Hack The Box :: Monteverde
#LDAPAnonymousBind #DefaultPassword #AzureADConnect
Monteverde is a Medium Windows box created by egre55. It was released on January 11th, 2020 and retired on June 13th, 2020. The users rated the difficulty 4.8/10 and gave an appreciation score of 4.3/5.
TL;DR
We can anonymously bind to the Active Directory LDAP service to retrieve the list of users and service accounts. The password of the service account SABatchJobs is the same as its username. With this account, we access a share that contains mhope's password in clear text. We log in through WinRM and retrieve the user flag. As mhope is a member of the Azure Admins group and Azure AD Connect is installed and configured, we can use a known set of PowerShell commands to extract its configuration from the MS SQL database and decrypt the password of the service account, which is…the domain admin. We can then use psexec to get a SYSTEM shell and the root flag.
Note: unless otherwise stated, all commands and scripts you will find below are run on macOS. In particular, the sed and base64 syntax may differ slightly from the Linux versions. Python 3 is the preferred interpreter.