Monteverde

@VbScrub said:

@c0met said:
ROOT - Once you have found who you are, Google is your friend. There are a lot of POCs in the wild. Do a lot of research.

Yeah, this is an issue now. Since this box went live there are now a lot more scripts and tools for this specific exploit (I even made one myself). So when people say “you don’t need to modify anything in the POC” it’s potentially misleading depending on which one you’re using.

FWIW the original POC on a fairly well known blog was po******* code and definitely did need one small part changing to work on this machine.

Agree with @VbScrub.
I finally rooted this machine after reading lots of articles and POCs about this particular vulnerability. Learned a lot of new techniques about po******** tricks. It was fun.

Thanks a lot for this wonderful box. Learnt a lot of new techniques from this box.

Wow, this box is really easy. I made Forest before, which was a lot harder.
User: Basic enumeration. Honestly the password part isn’t guessing at all. It’s just a basic check you should always perform.
Root: Easy. Just Google. Try to understand the service in question (Microsoft Docs). Then you just have to do some basic troubleshooting and alter the C********S****g Information in the right script you got from googling (Search word: POC). That’s it! :wink:

Finally got root. Thanks to @pkaiser .
Here are my suggestions:

  • user: smb enumeration is very useful and then repeat it again and again if necessary
  • root: there is an odd group that gives you access to privEsc.

PM if you need help

Could anyone help me on guessing the initial foothold of guessing the passwords for the users?

Hello, may I kindly ask someone to nudge me on the root?
I have the 2 part files and also the pshell script and I think I know where I am going wrong but am failing to correct it.

Awww yeeeah! What a rush, ended up writing a bit of a custom exploit for root, not sure how others got there, but the road was bumpy. Probably the first time I got a Windows root without resorting to reading the comments on the forums, and it feels so good.

It started off when I noticed something different compared to other Windows boxes I’d done. Decided to Google it, and lo and behold there were a bunch of blogs and talks about this exact thing - great! Looked involved, but couldn’t find any other route, so I started reading and following along. Only problem is their code doesn’t work in this case, and neither do the manual steps, for a couple of reasons.

I’d love to know how other people got around these hurdles. I ended up doing some manual extraction of data, then modifying one of the blog’s code and running that. Even this wasn’t plain sailing though due to the annoying output of another tool.

@bharathacker said:

Could anyone help me on guessing the initial foothold of guessing the passwords for the users?

for initial root,
1 - compile the usernames you found and then do something with them to get the password.

2 - or think what would a lazy admin do when creating specific type of accounts

@idevilkz said:

@bharathacker said:

Could anyone help me on guessing the initial foothold of guessing the passwords for the users?

for initial root,
1 - compile the usernames you found and then do something with them to get the password.

2 - or think what would a lazy admin do when creating specific type of accounts

Thank you @idevilkz, I got the user and am struggling to get the root. Do you have any hints for the root?

I am in the same boat, PM and we can talk.

Anyone for a nudge?

Just Rooted.

No need for additional hints.
PM For help

OK, I have rooted this with some help.
It’s an irony that people will post here saying it’s rooted and done.
There is a lot going on on that machine and here are some pointers for all who are on to it.
Take this opportunity to learn, not just crack it.
Initial Foothold:
Once you have enumerated and found the users, just think what you can do with the list and how you can compare it to get the details.
Or another way is to just think of how lazy admins think. I couldn’t get it working this way, but then I found out I was using the wrong tool to test, but I did guess the password right.

Once In:
Then have a troll through folders and see what kind of server that is, i.e. a modern MS offering, and see if you can find anything useful in Google.
At this point, you will find some articles. Read them and understand them and how the structure etc. works and saves info. You will see this server has that a wee little bit different.

At this point, also think of what happens when you run something fishy on your personal PC as it may help.

PM me and I will try to guide you with hints in the right directions. I have learned a lot from this VM and ended up setting a test environment to understand in detail.

rooted, great box and learnt a new area

User Hint : enumeration of users is key. Don’t overthink credentials and no brute forcing is required.

Root Hint : Look at the applications running on the server and ask why they would be running on this box. One of the usernames gives a hint to what this box might be used for. When you have this, Google how this function works.

Thanks to the creator of the box.

Nugget!

Finally rooted!

Ran into some weird issues while working on the last step but definitely learned something new.

User was pretty straightforward: just basic enumeration and some digging around.
Learned the most from getting root. That was a really cool concept.

PoC and some great videos on this topic are out there that helped me out tremendously.

Got it! Thanks a lot to @dok72 for the nudge! Really learned a lot about Windows possibilities!

rooted! :smiley:

Definitely harder than initially thought

USER: the password part is really trivial, but there’s the risk you’ll get frustrated very soon (I lost several hours…). Make sure you include all users in your users list; I discarded a few of them (thinking they were not related to the user.txt file) and lost so much time trying to find a non-existent user/pass match. Thanks to @TazWake for the nudge!

ROOT: thanks to everyone who commented in this discussion. Each comment helped to identify the right tool to exploit the right service. Learnt a lot of new stuff I wasn’t even aware of. Some difficulties configuring the connection but some good M$ utilities helped a bit…

Nice box! :blush:

Just rooted the box. PM me for nudges. Tell me where you are at so I can help.

If you’re struggling with the Foothold, here is my advice:

A) Build a simple password list based on typical bad practices. A wordlist will more than likely not work.
B) If that doesn’t work, remember there is more than one service running on the box.

I finally got through after a lot of reading around so many exploits (I’m never signing up for z** lol). I did not need to play around with the PoC like many others here because our man, @VbScrub, is a legend both on HTB and other places (wink wink)!!