Home HackTheBox: Bastion

HackTheBox: Bastion


Port scan

Jumping into this box with a basic NMAP scan shows us a couple of interesting things. First, the SSH server, but that’s pretty normal for HTB boxes. I tried to log into it with anonymous credentials, but that didn’t work out. The most important thing to pick up on from the scan is that it’s likely a Windows machine with NetBIOS and SMB shares, due to the ports 135,139, and 445. Port 135 had several well-known vulnerabilities plague it over the years, so maybe it could be vulnerable to one on this box. Also, there have been vulnerabilities for SMB, like the famous EternalBlue. So we could run some exploit tests against those ports just in case…


Initial Foothold

Exploit Checks

I didn’t find anything useful for RPC exploits, but did find some for the EternalBlue SMB exploit.

Then I made another search, this time on “ms17-010”, the vulnerability CVE code.

Then I ran the exploit …

But no dice… the exploit path is probably a bust, so I moved on from wasting any more time on that approach.


SMB Guest Access

Then I tried the easy thing that should have been done first: connect to SMB without credentials.

I tried first connecting with the file explorer in kali, but it wouldn’t accept a connection without credentials. So I tried smbmap next.

That also didn’t work, but maybe I was just using it wrong. Either way, I moved on to trying smbclient.

Finally I was getting somewhere, I could see the shares listed on the SMB service!

So then I used smbclient to log in and went exploring…

After looking at all the folders, the only interesting one is WindowsImageBackup. Also there is a warning about downloading the entire backup file:

After digging into the “Backups” share, I found a WindowsImageBackup with two VHD files.

I don’t often listen to signs well, so I proceeded to download the VHDs anyway, but it disconnected the session pretty quickly.


Search For User

Getting Into the VHD

Reading just a little in the forums led to a hint from L4mpje that the VHD files can be opened remotely.

Initial googling led to opening VHD files with native windows disk management, but that wound require making a windows VM, or opening my host machine to a network full of hackers, so I decided to keep searching…

Eventually found an article explaining how to open VHD files remotely from linux, perfectly fitting the task at hand

mount -t cifs // /mnt/remote -o ro

That is the command explained in the article above, and it allowed me to mount the remote SMB share to a local folder…

… where I could see and access the VHD files directly! Awesome way to do things and I’ll definitely be keeping notes on this method.

Another cool technique is to seperately mount the VHD files to another folder and explore inside, using the local shell!

I first opened the smaller VHD, but it turned out to be a system boot partition, so then I opened the larger one to find the next clue.


Extracting the Secret Sauce

From here I just explored for a looooong time, looking and prodding at everything.

Eventually looked into opening the Registry and extracting passwords.

Tried mimikatz, but it didn’t run in kali well.
Tried a tool to open the registry like a filesystem and poke around, that didn’t work.
Eventually found pwdump from the creddump package that works the best:

I knew there were some programs for cracking these hashes with dictionary files, hashcat being one I’ve used before and also John the Ripper.

From reading some of the forums to get hints previously, I noticed people talking about “John”, so I guessed JtR would be the way to go. I wasn’t sure what type of hash to put in, and instead of letting john go through them all I looked up the possibilities and tried some until I got it right.

To get the available formats for John, use:

john -list=formats

This is the result of the password cracking:

Awesome, a user password for L4mpje!!!  bureaulampje

Using the credentials found in the Registry, I logged into the SSH and the flag is in the Desktop folder.


The Search for Root

First Clues

With the user flag found and a live login to the box, I searched around the files and folders for an hour or more. Just poking and prodding.

When reading the forum for clues, several people said to look for a program that seems out of place:

Nothing really out of place there, how about the x86 program files:

Bingo! mRemoteNG looks pretty out of place! I’ve used this software before, so I know that it stores connections to things, which necessarily includes the passwords. Maybe there’s some passwords we can retrieve.


