Bastion

This post is a write-up for the Bastion box on hackthebox.eu

Bastion Info

Enumeration

Start by enumerating the ports on the victim machine. Run Masscan and Nmap, then document the results:

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.134 --max-rate=500
nmap -n -v -Pn -p80 -A --reason -oN bastion_nmap.txt 10.10.10.134

Running nmap reveals 4 open ports

Checked port 445 with smbmap, and noticed a readable and writable share called Backups:

SMBMap shares

Given that this is a Windows victim, at this point I usually switch over to a Windows VM. I have been using Commando VM 2.0 lately, and I cannot recommend it enough especially for the task of mounting SMB shares.

User flag

Connect to the share via windows explorer and notice it has 2 .vhd backup files in it. The .vhd backups are quite large, so to make this faster you can simply mount them over the smb share:

vhd mount

You should be able to read the backup of the c drive from L4mpje. Digging through the backup did not result in anything interesting, but you can pull the SAM and SYSTEM file from C:\windows\system32\config to the attacking machine for some hash cracking fun:

pwdump SYSTEM SAM
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

Use hashkiller to bruteforce the hashed password of user L4mpje

L4mpje:bureaulampje

SSH into the victim machine with the credentials to get the user flag:

user flag

Root Flag

Enumerate the victim machine, and locate an application called mRemoteNG.

mRemoteNG manages connections (to ssh, rdp, ftp, etc.) and saves the connection details in an xml, including the encrypted saved credentials. It saves these encrypted secrets in C:\users\l4mpje\AppData\Roaming\mRemoteNG\confCons.xml. We could attempt to bruteforce these, but that might take a long time.

Easier method: Install mRemoteNG on the attackimg machine and copy in the confCons.xml file.

Connect as administrator to the victim machine (change the IP & Protocol accordingly).

root flag

This is an active machine - please enter the password to view this content.