Bastion - HackTheBox Writeup


The link for this machine is located here: https://app.hackthebox.com/machines/186


On this box, we are able to mount a backup filesystem and extract the Windows SAM hashes to crack a password. From there, we perform privilege escalation using mRemoteNG to gain a root reverse shell.


Full Walkthrough

First thing we do is run an Nmap scan with the following parameters:

  • -p- for all ports

  • 10.10.10.134 for the target IP

  • -oN allports.scan to output the results

This returns a lot of open ports. Typically, the ports in the 47000-49000 range are not terribly important, so for this I will focus on the lower-numbered ports, up to port 5985.

With this, we can run a more detailed scan:

Here, we see that OpenSSH is running, along with SMB, and potentially an HTTP service on port 5985. Typically, SSH is not the initial way in, so we can leave that for now.

SMB often leaks a lot of information, so we can enumerate that first. We can try to run a tool like SMBMap to gather information, but we get an authentication error.

A nice trick that might work is providing a dummy username just as a kind of placeholder. If we do that with SMBMap, we actually get some information returned to us.

This tells us that there is a share titled Backups. We can also try a tool such as smbclient to confirm the same information:

Next, we can try connecting to this Backups share without providing a password (-N).

And it works! There are some interesting files in here with the two most interesting being the note.txt and the WindowsImageBackup. We can download the note.txt and see what it says.

This tells us that WindowsImageBackup is likely an incredibly large directory, which we don't want to download even on a fast connection.

To look inside it instead, we can first change into WindowsImageBackup, then into the L4mpje-PC directory, then into the Backup directory, and finally list the contents.

This reveals two VHD (Virtual Hard Disk) files, which are huge (look at the byte values).

How do we analyze these without downloading them? To solve that, since we have access to the share without credentials, we can actually mount it to our local machine.

We use the mount command to mount the Backups share onto our local /mnt directory on Linux.
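The condition that makes this whole path possible is a file share readable by an anonymous (null-session) user. On the defending side, that is visible in Windows Security event 5140 ("A network share object was accessed") once the File Share audit subcategory is enabled. The following is an added example, not code from the original writeup: a small detector run over constructed JSON-lines event records (the field names mirror event 5140, the addresses and SIDs are made up) that flags anonymous access to file shares while ignoring the noisy IPC$ share.

```python
"""Flag anonymous (null-session) access to SMB file shares in Windows
Security event 5140 ("A network share object was accessed") records.

The log lines below are constructed samples in the shape of a JSON-lines
SIEM export of events 5140/4624; they are not logs from the box.
"""
import json
from collections import defaultdict

ANONYMOUS_SID = "S-1-5-7"  # well-known SID for NT AUTHORITY\ANONYMOUS LOGON

# Constructed sample log: one JSON event per line (not real logs).
SAMPLE_LOG = r"""
{"EventID": 5140, "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY", "IpAddress": "192.0.2.10", "ShareName": "\\\\*\\IPC$", "ShareLocalPath": ""}
{"EventID": 5140, "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY", "IpAddress": "192.0.2.10", "ShareName": "\\\\*\\Backups", "ShareLocalPath": "C:\\Backups"}
{"EventID": 5140, "SubjectUserSid": "S-1-5-21-1-2-3-1001", "SubjectUserName": "L4mpje", "SubjectDomainName": "BASTION", "IpAddress": "192.0.2.20", "ShareName": "\\\\*\\Backups", "ShareLocalPath": "C:\\Backups"}
{"EventID": 4624, "TargetUserSid": "S-1-5-7", "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3, "IpAddress": "192.0.2.10"}
not a json line -- should be skipped
"""


def parse_events(log_text):
    """Yield parsed JSON events, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_anonymous(event):
    """True when the acting account is the anonymous logon (by SID or name)."""
    sid = event.get("SubjectUserSid") or event.get("TargetUserSid")
    name = event.get("SubjectUserName") or event.get("TargetUserName") or ""
    return sid == ANONYMOUS_SID or name.upper() == "ANONYMOUS LOGON"


def find_anonymous_share_access(log_text, ignore_ipc=True):
    """Return one finding per anonymous file-share access (event 5140).

    IPC$ is ignored by default: anonymous IPC$ access is noisy and often
    legitimate, whereas anonymous access to a *file* share (here Backups)
    is exactly the condition that exposed the VHD images.
    """
    findings = []
    for event in parse_events(log_text):
        if event.get("EventID") != 5140 or not is_anonymous(event):
            continue
        share = event.get("ShareName", "")
        if ignore_ipc and share.upper().endswith("\\IPC$"):
            continue
        findings.append({
            "source": event.get("IpAddress"),
            "share": share,
            "local_path": event.get("ShareLocalPath"),
        })
    return findings


def shares_by_source(findings):
    """Group anonymous file-share hits per source address."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["source"]].add(f["share"])
    return {src: sorted(shares) for src, shares in grouped.items()}


if __name__ == "__main__":
    hits = find_anonymous_share_access(SAMPLE_LOG)
    for src, shares in shares_by_source(hits).items():
        print(f"anonymous file-share access from {src}: {', '.join(shares)}")
```

Event 5140 is only written when Object Access > Audit File Share is enabled in the audit policy; without it, the share access leaves no trace in the Security log at all, so enabling that subcategory is the first mitigation step before any detection logic matters.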

Now that we have mounted it, we can use a tool called guestmount that allows us to mount a virtual machine filesystem.

With this tool, we can run it with the --add, --inspector and --ro parameters, which add the disk image, auto-detect and mount the guest's filesystems, and make the mount read-only.

Then, in the /mnt2 directory I made, we will see the full file system structure - i.e. Windows.

We can try to get the user flag by navigating to L4mpje's desktop, but unfortunately there is no flag there:

However, since we have access to what seems to be a full Windows image and it is not running (i.e. it's turned off), we can analyze important files such as the SYSTEM and SAM hives to try and grab password hashes, for example.

These files are located under C:\Windows\System32\config and are normally not accessible while the PC is running - but this is a backup!

Since we have full access to these files, we can use a tool like secretsdump.py and specify the SAM and SYSTEM files to try and grab the hashes.

It works! We have grabbed the hashes for the system. With this, we can take the second part of each record (after the colon, the NT hash) and try to crack it using something like Hashcat.

First, we create a file that contains these hashes.

Then, we can attempt to crack them using the rockyou.txt wordlist.

After 2 minutes, one of them gets cracked, revealing the cleartext password bureaulmpje. Looking at the hashes with the usernames in front of them reveals this password to be for the l4mpje user.
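Before a dump like this goes anywhere near a cracker, it helps to read the record format secretsdump.py prints (user:rid:lmhash:nthash:::) and check for the storage weaknesses a defender cares about: LM hashes still being stored, blank passwords, and the same NT hash reused across accounts. The following is an added example, not the writeup's or secretsdump's own code; the dump it parses is constructed, with placeholder hex values rather than the hashes from the box, and the two constants are the well-known empty-LM marker and the NT hash of the empty password.

```python
"""Audit a SAM dump in secretsdump.py's record format
(user:rid:lmhash:nthash:::) for storage weaknesses, without cracking.

The dump is a constructed sample: the hex values are placeholders, not
the hashes recovered from the box in the writeup.
"""
import re
from collections import defaultdict

# Well-known constants: the LM field printed when no LM hash is stored,
# and the NT hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

RECORD = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample, including the status lines secretsdump prints around the records.
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1001:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
svc_backup:1002:89abcdef0123456789abcdef01234567:0123456789abcdef0123456789abcdef:::
[*] Cleaning up...
"""


def parse_dump(text):
    """Return one dict per hash record; status and malformed lines are ignored."""
    accounts = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            accounts.append({"user": user, "rid": int(rid),
                             "lm": lm.lower(), "nt": nt.lower()})
    return accounts


def audit_dump(text):
    """Return sorted (user, finding) pairs describing storage weaknesses."""
    accounts = parse_dump(text)
    findings = set()
    by_nt = defaultdict(list)
    for a in accounts:
        by_nt[a["nt"]].append(a["user"])
        if a["rid"] == 500:
            # RID 500 is the built-in Administrator, whatever it is renamed to.
            findings.add((a["user"], "builtin_administrator"))
        if a["lm"] != EMPTY_LM:
            # A real LM hash means LM hashing is still enabled for this account.
            findings.add((a["user"], "lm_hash_stored"))
        if a["nt"] == EMPTY_NT:
            findings.add((a["user"], "blank_password"))
    # Identical NT hashes mean identical passwords: one crack opens both accounts.
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            for u in users:
                others = ",".join(sorted(x for x in users if x != u))
                findings.add((u, "password_shared_with:" + others))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_dump(SAMPLE_DUMP):
        print(f"{user}: {finding}")
```

The reuse check is the one that matters most in a backup scenario: a single weak password cracked from an old image is still useful to an attacker if the built-in Administrator or a service account shares it.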

With these credentials, we can try to SSH into the machine.

Bingo! We now have full SSH access as the l4mpje user. With this access, we can try going to the desktop and grabbing the user.txt flag.

Next, it’s time to escalate our privileges. After a lot of enumeration and dead ends, we can look at the installed programs in Program Files.

Nothing seems out of the ordinary in there. What about the 32-bit Program Files?

Ah, something stands out as non-standard - mRemoteNG. I don’t know what this program is so time to put on your research hats.

It turns out to be an open source tool allowing you to view remote connections. With it being open source, we could go and read the source code like true hackers.

But the easier way is to see if anyone has successfully exploited this program before us - turns out they beat us to it.

This tells us that passwords for this program can be found under %appdata%\mRemoteNG - perfect! We can try navigating there and seeing if the confCons.xml file exists.

It does! We can cat out the contents of this file and put it into a local file for better readability. Scrolling through the contents, we see an entry for a connection with the username Administrator and the password hash just staring at us.

It also tells us it was for port 3389 (RDP) but this machine doesn’t have RDP enabled.

Since this program is open source, there is likely help out there on how it stores these passwords. If we search Google, we will find a Python script that will decrypt these password hashes for us.

Downloading the tool and using it by providing the mRemoteNG hash reveals the cleartext password to be thXLHM96BeKL0ER2.
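The defender's lesson from confCons.xml is that a saved connection with a privileged account is a stored credential readable by anyone who can read the user's profile, regardless of how it is encrypted. The following is an added example, not the writeup's or mRemoteNG's own code: an audit that parses a confCons.xml and reports which connection entries carry a saved password and which of those belong to a privileged account, without decrypting anything. The XML is a constructed sample; the element and attribute names (Node, Type, Username, Password, Hostname, Protocol, Port, FullFileEncryption) follow the mRemoteNG connection file format, while the values and hosts are made up.

```python
"""Audit an mRemoteNG confCons.xml for saved credentials.

Reports which connection entries carry a stored password and which of
those use a privileged account, without decrypting anything. The XML is a
constructed sample in the shape of confCons.xml: element and attribute
names follow mRemoteNG's connection file, the values are made up.
"""
import xml.etree.ElementTree as ET

PRIVILEGED_NAMES = {"administrator", "admin", "root"}

SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain=""
        Password="PLACEHOLDER_ENCRYPTED_BLOB_1" Hostname="127.0.0.1"
        Protocol="RDP" Port="3389" />
  <Node Name="Jump hosts" Type="Container" Expanded="true">
    <Node Name="web01" Type="Connection" Username="deploy" Domain=""
          Password="PLACEHOLDER_ENCRYPTED_BLOB_2" Hostname="10.0.0.5"
          Protocol="SSH2" Port="22" />
    <Node Name="web02" Type="Connection" Username="" Domain=""
          Password="" Hostname="10.0.0.6" Protocol="SSH2" Port="22" />
  </Node>
</mrng:Connections>
"""


def audit_confcons(xml_text):
    """Parse a confCons.xml and describe every connection entry."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    entries = []
    # Connection nodes are unprefixed <Node> elements, possibly nested in containers.
    for node in root.iter("Node"):
        if node.get("Type") != "Connection":
            continue
        username = node.get("Username", "")
        entries.append({
            "name": node.get("Name", ""),
            "username": username,
            "host": node.get("Hostname", ""),
            "protocol": node.get("Protocol", ""),
            "port": node.get("Port", ""),
            "has_password": bool(node.get("Password")),
            "privileged": username.lower() in PRIVILEGED_NAMES,
        })
    return {
        # With FullFileEncryption off, only the Password attributes are encrypted;
        # usernames, hosts and ports stay in cleartext.
        "full_file_encryption": root.get("FullFileEncryption", "false").lower() == "true",
        "entries": entries,
    }


def stored_credentials(report):
    """Entries that carry a saved password, most sensitive first."""
    saved = [e for e in report["entries"] if e["has_password"]]
    return sorted(saved, key=lambda e: (not e["privileged"], e["name"]))


if __name__ == "__main__":
    report = audit_confcons(SAMPLE_CONFCONS)
    print(f"full file encryption: {report['full_file_encryption']}")
    for e in stored_credentials(report):
        flag = " [PRIVILEGED]" if e["privileged"] else ""
        print(f"{e['name']}: {e['username']}@{e['host']}:{e['port']} ({e['protocol']}){flag}")
```

Run against a real profile, the report answers the question this box raises: does any low-privilege user's profile hold a saved password for an administrative account? If it does, the fix is to remove the saved password from that entry, not to rely on the encryption of the file.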

With this password and the Administrator user, we can SSH back into the machine as the admin user.

Finally, as we have now owned the system, we can grab the root.txt flag for submission to complete this box!

