Bastion
#Windows #Enumeration #VHD #SAM #mRemoteNG
Last updated
Bastion is an easy-rated Windows machine from HackTheBox created by L4mpje. The machine isn't complex, but it carries a lot of noise and useless extra information, mainly because it contains a VHD (Virtual Hard Disk) backup. In this post my IP is 10.10.14.76 and the target's IP is 10.129.136.29.
This step is always the same: ping the machine to check that it is alive, then scan all the ports with Nmap so nothing is missed.
The machine exposes a lot of interesting services but nothing that looks like a website; maybe one is hosted on another port. Still, there is relevant information: ports 135 (MSRPC), 445 (SMB) and 5985 (WinRM). Maybe we can get into the machine through SMB.
There is indeed an HTTP service, on port 5985 rather than the default port 80, and no domain behind it. That port is the WinRM listener, which answers HTTP without serving a website.
So there is nothing web-related. SMB looks like the most promising surface, so let's try to get information from that side.
Always try a null session first.
There is a share that guest can both read and write. This is a good opportunity to explore the machine in more detail.
And we are in: the terminal labelled "Term" is now inside the "Backups" share.
We connect first to the target's backup share, logging in with { user: null // pass: blank }.
There are two VHD (Virtual Hard Disk) files. These are interesting and important to review because they are backups of the target machine, which means they may contain files related to passwords. I am using Windows, so the tools differ; the Linux route is described at the end of the post.
First search for Disk Management, then inside Disk Management choose Action > Attach VHD.
Disk Management, path to submit: Z:\WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
If we search inside the attached disk there is no flag, but we can still make use of the backup through its SAM and SYSTEM registry hives. Go to Z:\ > Windows > System32 > config. Both hives are needed: SAM holds the local account hashes, and they are encrypted with the boot key that is derived from SYSTEM.
After copying the SYSTEM and SAM files to your local machine, you can return to your own system.
Create a file called data (vi data) and save in it the hashes captured from the previous command.
We are in: the local command prompt labelled "Term" is now the target user "L4mpje".
First, always check what privileges you have.
You can also use dir PROGRA~1 to go to the first (~1) folder whose name starts with PROGRA; PROGRA~1 is the 8.3 short name of Program Files.
There is a folder with a weird name... suspicious. Search for "mRemoteNG exploit" and there is something interesting here: https://ethicalhackingguru.com/how-to-exploit-remote-connection-managers/. The page describes a Python script that decrypts the passwords stored in the mRemoteNG connections file confCons.xml, located at C:\Users\<UserName>\AppData\Roaming\mRemoteNG\. You only have to copy the encrypted password value (the "hash") from that file and feed it to the tool.
Save the hash and close the L4mpje terminal. Hash:
aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
Download the tool from https://github.com/kmahyyg/mremoteng-decrypt and run it in a new terminal, this time called "LocalTerm".
Now LocalTerm is logged in as the target's Administrator.
Important background before starting: rmmod is the Linux command that unloads a kernel module; modprobe loads one (here the nbd network block device module); and qemu-nbd (apt install qemu-utils) exports a QEMU disk image, including a VHD, as a block device over the NBD protocol so that it can be mounted like any other disk.
From here you can do the same as on Windows: copy SAM and SYSTEM out of the mounted disk and continue with the hashes.