HackTheBox Writeup — Monteverde

Hello guys, I am Faisal Husaini. My username on HTB is “kNgF”. Also join me on Discord.

The IP of this box is

Port Scan

We got a lot of open ports, so we run a service scan against them

We see many services running, including Active Directory on this box, so we now move on to running the enum4linux tool

We get a lot of users from the tool, so we save them in a file named users

Now we move on to running the Metasploit module smb_login, which checks for valid SMB login creds

Here we set the username list and the password to be the same as the users we got from the enum4linux tool, and then run the module

We can see that SABatchJobs:SABatchJobs is a valid credential
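On the defender's side, the smb_login run above shows up as a burst of failed logons for many distinct accounts from one source, followed by a success. The following is an added example, not part of the original writeup, that flags that pattern; the event records, field names, account names other than mhope and SABatchJobs, the threshold and the window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not taken from the box). Simplified fields;
# 4625 = failed logon, 4624 = successful logon in the Windows Security log.
SAMPLE_EVENTS = [
    {"time": "2020-01-03 10:00:01", "id": 4625, "user": "mhope", "src": "192.0.2.10"},
    {"time": "2020-01-03 10:00:02", "id": 4625, "user": "svc-a", "src": "192.0.2.10"},
    {"time": "2020-01-03 10:00:03", "id": 4625, "user": "svc-b", "src": "192.0.2.10"},
    {"time": "2020-01-03 10:00:04", "id": 4625, "user": "svc-c", "src": "192.0.2.10"},
    {"time": "2020-01-03 10:00:05", "id": 4624, "user": "SABatchJobs", "src": "192.0.2.10"},
    # One user mistyping a password twice: must not alert.
    {"time": "2020-01-03 10:01:00", "id": 4625, "user": "mhope", "src": "192.0.2.77"},
    {"time": "2020-01-03 10:01:09", "id": 4625, "user": "mhope", "src": "192.0.2.77"},
    {"time": "2020-01-03 10:01:20", "id": 4624, "user": "mhope", "src": "192.0.2.77"},
]

def detect_spray(events, min_users=4, window=timedelta(minutes=5)):
    """Flag sources that fail logons for >= min_users distinct accounts
    within `window`, and list accounts that logged on from there meanwhile."""
    by_src = defaultdict(list)
    for e in events:
        ts = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
        by_src[e["src"]].append((ts, e["id"], e["user"]))
    alerts = []
    for src, rows in by_src.items():
        rows.sort()
        fails = [(ts, user) for ts, eid, user in rows if eid == 4625]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans <= `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {user for _, user in fails[start:end + 1]}
            if len(users) >= min_users:
                t0 = fails[start][0]
                # Successes from the same source during the burst are the
                # accounts whose guessed password worked.
                hits = sorted({user for ts, eid, user in rows
                               if eid == 4624 and t0 <= ts <= t0 + window})
                alerts.append({"src": src, "failed_users": len(users),
                               "succeeded": hits})
                break
    return alerts

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print(alert)
```

Counting distinct usernames per source, rather than total failures, is what separates this pattern from a single user retrying a mistyped password.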

Using these credentials with smbclient, we see a lot of open shares

We see a share named “users$”, so we connect to it

We connected to the “users$” share through SMB successfully

We have a few user folders here; looking through every folder, we see something interesting in the mhope folder

We see a file named azure.xml, so we download it to our box and look at the contents

We see a password, and since the WinRM port was open on the box, I try to connect through Evil-WinRM with the multiple users we got on the box

We connected as user mhope successfully, so we move on to getting the user flag, which is usually located in the Desktop folder

Moving further to privilege escalation

Privilege Escalation

We see that the current user is a member of the MEGABANK\Azure Admins group

After a lot of searching on Google for Azure hacking, we learn many things about Azure AD Connect

As we have Microsoft SQL Server, we run SQLCMD to list the databases; we get a few databases, of which ADSync is the one we are interested in

The above commands fetched the administrator’s password and gave us the decrypted form of it

Connecting through Evil-WinRM with these creds

We connected successfully, so we move on to getting the root flag

It's always fun to solve Windows AD boxes