This is the directory listing for mRemoteNG:

l4mpje@BASTION C:\Program Files (x86)\mRemoteNG>dir                             
 Volume in drive C has no label.                                                
 Volume Serial Number is 0CB3-C487                                              

 Directory of C:\Program Files (x86)\mRemoteNG                                  

22-02-2019  15:01    <DIR>          .                                           
22-02-2019  15:01    <DIR>          ..                                          
18-10-2018  23:31            36.208 ADTree.dll                                  
18-10-2018  23:31           346.992 AxInterop.MSTSCLib.dll                      
18-10-2018  23:31            83.824 AxInterop.WFICALib.dll                      
18-10-2018  23:31         2.243.440 BouncyCastle.Crypto.dll                     
18-10-2018  23:30            71.022 Changelog.txt                               
18-10-2018  23:30             3.224 Credits.txt                                 
22-02-2019  15:01    <DIR>          cs-CZ                                       
22-02-2019  15:01    <DIR>          de                                          
22-02-2019  15:01    <DIR>          el                                          
22-02-2019  15:01    <DIR>          en-US                                       
22-02-2019  15:01    <DIR>          es                                          
22-02-2019  15:01    <DIR>          es-AR                                       
22-02-2019  15:01    <DIR>          Firefox                                     
22-02-2019  15:01    <DIR>          fr                                          
18-10-2018  23:31         1.966.960 Geckofx-Core.dll                            
05-07-2017  01:31         4.482.560 Geckofx-Core.pdb                            
18-10-2018  23:31           143.728 Geckofx-Winforms.dll                        
05-07-2017  01:31           259.584 Geckofx-Winforms.pdb                        
22-02-2019  15:01    <DIR>          Help                                        
22-02-2019  15:01    <DIR>          hu                                          
22-02-2019  15:01    <DIR>          Icons                                       
18-10-2018  23:31           607.088 Interop.MSTSCLib.dll                        
18-10-2018  23:31           131.440 Interop.WFICALib.dll                        
22-02-2019  15:01    <DIR>          it                                          
22-02-2019  15:01    <DIR>          ja-JP                                       
22-02-2019  15:01    <DIR>          ko-KR                                       
07-10-2018  13:21            18.326 License.txt                                 
18-10-2018  23:31           283.504 log4net.dll                                 
18-10-2018  23:31           412.528 MagicLibrary.dll                            
18-10-2018  23:31         1.552.240 mRemoteNG.exe                               
07-10-2018  13:21            28.317 mRemoteNG.exe.config                        
18-10-2018  23:30         2.405.888 mRemoteNG.pdb                               
22-02-2019  15:01    <DIR>          nb-NO                                       
22-02-2019  15:01    <DIR>          nl                                          
18-10-2018  23:31           451.952 ObjectListView.dll                          
22-02-2019  15:01    <DIR>          pl                                          
22-02-2019  15:01    <DIR>          pt                                          
22-02-2019  15:01    <DIR>          pt-BR                                       
07-10-2018  13:21           707.952 PuTTYNG.exe                                 
07-10-2018  13:21               887 Readme.txt                                  
18-10-2018  23:31           415.088 Renci.SshNet.dll                            
22-02-2019  15:01    <DIR>          ru                                          
22-02-2019  15:01    <DIR>          Schemas                                     
22-02-2019  15:01    <DIR>          Themes                                      
22-02-2019  15:01    <DIR>          tr-TR                                       
22-02-2019  15:01    <DIR>          uk                                          
18-10-2018  23:31           152.432 VncSharp.dll                                
18-10-2018  23:31           312.176 WeifenLuo.WinFormsUI.Docking.dll            
18-10-2018  23:31            55.152 WeifenLuo.WinFormsUI.Docking.ThemeVS2003.dll
18-10-2018  23:31           168.816 WeifenLuo.WinFormsUI.Docking.ThemeVS2012.dll
18-10-2018  23:31           217.968 WeifenLuo.WinFormsUI.Docking.ThemeVS2013.dll
18-10-2018  23:31           243.056 WeifenLuo.WinFormsUI.Docking.ThemeVS2015.dll
22-02-2019  15:01    <DIR>          zh-CN                                       
22-02-2019  15:01    <DIR>          zh-TW                                       
              28 File(s)     17.802.352 bytes                                   
              28 Dir(s)  11.376.021.504 bytes free                              

After looking at the mRemoteNG.exe.config, there wasn’t anyting obviously useful to me. So I looked in the program data folders.

l4mpje@BASTION C:\Program Files (x86)\mRemoteNG>dir C:\ProgramData              
 Volume in drive C has no label.                                                
 Volume Serial Number is 0CB3-C487                                              

 Directory of C:\ProgramData                                                    

16-07-2016  15:23    <DIR>          Comms                                       
22-02-2019  13:36    <DIR>          regid.1991-06.com.microsoft                 
16-07-2016  15:23    <DIR>          SoftwareDistribution                        
25-04-2019  06:08    <DIR>          ssh                                         
12-09-2016  13:37    <DIR>          USOPrivate                                  
12-09-2016  13:37    <DIR>          USOShared                                   
16-04-2019  12:18    <DIR>          VMware                                      
               0 File(s)              0 bytes                                   
               7 Dir(s)  11.374.854.144 bytes free

Nope, nothing there either.

