BASTION — HTB

Raj Singh
4 min read, Sep 7, 2019

MACHINE IP — 10.10.10.134

NMAP SCAN -

$ nmap -sV -sC -p- 10.10.10.134
Nmap scan report for 10.10.10.134
Host is up (0.23s latency).
Not shown: 65522 closed ports
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -39m47s, deviation: 1h09m13s, median: 10s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-05-23T11:30:14+02:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-05-23 09:30:13
|_  start_date: 2019-05-23 05:46:29
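The scan already tells a defender most of what this box leaks over SMB: a guest session is accepted, SMB1 signing is disabled and SMB2 signing is not required. As an added example (not part of the original writeup), this Python triage parses a constructed excerpt of the host-script output above into findings paired with the matching hardening; the parser assumes nmap's normal -sC text layout.

```python
import re

# Constructed excerpt of the host-script section of the scan above.
SCAN = """\
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

def parse_host_scripts(text):
    """Parse nmap's '|'-prefixed script output into {script: {key: value}};
    entries without a colon are collected under "_text"."""
    scripts, name = {}, None
    for line in text.splitlines():
        head = re.match(r"^\| (\S+):\s*$", line)        # "| smb-security-mode:"
        item = re.match(r"^\|_?\s{2,}(.+?)\s*$", line)  # indented entry line
        if head:
            name = head.group(1)
            scripts[name] = {}
        elif item and name:
            key, sep, val = item.group(1).partition(":")
            if sep:
                scripts[name][key.strip()] = val.strip()
            else:  # e.g. "Message signing enabled but not required"
                scripts[name].setdefault("_text", []).append(key.strip())
    return scripts

def triage_smb(text):
    """Map the SMB security-mode scripts to (finding, mitigation) pairs."""
    s = parse_host_scripts(text)
    smb1, smb2 = s.get("smb-security-mode", {}), s.get("smb2-security-mode", {})
    findings = []
    if smb1.get("account_used") == "guest":
        findings.append(("guest-session", "guest/null session accepted: restrict anonymous access and review share ACLs"))
    if smb1.get("message_signing", "").startswith("disabled"):
        findings.append(("smb1-signing-disabled", "SMB1 signing off: disable SMB1 or require signing"))
    if any("not required" in t for t in smb2.get("_text", [])):
        findings.append(("smb2-signing-optional", "SMB2 signing negotiable: enable 'Digitally sign communications (always)'"))
    return findings
```

Run it on a saved `nmap -sC` text file instead of SCAN to get the same three findings for any host that looks like this one.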

From the scan we can see that SMB (139/445) is open.

So let's look at what shares it exposes.

$ smbclient -L 10.10.10.134

Here we get 4 shares. After enumerating them we found some sensitive files on the Backups share.

Under WindowsImageBackup we found a VHD (virtual hard disk) file.

We opened the VHD file on a Windows machine.

To attach the VHD follow these steps:

  1. Right-click Computer/This PC and click Manage.
  2. Go to Disk Management and right-click on it.
  3. Select Attach VHD.
  4. Enter the location of the VHD and press Enter.
Location — \\10.10.10.134\Backups\WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd

Once the disk is attached, look for the registry hives SAM and SYSTEM.

They are located at C:\Windows\System32\Config

We copied the SAM and SYSTEM files to our system.

Then we used the samdump2 tool to extract the password hashes in a readable form:

$ samdump2 SAM SYSTEM > hash.txt 

The SAM hive is encrypted with a key stored in the SYSTEM hive, which is why samdump2 needs both; the NT hashes it outputs are then cracked with john the ripper:

$ john --format=NT --wordlist=/usr/share/wordlist/rockyou.txt hash.txt

After cracking the hashes we found the plaintext password:

So here we found the L4mpje user's credentials.

Logging in over SSH with these credentials we found user.txt.

Further enumeration turned up mRemoteNG.

mRemoteNG — mRemoteNG stores connections for RDP, VNC, SSH, Telnet, rlogin and other protocols, and saves their passwords in an encrypted format.

So this can be our key to privilege escalation.

Here we found the mRemoteNG config files.

After this we installed the mRemoteNG application on our Windows machine.

Steps for privilege escalation:

  1. Looking inside C:\Program Files\ we found an installed program, mRemoteNG.
  2. Searching for it turned up a known weakness in this program: the stored credentials can be disclosed.
  3. The file C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confcons.xml holds the encrypted credentials; we copied it to our system:
λ scp.exe L4mpje@10.10.10.134:C:\Users\L4mpje\AppData\Roaming\mRemoteng\confcons.xml .

  4. Installed mRemoteNG from https://mremoteng.org/download on our system.
  5. In the top right corner click File > Open Connection File and select the copied confcons.xml file.
  6. Create a new external tool: click Tools in the top right corner, right-click External Tools and select New External Tool.
  7. In Display Name enter any name, in Filename type cmd, and in Arguments type "/k echo %password%".
  8. Right-click the DC connection and under External Tools select the one you created.
  9. A command prompt pops up showing the Administrator password.
  10. Log in over SSH as Administrator:thXLHM96BeKL0ER2
