Bastion — HackTheBox Machine Write-up
Whatever you are, be a good one.
— Abraham Lincoln

Reconnaissance
As per my usual methods, I started my attack by performing an nmap scan:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc?
139/tcp open netbios-ssn?
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open wsman?
47001/tcp open winrm?
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown

Host script results:
|_clock-skew: mean: -53m54s, deviation: 1h09m15s, median: -13m56s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2019-08-20T11:16:22+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-08-20 17:16:25
|_ start_date: 2019-08-20 08:08:10
Enumeration + Initial Foothold
It seems that an SMB share is exposed; let’s take a look at it:

Browsing to the Backups share will give us this:

Getting note.txt and displaying its contents will give us this:

The note refers to “backup file/s”. With this in mind, let’s dig deep into the WindowsImageBackup folder:

Based on the output above, we can see that there are .vhd files located in the WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 123451 directory.
Let’s mount the SMB share using the mount command:
sudo mount -t cifs -o username=guest //10.10.10.134/Backups smb_mount
smb_mount is just an arbitrarily-named folder that will be used to contain the mounted file share.
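From the defender’s side, the interesting thing in the step above is that the Backups share was read with the guest account. The script below is an added example, not part of the original write-up: it runs a simple detection over constructed Windows Security event records (event ID 5140, “a network share object was accessed”) and flags any share access by the Guest or ANONYMOUS LOGON accounts, ignoring the IPC$ share that every SMB session touches. The flattened key=value line format is invented for this example and is not the real EVTX layout; the hostnames, addresses and timestamps are made up.

```python
import re
from typing import Dict, List

# Constructed sample records (not real logs): one flattened line per Windows
# Security event, in a key=value layout invented for this example.
SAMPLE_EVENTS = [
    'EventID=5140 TimeCreated=2019-08-20T11:16:30 SubjectUserName=Guest '
    'SubjectDomainName=BASTION IpAddress=10.10.14.5 ShareName=\\\\*\\Backups AccessMask=0x1',
    'EventID=5140 TimeCreated=2019-08-20T11:16:31 SubjectUserName=Guest '
    'SubjectDomainName=BASTION IpAddress=10.10.14.5 ShareName=\\\\*\\IPC$ AccessMask=0x1',
    'EventID=4624 TimeCreated=2019-08-20T11:20:00 SubjectUserName=L4mpje '
    'SubjectDomainName=BASTION LogonType=3 IpAddress=10.10.14.5',
    'EventID=5140 TimeCreated=2019-08-20T11:20:02 SubjectUserName=L4mpje '
    'SubjectDomainName=BASTION IpAddress=10.10.14.5 ShareName=\\\\*\\Backups AccessMask=0x1',
    'EventID=5140 TimeCreated=2019-08-20T11:25:10 SubjectUserName=ANONYMOUS LOGON '
    'SubjectDomainName=NT AUTHORITY IpAddress=10.10.14.9 ShareName=\\\\*\\Backups AccessMask=0x1',
]

# Accounts that represent unauthenticated (or effectively unauthenticated) access.
UNAUTHENTICATED_ACCOUNTS = {'guest', 'anonymous logon'}

# Lazy value match with a lookahead for the next "Key=" token, so that values
# containing spaces (e.g. "ANONYMOUS LOGON", "NT AUTHORITY") are kept whole.
FIELD_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened event line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def find_unauthenticated_share_access(lines: List[str]) -> List[Dict[str, str]]:
    """Return share-access events (5140) performed by guest/anonymous accounts.

    IPC$ is skipped: it is opened by every SMB session and would only add noise.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get('EventID') != '5140':
            continue
        account = ev.get('SubjectUserName', '')
        if account.lower() not in UNAUTHENTICATED_ACCOUNTS:
            continue
        share = ev.get('ShareName', '')
        if share.upper().endswith('IPC$'):
            continue
        hits.append({
            'time': ev.get('TimeCreated', ''),
            'account': account,
            'domain': ev.get('SubjectDomainName', ''),
            'source': ev.get('IpAddress', ''),
            'share': share,
        })
    return hits


def summarize_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged accesses per source address, handy for a quick triage view."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit['source']] = counts.get(hit['source'], 0) + 1
    return counts


if __name__ == '__main__':
    for hit in find_unauthenticated_share_access(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['domain']}\\{hit['account']} from {hit['source']} "
              f"read share {hit['share']}")
    print(summarize_by_source(find_unauthenticated_share_access(SAMPLE_EVENTS)))
```

On the sample above this flags the Guest read of Backups and the ANONYMOUS LOGON read of Backups, and leaves the authenticated L4mpje access alone. The same rule is easy to express in a SIEM query; the point is that guest-readable shares holding backup images are exactly the kind of thing this machine demonstrates.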
Now, let’s mount the .vhd file using the guestmount command:
guestmount --add smb_mount/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro machine_mount -v
Similarly, machine_mount is just an arbitrarily-named folder that will be used to contain the mounted .vhd file.
Be aware that the guestmount command takes a while to finish, so go and grab some food/do your homework/do your job first, then come back later. 😂
Once the command completes its execution, we can finally browse the mounted .vhd file’s filesystem:

Since we now have unrestricted* access to the filesystem, we can use our knowledge of the Windows filesystem to gain some credentials.
To do that, we’ll need to dump the SAM hive using samdump2. We also need to get the SYSTEM hive to retrieve the syskey, which is needed to decrypt the hashes from the acquired SAM hive.

Cracking the user L4mpje‘s NTLM hash results in this password:

Now that we have the password for the user L4mpje, let’s try to log in to the system via ssh using the acquired credentials:


USER.TXT

Enumerating further and listing the available programs inside the machine will give us the output below:

The program mRemoteNG caught my eye. mRemoteNG is a remote connections manager, making it a top candidate for stored credentials, which may eventually lead us to escalate our privileges.
Checking out the C:\Users\L4mpje\AppData\Roaming folder will give us this output:

And listing the mRemoteNG directory will give us this:

Let’s try grabbing the confCons.xml, which contains the connection configurations for mRemoteNG.

Please pay attention to the highlighted string:

We now have the password hash for the Administrator user.
We can decrypt the mRemoteNG password hash using a tool called mremoteng_decrypt.py:

So we now have the credential pair of the Administrator account: Administrator:thXLHM96BeKL0ER2
ROOT.TXT
Let’s log in via ssh and get the root flag:


That’s it for this write-up!
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Hi I’m Mon, and I’m one of the founders of hackstreetboys, a CTF team from the Philippines!
While you’re at it, please like our Facebook page (facebook.com/hackstreetboys)
Follow our Twitter account (https://twitter.com/_hackstreetboys)
Read our writeups on Medium (https://medium.com/hackstreetboys)
Look at our new GitHub page (https://github.com/hackstreetboysph)
Check our website (https://hackstreetboys.ph)