⇒ Monteverde is an easy active directory machine that teaches us :
- Enumerating users through RPC
- Password spraying using usernames
- Abusing Azure Admins group for privesc to Domain Admin
Getting User through mostly Enumeration
⇒ So we are able to login in rpc through null authentication and enumere domain users using the command
- Next we created an list of users and performed password spraying using crackmapexec
crackmapexec smb 10.10.10.172 -u users -p users
SABatchJobs : SABatchJobs
⇒ So we are able to access users$ smb share as SABatchJobs user :
- We find an xml file named axure.xml in mhope directory which contains a password :
mhope : 4n0therD4y@n0th3r$
⇒ Next we just evil-winrm as mhope using the credentials we found :
Privilege Escalation to Domain Admin [ AzureAdmins Group ]
⇒ So after owning mhope user we see that we are in AzureAdmins group which we can abuse to get Domain Admin on megabank domain.
Abusing Azure Admins
So the most interesting is Password Hash Synchronisation (PHS), which uploads user accounts and password hashes from Active Directory into Azure.
A new user is created during the installation of Azure AD Connect with the username MSOL_[HEX]
Now by default when deploying the connector a new database is created on the host using SQL Server’s LOCALDB. The database supports the Azure AD Sync service by storing metadata and configuration data for the service.
There’s a table named mms_management_agent which contains several fields including private_configuration_xml which holds detail regarding MSOL user.
However the password is omitted from the XML returned . The encrypted password is actually stored within another field, encrypted_configuration
So C:\Program Files\Microsoft Azure AD Sync\Binn\mcrypt.dll is responsible for key management and the decryption of the data in encrypted_configuration
⇒ So to decrypt the password from encrypted_configuration we will have to retrieve the keying material from the LocalDB instance before passing it to the mcrypt.dll assembly to decrypt
So what are the requirements to complete this exfiltration of credentials? Well we will need to have access to the LocalDB (if configured to use this DB), which by default holds the following security configuration
This means that if you are able to compromise a server containing the Azure AD Connect service, and gain access to either the ADSyncAdmins or local Administrators groups, what you have is the ability to retrieve the credentials for an account capable of performing a DCSync
⇒ In short :
- MSOL account is capable of peforming dcsync attack
- Retrieve the keyring from LocalDB
- Retrieve the encrypted password of MSOL user from encrypted_configuration
- Pass it to mcrypt.dll to decrypt and get the password for MSOL user.
upload Azure-ADConnect.ps1 import-module .\Azure-ADConnect.ps1 Azure-ADConnect -server 127.0.0.1 -db ADSync
administrator : d0m@in4dminyeah!
⇒ Next we just evil-winrm using the administrator credentials :