Registry 10.10.10.159
Look up at the stars and not down at your feet <Stephen Hawking>
Background
Registry is a Hard difficulty Windows machine from Hack The Box. It requires SMB enumeration and source code review, and is intended for training ethical hacking and penetration testing skills.
130n@calvinlai.com
Target Machine: 10.10.10.159
Attacking (Hacker) machine: 10.10.14.9
Penetrating Methodology
Service Scanning
Nmap
Enumeration
Enum4linux
dnSpy
Exploitation
msfvenom
Walkthrough:
Target machine: 10.10.10.178
Attacking (Hacker) machine: 10.10.14.9
Hacking Process Part 0 – Service Scanning
The target machine IP is 10.10.10.178. Get a basic understanding of the services available on the target machine by running an aggressive nmap scan against all available ports.
Quick searching
nmap -sV -A -oN nmap-htb-registry-detail.txt registry.htb
Enumeration strategies
Web Application Vulnerability
Web Enumeration docker.registry.htb
SSH Enumeration
Hacking Process Part 1 – Enumeration
1.1) SMB Enumeration
SMBMAP
nmap --script smb-enum-shares -p 445
enum4linux
smbclient
smbclient -N //nest.htb/Users
\IT\Configs\Adobe\editing.xml
\IT\Configs\Adobe\Options.txt
\IT\Configs\Adobe\projects.xml
\IT\Configs\Adobe\settings.xml
\IT\Configs\Atlas\Temp.XML
\IT\Configs\Microsoft\Options.xml
\IT\Configs\NotepadPlusPlus\config.xml
\IT\Configs\NotepadPlusPlus\shortcuts.xml
\IT\Configs\RU Scanner\RU_config.xml
\Shared\Maintenance\Maintenance Alerts.txt
\Shared\Templates\HR\Welcome Email.txt
\IT\Configs\NotepadPlusPlus\config.xml
c.smith
fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=
mount -t cifs //10.10.10.178/Secure$ /root/Documents/ctf/htb/windows/10_nest/hostfile/Secure -o user=TempUser,password=welcome2019
According to the config.xml, there is a directory
https://dotnetfiddle.net/kiYWi4
c.smith
fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=
xRxRxPANCAK3SxRxRx
smbclient \\\\nest.htb\\Data -U c.smith
WBQ201953D8w
Administrator
"XtH4nkS4Pl4y1nGX"
Hacking Process Part 2 – Exploitation
2.1) Brute force attack
Hacking Process Part 3 – Getting Low Privilege Access
Hacking Process Part 4 – Privilege Escalation
4.1) Directory Enumeration
Conclusion...
Reference Link