Bastion is an easy level WIndows box which contains a VHD ( Virtual Hard Disk ) image from which credentials can be extracted. After logging in, the software MRemoteNG is found to be installed which stores passwords insecurely, and from which credentials can be extracted.

Enumeration

First I check for available open ports.

nmap -p- --min-rate=10000 10.10.10.134

nmap -sC -sV -p21,22,80,135,139,445,5985,39517 10.10.10.134 -oA ./nmap/bastion.txt

|Ports|Service
|22| ssh OpenSSH for_Windows_7.9 (protocol 2.0)
|135| msrpc Microsoft Windows RPC
|139| netbios-ssn Microsoft Windows netbios-ssn
|445| Windows Server 2016 Standard 14393
|5985| Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Foothold

I decided to check for the SMB port. Anonymous login doesn’t work. But if I use a random username it shows the shares.

We have read access to Backup. after logging in we found a note.

smbclient -U sz -N \\\\10.10.10.134\\Backups

Let’s download everything inside.

recurse ON
prompt OFF
cd 'path\to\remote\dir'
lcd '~/path/to/download/to/'
mget *

Inside WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\ we found VHD backup file.

We can mount it to our local machine

sudo guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/bastion

For some reason I couldn’t open the mount

I had to switch to the root user to browse the mount.

Alternative Mount

We can mount .vhd file directly from the SMB share.

1
2

mount -t cifs //10.10.10.134/backups /mnt -o user=,password=
guestmount --add /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt2/

Credit → 0xdf

Inside the mount, we can see it’s a Windows backup.