
Hack the Box (HTB) machines walkthrough series — Monteverde

September 3, 2020 by Security Ninja

Today, we will be continuing with our exploration of Hack the Box (HTB) machines as seen in previous articles. This walkthrough is of an HTB machine named Monteverde.

HTB is an excellent platform that hosts machines running a variety of operating systems, along with some other challenges. Individuals have to solve a puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Monteverde, is retired.

Let’s start with this machine.

The walkthrough

  1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.
  2. The Monteverde machine IP is
  3. We will adopt our usual methodology of performing penetration testing. Let’s start with enumeration in order to gain as much information about the machine as possible.
  4. As usual, we’ll start with the nmap scan to gather more information about the services running on this machine.
    <<nmap -sC -sV -p- -oA Monteverde>>

  5. From the above ports enumeration, let’s use enum4linux to do further enumeration of the complete domain. Below are some of the important enumeration points:
    1. Local users list
    2. Domain SID
    3. Local groups (note Azure groups)
    4. Domain groups
    5. Domain users
    6. Domain admins (note Azure admins)
  6. Also, since SMB ports were enumerated, we note that anonymous connections are allowed.
  7. Going through all the users, we are able to browse some interesting artifacts with user SABatchJobs.
  8. Going into the users share, we find an interesting users directory.
  9. Under user mhope, there is a file called azure.xml.
  10. Downloading it to our local box and viewing its contents reveals the password.
  11. Using that password, we log in successfully as user mhope with evil-winrm.
  12. Now since the user is part of the Azure admin list, we can use the Red Team recipe to escalate the privileges by following the exploit here.
  13. We download the exploit and modify it as shown below:
  14. Uploading the exploit to the box and running it gives us admin credentials.
  15. Using the recovered admin credentials, we log into the box as system.
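
From the defender's side, the finding in steps 8 to 10 (an XML file in a user's share directory holding a readable password) can be caught by auditing mounted shares. The following is an added example, not part of the original walkthrough or of any tool it uses, and it generalizes from azure.xml to any XML file. The hint list, function names and sample files are assumptions constructed for illustration; skipping `<SS>` elements follows PowerShell's CLIXML convention of serializing a DPAPI-protected SecureString under that tag.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

SECRET_HINTS = ("password", "passwd", "pwd", "secret")  # assumed hint list

def find_plaintext_secrets(xml_path):
    """Return (field_label, value_length) for each readable secret-like field."""
    try:
        root = ET.parse(xml_path).getroot()
    except (ET.ParseError, OSError):
        return []  # unreadable or malformed file: nothing to report
    hits = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1].lower()  # drop any XML namespace
        text = (elem.text or "").strip()
        if tag == "ss" or not text:
            continue  # CLIXML <SS> is a DPAPI-protected SecureString; empty is harmless
        # The field name is the tag itself or, in CLIXML, the N="..." attribute.
        for label in (tag, elem.get("N", "").lower()):
            if any(h in label for h in SECRET_HINTS):
                hits.append((label, len(text)))  # report length, never the value
                break
    return hits

def audit_share(root_dir):
    """Walk a mounted share; map each flagged XML file (relative path) to its hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(".xml") and (hits := find_plaintext_secrets(full)):
                report[os.path.relpath(full, root_dir).replace(os.sep, "/")] = hits
    return report

def demo():
    """Audit a constructed share layout (every name and value here is made up)."""
    samples = {
        "svc_example/cred.xml": '<Objs xmlns="http://schemas.microsoft.com/powershell/2004/04">'
            '<S N="UserName">svc_example</S><S N="Password">Constructed-Example-1!</S></Objs>',
        "alice/app.xml": "<config><dbPassword></dbPassword><Timeout>30</Timeout></config>",
        "bob/protected.xml": '<Objs><SS N="Password">01000000d08c9ddf</SS></Objs>',
    }
    with tempfile.TemporaryDirectory() as share:
        for rel, body in samples.items():
            os.makedirs(os.path.dirname(os.path.join(share, rel)), exist_ok=True)
            with open(os.path.join(share, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_share(share)
```

Calling `audit_share` on the mount point of a real share returns the same mapping; only the first constructed file is flagged, because the other two hold an empty field and a protected SecureString.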

So, this machine is very easy. The only thing to learn is how to use Azure AD Connect to escalate privileges.

We will continue this series for many more examples of interesting HTB machines.
