Monteverde

Rooted, initial foothold took longer than user and root combined! Thanks to @TazWake for the pointer.

Foothold: not much more to be said on this… don’t overthink it, make sure you are using the correct tool for the job…
User: Simple enumeration, keep looking
Root: Nothing else to add to what has already been said. Google for the exploit, make sure you understand what it is doing, and make alterations where necessary

Ok, got the file on there with what I’m 99% sure is the correct connection string after I did some enumeration on the database side, but it’s erroring out:

    … ibute" | select @{Name = ‘Password’; Expression = {$_.node.InnerXML}}
                                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    The string is missing the terminator: '.

@TestUserx said:

Ok, got the file on there with what I’m 99% sure is the correct connection string after I did some enumeration on the database side, but it’s erroring out:

    … ibute" | select @{Name = ‘Password’; Expression = {$_.node.InnerXML}}
                                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    The string is missing the terminator: '.

Never mind.
Got root, I just needed to check the impostor formatting that got into a few characters of the script when copy-pasting it.

+1 on the hint about using Google (literally, use Google. startpage was sabotaging me with its lack of relevant results)
The connection string part is pretty easy once you do some basic enumeration on the database side (edition, version, instance name, hosted databases, etc.)
For future connection string references:
SQL Server connection strings - ConnectionStrings.com
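The copy-paste problem described above (characters that are not what they look like sneaking into a script) is easy to check for mechanically. As an added example, not code from the thread: a Python script that reports every non-ASCII character in a pasted script with its line, column and Unicode name, and replaces the usual impostors (curly quotes, dashes, no-break and zero-width spaces) with plain ASCII. The sample text is constructed to resemble the quoted line and is not the real file.

```python
import unicodedata

# Constructed sample resembling the pasted line from the thread, with a
# zero-width space and a no-break space smuggled in (assumed, not the real file).
PASTED = (
    "select @{Name = \u2018Password\u2019; Expression = {$_.node.InnerXML}}\n"
    "$conn = New-Object System.Data.SqlClient.SqlConnection\u200b\n"
    "$conn.ConnectionString\u00a0= $cs\n"
)

# Characters that commonly ride along from a web page or rich-text editor,
# with their plain-ASCII replacements (empty string = drop the character).
IMPOSTORS = {
    "\u2018": "'", "\u2019": "'", "\u201a": "'", "\u201b": "'",   # single quotes
    "\u201c": '"', "\u201d": '"', "\u201e": '"', "\u201f": '"',   # double quotes
    "\u2013": "-", "\u2014": "-",                                 # dashes
    "\u00a0": " ",                                                # no-break space
    "\u200b": "", "\u200c": "", "\u200d": "", "\ufeff": "",       # zero-width chars
}


def find_non_ascii(text):
    """Return (line, column, char, unicode name) for each non-ASCII character."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ord(ch) > 0x7F:
                hits.append((lineno, col, ch, unicodedata.name(ch, "UNKNOWN")))
    return hits


def normalize(text):
    """Replace known impostors; any other non-ASCII character is left for manual review."""
    return "".join(IMPOSTORS.get(ch, ch) for ch in text)


if __name__ == "__main__":
    for lineno, col, ch, name in find_non_ascii(PASTED):
        print(f"line {lineno} col {col}: U+{ord(ch):04X} {name}")
    print(normalize(PASTED))
```

PowerShell itself accepts the curly single and double quotes as string delimiters, so the breakage usually comes from invisible characters or a quote pair that was mangled on the way, which is why the report lists every non-ASCII character rather than only quotes.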

I am unable to get RM or its evil brother to work with user SA*J. I did find the XML file in the SMB share. The contents of the file lead me to believe I have a nugget, I am just not sure if it’s real or fool’s gold. Am I missing something?

@F0rtyW3igh7 said:

I am unable to get RM or its evil brother to work with user SA*J.

I found the more traditional client application for this protocol was the only way I could get it to work with that account.

I did find the XML file in the SMB share. The contents of the file lead me to believe I have a nugget, I am just not sure if it’s real or fool’s gold. Am I missing something?

The XML file is legitimate. You should now have enough information to get evil working.

@TazWake said:

@F0rtyW3igh7 said:

I am unable to get RM or its evil brother to work with user SA*J.

I found the more traditional client application for this protocol was the only way I could get it to work with that account.

I did find the XML file in the SMB share. The contents of the file lead me to believe I have a nugget, I am just not sure if it’s real or fool’s gold. Am I missing something?

The XML file is legitimate. You should now have enough information to get evil working.

Thank you!

Hi guys!
I’ve enumerated some users, groups and domains but I can’t find out the password that needs to be guessed. Have you got some hints?

@zenhex said:

Hi guys!
I’ve enumerated some users, groups and domains but I can’t find out the password that needs to be guessed. Have you got some hints?

Yes. You have all the information you need. Make a list of all the usernames you have and a list of all the information you’ve enumerated then try each username with each bit of information.

I got an error message when I use smbclient:
smb1cli_req_writev_submit: called for dialect[SMB3_11] server

Anyone experience the same?

Oh my… Very hard root. Found a blind area in what I need to learn. Thanks to all who gave hints. Root took me more than a week and on this box I asked for hints for the first time.

@marvin7408 said:

I got an error message when I use smbclient:
smb1cli_req_writev_submit: called for dialect[SMB3_11] server

Anyone experience the same?

Looks like you’re using SMBv1 and the server needs SMBv3

@VbScrub said:

@marvin7408 said:

I got an error message when I use smbclient:
smb1cli_req_writev_submit: called for dialect[SMB3_11] server

Anyone experience the same?

Looks like you’re using SMBv1 and the server needs SMBv3

Yes I noticed. I used the -m smb3 option but no luck. I will find another way :smile:


@marvin7408 said:

@VbScrub said:

@marvin7408 said:

I got an error message when I use smbclient:
smb1cli_req_writev_submit: called for dialect[SMB3_11] server

Anyone experience the same?

Looks like you’re using SMBv1 and the server needs SMBv3

Yes I noticed. I used the -m smb3 option but no luck. I will find another way :smile:

I found smbclient less than useful on this box until I had creds. Then it worked well.

Hi there, I am struggling to enumerate S** for the connection string.

EDIT:

Got root, kudos to the link from @TestUserx, I managed to figure out where I was going wrong in the connection string.

DM if you need :smile:

Rooted. PM me if you need. Amazing box.

Need a hint for the modification of the PoC exploit please :slight_smile:

@sparkla said:

Been guessing passwords by hand for 2h now and 1h yesterday. This isn’t fun at all. Any scripts fail, now thinking about creating my own which would at least be productive to some extent. Every single time I try to get into Windows AD world it’s like that, stuck at foothold, very frustrating, zero learning.

That’s got nothing to do with Windows or AD though? Credentials could easily be set up in this exact same way with a Linux box, so I’m not sure I get your point.

As for guessing - there have been plenty of hints in this thread. The main one being that it is an obvious/lazy password but it would not be on any common passwords list. There’s only one scenario that fits those criteria. I do agree in general though - having anything that needs to be “guessed” often leads to frustration and is not a fun experience.

@sparkla said:

Been guessing passwords by hand for 2h now and 1h yesterday. This isn’t fun at all. Any scripts fail, now thinking about creating my own which would at least be productive to some extent. Every single time I try to get into Windows AD world it’s like that, stuck at foothold, very frustrating, zero learning.

“It’s not difficult to guess” doesn’t necessarily mean you will get it right the 3rd or 5th time…

PM

@sparkla said:

Been guessing passwords by hand for 2h now and 1h yesterday. This isn’t fun at all. Any scripts fail, now thinking about creating my own which would at least be productive to some extent. Every single time I try to get into Windows AD world it’s like that, stuck at foothold, very frustrating, zero learning.

“It’s not difficult to guess” doesn’t necessarily mean you will get it right the 3rd or 5th time…

I agree with what @VbScrub has said here - guessing is really annoying, simply because what is obvious to you isn’t obvious to me.

However, on this box, you can make it a bit easier and it’s been said several times on this thread.

List EVERY bit of information you have: domains, usernames, network shares, page content etc. Everything. Then try all of them as a password.

The “real-life” analogy I think applies is using OSINT tools to create wordlists by scraping data. Think CUPP or CeWL. While you 100% do not need to do that for this box, the principle is the same.

What I found frustrating was when I realised I had the password so early on…