HTB Monteverde - Azure AD Connect Password Extraction

Machine #48 on the Lain Kusanagi list. Active Directory, a forgotten config file, and the Azure AD Sync service doing what it really shouldn’t.

Machine Info

Field       Details
Name        Monteverde
Platform    HackTheBox
OS          Windows
Difficulty  Medium
IP          10.129.228.111
Domain      MEGABANK.LOCAL

TL;DR

Null session via nxc gives a full user list. A password spray with username=password lands SABatchJobs:SABatchJobs. Listing SMB shares reveals users$ is readable - spider_plus finds mhope/azure.xml, a leftover Azure AD Connect config file with a cleartext password. Spray again, get mhope via WinRM. mhope is in the Azure Admins group and the ADSync service is running locally. A public PoC decrypts the ADSync credentials from the local MSSQL database, handing us domain administrator. ...

June 1, 2026 · 4 min · João Vítor Bonin
HTB: Giddy

SQL injection doesn’t always mean dumping a database. Sometimes it just means coaxing the server into making a network connection it shouldn’t - and that’s enough to steal credentials. Giddy is a great example of that, paired with a creative privesc that requires bypassing Windows Defender with a custom payload.

Machine Info

Field       Details
Name        Giddy
Platform    HackTheBox
OS          Windows
Difficulty  Medium
IP          10.129.96.140

TL;DR

ASP.NET MVC app has a search endpoint vulnerable to SQL injection. We use xp_dirtree to force the SQL Server to authenticate outbound to our Responder instance, capturing Stacy’s NTLMv2 hash. After cracking it, Evil-WinRM gives us a shell. On the machine we find a unifivideo folder hinting at CVE-2016-6914 - Ubiquiti UniFi Video’s service hijacks taskkill.exe on stop. Defender blocks msfvenom, so we cross-compile a custom Go payload to add a local admin user and RDP in as root. ...

May 31, 2026 · 4 min · João Vítor Bonin