Hack The Box Monteverde Writeup – 10.10.10.172

Hello, welcome back to my Hack The Box Windows machine writeup series. Today we are going to do a newly released Windows box called Monteverde (IP: 10.10.10.172). The machine is very easy to exploit, as we have seen an almost identical rooting process in a few previous Windows machines, including Forest.

Getting user on Monteverde is straightforward, and so is the path from the nmap scan to owning the machine. Thanks to the author of the PowerShell privilege escalation script, which made my life easy.

Let us start.


Nmap Scan

As usual, let us add the machine IP 10.10.10.172 to /etc/hosts as monteverde.htb and start the nmap scan.

The nmap scan revealed a few open ports. The SMB port 445 and the LDAP ports 389 and 3628 caught our attention. Since it's a Windows machine, let us concentrate on these ports. The tool we are going to use is enum4linux. Let us run enum4linux with the -a switch for full enumeration. This option returns all the available information about the given Active Directory domain.

Enum4Linux

So, using enum4linux, we gathered a number of users:

Next, let's look at SMB; we might find something hidden there. Since we couldn't gather any passwords, we will go for a password-guessing tactic.

SMBClient

Let us run smbclient against the users, trying each username as its own password. After failing with the first four users, we were able to access SMB as the user SABatchJobs.
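Trying each username as its own password, as above, is a password spray: one guess against many accounts from one source. As an added example that is not part of the original post, the Python below runs a simple spray detector over constructed Windows Security events (4625 failed logon, 4624 successful logon, logon type 3 = network); the one-line log format, the addresses and every username except SABatchJobs are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample of Windows Security events (4625 = failed logon, 4624 =
# successful logon), flattened to one line each. Usernames other than
# SABatchJobs and all addresses are made up for this example.
SAMPLE_LOG = """\
2020-01-12T10:01:03 EventID=4625 LogonType=3 TargetUserName=alice IpAddress=10.10.14.5
2020-01-12T10:01:04 EventID=4625 LogonType=3 TargetUserName=bob IpAddress=10.10.14.5
2020-01-12T10:01:05 EventID=4625 LogonType=3 TargetUserName=carol IpAddress=10.10.14.5
2020-01-12T10:01:06 EventID=4625 LogonType=3 TargetUserName=dave IpAddress=10.10.14.5
2020-01-12T10:01:07 EventID=4624 LogonType=3 TargetUserName=SABatchJobs IpAddress=10.10.14.5
2020-01-12T10:03:00 EventID=4625 LogonType=3 TargetUserName=alice IpAddress=10.10.20.9
2020-01-12T10:03:30 EventID=4625 LogonType=3 TargetUserName=alice IpAddress=10.10.20.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$")

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def detect_spray(log_text, min_users=3, window=timedelta(minutes=5)):
    """Flag source IPs whose type-3 (network) logons fail for >= min_users
    distinct accounts within `window`, and list accounts that then logged on
    successfully from the same source (the spray's hits)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in parse(log_text):
        if ev["lt"] != "3":
            continue
        bucket = {"4625": failures, "4624": successes}.get(ev["eid"])
        if bucket is not None:
            bucket[ev["ip"]].append((ev["ts"], ev["user"]))
    findings = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                hits = sorted({u for t, u in successes[ip] if start <= t <= start + window})
                findings[ip] = {"users_tried": len(users), "hits": hits}
                break  # one finding per source is enough
    return findings
```

The second source (10.10.20.9) repeatedly fails against a single account and is intentionally not flagged; that is a brute-force pattern, which needs a separate per-account rule.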

The user had a few shares listed. The azure_uploads share had nothing in it, but interestingly SABatchJobs has access to a share called users$. Let us connect and see what the other users have in their directories.

Getting User.txt

After a couple of minutes of enumeration, we found a file named azure.xml in the user mhope's directory. Let us download it and see what it is.

The XML file contains a password, "4n0therD4y@n0th3r$", which could belong to the user mhope.

Now that we have a possibly valid password, it's time to use our favourite tool, "Evil-WinRM".

We got user.txt from the user mhope's desktop.

Straight To the Root

Just as we run sudo -l on Linux, we run whoami /all on Windows to see which groups our user belongs to. Running the command, we found the following.

The command shows that the user mhope is a member of the Azure Admin group, which means he probably has administrator rights.

After a simple Google search, we came across a PowerShell privesc script called "AzureADConnect". The script returns the Administrator credentials immediately.

This script seems to work only locally, post-exploitation, because I tried to run it directly from my Kali terminal without success. So, I copied the script to the Desktop of user mhope and ran it from there.

Now that we have the Administrator credentials, let us run Evil-WinRM again as Administrator and get the root flag.

That’s it, thank you for reading.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523

vbscrub
5 months ago

That PowerShell script you found that does it all for you didn't exist until yesterday. No wonder you thought it should have been marked as an Easy box when all you had to do was run that to instantly get admin creds, lol. There was a very similar PowerShell script available before that, but it at least required a little work to get it to run (figuring out that the AD Sync database was hosted on full SQL, not LocalDB, and then changing the SQL connection string in the script accordingly).
