Bastion - [HTB]

Marmeus

Introduction

Bastion is an easy Windows machine from Hack The Box where the attacker has to mount a VHD file exposed through the SMB service. Then, the stored credentials have to be cracked in order to obtain the user flag. Finally, the credentials saved by an installed program have to be found and decrypted, obtaining a shell as Administrator.

Enumeration

As always, let's start by finding all open ports on the machine with nmap.

Then, we continue with a deeper scan of every open port, getting more information about each service.

Because there is an SMB service, let's enumerate its shares.

Looking inside the Backups share, there is a note warning us that we shouldn't download the entire share.

Searching through the different folders, there is a large 5GB file named 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd. VHD is a file format representing a virtual hard disk drive (HDD).

Because we cannot download this file, we need to mount the share as a network folder. To do so, we execute the following commands.

Exploitation

Now that we have access to the file we can mount it using guestmount.

The virtual hard drive contains the SAM and SYSTEM files, where user credentials are stored; to extract them we use the tool samdump2.

Now hashcat is able to recover L4mpje's password from the NTLM hash.

These credentials can be used to become L4mpje through SSH.

Privilege Escalation

Looking through the machine's file system, an unusual program named mRemoteNG appears. mRemoteNG is a fork of mRemote: an open source, tabbed, multi-protocol remote connections manager for Windows.

Searching for where its credentials are stored, a post on reddit says they are kept at %appdata%\mRemoteNG\confCons.xml.

Although they are encrypted we can decrypt them using mremoteng_decrypt.
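As an added, defender-oriented example that is not part of this writeup or of mRemoteNG itself: a small inventory script that parses a confCons.xml and lists which connection entries still carry a stored password, plus the file-level encryption settings, without decrypting anything. The embedded document is constructed, and its attribute names are assumed to follow the ConfVersion 2.6 layout.

```python
"""Inventory stored credentials in an mRemoteNG confCons.xml (no decryption)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample imitating the ConfVersion 2.6 layout; the attribute names are
# assumed from that layout and the Password values are made-up base64 strings.
SAMPLE_CONFCONS = """<mrng:Connections xmlns:mrng="http://mremoteng.org"
    Name="Connections" EncryptionEngine="AES" BlockCipherMode="GCM"
    KdfIterations="1000" FullFileEncryption="false" ConfVersion="2.6">
  <Node Name="Servers" Type="Container" Username="" Password="" Hostname="">
    <Node Name="DC" Type="Connection" Username="Administrator"
          Password="QUFBQUFBQUFBQUFBQUFBQQ==" Hostname="10.0.0.5" Protocol="RDP"/>
    <Node Name="Jump" Type="Connection" Username="L4mpje"
          Password="" Hostname="10.0.0.9" Protocol="SSH2"/>
  </Node>
</mrng:Connections>
"""

FILE_KEYS = ("ConfVersion", "EncryptionEngine", "BlockCipherMode",
             "KdfIterations", "FullFileEncryption")


def file_settings(xml_text):
    """Return the encryption-related attributes of the root element."""
    root = ET.fromstring(xml_text)
    return {key: root.get(key) for key in FILE_KEYS}


def stored_credentials(xml_text):
    """List every connection node that still carries a non-empty Password.

    Container nodes are skipped; nesting is handled because iter() walks the
    whole tree. Node elements carry no namespace prefix, so a plain tag matches.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for node in root.iter("Node"):
        if node.get("Type") == "Connection" and node.get("Password"):
            hits.append({"name": node.get("Name"), "host": node.get("Hostname"),
                         "user": node.get("Username"),
                         "protocol": node.get("Protocol")})
    return hits


if __name__ == "__main__":
    # Pass a real confCons.xml path (see %appdata%\mRemoteNG), or run on the sample.
    text = (open(sys.argv[1], encoding="utf-8-sig").read()
            if len(sys.argv) > 1 else SAMPLE_CONFCONS)
    print("file settings:", file_settings(text))
    for hit in stored_credentials(text):
        print(f"stored password: {hit['name']} -> {hit['user']}@{hit['host']} ({hit['protocol']})")
```

Entries reported here are the ones worth clearing or moving to a credential vault before a backup or share exposes the file, as happened on this box.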

The Administrator's password can be used to access the machine as Administrator through SSH, obtaining the root flag.

Finally, if you want to unmount the folders under mnt, execute the following commands.