HackTheBox - Monteverde
Hello guys, I am Faisal Husaini. My username on HTB is ferllen. Also join me on Discord.
The IP of this box is 10.10.10.172.
Port Scan
Running a full nmap port scan against it, we get
We got a lot of open ports, so we run a service scan against them.
We see many services running, including Active Directory, so we move on to running the enum4linux tool.
We get a lot of users from the tool, so we save them in a file named users.
Next we run the Metasploit module smb_login, which checks for valid SMB login credentials.
Here we set both the username list and the password list to the users we got from the enum4linux tool, and then run the module.
We can see that SABatchJobs:SABatchJobs is a valid credential.
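A defender's view of the smb_login step above, as an added example that is not part of the original writeup: it flags a source that fails logons against many distinct accounts in a short window and lists any account that logged on successfully from that same source, which is how a username-as-password account shows up in the logs. The log format, the source addresses and the user1 to user3 accounts are constructed; 4624 and 4625 are the Windows Security event IDs for successful and failed logons.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: time, Security event ID, source IP, target account.
# 4625 = failed logon, 4624 = successful logon. Not taken from the box.
SAMPLE_LOG = """\
2020-01-01T10:00:00,4625,192.0.2.10,mhope
2020-01-01T10:00:01,4625,192.0.2.10,user1
2020-01-01T10:00:02,4625,192.0.2.10,user2
2020-01-01T10:00:03,4625,192.0.2.10,user3
2020-01-01T10:00:04,4624,192.0.2.10,SABatchJobs
2020-01-01T10:05:00,4625,192.0.2.20,user1
2020-01-01T10:05:30,4624,192.0.2.20,user1
2020-01-01T11:30:00,4624,192.0.2.10,user2
"""

def parse(log):
    """Yield (time, event_id, source, account) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or parts[1] not in ("4624", "4625"):
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3].lower()
        except ValueError:
            continue

def find_sprays(log, min_accounts=4, window=timedelta(minutes=5)):
    """Return {source: {"failed": [...], "succeeded": [...]}} for spraying sources."""
    by_source = defaultdict(list)
    for event in sorted(parse(log)):
        by_source[event[2]].append(event)
    findings = {}
    for source, events in by_source.items():
        fails = [(t, acct) for t, eid, _, acct in events if eid == "4625"]
        for start, _ in fails:
            in_window = {a for t, a in fails if start <= t <= start + window}
            if len(in_window) >= min_accounts:
                # Successes in the same window are the accounts to reset first.
                hits = sorted({a for t, eid, _, a in events
                               if eid == "4624" and start <= t <= start + window})
                findings[source] = {"failed": sorted(in_window), "succeeded": hits}
                break
    return findings

if __name__ == "__main__":
    for src, f in find_sprays(SAMPLE_LOG).items():
        print(src, "sprayed", len(f["failed"]), "accounts; valid logon:", f["succeeded"])
```

The single mistyped password from 192.0.2.20 stays below the threshold, so an ordinary user typo is not reported.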
Using these credentials with smbclient, we see a lot of open shares.
We see a share named “users$”, so we connect to it.
We connected to the “users$” share through SMB successfully.
There are a few user folders here. Looking through each of them, we see something interesting in the mhope folder.
We see a file named azure.xml, so we download it to our box and look at its contents.
We see a password. Since the WinRM port was open on the box, I try to connect through Evil-WinRM with the multiple users we got on the box.
We connected successfully as user mhope, so we move on to getting the user flag, which is usually located in the Desktop folder.
Moving further to privilege escalation.
Privilege Escalation
Running the whoami /all command, we get
We see that the current user is a member of the MEGABANK\Azure Admins group.
After a lot of searching on Google for Azure hacking, we learn many things about Azure AD Connect.
As Microsoft SQL Server is present, we run SQLCMD to list the databases. Of the few databases we get, ADSync is the one we are interested in.
The above commands fetched the administrator’s password and gave us the decrypted form of it.
Connecting with Evil-WinRM using these creds.
We got connected successfully, so we move on to getting the root flag.
It's always fun to solve Windows AD boxes.