Monteverde

Nice box. Whenever working with Windows, I get to know the different tools and gain good knowledge. Thank you for helping me get root on this box @GhostSquad, @rholas and @madhack

Rooted
Thanks for the help with root @CyberMnemosyne
Nice and interesting box.

#rooted… contact me if you need some nudge

Spent far too long on the initial guessing game. At the end of the day, I suppose it certainly is quite realistic, but I was majorly overcomplicating it. I would have rated this box closer to the “Easy” end of ratings as far as user goes, but I can understand why root might pose more of a challenge for those who are a bit unfamiliar with the service.

Hints per usual:

Foothold: Everyone is right about not needing a wordlist. Once you enumerate the users on the machine (basic scans can do this for you), you have everything you need. Try harder.

Once you have access, look around a bit. There’s something lying around for you which will help you escalate to a different user.

User: Utilize what you obtained. Be evil about it.

Root: Check your groups. Enumerate the service you find, and utilize the POC.

Thanks @egre55

Stuck with the POC

@m1rz said:

Stuck with the POC

You’re on the right track but might be looking at the wrong item to run. You don’t need to use the POC people are talking about, there is another set of tools out there as well.

Anyone can feel free to PM me for user or root help.

Took me a couple of days of reading documentation to get the PoC to work but finally got it. Feel free to PM for hints!

C:\Users\Administrator\Documents> whoami
m*******\administrator

Got root, box is interesting.

***** PS C:\Users\Administrator\Desktop> (Get-WmiObject Win32_OperatingSystem).CSName
MONTEVERDE
***** PS C:\Users\Administrator\Desktop> whoami
m****k\administrator
***** PS C:\Users\Administrator\Desktop> ls

Directory: C:\Users\Administrator\Desktop

Mode LastWriteTime Length Name


-ar--- 1/3/2020 5:48 AM 32 root.txt

Rooted with scripting help from @nach0brotha

As always happy to pass the hints forward.

Newer to HTB and first attempt at a live Windows machine (albeit probably too soon)

Found some info via ld*ch after learning it via ippsec, determined when the found accounts were created and assumed these are what the other comments refer to with admin bad practices… my issue is I have not found where to try auth… rcnt? Am I on the somewhat right path with this or completely wrong for this box?

Stuck on root! I believe I know what should be exploited but I failed to find an exploit or get the idea to write one.

Any nudges?

User: lazy admin, check all possible paths for login

Root: ensure the script has no syntax errors, one little mistake will stop it. And the biggest one, check the CONNECTION STRING for the appropriate usage.

Hope that helps :slight_smile:

Kinda stuck in the admin part… Would appreciate any nudges!

I’m stuck on this one. More down to lack of knowledge on tooling I suspect. I have found a list of users, groups and the domain etc, but not sure what tools I should be using now to get on the box. SMBmap doesn’t give info on shares, so smbclient doesn’t work, am I looking in the wrong place here?

@CuriousJ said:

I’m stuck on this one. More down to lack of knowledge on tooling I suspect. I have found a list of users, groups and the domain etc, but not sure what tools I should be using now to get on the box. SMBmap doesn’t give info on shares, so smbclient doesn’t work, am I looking in the wrong place here?

You are on the right track - once you collect a list of users and know the domain name, you should be able to continue. You can validate the accounts without getting a shell of any sort - look into password spraying on smb, there are various tools.

As others said, the password is something a lazy user/admin would set…

@lukeasec said:

@CuriousJ said:

I’m stuck on this one. More down to lack of knowledge on tooling I suspect. I have found a list of users, groups and the domain etc, but not sure what tools I should be using now to get on the box. SMBmap doesn’t give info on shares, so smbclient doesn’t work, am I looking in the wrong place here?

You are on the right track - once you collect a list of users and know the domain name, you should be able to continue. You can validate the accounts without getting a shell of any sort - look into password spraying on smb, there are various tools.

As others said, the password is something a lazy user/admin would set…

Thanks mate, was just looking into another tool for exactly that purpose! :slight_smile:

I guessed the account/password first shot, always nice! lol.

Got the file now and the next password, just to figure out what to do with it now. Getting there!

Rooted!!!

Interesting box, not very easy and not very difficult (given you have previous experience with windows boxes)

Hints:
User: lazy users and lazy admins, the most basic password a user thinks of. Try and get your SHARE using the lazy user.

Root: Try enumerating about the part of groups the user is involved, then do some googling about how to pentest that particular service. You will get the appropriate script :wink:

As always, happy to lend the helping hand only to those who actually want to learn something and not just want straight answers :slight_smile:

I can log in now as a**** a**** user, still over same protocol. Should I be finding user flag at this point? as can’t see anything anywhere. Or am I supposed to be connecting/exploiting something different now with new creds? Assuming then on to an a**** exploit for the root access but not even started looking at that yet.

EDIT - Nevermind, seen the tool I need.

@farbs said:

Spent far too long on the initial guessing game. At the end of the day, I suppose it certainly is quite realistic, but I was majorly overcomplicating it. I would have rated this box closer to the “Easy” end of ratings as far as user goes, but I can understand why root might pose more of a challenge for those who are a bit unfamiliar with the service.

Hints per usual:

Foothold: Everyone is right about not needing a wordlist. Once you enumerate the users on the machine (basic scans can do this for you), you have everything you need. Try harder.

Once you have access, look around a bit. There’s something lying around for you which will help you escalate to a different user.

User: Utilize what you obtained. Be evil about it.

Root: Check your groups. Enumerate the service you find, and utilize the POC.

Thanks @egre55

“Try harder” while you thank someone, guess you tried really hard. Thank you for the “try harder” tip at user while directly hinting afterwards to the tool that needs to be used with the credentials.