HackTheBox Writeup — Bastion

Hello Guys , I am Faisal Husaini and this is my writeup on Medium for Bastion machine which has retired. My username on HTB is “faisalelino” .

As I was not able to publish other writeups as I was off since 6 months from Infosec and related stuffs due to my exams. Now finally after getting free , the first box I thought to do the simplest ones as I almost forgot everything I had in my mind as my skills. So I tried to solve Bastion

The IP for this box is, so let’s get started

NMAP Result

nmap -sC -sV

As we can see , only two interesting services are running Port 22 for SSH and 445 probably for SMB

SMB Shares

We use SMBClient to check the shares available to us

smbclient -L // -N

We can see that the “Backups” sharename has open smbshares , lets try to connect to it

smbclient // -N

We try to list out the files and directories inside the smb shares

We saw a file named “note.txt” and a directory named “WindowsImageBackup” , so we get the notes.txt file first and then navigate to WindowsImageBackup folder

Here we can see an interesting folder named “Backup 2019–02–22 124351” so we try to navigate to it and see any interesting stuffs

We see 2 vhd files which may be interesting and be the way to our goal , but we need to mount this smb shares in our Linux box in order to view the files , dont worry if you never did the mounting stuff for vhd or smb shares , I will share an article where you can learn that easily by the end of this writeup.

I already did the mounting process for both SMB Share Backups and the vhd file , if you want to learn about it , I will post a link to an article for that at the end of this writeup

We check the contents of vhd files

I tried to find anything interesting here , but couldn't get , so I go for SAM hashes , which is usually stored under \Windows\System32\SAM and \Windows\System32\SYSTEM

I have already copied both the files to my box so we will move on to cracking part

We use samdump2 to get the NTLM hashes from SYSTEM and SAM file

samdump2 SYSTEM SAM > hash.txt

So we got the hash and put it in a file named hash.txt

Now we use John The Ripper tool to crack the hash

john — — format=NT — — wordlist=rockyou.txt hash.txt

Now we see the password using the command from John The Ripper

john — — show — — format=NT hash.txt

So we can see that we got the password for L4mpje user which is bureaulampje

Now we try to connect through ssh using these credentials.

Connection Through SSH

ssh L4mpje@

We successfully connected through the creds we got before

Getting User Flag

User Flags on Windows boxes are usually stored under the Desktop folder of the user

So we got the user.txt file which is our user flag. Now let’s move onto privilege escalation part.

Privilege Escalation

On digging alot , we find an interesting thing which is mRemoteNG installed in this machine which had an exploit.

We need to get the config file for it which is usually located under C:\Users\\Appdata\Roaming\mRemoteNG

We need the confCons.xml file , so we will use scp to bring it to our local machine

Now I will use a python script to crack the password string in the confCons.xml file

So we have the Password string , now we will use the python script to decrypt it (the string looks like base64 and I decoded it earlier but it gave gibbrish so no use for b64 decode)

So here is the usage of that script , now we move on further providing the string as given in the usage

So here we get the password , which maybe potentially for Administrator account , let’s try to login through SSH

Yes! We got in as Administrator , now we go to get the root password which is usually stored under the Desktop folder in Windows boxes

So here’s the box , hope you enjoyed reading , if you did , please leave 50 claps :)

Resources Used While Solving This Box

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store