Wednesday, July 31, 2019

Bastion


BASTION

- Layout for this exercise:





1 - INTRODUCTION

- The goal for this exercise is to develop a hacking process for the vulnerable machine Bastion from Hack The Box pentesting platform:

https://www.hackthebox.eu/


2 - ENUMERATION

- Bastion's IP is 10.10.10.134:




- Scanning with Nmap, there are four open ports: 22, 135, 139 and 445.




- Scanning those four ports more deeply, it seems that we have an SMB service running on port 445:






- This Nmap script enumerates the four shared folders:




- Connecting with smbclient:




- As expected, both ADMIN$ and C$ are not accessible:




- IPC$ seems accessible, but it does not yield any valuable information:




- However folder Backups gives us a lot of very important information about Bastion:




- Getting and reading note.txt gives us a hint about backup-related problems:







- Getting and reading SDT65CB.tmp, the file seems to be empty:







- Going into the folder WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351:





- There are some .vhd and .xml files:





- VHD (Virtual Hard Disk) is a file format representing a virtual hard disk drive (HDD).

- It may contain what is found on a physical HDD, such as disk partitions and a file system, which in turn can contain files and folders. 

- It is typically used as the hard disk of a virtual machine.

https://en.wikipedia.org/wiki/VHD_(file_format)


- Getting the 1st .vhd file and running the strings command over it, we find a lot of strings, but nothing that leads to an interesting hint for our purpose:







3 - EXPLOITATION


3.1 - Mounting the backup .vhd disk

- The 2nd .vhd disk is too large (5.4 GB) to check with strings, so a better solution is to mount it locally.


- Installing cifs-utils:




- Creating folder /Backups:




- Mounting the shared folder /Backups locally:




- The mounting process is successful:




- Looking for the 2nd .vhd disk:





- The guestmount program can be used to mount virtual machine filesystems and other disk images on the host. 

- It uses libguestfs for access to the guest filesystem, and FUSE (the "filesystem in userspace") to make it appear as a mountable device.

http://libguestfs.org/guestmount.1.html


- Installing libguestfs-tools:




- Creating folder /vhd2:




- Using guestmount to mount the 2nd .vhd disk on local folder /mnt/vhd2:




- The mounting process is successful, so now we have access to the whole 2nd backup .vhd disk:







3.2 - Getting the Security Account Manager (SAM)


- The Security Account Manager (SAM) is the database where Windows systems store users' passwords.

- The user passwords are stored in a hashed format in a registry hive, either as an LM hash or as an NTLM hash.

- Bastion is a Windows Server 2016, so it certainly uses NTLM hashes.

- This file can be found in %SystemRoot%/System32/config/SAM and is mounted on HKLM/SAM:





- Using samdump2 to retrieve the hashes of Bastion's users:














- Accounts Administrator and Guest are disabled, so let's write down the hash for user L4mpje:

26112010952d963c8dc4217daec986d9
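- From the defender's side, the lesson of this step is that an unencrypted backup of the SAM hive is equivalent to the hashes themselves. The following is an added example, not part of the original post or of samdump2: a parser for the pwdump-style lines samdump2 prints (user:RID:LM:NT:::, with a leading *disabled* marker on disabled accounts) plus an audit that flags what an incident responder wants to know after such a backup leaks: which enabled accounts now need a password rotation, whether any has a blank password, whether legacy LM hashes are still stored, and which accounts share a password (NT hashes are unsalted, so identical hashes mean identical passwords). The sample dump is constructed for this example; the L4mpje hash is the one shown above, the svc_backup account is invented.

```python
import re

# Well-known values: LM hash of an empty password (LM storage disabled) and
# NT hash of an empty password (account has a blank password).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample in samdump2's output format. The L4mpje hash is the one
# recovered above; the svc_backup line is invented to show hash reuse.
SAMPLE_DUMP = """\
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
"""


def parse_pwdump(text):
    """Parse pwdump-style lines into dicts; raises ValueError on an unrecognised line."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        disabled = False
        if line.startswith("*disabled*"):
            disabled = True
            line = line[len("*disabled*"):].strip()
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised pwdump line: %r" % raw)
        accounts.append({
            "user": m["user"],
            "rid": int(m["rid"]),
            "lm": m["lm"].lower(),
            "nt": m["nt"].lower(),
            "disabled": disabled,
        })
    return accounts


def audit(accounts):
    """Return (account, finding) pairs describing the exposure created by the leaked dump."""
    findings = []
    by_nt = {}
    for a in accounts:
        if a["lm"] != EMPTY_LM:
            findings.append((a["user"], "LM hash stored (weak legacy format)"))
        if a["disabled"]:
            continue  # disabled accounts cannot be logged into with the hash
        if a["nt"] == EMPTY_NT:
            findings.append((a["user"], "blank password on enabled account"))
        else:
            findings.append((a["user"], "NT hash recoverable from backup: rotate password"))
            by_nt.setdefault(a["nt"], []).append(a["user"])
    for users in by_nt.values():
        if len(users) > 1:
            findings.append((",".join(users),
                             "same NT hash: accounts share a password (NT hashes are unsalted)"))
    return findings


if __name__ == "__main__":
    for who, finding in audit(parse_pwdump(SAMPLE_DUMP)):
        print("%-25s %s" % (who, finding))
```

- Feed it the real samdump2 output (for example python3 sam_audit.py < hashes.txt after adding a stdin read) and the rotation list falls out directly; the shared-password check is the one that usually surprises people, because a hash cracked once is immediately valid for every account that reuses it.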


3.3 - Cracking the NTLM hash

- Hashkiller, an online service, cracks the NTLM hash found in the previous step:








3.4 - Getting a remote shell

- Now, using the credentials L4mpje:bureaulampje, we have an SSH connection and a remote shell:












4 - CAPTURING THE 1st FLAG

- Reading user.txt from user l4mpje's Desktop:





5 - PRIVILEGE ESCALATION

- As expected, Administrator's Desktop is not accessible, so we need some type of privilege escalation:





- Browsing around with the command line, we confirm the presence of the .vhd and .xml files found before:





- Going to L4mpje's home folder:





- However, looking for hidden folders, we discover many more available resources:





- Going inside AppData\Roaming, there is a very interesting folder named mRemoteNG:









- mRemoteNG is actually an open source remote control and connections manager:





- Reading confCons.xml, we find encrypted credentials for Administrator:





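- The root cause here is an Administrator credential saved in an ordinary user's roaming profile, which then also travelled into the backup. The following is an added example, not part of the original post or of mRemoteNG: a small audit script that parses a confCons.xml, reports the file-level encryption settings, and lists every connection entry that stores a password, flagging privileged usernames, so an administrator can inventory where such stored credentials live in user profiles. The sample XML is constructed for this example; the attribute names follow the layout of mRemoteNG's confCons.xml as understood here, the hosts and names are invented, and the password blobs are 48 zero bytes base64-encoded, not real ciphertext. The "privileged" heuristic (username Administrator or root) is an assumption of this example.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Placeholder blob standing in for an mRemoteNG encrypted password field:
# 48 zero bytes base64-encoded, NOT a real ciphertext.
FAKE_BLOB = base64.b64encode(b"\x00" * 48).decode()

# Constructed sample shaped like an mRemoteNG confCons.xml; all values invented.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" Protected="PLACEHOLDER" ConfVersion="2.6">
  <Node Name="DC01 admin" Type="Connection" Username="Administrator" Domain=""
        Password="%s" Hostname="127.0.0.1" Protocol="RDP" Port="3389" />
  <Node Name="jump host" Type="Connection" Username="" Domain="" Password=""
        Hostname="10.0.0.5" Protocol="SSH2" Port="22" />
  <Node Name="Servers" Type="Container" Expanded="True">
    <Node Name="file01" Type="Connection" Username="svc_files" Domain="CORP"
          Password="%s" Hostname="file01.corp.example" Protocol="RDP" Port="3389" />
  </Node>
</mrng:Connections>
""" % (FAKE_BLOB, FAKE_BLOB)

PRIVILEGED_NAMES = ("administrator", "root")  # simple heuristic, assumed for this example


def encryption_settings(xml_text):
    """File-level attributes describing how the password blobs were protected."""
    root = ET.fromstring(xml_text)
    keys = ("EncryptionEngine", "BlockCipherMode", "KdfIterations",
            "FullFileEncryption", "ConfVersion")
    return {k: root.get(k) for k in keys}


def find_stored_credentials(xml_text):
    """Return every connection node carrying a non-empty Password attribute."""
    root = ET.fromstring(xml_text)
    found = []
    for node in root.iter("Node"):          # Node elements are unnamespaced; containers nest
        if node.get("Type") != "Connection":
            continue
        blob = node.get("Password", "")
        if not blob:
            continue
        try:
            blob_bytes = len(base64.b64decode(blob, validate=True))
        except (binascii.Error, ValueError):
            blob_bytes = None                # not base64: legacy storage or hand-edited file
        username = node.get("Username") or ""
        found.append({
            "name": node.get("Name"),
            "hostname": node.get("Hostname"),
            "protocol": node.get("Protocol"),
            "username": username,
            "domain": node.get("Domain", ""),
            "blob_bytes": blob_bytes,
            "privileged": username.lower() in PRIVILEGED_NAMES,
        })
    return found


def audit_file(path):
    """Audit a confCons.xml on disk, e.g. one found under AppData\\Roaming\\mRemoteNG."""
    with open(path, "r", encoding="utf-8") as fh:
        return find_stored_credentials(fh.read())


if __name__ == "__main__":
    print("encryption:", encryption_settings(SAMPLE_CONFCONS))
    for entry in find_stored_credentials(SAMPLE_CONFCONS):
        flag = "PRIVILEGED " if entry["privileged"] else ""
        print("%s%s -> %s@%s (%s), %s-byte blob" % (
            flag, entry["name"], entry["username"], entry["hostname"],
            entry["protocol"], entry["blob_bytes"]))
```

- Run across the roaming profiles on a file server or over a backup mount, audit_file() gives a quick list of entries to review; a saved Administrator password in a non-admin user's profile is exactly the finding this box turns on.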
- There are tools available online for dealing with mRemoteNG encrypted credentials, for instance the Python script named mremoteng_decrypt.py:







- Launching the script without parameters to explore the available optional arguments:





- Applying the -s option, because the encrypted password seems to be base64-encoded (note the trailing ==):




- So finally we have Administrator's password: thXLHM96BeKL0ER2

- Connecting with SSH as Administrator, we have a privileged remote shell:











6 - CAPTURING THE 2nd FLAG

- Reading root.txt: