📚 Hutch

IP: 192.168.73.122

Enumeration

Nmap scan

nmap -sV -p- 192.168.73.122 -A -Pn

Port 53 - DNS

DNS recon turned up nothing.

Port 80 - HTTP

This just turns up an IIS default landing page. Directory busting turned up nothing. After submitting my root and user flags I was able to look at the walkthrough. There was a vector here because the server uses WebDAV and I could have uploaded an ASPX reverse shell for a low-privilege shell. Eh, I found user credentials through LDAP first.

Port 88 - Kerberos

Tried kerberoasting the DC but came back with nothing.

Port 135 - RPC

Can get into RPC unauthenticated.

Unable to run enumdomusers or do much from RPC.

Port 389/636 - LDAP

Got a lot of information enumerating LDAP.

Users found:

Port 139/445 - SMB

SMB login

LDAP Revisited

Got a hint around this part that an authenticated LDAP query might turn up more results. I already knew that the machine was using LAPS because of some of the files I found in SYSVOL, but did not know to do an authenticated LDAP query. Notes and methodology updated.

LDAP Query

Domain Admin
