Sometimes to perform Windows Privilege Escalation you need to simply exploit the installed software. This is a common scenario for ethical hacking challenges. This tutorial will show you how to exploit remote connection managers, such as mRemoteNG.
One of those scenarios where it is necessary to exploit mRemoteNG is the Hack The Box host, “Bastion”. Metasploit has a module for decrypting encoded-passwords from mRemoteNG, but this tutorial is how to exploit mRemoteNG without using Metasploit.
Want to learn more ethical hacking? I highly recommend buying my book made for beginners to Pentesting Become An Ethical Hacker. Check the price on Amazon.
Here’s What You Need
- Kali Linux VM
- Windows 10 VM
- mRemoteNG installed on Windows 10
What Is A Remote Connection Manager?
A remote connection manager basically manages remote connections to machines on the domain by saving the credentials being used and other settings. The vulnerability in this software is how it stores the passwords, sometimes someone finds out how to decrypt the encoded passwords. These are usually stored in configuration files in the software’s installation path.
How To Exploit mRemoteNG
The connection doesn’t even need to be made, we are already saving the credentials. Open mRemoteNG and save a credential for username: sa-robbyg with password “Robbyrules”.
To exploit this remote connection manager we need to use this public exploit that came out after the vulnerability in the software was reported.
Go to this Github repository and download the exploit, which is a decryption toolhttps://github.com/kmahyyg/mremoteng-decrypt. The usage of this script is simple:
Usage: python3 mremoteng_decrypt.py [-f FILE | -s STRING] [-p CUSTOM_PASSWORD]
What we need to grab is the base64-encoded password from the file. The file path for this is C:\Users\%USER%\AppData\Roaming\mRemoteNG\confCons.xml, next open the file and grab the encoded password.
This file is created by default by the software and it contains all the configuration items necessary for the program to run correctly.
as you can see the password can be decrypted, and now we have the password for the user sa-robbyg.
To see more about how to exploit mRemoteNG and remote connection managers to escalate privileges in a Windows environment buy a copy of the online ethical hacking course pdf, “Become An Ethical Hacker”.