And in AppData\Local\mRemoteNG there is only one file, user.config

l4mpje@BASTION C:\Users\L4mpje\AppData\Local\mRemoteNG\mRemoteNG.exe_Url_pjpxdeh
xpaaorqg2thmuhl11a34i3ave\>type user.config                        
<?xml version="1.0" encoding="utf-8"?>                                          
            <setting name="MainFormLocation" serializeAs="String">              
                <value>-8, -8</value>                                           
            <setting name="MainFormSize" serializeAs="String">                  
                <value>1040, 744</value>                                        
            <setting name="MainFormState" serializeAs="String">                 
            <setting name="MainFormKiosk" serializeAs="String">                 
            <setting name="DoUpgrade" serializeAs="String">                     
            <setting name="LoadConsFromCustomLocation" serializeAs="String">    
            <setting name="FirstStart" serializeAs="String">                    
            <setting name="ResetPanels" serializeAs="String">                   
            <setting name="NoReconnect" serializeAs="String">                   
            <setting name="ExtAppsTBVisible" serializeAs="String">              
            <setting name="ExtAppsTBShowText" serializeAs="String">             
            <setting name="ExtAppsTBLocation" serializeAs="String">             
                <value>3, 25</value>                                            
            <setting name="ExtAppsTBParentDock" serializeAs="String">           
            <setting name="QuickyTBVisible" serializeAs="String">               
            <setting name="QuickyTBLocation" serializeAs="String">              
                <value>3, 24</value>                                            
            <setting name="QuickyTBParentDock" serializeAs="String">            
            <setting name="ResetToolbars" serializeAs="String">                 
            <setting name="CheckForUpdatesAsked" serializeAs="String">          
            <setting name="CheckForUpdatesLastCheck" serializeAs="String">      
                <value>02/22/2019 13:01:46</value>                              
            <setting name="UpdatePending" serializeAs="String">                 
            <setting name="ThemeName" serializeAs="String">                     
            <setting name="PuttySavedSessionsPanel" serializeAs="String">       
            <setting name="EncryptionEngine" serializeAs="String">              
            <setting name="EncryptionBlockCipherMode" serializeAs="String">     
            <setting name="LogFilePath" serializeAs="String">                   
            <setting name="MultiSshToolbarLocation" serializeAs="String">       
                <value>3, 0</value>                                             
            <setting name="MultiSshToolbarParentDock" serializeAs="String">     
            <setting name="MultiSshToolbarVisible" serializeAs="String">        
            <setting name="MainFormRestoreSize" serializeAs="String">           
                <value>1040, 610</value>                                        
            <setting name="MainFormRestoreLocation" serializeAs="String">       
                <value>0, 156</value>                                           

That gave me the path of the log file, but nothing was really interesting in the log file itself. However, other things were in the AppData folder:

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir                    
 Volume in drive C has no label.                                                
 Volume Serial Number is 0CB3-C487                                              

 Directory of C:\Users\L4mpje\AppData\Roaming\mRemoteNG                         

22-02-2019  15:03    <DIR>          .                                           
22-02-2019  15:03    <DIR>          ..                                          
22-02-2019  15:03             6.316 confCons.xml                                
22-02-2019  15:02             6.194 confCons.xml.20190222-1402277353.backup     
22-02-2019  15:02             6.206 confCons.xml.20190222-1402339071.backup     
22-02-2019  15:02             6.218 confCons.xml.20190222-1402379227.backup     
22-02-2019  15:02             6.231 confCons.xml.20190222-1403070644.backup     
22-02-2019  15:03             6.319 confCons.xml.20190222-1403100488.backup     
22-02-2019  15:03             6.318 confCons.xml.20190222-1403220026.backup     
22-02-2019  15:03             6.315 confCons.xml.20190222-1403261268.backup     
22-02-2019  15:03             6.316 confCons.xml.20190222-1403272831.backup     
22-02-2019  15:03             6.315 confCons.xml.20190222-1403433299.backup     
22-02-2019  15:03             6.316 confCons.xml.20190222-1403486580.backup     
22-02-2019  15:03                51 extApps.xml                                 
22-02-2019  15:03             5.217 mRemoteNG.log                               
22-02-2019  15:03             2.245 pnlLayout.xml                               
22-02-2019  15:01    <DIR>          Themes                                      
              14 File(s)         76.577 bytes                                   
               3 Dir(s)  11.441.676.288 bytes free

confCons.xml looked particularly interesting. It was clearly important since it had all those backups.

