Registry 10.10.10.159

Look up at the stars and not down at your feet <Stephen Hawking>
Owned on

Background

Registery is an Hard difficulty Windows machine from HacktheBox, it requires the SMB enumeration technique and source code review, for training your ethical hacking skills and penetration testing skills.

[email protected]

Target Machine: 10.10.10.159

Attacking (Hacker) machine: 10.10.14.9

Penetrating Methodology

Service Scanning

  • Nmap

Enumeration

  • Enum4linux

  • dnSpy

Exploitation

  • msfvenom

Walkthrough:

Target machine: 10.10.10.178

Attacking (Hacker) machine: 10.10.14.9

Hacking Process Part 0 – Service Scanning

The target machine IP is10.10.10.178. Get a basic understanding of the available services of the target machine using nmap aggressive scanning to all available ports.

Quick searching

nmap -sV -A -oN nmap-htb-registry-detail.txt registry.htb

Enumeration strategies

  1. Web Application Vulnerability

  2. Web Enumeration docker.registry.htb

  3. SSH Enumeration

Hacking Process Part 1 – Enumeration

1.1) SMB Enumeration

SMBMAP

nmap --script smb-enum-shares -p 445

enum4linux

smbclient

smbclient -N //nest.htb/Users

\IT\Configs\Adobe\editing.xml

\IT\Configs\Adobe\Options.txt

\IT\Configs\Adobe\projects.xml

\IT\Configs\Adobe\settings.xml

\IT\Configs\Atlas\Temp.XML

\IT\Configs\Microsoft\Options.xml

\IT\Configs\NotepadPlusPlus\config.xml

\IT\Configs\NotepadPlusPlus\shortcuts.xml

\IT\Configs\RU Scanner\RU_config.xml

\Shared\Maintenance\Maintenance Alerts.txt

\Shared\Templates\HR\Welcome Email.txt

\IT\Configs\NotepadPlusPlus\config.xml

c.smith

fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=

mount -t cifs //10.10.10.178/Secure$ /root/Documents/ctf/htb/windows/10_nest/hostfile/Secure -o user=TempUser,password=welcome2019

According to the config.xml there is af directory

https://dotnetfiddle.net/kiYWi4

c.smith

fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=

xRxRxPANCAK3SxRxRx

smbclient \\\\nest.htb\\Data -U c.smith

WBQ201953D8w

Adminstrator

"XtH4nkS4Pl4y1nGX"

Hacking Process Part 2 – Exploitation

2.1) Brute force attack

Hacking Process Part 3 – Getting Low Privilege Access

Hacking Process Part 4 – Privilege Escalation

4.1) Directory Enumeration

Conclusion...

Reference Link

https://www.anquanke.com/post/id/86080

https://github.com/0xd4d/dnSpy