- Layout for this exercise:
1 - INTRODUCTION
- The goal for this exercise is to develop a hacking process for the vulnerable machine Bastion from Hack The Box pentesting platform:
2 - ENUMERATION
- Bastion's IP is 10.10.10.134:
- Scanning with Nmap there are four open ports: 22, 135,139 and 445.
- Scanning deeper those four ports it seems that we have an SMB service running on port 445:
- This Nmap script enumerates the four shared folders:
- Connecting with smbclient:
- As expected, both ADMIN$ and C$ are not accessible:
- IPC$ seems accessible, but it does not yield any valuable information:
- However folder Backups gives us a lot of very important information about Bastion:
- Getting and reading note.txt it gives us a hint about backup related problems:
- Getting and reading SDT65CB.tmp it seems that the file is empty:
- Going into folder WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351:
- There are some .vhd and .xml files:
- VHD (Virtual Hard Disk) is a file format representing a virtual hard disk drive (HDD).
- It may contain what is found on a physical HDD, such as disk partitions and a file system, which in turn can contain files and folders.
- It is typically used as the hard disk of a virtual machine.
- Getting the 1st .vhd file and applying command strings over it we find a lot of strings, but nothing that could lead to find any interesting hint for our purpose:
3 - EXPLOITATION
3.1 - Mounting the backup .vhd disk
- About the 2nd .vhd disk it is too large (5.4 GB) to check with strings, so it would be a better solution to mount it locally.
- Installing cifs-utils:
- Creating folder /Backups:
- Mounting locally the shared folder /Backups:
- The mounting process is successful:
- Looking for the 2nd .vhd disk:
- The guestmount program can be used to mount virtual machine filesystems and other disk images on the host.
- It uses libguestfs for access to the guest filesystem, and FUSE (the "filesystem in userspace") to make it appear as a mountable device.
- Installing libguestfs-tools:
- Creating folder /vhd2:
- Using guestmount to mount the 2nd .vhd disk on local folder /mnt/vhd2:
- The mounting process is successful, so now we have access to the whole backup disk .vhd2:
3.2 - Getting the Security Account Manager (SAM)
- The Security Account Manager (SAM) is the database where Windows systems store users's passwords.
- The user passwords are stored in a hashed format in a registry hive either as a LM hash or as a NTLM hash.
- Bastion is a Windows Server 2016 so it uses NTLM hashes for sure.
- This file can be found in %SystemRoot%/System32/config/SAM and is mounted on HKLM/SAM:
- Using samdump2 to retrieve hashes from Bastion's users:
- Accounts Administrator and Guest are disabled, so let's write down hash for user L4mpje:
3.3 - Cracking the NTLM hash
- Hashkiller works online to decrypt the NTLM hash found in previous point:
3.4 - Getting a remote shell
- Now, using credentials L4mpje:bureaulampje we have an SSH connection and a remote shell:
4 - CAPTURING THE 1st FLAG
- Reading user.txt from user l4mpje's Desktop:
5 - PRIVILEGE ESCALATION
- As expected Administrator's Desktop is not accessible, so we need some type of Privilege Escalation:
- Browsing around with the command line we check the presence of the .vhd and .xml files found before:
- Going to L4mpje's home folder:
- However looking for hidden folders we discover a lot more available resources:
- Going inside AppData\Roaming there is a very interesting folder named mRemoteNG:
- Actually mRemoteNG is an open source remote control and connections manager:
- Reading confCons.xml we find encrypted credentials for Administrator:
- It happens that there are online available tools for dealing with mRemoteNG encrypted credentials, for instance the Python script named mremoteng_decrypt.py:
- Launching the script without parameters to explore available optional arguments:
- Applying the -s option, because the encrypted password seems to be encoded with base64 (see the final ==):
- So finally we have the Administrator's password: thXLHM96BeKL0ER2
- Connecting with SSH as Administrator we have a privileged remote shell:
6 - CAPTURING THE 2nd FLAG
- Reading root.txt: