Write-up for Bastion from hackthebox.eu
Starting off with nmap, we run
nmap -sV -sC -A 10.10.10.134, which shows
135 are open.
Next, we are going to use smbclient for further enumeration.
smbclient -L //10.10.10.134 shows there are 4 shares on the host. Connecting to each of them with smbclient results in an access error for every share except Backups.
With smbclient //10.10.10.134/Backups -U root we can access the files on the share, which contains
SDTC56B and a folder named
The file named notes.txt has the following contents:
Sysadmins: please don’t transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
Since we want to take a closer look at the Backups folder, the best way to do that is to mount the share with the built-in mount command. With
mount -t cifs //10.10.10.134/Backups -o user=guest,password= /tmp/mnt we can mount the share; it took some time since the network was slow.
Looking through the files in Backups shows that there is a .vhd file. As suggested in
notes.txt, we are not going to copy the whole .vhd file; instead we mount it using the
guestmount tool. With
guestmount --add /mnt/backups/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd we can successfully mount the vhd file for further enumeration.
The network was quite slow; it took ~15 minutes.
There were a lot of .xml files, but as in Linux machine enumeration we head over to
System32/config and use one of the well-known tools for dumping credentials: with
samdump2 SYSTEM SAM we can dump the users' NTLM password hashes from the SAM and SYSTEM hives.
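As an added example (not part of the original write-up), a small Python triage of samdump2's pwdump-style output, the kind of check a defender auditing a leaked backup would run over the dumped hashes; the sample lines and the non-empty hash values below are constructed, not the ones from this box.

```python
import re
from collections import defaultdict

# Well-known hashes of the empty password; public constants, safe to hard-code.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# samdump2 prints one pwdump-style line per local account:  user:RID:LM-hash:NT-hash:::
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

def parse_pwdump(text):
    """Parse samdump2 output into (user, rid, lm, nt) tuples with lower-cased hashes.
    Lines that do not match the pwdump format (banners, blank lines) are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            rows.append((user, int(rid), lm.lower(), nt.lower()))
    return rows

def triage(text):
    """Flag what a defender checks first in a dumped SAM: accounts with an empty or unset
    NT hash, accounts still carrying a real LM hash, and accounts sharing one NT hash."""
    report = {"empty_password": [], "lm_hash_present": [], "shared_nt_hash": {}}
    by_nt = defaultdict(list)
    for user, _rid, lm, nt in parse_pwdump(text):
        if nt == EMPTY_NT:
            report["empty_password"].append(user)
        else:
            by_nt[nt].append(user)
        if lm != EMPTY_LM:  # a non-empty LM hash means legacy LM hashing is still enabled
            report["lm_hash_present"].append(user)
    report["shared_nt_hash"] = {h: users for h, users in by_nt.items() if len(users) > 1}
    return report

# Constructed sample in samdump2's format; the non-empty hashes are made-up placeholders.
SAMPLE = """\
samdump2 (constructed banner line, ignored by the parser)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1001:0123456789abcdef0123456789abcdef:0123456789ABCDEF0123456789ABCDEF:::
"""

if __name__ == "__main__":
    for finding, value in triage(SAMPLE).items():
        print(f"{finding}: {value}")
```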
Since we now have the NTLM hash, using Hashkiller we found the password for that hash, which is
Using the above password for user L4mpje we successfully logged into the machine.
I spent quite some time finding the user flag; then, using
dir /s *user.txt*, I saw the flag is in
/L4mpje/Desktop, and so we obtain the user flag.
Time to enumerate for root. I saw mRemoteNG installed, and mRemoteNG stores users' passwords in a config file, so it is time to get it.
So, I went to
L4mpje/AppData/mRemoteNG to get the
config.ini, where we can see the Administrator password stored as what looks like base64-encoded encrypted data.
After obtaining that ciphertext I started searching for tools to decrypt it. Luckily, I found a GitHub repo with mremoteng-decrypt; using its Python script with
python3 mremoteng-decrypt -s <hash> we can get the password of Administrator, i.e.
After that I tried
runas /users:Administrator CMD.exe but it didn't work, so I tried ssh again and we were logged in as Administrator on the machine. So, going to
Users/Administrator/Desktop we obtained our