Hack The Box :: Monteverde

#LDAPAnonymousBind #DefaultPassword #AzureADConnect

noobintheshell

--

Monteverde is a Medium Windows box created by egre55. It was released on January 11th, 2020 and retired on June 13th, 2020. The users rated the difficulty 4.8/10 and gave an appreciation score of 4.3/5.

Monteverde Info Card

TL;DR

We can bind anonymously to Active Directory over LDAP to retrieve the list of users and service accounts. The password of the service account SABatchJobs is the same as its username. With this account, we access a share that contains mhope's password in clear text. We log in through WinRM and retrieve the user flag. As mhope is a member of the Azure Admins group and Azure AD Connect is installed and configured, we can use a known set of PowerShell commands to extract its configuration from the MS SQL database and decrypt the password of the service account, which is… the domain admin. We can then use psexec to get a SYSTEM shell and the root flag.

Note: unless otherwise stated, all commands and scripts you will find below are run on macOS. In particular, the sed and base64 syntax may differ slightly from the Linux versions. Python 3 is the preferred interpreter.

--


noobintheshell

Cyber Security Professional and CTFer from Switzerland.