mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-23 04:23:04 +00:00
189 lines
6.3 KiB
Markdown
189 lines
6.3 KiB
Markdown
|
# HackTheBox - Monteverde
|
||
|
|
||
|
## NMAP
|
||
|
|
||
|
```bash
|
||
|
PORT STATE SERVICE VERSION
|
||
|
53/tcp open domain?
|
||
|
| fingerprint-strings:
|
||
|
| DNSVersionBindReqTCP:
|
||
|
| version
|
||
|
|_ bind
|
||
|
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-12-11 11:29:48Z)
|
||
|
135/tcp open msrpc Microsoft Windows RPC
|
||
|
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|
||
|
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
|
||
|
445/tcp open microsoft-ds?
|
||
|
464/tcp open kpasswd5?
|
||
|
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
|
||
|
636/tcp open tcpwrapped
|
||
|
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
|
||
|
3269/tcp open tcpwrapped
|
||
|
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|
||
|
|_http-server-header: Microsoft-HTTPAPI/2.0
|
||
|
|_http-title: Not Found
|
||
|
9389/tcp open mc-nmf .NET Message Framing
|
||
|
49667/tcp open msrpc Microsoft Windows RPC
|
||
|
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
|
||
|
49674/tcp open msrpc Microsoft Windows RPC
|
||
|
49676/tcp open msrpc Microsoft Windows RPC
|
||
|
49696/tcp open msrpc Microsoft Windows RPC
|
||
|
59490/tcp open msrpc Microsoft Windows RPC
|
||
|
Host script results:
|
||
|
|_clock-skew: -1s
|
||
|
| smb2-security-mode:
|
||
|
| 2.02:
|
||
|
|_ Message signing enabled and required
|
||
|
| smb2-time:
|
||
|
| date: 2021-12-11T11:32:09
|
||
|
|_ start_date: N/A
|
||
|
|
||
|
NSE: Script Post-scanning.
|
||
|
```
|
||
|
|
||
|
From the nmap scan we can see that port 88 is open which is used by kerberos so this machine is an active directory machine
|
||
|
|
||
|
## PORT 139/445 (SMB)
|
||
|
|
||
|
We can try to see if we can login to smb share through unauthenticated user
|
||
|
|
||
|
<img src="https://i.imgur.com/uLMLvqY.png"/>
|
||
|
|
||
|
We were logged in but don't see any share so moving on , we can try to use `enum4linux` or `windapsearch` which can enumerate users from `LDAP` queries, from the nmap scan we can find the domain name which is `MEGABANK.local` so put that in `/etc/hosts` file
|
||
|
|
||
|
<img src="https://i.imgur.com/ascUJe4.png"/>
|
||
|
|
||
|
This will list service accounts and domain users, let's try doing it with enum4linux-ng
|
||
|
|
||
|
<img src="https://i.imgur.com/AovizRf.png"/>
|
||
|
|
||
|
Now this tool provides us better results so I'll go with this and note the usernames in a text file
|
||
|
|
||
|
<img src="https://i.imgur.com/JLz21lM.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/uwyRAg7.png"/>'
|
||
|
|
||
|
Next I tried to see which users have pre-authentication disabled on them so I can get a hash of the user account
|
||
|
|
||
|
```bash
|
||
|
python3 GetNPUsers.py -dc-ip 10.10.10.172 MEGABANK.local/arz -usersfile ~/Notes/CTFs/HTB/Medium/Monteverde/users.txt
|
||
|
```
|
||
|
|
||
|
<img src="https://i.imgur.com/ExajSLn.png"/>
|
||
|
|
||
|
But we didn't had any luck doing AS-REP roasting , next we could try some common passowrds and brute force it against smb , I created a list of common passwords
|
||
|
|
||
|
```
|
||
|
12345678
|
||
|
admin
|
||
|
dgalanos
|
||
|
roleary
|
||
|
smorgan
|
||
|
password
|
||
|
password123
|
||
|
Password
|
||
|
Password123
|
||
|
1234567
|
||
|
```
|
||
|
|
||
|
<img src="https://i.imgur.com/mxUfCRV.png"/>
|
||
|
|
||
|
But it didn't work , so I tried to use the usernames as a password list
|
||
|
|
||
|
<img src="https://i.imgur.com/88g93wf.png"/>
|
||
