# Hack The Box - Bastion

## Quick Summary

Hey guys, today Bastion retired and here's my write-up about it. It was a nice easy box. Unlike most of the other boxes, this one had no web service running, and unlike most of the Windows boxes it had ssh. I wrote two write-ups for this box: this one solves it with Linux (Kali), the second one solves it with Windows (CommandoVM). It's a Windows box and its ip is 10.10.10.134; I added it to /etc/hosts as bastion.htb. Let's jump right in!

## Nmap

As always we will start with nmap to scan for open ports and services :

We have smb and ssh, let’s check smb.

## SMB

I used smbclient to list the shares :

Apparently the only share we can access is Backups. Inside it there was a file called note.txt and a folder called WindowsImageBackup :

note.txt :

In `WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351` I found a couple of vhd images :

## Mounting the Backup Image, Dumping Credentials, User Flag

These vhd images are the system backup files. As the note said, trying to download them will take a very long time and probably won't finish because of their size, so instead we will mount them over SMB. I wanted to look at 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd first. This was helpful.

Now if we check /mnt/vhd we should see the contents of 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd :

I searched in Users for the user flag or any passwords but there wasn’t anything there, so I checked Windows/System32/config :

As you can see we can read SYSTEM and SAM, so we can dump the password hashes with samdump or with secretsdump. I copied both hives to my directory :

Then I used samdump :

secretsdump will do the same thing :

I could crack l4mpje's hash with Crackstation :

`l4mpje : bureaulampje`

Now we can just ssh to the box :

We owned user.

## Privilege Escalation

After enumerating for some time, when I checked the user's appdata I saw that mRemoteNG was installed on the box :

> mRemoteNG is a fork of mRemote: an open source, tabbed, multi-protocol, remote connections manager. mRemoteNG adds bug fixes and new features to mRemote.
>
> It allows you to view all of your remote connections in a simple yet powerful tabbed interface. - mremoteng.org

mRemoteNG saves the connection info and credentials in a file called confCons.xml :

I downloaded it with scp :

confCons.xml :

The first connection in the xml file is an RDP connection as Administrator :

Problem is, this password is encrypted: that base-64 string is the encrypted password, and if you just decode it you will get nothing readable. However, mRemoteNG is open source, and if you check the code responsible for encrypting credentials you can figure out how to decrypt them. The catch is that when the user never sets a master password, mRemoteNG encrypts with a built-in default one, so the file offers no real protection to anyone who can read it. There's a published script written by kmahyyg that does the decryption, so I used it :

And we owned root!

That's it, feedback is appreciated!