Monteverde

What a great machine,

A good example that sometimes we don’t focus on the simple.

Start: the whole key is the enumeration, but here the rule is not to complicate things and to think like an administrator who is a bit lazy. Remember that you have no restriction on passwords, but you also do not have to brute force.

User: the list will open the doors to locate what you need from the user; you already have everything, only EW and your creds.

Root: a good example of taking advantage of technology; it was a very good method. Getting used to throwing commands is important, but I think a good connection will help you climb. I know it sounds very weird, but believe me, it should be.

I thank @CyberMnemosyne and @TheRamen for confirming the correct path, and especially the creator of the machine for this very good challenge.

If any of this is spoiler please delete.

Rooted. Pretty easy box, I just got hung up slightly on root exploit. Thanks to @madhack and @flipflop139874 for the guidance.

Hi all, I’m currently stuck on connecting to a storage service. Can’t figure out the authentication method. May I ask for some guidance? I will show my attempts. Thanks!

EDIT: and, as always happens, five minutes after posting I found the culprit and solved my problem.

Got user
Hints:
After you get the first creds (all those previous hints about a typical lazy admin), you need to find the second creds (check the folders of users in s** shares, you’ll get the name of the user)
It’s somewhere in the machine, no more than cat is needed
Next that dEVIL will work fine)
Feel free to PM me, glad to help

Spoiler Removed

I tried “guessing”, then I got really really (really) dumb about password management. Got access to one “user” and found a neat file in another user’s directory with a very common tool (that isn’t evil). Then I found a crumb that worked for another user inside of the neat file after I exfiltrated. I was able to use a more evil tool with the 2nd set of creds from the neat file. Absolutely zero brute forcing is required, but a little mist or spray might make your privilege garden grow ( :stuck_out_tongue: ). If you’re throwing word/dict lists at this box, you’re doing it wrong (like I was when I first started, lol).

I’m saving root for another day, but I have a feeling it has something to do with the steaming pile of microsoft called A***E and how it (poorly) “handles” creds.

Thanks to the creator, I like these winblows boxes! It’s a nice change of pace.

Root Tip: Don’t just google and scan. Google and read the articles that show up so you learn. There is one link that contains many. If you’re there you’re heading in the right direction. Also keep your head out of the clouds. When you find what you are looking for review it with a text editor that shows color. Fix the issues and add your code. I had help with the adding code so I can’t really explain a bit of it. Thanks to @NoWay191 and @babywyrm

Edit: I got it, I rabbit holed into one user…gotta try them all! One trick is to look at logon numbers, many users haven’t logged in which narrows it down!

Stuck.
I’ve got creds and I connected S*B into folder u*****, but I don’t know where to go. I think I need second creds but I don’t know where to look for them.
Can someone give me a hint?

@Ninjacoder said:

Can anyone send me some nudges on user? I found the user to use (I think) and have tried two different s*b tools with as many default pws as I can think of…I’m sure it’s something stupid simple.

Thanks!

It’s hard to give a nudge without totally giving it away but honestly really take heed of how dumb a ‘password’ could be if you could set it to whatever you like.

You don’t need a dictionary attack or brute force or anything. It’s all right there. I had to really wrack my brain before I got the ‘aha!’ moment and laughed at how stupid and overlooked it was.

@Meise said:
Stuck.
I’ve got creds and I connected S*B into folder u*****, but I don’t know where to go. I think I need second creds but I don’t know where to look for them.
Can someone give me a hint?

If you can connect via S*B then you’re about 2 steps away from user. You’ve overlooked something. It’s right there.

So there are definitely enough hints here to get a foothold on the box and from there it is just more and more enumeration to get credentials to access the box as the user account which gives you user.txt

The biggest hurdle is that what is obvious to some people is not to others. The user/password is, in hindsight, obvious but it did take me a while.

My main suggestion is to enumerate the box (domains, groups, users, etc) and use everything you find to create a list of usernames and passwords. Then try it.

Getting root/admin is surprisingly easy after you’ve done some enumeration. You should find something interesting and quick googling will point to an attack.

The attack works perfectly.

Running the a**** m*** exploit makes my e***-****m session crash, anyone having the same problem?

@bobbuilder said:

Running the a**** m*** exploit makes my e***-****m session crash, anyone having the same problem?

That happens when there’s a fatal error from the exploit.

Root was super fun and I learned a bunch! My hunch was right in regards to A***E. The POC code from a certain three letter handle on github is a steaming pile trashbutt. I had to rewrite most of the POC script, but it worked in the end. Getting root on this box is another shining example of why not to give your keys to the castle to M$ and their “cloud offering”.

Thanks so much to @secucyber for keeping me on the right track and to the creator for a super fun box.

Hit me up if you need help.

Who broke the box

Nice box. Whenever working with Windows, I get to know different tools and gain good knowledge. Thank you for helping me get root on this box, @GhostSquad, @rholas and @madhack.

Rooted
Thanks for the help with root @CyberMnemosyne
Nice and interesting box.

#rooted… contact me if you need some nudge

Spent far too long on the initial guessing game. At the end of the day, I suppose it certainly is quite realistic, but I was majorly overcomplicating it. I would have rated this box closer to the “Easy” end of ratings as far as user goes, but I can understand why root might pose more of a challenge for those who are a bit unfamiliar with the service.

Hints per usual:

Foothold: Everyone is right about not needing a wordlist. Once you enumerate the users on the machine (basic scans can do this for you), you have everything you need. Try harder.

Once you have access, look around a bit. There’s something lying around for you which will help you escalate to a different user.

User: Utilize what you obtained. Be evil about it.

Root: Check your groups. Enumerate the service you find, and utilize the POC.

Thanks @egre55