HackTheBox Writeups

Writeups for all the HTB boxes I have solved

View on GitHub

Bastion


bastion

Author: L4mpje

Machine IP: 10.10.10.134

DATE : 17/07/2019

START TIME: 11:36 PM

Nmap

There’s SMB service running so we can use tools like smbmap or smbclient to find some share to look into.

SMB

Using the following command I got the list of shares:

➜ smbclient -L //10.10.10.134/Backups -U ""

We can see that there’s one share named Backups present. Let’s see if we can find anything in it.

The first thing I read was note.txt.

the mDGqWiOzka directory was empty and the nmap-test-file had some junk data and SDT65CB.tmp was empty.

In WindowsImageBackup I found another directory named L4mpje-PC

After looking around a bit I found some .vhd file in smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\>.

We can download those .vhd file and then mount them to find something in them but that might not be the best way to do it because this is what the note said:

please don't transfer the entire backup files locally, the VPN to the subsidiary office is too slow.

So instead we need to find a way to mount the SMB directory to our system so we can browse the backup files and then mount the VHD.

Mount SMB

This will mount the SMB share.

Mount VHD

Pwn User

In Windows we can find juicy stuff in System32, you can says it’s equivalent to /etc/ of linux(not exactly).

Windows store passwords in file called SAM and we can use tool like samdump to get hashes out of that file. And then using tools like john or hashcat we can crack it.

In System32/config we can see the SAM file.

Using samdump2 SYSTEM SAM we can dump hashes

26112010952d963c8dc4217daec986d9

I used crackstation to crack the hash

26112010952d963c8dc4217daec986d9: bureaulampje

Now we have the password so we can login into L4mpje SSH account.

We can just grab the user hash now.

Privilege Escalation

I started looking around but there wasn’t anything interesting in the user directory.

I decided to look into Program Files and Program Files (x86) folder. Since this is where the new software are installed, we can see if there’s any vulnerable program installed.

In Program Files (x86) I found a program named mRemoteNg, that is the only program which isn’t present by default.

So I google exploit for it and found a metasploit script for it. But since it’s post exploit it will need a shell or something(I’m not good with msf).

I continued my search for easy-to-run exploit and found a github repository kmahyyg/mremoteng-decrypt. According to this I need to get the User.config for mRemoteNG and then use one of the script to decrypt the password.

I used the type command to see the content of confCons.xml

we can see the password hash there.

Now we can just use that password with our script to decrypt it.

I had to edit the python script a bit. First I installed PyCryptodome and then

Change the following line

from Cryptodome.Cipher import AES

to

from Crypto.Cipher import AES

I used the following command to crack the password:

➜ python mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt\/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="

and got the output Password: thXLHM96BeKL0ER2

To confirm that I got the right password I used the L4mpje hash and checked if I got bureaulampje and I actually did got that:

First I tried to use the runas command to use the administrator account but for some reason it didn’t worked.

So I logged into SSH account of Administrator using the administrator: thXLHM96BeKL0ER2.

Thanks for reading, Feedback is always appreciated

Follow me @0xmzfr for more “Writeups”.