# Hack The Box - Bastion (Commando)

## Quick Summary

Hey guys, this is my second post for Bastion. In the first post I solved it with Kali; in this one I will solve it with CommandoVM. Bastion’s IP is 10.10.10.134, and I added it to C:\Windows\System32\drivers\etc\hosts as bastion.htb. Let’s jump right in !

## Nmap

We will start with nmap to scan for open ports and services :

Only SSH and SMB, so let’s check SMB.

## SMB

Let’s list the available shares :

We can access one share, Backups. Let’s mount it :

There’s an interesting text file called note.txt :

In WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\ I found two vhd images :

Those are the backup images. As you can see, 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd is very large, and as the note said, downloading it will take a very long time, so a better solution is to mount it :

## Dumping Credentials

The Users directory had nothing interesting so I started searching in the system files. I could copy SYSTEM and SAM from Windows\System32\config :

Then by using secretsdump I could dump the password hashes :

I cracked l4mpje’s hash with Crackstation :

Then I could ssh to the box :

We owned user.

## Privilege Escalation

By checking the application data for l4mpje I saw that mRemoteNG was installed :

> mRemoteNG is a fork of mRemote: an open source, tabbed, multi-protocol, remote connections manager. mRemoteNG adds bug fixes and new features to mRemote.
>
> It allows you to view all of your remote connections in a simple yet powerful tabbed interface.
>
> -mremoteng.org

mRemoteNG stores connection info and credentials in a file called confCons.xml :

I downloaded it with scp :

confCons.xml :

First connection is an RDP connection as Administrator :

The problem is, as I said in the previous post, that this password is encrypted: the base64-encoded string is only the encrypted password, so if you try to decode it you’ll get nothing readable. We can use the same script I used in the previous post, or, since we are on Windows, we can install mRemoteNG and replace the default confCons.xml file with the one we have, edit the connection’s protocol to make it use SSH instead of RDP, and then connect to the box.
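From the defender's side of the point above, here is an added example (not from the original post or the mRemoteNG project) that inventories which entries in a confCons.xml carry a saved password, without decrypting anything. The sample file and its values are constructed, and the attribute names (Type, Username, Password, Protocol, FullFileEncryption) are assumed from the usual confCons.xml layout.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed stand-in for an encrypted password: 32 arbitrary bytes, base64-encoded.
FAKE_BLOB = base64.b64encode(bytes(range(200, 232))).decode()

# Constructed sample; attribute names are assumed from the confCons.xml layout.
SAMPLE = f"""<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections"
    FullFileEncryption="false">
  <Node Name="Servers" Type="Container">
    <Node Name="DC" Type="Connection" Username="Administrator"
          Password="{FAKE_BLOB}" Hostname="192.0.2.10" Protocol="RDP" />
  </Node>
  <Node Name="Lab" Type="Connection" Username="guest" Password=""
        Hostname="192.0.2.20" Protocol="SSH2" />
</mrng:Connections>"""


def audit(xml_text):
    """Report connection entries that carry a saved (encrypted) password."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("Node"):
        secret = node.get("Password", "")
        if node.get("Type") != "Connection" or not secret:
            continue  # folders and entries without a saved password
        try:
            blob_bytes = len(base64.b64decode(secret, validate=True))
        except ValueError:
            blob_bytes = None  # not base64: flag it, but do not guess at the format
        findings.append({
            "name": node.get("Name"),
            "username": node.get("Username"),
            "protocol": node.get("Protocol"),
            "blob_bytes": blob_bytes,
        })
    whole_file = (root.get("FullFileEncryption") or "").lower() == "true"
    return {"full_file_encryption": whole_file, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE)
    print("full-file encryption:", report["full_file_encryption"])
    for f in report["findings"]:
        print(f"{f['name']}: {f['username']} via {f['protocol']}, "
              f"{f['blob_bytes']} encrypted bytes on disk")
```

Every entry this reports is a saved credential that travels with the file, so who can read confCons.xml, and which backups contain it, matters as much as the encryption.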

I closed mRemoteNG then I replaced confCons.xml with the one I got from the box :

Now if we open mRemoteNG again we should see the new connections :

I edited the host and the protocol of DC :

Then I connected to the box :

And we owned root !
That’s it, feedback is appreciated !