Monteverde : HTB walkthrough

Took ages but was worth it. Lots of ports were open. Let’s start with enum.
user list
SABatchJobs: bad password practices by developers or sysadmins
SYSVOL found with some files, but GptTmpl.inf in both policies contained no juicy info
> get AZURE.XML
No entries found. Maybe Windows Remote Management works… Try Evil-WinRM
“Exploit can get us plain text credentials of whatever AD account is set to use it — — ADMINISTRATOR”
Out of which ADSyncDecrypt matches all our requirements
We will run our exploit from the bin folder of the AD Sync directory.
You can see there is an mcrypt.dll there, so when you transfer your AdDecrypt.exe, transfer mcrypt.dll too; otherwise the existing one will be used, and since it is not readable, it won’t help you crack the credentials.
There was an error finding LocalDB
It will access ADSync on the full MSSQL instance rather than the LocalDB instance.
This time this worked.
Logged in as ADMINISTRATOR
Found The Flag.
