Post

Bastion

Posted Updated
By Peter Soverns 2 min read

Overview

Bastion is a vulnerable machine from Hack the Box that requires some deeper smb enumeration, with exploring some unique files, and mounting the smb share locally to take a closer look. The foothold is accomplished after digging into those unique files, and cracking hashes to get ssh access. The privilege escalation is accomplished through digging into the file system and a unique application, and finding encrypted credentials to then crack with a python decryptor found on a github repo.

Nmap Scan

sudo nmap -sS -Pn 10.10.10.134 -vvv

  • 22/tcp open ssh syn-ack ttl 127
  • 135/tcp open msrpc syn-ack ttl 127
  • 139/tcp open netbios-ssn syn-ack ttl 127
  • 445/tcp open microsoft-ds syn-ack ttl 127

Seems that we have access to the smb shares, and we can start digging into the files there.

Basic Enumeration

Taking a look at the smb shares, we see the usual shares here, but one that is not a typical share, Backups.

1
2
3
4

ADMIN$          Disk      Remote Admin
Backups         Disk
C$              Disk      Default share
IPC$            IPC       Remote IPC

We can gain unauthenticated access to this share, and dig through it. We get a sublte hint from note.txt, something about logging in with a VPN.

  • The unique files we find digging further are some .vhd files, which are virtual hard disk files.
  • Digging through the smb file path, we also see a potential user, L4mpje.
  • Due to the file size, it will be easier to mount the file shares locally.

mount -t cifs //10.10.10.134/Backups mnt/

We need to get a tool called guestmount to be able to look through the vhd files. (apt install libguestfs-tools)

  • guestmount –add /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd –inspector –ro mnt2/
  • guestmount –add /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd –inspector –ro mnt2/

Foothold

The second one works (9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd), and we can look through the files here for the file system.

  • Now we move into the system32/config directory to then do a secretsdump.py
  • impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM @LOCAL
  • This dumps out hashes on the machine.
    1
2
3

    Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

    Since these are ntlm hashes, we can use hashcat to crack passwords. We manage to crack L4mpje user hash: bureaulampje

  • We log in over ssh service, and can read user.txt:

User

Local Enumeration

Looking through and enumerating with winpeas, we don’t get an immediate path to privilege escalation. From here, we pivoted to checking for installed applications. Looking through Program Files (x86), we see an application mRemoteNG.

  • Multi-Remote Next Generation Connection Manager
  • https://mremoteng.org

Privilege Escalation

Doing some research, it looks we can access potential credentials for the files set up for the Remote Connection Manager.

  • We can find the xml file set up for this within the users appdata\roaming file path.
  • We find the file confCons.xml which has credentials for the Administrator, but it is encrypted with AES, using Cypher Mode GCM.

Looking around online, we can find a public POC to decrypt the password: https://github.com/haseebT/mRemoteNG-Decrypt/blob/master/mremoteng_decrypt.py

  • python3 decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw== -p mR3m
  • Password decrypted: thXLHM96BeKL0ER2

Now we log back in over ssh as the admin, get the root.txt:

Root

ctf, security, hacking, exploits, weak authentication, anonymous access
ctf security hacking exploits weak authentication anonymous access
This post is licensed under CC BY 4.0 by the author.