In this article we are going to solve another boot2root challenge Monteverde from hackthebox and it is a medium level difficulty box .
As usual we started with nmap to find open ports and services running in the targeted system using the command
nmap -sC -sV -Pn -o nmap.txt 10.10.10.172
SMB Port 445 and LDAP 389 caught our attention and after this I started to enumerate more using enum4linux to find SMB Shares and usernames using the command
we found so many usernames but couldn't find any SMB Share , Now lets try bruteforce attack using the usernames we just found and some common passwords against SMB Login , but using common passwords didn't worked here so what we can do is to include all the username as password ( may be the system admin is too lazy to think a more complicated password)
and we found the username as SABatchJobs and password as SABatchJobs , Now we tried to login into the system using evil-winrm but failed , Now lets try to login into SMB using these credentials and list all the SMB Shares ( if we can)
smbclient -L //10.10.10.172/
Okay , we are making some progress , we have some useful SMB Shares and after trying on all the Shares we found something useful in users$ , command used
smbclient //10.10.10.172/users$ -U SABatchJobs
so many directories and again we found something in mhope
we downloaded the azure.xml in our local system and now lets try to read it .
okay we found a password here , probably of user mhope :)
Now we used evil-winrm again to login into the system as user mhope ,command used
sudo evil-winrm -u mhope -p #try_harder -i 10.10.10.172
okay , task 1 is completed :)
Now it is time for privilege escalation .
by using the command whoami /all we came to know that the user mhope is a member of Azure Admin group , it means he probably has the administrator rights
After some quick google search we found a simple Powershell privesc tool called "AzureADConnect"
first of all we copied the script to the user mhope Desktop directory then we will run it.
okay we have found the password of admin user , let's try this password to login to the system using evil-winrm.
and this completes our challenge , If you like the walkthrough then please keep supporting us by sharing this article as much as you can and also by using the Donate button to keep our website Advertisement free :)