Mremoteng

Sometimes to perform Windows Privilege Escalation you need to simply exploit the installed software. This is a common scenario for ethical hacking challenges. This tutorial will show you how to exploit remote connection managers, such as mRemoteNG.

One scenario where exploiting mRemoteNG is necessary is the Hack The Box machine "Bastion". Metasploit has a module for decrypting mRemoteNG's encoded passwords, but this tutorial shows how to exploit mRemoteNG without using Metasploit.

Here's What You Need

  • Kali Linux VM
  • Windows 10 VM
  • mRemoteNG installed on Windows 10

mRemoteNG is a free remote connection manager with a multi-protocol design. It shows all the remote connections on your system in a simple tabbed layout and lets you jump easily between tabs. You can test a saved credential by right-clicking the connection and choosing 'External Tools', then 'View Password'.

What Is A Remote Connection Manager?

A remote connection manager manages remote connections to machines on the domain by saving the credentials and other settings used for each one. The weakness in this kind of software is how it stores those passwords: they are usually kept in configuration files under the software's installation path, and from time to time someone works out how to decrypt the encoded passwords.

How To Exploit mRemoteNG

The connection does not even need to succeed; the credentials are saved as soon as the entry is created. Open mRemoteNG and save a connection with username sa-robbyg and password "Robbyrules".

To exploit this remote connection manager we use the public decryption tool that was released after the vulnerability in the software was reported.

Download the tool from this GitHub repository: https://github.com/kmahyyg/mremoteng-decrypt. The usage of the script is simple:

Usage: python3 mremoteng_decrypt.py [-f FILE | -s STRING] [-p CUSTOM_PASSWORD]

What we need to grab is the base64-encoded password from the configuration file. Its path is C:\Users\%USER%\AppData\Roaming\mRemoteNG\confCons.xml; open the file and copy the encoded password.

This file is created by default by the software and it contains all the configuration items necessary for the program to run correctly.

As you can see, the password decrypts, and we now have the password for the user sa-robbyg.
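As an added example (not code from this post or from the decrypt tool it links), here is a Python audit of a confCons.xml file that reports which connection entries are protected only by mRemoteNG's default master password, which is exactly the condition the walkthrough above relies on. It assumes the mRemoteNG 1.75+ format (PBKDF2-HMAC-SHA1 key from the master password and a per-entry salt, AES-256-GCM, iteration count from the root element's KdfIterations attribute), the sample XML is constructed rather than a real export, and the cryptography package is required.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET
from typing import List, Optional
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# mRemoteNG (1.75+) Password attribute, once base64-decoded:
#   salt[16] | nonce[16] | AES-256-GCM ciphertext | tag[16]
# key = PBKDF2-HMAC-SHA1(master password, salt, KdfIterations, 32 bytes)
DEFAULT_MASTER = "mR3m"  # used by mRemoteNG when no custom password is set

def derive_key(master: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", master.encode(), salt, iterations, 32)

def decrypt_field(blob_b64: str, master: str, iterations: int) -> Optional[str]:
    """Plaintext, or None when the master password does not verify (GCM tag
    mismatch) or the blob is malformed."""
    try:
        raw = base64.b64decode(blob_b64)
        salt, nonce, body = raw[:16], raw[16:32], raw[32:]
        key = derive_key(master, salt, iterations)
        return AESGCM(key).decrypt(nonce, body, None).decode()
    except (InvalidTag, ValueError):
        return None

def encrypt_field(plaintext: str, master: str, iterations: int) -> str:
    """Same layout in the other direction; used only to build sample data."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master, salt, iterations)
    ct = AESGCM(key).encrypt(nonce, plaintext.encode(), None)
    return base64.b64encode(salt + nonce + ct).decode()

def audit_confcons(xml_text: str, master: str = DEFAULT_MASTER) -> List[str]:
    """Names of <Node> entries whose Password opens with `master` (with the
    default, anyone who can read the file recovers the secret). Names only."""
    root = ET.fromstring(xml_text)
    iterations = int(root.get("KdfIterations", "1000"))
    return [n.get("Name", "?") for n in root.iter("Node")
            if decrypt_field(n.get("Password", ""), master, iterations) is not None]

def build_sample() -> str:
    """Constructed confCons.xml fragment (not a real export): one entry saved
    under the default master password, one under a custom one."""
    weak = encrypt_field("Robbyrules", DEFAULT_MASTER, 1000)
    strong = encrypt_field("Robbyrules", "custom-master-passphrase", 1000)
    return ('<mrng:Connections xmlns:mrng="http://mremoteng.org" EncryptionEngine="AES" '
            'BlockCipherMode="GCM" KdfIterations="1000">'
            f'<Node Name="bastion-default" Type="Connection" Username="sa-robbyg" Password="{weak}"/>'
            f'<Node Name="bastion-custom" Type="Connection" Username="sa-robbyg" Password="{strong}"/>'
            '</mrng:Connections>')
```

Any entry the audit lists is readable by whoever can read the user's AppData, so the fix is to set a custom master password (Tools, Options, Security) or keep the file out of reach.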

To see more about how to exploit mRemoteNG and remote connection managers to escalate privileges in a Windows environment buy a copy of the online ethical hacking course pdf, “Become An Ethical Hacker”.

The list below of various examples is by no means a full list of ways to use External Tools, but it gives you an idea of how they can be used in different ways.

Ping

Ping a server via cmdline.

  • Filename: %COMSPEC%
  • Arguments: /c ping -t %HostName%
  • Can integrate: Unknown

Traceroute

Run a traceroute via cmdline.

  • Filename: %COMSPEC%
  • Arguments: /c set /P = | tracert %HostName%
  • Can integrate: Unknown

WinSCP

WinSCP is a free GUI Secure Copy program.

  • Filename: C:\Program Files\WinSCP\WinSCP.exe (example path)
  • Arguments: scp://%Username%:%Password%@%Hostname%/
  • Optional Arguments - turn on compression and ignore any host key errors: -rawsetting Compression=1 -hostkey=*
  • Can integrate: No

FileZilla

Free and open source FTP client for most platforms.

  • Filename: C:\Program Files\FileZilla FTP Client\filezilla.exe (example path)
  • Arguments (FTP): ftp://%Username%:%Password%@%Hostname%
  • Arguments (SFTP): sftp://%Username%:%Password%@%Hostname%
  • Can integrate: Unknown

Mozilla Firefox

Don't like the built-in browser support? Integrate with the Mozilla Firefox browser directly!

  • Filename: C:\Program Files\Mozilla Firefox\firefox.exe (example path)
  • Arguments: %Hostname%
  • Can integrate: Unknown

Google Chrome

Google Chrome is a freeware web browser developed by Google.

  • Filename: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (example path)
  • Arguments: %Hostname%
  • Can integrate: Unknown

Internet Explorer

Standard browser included with the Windows installation.

  • Filename: C:\Program Files\Internet Explorer\iexplore.exe
  • Arguments: %Hostname%
  • Can integrate: Unknown

MySQL Workbench

MySQL Workbench provides data modeling, SQL development, and comprehensive administration tools for server configuration, user administration, backup, and much more. You will be prompted for a password when starting the connection.

  • Filename: C:\Program Files\MySQL\MySQL Workbench 6.3 CE\MySQLWorkbench.exe (example path)
  • Arguments: -query %USERNAME%@%HOSTNAME%
  • Can integrate: Unknown

RealVNC Viewer

  • Filename: C:\Program Files\RealVNC\VNC Viewer\vncviewer.exe (example path)
  • Arguments: %HostName%
  • Can integrate: Unknown

Windows Computer Manager

  • Filename: %WINDIR%\system32\compmgmt.msc
  • Arguments: /Computer=%HostName%
  • Can integrate: Unknown

Zenmap

Zenmap is a GUI front-end for nmap.

  • Filename: C:\Program Files\Nmap\zenmap.exe (example path)
  • Arguments: -p "Quick scan plus" -t %Hostname%
  • Can integrate: Unknown

UltraVNC

UltraVNC is a free and open source program for connecting to remote machines using the VNC protocol.

  • Filename: C:\Program Files\UltraVNC\vncviewer.exe (example path)
  • Arguments: %HostName%:%port% -password %PASSWORD%
  • Can integrate: Unknown

COM Serial Port

This will allow you to connect to a specific COM serial port using PuTTY.

  • Filename: putty.exe (example path)
  • Arguments: -serial com%Port%
  • Can integrate: Yes

Create a new connection entry with the following information:

  • Name: Serial COMX (replace X with the port number)
  • Protocol: Ext. App
  • External Tool: COM Serial Port
  • Port: your desired COM port # here

Windows PowerShell

Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration.

Running with the suggested arguments will open a PS session connected to the host. No prompt for credentials will pop up.

  • Filename: %WINDIR%\system32\WindowsPowerShell\v1.0\PowerShell.exe
  • Arguments: -noexit $pw = "%password%" -replace '^', ''; $password = ConvertTo-SecureString $pw -AsPlainText -Force; $Cred= New-Object System.Management.Automation.PSCredential ("%username%", $password); Enter-PSSession -ComputerName %hostname% -credential $Cred
  • Can integrate: No

Windows PowerShell ISE

Windows PowerShell Integrated Scripting Environment (ISE) is a graphical host application that enables you to read, write, run, debug, and test scripts and modules in a graphic-assisted environment.

  • Filename: %WINDIR%\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe
  • Arguments: args here
  • Can integrate: Yes
