Monteverde HTB - Writeup
another AD machine, but here there's an interesting exploit of the "Azure Admin" role!
after scanning ports, we find that LDAP enumeration gives us some domain usernames. without anything else to test with, we try those usernames against each other as passwords
we find that while the SABatchJobs account doesn't have access over WinRM, it does have SMB access! using it, we take a look at the shares
the users$ share contains an .xml file that leads to credentials for mhope

whoami /all
after grabbing user.txt as mhope, we notice that the account is a member of the Azure Admins group
after some searching, we find this article, which shows a method of obtaining DCSync rights by leveraging Azure AD Connect and includes a POC script. the POC script doesn't work out of the box and crashes the shell, so we go through it line by line:
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"
when $client.Open() is called, the connection to the DB fails. this article shows a different way of connecting to the SQL instance, so we swap the connection string in the initial POC for this one (thanks to Ippsec's video!):
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=localhost;Integrated Security=true;Initial Catalog=ADSync"

and there we go!