
HTB Monteverde - Azure AD Connect Password Extraction

Machine #48 on the Lain Kusanagi list. Active Directory, a forgotten config file, and the Azure AD Sync service doing what it really shouldn’t.

Machine Info

Name: Monteverde
Platform: HackTheBox
OS: Windows
Difficulty: Medium
IP: 10.129.228.111
Domain: MEGABANK.LOCAL

TL;DR

Null session via nxc gives a full user list. A password spray with username=password lands SABatchJobs:SABatchJobs. Listing SMB shares reveals users$ is readable - spider_plus finds mhope/azure.xml, a leftover Azure AD Connect config file with a cleartext password. Spray again, get mhope via WinRM. mhope is in the Azure Admins group and the ADSync service is running locally. A public PoC decrypts the ADSync credentials from the local MSSQL database, handing us domain administrator. ...

June 1, 2026 · 4 min · João Vítor Bonin

HTB: Return - OSCP Prep Write-up

Return is one of those machines where the initial foothold is almost embarrassingly easy - and then it hands you a privilege escalation path that is genuinely worth knowing. Server Operators is not talked about as much as SeBackupPrivilege, but it is just as dangerous.

Machine info

Name: Return
Platform: HackTheBox
OS: Windows
Difficulty: Easy

TL;DR

- A printer admin web panel allows changing the LDAP server address - pointing it at Kali captures cleartext credentials for svc-printer
- svc-printer has WinRM access and is a member of Server Operators, which allows stopping and reconfiguring Windows services
- Abused sc.exe to hijack a service binary path and create a local admin user
- Ran secretsdump, passed the Administrator hash via evil-winrm

Recon

Nmap

    nmap -sV -sC -Pn -A 10.129.34.220

Open ports include 80 (HTTP), 88 (Kerberos), 389 (LDAP), 445 (SMB), 5985 (WinRM). Standard Windows domain controller spread. Port 80 is the interesting one. ...

May 19, 2026 · 3 min · João Vítor Bonin