Post Image
svgDamian Pajszczyksvg27 października, 2022svgUncategorized

HackTheBox – Monteverde

Hey everyone this is my writeup of HackTheBox Monteverde which is medium difficulty Windows Box.

What i like about this box is it teaches something new about on premise – cloud AD synchronization.

I learnt a lot about AzureADSync service. I raised my awareness of potential misconfigurations of AD cloud – on premise synchronization services which can lead to complete compromise of the system.

In order to deal with that box we have to access rpc service and enumerate users. When we get list of usernames from rpc service we check if there is any account which passwords is the same as username. By doing this we’ll get first pair of credentials.

Using newly found credentials we just have to enumerate smb shares where we’ll find password. Location of the file which contains password indicates which user password it is.

After getting access to another user account we will find out it has access to winrm service. We may use evil-winrm to perform system enumeration. After proper enumeration we will find that our user belongs to specific group and there is sql service on the sysytem.

Afterwards we just need to perform careful enumeration of sql service. There we’ll find some encrypted data (which is encrypted password). If we properly analyse informations we already have and perform some google dorking we will get how to decrypt that data.

After encryption we get another password that belongs to administrator account. Then we can login and get root flag.

nmap scan:

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-10-18 07:37:34Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  msrpc         Microsoft Windows RPC
49750/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-10-18T07:38:27
|_  start_date: N/A

SMB enumeration:

DNS enumeration:

ldap enumeration:

RPC enumeration:

Nextly I checked password policy:

We can also check if there is any info in account description:

I got list of usernames, now we can check if any of these users has disable kerberos preauthentication.

I can see there’s no policy that will block bruteforce attack, but first let’s check usernames as passwords:

I found valid credentials SABatchJobs:SABatchJobs

Let’s enumerate SMB with this credentials:

I performed cme smb spider scan and found something interesting:

I decided to dump all files from shares:

Azure.xml looked like:

I understand this is some kind of azure service configuration. Since this file is in mhope directory I will check if this is valid mhope password.

Another credentials: mhope:4n0therD4y@n0th3r$

Since mhope has winrm access we can use evil-winrm to access filesystem:

Finally I got userflag.

I started my enumeration with disk enumeration:

We can see that there is another disk that clearly stands out – E:\

I uploaded sharphound, and performer bloodhound analysis but i didn’t fount anything useful.

Nextly I wanted to check my permissions and groups:

One of the groups our account belong to is Azure Admins. I think this will be our attack vector.

I decided to run winpeas scan to have general outlook of the system and it found sql service on port 1434:

This sql service was not accessible outside the localhost. I decided to enumerate it using invoke-sqlcmd:

Finally i found something that caught my attention:

When we look carefully at database output we can see there is interesting column encrypted_configuration.

This is encrypted configuration of administrator user.

In this blog post i found some useful informations about this subject:

https://blog.xpnsec.com/azuread-connect-for-redteam/

It’s very important to know what we are going to do. According to database information we have Azure AD Sync service on the box. Configuration data for that service is stored in database.  We want to abuse potential misconfiguration of Azure AD Sync service by obtaining saved credentials. Encrypted passwords are stored in the mms_management_agent table in encrypted_configuration field. 
Author of previously mentioned blog post noticed that there is particular library that handle this encrypted data: C:\Program Files\Microsoft Azure AD Sync\Binn\mcrypt.dll.
mcrypt.dll library is responsible for key management and decryption of data. Actually we can data from database to decrypt the password:

Author of this post also mentioned that in order to access this particular database we have to had particular permission. One of the groups we belong to – Azure-Admin has permission to select from ADSync Database. 

In general I may say that we’re able to compromise server containg Azure AD Connect Service and get access to Administrator/AD Sync Admin group if we can access to ADSync database.

On this blog post there was exploitation script. I modified it and run it:

It worked:

Finally i found something that caught my attention:

svgHackTheBox - Search
svg
svgHackTheBox - Monitors

Leave a reply