Bastion is an easy-rated difficulty Windows machine from HackTheBox created by L4mpje. This machine isn’t complex, but it has much noise with extra useless information, mainly because it contains a VHD (Virtual Hard Disk). In the current post, my IP is 10.10.14.76, and the target’s IP is 10.129.136.29.
Gather Information
This step is always the same, you have to ping the machine to see if is alive, and then use Nmap to scan all the ports to avoid surprises.
Ping’s output, by the TTL around 128, we know that is a Windows Machine
Looks like this machine have a lot of interesting stuff, nothing about a website, maybe is hosted in another port. Still we have relevant information, like port 135, 445 and 5985. Maybe we can do something like enter to the machine by SMB
Nmap sCV scan, part 1
Yep, we found an http service using the port 5985, not the default port 80. But there is no domain.
Nmap sCV scan, part 2
Nothing relevant
404 Again
Ok, there is nothing related to websites. Looks like one with a vulnerable SMB, so let’s try to get information from that side.
A good sign for us.
Available Disk from the machine
Always try first with a null session
Disk Permissions
There is a disk where we can read and write as guest. This is a good opportunity to explore the machine with more details.
And we are in, now your terminal called “Term” is “Backups”.
If you can access anytime through SMB, there is no hurry to download the target.
We will connect first to the backup target's disk. Login using { user: null // pass: blank }
Entire content of Backup
Weaponization
There are two vhd (Virtual Hard Drive) files, these are interesting and important to review because these are backups of the target machine, this means that are possible files related to passwords. I am using Windows so I need to use different tools. For Linux, click here.
First search for Disk Management, then inside the Disk Manager: Action > Attach VHD
If we search inside the disk, there is no flag, but we can still make use of the backup with the SAM and SYSTEM files. Go to Z:\ > Windows > System32 > config
Content of the location
Disk Mounted!
After copying the SYSTEM and SAM files to your local machine, now you can return to your system.
output of impacket-secretsump
Exploitation
Create a file called data by using vi data and save the captured hashed from the previous command.
“data” file’s content
The hash is correct
Relevant Information: {L4mpje@bureaulampje}
Ok, definitely works. We can login with L4mpje and pass bureaulampje
IP config inside 10.129.136.29
We are in, now your local command prompt called “Term” is now target user “L4mpje”
Previous steps, we have the first flag.
Privileges Scalation
We are not Administrator
First, you have to always check what privileges do you have.
Both are not usual targets. Let’s check information about groups.
Commands output, nothing important
:(
:(
At this point, the best option is to navigate toward every folder.
Or you can use dir PROGRA~1 to go to the first (~1) folder with PROGRA at the start of the name.
Content of "Program Files"
Program Files (x86)
There is a folder with a weird name... suspicious. Search for “mRemoteNG exploit” and there is something interesting here ” https://ethicalhackingguru.com/how-to-exploit-remote-connection-managers/“. This page talks about a python script capable to decrypt the password from the log of mRemoteNG called confCons.xml located at C:\Users\<UserName>\AppData\Roaming\mRemoteNG\. You only have to copy the hash and use the tool
Save the hash and close the L4mpje Terminal. Hash:
Important information to know before: Rmmod linux command, Modprobe command linux: used to load modules and Quemu-nbd (apt install qemu-utils): tool used to export a QEMU disk image using NBD Protocol.
mkdir /mnt/vhd
modprobe nbd #Used to load a module to the system
qemu-nbd -r -c /dev/nb0 “/mnt/smb/WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd”
mount /dev/nbd0 /mnt/vhd
cd /mnt/vhd
ll
