From Anonymous RPC Enumeration to Domain Admin via Azure AD Connect
Target: Monteverde (10.129.228.111) [Hack The Box]
OS: Windows
Difficulty: Medium
Attack Vectors: Anonymous RPC Enumeration -> Password Spray -> SMB File Discovery -> Azure AD Connect Credential Decryption
Executive Summary
Assessment Date: April 29, 2026
Risk Level: CRITICAL
Author: R00t3dbyFa17h\Nicholas Mullenski
Overview
An assessment of the “Monteverde” Domain Controller revealed a chain of misconfigurations that led to a full domain compromise. The DC permitted anonymous RPC enumeration of all domain accounts, a service account was protected by a trivially weak password, sensitive credential files were left exposed on an SMB share, and a member of the Azure Admins group was able to decrypt credentials stored in the local Azure AD Connect database — ultimately recovering the Domain Administrator’s password in cleartext.
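The first link in the chain above is the Domain Controller answering anonymous (null-session) RPC binds. The following audit script is an added example written for this summary, not part of the original report or of the Monteverde lab; it reads the Windows controls that govern anonymous enumeration and flags any that deviate from the hardened setting. It assumes an elevated PowerShell session on the DC with the ActiveDirectory module installed, and it assumes (as is the common case on a DC) that anonymous account enumeration is granted through ANONYMOUS LOGON or Everyone being a member of "Pre-Windows 2000 Compatible Access"; the function and variable names are the author's own.

```powershell
# Added audit example (not from the original report). Reviews the controls that
# decide whether a Domain Controller answers anonymous RPC/SAMR enumeration.
# Assumes: elevated session on the DC, ActiveDirectory module available.

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srvPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()

# 1. LSA / server anonymous-access controls with their hardened values.
$checks = @(
    @{ Path = $lsaPath; Name = 'RestrictAnonymous';         Expected = 1 },  # deny anonymous enumeration of shares and accounts
    @{ Path = $lsaPath; Name = 'RestrictAnonymousSAM';      Expected = 1 },  # deny anonymous enumeration of SAM accounts
    @{ Path = $lsaPath; Name = 'EveryoneIncludesAnonymous'; Expected = 0 },  # Everyone permissions must not extend to Anonymous
    @{ Path = $srvPath; Name = 'RestrictNullSessAccess';    Expected = 1 }   # null sessions limited to the explicit pipe/share lists
)
foreach ($c in $checks) {
    $actual = Get-RegistryValue -Path $c.Path -Name $c.Name
    $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }
    $status = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
    $findings += [pscustomobject]@{
        Control = $c.Name; Actual = $shown; Expected = $c.Expected; Status = $status
    }
}

# 2. Named pipes and shares explicitly opened to null sessions (should be empty).
foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
    $val    = Get-RegistryValue -Path $srvPath -Name $name
    $shown  = if ($val) { ($val -join ', ') } else { '(empty)' }
    $status = if ($val) { 'REVIEW' } else { 'OK' }
    $findings += [pscustomobject]@{
        Control = $name; Actual = $shown; Expected = '(empty)'; Status = $status
    }
}

# 3. On a DC, anonymous account enumeration is usually granted by well-known
#    principals in "Pre-Windows 2000 Compatible Access". Compare member SIDs
#    against ANONYMOUS LOGON (S-1-5-7) and Everyone (S-1-1-0).
Import-Module ActiveDirectory
$group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
$memberSids = foreach ($dn in $group.member) {
    (Get-ADObject -Identity $dn -Properties objectSid).objectSid.Value
}
$openSids = $memberSids | Where-Object { $_ -in @('S-1-5-7', 'S-1-1-0') }
$shown    = if ($memberSids) { ($memberSids -join ', ') } else { '(no members)' }
$status   = if ($openSids) { 'REVIEW' } else { 'OK' }
$findings += [pscustomobject]@{
    Control  = 'Pre-Windows 2000 Compatible Access'
    Actual   = $shown
    Expected = 'Authenticated Users (S-1-5-11) only'
    Status   = $status
}

$findings | Format-Table -AutoSize
```

Any row marked REVIEW is a place where the DC may still hand an unauthenticated client the user list that seeded the password spray in this engagement; removing ANONYMOUS LOGON and Everyone from the compatibility group and setting the LSA values to their hardened defaults closes that first step.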
Key Findings:
- Anonymous RPC Enumeration: The Domain Controller allowed null-session binds to RPC, exposing the full list of domain users including service accounts (SABatchJobs, AAD_987d7f2f57d2). This provided the attacker a username…