HTB - Bastion

This post is a write-up for the Bastion box on


Start by enumerating the ports on the victim machine. Run Masscan and Nmap, then document the results:

masscan -e tun0 -p1-65535,U:1-65535 --max-rate=500
nmap -n -v -Pn -p80 -A --reason -oN bastion_nmap.txt

Checked port 445 with smbmap, and noticed a readable and writable share called Backups:

Given that this is a Windows victim, at this point I usually switch over to a Windows VM. I have been using Commando VM 2.0 lately, and I cannot recommend it enough especially for the task of mounting SMB shares.

User flag

Connect to the share via windows explorer and notice it has 2 .vhd backup files in it. The .vhd backups are quite large, so to make this faster you can simply mount them over the smb share:

You should be able to read the backup of the c drive from L4mpje. Digging through the backup did not result in anything interesting, but you can pull the SAM and SYSTEM file from C:\windows\system32\config to the attacking machine for some hash cracking fun:


Use hashkiller to bruteforce the hashed password of user L4mpje


SSH into the victim machine with the credentials to get the user flag:

Root Flag

Enumerate the victim machine, and locate an application called mRemoteNG.

mRemoteNG manages connections (to ssh, rdp, ftp, etc.) and saves the connection details in an xml, including the encrypted saved credentials. It saves these encrypted secrets in C:\users\l4mpje\AppData\Roaming\mRemoteNG\confCons.xml. We could attempt to bruteforce these, but that might take a long time.

Easier method: Install mRemoteNG on the attackimg machine and copy in the confCons.xml file.

Connect as administrator to the victim machine (change the IP & Protocol accordingly).