📚
OSCP
  • Pentesting
  • Proving Grounds practice
    • Warm up
      • Windows
        • Kevin
        • Internal
        • Metallus
      • Linux
        • ClamAV
        • Exfiltrated
        • Twiggy
    • Get to work
      • Windows
        • Slort
        • Billyboss
        • Fish
        • UT99
        • AuthBy
        • Jacko
        • Shenzi
      • Linux
        • Dibble
        • Pelican
        • Sorcerer
        • Zino
        • Zenphoto
        • Snookums
        • Nibbles
        • Chatty
        • Banzai
    • Try harder
      • Windows
        • Meathead
      • Linux
        • Sirol
        • Peppo
        • Clyde
  • Buffer overflow
    • Buffer Overflow Methodology
    • TryHackMe Practice
      • Overflow1
      • Overflow2
      • Overflow3
      • Overflow4
      • Overflow5
      • Overflow6
      • Overflow7
      • Overflow8
      • Overflow9
      • Overflow10
  • Active Directory
    • AD Authentication
      • NTLM Authentication
      • Kerberos Authentication
    • TryHackMe Practice
      • Attacktive Directory
      • Roasted
      • RazorBlack
    • PG Practice
      • Hutch
      • Vault
      • Heist
Powered by GitBook
On this page
  • Information Gathering
  • Service Enumeration
  • LDAP (Port 389)
  • SMB (Port 139, 445)
  • HTTP (Port 80)
  • Exploit
  • Privesc

Was this helpful?

  1. Active Directory
  2. PG Practice

Hutch

Writeup for Hutch from offsec Proving Grounds

PreviousPG PracticeNextVault

Last updated 3 years ago

Was this helpful?

Information Gathering

sudo nmapAutomator.sh 192.168.131.122 all

Service Enumeration

LDAP (Port 389)

Didn't really get much info from nmap.

We can use ldapsearch to get all account names.

ldapsearch -x -h 192.168.131.122 -D '' -w '' -b "DC=hutch,DC=offsec"

While scrolling through the ldapsearch results, I came across the account name fmcsorely which had a description saying the password is CrabSharkJellyfish192.

fmcsorely:CrabSharkJellyfish192

SMB (Port 139, 445)

Now that we have valid account credentials, we can enumerate SMB shares since there wasn't anonymous login enabled from earlier testing.

HTTP (Port 80)

We run gobuster but there was not anything significant.

From our Nmap scan earlier we know that there is WebDAV enabled. We try connecting via cadaver and we are able to authenticate using credentials found earlier.

Exploit

We then generate a reverse shell payload to be uploaded to the target machine to get a reverse shell connection.

We then navigate to the following URL after starting our listener and we get a connection.

http://192.168.131.122/shell.aspx

Privesc

From running winPEAS, we see that LAPS (Local Administrator Password Solution) is enabled. We can try to search for the ms-Mcs-AdmPwd attribute using ldapsearch.

ldapsearch -x -h 192.168.131.122 -D 'hutch\fmcsorley' -w 'CrabSharkJellyfish192' -b 'dc=hutch,dc=offsec' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd

We see that there is a password and we can try using evil-winrm to gain access as SYSTEM.

P.S After more enumeration of the box, we could have potentially escalated privileges using JuicyPotato also since we have SeImpersonatePrivilege enabled.