Bastion @ HackTheBox

28Apr

Bastion @ HackTheBox

By CTF , , ,

Bastion is an easy 20 points machine on hackthebox. It is about mounting a .vhd file over the network, retrieving password hashes from backups (via SAM) and a privilege escalation that involves stored credentials in mRemoteNG.

User Flag

The initial scan shows the following open ports:

22/tcp  open  ssh
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

By checking port 445 with smbmap we notice that we have a readable and writable share called Backups:

[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.134...
[+] IP: 10.10.10.134:445  Name: 10.10.10.134
  Disk                                                    Permissions
  ----                                                    -----------
  ADMIN$                                              NO ACCESS
  Backups                                             READ, WRITE
  C$                                                  NO ACCESS
  IPC$                                                READ ONLY

Since we learned from the helpline box that a windows vm is best for testing windows, we will be using a windows 10 vm from now on. We connect to the share via windows explorer and notice it has 2 .vhd backup files in it. Since it is very slow to download them we directly mount them over the smb share:

This allows us to read the backup of the c drive from L4mpje. There aren’t any flags or otherwise too interesting files, but we can download the SAM and SYSTEM file from “C:\windows\system32\config\”. We copy them to our Linux box and use pwdump to obtain the user hashes:

pwdump SYSTEM SAM
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

Using hashkiller we retrieve the password of L4mpje: “bureaulampje”. We can now ssh into the box with the credentials and read the userflag.

Root Flag

After enumerating the box a bit we notice that an application called mRemoteNG is installed, which manages connections (to ssh, rdp, ftp, etc.) and saves the connection details, including the used credentials. The file it saves these in is “C:\users\l4mpje\AppData\Roaming\mRemoteNG\confCons.xml”, the credentials are however somewhat encrypted. There exist some ways to decrypt these but I did not bother with them, instead I loaded the file into a local mRemoteNG installation on my windows vm and was able to connect as administrator to the box (make sure you change the ip address & protocol accordingly).

This enabled us to read the root flag and finish the box.

Overall a nice box – what made it a bit frustrating is the very slow speed on release that resulted in several timeouts when dealing with SMB.

Share this post

Author

Related Posts

22Feb

Zetta @ HackTheBox

Zetta is 40-point machine on hackthebox. We will get the ipv6 address of the box via ftp, use rsync to... read more

11Jul

Book @ HackTheBox

Book is a 30-point Linux machine on HackTheBox. We log into a web application by exploiting SQL truncation and then... read more

16Oct

Dynamic DNS & Command Injection – Dynstr @ HackTheBox

We are solving Dynstr, a 30-point Linux machine on HackTheBox that involves a Dynamic DNS Service & a Command Injection. read more

15Feb

Json @ HackTheBox

Json is a 30-point system on HackTheBox that involves exploiting a .NET deserialization vulnerability and has multiple ways for privilege... read more

03Nov

Ekoparty 2022 BFS Windows Challenge

In this blog post, we will solve the Windows userland challenge that Blue Frost Security published for Ekoparty 2022. read more

09May

Obscurity @ HackTheBox

Obscurity is a 30-point Linux machine on HackTheBox that involves exploiting a command injection in a custom webserver, breaking a... read more

23May

Rope @ HackTheBox

Rope is a 50-point machine on HackTheBox that involves 3 binary exploits. There is a format string vulnerability in the... read more

06Nov

Active Directory, Reverse Engineering & Unintended Solutions – Pivotapi @ HackTheBox

We are solving Pivotapi, a 50-point Windows machine on HackTheBox. This one involves some Reverse Engineering, MSSQL, and Active Directory... read more

29Jan

ASP, Windows Containers, Responder & NoPAC – Anubis @ HackTheBox

We are solving Anubis, a 50-point windows machine on HackTheBox which involves an ASP template injection, windows containers, and stealing... read more

02Jun

P.O.O. Endgame @ HackTheBox

P.O.O. Endgame is one of HackTheBox’s endgame labs and was just retired. It involves exploiting SQL Server Links & Active... read more