11/2020

Description:

Target IP: 10.10.10.134. The challenge machine runs Windows Server 2008 R2 and has a vulnerable program (mRemoteNG) installed that stores the machine’s SSH credential in plaintext. The machine’s “Backups” folder contains usable login information. The credential is exposed to everyone through the SMB service. Privilege escalation (PE) is achieved by acquiring authentication information and using it to take over administrator control of the machine through an SSH connection.

Difficulty:

easy

Flags:

User: 9bfe57d5c3309db3a151772f9d86c6cd

Root: 958850691811676ed6620a9c430e65c8

Enumeration

Nmap port scan result.


! Discovered services: SSH (22), Windows RPC (135), Service network (139), SMB (445)

Examining SMB shares using guest access.


! Guest has read/write privileges on the Backup$ share


Examining content of Backup$ share.

The content of note.txt:

Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

! WindowsImageBackup is possibly the backup of the target machine, and copying it to the attack machine is not recommended.

Mounting the remote share to local machine to browse its content.


Examining the backup files and folders.


<aside> 💡

Virtual hard disks (VHDs) are disk image file formats that have similar functionalities to a physical hard drive and are designed primarily for use with Hyper-V virtual machines.

https://learn.microsoft.com/en-us/windows-server/storage/disk-management/manage-virtual-hard-disks

</aside>
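
Every VHD ends with a 512-byte footer, so an image sitting on a slow share can be identified by reading only those bytes instead of copying the whole file, which is what note.txt asks for. The parser below is an added example, not part of the original write-up; the function names are illustrative, the sample footer is constructed, and the field layout follows Microsoft's published VHD image format specification.

```python
import os
import struct
from datetime import datetime, timedelta, timezone

# Big-endian VHD footer layout: 85 bytes of fields followed by 427 reserved bytes.
FOOTER = struct.Struct(">8sIIQI4sI4sQQHBBII16sB427x")
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # timestamps count seconds from here


def footer_checksum(raw: bytes) -> int:
    """One's complement of the byte sum, with the checksum field (bytes 64-67) skipped."""
    return ~sum(raw[:64] + raw[68:]) & 0xFFFFFFFF


def parse_footer(raw: bytes) -> dict:
    """Decode a 512-byte footer and report whether its stored checksum matches."""
    if len(raw) != FOOTER.size or raw[:8] != b"conectix":
        raise ValueError("not a VHD footer")
    (_, _, _, _, stamp, app, _, host_os, _, current_size,
     cyl, heads, spt, disk_type, stored_sum, _, _) = FOOTER.unpack(raw)
    return {
        "disk_type": DISK_TYPES.get(disk_type, f"unknown ({disk_type})"),
        "virtual_size": current_size,
        "created": VHD_EPOCH + timedelta(seconds=stamp),
        "creator": app.decode("ascii", "replace").strip(),
        "host_os": host_os.decode("ascii", "replace").strip(),
        "geometry": (cyl, heads, spt),
        "checksum_ok": stored_sum == footer_checksum(raw),
    }


def read_footer(path: str) -> dict:
    """Read only the last 512 bytes of the image, never the disk contents."""
    with open(path, "rb") as fh:
        fh.seek(-FOOTER.size, os.SEEK_END)
        return parse_footer(fh.read(FOOTER.size))


def build_sample_footer() -> bytes:
    """Constructed sample: footer of a 40 GiB dynamic disk (not taken from the target)."""
    fields = (b"conectix", 2, 0x00010000, 512, 600_000_000, b"win ", 0x00060001,
              b"Wi2k", 40 << 30, 40 << 30, 65535, 16, 255, 3, 0, bytes(16), 0)
    raw = bytearray(FOOTER.pack(*fields))
    raw[64:68] = struct.pack(">I", footer_checksum(bytes(raw)))
    return bytes(raw)


if __name__ == "__main__":
    print(parse_footer(build_sample_footer()))
```

A `checksum_ok` of `False` means the footer was truncated or altered, and the image should not be trusted as a faithful backup without further checks.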