Monteverde

Rooted!!

User : Basic Enum, BF Guessing Skill.
Root : The “Bill Gates Product”

:love:

Rooted!

That took me ages to get the foothold!! I was banging on the wrong service for days. Big thanks to @mrfw for just the right level of helpful guidance.

Root finally done. Had to research and learn new techniques for root – learned some new things! PM for nuggets

I enjoyed going through this machine :-), cheers @egre55

User flag: This was nice and straightforward but everyone has a different mindset when enumerating. Keep it simple and try not to overthink things. There are enough hints for the user flag on this discussion.

Root flag: This took me longer than it should’ve but it’s been a good learning curve. Once you know what can be exploited, find some blogs on Google and understand how the exploit is executed. Take your time reading through them, I missed something blatantly obvious when trying to trigger the exploit.

~~Hey folks. Would appreciate a lil nudge.

Currently working on Root. I think I know what I need to do, but I am unable to move the exploit (exe) onto the box. I can run the PowerShell version, but it errors out. I have tried numerous ways of getting the file onto the box, including trying to upload via smbclient (with various users/shares) but no dice… would appreciate any help, unless I’m totally barking up the wrong tree in which case…

Has anyone been able to get the PowerShell version to work? ~~

Ah, nvm! Rooted!

To anyone else facing the same issues: definitely research different ways to download stuff using PowerShell, and make sure you physically type out the commands since stuff can get screwed up in Windows with copy/paste.

roooooted
thank you all
PM for hints

Root: Write simple ps commands and try to connect to the database (SQL Server connection strings - ConnectionStrings.com), then modify the POC

Finally got user and root. A good box to learn a few things regarding user enum and lazy admin practice. For root we have to explore cloud services as well and how passwords are stored and synced.

User Hint - LDAP tools are helpful, but you also need to think like lazy admins and test it on the port with anonymous access. The AD logon timestamp is something to take into consideration.

Root Hint - Once you get the user flag some hint is already provided in the same directory. Then you need to research how that actually works. @VbScrub already hinted earlier.

@VbScrub
I tried to make use of your tool and modified it using dny, but unfortunately that never worked even though I was implementing it as you suggested.
But later when I executed everything individually using F
I* technique it worked, which seems a bit weird. Any idea what I was doing wrong?

A good box to learn new things. :slight_smile:

hi guys,

Quite a newbie over here, first Windows machine and only did a few Linux ones from vulnhub and a couple here. Still quite inexperienced :).

I have learned a lot with this machine. Only managed to get root because there are a couple of PoCs around, still a script kiddie in that regard. But it helped me a lot from a knowledge perspective, testing out new tools, reading about them, etc.

The articles available online and a YouTube link on the forum really helped a lot.

Thank you so much for the tips and hints, sometimes they also help you confirm you’re on the right track.

Spent a lot of time guessing user credentials because of the wrong tool >_<
User: you need to leave that dog alone and go dancing.
Root: some file is a hint.
PM if you need help.

Got the users, stuck on the lazy password, I am probably overthinking it. Anybody who can PM me your help will be appreciated.

Nice box!

Foothold: Enumerate everything you can! People are lazy with passwords (this took me longer than it should!)

User: quick and simple

Root: I found this easy, maybe I have done too many deployments with that tool to notice it so fast and know about its crappy past!

@egre55

Man, I’ve been on this site less than a year self training at this craft.
I had user a month ago and just decided to come back to finish it off.

Let me tell you, this box taught me so many things. I wanted to thank you for putting it together. I’ve spent the past 2 days just mindlessly plugging away at root and learning about A****, M**s*, PS scripting.

That was intense. I had a few scripts I custom made because I had issues and didn’t think the PoC’s were right lol. Because of that and reversing so many of them it dawned on me this morning (6pm at night! after 3 hours of sleep) that all I had to do was change the way it “handshakes”… o…m…f…g…

:open_mouth: but again, thank you for this machine. Thank you to everyone in these forums for hints and nudges… even though I had no F’ing clue what most of them meant for root it did help push me to the flag!

On that note… I did find a way to use Responder… though it gave me back the $monterverde hash… any way I could have used this hash (which I couldn’t crack with rockyou) to have owned the box?

thanks @Sharktank for foothold for lazy person b********ce with common and get user :smile:

Rooted… publicly thank @VbScrub, his script was of enormous help!!

rooted :smile:

user: basic enumeration
root: actually I don’t know about A****AD so I tried to learn about it on Google, but I couldn’t understand it there, so I tried YouTube and the first video gave me everything along with the exploit. But that exploit did not work, so I looked at some forum messages saying that some of the PoCs need changes, so I tried to find a different PS script and I got it…

If you want help, DM.

Just an FYI for anyone who gets tired of using the CLI for the S** shares & is running the latest XFCE Kali - `sudo apt-get install gvfs-backends` will let you use Thunar to browse the shares via s**:\\ ipAddress

Rooted, although I don’t feel completely satisfied. I spent hours looking at the exploit and I understand how it works in general, but I didn’t end up having to really enumerate for the connection string like I expected. The script I used just sort of works without modification, leading me to believe that default values were in place. I will do some more research in the meantime, but if anyone has any suggestions for properly enumerating a Windows box for connection strings, please reach out!