Feb 9
Hack The Box — Bastion
Bastion is a Medium difficulty rated Windows machine on Hack The Box and is also OSCP like.I would honestly rate this box between Medium to Hard and call it very tricky.In this machine we find smbshare and get a vhd file using guestmount.Then we find the SAM and SYSTEM folder and use pwdump/samdump to dump the hashes.Finally we privilege escalate via a remote connection software called mRemoteNG which was preinstalled in the target as it stores admin username and password in a pirticular place.
ENUMERATION
We find that port 22,135,445 are open.
I firstly try using “smbmap -H 10.10.10.134” to list shares however anonymous listing of shares in not allowed.When i try using smbclient, it works ! As you can see, we can access the share called Backups
And we can upload files here as well as you can see below.My plan was to upload an ASPX shell and execute it however that did’nt work.
Within the Backups folder, i had downloaded a file called note.txt with the following contents:
Upon deeper search through the Backups directory, i found various files and 2 interesting files.
These are these vhd files.A VHD file contains a virtual hard disk image used by Microsoft Windows Virtual PC, a Windows virtualization program. It stores the contents of a hard disk.Due to the huge size, we cannot download it directly.Instead we will have to mount it in our kali.
NOTE: For this part of mounting vhd files, i was unable to install guestmount as kali was missing packages and i had to update and upgrade my kali which takes a lot of time.Therefore i have provided screenshots from another writeup(https://www.hebunilhanli.com/wonderland/htb-bastion/)
DO READ THIS GUIDE FOR MOUNTING VHD FILES-https://medium.com/@klockw3rk/mounting-vhd-file-on-kali-linux-through-remote-share-f2f9542c1f25
As a result of examinations, we found that backups of a computer had been taken inside the Backups folder. We need to get the files out of the SMB and mount them. Because access to these devices cannot be accessed by typing the ip address of the storage system into the folder head, such as in Windows. We need to mount this device on our computer like a disk. Also, if we take into account the warning given by the sysadmin,(in note.txt) it may take a long time to get these files. You can follow mount operations below;
sudo apt-get install cifs-utils (to Install cift-utils packet)
sudo mkdir mnt/bastion_local_share/ (A new folder is created for the device to be mounted on.)
mount -t cifs //10.10.10.134/Backups mnt/bastion_local_share/ (To mount via the SMB)
As you can see in the image above,there are two vhd images in the SMB. The “guestmount” tool will be used to connect virtual machine file systems to our computer.
sudo apt-get install libguestfs-tools (Libguestfs package needs to be installed for access to guest file system)
sudo guestmount –add 9b9cfbc4–369e-11e9-a17c-806e6f6e6963.vhd –ro bastion_vhd_share/ -m /dev/sda1
After the extraction process is finished, we examine the files within the virtual machine as root users.
Initial Foothold
What to do next will be shaped by your knowledge of the system. In the Windows operating system, authentication of user accounts takes place with the SAM (Security Account Manager) file. The SAM file is encrypted with a key called SYSKEY in the SYSTEM file. The encrypted SAM file contains LM and NTLM password summaries of local user accounts.The global location of the SAM and SYSTEM file is Windows/System32/config/
After copying SAM and SYSTEM files to our own machine, we can use samdump2 tool or pwdump to detect NTML hash.
To crack the NT hash, we can use crackstation or even john or hashcat
Since we have found the password, we can SSH into L4mpje
I was unable to transfer WINPEAS to the target and it showed “access dened”
The priv esc part is tricky as well.There is a unusual program installed called mRemoteNG, which is basically a remote connection session manager.This application saves your IP address, username and password information, making it easy to connect to your servers.
We also find that the logged in user credentials are stored in confCons.xml file and also where it is located (look at the image below)
ALL we have to do is head towards the directory and see the contents of confCons.xml file and immediately we find the credentials of Administrator
However it is not just base64 encoded. In order to decrypt it, we need to google and we will immediately find a github tool written in python for decrypting the credentials stored by mRemoteNG.
LINK-https://github.com/haseebT/mRemoteNG-Decrypt
We run it which putting the password string in (-s) and we immediately get the password in clear text !!!
Since it is the password for the Administrator, we can simply use it to SSH into admin.
We are Now Admin User !!!! The root flag can be found in /Desktop
CONCLUSION
I hope you learned a lot from this writeup.I honestly found this machine pretty challenging as it requires very deep enumeration in order to be solved by your own.We learned about mounting vhd files in our kali.We also learned about mRemoteNG and how to abuse it to find encrypted credentials.
Make sure you follow me here on Medium for more such writeups,Until next time- ZEUS
