This is a short write-up of the skill assessment lab from the Password Attacks module on Hack The Box.
The lab contains the following description:
The next host is a Windows-based client. As with the previous assessments, our client would like to make sure that an attacker cannot gain access to any sensitive files in the event of a successful attack. While our colleagues were busy with other hosts on the network, we found out that the user Johanna is present on many hosts. However, we have not yet been able to determine the exact purpose or reason for this.
The following question should be answered:
Examine the third target and submit the contents of flag.txt in C:\Users\Administrator\Desktop\ as the answer.
The lab provides three files for password brute-forcing, used throughout the skill assessments. The mut_password.list, created earlier in the Medium Lab using the custom.rule and password.list, is also available for use.
[Screenshot: resource files and mutation file]
I started with a full port scan of the target machine using nmap, which revealed several open ports.
[Screenshot: nmap full port scan]
Summarizing the initial enumeration, nothing significant turned up:
• SMB ports: Anonymous login was not allowed, and no useful information could be retrieved.
• NFS port: Mounting options were unavailable, providing no further leads.
• Other services: Testing these required valid credentials, which were not available.
With no other viable options, the next logical step was to attempt brute-forcing the services to discover Johanna’s password. To achieve this, I used the CrackMapExec tool with the WinRM protocol.
[Screenshot: johanna's credential - rdp]
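As an added defender-side example (not part of the original write-up), the following Python script shows what a WinRM password brute force like the one above looks like in Windows Security events and how to flag it: a burst of 4625 (failed logon) events with logon type 3 from one source against one account, followed by a 4624 (successful logon) once the password is found. The event lines are constructed and simplified to one line per event, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, simplified to one line each:
# EventID  timestamp  target user  source IP  logon type (3 = network, as used by WinRM/SMB).
# 4625 = failed logon, 4624 = successful logon. Not real log data.
SAMPLE_EVENTS = """\
4625 2024-05-01T10:00:01 johanna 10.10.14.5 3
4625 2024-05-01T10:00:02 johanna 10.10.14.5 3
4625 2024-05-01T10:00:02 johanna 10.10.14.5 3
4625 2024-05-01T10:00:03 johanna 10.10.14.5 3
4625 2024-05-01T10:00:04 johanna 10.10.14.5 3
4625 2024-05-01T10:00:05 johanna 10.10.14.5 3
4624 2024-05-01T10:00:06 johanna 10.10.14.5 3
4625 2024-05-01T09:30:00 david 10.10.14.9 3
4624 2024-05-01T11:00:00 david 10.10.14.9 10
"""

LINE_RE = re.compile(r"^(\d{4}) (\S+) (\S+) (\S+) (\d+)$")

def parse_events(text):
    """Parse the simplified event lines into (event_id, time, user, ip, logon_type), time-ordered."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            eid, ts, user, ip, ltype = match.groups()
            events.append((int(eid), datetime.fromisoformat(ts), user, ip, int(ltype)))
    return sorted(events, key=lambda e: e[1])

def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag (ip, user) pairs with >= threshold failed network logons inside `window`,
    and record whether a successful logon followed while the burst was still in the window."""
    recent = defaultdict(list)   # (ip, user) -> timestamps of recent 4625 events
    alerts = {}                  # (ip, user) -> {"failures": n, "success_after": bool}
    for eid, ts, user, ip, ltype in events:
        if ltype != 3:           # only network logons; interactive/RDP logons are ignored here
            continue
        key = (ip, user)
        recent[key] = [t for t in recent[key] if ts - t <= window]   # drop failures outside the window
        if eid == 4625:
            recent[key].append(ts)
            if len(recent[key]) >= threshold:
                alert = alerts.setdefault(key, {"failures": 0, "success_after": False})
                alert["failures"] = max(alert["failures"], len(recent[key]))
        elif eid == 4624 and key in alerts and recent[key]:
            alerts[key]["success_after"] = True   # the guessing burst ended in a valid logon
    return alerts
```

Running find_bruteforce(parse_events(SAMPLE_EVENTS)) flags only the johanna burst from 10.10.14.5 (6 failures, then a success); david's single failure and later RDP logon stay below the threshold.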
In Johanna’s documents, I found a KeePass file named Logins. KeePass is a well-known tool used to securely store passwords offline. To access the credentials stored within, I needed the master password. At this point, the only viable option was to crack it.
[Screenshot: johanna's documents]
To crack the password, I first transferred the KeePass file to the attack machine using SMB.
[Screenshot: file transfer via smb]
[Screenshot: runas /user:david]
Testing David’s credentials through SMB revealed a shared folder named david.
[Screenshot: smb share - david]
Accessing the shared folder, I found a file named Backup.vhd. I transferred it to the attack machine for further analysis.
[Screenshot: vhd bitlocker prompt]
Once again, I used John the Ripper to crack the password, employing its bitlocker2john utility to generate the hash file required for the cracking process.
[Screenshot: cracking vhd password]
Mounting the partition with the cracked password, I found two important files: SAM and SYSTEM. Together, these files can be used to extract LM hashes, which can then be leveraged in a Pass the Hash attack for further exploitation.
[Screenshot: SAM and SYSTEM files]
Using the impacket-secretsdump script, I extracted the LM hash for the Administrator account, along with the hashes of the other local accounts. Since the goal is the flag on the Administrator account, the next step was a Pass the Hash attack using the extracted Administrator hash.
[Screenshot: PtH with administrator hash]
Finally, accessing the Administrator Desktop, I managed to capture the flag.