The Bastion host is officially retired, so I can do a full walk-through of how I was able to own the user on the host. Bastion is the first box I have worked on since joining the platform and can be found under their “easy” category. It is a Windows machine with a couple of misconfigurations that allowed for file transfer and unauthenticated access, simulating real-world situations. For this box I used Kali Linux, as it has a wide variety of built-in tools that I could leverage. Overall, I would rate this box a 4/5. Okay, let’s get started.
As I explained previously in a write-up of the pen-testing methodology, the first step was information gathering. So I opened my terminal and first used the ping command to make sure I was getting communication back (there were a few times I could not connect to the host for some reason), and then the nmap command to see if I could gather more information about any services running on the machine.
Nmap is a free and open-source network scanner used to discover hosts and services on a network by sending packets and analyzing the responses. The tool comes with a variety of options (I used nmap -A -sV, for example) to pull back better information. I suggest finding a cheat sheet, like this one, to understand more about the tool and its options.
From the screenshot above you can see we have communication coming back from our ping command, as well as the following list of open ports and information from our nmap scan:
- Port 22 – SSH
- Port 135 – MSRPC
- Port 139 – NetBIOS
- Port 445 – SMB over IP (remember this causing a scene recently, anyone?)
Okay, we have some information; now what do I do with it? SSH is open, so I thought about trying to find a username/password to get in that way. SMB (port 445) is also open with its security mode reported as guest, so that might be worth exploring as well.
I decided to crank up the Metasploit Framework, since I knew it could help gather more information about the two open ports. Metasploit is a tool that gives you information about security vulnerabilities and aids in penetration testing and IDS signature development. You can start it by typing msfconsole at the command line in Kali Linux. It switches the command line to the Metasploit console and looks something like this:
I decided to start with SMB, and since I wasn’t sure what modules were available for SMB enumeration I ran the search smb command. As you can see there are a ton of modules available and I don’t have the patience to try them all. I dug a bit deeper to find a description that looked like something I could use and came across enumshares.
Enumshares enumerates the host you are trying to get into, similar to what nmap did for us but for disk shares. To switch into the module you type use followed by the module name, so in this instance use auxiliary/scanner/smb/smb_enumshares. I also didn’t know which settings to tweak to get this working, so the show options command under the module lists the available settings that tell the tool what to target.
After setting the host to the machine IP (10.10.10.134) and asking the module to list the files on screen, we got a list of shares on Bastion. Now that I have this list, let’s see if we can get into one of them.
The smbclient command provides an FTP-like interface on the command line for transferring files between a Windows machine and Linux. This was perfect for checking whether I could get into one of the shares. As it turns out, the Backups share printed in the screenshot above required no authentication and I was able to get in. The ls command showed me a list of files and directories inside the share:
I extracted the note to my machine and read it; it hinted that downloading the backups takes forever. That led me to think something was inside this WindowsImageBackup directory, but after a little digging (or ls‘ing) I couldn’t see much inside the backup. This had me stuck for a while until I learned you can mount Windows shares on Linux and see more:
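Before moving on, here is what I would hand to the blue team from this stage. This is an added example, not part of the original write-up or any tool it mentions: it parses the XML that nmap writes with -oX (the -A option runs the smb-security-mode script, whose output includes the account_used and message_signing lines) and turns open ports plus that script output into findings a defender should act on. The XML below is a constructed sample shaped like the Bastion scan, not a real capture.

```python
"""Triage an nmap -oX report for exposed SSH/SMB and guest-mode SMB.

Added example for this walk-through, not code from the original post.
The XML is a constructed sample in nmap's -oX layout (not a real scan).
"""
import xml.etree.ElementTree as ET

# Constructed sample: the four open ports from the text plus one closed port
# and a hostscript block in the shape nmap's smb-security-mode script emits.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.10.10.134" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
    <hostscript>
      <script id="smb-security-mode" output="&#10;  account_used: guest&#10;  authentication_level: user&#10;  challenge_response: supported&#10;  message_signing: disabled (dangerous, but default)"/>
    </hostscript>
  </host>
</nmaprun>
"""

SMB_PORTS = {139, 445}

# Defender notes for the services this box exposes, keyed by port.
NOTES = {
    22: "SSH exposed: enforce key-based auth and rate-limit failed logins",
    139: "NetBIOS session service exposed: block at the perimeter",
    445: "SMB exposed: audit share permissions and disable guest access",
}


def parse_nmap_xml(xml_text):
    """Return {host_ip: {"open": [ports], "scripts": {script_id: output}}}."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        open_ports = [
            int(p.get("portid"))
            for p in host.iter("port")
            if p.find("state").get("state") == "open"
        ]
        # Collects both host scripts and per-port scripts.
        scripts = {s.get("id"): s.get("output", "") for s in host.iter("script")}
        result[addr] = {"open": sorted(open_ports), "scripts": scripts}
    return result


def triage(parsed):
    """Produce (host, finding) pairs worth a defender's attention."""
    findings = []
    for addr, info in parsed.items():
        for port in info["open"]:
            if port in NOTES:
                findings.append((addr, f"{port}/tcp: {NOTES[port]}"))
        smb_mode = info["scripts"].get("smb-security-mode", "")
        if SMB_PORTS & set(info["open"]) and "account_used: guest" in smb_mode:
            findings.append((addr, "445/tcp: guest account accepted, shares may be readable without credentials"))
        if "message_signing: disabled" in smb_mode:
            findings.append((addr, "445/tcp: SMB signing disabled, require it via policy"))
    return findings


if __name__ == "__main__":
    for host, finding in triage(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print(f"{host}  {finding}")
```

Feed it a real report with `nmap -A -sV -oX scan.xml <host>` and `parse_nmap_xml(open("scan.xml").read())`; the guest-mode finding is the one that foreshadows the open Backups share later in this post.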
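The lesson from the Backups share is that a full system image sitting on an unauthenticated share is as good as handing out the registry hives. As an added example (not a tool from the original post), here is a small audit script an admin can point at a mounted share to list exactly the artifacts a guest reader could take. It goes a bit beyond the single .vhd in this box: it also flags other disk image formats, raw SAM/SYSTEM/SECURITY hives and ntds.dit, and note files that describe the backup. The sample tree it builds is constructed; the PC name, backup folder and image file name are placeholders.

```python
"""Audit a mounted share for backup artifacts that leak credential material.

Added example for this write-up; not tooling from the original post.
Point audit_share() at the directory where a share is mounted. The sample
tree built by build_sample_share() is constructed for the demo.
"""
import os
import tempfile

IMAGE_EXTENSIONS = {".vhd", ".vhdx", ".vmdk", ".img"}
# Registry hives and the AD database that hold password hashes.
HIVE_NAMES = {"sam", "system", "security", "ntds.dit"}

REASON_IMAGE = "disk image: mountable offline, exposes every file inside including the registry hives"
REASON_HIVE = "registry hive / AD database: contains password hashes"
REASON_NOTE = "note file: may describe what the backups contain"
REASON_BACKUP_TREE = "Windows Backup tree: holds full system images"


def classify(filename):
    """Return a finding for a file name, or None if it is uninteresting."""
    lower = filename.lower()
    ext = os.path.splitext(lower)[1]
    if ext in IMAGE_EXTENSIONS:
        return REASON_IMAGE
    if lower in HIVE_NAMES:
        return REASON_HIVE
    if "note" in lower and ext in {".txt", ".md", ""}:
        return REASON_NOTE
    return None


def audit_share(mount_point):
    """Walk the mount point; return sorted (relative path, finding) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(mount_point):
        for d in dirnames:
            if d.lower() == "windowsimagebackup":
                rel = os.path.relpath(os.path.join(dirpath, d), mount_point)
                findings.append((rel, REASON_BACKUP_TREE))
        for f in filenames:
            reason = classify(f)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, f), mount_point)
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_share(base):
    """Create a constructed tree shaped like the Backups share in the write-up."""
    files = {
        "note.txt": "constructed note: downloading the backups takes forever",
        "scratch.tmp": "",
        "WindowsImageBackup/EXAMPLE-PC/Backup 0000-00-00 000000/example-disk.vhd": "placeholder, not a real image",
        "WindowsImageBackup/EXAMPLE-PC/Backup 0000-00-00 000000/BackupSpecs.xml": "<BackupSpecs/>",
    }
    for rel, content in files.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)


def run_demo():
    """Build the sample share in a temp directory and audit it."""
    base = tempfile.mkdtemp(prefix="share-audit-")
    build_sample_share(base)
    return audit_share(base)


if __name__ == "__main__":
    for path, reason in run_demo():
        print(f"{path}: {reason}")
```

On a real host you would run `audit_share("/mnt/backups")` (or whatever path you gave mount.cifs) and treat every hit as a reason to put authentication on the share or move the images off it.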
4. Mounting a Windows Share to Linux
This Medium article walked me through the mounting process (after some hiccups with my apt-get), so I suggest checking it out for more thorough detail.
After installing the tools mentioned in the article above I was able to successfully mount the WindowsImageBackup directory found previously onto my Linux machine:
After changing directory deep into the backup (with plenty of ls‘ing along the way) I could finally see more of the directory structure and came across a .vhd file. I had no idea what this was or what it did, but the Medium article not only explained mounting shares, it explained mounting VHDs, so I followed along to see what more I could get from it. I followed the instructions in the Medium article above to guestmount it:
And after it completed, we were fully inside the system’s file system:
After doing some research I found out that user password hashes are stored in the SAM file under the System32/config directory. I navigated there to verify:
and used the pwdump tool to extract the hashes and copy them to a file on my machine (hashed.txt):
5. Cracking the hashes and getting the password file for user
I attempted to use John the Ripper, a password hash cracking tool, but I could not figure it out. So after some Googling I found a website called hashkiller.co.uk that let me manually type in hashes to crack. After typing in the one for L4mpje (which also happens to be the name of the person who created this box for us to practice on!), BINGO – got a password:
Now we can use this to log in via SSH:
The ls command does not work here but dir does, and after navigating to the desktop (as stated on the HTB website for where to find passwords), I found the user.txt file:
After figuring out a few more commands, I was able to print the contents of the file:
and voilà! You now have the hash from the file to go back and enter on the Hack The Box website. Once you do, your status for either root or user (depending on which one you extracted) will change to green:
and you have now owned your first (or maybe 30th) box =]
Let me know if you were able to follow along and get in as well! Feel free to leave a comment or tweet me @domyboo or @securityincolor.