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>type confCons.xml      
<?xml version="1.0" encoding="utf-8"?>                                          
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="f
alse" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFile
Encryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL
5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">                      
    <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" 
Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Pas
f7lWWA10dQKiw==" Hostname="" Protocol="RDP" PuttySession="Default Setti
ngs" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE"
 ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToI
dleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bi
t" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" Disp
layThemes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" C
acheBitmaps="false" RedirectDiskDrives="false" RedirectPorts="false" RedirectPri
nters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality=
"Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacA
ddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHexti
le" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0
" VNCProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode
="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostna
me="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPass
word="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" Inh
eritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="fa
lse" InheritEnableFontSmoothing="false" InheritEnableDesktopComposition="false" 
InheritDomain="false" InheritIcon="false" InheritPanel="false" InheritPassword="
false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" I
nheritRedirectDiskDrives="false" InheritRedirectKeys="false" InheritRedirectPort
s="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" Inhe
ritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" I
nheritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp
="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryp
tionStrength="false" InheritRDPAuthenticationLevel="false" InheritRDPMinutesToId
leTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="fal
se" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false"
 InheritUserField="false" InheritExtApp="false" InheritVNCCompression="false" In
heritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" 
InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="f
alse" InheritVNCProxyPassword="false" InheritVNCColors="false" InheritVNCSmartSi
zeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" In
heritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" 
InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatew
ayDomain="false" />                                                             
    <Node Name="L4mpje-PC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="Ge
neral" Id="8d3579b2-e68e-48c1-8f0f-9ee1347c9128" Username="L4mpje" Domain="" Pas
vla8esB" Hostname="" Protocol="RDP" PuttySession="Default Settings" 
Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAE
ncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTi
meout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Re
solution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayTh
emes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheB
itmaps="false" RedirectDiskDrives="false" RedirectPorts="false" RedirectPrinters
="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dyna
mic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddres
s="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" V
NCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNC
ProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="Sma
rtSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname=""
 RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword=
"" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritD
escription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" 
InheritEnableFontSmoothing="false" InheritEnableDesktopComposition="false" Inher
itDomain="false" InheritIcon="false" InheritPanel="false" InheritPassword="false
" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" Inheri
tRedirectDiskDrives="false" InheritRedirectKeys="false" InheritRedirectPorts="fa
lse" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRe
directSound="false" InheritSoundQuality="false" InheritResolution="false" Inheri
tAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="fal
se" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionS
trength="false" InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTim
eout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" I
nheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" Inhe
ritUserField="false" InheritExtApp="false" InheritVNCCompression="false" Inherit
VNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" Inher
itVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false"
 InheritVNCProxyPassword="false" InheritVNCColors="false" InheritVNCSmartSizeMod
e="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" Inherit
RDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" Inher
itRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDom
ain="false" />                                                                  

On close inspection I could see there was a connection defined for L4mpje, and another for Administrator. The Administrator password is what we want, but it’s encrypted.

We’re given encryption details at the beginning of the file. One possible option is to take those details and try to decrypt it. But I don’t want to do that if we can get mRemoteNG to do the decryption for us.

The forum posts suggested Google had the answers once we discovered which software was out of place. I found that an external command can be made  that will display the decrypted password!!!

If you download the Zip version instead of installer, everything stays in the same folder, so it’ll be a little easier to manipulate. To get the connection details into mRemoteNG, copy the text that was extracted from the SSH session into an xml file and save it as confCons.xml.

After copying the text, saving it, and opening mRemoteNG, I got an error:

Turns out a straight copy of the text from the shell resulted in data not formed well, so I had to clean up the XML and reload. After that it worked great.

Then the external tools script could be put in to extract the password.

Admin password found!! With that you can log into the SSH with Administrator and grab the root flag!

This post is licensed under CC BY 4.0 by the author.