Bastion is an easy level WIndows box which contains a VHD ( Virtual Hard Disk ) image from which credentials can be extracted. After logging in, the software MRemoteNG is found to be installed which stores passwords insecurely, and from which credentials can be extracted.

Enumeration

First I check for available open ports.

nmap -p- --min-rate=10000 10.10.10.134

nmap -sC -sV -p21,22,80,135,139,445,5985,39517 10.10.10.134 -oA ./nmap/bastion.txt

Ports Service
22 ssh OpenSSH for_Windows_7.9 (protocol 2.0)
135 msrpc Microsoft Windows RPC
139 netbios-ssn Microsoft Windows netbios-ssn
445 Windows Server 2016 Standard 14393
5985 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Foothold

I decided to check for the SMB port. Anonymous login doesn’t work. But if I use a random username it shows the shares.

We have read access to Backup. after logging in we found a note.

smbclient -U sz -N \\\\10.10.10.134\\Backups

Let’s download everything inside.

1
2
3
4
5
recurse ON
prompt OFF
cd 'path\to\remote\dir'
lcd '~/path/to/download/to/'
mget *

Inside WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\ we found VHD backup file.

We can mount it to our local machine

sudo guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/bastion

For some reason I couldn’t open the mount

I had to switch to the root user to browse the mount.

Alternative Mount

We can mount .vhd file directly from the SMB share.

1
2
mount -t cifs //10.10.10.134/backups /mnt -o user=,password=
guestmount --add /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt2/

Credit → 0xdf

Inside the mount, we can see it’s a Windows backup.

We can visit /Windows/System32/config and Dump the credentials using secretsdump and then use Crackstation to crack the hash.

secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL

Creds → l4mpje : bureaulampje

We can now ssh to the machine and get the user flag.

Privilege Escalation

After looking for a while I found an interesting program mRemoteNG.

After researching online I found this website where they tell us encrypted passwords can be found.

C:\Users\L4mpje\AppData\Roaming\mRemoteNG

Inside confCons.xml we find the encrypted creds.

I used mRemoteNG-Decrypt to decrypt the password of the administrator.

Creds → administrator : thXLHM96BeKL0ER2

After sshing with admin creds we get the root flag.