{"id":227,"date":"2025-08-02T19:00:00","date_gmt":"2025-08-02T19:00:00","guid":{"rendered":"https:\/\/thecyberstaff.com\/?p=227"},"modified":"2025-12-28T19:19:44","modified_gmt":"2025-12-28T19:19:44","slug":"monteverde-hackthebox-lab","status":"publish","type":"post","link":"https:\/\/thecyberstaff.com\/?p=227","title":{"rendered":"Monteverde - HackTheBox lab"},"content":{"rendered":"\n<p>I began by performing a full TCP and UDP port scan to enumerate available services.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1021\" height=\"357\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-27.png\" alt=\"\" class=\"wp-image-389\" srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-27.png 1021w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-27-300x105.png 300w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-27-768x269.png 768w\" sizes=\"auto, (max-width: 1021px) 100vw, 1021px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"219\" height=\"70\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-28.png\" alt=\"\" class=\"wp-image-390\"\/><\/figure>\n\n\n\n<p>From the ports that are open, it looks like we are working with an Active Directory Domain Controller. 
I was able to collect system information through an SMB null session misconfiguration, which allowed me to enumerate domain users.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"191\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-29-1024x191.png\" alt=\"\" class=\"wp-image-391\" srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-29-1024x191.png 1024w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-29-300x56.png 300w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-29-768x143.png 768w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-29.png 1479w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>I conducted a password spray against the enumerated accounts and discovered that some accounts were configured with weak &#8216;username = password&#8217; credentials.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"169\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-30-1024x169.png\" alt=\"\" class=\"wp-image-392\" srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-30-1024x169.png 1024w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-30-300x50.png 300w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-30-768x127.png 768w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-30.png 1351w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>I tried to get a shell with Evil-WinRM and some other methods but none of them were working. 
While reviewing files accessible over SMB, I discovered an azure.xml file containing cleartext credentials.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"836\" height=\"409\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-31.png\" alt=\"\" class=\"wp-image-393\" srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-31.png 836w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-31-300x147.png 300w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-31-768x376.png 768w\" sizes=\"auto, (max-width: 836px) 100vw, 836px\" \/><\/figure>\n\n\n\n<p>I pulled down the file and exfiltrated the creds.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"710\" height=\"283\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-32.png\" alt=\"\" class=\"wp-image-394\" srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-32.png 710w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-32-300x120.png 300w\" sizes=\"auto, (max-width: 710px) 100vw, 710px\" \/><\/figure>\n\n\n\n<p>I was able to use this credential and the &#8220;mhope&#8221; account tied to the share it was in to get a shell with Evil-WinRM.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"231\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-33-1024x231.png\" alt=\"\" class=\"wp-image-395\" srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-33-1024x231.png 1024w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-33-300x68.png 300w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-33-768x173.png 768w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-33.png 1030w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" 
\/><\/figure>\n\n\n\n<p>While enumerating the account, I noticed it was part of the &#8220;Azure Admins&#8221; group. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-34-1024x576.png\" alt=\"\" class=\"wp-image-396\" srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-34-1024x576.png 1024w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-34-300x169.png 300w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-34-768x432.png 768w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-34.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Using techniques from XPN\u2019s Azure AD Connect research, I located the AD Connect sync credentials stored locally (in the ADSync database). These credentials are encrypted with DPAPI, but I leveraged a modified PowerShell script from the research to extract and decrypt them, recovering the domain administrator password.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"575\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-35-1024x575.png\" alt=\"\" class=\"wp-image-397\" srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-35-1024x575.png 1024w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-35-300x168.png 300w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-35-768x431.png 768w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-35.png 1282w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>After updating the script to target the local SQL database, execution revealed the domain administrator\u2019s credentials in cleartext.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img 
loading=\"lazy\" decoding=\"async\" width=\"949\" height=\"241\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-36.png\" alt=\"\" class=\"wp-image-398\" srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-36.png 949w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-36-300x76.png 300w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/08\/image-36-768x195.png 768w\" sizes=\"auto, (max-width: 949px) 100vw, 949px\" \/><\/figure>\n\n\n\n<p>Using the recovered administrator credentials, I established an Evil-WinRM session as Administrator, achieving full domain compromise.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I began by performing a full TCP and UDP port scan to enumerate available services. It looks like we are working with an Active Directory Domain Controller from the ports that are open. I was able to collect system information through an SMB null session misconfiguration, which allowed me to 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":228,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-227","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-pentesting"],"brizy_media":[],"_links":{"self":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/227","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=227"}],"version-history":[{"count":2,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/227\/revisions"}],"predecessor-version":[{"id":399,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/227\/revisions\/399"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/media\/228"}],"wp:attachment":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=227"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}