Add files via upload

2024-11-21 19:43:03 +00:00 · 2021-12-11 20:23:56 +05:00 · 2021-12-11 20:23:56 +05:00 · a54d4206ff
commit a54d4206ff
parent 9cb8e4c78e
1 changed files with 189 additions and 0 deletions
--- a/HackTheBox/Monteverde.md
+++ b/HackTheBox/Monteverde.md
@ -0,0 +1,189 @@
+# HackTheBox - Monteverde
+
+## NMAP
+
+```bash
+PORT      STATE SERVICE       VERSION
+53/tcp    open  domain?
+| fingerprint-strings: 
+|   DNSVersionBindReqTCP: 
+|     version                                                          
+|_    bind   
+88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-12-11 11:29:48Z)
+135/tcp   open  msrpc         Microsoft Windows RPC
+139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
+389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
+445/tcp   open  microsoft-ds?
+464/tcp   open  kpasswd5?                                              
+593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
+636/tcp   open  tcpwrapped                                             
+3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
+3269/tcp  open  tcpwrapped                                             
+5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+|_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                   
+|_http-title: Not Found                                                
+9389/tcp  open  mc-nmf        .NET Message Framing                
+49667/tcp open  msrpc         Microsoft Windows RPC
+49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
+49674/tcp open  msrpc         Microsoft Windows RPC
+49676/tcp open  msrpc         Microsoft Windows RPC
+49696/tcp open  msrpc         Microsoft Windows RPC
+59490/tcp open  msrpc         Microsoft Windows RPC
+Host script results:
+|_clock-skew: -1s
+| smb2-security-mode: 
+|   2.02: 
+|_    Message signing enabled and required
+| smb2-time: 
+|   date: 2021-12-11T11:32:09
+|_  start_date: N/A
+
+NSE: Script Post-scanning.
+```
+
+From the nmap scan we can see that port 88 is open which is used by kerberos so this machine is an active directory machine
+
+## PORT 139/445 (SMB)
+
+We can try to see if we can login to smb share through unauthenticated  user
+
+<img src="https://i.imgur.com/uLMLvqY.png"/>
+
+We were logged in but don't see any share so moving on , we can try to use `enum4linux` or `windapsearch` which can enumerate users from `LDAP` queries, from the nmap scan we can find the domain name which is `MEGABANK.local` so put that in `/etc/hosts` file
+
+<img src="https://i.imgur.com/ascUJe4.png"/>
+
+This will list service accounts and domain users, let's try doing it with enum4linux-ng
+
+<img src="https://i.imgur.com/AovizRf.png"/>
+
+Now this tool provides us better results so I'll go with this and note the usernames in a text file 
+
+<img src="https://i.imgur.com/JLz21lM.png"/>
+
+<img src="https://i.imgur.com/uwyRAg7.png"/>'
+
+Next I tried to see which users have pre-authentication disabled on them so I can get a hash of the user account
+
+```bash
+python3 GetNPUsers.py -dc-ip 10.10.10.172 MEGABANK.local/arz -usersfile ~/Notes/CTFs/HTB/Medium/Monteverde/users.txt
+```
+
+<img src="https://i.imgur.com/ExajSLn.png"/>
+
+But we didn't had any luck doing AS-REP roasting , next we could try some common passowrds and brute force it against smb , I created a list of common passwords
+
+```
+12345678
+admin
+dgalanos
+roleary
+smorgan
+password
+password123
+Password
+Password123
+1234567
+```
+
+<img src="https://i.imgur.com/mxUfCRV.png"/>
+
+But it didn't work , so I tried to use the usernames as a password list
+
+<img src="https://i.imgur.com/88g93wf.png"/>
+
+And this found as a valid username and password for smb , so I tried it on winrm to see if I can get a shell and sadly they weren't valid for winrm
+
+<img src="https://i.imgur.com/7DDNerC.png"/>
+
+<img src="https://i.imgur.com/cAS3Z7A.png"/>
+
+We have read access to `azure_uploads` but it was emtpy
+
+<img src="https://i.imgur.com/GdqKo7l.png"/>
+
+## Foothold
+
+Checking the `users$` share we see a `azure.xml` file in `mhope` 's directory
+
+<img src="https://i.imgur.com/fthQiHp.png"/>
+
+On reading the xml we can find a clear text password
+
+<img src="https://i.imgur.com/09tY5r0.png"/>
+
+So let's run crackmapexec again to see if we got the correct password
+
+<img src="https://i.imgur.com/bx9HE1a.png"/>
+
+Using `evil-winrm` we can use that to login over winrm , after logging in we can see that this user is in `Azure Admins` group
+
+<img src="https://i.imgur.com/ZiXIvSO.png"/>
+
+Upload `Sharphound.ps1` file which is used for collecting information of AD and then using that info we can enumerate the AD using `bloodhound`
+
+<img src="https://i.imgur.com/IO39L01.png"/>
+
+```powershell
+Invoke-Bloodhound -CollectionMethod All -Domain MEGABANK.local -ZipFileName loot.zip
+```
+
+<img src="https://i.imgur.com/hcYJRf3.png"/>
+
+We can download this archive file by using evil-winrm's download function in which we have to provide absolute path of the file
+
+<img src="https://i.imgur.com/euT3S5F.png"/>
+
+Now let's launch `neo4j console` and `bloodhound` , import the json files that you get after extracting the archive
+
+<img src="https://i.imgur.com/s4wygU1.png"/>
+
+Running any one of the built-in queries to see if data is actually loaded
+
+<img src="https://i.imgur.com/pW0YTB0.png"/>
+
+But here I didn't find anything that would help me escalate privileges
+
+<img src="https://i.imgur.com/eRY82TY.png"/>
+
+## Privilege Escalation
+
+Now remeber that we saw mhope was in Azure admins group so maybe we have to abuse that ,searching of Azure AD related exploit I found an article which would exploit the database and give us the plaintext password 
+
+<img src="https://i.imgur.com/BwbZJTG.png"/>
+
+Download the executable for this exploit from here
+
+https://github.com/VbScrub/AdSyncDecrypt/releases
+
+<img src="https://i.imgur.com/jdBsHAp.png"/>
+
+And now uploading the exe and the dll file , in order to run this we need to be in this location `C:\Program Files\Microsoft Azure AD Sync\Bin` and from here execute the exe (doesn't matter where we upload it)
+
+<img src="https://i.imgur.com/EANqNET.png"/>
+
+<img src="https://i.imgur.com/64O8bgU.png"/>
+
+This gives us the adminstrator's password 
+
+<img src="https://i.imgur.com/oZk1HoM.png"/>
+
+We can then further extract user hashes
+
+<img src="https://i.imgur.com/HJAqL8C.png"/>
+
+
+## References
+
+https://vbscrub.com/2020/01/14/azure-ad-connect-database-exploit-priv-esc/
+
+
+```
+SABatchJobs:SABatchJobs
+
+
+smbclient -U 'SABatchJobs'  \\\\10.10.10.172\\azure_uploads
+smbclient -U SABatchJobs -L  \\\\10.10.10.172\
+```
+
+Administrator:d0m@in4dminyeah!