Tech Customer Support @HTB | PNPT | Google Cybersecurity Certification | Penetration Tester | Red Team Operator | Bug Hunter | Attorney at Law
This box was a little bit difficult. I had to mount a system from a backup file found on the host, which I had connected to via SMB. Once the system was mounted, I was able to get the SAM hash for the user. From there, I identified and cracked the hash and was able to log into the user's machine via SSH. On this machine, I found that it was running an application called mRemoteNG, which has its configuration files located in the "C:\Users\L4mpje\AppData\Roaming\mRemoteNG" directory. In that directory, there was a file called "confcons.xml", which contained the hashes for the User as well as the Administrator. I then used an mRemoteNG hash cracker and was able to get the Administrator password and, therefore, his flag.
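A defensive check for the exposure described above, as an added example that is not part of the original write-up: it reports which connections in a confcons.xml carry a stored password and flags weak file-level settings, without decrypting anything. The attribute names are assumed from the mRemoteNG connection-file layout; the sample file, its hosts and the iteration threshold are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample laid out like an mRemoteNG confcons.xml. The Password and
# Protected values are placeholders, not real ciphertext; hosts are made up.
SAMPLE = """<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" Protected="PLACEHOLDER" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator"
        Password="PLACEHOLDER-BASE64" Hostname="192.0.2.10" Protocol="RDP" />
  <Node Name="Workstations" Type="Container">
    <Node Name="L4mpje-PC" Type="Connection" Username="L4mpje"
          Password="PLACEHOLDER-BASE64" Hostname="192.0.2.75" Protocol="RDP" />
    <Node Name="NoCreds" Type="Connection" Username="" Password=""
          Hostname="192.0.2.5" Protocol="SSH2" />
  </Node>
</mrng:Connections>"""

MIN_KDF_ITERATIONS = 10000  # assumed local policy value, not an mRemoteNG default


def audit_confcons(xml_text):
    """Return (scope, issue) findings for one connection file's contents."""
    root = ET.fromstring(xml_text)
    findings = []

    # Without full-file encryption, node names, hosts and usernames are plain text.
    if root.get("FullFileEncryption", "false").lower() != "true":
        findings.append(("file", "FullFileEncryption is disabled"))

    # A low iteration count makes guessing the master password cheaper.
    kdf = int(root.get("KdfIterations", "0"))
    if kdf < MIN_KDF_ITERATIONS:
        findings.append(("file", "KdfIterations=%d is below %d" % (kdf, MIN_KDF_ITERATIONS)))

    # Every connection node with a non-empty Password holds a recoverable secret.
    for node in root.iter("Node"):
        if node.get("Type") == "Connection" and node.get("Password"):
            who = "%s@%s" % (node.get("Username", ""), node.get("Hostname", ""))
            findings.append((node.get("Name"), "stored password for " + who))
    return findings


if __name__ == "__main__":
    for scope, issue in audit_confcons(SAMPLE):
        print("%-12s %s" % (scope, issue))
```

Run it against the profile copies collected from each workstation; any connection it lists should move to a prompt-for-credentials setup or a vault-backed secret.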