Monteverde

For those struggling with the initial password, what are some really obvious things users will do when there’s next to no password policy?

1234567
password

What else might be a really convenient password for them?

I liked it, I’d rate the difficulty between easy and medium. Inb4 this machine gets spoiled to shi!t lol.

Struggling with confirming first PW for the user I suspect I could get foothold on. Have bash bruted ~400 passwords and really must be missing something obvious…

Spent ages looking for root priv esc with A**** and found a few things that looked promising but ultimately can’t get anything to work. I’m currently trying to get into the A*Sy** database… am I on the right track or not?

Finally. I was on the right track, using the right service with the right idea about the password BUT I didn’t fully enumerate users that could log in. Used the right username:password and have actual user. Wanted to thank @VbScrub @iQimpz @th3y Thank you for letting me know I was in the right mindset with my password and service. You led me to use it on additional users.

@VbScrub I found a way into the database but I don’t see anything terribly useful. I would also like to know if I’m just overlooking something…

@th37 if you google the database name and “exploit” or something similar, you’ll find a good article that explains how to extract the password from it… but their example code needs some tweaking to get it to work with this server. That’s what I’m currently doing.

lol @VbScrub I have read that article like ten times, and now it makes sense. haha Thanks!

This is perhaps the hardest simple (as opposed to complex and large) box I’ve done. Lol. What a bumpy ride…

Some tips:

USER:
Do you feel stuck between a rock and a hard place?
Take it slow and enjoy a Hazy Jasmine.
You see, for this magic trick to win the race,
you need to apply some …

ROOT:
(No poem. Sorry guys.)
This is a case of something obvious being less important than what you cannot immediately see. If you manage to get your hands on powerful knowledge it likely won’t work at first. Try to tweak it so that the building before the big, Open request looks a little more familiar and explicitly states where and what.

Ps: for more horrible poems, please contact The Vogons, or give me a DM on Discord.

Got root :)

Biggest stall for me was the fact that I messed up my original S** connection string, and foolishly kept reusing the broken part for future attempts. A quick pointer from @gverre helped me realise my mistake though.

Don’t be put off going for root by the fact it’s to do with A****. In the end that doesn’t really factor into what you actually exploit (well, you exploit something it uses). You can find PS and C# code online that does all the work for you, but just needs a little tweak. There’s even a long YouTube video and some slides that explain it all in more detail if you’re interested in understanding it.

And ROOT! Good box… learned some things.

Like @VbScrub, I got sidetracked by messing up s**m*p strings - and didn’t think how to simplify testing the likely password combinations, but @gverre’s help put me back on track.

Quite often I find some of the clues in the forum more confusing than those left on the box :) - I couldn’t see why AV and reverse shells would have been an issue. Oh and lazy administrators could think up lots of dumb things as passwords without it being in a list - not just the one s/he happened to choose in this case.

IMHO: One thing I did learn is putting likely passwords into a list and using that with a script or metasploit is better if you want to test a number of users than doing it manually - it is much more likely that you will mess something up and get a false negative if you don’t do it through an automated way. That may be obvious to others - I had to re-learn that this time.

Root was much easier than user in the end (both should have been straightforward though)

Paying it backwards - dm for help.

Hello all, this is my first time attempting a Windows box (only my third ever) and I have no idea where to begin with all of these RPC services. Before I dive into anything here, does anyone have any suggestions for retired box walkthroughs to check out that are similar to this or that will point me in the right direction of properly enumerating/exploiting Windows machines?

I have much, much to learn.

Thanks!

@Pooky said:

Hello all, this is my first time attempting a Windows box (only my third ever) and I have no idea where to begin with all of these RPC services. Before I dive into anything here, does anyone have any suggestions for retired box walkthroughs to check out that are similar to this or that will point me in the right direction of properly enumerating/exploiting Windows machines?

I have much, much to learn.

Thanks!

Check out https://ippsec.rocks and search for active directory or windows. The Active box might be a good place to start.

Can anyone provide hints on getting a certain string right for root? I think I’m on the right track, but compiling the tool and running it fails, and I believe it is because of this string being incorrect.

Edit: Got root!

@ssklash said:
@Pooky said:

Hello all, this is my first time attempting a Windows box (only my third ever) and I have no idea where to begin with all of these RPC services. Before I dive into anything here, does anyone have any suggestions for retired box walkthroughs to check out that are similar to this or that will point me in the right direction of properly enumerating/exploiting Windows machines?

I have much, much to learn.

Thanks!

Check out https://ippsec.rocks and search for active directory or windows. The Active box might be a good place to start.

Thanks, I will have a good look at the Active box!

Is anyone willing to give a hand with BH? I got user already.

I don’t even know what to do after nmap. I can never seem to get a grip on Windows boxes :|

I’m pretty sure the hound isn’t needed; there are two applications/services which should stick out like sore thumbs if you dig around the box.

Though if anyone has managed to get root using the hound, please PM, ’cause I’d like to hear it!

Think simple. This machine is really easy.