Wednesday, July 31, 2019



- Layout for this exercise:


- The goal for this exercise is to develop a hacking process for the vulnerable machine Bastion from the Hack The Box pentesting platform:


- Bastion's IP is

- Scanning with Nmap, there are four open ports: 22, 135, 139 and 445.

- Scanning those four ports in more depth, it seems that there is an SMB service running on port 445:

- This Nmap script enumerates the four shared folders:

- Connecting with smbclient:

- As expected, neither ADMIN$ nor C$ is accessible:

- IPC$ seems accessible, but it does not yield any valuable information:

- However, the folder Backups gives us a lot of very important information about Bastion:

- Getting and reading note.txt, we find a hint about backup-related problems:

- Getting and reading SDT65CB.tmp, the file seems to be empty:

- Going into the folder WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351:

- There are some .vhd and .xml files:

- VHD (Virtual Hard Disk) is a file format representing a virtual hard disk drive (HDD).

- It may contain what is found on a physical HDD, such as disk partitions and a file system, which in turn can contain files and folders.

- It is typically used as the hard disk of a virtual machine.

- Getting the 1st .vhd file and running the strings command over it, we find a lot of strings, but nothing that leads to any interesting hint for our purpose:



3.1 - Mounting the backup .vhd disk

- The 2nd .vhd disk is too large (5.4 GB) to check with strings, so a better solution is to mount it locally.

- Installing cifs-utils:

- Creating folder /Backups:

- Mounting the shared folder locally on /Backups:

- The mounting process is successful:

- Looking for the 2nd .vhd disk:

- The guestmount program can be used to mount virtual machine filesystems and other disk images on the host.

- It uses libguestfs for access to the guest filesystem, and FUSE (the "filesystem in userspace") to make it appear as a mountable device.

- Installing libguestfs-tools:

- Creating folder /vhd2:

- Using guestmount to mount the 2nd .vhd disk on local folder /mnt/vhd2:

- The mounting process is successful, so now we have access to the whole 2nd .vhd backup disk:

3.2 - Getting the Security Account Manager (SAM)

- The Security Account Manager (SAM) is the database where Windows systems store users' passwords.

- The user passwords are stored in hashed form in a registry hive, either as an LM hash or as an NTLM hash.

- Bastion is a Windows Server 2016, so it certainly uses NTLM hashes.

- The SAM file can be found in %SystemRoot%/System32/config/SAM and is mounted as the registry hive HKLM/SAM:

- Using samdump2 to retrieve the hashes of Bastion's users:

- The Administrator and Guest accounts are disabled, so let's write down the hash for user L4mpje:
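- As an added example (not part of the original writeup), the following Python script audits a pwdump-style dump like the one samdump2 prints from a recovered SAM hive: it parses the `user:rid:lmhash:nthash:::` lines and flags blank passwords, stored LM hashes and NT-hash reuse across accounts. The sample dump and every hash except the two well-known empty-password constants are constructed placeholders.

```python
# Added example, not from the original writeup: audit a pwdump-style dump
# (samdump2 output format). Each line is username:rid:lmhash:nthash:::
from collections import defaultdict

# Well-known hashes of the empty string: LM "not stored" marker and blank NT password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump; the non-constant hex values are placeholders, not real hashes.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1001:fedcba9876543210fedcba9876543210:0123456789abcdef0123456789abcdef:::
"""


def parse_pwdump(text):
    """Parse pwdump lines into dicts; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[0] or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:  # each hash is 16 bytes = 32 hex digits
            continue
        entries.append({"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt})
    return entries


def audit(entries):
    """Return {user: [findings]} for weaknesses visible from the dump alone."""
    findings = defaultdict(list)
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
        if e["nt"] == EMPTY_NT:
            findings[e["user"]].append("blank password (or disabled account with no password set)")
        if e["lm"] != EMPTY_LM:
            findings[e["user"]].append("LM hash stored: legacy format, trivially crackable")
    # The same NT hash on two accounts means the same password is reused.
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings[u].append("password shared with: " + others)
    return dict(findings)
```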


3.3 - Cracking the NTLM hash

- The online service Hashkiller cracks the NTLM hash found in the previous point:

3.4 - Getting a remote shell

- Now, using the credentials L4mpje:bureaulampje, we get an SSH connection and a remote shell:


- Reading user.txt from user l4mpje's Desktop:


- As expected, the Administrator's Desktop is not accessible, so we need some type of privilege escalation:

- Browsing around from the command line, we confirm the presence of the .vhd and .xml files found before:

- Going to L4mpje's home folder:

- However, looking for hidden folders, we discover many more available resources:

- Inside AppData\Roaming there is a very interesting folder named mRemoteNG:

- mRemoteNG is an open source remote control and connections manager:

- Reading confCons.xml we find encrypted credentials for Administrator:

- There are tools available online for dealing with mRemoteNG encrypted credentials, for instance the Python script named

- Launching the script without parameters to explore available optional arguments:

- Applying the -s option, because the encrypted password seems to be base64-encoded (note the trailing ==):

- So finally we have the Administrator's password: thXLHM96BeKL0ER2

- Connecting over SSH as Administrator, we get a privileged remote shell:


- Reading root.txt: