Hack The Box - Bastion

Write-up for Bastion from hackthebox.eu


Starting off with nmap we use nmap -sV -sC -A shows 22, 139, 445, 135 are open.
Basically, we gonna use smbclient for further enumeration.

SMB Service Enumeration

Using smbclient -L // shows there are 4 folders on the network drive. Again, using smbclinet for that result in error for every folder excepyt Backups.

Using, smbclient // -U root we can access the files which typically contains notes.txt , nmap-test-file , SDTC56B and a folder named WindowsImageBackup.

Checking Files

The file named notes.txt has following contents:-

Sysadmins: please don’t transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

Mounting the Shared Drive’s Folder

Since we want to take a closer look in it Backups folder, the best way to do that is to mount that drive via inbuilt mount program.
Using mount -t cifs // -o user=guest,password= /tmp/mnt we can mount the drive it took sometime since the network was slow.

Mounting the .vhd files

Looking for files in Backups shows that there was a .vhd file, since as previously suggested in notes.txt we not gonna get the whole .vhd file instead of that we will mount it using guestmount package tool.
Using guestmount --add /mnt/backups/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd we ca succesfully mount the vhd file for further enumeration.
Network was kinda slow it took ~15 minutes.

SSH Password Recovery and SSH Login

There were a lot of .xml files but as we do in linux machine enumeration we head over to System32/config and using one of the known tools for dumping the password is samdump2and with samdump2 SYSTEM SAM we can dump the passwords aka NTLM hash of users password.

Since we got the NTLM hash, usinh Hashkiller we found the hash value that is buraeulampje.

26112010952d963c8dc4217daec986d9 bureaulampje

Using above password for user L4mpje we successfully logged into the machine.

User Flag and Root Password

Though, I spent quite a few time in finding user flag thrn I used dir /s *user.txt*, I saw the password is in /L4mpje/Desktop, hence we obtain the user flag.

Time to enumerate for root, I saw mRemoteNG and speaking of it, mRemoteng stores user’s password in a config file so time to get it.

So, I went to L4mpje/AppData/mRemoteng to et the config.ini we can see administartor password looks base64 encoded encrypted data.
After obtaining that ciphertext I started searching for tools for cracking that ciphertext. Lckly, I found a github repo with mremoteng-decrypt, using the python file and python3 mremoteng-decrypt -s <hash> we can get the password of Administrator i.e. thXLHM96BeKL0ER2.

After that I tried rnas /users:Administrator CMD.exe but it didn’t worked so I tried ssh again and we were logged in as Administrator in the machine. So going to Users/Administrator/Desktop we obtained our root.txt.

Author: D4mianwayne
Reprint policy: All articles in this blog are used except for special statements CC BY 4.0 reprint polocy. If reproduced, please indicate source D4mianwayne !