Today we are working on Bastion, a retired Windows box from HackTheBox.eu rated Easy. Let’s get started.
Initial Enumeration
Our nmap scans reveal a number of Windows-related ports open, but minimal detail.
We have anonymous SMB available.
Try them all for yourself, but the Backups share is the only one I could connect to.
I downloaded the entire contents of the share to my Kali box to sort through everything. To do this, at the smbclient prompt enter:
- prompt off
- recurse on
- mget *
Now we can look through all the files on our local box. The virtual hard disk files (.vhd) that we downloaded look interesting.
I wasn’t terribly familiar with the .vhd file format and after some Googling it seemed it would be easier to view the files in Windows, so I used a Windows 10 VM to redownload the files. I had to install OpenVPN on my Windows VM, download my HTB connection pack, and enable unauthenticated (guest) SMB access, which is disabled by default in Windows. Details on how to do this can be found here:
File 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd contains a partial backup of the box, including the Windows folder. We can drill down to System32/config to find the SAM file that contains the local account password hashes.
I moved the SAM and SYSTEM files to my Kali box in order to attempt to crack the password hashes. First we use samdump2 to extract the hashes into a file that hashcat can read.
We are able to crack the NTLM hash for user L4mpje using hashcat. I previously cracked the password with hashcat and it wasn’t interested in redoing any work, but use the below command and remove the “--show” to do the hash cracking yourself. Interestingly, I first tried to crack the password using john, but it did not work for me.
From our nmap scans, we know ssh is available, so we can log onto the box via ssh using our newly discovered creds. From there, the user flag can be found in L4mpje’s Desktop folder.
Privilege Escalation
We find very quickly that our user L4mpje has very limited privileges. Basic privilege escalation techniques go nowhere and we can’t even download files like winPEAS to run any automated privesc checks. I also tried unsuccessfully to get a meterpreter session using my ssh creds. Absent any of this, I looked around the C:\ drive and found a folder named mRemoteNG that looked interesting.
mRemoteNG is an application that assists with remote connections and it turns out that it is ridiculously insecure. Some basic research into the application reveals it stores its saved connections in a config file called confCons.xml.
Looking into the config file, we have an encrypted password for the administrator account.
A little more research and we find out how to decrypt the password.
We first have to install the password decryption script.
Then we run the script against the encrypted password we found.
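As an added example (not from the original post or the mRemoteNG project), here is a small Python audit that parses a confCons.xml and reports which saved connections carry a stored password, together with the file-level encryption settings, so an administrator can find such files before anyone else does. The sample XML is constructed to follow the confCons.xml layout; its Password and Protected values are placeholders, not real ciphertext.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the confCons.xml layout (root attributes and
# per-connection Node attributes). Password/Protected are placeholders.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections"
    Export="false" EncryptionEngine="AES" BlockCipherMode="GCM"
    KdfIterations="1000" FullFileEncryption="false"
    Protected="PLACEHOLDER" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Username="Administrator" Domain=""
        Password="PLACEHOLDER_BASE64" Hostname="127.0.0.1" Protocol="RDP" />
    <Node Name="Jumpbox" Type="Connection" Username="ops" Domain=""
        Password="" Hostname="10.0.0.5" Protocol="SSH2" />
</mrng:Connections>
"""


def audit_confcons(xml_text):
    """Return (findings, settings): every connection Node with a non-empty
    Password attribute, and the root-level encryption settings."""
    root = ET.fromstring(xml_text)
    settings = {
        "FullFileEncryption": root.get("FullFileEncryption", "false"),
        "EncryptionEngine": root.get("EncryptionEngine", ""),
        "KdfIterations": root.get("KdfIterations", ""),
    }
    findings = []
    # iter() walks nested Container nodes too, so grouped connections are seen.
    for node in root.iter("Node"):
        if node.get("Type") != "Connection" or not node.get("Password"):
            continue
        findings.append({
            "name": node.get("Name"),
            "user": node.get("Username"),
            "host": node.get("Hostname"),
            "protocol": node.get("Protocol"),
        })
    return findings, settings


def report(xml_text):
    """Human-readable lines; a stored password in a file that is not fully
    encrypted with a custom master password is the case worth fixing."""
    findings, settings = audit_confcons(xml_text)
    lines = [f"{k}={v}" for k, v in settings.items()]
    for f in findings:
        lines.append(f"stored password: {f['user']}@{f['host']} ({f['protocol']}, node {f['name']})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFCONS)))
```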
Using our creds, we can ssh to the box as administrator…
…and read the root flag.
We have rooted the box. Thanks for reading!