Machine IP: 10.10.10.134
DATE : 17/07/2019
START TIME: 11:36 PM
There’s SMB service running so we can use tools like
smbclient to find some share to look into.
Using the following command I got the list of shares:
➜ smbclient -L //10.10.10.134/Backups -U ""
We can see that there’s one share named
Backups present. Let’s see if we can find anything in it.
The first thing I read was
mDGqWiOzka directory was empty and the
nmap-test-file had some junk data and
SDT65CB.tmp was empty.
WindowsImageBackup I found another directory named
After looking around a bit I found some
.vhd file in
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\>.
We can download those
.vhd file and then mount them to find something in them but that might not be the best way to do it because this is what the
please don't transfer the entire backup files locally, the VPN to the subsidiary office is too slow.
So instead we need to find a way to mount the
SMB directory to our system so we can browse the backup files and then mount the VHD.
- Make a new directory to mount SMB share
- I did
sudo mkdir /home/bastion
- I did
sudo mount -t cifs //10.10.10.134/Backups /home/bastion -o user=""
This will mount the SMB share.
- Make a new directory, I made a directory within
sudo mkdir /home/bastion/vhd
guestmount --add /home/bastion/WindowsImageBackup/L4mpje-PC/"Backup 2019-02-22 124351"/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /home/bastion/vhd -v
This will mount the VHD, now we can just look around to see if we can find anything.
In Windows we can find juicy stuff in
System32, you can says it’s equivalent to
/etc/ of linux(not exactly).
Windows store passwords in file called
SAM and we can use tool like
samdump to get hashes out of that file. And then using tools like
hashcat we can crack it.
System32/config we can see the
samdump2 SYSTEM SAM we can dump hashes
crackstation to crack the hash
Now we have the password so we can login into
L4mpje SSH account.
We can just grab the
user hash now.
I started looking around but there wasn’t anything interesting in the user directory.
I decided to look into
Program Files and
Program Files (x86) folder. Since this is where the new software are installed, we can see if there’s any vulnerable program installed.
Program Files (x86) I found a program named
mRemoteNg, that is the only program which isn’t present by default.
So I google exploit for it and found a metasploit script for it. But since it’s
post exploit it will need a shell or something(I’m not good with msf).
I continued my search for easy-to-run exploit and found a github repository kmahyyg/mremoteng-decrypt. According to this I need to get the
mRemoteNG and then use one of the script to decrypt the password.
I used the
type command to see the content of
we can see the password hash there.
Now we can just use that password with our script to decrypt it.
I had to edit the python script a bit. First I installed
PyCryptodome and then
Change the following line
from Cryptodome.Cipher import AES
from Crypto.Cipher import AES
I used the following command to crack the password:
➜ python mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt\/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
and got the output
To confirm that I got the right password I used the
L4mpje hash and checked if I got
bureaulampje and I actually did got that:
First I tried to use the
runas command to use the
administrator account but for some reason it didn’t worked.
So I logged into
SSH account of
Administrator using the
Thanks for reading, Feedback is always appreciated
Follow me @0xmzfr for more “Writeups”.