Mremoteng


  • mRemoteNG is a fork of mRemote: an open source, tabbed, multi-protocol, remote connections manager. mRemoteNG adds bug fixes and new features to mRemote. It allows you to view all of your remote connections in a simple yet powerful tabbed interface.
  • Launch the mRemoteNG application. From the Tools menu in mRemoteNG, select External Tools. Select New. The display name is a friendly name used to identify the connection to be made. Select the RDP file that contains the details for the connection; it must contain the alternate shell / start program details required for the connection.
  • mRemoteNG is an open source, tabbed, multi-protocol, and remote connections manager. It allows you to view all of your remote connections in a tabbed interface. mRemoteNG supports the following.

Sometimes to perform Windows Privilege Escalation you need to simply exploit the installed software. This is a common scenario for ethical hacking challenges. This tutorial will show you how to exploit remote connection managers, such as mRemoteNG.

One scenario where it is necessary to exploit mRemoteNG is the Hack The Box host “Bastion”. Metasploit has a module for decrypting encoded passwords from mRemoteNG, but this tutorial shows how to exploit mRemoteNG without using Metasploit.

Here’s What You Need

  • Kali Linux VM
  • Windows 10 VM
  • mRemoteNG installed on Windows 10

What Is A Remote Connection Manager?

A remote connection manager manages remote connections to machines on the domain by saving the credentials being used and other settings. The vulnerability in this software lies in how it stores the passwords: sometimes someone finds out how to decrypt the encoded passwords. These are usually stored in configuration files in the software’s installation path.


How To Exploit mRemoteNG

The connection doesn’t even need to be made, because the credentials are already saved. Open mRemoteNG and save a credential for username: sa-robbyg with password “Robbyrules”.

To exploit this remote connection manager we need to use this public exploit that came out after the vulnerability in the software was reported.


Go to this GitHub repository and download the exploit, which is a decryption tool: https://github.com/kmahyyg/mremoteng-decrypt. The usage of this script is simple:


Usage: python3 mremoteng_decrypt.py [-f FILE | -s STRING] [-p CUSTOM_PASSWORD]

What we need to grab is the base64-encoded password from the file. The file path for this is C:\Users\%USER%\AppData\Roaming\mRemoteNG\confCons.xml. Open the file and grab the encoded password.

This file is created by default by the software and it contains all the configuration items necessary for the program to run correctly.


As you can see, the password can be decrypted, and now we have the password for the user sa-robbyg.
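For the defensive side of the same file, here is an added example (not from the original tutorial or the mRemoteNG project): a Python audit that lists which saved connections in a confCons.xml carry a stored password, without decrypting or printing the value. The element and attribute names (Node, Username, Password, Hostname, Protocol, FullFileEncryption), the namespace URL and the sample XML are assumptions about the file layout, and the sample values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element and attribute names are assumptions about the
# confCons.xml layout; the Password value is a placeholder, not ciphertext.
SAMPLE_CONFCONS = """<mrng:Connections xmlns:mrng="http://mremoteng.org"
    Name="Connections" FullFileEncryption="false">
  <Node Name="Servers" Type="Container">
    <Node Name="db01" Type="Connection" Hostname="10.0.0.5" Protocol="RDP"
          Username="sa-robbyg" Password="UExBQ0VIT0xERVI=" />
    <Node Name="web01" Type="Connection" Hostname="10.0.0.6" Protocol="SSH2"
          Username="deploy" Password="" />
  </Node>
</mrng:Connections>"""


def audit_confcons(xml_text):
    """Return saved connections that carry a stored password (never the value)."""
    root = ET.fromstring(xml_text)
    stored = []

    def walk(elem, path):
        # Containers nest, so recurse and keep the folder path for the report.
        for node in elem.findall("Node"):
            here = path + [node.get("Name", "?")]
            if node.get("Password"):  # non-empty attribute = saved credential
                stored.append({
                    "path": "/".join(here),
                    "hostname": node.get("Hostname", ""),
                    "protocol": node.get("Protocol", ""),
                    "username": node.get("Username", ""),
                })
            walk(node, here)

    walk(root, [])
    # With full-file encryption on, the node tree is not readable as XML,
    # so an empty list does not mean the file holds no credentials.
    full = root.get("FullFileEncryption", "false").lower() == "true"
    return {"full_file_encryption": full, "stored": stored}


if __name__ == "__main__":
    report = audit_confcons(SAMPLE_CONFCONS)
    print("full file encryption:", report["full_file_encryption"])
    for item in report["stored"]:
        print("stored password: {path} ({username}@{hostname}, {protocol})".format(**item))
```

Each entry in the report is a credential to rotate or remove from the connection file, since anyone who can read the file can attempt the decryption described above.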


To see more about how to exploit mRemoteNG and remote connection managers to escalate privileges in a Windows environment buy a copy of the online ethical hacking course pdf, “Become An Ethical Hacker”.