Monteverde

Type your comment> @secucyber said:

Hi,

Got user and now on root. I figured that the path to root is linked on A****. I found some interesting things on user directory (TokC****.dat, AzRmC**.json) and read some blog posts about this subject (xpnsec) … Am I on the right way ? Any nudges ? Thanks

First part is correct, but the Tok****.dat file does not come into it (at least not the way I and most others did it). Keep researching online for ways to exploit AD via A*****

Hi, if someone can please pm me that manage to get user password, so can run by few things, just make sure I not doing it wrong.

Struggling to get root. I know the service I’m supposed to exploit but can’t seem to find any scripts for that.
Can anyone please PM a hint. Thanks

I am trying to copy and paste my PowerShell script directly into the E***-W**** prompt and it’s not parsing the entire script as one, instead line by line…

Anyone know how I can get around this?

Edit… nevermind few minutes later figured it out… DOH

Aaand got root. Nice box, really enjoyed it and learnt a lot.

Removed

Really stuck on rooting this one. I’ve identified the service everyone is talking about, but can’t seem to get the right configurations from the DB system, much less get my exploit code onto the system. The instable shell that crashes every ~5 commands doesn’t seem to help either. Any nudges would be much appreciated!

Edit: Rooted. Hint for rooting if you were stuck in the same place - figure out why the exploit you are using may not be working. It’s not rocket science! Minor adaptations to overcome this issue will help you on your way towards root. Good luck! PM is open for nudges :slight_smile:

thanks for nudge.

Removed

Finally, got it. Overall pretty easy box, using a certain language to communicate with a certain service for the first time was a little frustrating. PM if you need hints.

Hi,

Please, if you create a exploit, remove it afterwards.

I thought a PS1 script was created by the user, but after checking the comments here it wasn’t the case.

Nice box, thank you @egre55! Relatively easy user foothold if you use a systematic approach to password guessing and do not over-complicate things. Shouldn’t need more than 5-10 password guesses per user. Root was overwhelming at first because I wasn’t familiar with this cloud technology. Then it turned out that the exploit didn’t have much to do with the cloud technology itself. Feel free to DM if you want more specific hints.

Type your comment> @twypsy said:

Hi,

Please, if you create a exploit, remove it afterwards.

I thought a PS1 script was created by the user, but after checking the comments here it wasn’t the case.

Yeah I was wondering about that (this is only my third machine on here).

I know personally I feel bad whenever I have to copy anything over to the machine and always copy it to some obscure location that hopefully no one else will be looking at, then delete it as soon as I’m done. I assumed everyone else did the same, but did wonder if people often left things behind…

AND got root!

Thanks to @nebulousanchor , @CyberMnemosyne and @chvancooten for helping. As others had said, I was there with the user but simply using it incorrectly. Once you are in, you will figure out what to do next, but then you have to do some research. You can end up going down a rabbit hole, or at least I did.

Does ev**-w**** work with the second user credentials?

@zard yes

do i need to import the A**** module for root?

ooooo easy user. Root may wait for tomorrow…getting late.

For root:
when you find the tool you need, it only needs very minor tweaks to work. Thanks to @ssklash for the tip.

This box is truly annoying. e***-w**** fails to work with valid credentials.

Spoiler Removed