# HackTheBox - Monteverde

## NMAP

```bash
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-12-11 11:29:48Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  msrpc         Microsoft Windows RPC
59490/tcp open  msrpc         Microsoft Windows RPC

Host script results:
|_clock-skew: -1s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-12-11T11:32:09
|_  start_date: N/A

NSE: Script Post-scanning.
```

From the nmap scan we can see that port 88 (Kerberos) is open, together with LDAP on 389/636 and the global catalog on 3268/3269, so this machine is an Active Directory domain controller.

## PORT 139/445 (SMB)

We can try to see if we can log in to the SMB shares as an unauthenticated user.

We were logged in but don't see any shares, so moving on. We can try `enum4linux` or `windapsearch`, which can enumerate users through `LDAP` queries. From the nmap scan we can find the domain name, which is `MEGABANK.local`, so put that in the `/etc/hosts` file.

This will list service accounts and domain users; let's try doing it with enum4linux-ng.

This tool gives us better results, so I'll go with it and note the usernames in a text file.

Next I tried to see which users have Kerberos pre-authentication disabled, so I could get a hash for those accounts (AS-REP roasting):

```bash
python3 GetNPUsers.py -dc-ip 10.10.10.172 MEGABANK.local/arz -usersfile ~/Notes/CTFs/HTB/Medium/Monteverde/users.txt
```

But we didn't have any luck with AS-REP roasting. Next we could try some common passwords and spray them against SMB. I created a list of common passwords:

```
12345678
admin
dgalanos
roleary
smorgan
password
password123
Password
Password123
1234567
```

But it didn't work, so I tried using the usernames themselves as the password list.

This found `SABatchJobs:SABatchJobs` as a valid username and password for SMB, so I tried it on WinRM to see if I could get a shell, and sadly it wasn't valid for WinRM.

We have read access to `azure_uploads`, but it was empty.

## Foothold

Checking the `users$` share we see an `azure.xml` file in `mhope`'s directory.

On reading the XML we can find a clear-text password.

So let's run crackmapexec again to see if we got the correct password.

Using `evil-winrm` we can log in over WinRM. After logging in we can see that this user is in the `Azure Admins` group.

Upload the `SharpHound.ps1` file, which collects information about the AD; we can then use that data to enumerate the AD with `bloodhound`:

```powershell
Invoke-Bloodhound -CollectionMethod All -Domain MEGABANK.local -ZipFileName loot.zip
```

We can download this archive with evil-winrm's download function, which requires the absolute path of the file.

Now launch `neo4j console` and `bloodhound`, and import the JSON files you get after extracting the archive.

Run any one of the built-in queries to check that the data is actually loaded.

But here I didn't find anything that would help me escalate privileges.

## Privilege Escalation

Now remember that we saw mhope was in the Azure Admins group, so maybe we have to abuse that. Searching for Azure AD related exploits, I found an article which exploits the Azure AD Connect database and gives us the plaintext password.

Download the executable for this exploit from here: https://github.com/VbScrub/AdSyncDecrypt/releases

Now upload the exe and the dll file. In order to run it we need to be in `C:\Program Files\Microsoft Azure AD Sync\Bin` and execute the exe from there (it doesn't matter where we upload it).

This gives us the administrator's password.

We can then further extract user hashes.

## References

https://vbscrub.com/2020/01/14/azure-ad-connect-database-exploit-priv-esc/

## Notes

```
SABatchJobs:SABatchJobs
smbclient -U 'SABatchJobs' \\\\10.10.10.172\\azure_uploads
smbclient -U SABatchJobs -L \\\\10.10.10.172\
```

Administrator:d0m@in4dminyeah!
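The "port 88 is open so this is AD" reasoning in the NMAP section above can be made explicit. The following is an added example, not code from the original writeup: a small Python parser for plain `nmap -sV -sC` text output that pulls out the domain-controller indicators (Kerberos, LDAP, global catalog, kpasswd, ADWS), the domain name from the LDAP banner, whether SMB signing is required, and the clock skew that matters for Kerberos. The embedded scan text is an excerpt copied from the scan above; the `0.` suffix handling reflects how nmap renders the LDAP domain string in that output, and the `hosts_entry` helper and its lowercase form are my own convention.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the nmap output from the writeup above (embedded so this runs offline).
NMAP_OUTPUT = """\
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-12-11 11:29:48Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
Host script results:
|_clock-skew: -1s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
"""

# Ports that, taken together, point at a domain controller rather than a member server.
DC_PORTS = {
    88: "Kerberos",
    389: "LDAP",
    464: "kpasswd",
    636: "LDAPS",
    3268: "Global Catalog",
    3269: "Global Catalog (TLS)",
    9389: "AD Web Services",
}

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")
DOMAIN_RE = re.compile(r"Domain:\s*([^,\s]+)")
SKEW_RE = re.compile(r"clock-skew:\s*(\S+)")


@dataclass
class HostProfile:
    open_ports: Dict[int, str] = field(default_factory=dict)
    domain: Optional[str] = None
    smb_signing_required: bool = False
    clock_skew: Optional[str] = None

    @property
    def dc_indicators(self) -> List[int]:
        return sorted(p for p in self.open_ports if p in DC_PORTS)

    @property
    def is_domain_controller(self) -> bool:
        # Kerberos plus LDAP is the minimum we treat as DC evidence.
        return 88 in self.open_ports and 389 in self.open_ports


def parse_nmap(text: str) -> HostProfile:
    prof = HostProfile()
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, service, version = int(m.group(1)), m.group(2), m.group(3)
            prof.open_ports[port] = service
            dm = DOMAIN_RE.search(version)
            if dm and prof.domain is None:
                # nmap prints the LDAP domain with a trailing "0." (e.g. "MEGABANK.LOCAL0.");
                # strip that artifact to get the FQDN the writeup puts in /etc/hosts.
                prof.domain = re.sub(r"0\.$", "", dm.group(1))
            continue
        if "Message signing enabled and required" in line:
            prof.smb_signing_required = True
        sm = SKEW_RE.search(line)
        if sm:
            prof.clock_skew = sm.group(1)
    return prof


def hosts_entry(prof: HostProfile, ip: str) -> str:
    # Builds the /etc/hosts line the writeup adds; hypothetical helper, lowercase by choice.
    fqdn = (prof.domain or "unknown").lower()
    return f"{ip} {fqdn} {fqdn.split('.')[0]}"


def summary(prof: HostProfile) -> str:
    role = "domain controller" if prof.is_domain_controller else "member host"
    ports = ", ".join(f"{p} ({DC_PORTS[p]})" for p in prof.dc_indicators)
    signing = "required" if prof.smb_signing_required else "NOT required"
    return f"{role} for {prof.domain}; DC ports: {ports}; SMB signing {signing}; clock skew {prof.clock_skew}"


if __name__ == "__main__":
    profile = parse_nmap(NMAP_OUTPUT)
    print(summary(profile))
    print(hosts_entry(profile, "10.10.10.172"))
```

Signing being "enabled and required" is worth recording: it rules out SMB relay against this host, and the small clock skew means Kerberos tooling will work without time adjustment.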
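The username-as-password spray against SMB in the SMB section is the kind of activity a domain controller should be alerting on: many distinct accounts failing from one source in a short window (logon failure event 4625), and, worse, a success (4624) for one of them shortly afterwards. The following is an added example, not from the writeup, that runs that detection over a constructed log excerpt and separates spraying (many accounts, one or two tries each) from brute force (one account, many tries). The source IPs, timestamps, the flattened `timestamp event_id source_ip user status` layout and the thresholds are all constructed or assumed; the status codes are the standard NTSTATUS values (`0xC000006A` wrong password, `0x0` success).

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: DC security events flattened to one line each.
# Usernames are ones named in the writeup plus two made-up ones; IPs are constructed.
SAMPLE_EVENTS = """\
2021-12-11T11:40:01Z 4625 10.10.14.5 mhope 0xC000006A
2021-12-11T11:40:01Z 4625 10.10.14.5 SABatchJobs 0xC000006A
2021-12-11T11:40:02Z 4625 10.10.14.5 dgalanos 0xC000006A
2021-12-11T11:40:02Z 4625 10.10.14.5 roleary 0xC000006A
2021-12-11T11:40:03Z 4625 10.10.14.5 smorgan 0xC000006A
2021-12-11T11:40:03Z 4625 10.10.14.5 alice 0xC000006A
2021-12-11T11:40:04Z 4625 10.10.14.5 bob 0xC000006A
2021-12-11T11:40:04Z 4625 10.10.14.5 Administrator 0xC000006A
2021-12-11T11:40:09Z 4624 10.10.14.5 SABatchJobs 0x0
2021-12-11T11:41:00Z 4625 10.10.14.9 mhope 0xC000006A
2021-12-11T11:41:05Z 4625 10.10.14.9 mhope 0xC000006A
2021-12-11T11:41:10Z 4625 10.10.14.9 mhope 0xC000006A
2021-12-11T11:41:15Z 4625 10.10.14.9 mhope 0xC000006A
2021-12-11T11:41:20Z 4625 10.10.14.9 mhope 0xC000006A
2021-12-11T11:41:25Z 4625 10.10.14.9 mhope 0xC000006A
2021-12-11T09:00:00Z 4625 10.10.14.20 alice 0xC000006A
"""

# Assumed thresholds; tune them to the environment's normal failure rate.
SPRAY_MIN_ACCOUNTS = 5      # distinct accounts failing from one source
SPRAY_MAX_PER_ACCOUNT = 2   # a spray touches each account only once or twice
BRUTE_MIN_ATTEMPTS = 5      # repeated failures against a single account
WINDOW = timedelta(minutes=10)


def parse_events(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        ts, eid, src, user, status = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "id": int(eid),
            "src": src,
            "user": user.lower(),   # AD names are case-insensitive; normalise for grouping
            "status": status,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[Dict]) -> List[Dict]:
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    for src, evs in by_src.items():
        failures = [e for e in evs if e["id"] == 4625]
        i = 0
        while i < len(failures):
            # Window anchored at failure i; failures are time-ordered, so this is a prefix.
            start = failures[i]["ts"]
            window = [e for e in failures[i:] if e["ts"] - start <= WINDOW]
            per_user = defaultdict(int)
            for e in window:
                per_user[e["user"]] += 1

            kind = None
            if len(per_user) >= SPRAY_MIN_ACCOUNTS and max(per_user.values()) <= SPRAY_MAX_PER_ACCOUNT:
                kind = "password_spray"
            elif len(per_user) == 1 and len(window) >= BRUTE_MIN_ATTEMPTS:
                kind = "brute_force"

            if kind is None:
                i += 1
                continue

            # A 4624 from the same source right after the burst is the highest-value signal:
            # it names the account whose password the spray actually guessed.
            last = window[-1]["ts"]
            compromised = sorted({e["user"] for e in evs
                                  if e["id"] == 4624 and start <= e["ts"] <= last + WINDOW})
            alerts.append({"src": src, "kind": kind, "accounts": len(per_user),
                           "attempts": len(window), "compromised": compromised})
            i += len(window)   # skip past the burst so it is reported once
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(a)
```

The single failure from `10.10.14.20` produces no alert, which is the point of the thresholds: a lone mistyped password is noise, a burst across eight accounts followed by a success for one of them is not.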