Hutch - Proving Grounds Practice
Enumeration
Nmap
The initial Nmap scan revealed that HTTP and the common Domain Controller ports were open.
First I added the domain and the DC hostname to the /etc/hosts file.
LDAP Anonymous Bind
LDAP allowed anonymous binds, so I queried it anonymously, checked the output and found a password for Freddy.
Username Anarchy
Next I ran username-anarchy on the name Freddy McSorley to generate candidate usernames and used that list to brute force SMB with nxc. This gave me the valid credential set.
Exploitation to Administrator (1st way using Active Directory)
Bloodhound-Python
First I ran bloodhound-python with the credentials obtained above.
bloodhound-python -u 'fmcsorley' -p 'CrabSharkJellyfish192' -dc HUTCHDC.hutch.offsec -c all -ns 192.168.198.122 -d hutch.offsec --zip
Read LAPS Password
Checking the output revealed that Freddy could read the LAPS password of the DC.
The "Local Administrator Password Solution" (LAPS) provides management of local account passwords of domain-joined computers. Passwords are stored in Active Directory (AD) and protected by ACLs, so only eligible users can read them or request a reset.
So we can simply read the local Administrator password. I used bloodyAD to read it (for more information see https://bloodhound.specterops.io/resources/edges/read-laps-password).
bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
Then I logged in as Administrator with evil-winrm using that password.
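A defender-side check for the same finding, as an added example that is not part of the writeup: it parses a bloodhound-python computers.json dump (the field names are my assumption about the collector's format) and reports principals that can read a LAPS-managed computer's password but are not on an allow-list.

```python
import json

# Added example (not from the writeup): audit who can read LAPS passwords in a
# bloodhound-python computers.json dump. The assumed JSON shape (data[].Properties
# .haslaps and data[].Aces[].PrincipalSID/RightName) is my reading of BloodHound's
# collector format; verify it against a real dump before relying on it.

# Rights that grant, or imply, reading the confidential ms-Mcs-AdmPwd attribute.
LAPS_READ_RIGHTS = {"ReadLAPSPassword", "GenericAll", "AllExtendedRights"}

# Constructed sample: a LAPS-managed DC where a plain user (RID 1104) can read
# the password, and a non-LAPS workstation whose ACEs must be ignored.
SAMPLE_COMPUTERS_JSON = json.dumps({
    "data": [
        {"Properties": {"name": "HUTCHDC.HUTCH.OFFSEC", "haslaps": True},
         "Aces": [
             {"PrincipalSID": "S-1-5-21-1-2-3-512", "PrincipalType": "Group",
              "RightName": "GenericAll", "IsInherited": False},
             {"PrincipalSID": "S-1-5-21-1-2-3-1104", "PrincipalType": "User",
              "RightName": "ReadLAPSPassword", "IsInherited": False}]},
        {"Properties": {"name": "WS01.HUTCH.OFFSEC", "haslaps": False},
         "Aces": [
             {"PrincipalSID": "S-1-5-21-1-2-3-1105", "PrincipalType": "User",
              "RightName": "ReadLAPSPassword", "IsInherited": False}]},
    ],
    "meta": {"type": "computers", "count": 2, "version": 5},
})


def laps_readers(computers_json):
    """Map each LAPS-managed computer to the sorted SIDs able to read its
    local Administrator password."""
    readers = {}
    for computer in json.loads(computers_json)["data"]:
        props = computer.get("Properties", {})
        if not props.get("haslaps"):
            continue  # no ms-Mcs-AdmPwd on this host, nothing to protect
        readers[props["name"]] = sorted({
            ace["PrincipalSID"] for ace in computer.get("Aces", [])
            if ace.get("RightName") in LAPS_READ_RIGHTS})
    return readers


def unexpected_laps_readers(computers_json, allowed_rids=("512", "519")):
    """Readers whose RID is not allow-listed (default: Domain Admins 512 and
    Enterprise Admins 519); returns {computer: [sid, ...]}, empty when clean."""
    findings = {}
    for name, sids in laps_readers(computers_json).items():
        bad = [s for s in sids if s.rsplit("-", 1)[-1] not in allowed_rids]
        if bad:
            findings[name] = bad
    return findings
```

Run it against a real dump by reading computers.json into a string and passing it to unexpected_laps_readers; any non-empty result is a principal worth reviewing.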
Exploitation to Administrator (2nd way using WebDAV and SeImpersonatePrivilege)
WebDAV
The website had WebDAV enabled, as seen in the Nmap output.
So I searched for WebDAV pentesting and found a Hacviser post. It recommended using cadaver, so I used it to upload shell.aspx to the WebDAV directory.
SeImpersonatePrivilege
Then visiting the page directly gave me a reverse shell as the IIS service user, and that user had SeImpersonatePrivilege enabled.
So I simply transferred GodPotato using WebDAV.
Then I ran it and read the Administrator flag.