Hack The Box – Bastion Walkthrough
Introduction
This was an easy Windows box that involved extracting and cracking hashes from a Windows .vhd backup image to gain initial access, and exploiting a weakness in mRemoteNG's credential storage that allowed stored passwords to be decrypted in order to escalate privileges to SYSTEM.
Enumeration
The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:
- -sC to run default scripts
- -sV to enumerate application versions
Performing another Nmap scan with the -p- flag to scan all ports:
SMB Enumeration
The next step was to run an Nmap scan on ports 139 and 445 with all SMB enumeration scripts, to further enumerate this service (the script pattern is quoted so the shell does not expand the wildcard):
nmap -p 139,445 -Pn --script "smb-enum*" 10.10.10.40
Then another Nmap scan was run to check for any known vulnerabilities within the SMB service. Nmap has a number of “smb-vuln-msxx-xxx” scripts that can be used to test the SMB service for publicly known vulnerabilities.
Using the SMBClient tool to list open shares on the system:
Connecting to the SMB share using SMBClient:
Downloading all the files contained in the share:
The note mentions something to do with a backup:
When browsing to the share, a WindowsImageBackup folder is found, which contains a .vhd file:
Mounting the .VHD Windows Image
Doing some research on how to open a .vhd file turned up something interesting:
Mounting the share on the local Kali system to help perform the next steps:
Mounting the .vhd file:
Cracking SAM Hashes
The Security Account Manager (SAM) is a database file in Windows that stores users’ password hashes. If the hashes can be extracted from this file, they can be cracked in order to authenticate to the machine.
Navigating to the config folder which contains the SAM database files:
Extracting the SAM and SYSTEM files:
Using John the Ripper with the following flags to crack the L4mpje user’s password:
- --format to specify the hash type, in this case NTLM
- --wordlist to specify the wordlist to be used, in this case rockyou
- the text file containing the hashes, one per line
Authenticating to the machine as the L4mpje user using SSH:
Privilege Escalation
Transferring the WinPeas enumeration script to the victim machine:
Running the script:
An unusual entry was found in the Program Files (x86) folder: mRemoteNG.
According to its GitHub page, it is an open-source remote connections manager that lets you view all of your connections in a simple yet powerful interface.
Navigating to mRemoteNG’s installation folder:
Checking the mRemoteNG version: it is version 1.76.11, which stored credentials insecurely, so they can potentially be decrypted:
This GitHub script can be used to decrypt passwords stored in MRemoteNG:
Cloning the mRemoteNG decrypt script from GitHub:
Viewing the mRemoteNG config file, which reveals the encrypted password:
Using the mremoteng_decrypt.py script to decrypt the password:
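As an added example (not code from the walkthrough or from the mRemoteNG project), the check below is the defender-side counterpart of this step: it parses an mRemoteNG confCons.xml and flags the settings that made the escalation possible, namely the low default KDF iteration count, full-file encryption left off, and connections that carry a saved password. The sample XML is constructed in the shape of an mRemoteNG config with placeholder values, and the attribute names are assumed from mRemoteNG's config format.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an mRemoteNG confCons.xml; the Protected and
# Password values are placeholders, not real ciphertext from any host.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" Protected="PLACEHOLDER_BASE64" ConfVersion="2.6">
  <Node Name="DC01" Type="Connection" Username="Administrator" Hostname="192.0.2.10"
        Protocol="RDP" Password="PLACEHOLDER_BASE64" />
  <Node Name="jump" Type="Connection" Username="ops" Hostname="192.0.2.20"
        Protocol="SSH2" Password="" />
</mrng:Connections>
"""


def audit_confcons(xml_text, min_kdf_iterations=10000):
    """Return (severity, message) findings for an mRemoteNG confCons.xml document.

    The file alone cannot show whether a custom master password was set (a
    default one is built into mRemoteNG), so every saved password is reported
    as exposed to whoever can read the file.
    """
    root = ET.fromstring(xml_text)
    findings = []

    # Key derivation work factor: mRemoteNG ships with 1000 iterations.
    kdf = int(root.get("KdfIterations", "0") or 0)
    if kdf < min_kdf_iterations:
        findings.append(("HIGH", f"KdfIterations={kdf} (mRemoteNG default is 1000); "
                                 f"raise to at least {min_kdf_iterations}"))

    # Without full-file encryption only the password fields are encrypted.
    if root.get("FullFileEncryption", "false").lower() != "true":
        findings.append(("MEDIUM", "FullFileEncryption is off: hostnames, usernames and "
                                   "connection names are stored in clear text"))

    # Connection nodes are unprefixed <Node> elements; an empty Password means none saved.
    saved = [n.get("Name") for n in root.iter("Node") if n.get("Password")]
    if saved:
        findings.append(("HIGH", f"{len(saved)} connection(s) with a saved password: "
                                 f"{', '.join(saved)}; readable by anyone with file access "
                                 "unless a strong custom master password is set"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_confcons(SAMPLE_CONFCONS):
        print(f"[{severity}] {message}")
```

Run it against %APPDATA%\mRemoteNG\confCons.xml copied from a workstation to see which of the three conditions apply there.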
Authenticating as the Administrator user through SSH:
Conclusion
This was a really great box, as it shows how dangerous it is to leave system image files unprotected, since they can contain confidential data the system has to store, such as user password hashes.
The mRemoteNG exploitation was also quite interesting, as it demonstrated how password and connection managers can store credentials insecurely, trading security for convenience.