📚Hutch

IP: 192.168.73.122

Enumeration

Nmap scan

nmap -sV -p- 192.168.73.122 -A -Pn

Port 53 - DNS

DNS recon turned up nothing.

Port 80 - HTTP

This just turns up an IIS default landing page. Directory busting turned up nothing. After submitting my root and user flags I was able to look at the walkthrough. There was a vector here because the server uses WebDAV and I could have uploaded an ASPX reverse shell for a low privilege shell. Eh, I found user credentials through LDAP first.

Port 88 - Kerberos

Tried kerberoasting the DC but came back with nothing.

Port 135 - RPC

Can get into RPC unauthenticated.

Unable to enumdomusers or do much from RPC.

Port 389/636 - LDAP

Got a lot of information enumerating LDAP.

ldapsearch -x -H ldap://192.168.73.122 -D '' -w '' -b "DC=hutch,DC=offsec"

Users found:

rplacidi
opatry
ltaunton
acostello
jsparwell
oknee
jmckendry
avictoria
jfrarey
eaburrow
cluddy
agitthouse
fmcsorley

Port 139/445 - SMB

SMB login

smbclient  \\\\192.168.73.122\\SYSVOL  --user='hutch/fmcsorley' --password='CrabSharkJellyfish192'

LDAP Revisited

Got a hint around this part that an authenticated LDAP query might turn up more results. Already knew that the machine was using LAPS because of some of the files I found in SYSVOL. But did not know to do an authenticated LDAP query. Notes and methodology updated.

LDAP Query
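An added example, not part of the original writeup: a Python audit that parses saved `ldapsearch` LDIF output (from the anonymous bind above or from an authenticated query) and reports which account names and which sensitive attributes, such as the LAPS password attribute, that bind was allowed to read. The sample LDIF and its names and values are constructed, and the attribute watch list is an assumption to adjust per directory.

```python
import base64

# Attributes an anonymous or low-privilege bind should not be able to read
# (assumed watch list). ms-Mcs-AdmPwd is the legacy LAPS password attribute.
SENSITIVE = {"ms-mcs-admpwd", "mslaps-password", "userpassword"}

# Constructed LDIF shaped like ldapsearch output; every value is made up.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=Example User,CN=Users,DC=example,DC=test
sAMAccountName: euser
description: Constructed sample account for the
  audit example

dn: CN=WS01,CN=Computers,DC=example,DC=test
sAMAccountName: WS01$
ms-Mcs-AdmPwd:: RXhhbXBsZU9ubHkh

# search result
search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Return one {attribute_lowercased: [values]} dict per LDIF entry."""
    lines, in_comment = [], False
    for raw in text.splitlines():
        if raw.startswith(" "):          # folded line continues the previous one
            if lines and not in_comment:
                lines[-1] += raw[1:]
        else:
            in_comment = raw.startswith("#")
            if not in_comment:
                lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):        # "attr:: ..." carries a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def audit(entries):
    """Return (account names, [(dn, sensitive attribute)]) that the bind could read."""
    accounts = [e["samaccountname"][0] for e in entries if "samaccountname" in e]
    exposed = [(e.get("dn", ["?"])[0], a)
               for e in entries for a in sorted(SENSITIVE.intersection(e))]
    return accounts, exposed
```

Running it once per bind identity and comparing the reports shows which readable attributes depend on authentication; the report names the attribute but does not echo its value.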

Domain Admin
