Bastion is an easy Windows box. By exploiting weak user authentication for SMB, we were able to enumerate the SMB shares. There we discovered an interesting share that contained VHD backup files. Mounting those VHD files gave us access to the SYSTEM and SAM files, which were then used to dump the user password. Once we had access to the system, we enumerated it and found an mRemoteNG directory. This directory contained a config file in which the administrator’s encoded password was stored. Decoding it using the mRemoteNG encoding/decoding mechanism allowed us to get hold of the administrator password.
As always, we start by scanning the target machine’s open ports:
```
rustscan --ulimit 5000 bastion.htb -- -sV -sC -oN nmap_scan

PORT      STATE SERVICE      REASON  VERSION
22/tcp    open  ssh          syn-ack OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3bG3TRRwV6dlU1lPbviOW+3fBC7wab+KSQ0Gyhvf9Z1OxFh9v5e6GP4rt5Ss76ic1oAJPIDvQwGlKdeUEnjtEtQXB/78Ptw6IPPPPwF5dI1W4GvoGR4MV5Q6CPpJ6HLIJdvAcn3isTCZgoJT69xRK0ymPnqUqaB+/ptC4xvHmW9ptHdYjDOFLlwxg17e7Sy0CA67PW/nXu7+OKaIOx0lLn8QPEcyrYVCWAqVcUsgNNAjR4h1G7tYLVg3SGrbSmIcxlhSMexIFIVfR37LFlNIYc6Pa58lj2MSQLusIzRoQxaXO4YSp/dM1tk7CN2cKx1PTd9VVSDH+/Nq0HCXPiYh3
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF1Mau7cS9INLBOXVd4TXFX/02+0gYbMoFzIayeYeEOAcFQrAXa1nxhHjhfpHXWEj2u0Z/hfPBzOLBGi/ngFRUg=
|   256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB34X2ZgGpYNXYb+KLFENmf0P0iQ22Q0sjws2ATjFsiN
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        syn-ack Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack Microsoft Windows RPC
49667/tcp open  msrpc        syn-ack Microsoft Windows RPC
49668/tcp open  msrpc        syn-ack Microsoft Windows RPC
49669/tcp open  msrpc        syn-ack Microsoft Windows RPC
49670/tcp open  msrpc        syn-ack Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
```
The nmap output shows that there are many open ports. Probably most interesting for us are the open
Enumeration of SMB shares (ports 139, 445)
First, when we try to enumerate the SMB shares using smbmap, we get an authentication error. However, one of the most frequent SMB misconfigurations concerns exactly this authentication step: if we simply provide any arbitrary username, we are suddenly able to access the shares. The server only throws the authentication error if no username is specified at all.
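From the defender's side, the behaviour described above (a made-up username is accepted because the server maps unknown accounts to Guest) leaves a clear trace in the Windows Security log: a successful network logon (Event ID 4624, LogonType 3) for the Guest or ANONYMOUS LOGON account, usually followed by a share-access event (Event ID 5140) under the same logon session. The following detection script is an added example for this write-up, not part of the original post; the events it runs over are constructed JSON-lines samples using the field names Windows uses in those events, not real exports, and the source addresses and the `backupsvc` account are made up.

```python
"""Detect SMB share access that succeeded through Windows' Guest fallback.

Added example (not from the original write-up). With the Guest account
enabled, a client that authenticates with a username the server does not
know is typically mapped to Guest; that is why smbmap works with any name.
On the server this shows up as a network logon (4624, LogonType 3) for
Guest or ANONYMOUS LOGON, often followed by a share access (5140) that
carries the same logon session id. All events below are constructed.
"""
import json
from collections import defaultdict

SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    # made-up name offered by the client, mapped to Guest by the server
    {"EventID": 4624, "TargetUserName": "Guest", "TargetDomainName": "BASTION",
     "LogonType": 3, "IpAddress": "10.10.14.7", "TargetLogonId": "0x3e7a1"},
    {"EventID": 5140, "SubjectUserName": "Guest", "SubjectLogonId": "0x3e7a1",
     "ShareName": "\\\\*\\Backups", "IpAddress": "10.10.14.7"},
    # ordinary authenticated account reading the same share: not a finding
    {"EventID": 4624, "TargetUserName": "backupsvc", "TargetDomainName": "BASTION",
     "LogonType": 3, "IpAddress": "10.10.10.50", "TargetLogonId": "0x4b210"},
    {"EventID": 5140, "SubjectUserName": "backupsvc", "SubjectLogonId": "0x4b210",
     "ShareName": "\\\\*\\Backups", "IpAddress": "10.10.10.50"},
    # null session that got a logon but never touched a share
    {"EventID": 4624, "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY",
     "LogonType": 3, "IpAddress": "10.10.14.7", "TargetLogonId": "0x3e9c2"},
    # interactive Guest logon at the console is a different problem; skipped here
    {"EventID": 4624, "TargetUserName": "Guest", "TargetDomainName": "BASTION",
     "LogonType": 2, "IpAddress": "-", "TargetLogonId": "0x3f000"},
])

# Accounts that mean "the client did not really authenticate as anyone".
GUEST_LIKE = {"guest", "anonymous logon"}


def parse_events(text):
    """Parse JSON-lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_guest_share_access(events):
    """One finding per network logon that landed on Guest/ANONYMOUS LOGON,
    joined with every share accessed under the same logon session id."""
    shares_by_session = defaultdict(set)
    for e in events:
        if e.get("EventID") == 5140:
            shares_by_session[e.get("SubjectLogonId")].add(e.get("ShareName"))

    findings = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != 3:
            continue
        if str(e.get("TargetUserName", "")).lower() not in GUEST_LIKE:
            continue
        findings.append({
            "account": e["TargetUserName"],
            "source": e.get("IpAddress"),
            # sorted list so output is stable even with several shares
            "shares": sorted(shares_by_session.get(e.get("TargetLogonId"), ())),
        })
    return findings


if __name__ == "__main__":
    for f in find_guest_share_access(parse_events(SAMPLE_EVENTS)):
        print(f"{f['account']!r} from {f['source']} touched shares: {f['shares'] or 'none'}")
```

The join on the logon session id is what turns a noisy "Guest logged on" signal into an actionable one: a Guest logon that subsequently read the Backups share is worth a ticket, while the ordinary account reading the same share is not. The fix on the server is to keep the Guest account disabled and to require authentication on the share rather than relying on the client never guessing a username.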
Looking at the shares, we see one called Backups that is readable for us. Let’s investigate it further.
smbmap output using an arbitrary username: discovery of a share called “Backups”.
After mounting the share (alternatively, you can also use smbclient to access it), we can list the files and directories it contains.
Mounting the remote share on our attacker machine
First, we look at the most obvious and eye-catching file, namely the
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
Hmmm, backups… Maybe we should look through the WindowsImageBackup directory. After browsing through these directories for a while, we find an interesting directory that contains two
“A VHD file contains a virtual hard disk image used by Microsoft Windows Virtual PC, a Windows virtualization program. It stores the contents of a hard disk of a virtual machine (VM), which may include disk partitions, a file system, files, and folders.” (https://fileinfo.com/extension/vhd)
```
sudo apt-get install libguestfs-tools
```
Initial Foothold - Enumerating the VHD files
mRemoteNG (mremote) is an open source project (https://github.com/rmcardle/mRemoteNG) that provides a full-featured, multi-tab remote connections manager. It currently supports RDP, SSH, Telnet, VNC, ICA, HTTP/S, rlogin, and raw socket connections. It also provides the means to save connection settings such as hostnames, IP addresses, protocol, port, and user credentials in a password-protected and encrypted connections file. The password can be found under %appdata%/mRemoteNG in a file named confCons.xml. This password can sometimes be the administrator password (https://vk9-sec.com/exploiting-mremoteng/).
What seems to be a base64-encoded password turns out not to be one: base64-decoding the stored value returns pure garbage.

```
echo "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" | base64 -d
VaQt.ޙY`5Z(#ޠ-
```
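The garbage is expected: the base64 only wraps a binary blob that mRemoteNG (1.75 and later) produces with AES-GCM, laid out as a 16-byte salt, a 16-byte nonce, the ciphertext and a 16-byte tag, with the key derived from the master password by PBKDF2. The audit script below is an added example for this write-up, not the project's own code and not a decryption tool: it parses a confCons.xml, reports the crypto parameters the file declares in its root element, and splits each stored Password value into those four parts so you can see what is actually in the file. The XML is constructed; only the Password value is the one shown above, and the connection names, hosts and the `backupsvc` account are placeholders.

```python
"""Audit a mRemoteNG confCons.xml for stored credentials (added example).

Not from the original post or from the mRemoteNG project. Nothing here is
decrypted. The point for a defender: because mRemoteNG falls back to a
built-in default master password when the user never sets one, every
Password value in this file is only as confidential as the file itself,
and a readable confCons.xml should be treated as a credential leak. The
XML below is constructed; the Password value is the one from the write-up.
"""
import base64
import xml.etree.ElementTree as ET

SAMPLE_CONFCONS = """<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections"
    Export="false" EncryptionEngine="AES" BlockCipherMode="GCM"
    KdfIterations="1000" FullFileEncryption="false"
    Protected="PLACEHOLDER-NOT-A-REAL-VALUE" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain=""
        Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
        Hostname="127.0.0.1" Protocol="RDP" />
  <Node Name="jump host" Type="Connection" Username="backupsvc" Domain=""
        Password="" Hostname="10.0.0.5" Protocol="SSH2" />
</mrng:Connections>
"""

# Layout of one stored value after base64 decoding (mRemoteNG 1.75+):
# salt | nonce | ciphertext | tag, with 16 bytes each for salt, nonce and tag.
SALT_LEN = NONCE_LEN = TAG_LEN = 16


def split_blob(b64_value):
    """Split a stored Password value into its salt, nonce, ciphertext and tag."""
    raw = base64.b64decode(b64_value, validate=True)
    if len(raw) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError(f"blob too short for the AES-GCM layout: {len(raw)} bytes")
    return {
        "salt": raw[:SALT_LEN],
        "nonce": raw[SALT_LEN:SALT_LEN + NONCE_LEN],
        "ciphertext": raw[SALT_LEN + NONCE_LEN:-TAG_LEN],
        "tag": raw[-TAG_LEN:],
    }


def audit_confcons(xml_text):
    """Return the declared crypto parameters and one entry per stored password."""
    root = ET.fromstring(xml_text)
    params = {key: root.get(key) for key in
              ("EncryptionEngine", "BlockCipherMode", "KdfIterations", "FullFileEncryption")}
    entries = []
    for node in root.iter("Node"):
        value = node.get("Password") or ""
        if not value:          # connection without a saved password: nothing stored
            continue
        parts = split_blob(value)
        entries.append({
            "name": node.get("Name"),
            "username": node.get("Username"),
            "hostname": node.get("Hostname"),
            "protocol": node.get("Protocol"),
            # GCM adds no padding, so ciphertext length equals plaintext length
            "password_len": len(parts["ciphertext"]),
        })
    return {"params": params, "entries": entries}


if __name__ == "__main__":
    report = audit_confcons(SAMPLE_CONFCONS)
    print("file parameters:", report["params"])
    for entry in report["entries"]:
        print(f"{entry['name']}: {entry['username']}@{entry['hostname']} "
              f"({entry['protocol']}) stores a {entry['password_len']}-byte password")
```

On the value from this box the split yields 16 bytes of salt, 16 of nonce, 16 of ciphertext and 16 of tag, so the blob holds a 16-byte password; the script tells you that without any key material, which is all an inventory of exposed credential files needs. If the file also declares `FullFileEncryption="false"`, the usernames, hostnames and protocols are in clear text as well, so the file leaks the target list even before anyone touches the passwords.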