Monteverde

I have used enum4linux to brute usernames, but there is an error. Why is this?
[E] Server doesn’t allow session using username ‘’, password ‘’. Aborting remainder of tests.

@littleheary said:

I have used enum4linux to brute usernames, but there is an error. Why is this?
[E] Server doesn’t allow session using username ‘’, password ‘’. Aborting remainder of tests.

Try a different tool.

The problem with “enum” type scripts is that they run a lot of things and if you don’t fully understand what they are doing, the output can be a bit confusing/overwhelming/misleading.

For example, I have zero idea why this response would happen, but it does imply it isn’t the best tool for this job.

I’m tearing my hair out with this easy to guess/lazy password. I’ve enumerated the list of user names but despite looping them through what feels like every obvious password I can think of, I’ve had no joy. Based on output from early enumeration, I’ve been poking at S**. Is that where I’ve gone wrong?

@paddanada said:

I’m tearing my hair out with this easy to guess/lazy password. I’ve enumerated the list of user names but despite looping them through what feels like every obvious password I can think of, I’ve had no joy. Based on output from early enumeration, I’ve been poking at S**. Is that where I’ve gone wrong?

Your approach is correct. Take all the information you have right now - domains, obvious passwords, guesses, accounts, etc., and use that as the password list to try.

When you get it, you will realise you currently have the password.

@TazWake said:

@khekhe said:

I connect by s***t and can’t find Desktop on u$ (

Ok. Try Evil (which works) or the file system share (I don’t know if this works).

Thank you for your hint) user done

@TazWake said:

@6062055 said:

I’ve tried so many users and passwords on this ■■■■■. Figures that the one account I got MSF to come up with the right ‘password’ was disabled. ■■■■ it all. I’ve been using all the four to six users that come up in the scans, all the ‘typical’ users you might see, and so many password variations, blanks, everything… Can it really be that obvious?

Annoyingly it really is that obvious when you find it.

All I can say is you might want to use CME rather than MSF and if you make a list of all the user accounts you can find and all the information you can find (domain names, profiles, usernames, timestamps, anything), you get it quite quickly.

The reality is if you’ve enumerated, you’ve seen the password.

I have enumerated all 10 users. I’m not seeing it. Please DM me some direction.

@secucyber said:

Got root. Finally, not so hard.

User: enumerate with the usual tools. After you’ve got some users, don’t bruteforce but test some lazy passwords that an admin can set on an account.

Root: enumerate in order to find the weakness of this box. After that, google and you should find all you need! Make some minor changes and all will be fine.

Feel free to PM if needed.

Have fun!

I have enumerated LDAP. Been looking and looking. I don’t see it. Please DM me some direction. TYIA

@m1rz said:
Stuck with the POC

Stuck looking at LDAP. LOL
Please assist.

@khekhe said:

@TazWake said:

@khekhe said:

Hello everybody,
can anyone give me a hint with user, please? I found the 2nd user’s creds and enumerated everything in the S****L directory but can’t find a way to get user.txt.
I can’t understand where I went wrong.

If you’ve connected as the second user, have you looked at their desktop?

I connect by s***t and can’t find Desktop on u$ (

How did you connect? Please DM me a cookie crumb. TY

@Hackalicious said:

I have enumerated all 10 users. I’m not seeing it. Please DM me some direction.

Drop me a DM saying what you’ve tried and what is going wrong.

@Hackalicious Have you found it, yet? If not, maybe try using the same list, for both lists.

Edit: Doh. wrong button!

■■■■, that root part got me fiddling with the code for hours. After reading enough articles, I realized that you don’t need to mess with the code. You just have to know how to execute the code and how it works!

Definitely expanded my knowledge with A**** and how vulnerable it is once the account has been compromised.

Hints:
USER - think how sysadmins create a new account in a lazy way. Now use that cred somewhere. Look for creds again. Use those creds somewhere.

ROOT - Once you’ve found who you are, Google is your friend. There are a lot of POCs in the wild. Do a lot of research.

@c0met said:
ROOT - Once you’ve found who you are, Google is your friend. There are a lot of POCs in the wild. Do a lot of research.

Yeah, this is an issue now. Since this box went live there are now a lot more scripts and tools for this specific exploit (I even made one myself). So when people say “you don’t need to modify anything in the POC” it’s potentially misleading depending on which one you’re using.

FWIW the original POC on a fairly well known blog was po******* code and definitely did need one small part changing to work on this machine.

@VbScrub There is one that is ported to v******t that doesn’t require changes. But the changes came in the form of a parameter.
So yeah, YMMV on what POC you found.

Anybody willing to give me a nudge? Not the greatest with AD stuff…I’ve found and tested creds and can login to SL but there’s no Gs.xml like people are talking about…Where can I go next?

EDIT:
Managed to get user.

No idea how to get root working… every ps1 attempt is riddled with errors like:

Missing closing ‘}’ in statement block or type definition.
The string is missing the terminator: '.
The splatting operator ‘@’ cannot be used to reference variables in an expression.

Anybody willing to give me some guidance on the root process? I have all the pieces, just can’t seem to get it to work.

Edit:
Got root.

Ditched PS1 scripts and used the uploading of 2 files method.

Got User on here by reading through the hints. I mostly got stuck on where to find the second user creds. Learnt about S*B Tooling, which was nice…

nvm

Thanks @TazWake for the tip about reviewing and reusing the info I had already gathered in order to get user (I legit had to walk away from my laptop for a few days when I realised how dense I’d been…).

I’m now doing the root dance trying to get a script working but my queries seem to be returning results in tabular form. So I make “$myvariable = query that thing and return this info”, the query works, but when I do $variable.thing I get:

Thing
=======
 a result i'm interested in

which is why I guess the next step in the sequence is failing, because it’s reading the table heading info as well? Is there a way to query such that it just returns the values I need?

Edit - nvm… RTFM, padds, rtfm…
Edit 2 - mods, that middle section I’ve written might confuse others reading this thread; happy to delete, but didn’t want to break any rules/etiquette in doing so… let me know?

And rooted.
Once I got past the usernames thing, it wasn’t too bad a box. Lots of learning on the way from user to root.
As always - if anyone wants a hand, just send a PM.

One of the things I learned was to walk away from the screen for an hour when you get wound up.