HTB: Bastion

Mike Bond
5 min read · Sep 14, 2019


Target Experience:

My observations while working this target:

· Enumeration: Life-like

· Vulnerabilities: Life-like

· Exploitation: Life-like

· Difficulty: Easy/Medium

· Community Notes: OSCP-like

Tools:

The recommended tools for this lab were:

· Nmap

· SMBClient and/or SMBMap

· Guestmount

· Pwdump

· HashCat

· Searchsploit

· Python3 with a working hashlib, or a Windows VM

· mRemoteNG

Vulnerabilities:

· Misconfiguration

· Remote Code Execution

Information Gathering:

Using Nmap, I scanned for service version detection, OS detection, script scanning, and traceroute of the target system.

Nmap Scan

SMB Enumeration:

With Nmap showing that SMB was enabled on the target, I used RunFinger.py from the Responder toolkit to check whether the target was vulnerable to MS10-010.

RunFinger.py

Reviewing the Nmap output, the Guest account was enabled. So, I used smbclient to log in as Guest and enumerate the shares available on the target.

Smbclient: Shares

An alternative to smbclient was smbmap.

smbmap

After identifying that Guest had Read/Write access to the Backups share, I used smbclient to connect to it.

Smbclient: Connection

Since smbclient was a little cumbersome for my liking, I mounted the share over CIFS from my attacker system instead.

Mounted Share

With the share mounted, I found an interesting note referring to a backup file. I eventually found the backup, which contained two VHD files.

Note

Using my preferred search engine, I looked up what these extensions were and learned that they were Virtual Hard Disk files.

VHD Enumeration:

Based on the note, I needed to research how to access the VHD backup files. I eventually found information on guestmount and used it to mount them.

guestmount

With the backup VHD files mounted, I used basic Windows techniques to copy the SAM and SYSTEM files from the Windows/System32/config directory to my attacker system.

SAM and SYSTEM

On my attacker system, I used pwdump to dump the hashes from the SAM and SYSTEM files into a new file named hashes.in.

pwdump

As cleanup, I used the following commands to disconnect the mount points on my attacker system.

Mount Cleanup

Password Cracking:

Once pwdump completed its task, I moved the hashes.in file to my password cracking rig, where I used HashCat to crack the NTLMv1 hashes.

HashCat

Within less than a second, HashCat cracked the password for the L4mpje account.

Cracked Accounts

Foothold:

Returning to the Nmap scan, I tried to connect to the system via SSH with the newly obtained credentials.

SSH Connectivity

Once connected, I pillaged the user’s home directory and found the User.txt file containing a flag.

User.txt

Privilege Escalation:

As I continued my pillaging and enumeration efforts, I found an odd program installed on the target.

mRemoteNG

I checked SearchSploit and found a few references on how to recover the passwords stored by the mRemoteNG application. However, they all failed.

I continued to search and found two Python scripts that appeared to provide remote code execution.

https://github.com/mRemoteNG/mRemoteNG/releases

https://github.com/kmahyyg/mremoteng-decrypt

However, Python3’s hashlib appeared corrupt, and no matter what I tried, I could not correct the issue on my attacker system. So, I found another link and tried those methods instead.

http://hackersvanguard.com/mremoteng-insecure-password-storage/

Again, no luck. The article seemed a bit dated. So, back to researching, where I found the following article:

https://dynamic-datacenter.be/?p=168

Unfortunately, I needed to use Windows in order to exploit mRemoteNG’s password storage. So, after loading a Windows VM and installing mRemoteNG, I downloaded the confCons.xml file from the target and uploaded it to my Windows VM.

confCons.xml

Next, I launched my locally installed mRemoteNG and created the External Password Tool as described in the article. Once created, I used the External Tool to perform a Password Lookup on the DC connection.

mRemoteNG: Password Lookup

Note: I had to clean up the confCons.xml after downloading it from the target due to formatting issues. If the file is not clean, mRemoteNG will launch with an error.

After locating the administrator credentials in the bottom left panel of mRemoteNG, I used them to establish a new SSH connection to the target.
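The steps above show why a confCons.xml left in a readable share matters: every connection with a saved password is recoverable by anyone who can open the file in mRemoteNG. The following Python audit is an added example (not from this write-up or the mRemoteNG project) that parses such an export, lists the connections carrying a saved password, reports whether the file relies on full-file encryption, and fails with a line/column message when the file is not well-formed, which is the cleanup problem noted above. The attribute names (Node, Type, Username, Password, FullFileEncryption, KdfIterations) are assumed from the confCons.xml layout, and the sample file is constructed with placeholder blobs.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the confCons.xml layout; PLACEHOLDER_* values stand in
# for the encrypted blobs a real export contains.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" Protected="PLACEHOLDER_PROTECTED" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain=""
        Password="PLACEHOLDER_CIPHERTEXT" Hostname="127.0.0.1" Protocol="RDP" />
  <Node Name="Jumpbox" Type="Connection" Username="svc" Domain=""
        Password="" Hostname="10.0.0.5" Protocol="SSH2" />
</mrng:Connections>
"""


def load_confcons(xml_text):
    """Parse confCons.xml; a damaged file (stray bytes, truncated tag) is
    reported with its line and column instead of a bare parser traceback."""
    try:
        return ET.fromstring(xml_text)
    except ET.ParseError as exc:
        line, col = exc.position
        raise ValueError(f"confCons.xml not well-formed at line {line}, column {col}: {exc}") from None


def audit_confcons(xml_text):
    """Report which connections carry a saved password and whether the whole
    file is encrypted (FullFileEncryption) rather than only the password attributes."""
    root = load_confcons(xml_text)
    report = {
        "full_file_encryption": root.get("FullFileEncryption", "false").lower() == "true",
        "kdf_iterations": int(root.get("KdfIterations", "0")),
        "stored_passwords": [],
    }
    # Connection nodes may be nested under container nodes, so walk the whole tree.
    for node in root.iter("Node"):
        if node.get("Type") == "Connection" and node.get("Password"):
            report["stored_passwords"].append({
                "name": node.get("Name"),
                "username": node.get("Username"),
                "hostname": node.get("Hostname"),
                "protocol": node.get("Protocol"),
            })
    return report


if __name__ == "__main__":
    result = audit_confcons(SAMPLE_CONFCONS)
    for entry in result["stored_passwords"]:
        print(f"saved password: {entry['name']} ({entry['username']}@{entry['hostname']}, {entry['protocol']})")
    print("full file encryption:", result["full_file_encryption"])
```

Run against a real export, a non-empty stored_passwords list is the set of credentials exposed to anyone who can read the file, regardless of whether a custom master password was set.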

Continuing to pillage the system, I found the root flag.

Root.txt

References:

https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/dd323654(v=vs.85)

https://medium.com/@klockw3rk/mounting-vhd-file-on-kali-linux-through-remote-share-f2f9542c1f25

http://hackersvanguard.com/mremoteng-insecure-password-storage/

https://dynamic-datacenter.be/?p=168

Disclaimer:

This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.

Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.

Information within this article is “as is”, without warranty of any sort.
