Monteverde

@egre55

Man, I’ve been on this site less than a year self training at this craft.
I had user a month ago and just decided to come back to finish it off.

Let me tell you, this box taught me so many things. I wanted to thank you for putting it together. I’ve spent the past 2 days just mindlessly plugging away at root and learning about A****, M**s*, PS scripting.

That was intense. I had a few scripts I custom made because I had issues and didn’t think the PoCs were right lol. Because of that, and reversing so many of them, it dawned on me this morning (6pm at night! after 3 hours of sleep) that all I had to do was change the way it “handshakes”… o…m…f…g…

:open_mouth: but again, thank you for this machine. Thank you to everyone in these forums for hints and nudges… even though I had no F’ing clue what most of them meant for root it did help push me to the flag!

On that note… I did find a way to use Responder… though it gave me back the $monterverde hash… any way I could have used this hash (which I couldn’t crack with rockyou) to have owned the box?

thanks @Sharktank for foothold for lazy person b********ce with common and get user :smile:

Rooted… publicly thanking @vbscrab, his script was of enormous help!!

rooted :smile:

user: basic enumeration
root: actually I didn’t know about A****AD, so I tried to learn about it on Google, but I couldn’t understand it there, so I tried YouTube and the first video gave me everything along with the exploit. But that exploit didn’t work, so I read some forum messages saying that some of the PoCs need changes, so I tried to find a different PS script and I got it…

If you want help, DM.

Just an FYI for anyone who gets tired of using the CLI for the S** shares and is running the latest XFCE Kali: sudo apt-get install gvfs-backends will let you use Thunar to browse the shares via s**:\\ipAddress

Rooted, although I don’t feel completely satisfied. I spent hours looking at the exploit and I understand how it works in general, but I didn’t end up having to really enumerate for the connection string like I expected. The script I used just sort of works without modification, leading me to believe that default values were in place. I will do some more research in the meantime, but if anyone has any suggestions for properly enumerating a Windows box for connection strings, please reach out!

Yeah that was an alright box!
User was pretty easy if you do proper enumeration and some very basic, basic guessing.
Root was a path that I had never seen before, but a very interesting one. Once you know what the issue is it’s easy to do if you google and read the right things.

Everyone keeps talking about easy passwords… I’ve gone through several lists (not small). HTB boxes aren’t about brute forcing, so I know I’m doing it wrong. What are you doing to get this “easy” pass? Everything is easy when you know it. Are you guys using scripts to build wordlists? Maybe I’m way off…

Pffft, finally got root.txt… Really need to up my knowledge of MS SQL. LOL
Thanks for everyone who gave me hints for the right direction to go. Learned a lot. Again.

Rooted.
PM for hints.

Discord -
fashark#5862

@Scarleton said:

Everyone keeps talking about easy passwords… I’ve gone through several lists (not small). HTB boxes aren’t about brute forcing, so I know I’m doing it wrong. What are you doing to get this “easy” pass? Everything is easy when you know it. Are you guys using scripts to build wordlists? Maybe I’m way off…

It’s been mentioned a few times.

Make a list of all the information you have - domain names, usernames, hostnames etc.

Use this as both the username list and password list. See if anything good turns up.

Nice box. Rooted finally. Anyone who did it manually can nudge me. The PoC is ok, but I wanna learn the other ways.

Edit: PoC works as well if you change it a little :wink:

Any hints for gaining a foothold? I’ve got all the users from the ol enum script and have made a pass file including them, groups, domain, RIDs and just about everything I have gotten from enum, plus some simple password, admin-type passwords to spray with a loop of CME. Nada. I’ve read almost every post in here and think I’m close, but am somehow missing something… as per usual.

@TazWake said:

@Scarleton said:

Everyone keeps talking about easy passwords… I’ve gone through several lists (not small). HTB boxes aren’t about brute forcing, so I know I’m doing it wrong. What are you doing to get this “easy” pass? Everything is easy when you know it. Are you guys using scripts to build wordlists? Maybe I’m way off…

It’s been mentioned a few times.

Make a list of all the information you have - domain names, usernames, hostnames etc.

Use this as both the username list and password list. See if anything good turns up.

I’ve done that and even made permutations of what I found combined with some of the lazy admin suggestions. Nada.

@Scarleton said:

I’ve done that and even made permutations of what I found combined with some of the lazy admin suggestions. Nada.

Don’t take this the wrong way, but that means either you haven’t done that or the tool you are using to check is doing it wrong.

@TazWake said:

@Scarleton said:

I’ve done that and even made permutations of what I found combined with some of the lazy admin suggestions. Nada.

Don’t take this the wrong way, but that means either you haven’t done that or the tool you are using to check is doing it wrong.

Well, I suppose only someone who has jumped this hurdle could tell me. I tried CME in a bash loop with all the passwords and 12 users. I made a pass file including usernames (with and without domain), groups, domain, RIDs and just about everything I have gotten from enum, plus some simple password, admin-type passwords.

@Scarleton said:

Well, I suppose only someone who has jumped this hurdle could tell me. I tried CME in a bash loop with all the passwords and 12 users. I made a pass file including usernames (with and without domain), groups, domain, RIDs and just about everything I have gotten from enum, plus some simple password, admin-type passwords.

With CME, you can pass it a list of usernames and a list of passwords (-u and -p options) which might be a bit more reliable.

I would try running it like that, and making sure the CME syntax is correct before giving up.

If you are stuck, drop me a PM.

@Cald0g said:

Anyone able to nudge for user? I’ve got what I believe are the correct credentials, just unable to connect. Have tried using an evil tool to help, however I have had no luck; am new to Windows.

Maybe try those passwords in the SSH area.

@inc0gnit0 said:

@Cald0g said:

Anyone able to nudge for user? I’ve got what I believe are the correct credentials, just unable to connect. Have tried using an evil tool to help, however I have had no luck; am new to Windows.

Maybe try those passwords in the SSH area.

Not sure this box has SSH open.

If the passwords have been discovered with a tool like CME, then a good place to start is the Linux client for connecting to SMB.

Hey guys,

Well, after doing a lot of machines and checking always the hints on the forums, I am proud enough to publish that I have completed “Monteverde” with no hints and without checking the forums.

I got user and root and am currently doing the root dance. It’s very satisfying when you complete a box with only your knowledge and your own analysis.

If someone needs help please let me know, and I will be happy to assist.

pp123