
Target Experience:

My observations while working this target:

Tools:

The recommended tools for this lab were:

Vulnerabilities:

· Misconfiguration

Information Gathering:

Using Nmap, I scanned the target system with service version detection, OS detection, default script scanning, and traceroute enabled.

[Screenshot: Nmap Scan]

SMB Enumeration:

With Nmap showing that SMB was enabled on the target, I decided to use RunFinger.py from the Responder toolkit to determine whether the target was vulnerable to MS10-010.

[Screenshot: RunFinger.py]
[Screenshot: Smbclient: Shares]
[Screenshot: smbmap]
[Screenshot: Smbclient: Connection]
[Screenshot: Mounted Share]
[Screenshot: Note]

VHD Enumeration:

Based on the note, I needed to research how I could access the VHD backup files. I eventually found guestmount and used it to mount the VHD files.

[Screenshot: guestmount]
[Screenshot: SAM and SYSTEM]
[Screenshot: pwdump]
[Screenshot: Mount Cleanup]

Password Cracking:

Once pwdump completed, I moved the hashes.in file to my password-cracking rig, where I used HashCat to crack the NTLMv1 hashes.

[Screenshot: HashCat]
[Screenshot: Cracked Accounts]

Foothold:

Returning to the Nmap scan, I decided to try connecting to the system over SSH with the newly obtained credentials.

[Screenshot: SSH Connectivity]
[Screenshot: User.txt]

Privilege Escalation:

As I continued my pillaging and enumeration efforts, I found an unusual program installed on the target.

[Screenshot: mRemoteNG]
[Screenshot: confCons.xml]
[Screenshot: mRemoteNG: Password Lookup]
[Screenshot: Root.txt]

Disclaimer:

This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
