HTB - Bastion
This post is a write-up for the Bastion box on hackthebox.eu
Enumeration
Start by enumerating the ports on the victim machine. Run Masscan
and Nmap
, then document the results:
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.134 --max-rate=500
nmap -n -v -Pn -p80 -A --reason -oN bastion_nmap.txt 10.10.10.134
Checked port 445 with smbmap
, and noticed a readable and writable share called Backups:
Given that this is a Windows victim, at this point I usually switch over to a Windows VM. I have been using Commando VM 2.0 lately, and I cannot recommend it enough especially for the task of mounting SMB shares.
User flag
Connect to the share via windows explorer and notice it has 2 .vhd backup files in it. The .vhd backups are quite large, so to make this faster you can simply mount them over the smb share:
You should be able to read the backup of the c drive from L4mpje
. Digging through the backup did not result in anything interesting, but you can pull the SAM
and SYSTEM
file from C:\windows\system32\config
to the attacking machine for some hash cracking fun:
pwdump SYSTEM SAM
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
Use hashkiller to bruteforce the hashed password of user L4mpje
L4mpje:bureaulampje
SSH into the victim machine with the credentials to get the user flag:
Root Flag
Enumerate the victim machine, and locate an application called mRemoteNG
.
mRemoteNG
manages connections (to ssh, rdp, ftp, etc.) and saves the connection details in an xml, including the encrypted saved credentials. It saves these encrypted secrets in C:\users\l4mpje\AppData\Roaming\mRemoteNG\confCons.xml
. We could attempt to bruteforce these, but that might take a long time.
Easier method: Install mRemoteNG
on the attackimg machine and copy in the confCons.xml
file.
Connect as administrator to the victim machine (change the IP & Protocol accordingly).