HackTheBox Writeup — Bastion
Hello Guys, I am Faisal Husaini and this is my writeup on Medium for the Bastion machine, which has retired. My username on HTB is “faisalelino”.
I was not able to publish other writeups because I had been away from infosec and related stuff for 6 months due to my exams. Now that I am finally free, I thought I would start with one of the simplest boxes, as I had almost forgotten everything I knew. So I tried to solve Bastion.
The IP for this box is 10.10.10.134, so let’s get started.
NMAP Result
nmap -sC -sV 10.10.10.134

As we can see, only two interesting services are running: port 22 for SSH and port 445, probably for SMB
SMB Shares
We use SMBClient to check the shares available to us
smbclient -L //10.10.10.134 -N

We can see that the “Backups” share is open to us, so let's try to connect to it
smbclient //10.10.10.134/Backups -N

We try to list out the files and directories inside the smb shares

We saw a file named “note.txt” and a directory named “WindowsImageBackup”, so we get the note.txt file first and then navigate to the WindowsImageBackup folder

Here we can see an interesting folder named “Backup 2019-02-22 124351”, so we navigate to it and look for anything interesting

We see 2 vhd files which may be interesting and be the way to our goal, but we need to mount this SMB share on our Linux box in order to view the files. Don't worry if you have never mounted a vhd or an SMB share; I will share an article where you can learn that easily by the end of this writeup.

I have already done the mounting for both the Backups SMB share and the vhd file; if you want to learn about it, I will post a link to an article for that at the end of this writeup
We check the contents of vhd files

I tried to find anything interesting here but couldn't, so I went for the SAM hashes, which are usually stored under \Windows\System32\SAM and \Windows\System32\SYSTEM
I have already copied both files to my box, so we will move on to the cracking part
We use samdump2 to get the NTLM hashes from the SYSTEM and SAM files
samdump2 SYSTEM SAM > hash.txt

So we got the hash and put it in a file named hash.txt
Now we use John The Ripper tool to crack the hash
john --format=NT --wordlist=rockyou.txt hash.txt

Now we see the password using the command from John The Ripper
john --show --format=NT hash.txt

So we can see that we got the password for the L4mpje user, which is bureaulampje
Now we try to connect through ssh using these credentials.
Connection Through SSH
ssh L4mpje@10.10.10.134

We successfully connected through the creds we got before
Getting User Flag
User Flags on Windows boxes are usually stored under the Desktop folder of the user

So we got the user.txt file, which is our user flag. Now let’s move on to the privilege escalation part.
Privilege Escalation
After a lot of digging, we find something interesting: mRemoteNG is installed on this machine, and it had an exploit.

We need to get the config file for it, which is usually located under C:\Users\\Appdata\Roaming\mRemoteNG

We need the confCons.xml file, so we will use scp to bring it to our local machine

Now I will use a python script to crack the password string in the confCons.xml file

So we have the Password string, and now we will use the python script to decrypt it (the string looks like base64 and I decoded it earlier, but it gave gibberish, so a plain base64 decode is no use)

So here is the usage of that script; now we move on and provide the string as shown in the usage

So here we get the password, which may potentially be for the Administrator account, so let’s try to log in through SSH


Yes! We got in as Administrator, so now we go get the root flag, which is usually stored under the Desktop folder on Windows boxes
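An added example, not from the original writeup or the script it used: a small audit that lists which connections in a confCons.xml store a password and shows why base64-decoding the Password string gives bytes rather than text. The sample file, its attribute names and the salt | nonce | ciphertext | tag layout are assumptions, the Password value is a constructed stand-in, and nothing is decrypted.

```python
import base64
import math
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the general shape of an mRemoteNG confCons.xml (assumed
# attribute names). The Password value is a made-up 64-byte stand-in, not real ciphertext.
_BLOB = base64.b64encode(bytes((i * 73 + 41) % 256 for i in range(64))).decode()
SAMPLE = f"""<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections"
    EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000"
    FullFileEncryption="false" ConfVersion="2.6">
  <Node Name="DC" Type="Connection" Username="Administrator"
        Password="{_BLOB}" Hostname="192.0.2.10" Protocol="RDP" />
  <Node Name="Lab" Type="Connection" Username="" Password=""
        Hostname="192.0.2.11" Protocol="SSH2" />
</mrng:Connections>"""


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. A 64-byte blob can reach at most 6.0; ciphertext sits near the cap."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def audit_confcons(xml_text: str) -> dict:
    """Report file-level protection settings and every node that stores a password."""
    root = ET.fromstring(xml_text)
    report = {
        "kdf_iterations": int(root.get("KdfIterations", "0")),
        # When false, hostnames and usernames stay readable; only Password is encrypted.
        "full_file_encryption": root.get("FullFileEncryption", "false").lower() == "true",
        "stored": [],
    }
    for node in root.iter("Node"):
        value = node.get("Password", "")
        if not value:
            continue  # no credential saved for this connection
        raw = base64.b64decode(value)
        report["stored"].append({
            "name": node.get("Name"), "user": node.get("Username"),
            "host": node.get("Hostname"),
            # Assumed layout: 16-byte salt | 16-byte nonce | ciphertext | 16-byte tag
            "ciphertext_len": max(len(raw) - 48, 0),
            "entropy": round(shannon_entropy(raw), 2),
        })
    return report


if __name__ == "__main__":
    print(audit_confcons(SAMPLE))
```

Any entry in `stored` is a credential that travels with the file, so copies of confCons.xml in backups or shares deserve the same handling as the passwords themselves.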

So that’s the box. Hope you enjoyed reading; if you did, please leave 50 claps :)