In this challenge I learned how to mount a remote SMB share as well as how to mount a virtual hard disk file. I then dumped the passwords from the SAM to gain initial access, where I was introduced to a new tool named mRemoteNG, which stored passwords insecurely.
Nmap scan:
Looking at the results, SSH stands out, as it is fairly uncommon to see it running on Windows, let alone Windows 7. After looking up the version I found nothing interesting.
I also see port 135, which we can attempt to connect to with rpcclient; this was unsuccessful.
139 and 445 are also open. I started with some SMB enumeration, running enum4linux and smbmap; both failed.
A cool trick I learned from 0xdf is that if you specify a username, even an invalid made-up one, you can authenticate as guest.
We see an interesting message about a test backup directory that could not be removed. We also have read/write access to Backups.
I followed this with the -R flag to list every file possible. This is a very verbose output.
I saw that there was a note file inside the backup, so I decided to go and grab it with smbclient.
The note makes sense, as downloading the entire backup file would take way too long and, to be honest, I like to work fast. So I moved on to mounting the SMB share.
Is CIFS the same as SMB? "CIFS (Common Internet File System) and SMB (Server Message Block) are both Windows file-sharing protocols used in storage systems, such as network-attached systems (NAS). The key difference between CIFS and SMB is that CIFS is a dialect of SMB – a particular implementation of the SMB protocol." - UpGuard, upguard.com/blog/cifs-vs-smb
After mounting the Backups share I located two VHD files.
A virtual hard disk (VHD) is a disk image file format for storing the entire contents of a computer's hard drive. The disk image, sometimes called a virtual machine (VM), replicates an existing hard drive, including all data and structural elements.
To mount the VHD image I will need to reinstall an additional tool set named libguestfs-tools.
After installing the required tools I restarted my VM and began to attempt to mount the VHD.
After running this command I listed the mounted directory's contents; I had to use sudo.
From the basic overview of information, we can see it is a Windows file system. I had a poke around in the user and Desktop directories to see if I could find a flag, which I could not.
I am aware that Windows has a Security Account Manager (SAM), which is a database of some sort used to store Windows credentials. It is located in windows/system32/config.
I can use a tool from Impacket called secretsdump to automate the process of obtaining valuable information.
We have found an unknown user and an autologin password for this user; we also have three other users and their NTLM hashes. To be time-efficient, I used a platform called CrackStation for some fast cracking.
We got the password for L4mpje-PC.
Revisiting my nmap results, I have a couple of potential services I can try to authenticate to. I am going to start from the top with SSH, which was a success.
Finding user flag:
Looking for privilege escalation:
I am unfamiliar with mRemoteNG, so I did some research. After reading up on what mRemoteNG is, I went looking for information related to any vulnerability and came across this Reddit post:
That linked to this article: ethicalhackingguru.com/how-to-exploit-remot.. I know that there is an insecure password store now, so I went ahead and tried to find it.
The password is stored in an XML file named confCons.
As these are fairly small files, I used the type command to just copy and paste the content to my local machine.
At first, I tried to decrypt the password by just passing the file to a tool, mremoteng_decrypt.py, but this was unsuccessful.
I followed that by grepping the file for Password, then taking the password strings out and attempting to decrypt them.
I then used these new credentials to authenticate to SSH again and typed out the root flag.
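Grepping for Password works, but a confCons.xml is a structured file, and the more useful question for anyone auditing a host is which connection entries carry a stored password at all, since those are the entries that become exposed the moment the file is readable. The script below is an added example written for this writeup; it is not the post's code, not part of mRemoteNG, and not the decrypt tool mentioned above. It parses the XML and lists every Connection node with a non-empty Password attribute, together with the file-level protection settings on the root element. The sample document and its placeholder blobs are constructed for the example and do not come from the box; the element and attribute names (Node, Type, Hostname, Username, Password, FullFileEncryption, KdfIterations) follow the real confCons.xml layout, where only the root element carries the mrng: namespace prefix.

```python
"""Audit an mRemoteNG confCons.xml for stored connection credentials.

Added example for this writeup (not mRemoteNG's code and not the decrypt tool).
It reports which connections have a password saved in the file and whether the
file relies only on per-attribute encryption; it does not decrypt anything.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample shaped like a confCons.xml. The Password/Protected values
# are placeholders, not real ciphertext from any system.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" Protected="PLACEHOLDER_PROTECTED_BLOB" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain=""
        Password="PLACEHOLDER_ENCRYPTED_BLOB" Hostname="127.0.0.1" Protocol="RDP" />
  <Node Name="Jump host" Type="Connection" Username="svc_backup" Domain="CORP"
        Password="" Hostname="10.0.0.5" Protocol="SSH2" />
  <Node Name="Servers" Type="Container" Username="" Domain="" Password="">
    <Node Name="File server" Type="Connection" Username="fileadmin" Domain=""
          Password="PLACEHOLDER_ENCRYPTED_BLOB" Hostname="10.0.0.9" Protocol="RDP" />
  </Node>
</mrng:Connections>
"""


@dataclass
class StoredCredential:
    path: str       # container/connection path built from the Node Name attributes
    hostname: str
    protocol: str
    username: str


def audit_confcons(xml_text: str) -> Tuple[Dict[str, object], List[StoredCredential]]:
    """Return (file-level protection settings, connections that store a password)."""
    root = ET.fromstring(xml_text)
    # The root attributes describe how the file is protected. With
    # FullFileEncryption="false" the hostnames, usernames and protocols stay in
    # plaintext and only each Password attribute is encrypted.
    file_level = {
        "full_file_encryption": root.get("FullFileEncryption", "false").lower() == "true",
        "encryption_engine": root.get("EncryptionEngine", ""),
        "kdf_iterations": int(root.get("KdfIterations", "0") or 0),
    }
    findings: List[StoredCredential] = []

    def walk(element, parents: List[str]) -> None:
        for node in element:
            if node.tag != "Node":      # Node elements carry no namespace prefix
                continue
            path = parents + [node.get("Name", "")]
            # Containers only group connections; a password counts only on a
            # Connection node and only when the attribute is non-empty.
            if node.get("Type") == "Connection" and node.get("Password", ""):
                findings.append(StoredCredential(
                    path="/".join(path),
                    hostname=node.get("Hostname", ""),
                    protocol=node.get("Protocol", ""),
                    username=node.get("Username", ""),
                ))
            walk(node, path)

    walk(root, [])
    return file_level, findings


def risk_summary(file_level: Dict[str, object], findings: List[StoredCredential]) -> List[str]:
    """Human-readable lines an admin can act on (rotate, move to a vault, enable a master password)."""
    lines = []
    if not file_level["full_file_encryption"]:
        lines.append("FullFileEncryption is off: connection metadata is plaintext, "
                     "only Password attributes are encrypted.")
    lines.append(f"{len(findings)} connection(s) store a password in this file.")
    for f in findings:
        lines.append(f"  {f.path}: {f.protocol} to {f.hostname} as {f.username or '<no user>'}")
    return lines


if __name__ == "__main__":
    settings, creds = audit_confcons(SAMPLE_CONFCONS)
    print("\n".join(risk_summary(settings, creds)))
```

Run against a real file with `audit_confcons(open(path).read())`. The point of the report is the list of hosts and usernames that need rotating if the file ever leaves the machine, plus the reminder that the default configuration does not encrypt anything except the Password attributes.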