Box Info

| Field | Value |
|---|---|
| Platform | HackTheBox |
| Difficulty | Medium |
| OS | Windows |
| Key Techniques | Password Spraying, Azure AD Connect Credential Extraction |
Attack Path Summary
Enumerated domain users → password spraying found SABatchJobs account → used those creds to access SMB shares → found azure.xml containing mhope’s password → logged in as mhope via evil-winrm → mhope is member of Azure Admins group → extracted Azure AD Connect credentials → Domain Admin.
Enumeration
```shell
sudo nmap -p- -Pn -T4 $ip -oN nmap/tcp_scan
sudo nmap -sCV -p <PORTS> -Pn -T4 $ip
```

Domain: MEGABANK.LOCAL
Foothold — Password Spraying
Found the SABatchJobs account through password spraying — the password was the same as the username.
First creds: SABatchJobs:SABatchJobs
SMB Enumeration with Creds
Used SABatchJobs to enumerate SMB shares. Found an azure.xml file containing Azure AD credentials:
```xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
    </TN>
    <Props>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>
```
Second creds: mhope:4n0therD4y@n0th3r$
```shell
evil-winrm -i $ip -u 'mhope' -p '4n0therD4y@n0th3r$'
```
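As an added defensive example (not from the original writeup), a small Python scanner for PowerShell CLIXML files like azure.xml: it flags credential properties stored as plain `<S>` strings, the way the file above stored mhope's password, while ignoring DPAPI-protected `<SS>` SecureString values that Export-Clixml normally emits. The sample file, its type names and all values are constructed.

```python
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
SENSITIVE_PROPS = {"password", "secret", "clientsecret", "apikey", "token"}

# Constructed sample: object 0 mirrors the azure.xml layout (cleartext <S>),
# object 1 holds a DPAPI-protected SecureString (<SS>) as Export-Clixml would write it.
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0"><T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T></TN>
    <Props>
      <S N="KeyId">00000000-0000-0000-0000-000000000000</S>
      <S N="Password">EXAMPLE-PLACEHOLDER-SECRET</S>
    </Props>
  </Obj>
  <Obj RefId="1">
    <TN RefId="1"><T>System.Management.Automation.PSCredential</T></TN>
    <Props>
      <S N="UserName">svc_example</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb</SS>
    </Props>
  </Obj>
</Objs>"""


def _mask(value):
    """Keep only the first and last character so a report never echoes the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def find_cleartext_credentials(clixml_text):
    """Return (type_name, property_name, masked_value) for every sensitive property
    serialized as a plain string (<S>); SecureString (<SS>) properties are skipped."""
    root = ET.fromstring(clixml_text)
    ns = f"{{{PS_NS}}}"
    findings = []
    for obj in root.iter(ns + "Obj"):
        type_el = obj.find(f"{ns}TN/{ns}T")
        type_name = type_el.text if type_el is not None else "<unknown>"
        props = obj.find(ns + "Props")
        if props is None:
            continue
        for prop in props:
            name = prop.get("N", "")
            if prop.tag == ns + "S" and name.lower() in SENSITIVE_PROPS and prop.text:
                findings.append((type_name, name, _mask(prop.text)))
    return findings
```

Run it over every `*.xml` pulled from a share audit; a hit on a `PSADPasswordCredential` or `PSCredential` object with a plain `<S N="Password">` is exactly the pivot this box relied on.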
Privilege Escalation — Azure AD Connect
mhope was a member of the Azure Admins group. Azure AD Connect stores credentials for syncing on-prem AD with Azure AD — and those credentials can be extracted.
The Azure AD Connect database contains the domain admin password used for synchronization. With the right access, you can decrypt it.
Domain Admin creds: administrator:d0m@in4dminyeah!
Credentials
| Username | Password | Source |
|---|---|---|
| SABatchJobs | SABatchJobs | Password spraying |
| mhope | 4n0therD4y@n0th3r$ | azure.xml in SMB share |
| administrator | d0m@in4dminyeah! | Azure AD Connect extraction |
What I Learned
Password spraying — always try username=password and common weak passwords against enumerated users. SABatchJobs:SABatchJobs is a classic service account mistake.
Azure AD Connect — when you see this installed on a box and you have access to the Azure Admins group, the sync credentials are extractable. This is a known attack path.
XML config files in SMB shares — always check every file. The azure.xml with cleartext credentials was the pivot point.
Pattern: “Azure AD Connect on a DC + Azure Admins group membership = extract the sync credentials for Domain Admin.”