Lab - Hard
The next host is a Windows-based client. As with the previous assessments, our client would like to make sure that an attacker cannot gain access to any sensitive files in the event of a successful attack. While our colleagues were busy with other hosts on the network, we found out that the user Johanna is present on many hosts. However, we have not yet been able to determine the exact purpose or reason for this.
Given that the user Johanna appears on multiple hosts, we should proceed with attempting to crack her password.
The host is a Windows-based client, so we will proceed with cracking using the RDP protocol.
We have obtained the password for the user Johanna. Let's proceed with logging in using these credentials.
We have successfully logged in. Let's proceed with the next steps.
I located a file named Logins.kdbx and subsequently downloaded it to my analysis workstation.
The file is password-protected. Therefore, we should attempt to extract the password hash from this KeePass database file.
Now let's open the Logins.kdbx file using keepassxc.
I discovered credentials for the user "david."
After a while, I used smbclient with David's credentials to assess the available resources.
There is a virtual hard disk named Backup.vhd. let's transfer it to our attacking machine.
It's an encrypted virtual hard disk. Let's proceed with the decryption process.
Let's extract the BitLocker recovery information from the VHD file and format it into a hash that can be used for password cracking with John the Ripper.
Here, we can see the NT hash for the Administrator account.
Let's save the file and attempt to crack it using John the Ripper.
We now have the password. Let's proceed with connecting using these credentials.
Now we can get the flag.
Last updated
