HTB | Bastion

This is a Windows box. You can find it here.

Skills Learned

  • Extracting passwords from SAM

  • Exploiting MRemoteNG

NMAP

IP: 10.10.10.134

nmap scan

Ports 139 and 445

smbclient lists the shares

smbclient

We can connect to the Backups share, where we find note.txt

Connecting to Backups
note.txt

Looking further, we find backup files

backup files

Foothold/shell

Here we can see .vhd files. Refer to this article for mounting .vhd files on Kali.

Mount the share, then guestmount the .vhd file:

sudo mount -t cifs //10.10.10.134/backups /home/anurag/Documents/Bastion/WindowsImageBackup/ -o user=,password=
sudo guestmount --add /home/anurag/Documents/Bastion/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /home/anurag/Documents/Bastion/mnt2
guestmount

SAM dump

With full access to the file system, I have access to the registry files. These files can be locked when the system is running, but I won’t have that issue on a mounted drive. In the config directory where the registry hives are stored, I’ll use secretsdump.py to dump the password hashes:

secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL

Found the hashes and password for L4mpje
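
A defender-side check for the exposure described above, as an added example (not code from the original writeup): it walks a mounted share or disk image and flags virtual disk images and offline registry hives by file signature rather than by extension. The sample tree and the names `classify`, `audit` and `build_sample` are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

HIVE_NAMES = {"SAM", "SYSTEM", "SECURITY"}  # hives that secretsdump.py reads offline
HIVE_MAGIC = b"regf"      # signature at offset 0 of a registry hive
VHD_COOKIE = b"conectix"  # starts the 512-byte VHD footer (dynamic disks copy it to offset 0)
VHDX_SIG = b"vhdxfile"    # signature at offset 0 of a VHDX image

def classify(path):
    """Return 'hive', 'disk-image' or None, judged by content rather than extension."""
    with open(path, "rb") as fh:
        head = fh.read(8)
        fh.seek(max(os.path.getsize(path) - 512, 0))
        tail = fh.read(8)
    if os.path.basename(path).upper() in HIVE_NAMES and head[:4] == HIVE_MAGIC:
        return "hive"
    if head == VHDX_SIG or VHD_COOKIE in (head, tail):
        return "disk-image"
    return None

def audit(root):
    """Walk a mounted share or image; list (kind, relative path) of risky artifacts."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                kind = classify(full)
            except OSError:
                continue  # unreadable to this account, so not exposed to it
            if kind:
                findings.append((kind, os.path.relpath(full, root)))
    return sorted(findings)

def build_sample(root):
    files = {  # constructed sample tree, not data from the box
        "WindowsImageBackup/HOST/disk.vhd": b"\0" * 1024 + VHD_COOKIE + b"\0" * 504,
        "Windows/System32/config/SAM": HIVE_MAGIC + b"\0" * 60,
        "docs/SYSTEM": b"plain text, not a hive",  # right name, wrong magic
    }
    for rel, data in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```

Run `audit()` against a share mounted with the same low-privilege or anonymous credentials a visitor would have; anything it reports is readable by that account.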

We saw port 22 open, so let's SSH in

And we are in

Found user.txt

user.txt

Priv Esc

Found mRemoteNG

mRemoteNG

Looking further, we find confCons.xml

confCons.xml

Copy the file to our system

Found mRemoteNG_password_decrypt.

mRemoteNG password decrypt

Found the administrator password

administrator cred

We are in and found root.txt

root.txt
