AesirSec
  • 🏑Home
  • πŸ“šBlog
    • Radio Silence
    • OSCP Strategy
    • Plan for 2023
    • PNPT
    • Plan for 2022
    • eJPT
  • ❓Enumeration
  • 🐧Linux
    • Commands
    • Restricted Shell Bypassing
    • Stabilize Shell
  • πŸͺŸWindows
    • Commands
    • Transferring Files
  • πŸ“•Active Directory
    • Enumeration
    • Attacking AD Initial Vectors
    • Ipv6 attacks
    • Post Compromise Enum
    • Strategy
  • #️Privilege Escalation
    • 🐳Docker
    • 🐧Linux
    • πŸͺŸWindows
  • πŸ•ΈοΈWeb Apps
    • LFI
    • Apache
    • CSRF
    • PHP
    • XSS
    • SQLi
    • Pay Loads All The Things
  • πŸ‘ΎBuffer Overflows
  • πŸ’»Programming
    • 🐍Python
  • πŸ‘¨β€πŸ’»Ports/Technologies
    • FTP - Port 21
    • SSH - Port 22
    • Telnet - Port 23
    • DNS - 53
    • HTTP/S - 80/443
    • RPC - 135
    • SMB - 139/445
    • LDAP - 389/636
    • SQL - Port 3306
    • Docker
    • IIS
  • πŸ› οΈTools
    • ffuf
    • wwwtree
    • Rogue LDAP Servers
    • Wpscan
    • crackmapexec
    • msfvenom
    • John the Ripper
    • Hydra
  • 🐬Flipper Zero/ Radio Frequency
  • πŸ—ƒοΈBoxes/Write Ups
    • Template
    • πŸ‰Game Of Active Directory v2 - Day 1
    • Proving Grounds
      • Proving Grounds Practice
        • πŸ“šHeist
        • πŸ“šHutch
        • πŸͺŸInternal
        • πŸͺŸShenzi
        • πŸͺŸJacko
        • πŸͺŸDVR4 - qued
        • πŸͺŸNickel
        • πŸͺŸSlort
        • 🐧Walla
        • 🐧Snookums
        • 🐧Exfiltrated
        • 🐧Wheels
        • 🐧ClamAV
        • πŸͺŸSquid
        • πŸͺŸAlgernon
        • πŸͺŸHelpdesk
      • Proving Grounds Play
        • πŸͺŸSams
        • 🐧Assertion101
        • 🐧DriftingBlues6
        • 🐧DC-2 - unfinished
        • 🐧InfoSecPrep
        • 🐧Stapler
        • 🐧BBSCute
        • 🐧SoSimple
        • 🐧Solstice
        • 🐧FunBoxEasyEnum
        • 🐧Sumo
        • 🐧FunBoxRookie
        • 🐧MoneyBox
        • 🐧CyberSploit1
        • 🐧Wpawn
        • 🐧Dawn
        • 🐧Pwned1
        • 🐧FunBoxEasy
        • 🐧DC-1
    • TryHackMe
      • πŸͺŸAnthem
  • πŸ”—Helpful Links
  • πŸ§™whoami
  • πŸ΄β€β˜ οΈGithub
  • πŸ“‘Discord
  • 🐦Twitter
Powered by GitBook
On this page
  • IP: 192.168.73.122
  • Enumeration
  • Port 53 - Dns
  • Port 80 - Http
  • Port 88 - Kerberos
  • Port 135 - RPC
  • Port 389/636 - LDAP
  • Port 139/445 - Smb
  • LDAP Revisited
  • Domain Admin

Was this helpful?

  1. Boxes/Write Ups
  2. Proving Grounds
  3. Proving Grounds Practice

Hutch

PreviousHeistNextInternal

Last updated 2 years ago

Was this helpful?

IP: 192.168.73.122

Enumeration

Nmap scan

nmap -sV -p- 192.168.73.122 -A -Pn

Port 53 - Dns

DNS recon turned up nothing.

Port 80 - Http

This just turns up and IIS default landing page. Directory busting turned up nothing. After submitting my root and user flags I was able to look at the walkthrough. There was a vector here because the server uses webdav and I could have uploaded an ASPX reverse shell for a low privilege shell. Eh I found user credentials through LDAP first.

Port 88 - Kerberos

Tried kerberoasting the DC but came back with nothing.

Port 135 - RPC

Can get into RPC unauthenticated.

Unable to Enumdomusers or do much from RPC.

Port 389/636 - LDAP

Got a lot of information enumerating LDAP.

ldapsearch -x -H ldap://192.168.73.122 -D '' -w '' -b "DC=hutch,DC=offsec"

Users found:

rplacidi
opatry
ltaunton
acostello
jsparwell
oknee
jmckendry
avictoria
jfrarey
eaburrow
cluddy
agitthouse
fmcsorley

Port 139/445 - Smb

SMB login

smbclient  \\\\192.168.73.122\\SYSVOL  --user='hutch/fmcsorley' --password='CrabSharkJellyfish192'

LDAP Revisited

Got a hint around this part that an authenticated ldap query might turn up more results. Already knew that the machine was using LAPS because of some of the files I found in SYSVOL. But did not know to do an authenticated LDAP query. Notes and methodology updated. LDAP Query

Domain Admin

πŸ—ƒοΈ
πŸ“š