WHAT ARE YOU LOOKING FOR?

Hack the Box: Monteverde Walkthrough

Exploits Affichages : 504
Hack the Box: Monteverde Walkthrough

Today we’re going to solve Hack The Box’s “Monteverde” machine. This lab is of “medium” level, although you will see that it is quite simple.

Level: Medium

Penetration Testing Methodology

  • Reconnaissance
  • Nmap
  • Enumeration
  • Enum4Linux
  • Bruteforce SMB Login (Metasploit)
  • Smbclient
  • Exploiting
  • Evil-winrm
  • Powershell Scripts
  • Privilege Escalation
  • Abuse of Azure’s group privileges
  • Capture the flag

Walkthrough

Reconnaissance

We start with a scan of the 5,000 main ports:

nmap -sV --top-ports 5000 10.10.10.172

image

Enumeration

After checking each of the services, it is time to obtain as much information as possible from the Samba service (port 445) with the help of the “Enum4linux” tool.

image

We list the domain name:

image

And the list of users that belong to the corporation:

image

Exploiting

We create a file “users.txt” and introduce the different users found in the previous phase.

image

Now and with the “smb_login” module of Metasploit, we make a brute force, we will indicate the same file “users.txt” for the option “user_file” and “pass_file“. Disable the “verbose” mode so that only positive results appear.

We’ll get a match, so we already have some credentials to be able to gossip in the organization’s files.

image

We use the credentials and see that we have several areas to check.

image

I’ll save you time and we’ll access the “users$” resource.

image

Privilege Escalation (user)

We access the user’s folder “mhope” and find a file called “azure.xml“. Of course, my friend! We downloaded it!

image

We execute the command “cat” on the file “azure.xml” and find some access credentials for the user “mhope“.

image

We use these credentials to connect by RDP (Remote Desktop Protocol) service with the help of “Evil-winrm” and we will read the “user.txt” flag.

image

Privilege Escalation (administrator)

We execute the command “whoami /all” to obtain all the information of our committed user.

image

We found in the information that we belong to the group of administrators of Azure.

image

Now, we will leave the “Evil-winrm” session and download the following script in Powershell called “Azure-ADConnect.ps1“.

image

And we’ll connect again with “Evil-winrm“, but this time, we’ll specify a new command to indicate the path where the “Azure-ADConnect” file is located.

The following commands will make the script load in Powershell in our Evil-winrm, the second command will make it synchronize with the Active Directory located in Azure and will return us the administrator credentials.

image

Once we have obtained the administrator credentials, we will connect to them again and read the “root.txt” flag.

image

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks Contacted on LinkedIn.

The post Hack the Box: Monteverde Walkthrough appeared first on Hacking Articles.

Image
Back To Top

Pensée du jour :

Ce que l'homme a fait ,

l'homme peut le défaire.

 

"No secure path in the world"

Category

Popular Sections

About