Bastion Writeup

Starting off with an nmap scan, we find a number of open ports, including SSH, SMB, an HTTP server on 5985 and 47001 (the Windows Remote Management ports, 47001 being the listener), MSRPC on 49664, 49665, 49666, 49668, 49669 and 49670, and an open 49667 that nmap could not identify, although given its proximity to the surrounding RPC ports I suspect it is related.

Whenever we see SMB open it’s a good idea to check whether it allows null sessions. This is basically attempting to log in without specifying a user, and smbclient gives us an easy way to do it: the -N switch suppresses the password prompt, and combined with the -L switch it tries to list the available shares:
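The check above, scripted as an added example (this is not code from the original writeup): it runs the same `smbclient -N -L //<host>` command against each host you give it, parses the share table smbclient prints, and flags hosts that hand back a share list without credentials, along with any share that is not part of a default Windows install. `SAMPLE_OUTPUT` is constructed to look like smbclient's table; it was not captured from the box.

```python
"""Audit hosts for anonymous (null-session) share listing over SMB.

Added example; it is not code from the original writeup. It automates the
manual check above: run `smbclient -N -L //<host>` (no user, no password
prompt) and parse the share table smbclient prints. A host that hands back a
share list without credentials allows null sessions. SAMPLE_OUTPUT below is
constructed to look like smbclient's table; it is not captured from the box.
"""
import subprocess
import sys
from typing import List, Optional, Tuple

# Shares Windows creates by default. Anything else listed anonymously
# (like the "Backups" share in the writeup) deserves a closer look.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "PRINT$", "NETLOGON", "SYSVOL"}

Share = Tuple[str, str, str]  # (name, type, comment)


def parse_share_list(output: str) -> List[Share]:
    """Extract (name, type, comment) rows from `smbclient -L` text.

    smbclient prints an indented table headed "Sharename  Type  Comment",
    then a row of dashes, then one indented row per share. The table ends
    at the first blank or unindented line (e.g. "Reconnecting with SMB1...").
    If the anonymous login was refused there is no table, so we return [].
    """
    shares: List[Share] = []
    in_table = False
    for line in output.splitlines():
        stripped = line.strip()
        if not in_table:
            in_table = stripped.startswith("Sharename")
            continue
        if not stripped or not line[0].isspace():
            break
        if stripped.startswith("---"):
            continue
        parts = stripped.split(None, 2)
        name = parts[0]
        kind = parts[1] if len(parts) > 1 else ""
        comment = parts[2] if len(parts) > 2 else ""
        shares.append((name, kind, comment))
    return shares


def nonstandard_shares(shares: List[Share]) -> List[Share]:
    """Shares that are not part of a default Windows install."""
    return [s for s in shares if s[0].upper() not in DEFAULT_SHARES]


def check_null_session(host: str, timeout: int = 20) -> Optional[List[Share]]:
    """Run smbclient against one host. Returns the anonymously visible shares,
    or None when the host refused the null session, did not answer, or
    smbclient is not installed."""
    try:
        proc = subprocess.run(
            ["smbclient", "-N", "-L", "//%s" % host],
            capture_output=True, text=True, timeout=timeout,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    shares = parse_share_list(proc.stdout)
    return shares or None


# Constructed sample, shaped like smbclient's output for a host that allows
# null sessions. The share names mirror the writeup; the comments are made up.
SAMPLE_OUTPUT = (
    "\n"
    "\tSharename       Type      Comment\n"
    "\t---------       ----      -------\n"
    "\tADMIN$          Disk      Remote Admin\n"
    "\tBackups         Disk      \n"
    "\tC$              Disk      Default share\n"
    "\tIPC$            IPC       Remote IPC\n"
    "Reconnecting with SMB1 for workgroup listing.\n"
)


if __name__ == "__main__":
    hosts = sys.argv[1:]
    if not hosts:
        # No hosts given: show the parser on the constructed sample.
        for name, kind, comment in parse_share_list(SAMPLE_OUTPUT):
            print("%-16s %-6s %s" % (name, kind, comment))
        sys.exit(0)
    for host in hosts:
        shares = check_null_session(host)
        if shares is None:
            print("%s: null session refused or no answer" % host)
            continue
        extra = ", ".join(s[0] for s in nonstandard_shares(shares)) or "none"
        print("%s: NULL SESSION ALLOWED, %d shares visible, non-default: %s"
              % (host, len(shares), extra))
```

Run it with no arguments to see the parser work on the constructed sample, or with host names to audit your own machines. The parser stops at the first unindented line because smbclient follows the share table with workgroup output that uses the same layout and would otherwise be mistaken for shares.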

It appears to be open to null sessions, as we got a list of the available shares on the server. Of particular interest to me is the Backups share, since we can usually find some sensitive information in backup files. A quick glance at the contents of that share with smbclient reveals that there are a lot of files on it, so instead of trying to copy them all down it will be a lot easier to mount the share so I can browse the files as if they were local.

With the drive mounted, we can leverage our native commands to search through the files, and the first thing I want to do is list all the actual files regardless of which directory they are in. I can do this with the find command’s -type switch:

From this output, we can see the name of the computer these backup files belong to, which is L4mpje-PC. This might be useful later, so I make a note of it and keep looking through the files. There is a lot of information in the various XML files, however after some digging and grepping nothing jumps out as immediately useful, so I decided to table those for now and circle back if I got stuck later. There are two very interesting files with .vhd extensions. This extension is typically associated with the virtual disks of a VM, which we might be able to access. I tried to download them with the idea that I could load them into VirtualBox, but the download was taking way too long. Next I tried to load them into VirtualBox directly from the share, but this also didn’t work, for reasons that I did not end up figuring out. What DID work was creating two directories, one for each, and then using the guestmount utility to mount them directly to the filesystem:
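Once the share and the VHDs are mounted, the search the writeup does by hand with `find -type f` can be scripted. The following is an added example, not code from the original writeup: it walks each mount point, lists every regular file, flags the credential stores (SAM, SYSTEM, SECURITY, ntds.dit) and nested disk images a defender would not want sitting in a reachable backup, and guesses whether a mount is a boot partition or a full Windows partition. The directory layout it builds when run without arguments is constructed for the demo; only the computer name L4mpje-PC comes from the writeup.

```python
"""Inventory mounted backups for files that should not be reachable.

Added example; not code from the original writeup. It scripts what the
writeup does by hand with `find -type f` on the mounted share and on the
mounted VHDs: walk each mount point, list every regular file, flag the
credential stores (SAM, SYSTEM, SECURITY, ntds.dit) and nested disk images,
and guess whether a mount is a boot partition or a full Windows partition.
Run it with mount points as arguments; with none, it builds a small
constructed directory tree in a temp dir and reports on that.
"""
import os
import sys
import tempfile
from typing import Dict, List

# Registry hives / databases that hold password hashes (case-insensitive).
CREDENTIAL_STORES = {"sam", "system", "security", "ntds.dit"}
# Disk images a backup may contain; each is a further filesystem to inspect.
DISK_IMAGE_EXTS = {".vhd", ".vhdx", ".vmdk", ".qcow2"}


def walk_files(root: str) -> List[str]:
    """Every regular file under root, like `find root -type f` (symlinks skipped)."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                found.append(path)
    return sorted(found)


def classify(path: str) -> str:
    """'credential-store', 'disk-image' or 'other' for one file path."""
    name = os.path.basename(path).lower()
    if name in CREDENTIAL_STORES:
        return "credential-store"
    if os.path.splitext(name)[1] in DISK_IMAGE_EXTS:
        return "disk-image"
    return "other"


def partition_role(root: str) -> str:
    """Heuristic: a Windows system partition carries Windows\\System32\\config,
    a boot partition carries Boot\\BCD or bootmgr. Directory names are matched
    case-insensitively, since NTFS mounts may preserve either case."""
    def exists_ci(*parts: str) -> bool:
        cur = root
        for part in parts:
            try:
                entries = os.listdir(cur)
            except OSError:
                return False
            match = [e for e in entries if e.lower() == part.lower()]
            if not match:
                return False
            cur = os.path.join(cur, match[0])
        return True

    if exists_ci("Windows", "System32", "config"):
        return "windows-system"
    if exists_ci("Boot", "BCD") or exists_ci("bootmgr"):
        return "boot"
    return "unknown"


def inventory(root: str) -> Dict[str, List[str]]:
    """Group all files under root by classification (paths relative to root)."""
    groups: Dict[str, List[str]] = {"credential-store": [], "disk-image": [], "other": []}
    for path in walk_files(root):
        groups[classify(path)].append(os.path.relpath(path, root))
    return groups


def build_constructed_tree(base: str) -> Dict[str, str]:
    """Constructed layout: a share mount, a boot image and a system image."""
    layout = {
        "share": ["WindowsImageBackup/L4mpje-PC/Catalog/BackupGlobalCatalog",
                  "WindowsImageBackup/L4mpje-PC/disk1.vhd",
                  "WindowsImageBackup/L4mpje-PC/disk2.vhd"],
        "boot": ["Boot/BCD", "bootmgr"],
        "system": ["Windows/System32/config/SAM", "Windows/System32/config/SYSTEM",
                   "Windows/System32/config/SOFTWARE", "Users/L4mpje/Desktop/notes.txt"],
    }
    roots = {}
    for mount, files in layout.items():
        root = os.path.join(base, mount)
        for rel in files:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"constructed placeholder\n")
        roots[mount] = root
    return roots


def demo_inventory() -> Dict[str, Dict]:
    """Build the constructed tree in a temp dir, inventory each mount, clean up."""
    with tempfile.TemporaryDirectory() as base:
        roots = build_constructed_tree(base)
        return {m: {"role": partition_role(r), "files": inventory(r)} for m, r in roots.items()}


if __name__ == "__main__":
    mounts = sys.argv[1:]
    results = ({m: {"role": partition_role(m), "files": inventory(m)} for m in mounts}
               if mounts else demo_inventory())
    for mount, info in results.items():
        print("%s (%s): %d files" % (mount, info["role"], sum(map(len, info["files"].values()))))
        for label in ("credential-store", "disk-image"):
            for rel in info["files"][label]:
                print("  [%s] %s" % (label, rel))
```

Pointing it at the two guestmount directories and the share mount gives you, in one pass, which mount is the system partition, where the SAM and SYSTEM hives are, and whether the backup nests any further disk images that would need mounting in turn.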

Searching through the files on the newly mounted filesystems with the find command, I see that one appears to be a backup of the boot partition and the other is the main partition of the target operating system. Since I know this is a Windows system, the obvious targets to start with, to me, are the SAM file and the SYSTEM hive, to see if I can recover logins that might let us interact successfully with the SSH port that I know is listening. I go ahead and copy both of these files into my working directory and process them with samdump2 to get a single file that can be consumed by John the Ripper:

Well, John didn’t do us much good, as what it reports is a null hash. That makes sense for the two disabled accounts, but not for the actual user, since that account does have an NT hash. Next I plugged the NT hash portion into an online hash checker to see if anyone else had already cracked this hash and made things easy for me.
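To make the "null hash" observation concrete, here is an added example (not code from the original writeup) that parses the pwdump-style lines samdump2 produces and classifies each account. A null hash is simply the hash of the empty password, so John has nothing to recover for such entries; that is the expected state for the disabled built-in accounts, and a finding in its own right for any enabled account. The NT hash is MD4 over the UTF-16LE password, and MD4 is implemented inline because hashlib often lacks it on current OpenSSL builds. `SAMPLE_DUMP` is constructed: the L4mpje line carries the hash of a made-up password, not the box's real value.

```python
"""Classify the account hashes samdump2 prints (pwdump format).

Added example; not code from the original writeup. samdump2 emits one line
per SAM account, `user:RID:LM-hash:NT-hash:::`. A "null" hash is the hash of
the empty password, which is why John had nothing to report for the two
disabled built-in accounts: there is no password behind those entries. The
NT hash is MD4 over the UTF-16LE password; MD4 is implemented below because
hashlib often lacks it on current OpenSSL builds. SAMPLE_DUMP is constructed;
the L4mpje line carries the hash of a made-up password, not the box's value.
"""
import struct
from typing import List, NamedTuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
_M = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (three rounds of 16 operations per block)."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & _M

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                       # round 1
            a = rotl((a + f(b, c, d) + x[i]) & _M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 3
            k = int(format(i, "04b")[::-1], 2)
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _M, (b + bb) & _M, (c + cc) & _M, (d + dd) & _M
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password, as hex."""
    return md4(password.encode("utf-16le")).hex()


class Account(NamedTuple):
    user: str
    rid: int
    lm: str
    nt: str


def parse_pwdump(text: str) -> List[Account]:
    """Parse samdump2 / pwdump lines; blank lines and # comments are ignored."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError("not a pwdump line: %r" % line)
        accounts.append(Account(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return accounts


def classify(acct: Account) -> str:
    """What the stored hashes say about the account:
    'blank'     - NT hash is the empty-password hash: nothing to crack
                  (expected for disabled built-ins, a finding otherwise);
    'lm-stored' - a real LM hash is kept, a legacy weakness on its own;
    'nt-only'   - only a real NT hash, the normal case on modern Windows."""
    if acct.nt == EMPTY_NT:
        return "blank"
    if acct.lm != EMPTY_LM:
        return "lm-stored"
    return "nt-only"


def matches(acct: Account, candidate: str) -> bool:
    """True if candidate is the account's password (one wordlist test, as John does)."""
    return nt_hash(candidate) == acct.nt


# Constructed sample. RIDs 500/501 are the built-in Administrator and Guest;
# the L4mpje hash is for the made-up password "example-only".
SAMPLE_DUMP = "\n".join([
    "Administrator:500:%s:%s:::" % (EMPTY_LM, EMPTY_NT),
    "Guest:501:%s:%s:::" % (EMPTY_LM, EMPTY_NT),
    "L4mpje:1000:%s:%s:::" % (EMPTY_LM, nt_hash("example-only")),
])


if __name__ == "__main__":
    for acct in parse_pwdump(SAMPLE_DUMP):
        print("%-14s rid=%-5d %s" % (acct.user, acct.rid, classify(acct)))
```

Feeding it the real samdump2 output instead of the sample shows at a glance which entries are empty-password placeholders and which single NT hash is the one worth the wordlist or lookup effort; from the defensive side, any enabled account that classifies as `blank` or `lm-stored` is a misconfiguration to fix.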

Sure enough, this gave me the password and allowed me to log in via SSH and grab the user flag. As an aside, since I do HTB to learn and not just for the points, I felt inclined to contact the box creator on chat to ask whether this was the intended method of discovering the password or whether I had just got lucky, and he/she confirmed it was the intended method.

Once I had user-level access I began looking around at what’s installed and what’s running. At this point I’m searching for non-standard applications that may be out of date or have known vulnerabilities, and I found such an application in Program Files (x86): mRemoteNG. Searching for known exploits for this application led me to http://hackersvanguard.com/mremoteng-insecure-password-storage/, which shows that it is possible to retrieve the admin password from the config file despite it being encrypted. The article describes multiple ways of doing this, but the route I took was to install the application locally on my Windows partition and follow the directions outlined in the link to get it to output the decrypted password, which allowed me to retrieve the root flag and complete the challenge.

Securing the System

  • Do not allow null sessions via SMB
  • An SMB share might not be the best option to store system backups to begin with, but with proper controls in place may be considered acceptable.
  • Keep your applications updated with the latest security patches.
