Contents

- Mounting and Enumerating the VHD File from the Backups Share
- Extracting the SAM Hashes and Cracking a Password with Hashcat
- Getting a Shell Over SSH as User L4mpje
- Bonus – Using secretsdump.py to Extract the Cleartext Password
- Post Exploitation Enumeration and Privilege Escalation
- Manual Enumeration of the System, Current User, and Installed Applications
- Finding the Administrator's Password in the confCons.xml File
- Decrypting the Administrator's Password and Getting a Shell Using Evil-WinRM

In this walkthrough, we will be hacking the machine Bastion from HackTheBox. We will begin by finding a few interesting ports open, including 22 (SSH), 445 (SMB), and 5985 (WinRM). From there, we will start the enumeration phase by successfully listing the SMB shares using anonymous access. Once the shares are listed, one custom share stands out, named Backups, which contains two virtual hard drives (VHDs).

After mounting the VHD, we will grab a copy of the SYSTEM and SAM hives and then extract the NTLM hash of the user L4mpje. An attempt to pass-the-hash fails (pass-the-hash over SMB or WinRM only gets you in where the account holds administrative rights, and OpenSSH does not accept NTLM hashes at all), so instead we'll crack the hash using hashcat and then log in over SSH to obtain our initial foothold.

Once a foothold has been obtained, we will use manual enumeration to get a lay of the land, which reveals an interesting application (mRemoteNG) installed on the system. After doing some research on Google, we will learn that this program is used for managing remote connections and that it can store credentials in a "connection file" called confCons.xml. With knowledge of the file we are looking for and where to find it, we will check the confCons.xml file and find an encrypted version of the Administrator's password inside. Using another Google search, we will find a tool for decrypting mRemoteNG passwords and use it on the password we found in the confCons.xml file. After using the tool we will uncover the Administrator's cleartext password and then use it to log into the target host over port 5985 (WinRM).

Nmap full TCP - nmap -A -sV -sC -T4 10.10.10.134 -p- -oN full_tcp.nmap

Review of Open Ports

Based on the nmap scan, there are multiple ports open on the target. Immediately I find it interesting to see SSH open on a Windows host.

- Port 22 is open and is hosting an SSH service, which will be useful if credentials are found – version: OpenSSH for_Windows_7.9.
- Ports 135 / 139 / 445 are open and are hosting the RPC / NetBIOS / SMB share services respectively.
- Port 5985 is hosting the WinRM service, which will be useful if credentials are found.
- Port 47001 is open, which is commonly associated with WinRM – Microsoft HTTPAPI httpd 2.0.
- Ports 49xxx are hosting the high (dynamic endpoint) RPC services.

The nmap scan has also revealed the operating system on the target to be Windows Server 2016 Standard 14393.

Enumeration and Initial Exploit

For this target, there is not much to work with aside from SMB / RPC for enumeration and possibly a vulnerable version of SSH. To start, I decided to enumerate the SMB and RPC services to see if they permit anonymous access. The anonymous session is permitted and the SMB shares are revealed; most notably, a custom share named Backups was found.

Before looking inside the shares, I want to see if I can also get an anonymous session over RPC. Sure enough it works for RPC as well, and testing the srvinfo command, I was able to get information about the system. As a result of both services allowing anonymous access, I decided to run enum4linux to gather info on the system while I manually check the Backups share.
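The anonymous SMB and RPC checks above, wrapped into a script (an added example, not the walkthrough's own code). It assumes the Samba client tools smbclient and rpcclient plus enum4linux are on PATH; the two sample outputs embedded in it are constructed to look like the Bastion share list and srvinfo response described in the text, not captured from the real host. Run it with no arguments to exercise the parsers offline, or with a target IP to run the live checks.

```bash
#!/usr/bin/env bash
# anon_enum.sh - null-session triage over SMB and RPC (added example; not the
# walkthrough's own script). Assumes smbclient, rpcclient and enum4linux are
# on PATH. With no arguments it only runs the parsers against the constructed
# sample output below, so it can be checked without a target.
set -u

# Constructed sample of `smbclient -N -L //target` output, modelled on the
# share list described for Bastion (not captured from the real host).
SAMPLE_SMB_LISTING=$(printf '%s\n' \
    '        Sharename       Type      Comment' \
    '        ---------       ----      -------' \
    '        ADMIN$          Disk      Remote Admin' \
    '        Backups         Disk      ' \
    '        C$              Disk      Default share' \
    '        IPC$            IPC       Remote IPC' \
    'Reconnecting with SMB1 for workgroup listing.')

# Constructed sample of `rpcclient -N -U '' target -c srvinfo` output.
SAMPLE_SRVINFO=$(printf '%s\n' \
    '        10.10.10.134   Wk Sv NT SNT' \
    '        platform_id     :       500' \
    '        os version      :       10.0' \
    '        server type     :       0x9003')

# Print the names of non-default shares from an smbclient listing on stdin.
# Share rows look like "<name> <Disk|IPC|Printer> <comment>"; the built-in
# administrative shares end in "$" (ADMIN$, C$, IPC$) and are dropped so a
# custom share such as Backups stands out.
parse_custom_shares() {
    awk '$2 ~ /^(Disk|IPC|Printer)$/ && $1 !~ /\$$/ { print $1 }'
}

# Print the "os version" value from srvinfo output on stdin. 10.0 covers
# Windows 10 / Server 2016 and later; the build number from nmap (14393 here)
# is what pins down the exact release.
parse_os_version() {
    awk -F: '/os version/ { gsub(/[ \t]/, "", $2); print $2 }'
}

# Live checks against one target. The exit status of smbclient / rpcclient is
# taken as the "null session allowed?" signal, mirroring the manual checks;
# enum4linux -a is started in the background only when both accept anonymous
# access, so its report is ready while the shares are inspected by hand.
anon_enum() {
    local target="$1" listing srv smb_ok rpc_ok out
    listing=$(smbclient -N -L "//$target" 2>/dev/null); smb_ok=$?
    if [ "$smb_ok" -eq 0 ]; then
        echo "[+] SMB null session accepted on $target"
        printf '%s\n' "$listing" | parse_custom_shares | sed 's/^/    custom share: /'
    else
        echo "[-] SMB null session refused on $target"
    fi
    srv=$(rpcclient -N -U '' "$target" -c srvinfo 2>/dev/null); rpc_ok=$?
    if [ "$rpc_ok" -eq 0 ]; then
        echo "[+] RPC null session accepted; os version $(printf '%s\n' "$srv" | parse_os_version)"
    else
        echo "[-] RPC null session refused on $target"
    fi
    if [ "$smb_ok" -eq 0 ] && [ "$rpc_ok" -eq 0 ]; then
        out="enum4linux_${target}.txt"
        echo "[*] both services allow anonymous access; running enum4linux -a in the background -> $out"
        enum4linux -a "$target" >"$out" 2>&1 &
    fi
}

if [ "$#" -ge 1 ]; then
    anon_enum "$1"
else
    echo "usage: $0 <target>  (e.g. $0 10.10.10.134); running parser self-check on sample output" >&2
    printf '%s\n' "$SAMPLE_SMB_LISTING" | parse_custom_shares
    printf '%s\n' "$SAMPLE_SRVINFO"      | parse_os_version
fi
```

Filtering on the share type column rather than on indentation keeps the parser working when smbclient prints the SMB1 workgroup fallback messages after the table, and dropping names ending in "$" is what makes a custom share like Backups the only thing left to look at.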