Monteverde

Does anyone else have problems with this server freezing? I’ll be working and then it will become unresponsive for 30 seconds. Check with ping and get no response. Then 30 seconds later it becomes responsive again. I’ve reset it twice. This is a pain.

Edit: This seems to be an issue with saving my Kali VM instead of shutting down when I’m finished. I had two tunnel interfaces up for the same IP and the same route to the VPN. This no doubt was the unresponsive issue. Fix is to be sure to kill the VPN prior to saving the VM or just shutting down.

@marvin7408 said:

@VbScrub said:

@marvin7408 said:

I got an error message when I use smbclient:
smb1cli_req_writev_submit: called for dialect[SMB3_11] server

Anyone experience the same?

looks like you’re using SMBv1 and the server needs SMBv3

Yes I noticed. I used the -m smb3 but no luck. I will find another way :smile:

Found my way in with SMB. I needed an account and password.

ROOT!

Nice box. Thank you @egre55
For this machine, learned a few nice things.

I think all tips have been given in the meantime.

So mine is just Keep it simple.

User: Enumerate and use that information. Don’t go over complicated with word lists (like me) but make sure you don’t miss any info (my slap in the face moment)

Root: that must be clear in the meantime. But don’t forget to activate your debug mode. Read any errors carefully, you will have to make small changes to what you have found.

Feel free to send a DM when you are stuck.

Got stuck on user for a stupidly long time since when password spraying, the username was in the wrong case. Doh

root was simple, game was kinda given away when there were several working exploit scripts sitting in the user director…

Nice windows box :slight_smile:

Great box, Thank you @egre55

@sebiV said:
Got stuck on user for a stupidly long time since when password spraying, the username was in the wrong case. Doh

Windows doesn’t care about username case, so I don’t see how that could have been the problem. Maybe you made a typo the first time or something?

I am stuck trying to work out what connection string should be.

I have 0 experience enumerating this storage, and am struggling to find commands that would let me know what goes in string.

would appreciate PM on cmd/tool to try

EDIT: woohoo. broke through! If anyone else gets super stuck at this stage can pm

Rooted Monteverde as the third box of this weekend. Is that what they call an addiction? :hushed: Liked the box and learned something new from root. Thanks @egre55 :blush:

Got User. and again getting foothold took me way longer than it should. I actually thought I already used that one option in that tool, when trying to login. After hours of guessing and trying, it turns out I didn’t … gah
thankfully I found the second creds pretty fast and got user-flag in no time. so my honor was restored :wink:

now onto root. I think that I already know which service to (ab)use. But I still have to find out how …

Got creds through initial enum. I cannot get s****t to work. can see what’s there, but I can’t get a shell. just says S1 disabled. any help would be greatly appreciated.

nevermind, got it

I tried so many lazy passwords but can’t get access. Also tried sap and sm*ent but no access too. I’m always overthinking but can’t think easily :smiley: can someone give me hint?

@TeRMaN said:

I tried so many lazy passwords but can’t get access. Also tried sap and sm*ent but no access too. I’m always overthinking but can’t think easily :smiley: can someone give me hint?

just think about what’s the SIMPLEST way of creating a password, if you don’t want to use the same password for every user …

@TeRMaN said:

I tried so many lazy passwords but can’t get access. Also tried sap and sm*ent but no access too. I’m always overthinking but can’t think easily :smiley: can someone give me hint?

To add to @theonemcp, don’t try to think about this. Make a list of all the information you have - hostnames, domains, users etc. And try them all against each user account.

To be straight with you, while I found the guessing part rather straightforward (You find all necessary information in your basic enumeration), the privesc was just mind boggling for me. Definitely learned something new…

hey guys I play here not so often. I started this machine, got some info about users but at the moment I didn’t find a valid password even if I tried some basic ones. Any hint?

@vxshadow said:

hey guys I play here not so often. I started this machine, got some info about users but at the moment I didn’t find a valid password even if I tried some basic ones. Any hint?

Read the hints here in the forum. Make sure you got all users and put them into a list. Do the same with your passwords and put them in a separate list. Now use tools that can handle those lists and make the logins for you. At least one of them has an option that comes in very handy on this very special case ?

For those that are stuck with guessing the passwords for an initial foothold.

This has been posted before but I will just leave this link here:

https://wiki.owasp.org/index.php/Testing_for_default_credentials_(OTG-AUTHN-002)#Testing_for_default_password_of_new_accounts

Is there something wrong with this machine on EU-VIP? is on and off can’t even complete a small nmap scan without network on the machine side dropping… or does it have a very hardcore firewall? just want to confirm before I put up a support request
edit: after getting user creds that were super easy, so no need to force or scan, this is impossible to do as is, eu-vip-13 is screwed I can’t get blocked by any firewall if I am not really doing any scanning… I keep getting disconnected from the server so I sent a support ticket. :cold_sweat:
EDIT2: nevermind I have the memory of a fish, I must have left the vpn on at home instead of turning it off before work

After getting root today thanks to @TazWake and @VbScrub, now my review for this box.
the first step was also the most frustrating, but mostly because I just couldn’t believe that I didn’t try that earlier … :blush:
User: the 2nd creds and user are pretty straightforward. You even get a hint, what will be waiting for you during your search for root.
Root: involved a lot of enumeration and searching for me. And when I finally found the right thing I still struggled … but in the end I got root :slight_smile:

So, I will need a hint for ROOT. I found a script in the user documents but I’m stuck to continue. If someone can PM me I will appreciate.