Bastion HackTheBox write up

In this challenge I learned how to mount a remote SMB share as well as a virtual hard disk file. I then dumped the password hashes from the SAM to gain initial access, and was introduced to a new tool named mRemoteNG, which stores passwords insecurely.

Nmap scan:

Looking at the results, SSH stands out, as it is fairly uncommon to see it running on Windows, let alone Windows 7. After looking up the version I found nothing interesting.

I also see port 135, which we can attempt to connect to with rpcclient; this was unsuccessful.

Ports 139 and 445 are also open, so I started with some SMB enumeration, running enum4linux and smbmap; both failed.

A cool trick I learned from 0xdf is that if you specify a username, even an invalid made-up one, you can authenticate as guest.

We see an interesting message about a test backup directory that could not be removed. We also have read/write access to the backups share.

I followed this with the -R flag to list every file possible. This produces very verbose output.

I saw that there was a note file inside the backup, so I decided to grab it with smbclient.

The note makes sense, as downloading the entire backup file would take way too long, and to be honest I like to work fast. So I moved on to mounting the SMB share.

Is CIFS the same as SMB? CIFS (Common Internet File System) and SMB (Server Message Block) are both Windows file-sharing protocols used in storage systems, such as network-attached storage (NAS). The key difference between CIFS and SMB is that CIFS is a dialect of SMB – a particular implementation of the SMB protocol. - upguard, upguard.com/blog/cifs-vs-smb

After mounting the backup share I located two VHD files.

A virtual hard disk (VHD) is a disk image file format for storing the entire contents of a computer's hard drive. The disk image, sometimes called a virtual machine (VM) image, replicates an existing hard drive, including all data and structural elements.

To mount the VHD image I will need to reinstall an additional tool set named libguestfs-tools.

After installing the required tools I restarted my VM and began attempting to mount the VHD.

After running this command I listed the mounted directory's contents; I had to use sudo.
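
Before handing a .vhd file from a backup share to guestmount, it is worth checking what kind of image it is (fixed, dynamic or differencing) and whether its footer checksum is intact, since a truncated or corrupted copy will simply fail to mount. The parser below is an added example, not code from this write-up or from libguestfs; the footer layout follows Microsoft's published VHD specification (a 512-byte, big-endian footer at the end of the file with a "conectix" cookie). The sample image it builds is constructed inside the script, and its size, UUID, creator tag and geometry are placeholder values.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# VHD footer: last 512 bytes of the file, all integers big-endian (Microsoft VHD spec).
FOOTER_STRUCT = struct.Struct(">8sIIQI4sI4sQQIII16sB427s")
FOOTER_SIZE = FOOTER_STRUCT.size  # 512
CHECKSUM_OFFSET = 64               # cookie(8)+features(4)+version(4)+data_offset(8)+timestamp(4)
                                   # +creator_app(4)+creator_ver(4)+host_os(4)+orig(8)+cur(8)+geom(4)+type(4)
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # timestamps count seconds from here


def vhd_checksum(footer: bytes) -> int:
    """Ones' complement of the byte sum of the footer with the checksum field zeroed."""
    zeroed = footer[:CHECKSUM_OFFSET] + b"\x00\x00\x00\x00" + footer[CHECKSUM_OFFSET + 4:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def parse_vhd_footer(image: bytes) -> dict:
    """Parse the trailing footer of a VHD image held in memory."""
    if len(image) < FOOTER_SIZE:
        raise ValueError("file too small to contain a VHD footer")
    footer = image[-FOOTER_SIZE:]
    (cookie, _features, version, data_offset, timestamp, creator_app, _creator_ver,
     host_os, original_size, current_size, geometry, disk_type, checksum,
     unique_id, saved_state, _reserved) = FOOTER_STRUCT.unpack(footer)
    if cookie != b"conectix":
        raise ValueError("missing 'conectix' cookie: not a VHD footer")
    # Geometry packs cylinders (2 bytes), heads (1 byte), sectors per track (1 byte).
    cylinders, heads, sectors = geometry >> 16, (geometry >> 8) & 0xFF, geometry & 0xFF
    return {
        "format_version": f"{version >> 16}.{version & 0xFFFF}",
        "disk_type": DISK_TYPES.get(disk_type, f"unknown({disk_type})"),
        # For fixed disks this is all 0xFF; for dynamic/differencing it points at the dynamic header.
        "data_offset": data_offset,
        "created": VHD_EPOCH + timedelta(seconds=timestamp),
        "creator_app": creator_app.decode("ascii", "replace").strip("\x00 "),
        "host_os": host_os.decode("ascii", "replace").strip("\x00 "),
        "original_size": original_size,
        "current_size": current_size,
        "geometry": (cylinders, heads, sectors),
        "unique_id": str(uuid.UUID(bytes=unique_id)),
        "saved_state": bool(saved_state),
        "checksum_ok": checksum == vhd_checksum(footer),
    }


def parse_vhd_file(path: str) -> dict:
    """Read only the trailing 512 bytes so multi-GB images are never loaded into memory."""
    with open(path, "rb") as fh:
        fh.seek(0, 2)
        if fh.tell() < FOOTER_SIZE:
            raise ValueError("file too small to contain a VHD footer")
        fh.seek(-FOOTER_SIZE, 2)
        return parse_vhd_footer(fh.read(FOOTER_SIZE))


def build_fixed_vhd(size_bytes: int) -> bytes:
    """Construct a minimal fixed VHD (zero-filled data + valid footer) as sample input.

    The UUID, creator tag and CHS geometry are constructed placeholders, not values
    computed per the spec's geometry algorithm.
    """
    placeholder_uuid = uuid.UUID("00000000-0000-4000-8000-00000000beef")
    geometry = (203 << 16) | (16 << 8) | 63
    fields = [
        b"conectix", 2, 0x00010000, 0xFFFFFFFFFFFFFFFF, 0, b"py  ", 0x00010000, b"Wi2k",
        size_bytes, size_bytes, geometry, 2, 0, placeholder_uuid.bytes, 0, b"\x00" * 427,
    ]
    fields[12] = vhd_checksum(FOOTER_STRUCT.pack(*fields))  # fill in checksum last
    return b"\x00" * size_bytes + FOOTER_STRUCT.pack(*fields)


if __name__ == "__main__":
    for key, value in parse_vhd_footer(build_fixed_vhd(1 << 20)).items():
        print(f"{key:>15}: {value}")
```

Run it against a real image with parse_vhd_file("/path/to/backup.vhd"); a "differencing" type means the file depends on a parent image you must also have, and checksum_ok being False is a good reason to re-copy the file before spending time on guestmount errors.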

From the basic overview we can see it is a Windows file system. I had a poke around in the Users directory and the desktop to see if I could find a flag, which I could not.

I am aware that Windows has a Security Account Manager (SAM), which is a database that stores Windows credentials. It is located in Windows/System32/config.

I can use a tool from Impacket called secretsdump to automate the process of obtaining this information.

We have found an unknown user and an autologin password for this user. We also have 3 other users and their NTLM hashes; to be time-efficient I used a site called CrackStation for some fast cracking.

We got the password for L4mpje-PC

Revisiting my Nmap results, I have a couple of potential services I can try to authenticate to. I am going to start from the top with SSH, which was a success.

Finding user flag:

Looking for privilege escalation:

I am unfamiliar with mRemoteNG so I did some research. After reading up on what mRemoteNG is, I went looking for information related to any vulnerability and came across this Reddit post:

That linked to this article: ethicalhackingguru.com/how-to-exploit-remot.. Now that I know there is an insecure password store, I went ahead and tried to find it.

The password is stored in an XML file named confCons.xml.

As these are fairly small files, I used the type command to display the content and copy and paste it to my local machine.

At first I tried to decrypt the password by just passing the whole file to the tool mremoteng_decrypt.py, but this was unsuccessful.

I followed that by grepping the file for Password, taking the password strings out, and attempting to decrypt them individually.
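
Grepping confCons.xml for Password works for one box, but when auditing workstations for this kind of exposure it is more useful to inventory every connection entry that carries a stored credential, together with the file-level settings that determine how well it is protected. The script below is an added example, not code from this write-up or from the mRemoteNG project, and it deliberately decrypts nothing: it only reports what is stored and where. The file it parses is constructed here (hosts use documentation addresses, ciphertexts are placeholder strings), and the layout it assumes (an mrng:Connections root with EncryptionEngine/BlockCipherMode/KdfIterations/FullFileEncryption attributes, and Node elements with Type, Username, Hostname, Protocol and Password attributes) is an assumption based on the confCons.xml format of mRemoteNG 1.76-era releases.

```python
import xml.etree.ElementTree as ET

# Constructed sample confCons.xml: two connections with stored (encrypted) passwords,
# one without, and one container folder. Ciphertexts and Protected are placeholders.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" Protected="CONSTRUCTED-PLACEHOLDER" ConfVersion="2.6">
  <Node Name="Servers" Type="Container" Username="" Domain="" Password="" Hostname="" Protocol="RDP">
    <Node Name="file-server" Type="Connection" Username="svc_backup" Domain="CORP"
          Password="CONSTRUCTED-BASE64-CIPHERTEXT-1==" Hostname="192.0.2.5" Protocol="RDP" Port="3389"/>
    <Node Name="jump-host" Type="Connection" Username="ops" Domain=""
          Password="" Hostname="192.0.2.9" Protocol="SSH2" Port="22"/>
  </Node>
  <Node Name="router" Type="Connection" Username="admin" Domain=""
        Password="CONSTRUCTED-BASE64-CIPHERTEXT-2=" Hostname="192.0.2.1" Protocol="SSH2" Port="22"/>
</mrng:Connections>
"""


def _local_name(tag: str) -> str:
    """Strip an XML namespace prefix like '{http://mremoteng.org}' from a tag."""
    return tag.split("}")[-1]


def audit_confcons(xml_text: str) -> dict:
    """Inventory stored credentials and protection settings in a confCons.xml document.

    Returns file-level settings, one record per Connection node, and a count of
    connections whose Password attribute is non-empty.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    if _local_name(root.tag) != "Connections":
        raise ValueError("root element is not a Connections node: not a confCons.xml file")

    settings = {
        "encryption_engine": root.get("EncryptionEngine"),
        "block_cipher_mode": root.get("BlockCipherMode"),
        "kdf_iterations": int(root.get("KdfIterations", "0") or 0),
        # With FullFileEncryption off, hostnames, usernames and protocols are plaintext.
        "full_file_encryption": root.get("FullFileEncryption", "false").lower() == "true",
        "has_master_password_check": bool(root.get("Protected")),
    }

    connections = []
    for node in root.iter():
        if _local_name(node.tag) != "Node" or node.get("Type") != "Connection":
            continue  # skip the root and Container (folder) nodes
        password = node.get("Password", "") or ""
        connections.append({
            "name": node.get("Name", ""),
            "hostname": node.get("Hostname", ""),
            "protocol": node.get("Protocol", ""),
            "username": node.get("Username", ""),
            "domain": node.get("Domain", ""),
            "has_stored_password": bool(password),
            "ciphertext_length": len(password),
        })

    stored = [c for c in connections if c["has_stored_password"]]
    return {
        "settings": settings,
        "connections": connections,
        "stored_password_count": len(stored),
    }


def audit_confcons_file(path: str) -> dict:
    """Audit a confCons.xml on disk (same report as audit_confcons)."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_confcons(fh.read())


if __name__ == "__main__":
    report = audit_confcons(SAMPLE_CONFCONS)
    print("settings:", report["settings"])
    for c in report["connections"]:
        flag = "STORED PASSWORD" if c["has_stored_password"] else "no password"
        print(f"  {c['name']:<12} {c['protocol']:<5} {c['username']}@{c['hostname']:<12} {flag}")
    print("connections with stored passwords:", report["stored_password_count"])
```

The point for a defender is the combination the report surfaces: entries with a stored password in a file that is not fully encrypted and, unless the user set a custom master password, is protected only by a default key that is public knowledge, so anyone who can read the file (as the low-privileged user here could) holds the credentials. Remediation is to set a custom master password or remove stored passwords from the file.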

I then used these new credentials to authenticate over SSH again and typed out the root flag.
