HackTheBox - Monteverde
Monteverde was an interesting 30 point box created by egre55. It started out with some user enumeration which leads you to password spraying and discovering a weak password policy for a service account, you then dump an SMB share using the service account’s credentials and discover more creds used by Azure which you can use to WinRM in and get user. You then have to modify an exploit an exploit which abuses Azure’s Password Hash Synchronization to dump the Administrator credentials, you then use the creds to WinRM in again and get the root flag.
Active Directory domain enumeration without leveraging PowerView or the Active Directory PowerShell module, will be continuosly adding to this.
Resolute was a fun 30 point box created by egre55. It starts out by finding a set of credentials via SMB enumeration which allows you to password spray and find that the password has been reused, allowing you to login via WinRM and get the user flag. You then find a set of credentials in a PowerShell Transcript file, log in again via WinRM with those credentials, and then finally abuse the user’s group privileges to get root.
In light of being advised to use Covenant during the Cybernetics pro labs from HTB and absolutely falling in love with it’s power, simplicity, and organisation I decided to type up some notes for myself regarding the installation and basic setup.
Making the most out of lockdown in the UK, I decided to enroll in the new Hack The Box pro lab, Cybernetics.
Some notes to myself to use as a reference guide and to gain a better understanding of the privileges and rights assigned to Windows services in the form of SDDL security descriptor strings.