Walkthrough — HTB Linux machine “Monteverde”
Quick enumeration of the machine with nmap revealed the following information:
Many open ports were identified. As there is no useful HTTP server, and DNS gave me no useful information, I turned to enum4linux:
I created a list of users from this information and, using crackmapexec, found a user whose password was the same as the username:
Excellent. Let’s take a look and see if we have any shares available:
Through the process of elimination, I found access to the users$ share:
We have access to one file — azure.xml, in the mhope directory:
I copied across the file and took a look at the contents:
I attempted to log in using Evil-WinRM as mhope (the user directory where the file was found) with the newly discovered password 4n0therD4y@n0th3r$:
A quick look at what this user account is able to do:
I uploaded the PowerShell script from here (https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Azure-ADConnect.ps1) and ran it, revealing further credentials to the system:
I then reconnected using Evil-WinRM with the newly discovered administrator user and the password d0m@in4dminyeah!: