
Today I am solving the machine called Bastion on the HTB platform. Let's start with scanning.
First I ran an NMAP scan and here's what I got

I also tried rustscan and found one more port, SSH:
rustscan -a bastion.htb -u 5000

After scanning with both tools I ran smbclient and found these shares:
smbclient --list //bastion.htb/ -U ""

As you can see there is an IPC$ share. I tried to enumerate users with lookupsid.py and found new users:
python3 lookupsid.py root@bastion.htb

Let's get back to smbclient since we don't have enough info about these users.
We can log in as root without a password:
smbclient //bastion.htb/Backups -U "root"

And I found a note in there; let's see what it says.

After searching again I found an interesting directory called "WindowsImageBackup". Inside it was another directory named after the user we found with lookupsid.py, and that is where the backup file the note warned about lives.

Only .xml and .vhd files were there. VHD files are virtual hard disk images, so they must contain hashes or something else valuable, but as the note said, downloading them would take forever because of their size.
Since I had never been in such a situation it took a lot of reading to figure it out, and finally I found that we can mount the share instead of downloading it:
mount -t cifs //bastion.htb/backups /mnt -o user=,password=

After running this command I could browse the backup as if I were on the system. Next, let's mount the VHD read-only with guestmount and look for a way into the real system:
guestmount --add /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro mnt0/

There is a tool in impacket called secretsdump.py that we can use to dump the local hashes from the registry hives.
Windows always stores these hives (SAM, SECURITY and SYSTEM) in the Windows\System32\config directory, so we should change into that directory inside the mounted image before running secretsdump.py:
python3 /path-to-secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL

It was a quick run and we got what we wanted. Let's crack these hashes to get access to the actual machine.
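Before spending time on cracking, it helps to triage a SAM dump: secretsdump prints one line per account in the form user:rid:lmhash:nthash:::, and a few well-known constant values tell you a lot at a glance (the empty-password NT hash, the "no LM hash stored" placeholder, RID 500 for the built-in Administrator). The following parser is an added example, not part of the original writeup or of impacket; the sample dump, function names and hash values are constructed for illustration and are not the hashes from this machine.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Public, fixed constants: NT hash of an empty password, and the LM field
# value that means "no LM hash stored" (the default on modern Windows).
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
NO_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# A secretsdump SAM line: user:rid:lmhash:nthash:::  (banners are skipped)
SAM_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

@dataclass
class SamEntry:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def findings(self) -> list[str]:
        """Weaknesses visible from the hash line alone, without any cracking."""
        out = []
        if self.nt_hash == EMPTY_NT_HASH:
            out.append("empty password")
        if self.lm_hash != NO_LM_HASH:
            out.append("LM hash stored (legacy, weak)")
        if self.rid == 500:
            out.append("built-in Administrator RID")
        return out

def parse_secretsdump(text: str) -> list[SamEntry]:
    entries = []
    for line in text.splitlines():
        m = SAM_LINE.match(line.strip())
        if m:  # non-matching lines are secretsdump status output
            entries.append(SamEntry(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return entries

def audit(text: str) -> dict[str, list[str]]:
    """Map each account name to the list of findings for it."""
    return {e.user: e.findings for e in parse_secretsdump(text)}

# Constructed sample output (hypothetical accounts; hash values are made up)
SAMPLE = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy:1001:89abcdef0123456789abcdef01234567:fedcba9876543210fedcba9876543210:::
[*] Cleaning up...
"""

if __name__ == "__main__":
    for user, issues in audit(SAMPLE).items():
        print(f"{user:15} {', '.join(issues) or 'no findings'}")
```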

CrackStation online was able to give a result for only one of the hashes, and it belongs to the user L4mpje. It could be an SSH credential, so we have to try it:
ssh L4mpje@bastion.htb
(password: bureaulampje)
Bingo, it worked and I got the user.txt.

Now it's time to escalate to the system's administrator and get the root.txt.
While exploring 'C:\Users\L4mpje\AppData\Roaming\mRemoteNG' I found .xml files. I tried reading the first one and it contained the passwords for the administrator and the user L4mpje.

It was the first time I had seen this type of encryption, so I searched for the file name "mRemoteNG" and found that mRemoteNG is a fork of mRemote.
I found this Python tool which decrypts mRemoteNG passwords, and it successfully decrypted it. We got the administrator password; time to use it.

administrator:thXLHM96BeKL0ER2
I tried logging in via SSH, but it seemed that root authentication wasn't enabled.

So I tried evil-winrm, which logged in successfully with the credentials we have, and I got the root.txt.

This machine was really fun and full of new techniques. I hope I wrote a good writeup that was easy to understand.