Monteverde

@Ninjacoder said:

Can anyone send me some nudges on user? I found the user to use (I think) and have tried two different s*b tools with as many default pws as I can think of…I’m sure it’s something stupid simple.

Thanks!

It’s hard to give a nudge without totally giving it away but honestly really take heed of how dumb a ‘password’ could be if you could set it to whatever you like.

You don’t need a dictionary attack or brute force or anything. It’s all right there. I had to really wrack my brain before I got the ‘aha!’ moment and laughed at how stupid and overlooked it was.

@Meise said:
Stuck.
I’ve got creds and I connected S*B into folder u*****, but I don’t know where to go. I think I need a second set of creds but I don’t know where to look for it.
Can someone give me a hint?

If you can connect via S*B then you’re about 2 steps away from user. You’ve overlooked something. It’s right there.

So there are definitely enough hints here to get a foothold on the box and from there it is just more and more enumeration to get credentials to access the box as the user account which gives you user.txt

The biggest hurdle is that what is obvious to some people is not to others. The user/password is, in hindsight, obvious but it did take me a while.

My main suggestion is to enumerate the box (domains, groups, users, etc) and use everything you find to create a list of usernames and passwords. Then try it.

Getting root/admin is surprisingly easy after you’ve done some enumeration. You should find something interesting and quick googling will point to an attack.

The attack works perfectly.

running the a**** m*** exploit makes my e***-****m session crash, anyone having the same problem?

@bobbuilder said:

running the a**** m*** exploit makes my e***-****m session crash, anyone having the same problem?

That happens when there’s a fatal error from the exploit.

Root was super fun and I learned a bunch! My hunch was right in regards to A***E. The POC code from a certain three letter handle on github is a steaming pile trashbutt. I had to rewrite most of the POC script, but it worked in the end. Getting root on this box is another shining example of why not to give your keys to the castle to M$ and their “cloud offering”.

Thanks so much to @secucyber for keeping me on the right track and to the creator for a super fun box.

Hit me up if you need help.

Who broke the box

Nice box. Whenever working with Windows, I get to know the different tools and gain good knowledge. Thank you for helping me to get root on this box @GhostSquad, @rholas and @madhack

Rooted
Thanks for the help with root @CyberMnemosyne
Nice and interesting box.

#rooted… contact me if you need a nudge

Spent far too long on the initial guessing game. At the end of the day, I suppose it certainly is quite realistic, but I was majorly overcomplicating it. I would have rated this box closer to the “Easy” end of ratings as far as user goes, but I can understand why root might pose more of a challenge for those who are a bit unfamiliar with the service.

Hints per usual:

Foothold: Everyone is right about not needing a wordlist. Once you enumerate the users on the machine (basic scans can do this for you), you have everything you need. Try harder.

Once you have access, look around a bit. There’s something lying around for you which will help you escalate to a different user.

User: Utilize what you obtained. Be evil about it.

Root: Check your groups. Enumerate the service you find, and utilize the POC.

Thanks @egre55

Stuck with the POC

@m1rz said:

Stuck with the POC

You’re on the right track but might be looking at the wrong item to run. You don’t need to use the POC people are talking about, there is another set of tools out there as well.

Anyone can feel free to PM me for user or root help.

Took me a couple of days of reading documentation to get the PoC to work but finally got it. Feel free to PM for hints!

C:\Users\Administrator\Documents> whoami
m*******\administrator

Got root, box is interesting.

***** PS C:\Users\Administrator\Desktop> (Get-WmiObject Win32_OperatingSystem).CSName
MONTEVERDE
***** PS C:\Users\Administrator\Desktop> whoami
m****k\administrator
***** PS C:\Users\Administrator\Desktop> ls

Directory: C:\Users\Administrator\Desktop

Mode LastWriteTime Length Name


-ar--- 1/3/2020 5:48 AM 32 root.txt

Rooted with scripting help from @nach0brotha

As always happy to pass the hints forward.

Newer to HTB and first attempt at a live Windows machine (albeit probably too soon)

Found some info via ld*ch after learning it via ippsec, determined when the found accounts were created and assume these are what the other comments refer to with admin bad practices…my issue is I have not found where to try auth…rcnt? Am I on the somewhat right path with this or completely wrong for this box?

Stuck on root! I believe I know what should be exploited but I failed to find an exploit or get the idea to write one.

Any nudges?

User: lazy admin, check all possible paths for login

Root: ensure the script has no syntax errors, one little mistake will stop it. And the biggest one, check the CONNECTION STRING for the appropriate usage.

Hope that helps :)

Kinda stuck in the admin part… Would appreciate any nudges!