
Bastion: Hack the box

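Category: Servers · Published: 3 weeks ago

Source: mp.weixin.qq.com

This article is reposted from https://mp.weixin.qq.com/s/rX8hPGbtP9dRzZ3cRHdm8w. This site reposts it in order to share more information; copyright belongs to the original author or source organization.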


Introduction

Target: 10.10.10.134 (Windows)

Kali: 10.10.16.65

In conclusion, Bastion is not a medium box. It would be easier to solve with a Windows VM, and Commando VM may be a good choice, but it can also be finished from Kali.

Information enumeration

Firstly, detect the open ports:

From the open ports, it can be inferred that the box may be a Windows machine with the SSH service open. Then try to obtain the detailed services behind these open ports:

Exploitation

There seems to be nothing special. On a normal box, the HTTP service would be the starting point. For this box, we should try the SMB service on port 445. For working with SMB from Kali, we can use smbmap, smbclient, enum4linux, etc. Let's try smbclient:


With smbclient, we can see the SMB shares of this box without any password. Try to access a share with smbclient //10.10.10.134/sharename . The three other shares cannot be accessed; only Backups can.


Access the Backups share: smbclient //10.10.10.134/Backups :


There is a note.txt in the share:

It is indeed a hint for something useful in the exploitation. It is inconvenient to access files with smbclient, as you cannot browse the files directly. So try to mount the shared folder on Kali:

Here, we can access the files directly. It may be a backup folder. After some exploration, we have found some interesting files.


VHD (virtual hard disk) files seem to be very interesting. According to the wiki, VHD is a file format which represents a virtual hard disk drive (HDD). It may contain what is found on a physical HDD, such as disk partitions and a file system, which in turn can contain files and folders. It is typically used as the hard disk of a virtual machine. So we may find more interesting contents in the VHD files. There are two VHD files: one is 37M, and the other is 5.1 G. The larger one seems more attractive to us, but it would be inconvenient to download the whole VHD file. According to the discussions in the forum, the author has said that you don't have to download the VHD file. Try to mount the VHD file on Kali:

The operation may take some time if the network is not very stable. Then the VHD file is mounted successfully. It seems to be an OS disk. There seems to be nothing special. Security Account Manager (SAM) is the database file in Windows which stores user passwords. Try to access the SAM files; samdump2 can be used to dump the hashes.


Among the dumped hashes, the hash of L4mpje seems to be useful. We can use HashKiller to crack the hash.


We cracked it! As we know the box has the SSH service open, try to log in over SSH as the user L4mpje. Of course, we are in.


Privilege escalation

After logging in as user L4mpje, we find that we have relatively limited permissions. Privilege escalation often depends on a vulnerability in some specific software, so it is worth looking at the program files on the box.


We can find an interesting folder, mRemoteNG. It is an open-source remote connection management tool. The problem is that the user information for its connections can be obtained from its config files. For this box, someone has created a tool to crack the password in this config file. The config file is stored in the AppData folder.


It seems that the password of Administrator is stored in the XML file. Someone has created mremoteng-decrypt to crack the password. It is so convenient, thanks to his awesome work.

Wow, we get the password of Administrator.
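A defensive check for the weakness described above, as an added example that is not part of the original write-up or of mRemoteNG: it lists the connections in an mRemoteNG-style XML config that carry a saved password, without decrypting anything. The attribute names (Type, Username, Hostname, Password, FullFileEncryption), the watch list and the sample XML are assumptions constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample shaped like an mRemoteNG connections file. Attribute names
# are assumptions; the Password value is a placeholder, not real ciphertext.
SAMPLE = """<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections"
    FullFileEncryption="false">
  <Node Name="DC" Type="Connection" Username="Administrator"
        Hostname="127.0.0.1" Protocol="RDP" Password="UExBQ0VIT0xERVI=" />
  <Node Name="Lab" Type="Container">
    <Node Name="web" Type="Connection" Username="svc_web"
          Hostname="192.0.2.10" Protocol="SSH2" Password="" />
  </Node>
</mrng:Connections>"""

PRIVILEGED = {"administrator", "admin", "root"}  # hypothetical watch list


def audit_connections(xml_text):
    """List connection nodes that carry a saved password (nothing is decrypted)."""
    root = ET.fromstring(xml_text)
    # Assumption: a fully encrypted file exposes no plaintext nodes to list.
    full_enc = root.get("FullFileEncryption", "false").lower() == "true"
    findings = []
    for node in root.iter("Node"):  # iter() also walks nested containers
        if node.get("Type") != "Connection" or not node.get("Password"):
            continue
        user = node.get("Username", "")
        findings.append({
            "name": node.get("Name", ""),
            "host": node.get("Hostname", ""),
            "user": user,
            "privileged": user.lower() in PRIVILEGED,
        })
    return {"full_file_encryption": full_enc, "saved_credentials": findings}


if __name__ == "__main__":
    # Audit the files given on the command line, or the constructed sample.
    texts = [open(p, encoding="utf-8-sig").read() for p in sys.argv[1:]] or [SAMPLE]
    for text in texts:
        result = audit_connections(text)
        print("full-file encryption:", result["full_file_encryption"])
        for f in result["saved_credentials"]:
            flag = " [privileged account]" if f["privileged"] else ""
            print(f"saved password: {f['name']} {f['user']}@{f['host']}{flag}")
```

Any connection it reports is a credential that a user able to read the config file could try to recover, so privileged entries are the first to remove or move to a prompt-on-connect setup.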


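You can scan the QR code or search for mad_coder to follow the WeChat official account; click "Read the original" to get the version of the article with links.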
