Skip to main content

23. You have obtained the administrator password for a vCenter machine and have successfully logged in. However, some internal machines are in a locked state and require a password. How can you exploit this situation?

  1. Download vmem files: For Windows machines that are locked, you can attempt to download the .vmem files (memory files). Memory forensics tools such as Volatility can be used to extract password hashes stored in the system memory.
  2. Utilise SSH and Bash mode: If you can enable SSH and Bash mode via vCenter, you can use the default sso-user account’s unrestricted sudo privileges to execute commands. This may allow you to directly obtain the accounts and passwords on the ESXi hosts.
  3. Capture hash values: In certain circumstances, you can bypass password verification by capturing the hash values from the locked machine. This typically requires specific techniques and tools.