Greetings to all, this is a walkthrough of "Monteverde", a medium-rated Windows machine.
1. PORTSCAN
2. USER
As we can see, AD ports are open, so I performed a quick search for users with enum4linux.
Now we have a list of users, so it's time to find out which user will take us to the user flag. For this purpose, I stored all these users in a users.txt file.
I ran the Metasploit module "smb_login" to brute-force each username, using the username itself as the password, and we got a hit for SABatchJobs (lazy admin).
Options details:
Password found:
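From the defender's side, a username-as-password sweep like the one above shows up as one source failing against many distinct accounts within seconds, with a success mixed in. The following is an added example, not part of the original walkthrough; the log format, the accounts `user01` to `user03`, the addresses and the timestamps are constructed, and 4625/4624 are the Windows failed/successful logon event IDs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from the walkthrough): time, source IP, event ID, account.
# 4625 = failed logon, 4624 = successful logon (Windows Security log event IDs).
SAMPLE_EVENTS = """\
2020-01-03T10:00:01 192.0.2.10 4625 user01
2020-01-03T10:00:01 192.0.2.10 4625 user02
2020-01-03T10:00:02 192.0.2.10 4625 mhope
2020-01-03T10:00:02 192.0.2.10 4624 SABatchJobs
2020-01-03T10:00:03 192.0.2.10 4625 user03
2020-01-03T10:07:10 192.0.2.20 4625 user02
2020-01-03T10:07:25 192.0.2.20 4625 user02
2020-01-03T10:07:40 192.0.2.20 4624 user02
"""

def parse(text):
    """Turn the whitespace-separated sample format into sorted tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, event_id, account = line.split()
        events.append((datetime.fromisoformat(ts), src, int(event_id), account))
    return sorted(events)

def find_sprays(events, window=timedelta(minutes=5), min_accounts=4):
    """Flag sources that fail against >= min_accounts distinct accounts inside
    `window`, and list accounts the same source logged on to in that window."""
    failed, succeeded = defaultdict(list), defaultdict(list)
    for ts, src, event_id, account in events:
        if event_id == 4625:
            failed[src].append((ts, account))
        elif event_id == 4624:
            succeeded[src].append((ts, account))
    findings = {}
    for src, fails in failed.items():
        for start, _ in fails:
            targeted = {a for t, a in fails if timedelta(0) <= t - start <= window}
            if len(targeted) >= min_accounts:
                # A success inside the sweep is the account to reset first.
                hits = {a for t, a in succeeded[src]
                        if timedelta(0) <= t - start <= window}
                findings[src] = {"targeted": sorted(targeted), "succeeded": sorted(hits)}
                break
    return findings

if __name__ == "__main__":
    for src, info in find_sprays(parse(SAMPLE_EVENTS)).items():
        print(src, "sprayed", len(info["targeted"]), "accounts; logged on as", info["succeeded"])
```

The second source in the sample (a user mistyping their own password twice) is deliberately not flagged, because the check keys on distinct accounts rather than on the raw failure count.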
1.2 SMB ENUMERATION:
So far we have the username and the password, so let's take a look at the SMB shares.
The file "azure.xml" that I found under the mhope user is very interesting. It contains the creds of mhope.
Now we have a valid password, so it's time to get a shell and grab the user flag using our favourite tool, "evil-winrm".
2. ROOT
The first and most basic step I always take is to look at the groups our user belongs to.
Using "whoami /all", I found that the user mhope is a member of Azure Admins, which means he has administrative rights.
Then I googled Azure Admins group exploitation and found an article.
Follow the article and get the administrator password.
Finally, taking the root flag!
Thank you for reading.














