Monteverde

Don’t suppose anyone’s having issues with this:

CategoryInfo : ParserError: (:) [], ParseException
FullyQualifiedErrorId : TerminatorExpectedAtEndOfString

Retyped the script but still having issues.

Rooted! Thanks to @BrokenGQ for pointing out how to fix the above error and others who sent me nudges!

My inbox is open for anyone else who needs a hint, what a journey. Definitely my hardest root so far.

fun box
user was too easy for a medium box, if you are stuck think simple
I couldn’t spot the vulnerability for root at first, but the hints on the forum were very useful, and once you find the PoC you only need to add one thing to connect.

hit me up here or on discord if you need hints.

Idk if I can’t think simple or I’m using the wrong tools.

I tried with lpch queries, krb*e (the user domain enumeration goes OK, but idk if the authentication can work), el-wm with the most ‘not-overthinking passwords’ that I can think of, and all this starts with rclt, but no luck after enumeration. I even did a sbcnt for wordlist bruteforcing with the users/groups enumerated at rc****t but just no…

Did I miss something?

Feel free to dm me for hints. I will respond fast. I loved this box there is a lot of real world value to it!

@Taulio said:

Idk if I can’t think simple or I’m using the wrong tools.

I tried with lpch queries, krb*e (the user domain enumeration goes OK, but idk if the authentication can work), el-wm with the most ‘not-overthinking passwords’ that I can think of, and all this starts with rclt, but no luck after enumeration. I even did a sbcnt for wordlist bruteforcing with the users/groups enumerated at rc****t but just no…

Did I miss something?

What’s the laziest way of coming up with a password?

What’s the laziest way of coming up with a password?

Spoiler Removed

Repetition is a lazy trait!

Got it. I was trying with the wrong users ’cause I missed the little ‘response’ things.
Thanks.

@CuriousJ @Reiahx01

I have the users, the groups, domain etc. But either I’m using the wrong tool or I’m unable to guess this password. I have created a password list of all the things in the enumeration. Tried domain name, username, group names.

What am I missing here?

EDIT:

Found it. I was overthinking it. And too much focus on one part of the enumeration. I also used the s*******t to connect.

Now I’m having trouble escalating to another user with the found creds. The evil will not connect?

Any nudge?

Got user. Now enumerating for root. User is so simple that it is hard to take…

Very cool Windows box. Thx @egre55
For foothold, earlier in the topic there is an excellent article from OWASP. The next user is very simple, just enumerate.
Root tip: there are several versions of the SMB protocol if you need to copy something from your machine. And there is a ready-made exploit (with screenshots from HTB in the article :) ) already in the form of an application that just works and gets the password.
As usual, PM for hints.

Thank you - @egre55

Well that was a lesson learned on looking at lists and making sure you have everybody you need. I spent a lot of time trying everything without everyone being present.

Respect has been given (hopefully) to everyone that gave me a little nudge.

Confirming what AlexLTN said, root was very fast once you find the exploit to use.

Thanks for all your comments so far. Can someone give me a nudge regarding the Connection String? I can’t really find a reference to any loc**db.
Thanks!

I need help with root. Can somebody send me a PM to discuss? Thanks

This machine wound up being a blast!

Here are my hints:

Initial Foothold:

  • Scan, enumerate, and be thorough. As others have hinted, being a brute is not the way: be methodical. At some point you’ll find a bunch of users: what would a suuuper lazy admin do to set up a user, if said user didn’t seem immediately important?

User:

  • Once you’re in, find out what all you can access, map things out. Be nosy with other people’s things, and check back in on an old friend, he’s feeling blue.

Root:

  • Check out who User hangs out with, what their job is… do some googling for the service, and you should be a simple prebuilt away from victory.

(Aside)
I personally had a lot of unnecessary trouble with root, since I was looking for an article everyone else here had mentioned, with an unconventional search engine. For some reason, it just didn’t show up. I cannot stress this enough here, use. google.

If any of this is TMI, let me know and I’ll edit my post.
If you need any help, feel free to PM me- [just let me know what you’ve done so far]

The evil will not connect with the lazy admin creds. Through SMB I can connect. Found a password. Again tried this on all users but evil will not connect. What am I missing?

sudo apt-get root