Bastion (Easy)

Enumeration

Nmap

nmap -sC -sV -oA nmap/10.10.10.134 10.10.10.134
Nmap scan report for 10.10.10.134
Host is up (0.12s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -39m57s, deviation: 1h09m16s, median: 1s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-07-12T18:00:27+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-12T16:00:28
|_  start_date: 2021-07-12T08:13:18

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 12 12:00:35 2021 -- 1 IP address (1 host up) scanned in 33.68 seconds

We can see that the SMB port is open, so we can go on and enumerate it.

SMB

We can see there is a share called Backups.

After some digging, we found out that there are two .vhd files; they are too big to download and analyse locally.

Instead, we can use the mount command to mount the share on our machine.

mkdir /mnt/backups
sudo mount -t cifs //10.10.10.134/Backups /mnt/backups

After that, we can use the guestmount command to mount the 5 GB .vhd file itself.

sudo mkdir -p /mnt/vhd
guestmount --add /mnt/backups/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd -v

Mounted the vhd file!

After that, I searched for the password but found nothing; the forum hinted to look under the System32 directory.

We can see that we are able to read the SAM and SYSTEM files. We copy both files to our local machine, then use Impacket's secretsdump to dump the password hashes from them.

impacket-secretsdump -sam SAM -system SYSTEM local

Some hashes show up.

Those are the LM and NTLM hashes.

I've tried using CrackStation to crack each part of the hash.

In the end, the NTLM hash of user L4mpje was cracked, giving us the password.

Then we can log in as user L4mpje over SSH, since port 22 is open.

User

Privilege Escalation

After some enumeration, we can see that mRemoteNG is installed here.

From this article, we learn that it stores credentials inside confCons.xml.

We can see the administrator hash here.

We can also find the hash decryption script on GitHub here.

After decrypting it, we got the password and can SSH in as Administrator.
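From the defender's side, the finding above is that confCons.xml is a credential store worth auditing. The following added example (not part of this writeup or of mRemoteNG) parses a constructed confCons.xml and lists which connections have a password saved in the file and whether FullFileEncryption is on; it assumes the mRemoteNG 1.7x layout (a root mrng:Connections element and Node elements of Type="Connection" with Username, Hostname and Password attributes) and never touches the stored blob itself.

```python
# Audit an mRemoteNG confCons.xml for connections that store a password.
# Added example for this writeup (not mRemoteNG's own code). Assumes the
# mRemoteNG 1.7x layout: a root <mrng:Connections> with a FullFileEncryption
# attribute and <Node Type="Connection"> children carrying Username/Hostname/
# Password attributes. The sample below is constructed; blobs are placeholders.
import xml.etree.ElementTree as ET

SAMPLE_CONFCONS = """<mrng:Connections xmlns:mrng="http://mremoteng.org"
    Name="Connections" EncryptionEngine="AES" BlockCipherMode="GCM"
    KdfIterations="1000" FullFileEncryption="false" Protected="PLACEHOLDER">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain=""
        Password="PLACEHOLDER_BLOB" Hostname="127.0.0.1" Protocol="RDP" />
  <Node Name="Jump" Type="Connection" Username="L4mpje" Domain=""
        Password="" Hostname="127.0.0.1" Protocol="SSH2" />
  <Node Name="Servers" Type="Container">
    <Node Name="Web" Type="Connection" Username="svc_web" Domain="CORP"
          Password="PLACEHOLDER_BLOB_2" Hostname="10.0.0.5" Protocol="RDP" />
  </Node>
</mrng:Connections>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree attaches to a tag."""
    return tag.rsplit('}', 1)[-1]


def audit_confcons(xml_text):
    """Return (full_file_encryption, findings) for a confCons.xml string.
    Findings are Connection nodes whose Password attribute is non-empty;
    only name/user/host/protocol are reported, never the stored blob."""
    root = ET.fromstring(xml_text)
    full_file = root.get('FullFileEncryption', 'false').lower() == 'true'
    findings = []
    for node in root.iter():          # iter() also descends into Containers
        if local_name(node.tag) != 'Node' or node.get('Type') != 'Connection':
            continue
        if node.get('Password'):      # empty string => nothing stored here
            findings.append({'name': node.get('Name'), 'user': node.get('Username'),
                             'host': node.get('Hostname'), 'protocol': node.get('Protocol')})
    return full_file, findings


if __name__ == '__main__':
    encrypted, hits = audit_confcons(SAMPLE_CONFCONS)
    print(f"FullFileEncryption={encrypted}; {len(hits)} connection(s) store a password")
    for h in hits:
        print(f"  {h['name']}: {h['user']}@{h['host']} ({h['protocol']})")
```

Run it against a real confCons.xml by reading the file into audit_confcons; any reported connection, in particular one with FullFileEncryption off, means a saved credential that should be removed or moved behind a strong master password.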

Got root!
