Bastion is an easy level WIndows box which contains a VHD ( Virtual Hard Disk ) image from which credentials can be extracted. After logging in, the software MRemoteNG is found to be installed which stores passwords insecurely, and from which credentials can be extracted.


First I check for available open ports.

nmap -p- --min-rate=10000

nmap -sC -sV -p21,22,80,135,139,445,5985,39517 -oA ./nmap/bastion.txt

|22| ssh OpenSSH for_Windows_7.9 (protocol 2.0)
|135| msrpc Microsoft Windows RPC
|139| netbios-ssn Microsoft Windows netbios-ssn
|445| Windows Server 2016 Standard 14393
|5985| Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)


I decided to check for the SMB port. Anonymous login doesn’t work. But if I use a random username it shows the shares.

We have read access to Backup. after logging in we found a note.

smbclient -U sz -N \\\\\\Backups

Let’s download everything inside.

recurse ON
prompt OFF
cd 'path\to\remote\dir'
lcd '~/path/to/download/to/'
mget *

Inside WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\ we found VHD backup file.

We can mount it to our local machine

sudo guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/bastion

For some reason I couldn’t open the mount

I had to switch to the root user to browse the mount.

Alternative Mount

We can mount .vhd file directly from the SMB share.

mount -t cifs // /mnt -o user=,password=
guestmount --add /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt2/

Credit → 0xdf

Inside the mount, we can see it’s a Windows backup.

We can visit /Windows/System32/config and Dump the credentials using secretsdump and then use Crackstation to crack the hash. -sam SAM -security SECURITY -system SYSTEM LOCAL

Creds → l4mpje : bureaulampje

We can now ssh to the machine and get the user flag.

Privilege Escalation

After looking for a while I found an interesting program mRemoteNG.

After researching online I found this website where they tell us encrypted passwords can be found.


Inside confCons.xml we find the encrypted creds.

I used mRemoteNG-Decrypt to decrypt the password of the administrator.

Creds → administrator : thXLHM96BeKL0ER2

After sshing with admin creds we get the root flag.