Monteverde

Got root, box is interesting.

***** PS C:\Users\Administrator\Desktop> (Get-WmiObject Win32_OperatingSystem).CSName
MONTEVERDE
***** PS C:\Users\Administrator\Desktop> whoami
m****k\administrator
***** PS C:\Users\Administrator\Desktop> ls

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         1/3/2020   5:48 AM             32 root.txt

Rooted with scripting help from @nach0brotha

As always happy to pass the hints forward.

Newer to HTB and first attempt at a live Windows machine (albeit probably too soon)

Found some info via ld*ch after learning it via ippsec, determined when the found accounts were created and assume these are what the other comments refer to with admin bad practices… my issue is I have not found where to try auth…rcnt? Am I on the somewhat right path with this or completely wrong for this box?

Stuck on root! I believe I know what should be exploited but I failed to find an exploit or get the idea to write one.

Any nudges?

User: lazy admin, check all possible paths for login

Root: ensure the script has no syntax errors, one little mistake will stop it. And the biggest one, check the CONNECTION STRING for the appropriate usage.

Hope that helps :slight_smile:

Kinda stuck in the admin part… Would appreciate any nudges!

I’m stuck on this one. More down to lack of knowledge on tooling I suspect. I have found a list of users, groups and the domain etc, but not sure what tools I should be using now to get on the box. SMBmap doesn’t give info on shares, so smbclient doesn’t work, am I looking in the wrong place here?

@CuriousJ said:

I’m stuck on this one. More down to lack of knowledge on tooling I suspect. I have found a list of users, groups and the domain etc, but not sure what tools I should be using now to get on the box. SMBmap doesn’t give info on shares, so smbclient doesn’t work, am I looking in the wrong place here?

You are on the right track - once you collect a list of users and know the domain name, you should be able to continue. You can validate the accounts without getting a shell of any sort - look into password spraying on smb, there are various tools.

As others said, the password is something a lazy user/admin would set…

@lukeasec said:

@CuriousJ said:

I’m stuck on this one. More down to lack of knowledge on tooling I suspect. I have found a list of users, groups and the domain etc, but not sure what tools I should be using now to get on the box. SMBmap doesn’t give info on shares, so smbclient doesn’t work, am I looking in the wrong place here?

You are on the right track - once you collect a list of users and know the domain name, you should be able to continue. You can validate the accounts without getting a shell of any sort - look into password spraying on smb, there are various tools.

As others said, the password is something a lazy user/admin would set…

Thanks mate, was just looking into another tool for exactly that purpose! :slight_smile:

I guessed the account/password first shot, always nice! lol.

Got the file now and the next password, just to figure out what to do with it now. Getting there!

Rooted !!!

Interesting box, not very easy and not very difficult (given you have previous experience with Windows boxes).

Hints:
User: lazy users and lazy admins, the most basic password a user thinks of. Try and get your SHARE using the lazy user.

Root: Try enumerating about the part of groups the user is involved, then do some googling about how to pentest that particular service. You will get the appropriate script :wink:

As always, happy to lend the helping hand only to those who actually want to learn something and not just want straight answers :slight_smile:

I can log in now as a**** a**** user, still over same protocol. Should I be finding user flag at this point? as can’t see anything anywhere. Or am I supposed to be connecting/exploiting something different now with new creds? Assuming then on to an a**** exploit for the root access but not even started looking at that yet.

EDIT - Nevermind, seen the tool I need.

@farbs said:

Spent far too long on the initial guessing game. At the end of the day, I suppose it certainly is quite realistic, but I was majorly overcomplicating it. I would have rated this box closer to the “Easy” end of ratings as far as user goes, but I can understand why root might pose more of a challenge for those who are a bit unfamiliar with the service.

Hints per usual:

Foothold: Everyone is right about not needing a wordlist. Once you enumerate the users on the machine (basic scans can do this for you), you have everything you need. Try harder.

Once you have access, look around a bit. There’s something lying around for you which will help you escalate to a different user.

User: Utilize what you obtained. Be evil about it.

Root: Check your groups. Enumerate the service you find, and utilize the POC.

Thanks @egre55

“Try harder” while you thank someone, guess you tried really hard; thank you for the try harder tip at user while directly hinting afterwards to the tool that needs to be used with the credentials.

@seke he was thanking the maker of the box lol

Is it necessary to query the DB for root?

@syn4ps said:
Is it necessary to query the DB for root?

Yes.

Struggling with root. Trying to read about A**** and issues, find lots about specific issue, but can’t find anything to exploit it. Grrrrr.

I haven’t even looked at the DB side of things yet, I assume that is just to get an admin user name? Then exploit the other thing to gain access?

A nudge would be very welcome if anyone can provide one. :slight_smile:

@CuriousJ maybe have a look at the DB then!

Don’t be like me! Whatever you find in the DB that looks vaguely interesting, Google it!

Yeah I will look at it, I just didn’t think it was going to be relevant, thought it was a rabbit hole, until I saw @VbScrub comment! Lol

I think I am in the same boat as @CuriousJ
I have been so focused in the a**** realm that I barely touched the DB. Thought it was a rabbit hole at first but not so sure now with this hint. Most of the higher-end queries I attempted got a “may not have permission to do this”, so I gave up on the DB.