# Hutch

## Information Gathering

`sudo nmapAutomator.sh 192.168.131.122 all`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FWsKgquIdK7f1TRMuzJyt%2Fimage.png?alt=media\&token=a4f64fad-f189-425c-ace8-1c4983124f2e)

### Service Enumeration

### LDAP (Port 389)

We didn't get much information from Nmap.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FgZf9bB1GrHYToLZyhE47%2Fimage.png?alt=media\&token=464fd626-ac2d-49f1-abe3-5c224b6ae269)

We can use `ldapsearch` with an anonymous bind (empty `-D` and `-w`) to list all account names.

`ldapsearch -x -h 192.168.131.122 -D '' -w '' -b "DC=hutch,DC=offsec"`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FOIJH9q3HLjpDneywapbV%2Fimage.png?alt=media\&token=e0462b90-8e63-4502-8317-1d60d59a79b1)

While scrolling through the `ldapsearch` results, I came across the account name `fmcsorley`, which had a description saying the password is `CrabSharkJellyfish192`.

`fmcsorley:CrabSharkJellyfish192`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2F3dpklEVgon6pAbflCCLX%2Fimage.png?alt=media\&token=0c20d0b0-4dfd-4686-b3e5-dc66fc3a9949)

### SMB (Port 139, 445)

Now that we have valid account credentials, we can enumerate SMB shares, since anonymous login was not enabled in our earlier testing.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2Flyo2xEgmzDYTcj8mVbYi%2Fimage.png?alt=media\&token=dbfcb197-a6bf-41ed-8547-4fc15272e52a)

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FSc7EgYoTQDwFUQc1z2CV%2Fimage.png?alt=media\&token=376fa401-5389-4a41-8e13-a52fe32496cd)

### HTTP (Port 80)

We ran `gobuster`, but it did not find anything significant.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FJYfkIa6n7tRmz5IZf0Vc%2Fimage.png?alt=media\&token=7ccfd299-c1d3-45e6-9234-a7ab1c5f7613)

From our Nmap scan earlier we know that WebDAV is enabled. We try connecting via `cadaver` and are able to authenticate using the credentials found earlier.

## Exploit

We then generate a reverse shell payload and upload it to the target machine to get a reverse shell connection.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2F42S2ZF9XnUGv45hkHobv%2Fimage.png?alt=media\&token=20e656eb-bb87-4d00-872a-d323f9198043)

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FpaMNgGZ5P2ERCESK0SXr%2Fimage.png?alt=media\&token=13c9a605-954e-4d97-92c2-4f5dfac69752)

After starting our listener, we browse to the following URL and receive a connection.

`http://192.168.131.122/shell.aspx`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FMXy9mtc1kLfuT6AoGfYG%2Fimage.png?alt=media\&token=640fdb41-1338-42a7-ad5d-32aa3daed898)

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FZwDKudLTQFaiW9UF6Kep%2Fimage.png?alt=media\&token=7dcd6457-ffc4-4478-95f3-b884d9c9a7f9)

## Privesc

From running winPEAS, we see that LAPS (Local Administrator Password Solution) is enabled. We can try to search for the `ms-Mcs-AdmPwd` attribute using `ldapsearch`.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2F7HLKhUgONc9PD2MYFQ2M%2Fimage.png?alt=media\&token=615bf919-c27e-4c45-85a4-ed7d28fdf03a)

`ldapsearch -x -h 192.168.131.122 -D 'hutch\fmcsorley' -w 'CrabSharkJellyfish192' -b 'dc=hutch,dc=offsec' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2F0I0kbhHpygM3N45IVwkK%2Fimage.png?alt=media\&token=fabbea54-8968-4a71-9e65-2e002cfbcc7f)
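Both findings on this box (a password left in an account's `description`, and a LAPS password that a regular domain user can read) come straight out of `ldapsearch` output, so a defender can audit for them with the same data. The script below is an added example, not code from the original writeup: it parses an LDIF export such as `ldapsearch` produces (including `#` comments, folded continuation lines and base64 `::` values), flags descriptions that mention credentials, and flags any computer object whose `ms-Mcs-AdmPwd` (or Windows LAPS `msLAPS-Password`) attribute was returned, which for an export taken with a low-privileged bind means the attribute's read permission is too broad. Every name and value in the embedded sample is constructed.

```python
"""Offline audit of ldapsearch (LDIF) output for credentials in description
fields and for LAPS password attributes that a low-privileged bind can read.
Example code, not part of the original writeup."""
import base64
import re

# Constructed sample in ldapsearch's LDIF format; all names and values are made up.
# The third description is base64-encoded (LDIF "::" form) and the second is folded.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=Alice Example,CN=Users,DC=example,DC=local
sAMAccountName: aexample
description: Backup service account

dn: CN=Bob Example,CN=Users,DC=example,DC=local
sAMAccountName: bexample
description: Temporary account, password is Place
 holder123 (rotate later)

dn: CN=Carol Example,CN=Users,DC=example,DC=local
sAMAccountName: cexample
description:: UGFzc3dvcmQ6IEV4YW1wbGVWYWx1ZTQ1Ng==

dn: CN=WS01,OU=Workstations,DC=example,DC=local
sAMAccountName: WS01$
ms-Mcs-AdmPwd: Example-Laps-Value

# search result
search: 2
result: 0 Success
"""

# Words that usually indicate a credential was written into a free-text field.
CRED_PATTERN = re.compile(r"\b(pass(word|wd|phrase)?|pwd|credentials?)\b", re.IGNORECASE)

# Legacy LAPS attribute (as on this box) and the Windows LAPS equivalent.
LAPS_ATTRS = ("ms-mcs-admpwd", "mslaps-password")


def parse_ldif(text):
    """Return a list of entries, each a dict {attribute_lowercase: [values]}.

    Only records that carry a dn are kept, so ldapsearch's trailing
    'search:'/'result:' lines are dropped. Attribute names are lower-cased
    because LDAP attribute names are case-insensitive.
    """
    logical_lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue                      # LDIF comment
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]  # folded continuation: drop one leading space
        else:
            logical_lines.append(raw)

    entries, current = [], {}
    for line in logical_lines:
        if not line.strip():              # blank line ends a record
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]


def account_name(entry):
    return entry.get("samaccountname", [entry["dn"][0]])[0]


def find_credentials_in_descriptions(entries):
    """(sAMAccountName, description) for every description that mentions a credential."""
    hits = []
    for entry in entries:
        for desc in entry.get("description", []):
            if CRED_PATTERN.search(desc):
                hits.append((account_name(entry), desc))
    return hits


def find_readable_laps_passwords(entries):
    """sAMAccountNames whose LAPS password attribute came back in the export."""
    return [account_name(e) for e in entries if any(a in e for a in LAPS_ATTRS)]


def audit(ldif_text):
    """Run both checks over an LDIF export and return the findings."""
    entries = parse_ldif(ldif_text)
    return {
        "entries": len(entries),
        "credentials_in_description": find_credentials_in_descriptions(entries),
        "laps_readable": find_readable_laps_passwords(entries),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LDIF)
    print(f"parsed {report['entries']} entries")
    for name, desc in report["credentials_in_description"]:
        print(f"credential-like description on {name}: {desc!r}")
    for name in report["laps_readable"]:
        print(f"LAPS password readable for {name}")
```

Feed it a real export (`ldapsearch ... > export.ldif`, taken with an ordinary user's bind rather than an admin's) and any `laps_readable` hit means non-admins can read that computer's local administrator password; the fix is on the `ms-Mcs-AdmPwd` attribute's ACL (the LAPS `Find-AdmPwdExtendedRights` cmdlet reports who holds that right), not in the script.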

We see that a password is returned, and we can try using `evil-winrm` with it to gain access as SYSTEM.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FqgHa9QD2acnPUPERcN7X%2Fimage.png?alt=media\&token=2c390777-d00b-462f-a917-337c7528ce12)

P.S. After further enumeration of the box, we could also have escalated privileges using JuicyPotato, since `SeImpersonatePrivilege` is enabled.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2Fruer1Wh8CqYllhFg84Yt%2Fimage.png?alt=media\&token=90c478e8-bf60-4010-90f5-c2647782d572)
