmcsorley:CrabSharkJellyfish192
Checking the credentials with crackmapexec against SMB shows we have valid information.
With valid SMB credentials I was unable to enumerate any further interesting information. From the Nikto results earlier we do have WebDAV enabled.
Without a specific directory enabled we can attempt to upload to the root page with curl. I first created an msfvenom ASPX reverse shell, then attempted to upload it with curl, ensuring the valid credentials we have are used.
I set the shell to call back on port 445 and started a netcat listener on the same port. After browsing to 192.168.64.122/shell.aspx I received a shell back on my listener.
After going through the system we do see that LAPS has been installed on the server.
It's possible that LAPS or LDAP has been misconfigured such that the LAPS-managed local administrator passwords of computer objects in AD are readable. Knowing this we can go back and search LDAP with the credentials we have, specifically looking for the ms-Mcs-AdmPwd attribute.
We can see that for the domain controller the LAPS password is set to J6QOuU+lhs[SH/
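Both findings above (a password left in a user's description attribute, and the ms-Mcs-AdmPwd attribute being readable by an ordinary domain user) can be caught by auditing the ldapsearch output itself. The script below is an added example, not part of the original writeup: it parses LDIF as ldapsearch prints it and flags either condition, using constructed sample output rather than data from the lab.

```python
import re
# Constructed sample ldapsearch (LDIF) output, modelled on the writeup; values are made up.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=Fred Example,CN=Users,DC=example,DC=test
sAMAccountName: fexample
description: Password set to Example-Pass-123 on first
  login

dn: CN=DC01,OU=Domain Controllers,DC=example,DC=test
sAMAccountName: DC01$
ms-Mcs-AdmPwd: NotARealPassword!1
"""
KEYWORD = re.compile(r"(?i)\b(pass(word)?|pwd|cred(ential)?s?|login)\b")
# 10+ char token mixing upper, lower and digits, e.g. CrabSharkJellyfish192
COMPLEX_TOKEN = re.compile(r"\b(?=\S*[a-z])(?=\S*[A-Z])(?=\S*\d)\S{10,}\b")

def parse_ldif(text):
    """One {attribute: [values]} dict per entry; folded lines are rejoined."""
    entries, current, last_key = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):            # ldapsearch comment line
            continue
        if not line.strip():                # blank line ends an entry
            if current:
                entries.append(current)
            current, last_key = {}, None
        elif line.startswith(" ") and last_key:
            current[last_key][-1] += line[1:]   # LDIF continuation line
        else:
            key, _, value = line.partition(":")
            last_key = key.strip()
            current.setdefault(last_key, []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def looks_like_secret(desc):
    return bool(KEYWORD.search(desc) or COMPLEX_TOKEN.search(desc))

def audit(text):
    findings = []
    for e in parse_ldif(text):
        name = e.get("sAMAccountName", ["?"])[0]
        if any(looks_like_secret(d) for d in e.get("description", [])):
            findings.append(f"{name}: description appears to contain a credential")
        if "ms-Mcs-AdmPwd" in e:  # LAPS password readable: review the attribute's read ACL
            findings.append(f"{name}: ms-Mcs-AdmPwd readable by this account")
    return findings
```

Run it against the output of an ldapsearch bound as a low-privileged account; any ms-Mcs-AdmPwd finding means the LAPS read permission is granted too broadly and the ACL on the computer objects should be reviewed.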
I then confirmed the credentials with crackmapexec against LDAP using the local administrator account and was given successful confirmation.
I was then able to use these credentials with Impacket's psexec.py to gain access to the Domain Controller as SYSTEM.