Monteverde

I have to agree with @ryan412 here. Getting user took me a lot longer than it should have simply because I didn’t guess the obvious fast enough. I tried a lot of other “obvious” things but not the right one.

Priv esc was surprisingly easy and close to click, click pwn.

I wouldn’t say I disliked this box, but it was a bit disappointing in places.

got root
thx @igevi for the hint to root
pm me if need some hints

The initial guessing will be the death of me. Can’t seem to guess the ‘obvious’ password…

*~ Got it, Just needed to try with other users…

I managed to get user and root. Very interesting machine.

Hint for user: be lazy, check the very obvious thing first, but then don’t go storming the same door that allowed you to verify the discovered credentials; use them to poke around.
Hint for root: see what is installed and what is running, then find the exploit online. Don’t be a script kiddy though, you’re gonna have to find the proper way to use that PS script.

Kudos to the maker!

Aye if anyone can message me a nudge to find the POC that would be great. Searching around and not finding much for Ae A*

Found the right local PoC. ebil crashes when I run it. Do I need to specify another port?

Can anyone help me with guessing for the foothold? I seem really not able to guess it; my head is burning.

Finally rooted it.

Huge thanks to @AXANO and @emmycat for nudges and guidance.

@imousrf said:

Can anyone help me with guessing for the foothold? I seem really not able to guess it; my head is burning.

Just start with basic enum, then take advantage of lazy users’ bad habits for password choice.

@cyberafro said:

Just start with basic enum, then take advantage of lazy users’ bad habits for password choice.

just got it thanks to you and @sinanozdemir
and yeah just basic and lazyy

I found a list of users but I can’t log in with any common passwords. I’ve tried guessing basic ones and some popular wordlists. What am I missing? Can someone DM me a hint for the foothold?

@SirFIS said:

I found a list of users but I can’t log in with any common passwords. I’ve tried guessing basic ones and some popular wordlists. What am I missing? Can someone DM me a hint for the foothold?

It is a little bit annoying, but when you get this you will kick yourself. You have enough information right now and you even have a password, you just don’t realise it yet.

Take all the lists of information you have now and make a wordlist out of it.

Then try that.

I have it and you’re right @TazWake I am kicking myself for missing it.

Rooted. Feel free to PM me if you need a nudge 🙂

Just rooted.

  • user: no major skills are needed and the overall process is very similar to many other boxes. Indeed, getting the first shell is all about the common admin laziness and the normal enumeration.

  • root: learned something new. Despite the fact that I’m really potato with ps and s**, eventually I discovered a new way to get the info I need.

Been sitting on user credentials for a few hours now.
Struggling to move forward with them.

@gsxrjason said:

Been sitting on user credentials for a few hours now.
Struggling to move forward with them.

Assuming you’ve got user.txt

Enumerate what unusual thing your user account is part of and then google attacks against that thing.

If you haven’t got user.txt yet, there is an evil tool you can use to do remote management on Windows machines.

Initial foothold was fun and can definitely be linked to a real world scenario. I think I’ve even been guilty of that once when I first started. Think what might not be in a wordlist, but also might be easily guessable!

Really struggling with getting the POC to work for root however! If anyone wants to send me a nudge then you’re more than welcome to 🙂

Struggling to get the PoC to work - if anyone can point me in the right direction that would be amazing, been sat on this for a couple of hours now with no luck

Ignore! Worked it out by reading the instructions…

PS C:\Users\Administrator\Desktop> whoami
m…/administrator
PS C:\Users\Administrator\Desktop> ls

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
-ar---         1/3/2020   5:48 AM             32 root.txt

Finally rooted, thanks to @iSmarsh for the final hint about the ps script.

Good box. When googling, don’t be so confident that you’ll find the correct script. I lost time for this reason.