Monteverde

Had so much fun.
Wanted a new Windows box for improving AD pentesting skills and it just appeared ;d
Root part was easier than user.

Great box!

Feel free to PM. I won’t respond to messages like these - [“hi, help me”, “what can i do”, “it does not work”] … be more specific!

Good box, although I don’t like these guess-the-thing stages. But I suppose that’s also part of penetration testing, especially with bad password practices (not comparable at all to “guessing the technology” like in the Mango machine). I really liked exploiting that service on root since I hadn’t done that before.

So I’ve found a list of users, and tried every combination I can think of for passwords and users. Can I get a hint in PMs?? I’m sure I’m doing something stupid

-edit

Got it now

rooted! thx @TheRamen for the help!

rooted. Learned something about a—e cloud and S-- server.

Root: If you are a Linux guy like me, you need to understand the meaning of the connection string in the POC, especially another way of authentication.

I think I’m being really stupid - I have an MB domain, but I’m not sure what to do so I can use it in im* - can someone just DM me with the right syntax?

What a great machine,

A good example that sometimes we don’t focus on the simple.

Start: the whole key is the enumeration, but here the rule is not to complicate things and to think like an administrator who is a bit lazy. Remember that you have no restriction on passwords, but you also do not have to brute force.

User: the list will open the doors to locate what you need from the user; you already have everything, only EW and your creds.

Root: a good example of taking advantage of technology; it was a very good method. Getting used to throwing commands is important, but I think a good connection will help you climb. I know it sounds very weird, but believe me, it should be.

I thank @CyberMnemosyne and @TheRamen for confirming the correct path, and especially the creator of the machine for this very good challenge.

If any of this is spoiler please delete.

Rooted. Pretty easy box, I just got hung up slightly on the root exploit. Thanks to @madhack and @flipflop139874 for the guidance.

Hi all, I’m currently stuck on connecting to a storage service. Can’t figure out the authentication method. May I ask for some guidance? I will show my attempts. Thanks!

EDIT: and, as always happens, five minutes after posting I found the culprit and solved my problem.

Got user
Hints:
After you get the first creds (all those previous hints about the typical lazy admin) you need to find the second creds (check the users’ folders in the s** shares, you’ll get the name of the user)
It’s somewhere in the machine, no more than cat is needed
After that, dEVIL will work fine)
Feel free to PM me, glad to help

Spoiler Removed

I tried “guessing”, then I got really really (really) dumb about password management. Got access to one “user” and found a neat file in another user’s directory with a very common tool (that isn’t evil). Then I found a crumb that worked for another user inside of the neat file after I exfiltrated it. I was able to use a more evil tool with the 2nd set of creds from the neat file. Absolutely zero brute forcing is required, but a little mist or spray might make your privilege garden grow ( :stuck_out_tongue: ). If you’re throwing word/dict lists at this box, you’re doing it wrong (like I was when I first started, lol).

I’m saving root for another day, but I have a feeling it has something to do with the steaming pile of Microsoft called A***E and how it (poorly) “handles” creds.

Thanks to the creator, I like these winblows boxes! It’s a nice change of pace.

Root Tip: Don’t just google and scan. Google and read the articles that show up so you learn. There is one link that contains many. If you’re there you’re heading in the right direction. Also keep your head out of the clouds. When you find what you are looking for review it with a text editor that shows color. Fix the issues and add your code. I had help with the adding code so I can’t really explain a bit of it. Thanks to @NoWay191 and @babywyrm

Edit: I got it, I rabbit holed into one user…gotta try them all! One trick is to look at logon numbers, many users haven’t logged in which narrows it down!

Stuck.
I’ve got creds and I connected via S*B into folder u*****, but I don’t know where to go. I think I need second creds but I don’t know where to look for them.
Can someone give me a hint?

@Ninjacoder said:

Can anyone send me some nudges on user? I found the user to use (I think) and have tried two different s*b tools with as many default pws as I can think of…I’m sure it’s something stupid simple.

Thanks!

It’s hard to give a nudge without totally giving it away but honestly really take heed of how dumb a ‘password’ could be if you could set it to whatever you like.

You don’t need a dictionary attack or brute force or anything. It’s all right there. I had to really wrack my brain before I got the ‘aha!’ moment and laughed at how stupid and overlooked it was.

@Meise said:
Stuck.
I’ve got creds and I connected via S*B into folder u*****, but I don’t know where to go. I think I need second creds but I don’t know where to look for them.
Can someone give me a hint?

If you can connect via S*B then you’re about 2 steps away from user. You’ve overlooked something. It’s right there.

So there are definitely enough hints here to get a foothold on the box and from there it is just more and more enumeration to get credentials to access the box as the user account which gives you user.txt

The biggest hurdle is that what is obvious to some people is not to others. The user/password is, in hindsight, obvious but it did take me a while.

My main suggestion is to enumerate the box (domains, groups, users, etc) and use everything you find to create a list of usernames and passwords. Then try it.

Getting root/admin is surprisingly easy after you’ve done some enumeration. You should find something interesting and quick googling will point to an attack.

The attack works perfectly.

Running the a**** m*** exploit makes my e***-****m session crash, anyone having the same problem?

@bobbuilder said:

Running the a**** m*** exploit makes my e***-****m session crash, anyone having the same problem?

That happens when there’s a fatal error from the exploit.