HackTheBox - Monteverde

IppSec · Beginner ·📰 AI News & Updates ·6y ago

Key Takeaways

Enumerates HackTheBox machine 'Monteverde' using Nmap, rpcclient, and SMBMap

Original Description

00:00 - Into 00:54 - Begin of recon 03:36 - Using rpcclient with null authentication and dumping active directory users 06:26 - Building a password list with hashcat --stdout (Forest Video does it better) 08:41 - CrackMapExec shows SABatchJobs:SABatchJobs are valid credentials 12:06 - Using SMBMap to list contents of directories 16:20 - Using SMBMap to download azure.xml which has a hardcoded credential in it then testing with WinRM to see if we can get a shell 19:50 - Downloading and running Seatbelt on the server 25:20 - Running WinPEAS for a second opinion 27:45 - Talking about the Azure Admins group 28:55 - Playing with SQLCMD to view the MSSQL Database 30:45 - Downloading and running PowerUpSQL to see if there's any obvious escalation paths 37:00 - Using XP_DIRTREE to connect to our Responder Instance and leak an NetNTLMv2 hash (I should of noticed its the machine account due to username ending with a $, these are pretty much never crackable) 39:45 - Searching google to find XPNSec's post on "Azure AD Connect for Red Teamers" 43:00 - Running through the commands with SQLCMD to understand what is going on 48:20 - Executing the Azure AD Connectdecryption script and having Evil-WinRM Crash on us 49:10 - Stepping through the script to see where it is failing 51:25 - Updating the SQL Connection script to work with our MSSQL Configuration, then fixing the script 55:40 - Running the updated script, and getting the administrator password then using PSExec to get a system shell on the box 58:30 - Using DNSPY to decompile the MCRYPT.DLL binary to just explore what is going on 1:03:50 - Dumping the DNS Zone for MEGABANK.LOCAL via powershell
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
48 HackTheBox - Bart
HackTheBox - Bart
IppSec
49 HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

Related AI Lessons

The AI Moat Paradox: The Better Models Become, the Less Models Matter
The AI moat paradox suggests that as AI models improve, their importance may decrease, and understanding this concept is crucial for AI professionals and businesses.
Medium · AI
170,927 AI Papers Reveal the Biggest Research Shifts of the First Half of 2026
Discover the biggest AI research shifts of 2026 based on 170,927 papers, and learn how to apply these trends to your work
Medium · Machine Learning
170,927 AI Papers Reveal the Biggest Research Shifts of the First Half of 2026
Discover the major research shifts in AI from 170,927 papers published in the first half of 2026, and learn how to analyze trends in AI research
Medium · Data Science
[PoV] When Everyone Is Smart, No One Is
In a world where AI makes everyone smart, the value of intelligence decreases, and new challenges arise
Medium · AI

Chapters (21)

Into
0:54 Begin of recon
3:36 Using rpcclient with null authentication and dumping active directory users
6:26 Building a password list with hashcat --stdout (Forest Video does it better)
8:41 CrackMapExec shows SABatchJobs:SABatchJobs are valid credentials
12:06 Using SMBMap to list contents of directories
16:20 Using SMBMap to download azure.xml which has a hardcoded credential in it then
19:50 Downloading and running Seatbelt on the server
25:20 Running WinPEAS for a second opinion
27:45 Talking about the Azure Admins group
28:55 Playing with SQLCMD to view the MSSQL Database
30:45 Downloading and running PowerUpSQL to see if there's any obvious escalation pa
37:00 Using XP_DIRTREE to connect to our Responder Instance and leak an NetNTLMv2 ha
39:45 Searching google to find XPNSec's post on "Azure AD Connect for Red Teamers"
43:00 Running through the commands with SQLCMD to understand what is going on
48:20 Executing the Azure AD Connectdecryption script and having Evil-WinRM Crash on
49:10 Stepping through the script to see where it is failing
51:25 Updating the SQL Connection script to work with our MSSQL Configuration, then
55:40 Running the updated script, and getting the administrator password then using
58:30 Using DNSPY to decompile the MCRYPT.DLL binary to just explore what is going o
1:03:50 Dumping the DNS Zone for MEGABANK.LOCAL via powershell
Up next
Man dies after horror Gold Coast house fire; high-speed Sydney motorway pursuit | 9 News Australia
9 News Australia
Watch →