Registry 10.10.10.159
Look up at the stars and not down at your feet <Stephen Hawking>
Owned on

Background

Registry is a Hard difficulty Windows machine from Hack The Box. It requires SMB enumeration and source code review, and is intended for training your ethical hacking and penetration testing skills.

Target Machine: 10.10.10.159
Attacking (Hacker) machine: 10.10.14.9

Penetrating Methodology

Service Scanning

  • Nmap

Enumeration

  • Enum4linux
  • dnSpy

Exploitation

  • msfvenom

Walkthrough:

Target machine: 10.10.10.178
Attacking (Hacker) machine: 10.10.14.9

Hacking Process Part 0 – Service Scanning

The target machine IP is 10.10.10.178. Get a basic understanding of the services available on the target machine by running an nmap aggressive scan against all available ports.
Quick searching
nmap -sV -A -oN nmap-htb-registry-detail.txt registry.htb
Enumeration strategies
  1. Web Application Vulnerability
  2. Web Enumeration docker.registry.htb
  3. SSH Enumeration

Hacking Process Part 1 – Enumeration

1.1) SMB Enumeration

SMBMAP

nmap --script smb-enum-shares -p 445

enum4linux
smbclient
smbclient -N //nest.htb/Users
\IT\Configs\Adobe\editing.xml
\IT\Configs\Adobe\Options.txt
\IT\Configs\Adobe\projects.xml
\IT\Configs\Adobe\settings.xml
\IT\Configs\Atlas\Temp.XML
\IT\Configs\Microsoft\Options.xml
\IT\Configs\NotepadPlusPlus\config.xml
\IT\Configs\NotepadPlusPlus\shortcuts.xml
\IT\Configs\RU Scanner\RU_config.xml
\Shared\Maintenance\Maintenance Alerts.txt
\Shared\Templates\HR\Welcome Email.txt
\IT\Configs\NotepadPlusPlus\config.xml
c.smith
fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=
mount -t cifs //10.10.10.178/Secure$ /root/Documents/ctf/htb/windows/10_nest/hostfile/Secure -o user=TempUser,password=welcome2019
According to the config.xml there is a directory
c.smith
fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=
xRxRxPANCAK3SxRxRx
smbclient \\\\nest.htb\\Data -U c.smith
WBQ201953D8w
Administrator
"XtH4nkS4Pl4y1nGX"

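Added example (not part of the original walkthrough): the notes above record a user name and a base64-looking value next to XML config files found on a file share. From the defender's side, the script below audits a mounted copy of a share for XML elements whose tag name suggests a secret and reports file, tag, kind and length only. The tag pattern, file names and sample values are constructed assumptions.

```python
import base64, binascii, re, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed tag-name pattern for secret-bearing elements; extend for your estate.
SECRET_TAG = re.compile(r"passw|pwd|secret|token|api_?key", re.I)

def looks_base64(value: str) -> bool:
    """True if value is valid base64 that decodes to at least 16 bytes."""
    try:
        return len(base64.b64decode(value, validate=True)) >= 16
    except (binascii.Error, ValueError):
        return False

def audit_file(path: Path) -> list[dict]:
    """One finding per secret-looking element (length only, never the value)."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return []  # not well-formed XML; skipped here
    findings = []
    for elem in root.iter():
        value = (elem.text or "").strip()
        if value and SECRET_TAG.search(elem.tag):
            kind = "encoded-or-encrypted" if looks_base64(value) else "plaintext"
            findings.append({"file": path.name, "tag": elem.tag,
                             "kind": kind, "length": len(value)})
    return findings

def audit_tree(root_dir: Path) -> list[dict]:
    """Audit every .xml file (any case) under a mounted share or a copy of it."""
    results = []
    for path in sorted(root_dir.rglob("*")):
        if path.is_file() and path.suffix.lower() == ".xml":
            results.extend(audit_file(path))
    return results

def demo() -> list[dict]:
    """Run the audit over constructed sample files (not taken from the page)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "scanner.xml").write_text(
            "<Config><Username>svc.example</Username>"
            "<Password>Q09OU1RSVUNURUQtU0FNUExFLVZBTFVF</Password></Config>")
        (base / "editor.xml").write_text("<Settings><Theme>dark</Theme></Settings>")
        (base / "legacy.XML").write_text("<App><DbPasswd>changeme</DbPasswd></App>")
        return audit_tree(base)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run audit_tree() against a read-only mount using the least-privileged account that can reach the share; anything it reports is readable by that account too.
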
Hacking Process Part 2 – Exploitation

2.1) Brute force attack

Hacking Process Part 3 – Getting Low Privilege Access

Hacking Process Part 4 – Privilege Escalation

4.1) Directory Enumeration

Conclusion...

Reference Link