In this blog post, I'll share my experience solving the "Monteverde" machine on Hack The Box. This medium-level challenge focuses on exploiting misconfigurations in SMB services and leveraging Azure Active Directory Connect to escalate privileges.
The key vulnerabilities exploited in this challenge include:
SMB Service Misconfigurations: Improperly configured SMB services allowed unauthorized access to sensitive files, leading to credential disclosure.
Weak Password Policies: The use of easily guessable passwords facilitated unauthorized access to user accounts.
Azure AD Connect Credential Exposure: Misconfigurations in Azure AD Connect resulted in the storage of plaintext administrator credentials, enabling privilege escalation.
These vulnerabilities highlight the importance of securing SMB services, enforcing strong password policies, and properly configuring cloud synchronization tools to prevent unauthorized access and privilege escalation.
I began by performing an Nmap scan to identify open ports and services on the target machine. The scan revealed several open ports, including port 445 (SMB). To gather more information about the SMB service, I used enum4linux.
This provided valuable details, including the domain name and a list of users:
Domain Name: HTB
Users:
svc-alfresco
mhope
santi
fcastle
andy
I created a file named users.txt containing the discovered usernames. Using Metasploit's smb_login module, I performed a brute-force attack to find valid credentials:
use auxiliary/scanner/smb/smb_login
set rhosts 10.10.10.172
set user_file users.txt
set pass_file users.txt
set verbose false
run
This attempt yielded valid credentials for the user svc-alfresco.
With the obtained credentials, I accessed the SMB shares:
smbclient -U svc-alfresco //10.10.10.172/users$
Navigating to the mhope directory, I found a file named azure.xml and downloaded it. Inspecting azure.xml revealed plaintext credentials for the user mhope. Using the mhope credentials, I connected to the machine via Evil-WinRM.
evil-winrm -i 10.10.10.172 -u mhope -p '<password>'
Once connected, I navigated to the desktop and retrieved the user.txt flag.
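From the defender's side, the azure.xml finding above is exactly what a periodic share audit should catch first. The script below is an added example, not part of the original writeup: it assumes the file is a PowerShell CLiXML export (the format Export-Clixml writes) and uses a constructed sample, not the box's real file. It flags plain string properties with secret-like names and reports only the secret's length, never its value.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespace that Export-Clixml puts on every CLiXML document.
PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"
SECRET_PROPS = re.compile(r"password|passwd|secret|credential", re.I)

# Constructed sample (placeholder value), shaped like a credential object
# that was exported to disk without SecureString protection.
SAMPLE_AZURE_XML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.0000000-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">Example-Placeholder-Pa55</S>
    </Props>
  </Obj>
</Objs>"""


def find_plaintext_secrets(xml_text):
    """Return [(object_type, property_name, secret_length)] for each <S> (plain
    string) property whose name looks like a secret. <SS> (SecureString, DPAPI
    protected) is deliberately not flagged. Values are never returned, so the
    report can be logged without leaking the credential a second time."""
    root = ET.fromstring(xml_text)
    hits = []
    for obj in root.iter(PS_NS + "Obj"):
        type_names = [t.text for t in obj.findall(f"{PS_NS}TN/{PS_NS}T")]
        obj_type = type_names[0] if type_names else "<unknown>"
        props = obj.find(PS_NS + "Props")
        if props is None:
            continue
        for prop in props.findall(PS_NS + "S"):
            name = prop.get("N", "")
            if SECRET_PROPS.search(name) and prop.text:
                hits.append((obj_type, name, len(prop.text)))
    return hits


def scan_share(root_dir):
    """Walk a copy of a file share and map each offending .xml path to its hits."""
    findings = {}
    for path in Path(root_dir).rglob("*.xml"):
        try:  # Export-Clixml writes UTF-8 with a BOM, hence utf-8-sig
            hits = find_plaintext_secrets(path.read_text(encoding="utf-8-sig"))
        except ET.ParseError:
            continue  # not CLiXML (or not XML at all)
        if hits:
            findings[str(path)] = hits
    return findings
```

Run scan_share against a mounted or mirrored copy of a share such as users$ and alert on any non-empty result; a hit like the sample means a credential object was written to disk in the clear and should be rotated.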
To escalate privileges, I checked the user's group memberships:
whoami /all
The output indicated that mhope was a member of the Azure Admins group.
I then used the Azure-ADConnect.ps1 PowerShell script to extract the plaintext password of the Azure AD Sync account:
Import-Module .\Azure-ADConnect.ps1
Get-AADIntSyncCredentials -PasswordPlainText
This provided the administrator credentials, which I used to establish a new Evil-WinRM session:
evil-winrm -i 10.10.10.172 -u Administrator -p '<admin_password>'
Finally, I navigated to the administrator's desktop and obtained the root.txt flag.