Monteverde Writeup — HackTheBox

SUDOROOT · Published in REBRON SECURITY · Jun 13, 2020

Made by RebornSec ®

This box is one of the best Windows boxes so far, made by egre55. It is full of enumeration and real-life exploits, enjoy :)

Enumeration phase :

As usual let’s start with the Nmap scan :

[~] nmap -sC -sV 10.10.10.172

We notice that the DNS port is open. Let's dig into it, maybe we will find some credentials :

[~] dig 10.10.10.172 @10.10.10.172

There is not much to find on the DNS port. Let's move on to SMB enumeration :

PS : for those who do not know what SMB is, check my last writeup about Resolute, where I left some valuable links that will help you understand it :

We check enum4linux :

I found a couple of users. Let's put them in a file called users.txt :

Guest
AAD_987d7f2f57d2
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan
Administrator

Now we run crackmapexec with users.txt as both the username list and the password list :

crackmapexec smb 10.10.10.172 -u users.txt -p users.txt

We found a valid credential :

MEGABANK\SABatchJobs:SABatchJobs
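
From the defender's side, a spray like this shows up as one source failing logons against many different accounts within seconds, followed by a success. The sketch below is an added example, not part of the original writeup: it runs that detection over constructed log lines in a simplified `time,event_id,source_ip,target_user` format (Windows Security event 4625 is a failed logon, 4624 a successful one); the source addresses, timestamps and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, simplified to "time,event_id,source_ip,target_user".
# 4625 = failed logon, 4624 = successful logon (Windows Security log).
SAMPLE = """\
2020-06-13T10:00:01,4625,10.10.14.5,Guest
2020-06-13T10:00:02,4625,10.10.14.5,mhope
2020-06-13T10:00:03,4625,10.10.14.5,svc-ata
2020-06-13T10:00:04,4625,10.10.14.5,dgalanos
2020-06-13T10:00:05,4625,10.10.14.5,roleary
2020-06-13T10:00:06,4625,10.10.14.5,smorgan
2020-06-13T10:00:07,4624,10.10.14.5,SABatchJobs
2020-06-13T10:02:00,4625,10.10.10.50,smorgan
2020-06-13T10:02:20,4625,10.10.10.50,smorgan
2020-06-13T10:02:45,4624,10.10.10.50,smorgan
"""

def parse(text):
    """Yield (time, event_id, source_ip, user) tuples from the sample format."""
    for line in text.strip().splitlines():
        ts, eid, src, user = line.split(",")
        yield datetime.fromisoformat(ts), int(eid), src, user

def detect_spray(text, min_users=5, window=timedelta(minutes=5)):
    """Flag sources that fail against many distinct accounts in one window."""
    by_src = defaultdict(list)
    for event in sorted(parse(text)):
        by_src[event[2]].append(event)
    findings = {}
    for src, events in by_src.items():
        fails = [(t, u) for t, eid, _, u in events if eid == 4625]
        best, started = 0, None
        # Slide a window over the failures, counting distinct target accounts.
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) > best:
                best, started = len(users), t0
        if best < min_users:
            continue  # e.g. one user mistyping their own password
        # A success from the spraying source means a guessed password worked.
        hits = sorted({u for t, eid, _, u in events
                       if eid == 4624 and t >= started})
        findings[src] = {"users_failed": best, "compromised": hits}
    return findings

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE).items():
        print(src, info)
```

The second source in the sample, a single user mistyping a password twice before logging in, stays below the distinct-account threshold and is not flagged.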

We use smbclient with this credential to look for shares and files :

We notice a file called azure.xml in the mhope share point. If we GET it and look inside :

We found a password, probably for the user mhope :

mhope:4n0therD4y@n0th3r$

Let's log in with evil-winrm and check whether this is the user we are looking for :

And here we got our user.txt :)

Root phase :

If we check this user's privileges, we find that it is a member of the Azure Admins group :

In this case we can perform a DCSync attack, as this article demonstrates :

Using this tool we can perform our attack :

Our new credential is :

administrator:d0m@in4dminyeah!

Let's try to log in with evil-winrm using this credential :

And we got our root :)

THANKS TO THE CREATOR OF THIS BOX.