|
|
||
|
And this found as a valid username and password for smb , so I tried it on winrm to see if I can get a shell and sadly they weren't valid for winrm
|
||
|
|
||
|
<img src="https://i.imgur.com/7DDNerC.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/cAS3Z7A.png"/>
|
||
|
|
||
|
We have read access to `azure_uploads` but it was emtpy
|
||
|
|
||
|
<img src="https://i.imgur.com/GdqKo7l.png"/>
|
||
|
|
||
|
## Foothold
|
||
|
|
||
|
Checking the `users$` share we see a `azure.xml` file in `mhope` 's directory
|
||
|
|
||
|
<img src="https://i.imgur.com/fthQiHp.png"/>
|
||
|
|
||
|
On reading the xml we can find a clear text password
|
||
|
|
||
|
<img src="https://i.imgur.com/09tY5r0.png"/>
|
||
|
|
||
|
So let's run crackmapexec again to see if we got the correct password
|
||
|
|
||
|
<img src="https://i.imgur.com/bx9HE1a.png"/>
|
||
|
|
||
|
Using `evil-winrm` we can use that to login over winrm , after logging in we can see that this user is in `Azure Admins` group
|
||
|
|
||
|
<img src="https://i.imgur.com/ZiXIvSO.png"/>
|
||
|
|
||
|
Upload `Sharphound.ps1` file which is used for collecting information of AD and then using that info we can enumerate the AD using `bloodhound`
|
||
|
|
||
|
<img src="https://i.imgur.com/IO39L01.png"/>
|
||
|
|
||
|
```powershell
|
||
|
Invoke-Bloodhound -CollectionMethod All -Domain MEGABANK.local -ZipFileName loot.zip
|
||
|
```
|
||
|
|
||
|
<img src="https://i.imgur.com/hcYJRf3.png"/>
|
||
|
|
||
|
We can download this archive file by using evil-winrm's download function in which we have to provide absolute path of the file
|
||
|
|
||
|
<img src="https://i.imgur.com/euT3S5F.png"/>
|
||
|
|
||
|
Now let's launch `neo4j console` and `bloodhound` , import the json files that you get after extracting the archive
|
||
|
|
||
|
<img src="https://i.imgur.com/s4wygU1.png"/>
|
||
|
|
||
|
Running any one of the built-in queries to see if data is actually loaded
|
||
|
|
||
|
<img src="https://i.imgur.com/pW0YTB0.png"/>
|
||
|
|
||
|
But here I didn't find anything that would help me escalate privileges
|
||
|
|
||
|
<img src="https://i.imgur.com/eRY82TY.png"/>
|
||
|
|
||
|
## Privilege Escalation
|
||
|
|
||
|
Now remeber that we saw mhope was in Azure admins group so maybe we have to abuse that ,searching of Azure AD related exploit I found an article which would exploit the database and give us the plaintext password
|
||
|
|
||
|
<img src="https://i.imgur.com/BwbZJTG.png"/>
|
||
|
|
||
|
Download the executable for this exploit from here
|
||
|
|
||
|
https://github.com/VbScrub/AdSyncDecrypt/releases
|
||
|
|
||
|
<img src="https://i.imgur.com/jdBsHAp.png"/>
|
||
|
|
||
|
And now uploading the exe and the dll file , in order to run this we need to be in this location `C:\Program Files\Microsoft Azure AD Sync\Bin` and from here execute the exe (doesn't matter where we upload it)
|
||
|
|
||
|
<img src="https://i.imgur.com/EANqNET.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/64O8bgU.png"/>
|
||
|
|
||
|
This gives us the adminstrator's password
|
||
|
|
||
|
<img src="https://i.imgur.com/oZk1HoM.png"/>
|
||
|
|
||
|
We can then further extract user hashes
|
||
|
|
||
|
<img src="https://i.imgur.com/HJAqL8C.png"/>
|
||
|
|
||
|
|
||
|
## References
|
||
|
|
||
|
https://vbscrub.com/2020/01/14/azure-ad-connect-database-exploit-priv-esc/
|
||
|
|
||
|
|
||
|
```
|
||
|
SABatchJobs:SABatchJobs
|
||
|
|
||
|
|
||
|
smbclient -U 'SABatchJobs' \\\\10.10.10.172\\azure_uploads
|
||
|
smbclient -U SABatchJobs -L \\\\10.10.10.172\
|
||
|
```
|
||
|
|
||
|
Administrator:d0m@in4dminyeah!
|