HackTheBox - Monteverde - 10.10.10.100

Monteverde is a 30 point medium rated machine on hackthebox that involves using rpcclient with null authentication to pillage domain usernames, then using those usernames as passwords to find valid credentials. Once found, we find the password for user mhope in an SMB share and use his credentials to get a shell on the box. Once we are mhope we find he is a member of the Azure Admins group, so we can use a powershell script to decrypt the admin's credentials from the SQL database used by Azure AD Sync.

1. Recon

To start this box off we will do an nmap scan of the target machine, 10.10.10.172:

nmap -sC -sV -oA nmap/monteverde 10.10.10.172

Nmap Scan Results

Some ports of note here are:

1. RPC - Maybe we can get null authentication
2. SMB - Maybe some useful files
3. LDAP - ldapquery?

RPC Enumeration

Firstly we will try to get a connection to rpc with null authentication, using rpcclient:

rpcclient -U "" 10.10.10.172 enumdomusers

Bingo, now we have a list of users!

2. Finding some credentials

Now that we have a list of usernames, we can try to brute-force login credentials using those usernames as passwords. First save the usernames to a file like this:

We can then use crackmapexec to brute-force SMB logins; if you want to read more about cme, the link to the GitHub page is here.

If we pass the arguments -u for the users file and -p for the password file, we can brute-force logins:

crackmapexec smb 10.10.10.172 -u usersfile.txt -p passfile.txt

Nice, we got a valid login using the credentials SABatchJobs:SABatchJobs, so we can now try to enumerate the smb shares.
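From the defender's side, the spray above leaves a distinctive trail: one failed logon (event 4625) per username from a single source address within a few seconds, followed by a successful logon (4624) for the one account that worked, and the earlier null session shows up as a 4624 for ANONYMOUS LOGON. The following is an added example, not part of the original writeup, that runs this detection over a constructed, simplified CSV export of Security log events (timestamp, event id, target user, source IP, status code); the usernames other than mhope and SABatchJobs, the source addresses, the 5-minute window and the 5-account threshold are all assumptions for the example.

```python
"""Detect password spraying and null-session logons in Windows Security events.

Added example for this writeup; not code from the original post. The log
below is constructed (simplified CSV export, not a real EVTX parse).
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)     # assumed sliding window
MIN_DISTINCT_USERS = 5            # assumed threshold; tune per environment

# Constructed sample export: time, event id, target user, source ip, status
SAMPLE_LOG = """\
2020-01-11T09:59:50Z,4624,ANONYMOUS LOGON,10.10.14.5,0x0
2020-01-11T10:00:01Z,4625,Guest,10.10.14.5,0xC000006D
2020-01-11T10:00:01Z,4625,svc-backup,10.10.14.5,0xC000006D
2020-01-11T10:00:02Z,4625,mhope,10.10.14.5,0xC000006D
2020-01-11T10:00:02Z,4625,jsmith,10.10.14.5,0xC000006D
2020-01-11T10:00:03Z,4625,auditor,10.10.14.5,0xC000006D
2020-01-11T10:00:03Z,4624,SABatchJobs,10.10.14.5,0x0
2020-01-11T10:30:00Z,4625,mhope,10.10.14.9,0xC000006D
2020-01-11T10:31:00Z,4625,mhope,10.10.14.9,0xC000006D
"""


def parse_events(text):
    """Turn the CSV export into a list of dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, user, src, status = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "user": user,
            "src": src,
            "status": status,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_anonymous_logons(events):
    """Sources that obtained a null session (4624 for ANONYMOUS LOGON)."""
    return sorted({e["src"] for e in events
                   if e["event_id"] == 4624 and e["user"] == "ANONYMOUS LOGON"})


def detect_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """One finding per source that failed logons for >= min_users distinct
    accounts inside `window`, plus any account that then logged on
    successfully from the same source (a likely compromised credential)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["event_id"] == 4625]
        flagged, spray_start, start = set(), None, 0
        # Sliding window over this source's failures, ordered by time.
        for end in range(len(failures)):
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            users = {e["user"] for e in failures[start:end + 1]}
            if len(users) >= min_users:
                flagged |= users
                if spray_start is None:
                    spray_start = failures[start]["time"]
        if not flagged:
            continue
        successes = sorted({
            e["user"] for e in evs
            if e["event_id"] == 4624 and e["time"] >= spray_start
            and e["user"] != "ANONYMOUS LOGON"})
        findings.append({
            "src": src,
            "sprayed_users": sorted(flagged),
            "successful_logons_after": successes,
        })
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("null sessions from:", detect_anonymous_logons(evs))
    for f in detect_spray(evs):
        print(f)
```

The second source (10.10.14.9) fails twice against a single account and is not flagged; a lockout policy handles that case, whereas a spray deliberately stays under the per-account lockout threshold, which is why the detection counts distinct accounts per source rather than failures per account.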

3. Getting More Credentials

SMB Enumeration

To list all the smb shares we will use smbclient, which is built into Kali.

smbclient -U "SABatchJobs" -L \\10.10.10.172

The one share that stands out is users$, as it is not a default Windows share like SYSVOL or IPC$.

Let's try and connect using our credentials:

smbclient -U "SABatchJobs" \\\\10.10.10.172\\users$

Nice, we can see the files in the users$ share. Let's download all the files and see if there is anything interesting:

prompt OFF
recurse ON
mget *

The only file in the share was an azure.xml file; let's see what's inside:

cat azure.xml

Bingo! We have the password for the user mhope.

Getting User

Now that we have the password for the user mhope we can try to log in over winrm; for this I will be using a tool called evil-winrm.

evil-winrm -i 10.10.10.172 -u mhope -p [email protected]\$

Now that we have a shell we can do some enumeration. Firstly:

whoami /all

We can see we are a part of the Azure Admins group. This means that with the right commands or script we can dump the admin password from the MSSQL database that Azure AD Connect uses; there is a great article by XPNSec that explains this here. So if we use the powershell script from the blog, but with the connection string changed to work with this DB, we should be good. Alternatively, I will use a tool made by fox-it on github to decrypt the password, as I could not get the powershell script to work for me.

Here is the script the exe is based on:

Now if we save the exe and dll from the fox-it github to our local machine, we can upload them to the box using evil-winrm.

Now if we navigate to C:\Program Files\Microsoft Azure AD Sync\Bin and run the following, we get the admin credentials:

\Users\mhope\Documents\AdDecrypt.exe -FullSQL

Now we can just use these creds to psexec into the box and grab the root flag.

Pwned

psexec.py megabank/Administrator:"[email protected]!"@10.10.10.172

