MS Security update for Windows SMB Server: March 14, – Question Info
Jun 15, · Let’s also run a full, all ports scan.

PORT STATE SERVICE
80/tcp open http
/tcp open msrpc
/tcp open netbios-ssn
/tcp open microsoft-ds
/tcp open ms-wbt-server
/tcp open unknown
/tcp open unknown
/tcp open unknown
/tcp open unknown

For ports we need to run another scan to see exactly .

Sep 07, · Mounting the virtual hard drive. Since this mounted disk appears to be a Windows hard drive, we should be able to retrieve the SAM and SYSTEM hives to recover account names and hashes using samdump2.

find HDD/Windows/ -name '*SYSTEM*'; find HDD/Windows/ -name '*SAM*'
samdump2 SYSTEM SAM

Dumping account password hashes.

Aug 02, · For a list of the files that are provided in this update, download the file information for cumulative update KB If you’re installing a Windows 10 update package for the first time, the package size for the x86 version is MB. If you are installing the Windows 10 update package of the x64 version or the Windows Server update.
To solve this machine, we enumerate services using nmap. Enumerating SMB shares, we see there is a Backups share that we are able to mount to our local machine. On the share, there are 2 virtual hard drives. With these, we are able to recover accounts and password hashes. After cracking the password of the L4mpje user, we are able to SSH into the machine and obtain user. Looking at installed programs, we see mRemoteNG is installed. We are able to exploit a vulnerability in the encryption mechanism using a known key value to decrypt the administrator password. Using the password, we are able to SSH into the machine as administrator and get root.

Like all machines, we begin by enumerating all open ports using nmap, then run nmap scripts against them. From our scan results, we see that ports and are hosting web servers, so we tried enumerating them with nikto and gobuster; however, we were unsuccessful.

Next, we saw SMB was running on port , so we attempt to list all shares. Seeing there is a Backups share, we mount it to our system so we can look through it. Once the share is mounted, we can run tree to get a hierarchical look at the files in this share. We see two virtual hard disks.

Using these credentials, we are able to SSH into the machine as l4mpje, and retrieve user. Doing initial recon on the machine, we see there is a program named mRemoteNG. Researching this application, we see there is a vulnerability: the encryption key is a known value. Supplying the encrypted password to a decryption script we found on GitHub, we are able to recover the password for Administrator and SSH into the machine. Doing so allows us to get root.

Thank you for taking the time to read my write-up. I am interested in other ways this machine has been solved. Feel free to reach out to me and we can discuss it.

Khaotic Developments. September 7,
Tags: Easy, Windows.